Merge branch 'custom-base-more3' into 'wip-baseimage-rework'

two small patches

See merge request fedora/bootc/base-images!92

.gitlab-ci.yml

@@ -1,15 +1,25 @@
----
-include:
-  - remote: https://gitlab.com/platform-engineering-org/gitlab-ci/-/raw/main/templates/build-image.gitlab-ci.yml
+stages:
+  - build
 
-build-image:
+variables:
+  IMAGE_PREFIX: ${CI_REGISTRY}/${CI_PROJECT_PATH}
+
+.build-image:
+  stage: build
+  image: quay.io/buildah/stable:v1.38.1
+  needs: []
+
+build:
   extends: .build-image
-  parallel:
-    matrix:
-      - TIER: [tier-0, tier-1, tier-x]
-  variables:
-    EXTRA_ARGS: "--security-opt=label=disable --cap-add=all --build-arg MANIFEST=fedora-$TIER.yaml"
-  rules:
-    - if: $CI_PROJECT_NAMESPACE != "fedora/bootc"
-      when: never
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  stage: build
+  script: |
+    set -xeuo pipefail
+    curl -L --fail -o /etc/yum.repos.d/coreos-continuous.repo https://copr.fedorainfracloud.org/coprs/g/CoreOS/continuous/repo/fedora-42/group_CoreOS-continuous-fedora-42.repo
+    dnf -y install rpm-ostree
+    cd base
+    buildah build "${hostbuildopts[@]}" -f Containerfile --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base:tmp .
+    # Rechunk
+    rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
+           --from=${IMAGE_PREFIX}-base:tmp --output containers-storage:${IMAGE_PREFIX}-base
+    cd ..
+    buildah build "${hostbuildopts[@]}" -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard:tmp .

Containerfile

@@ -1,54 +1,18 @@
-# This container build uses some special features of podman that allow
-# a process executing as part of a container build to generate a new container
-# image "from scratch".
-#
-# This container build uses nested containerization, so you must build with e.g.
-# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
-#
-# # Why are we doing this?
-#
-# Today this base image build process uses rpm-ostree.  There is a lot of things that
-# rpm-ostree does when generating a container image...but important parts include:
-#
-# - auto-updating labels in the container metadata
-# - Generating "chunked" content-addressed reproducible image layers (notice
-#   how there are ~60 layers in the generated image)
-#
-# The latter bit in particular is currently impossible to do from Containerfile.
-# A future goal is adding some support for this in a way that can be honored by
-# buildah (xref https://github.com/containers/podman/discussions/12605)
-#
-# # Why does this build process require additional privileges?
-#
-# Because it's generating a base image and uses containerization features itself.
-# In the future some of this can be lifted.
+# This generates the "standard" base image, deriving from the minimal base.
 
-FROM quay.io/fedora/fedora:rawhide as repos
-
-# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted.
-FROM quay.io/fedora/fedora:rawhide as builder
-RUN dnf -y install rpm-ostree selinux-policy-targeted
-ARG MANIFEST=fedora-bootc.yaml
-COPY --from=repos /etc/dnf/vars /etc/dnf/vars
-COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
-# The input git repository has .repo files committed to git rpm-ostree has historically
-# emphasized that.  But here, we are fetching the repos from the container base image.
-# So copy the source, and delete the hardcoded ones in git, and use the container base
-# image ones.  We can drop the ones commited to git when we hard switch to Containerfile.
-COPY . /src
-WORKDIR /src
-RUN rm -vf /src/*.repo
-COPY --from=repos /etc/yum.repos.d/*.repo /src
-RUN --mount=type=cache,target=/workdir \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-    --mount=type=bind,from=repos,src=/,dst=/repos \
-      rpm-ostree compose image --image-config fedora-bootc-config.json \
-        --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
-       --source-root=/repos /buildcontext/out.ociarchive
-
-FROM oci-archive:./out.ociarchive
-# Need to reference builder here to force ordering. But since we have to run
-# something anyway, we might as well cleanup after ourselves.
-RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-      rm /buildcontext/out.ociarchive
+# This is a local reference by default because we haven't shipped this image yet.
+FROM localhost/fedora-bootc:base
+# Copy in our configuration and build scripts. Most of the heavy lifting
+# is in `stage-install` which we emit into /usr/share/doc so it can be
+# used as a reference in other images.
+COPY usr/ /usr/
+RUN <<EORUN
+set -xeuo pipefail
+# This script installs our default packages. These scripts
+# are not a stable API, but may become one in the future.
+/usr/share/doc/bootc-image-standard/stage-install
+# Cleanup
+/usr/share/doc/bootc-image-standard/stage-clean
+# And lint.
+bootc container lint --fatal-warnings
+EORUN

README.md

@@ -47,33 +47,17 @@ podman build --from quay.io/fedora/fedora:41 ...
 You are of course also free to fork, customize, and build base images yourself.
 See this page[6] of the documentation for more information.
 
-## Tiers
+## Images
 
 At the current time, there is just one reference base image published
-to the registry. Internally the content set is split up somewhat
-into "tiers", but this is an internal implementation detail and may change
-at any time.
+to the registry. There is a `Containerfile.base` which produces a
+quite minimal base image, from which the default image derives.
 
-It is planned to rework and improve this in the future, especially
-to support smaller custom images. For more on this, see
-[this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
+More on the history from [this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
 
-- **tier-1**: This image is the default, what is published as
-  https://quay.io/repository/fedora/fedora-bootc
-- **tier-0**: This content set is more of a convenient centralization point for CI
-  and curation around a package set that we can all agree is the rough minimum
-  necessary for a usable system. It's not meant to be used as is, but layered
-  upon.
-- **tier-x**: This content set is the shared base used by all image-based
-  Fedora variants (IoT, Atomic Desktops, and CoreOS).
-  Changes to this tier may be done without accounting for external users.
-  To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build
-  command above.
-
-**tier-1** inherits from **tier-x** and **tier-x** in turn inherit from **tier-0**.
-
-All non-trivial changes to **tier-0** and **tier-x** should be ACKed by at least
-one stakeholder of each Fedora variant WGs.
+- Containefile.base: A base image with the effective equivalent of installing `bootc kernel systemd dnf`
+  with "recommends" off. Intended as a derivation starting point for minimal systems.
+- Containerfile: Produces the default much larger image; somewhat similar to CoreOS.
 
 ## More information
 

base/Containerfile

@@ -0,0 +1,46 @@
+# This is a relatively minimal base image build; it's intended as a derivation
+# point.
+#
+# This container build uses nested containerization to construct
+# a target rootfs from scratch; so you must build with e.g.
+# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
+
+# If you want to configure the input rpm-md repositories, just override this
+# container image.
+FROM quay.io/fedora/fedora:rawhide as repos
+
+# We use stream10 to demonstrate that we support "cross builds".
+FROM quay.io/centos/centos:stream10 as builder
+RUN <<EORUN
+set -xeuo pipefail
+# For rpm-ostree v2025.5
+curl -L -o /etc/yum.repos.d/coreos-continuous.repo https://copr.fedorainfracloud.org/coprs/g/CoreOS/continuous/repo/centos-stream-10/group_CoreOS-continuous-centos-stream-10.repo
+dnf -y install rpm-ostree selinux-policy-targeted sqlite
+EORUN
+# Copy in our source code.
+COPY . /src
+WORKDIR /src
+RUN --mount=type=bind,from=repos,src=/,dst=/repos,rw <<EORUN
+set -xeuo pipefail
+# Copy the build configuration into the builder image, as if it's the final image
+cp -a . /usr/lib/sysimage/base-image-manifest
+# And embed the rebuild script
+install -m 0755 -t /usr/libexec ./bootc-base-image-rebuild-self
+# Finally, run the build script in the same way we expect custom images to do.
+/usr/libexec/bootc-base-image-rebuild-self /repos /target-rootfs
+EORUN
+
+# This pulls in the rootfs generated in the previous step
+FROM scratch
+COPY --from=builder /target-rootfs/ /
+LABEL containers.bootc 1
+# This is an ad-hoc way for us to reference bootc-image-builder in
+# a way that in theory client tooling can inspect and find. Today
+# it isn't widely used.
+LABEL bootc.diskimage-builder quay.io/centos-bootc/bootc-image-builder
+# https://pagure.io/fedora-kiwi-descriptions/pull-request/52
+ENV container=oci
+# Make systemd the default
+STOPSIGNAL SIGRTMIN+3
+CMD ["/sbin/init"]
+

base/Makefile

@@ -0,0 +1,2 @@
+install:
+	install -m 0755 -t $(DESTDIR)/usr/libexec bootc-base-image-rebuild-self

base/bootc-base-image-rebuild-self

@@ -0,0 +1,17 @@
+#!/bin/bash
+# This script regenerates this base image using a build
+# configuration (list of packages, scripts) embedded in this current image.
+# The actual *content* packages will come from the source root.
+set -xeuo pipefail
+source_root=$1
+shift
+target=$1
+shift
+if ! test -x /usr/bin/rpm-ostree; then
+    dnf -y install rpm-ostree
+fi
+rpm-ostree experimental compose rootfs --source-root-rw=$source_root /usr/lib/sysimage/base-image-manifest/manifest.yaml $target
+# Finally, propagate the configuration and build script into the target root.
+for f in /usr/lib/sysimage/base-image-manifest /usr/libexec/bootc-base-image-rebuild-self; do
+    cp -a $f $target/$f
+done

base/bootc-base-image-rebuild-self.md

@@ -0,0 +1,83 @@
+# bootc-base-image-rebuild-self
+
+A core premise of the bootc model is that rich
+control over Linux system customization can be accomplished
+with a "default" container build:
+
+```
+FROM <base image>
+RUN ...
+```
+
+As of recently, it is possible to e.g. swap the kernel
+and other fundamental components as part of default derivation.
+
+## Understanding the base image content
+
+Most, but not all content from the base image comes from RPMs.
+There is some additional non-RPM content, as well as postprocessing
+that operates on the filesystem root. At the current
+time the implementation of the base image build uses `rpm-ostree`,
+but this is considered an implementation detail subject to change.
+
+## Rebuilding from externally controlled content
+
+Some use cases want even more control - for example,
+as an organization deploying a bootc system, I may want to ensure
+the base image version carries a set of packages at
+exactly specific versions (perhaps defined by a lockfile,
+or an rpm-md repository). There are many tools which
+manage snapshots of yum (rpm-md) repositories.
+
+The `/usr/libexec/bootc-base-image-rebuild-self` which is
+included in the base image is designed to enable this
+level of control.
+
+## Using bootc-base-image-rebuild-self
+
+This tool takes just two arguments:
+
+- A "repository configuration root" which should have an `/etc/yum.repos.d`
+  that defines the input RPM content.
+- A path to the target root filesystem which will be generated
+
+### Implementation
+
+The current implementation uses `rpm-ostree` on a manifest (treefile)
+embedded in the container image itself. The set of packages installed
+is currently not configurable; however it is quite minimal and can
+easily be customized further as we will see below.
+
+The build tooling is designed to support "cross builds"; the
+repository root could e.g. be CentOS Stream 10, while the
+builder root is Fedora or RHEL, etc. In other words, one given
+base image can be used as a "builder" to produce another
+using different RPMs.
+
+### Example: Generate a new image using CentOS Stream 10 content from RHEL
+
+FROM quay.io/centos/centos:stream10 as repos
+
+FROM registry.redhat.io/rhel10/rhel-bootc:10 as builder
+RUN --mount=type=bind,from=repos,src=/,dst=/repos,rw /usr/libexec/bootc-base-image-rebuild-self /repos /target-rootfs
+
+# This container image uses the "artifact pattern"; it has some
+# basic configuration we expect to apply to multiple container images.
+FROM quay.io/exampleos/baseconfig@sha256:.... as baseconfig
+
+FROM scratch
+COPY --from=builder /target-rootfs/ /
+# Now we make other arbitrary changes. Copy our systemd units and
+# other tweaks from the baseconfig container image.
+COPY --from=baseconfig /usr/ /usr/
+RUN <<EORUN
+set -xeuo pipefail
+# Install critical components
+dnf -y install linux-firmware NetworkManager cloud-init cowsay
+dnf clean all
+bootc container lint
+EORUN
+LABEL containers.bootc 1
+ENV container=oci
+STOPSIGNAL SIGRTMIN+3
+CMD ["/sbin/init"]

base/bootc.yaml

@@ -9,9 +9,3 @@ packages:
  # Required by bootc install, sgdisk has been replaced by Rust crate
  # in bootc https://github.com/containers/bootc/pull/775
  - xfsprogs e2fsprogs dosfstools
-
-exclude-packages:
-  # Exclude kernel-debug-core to make sure that it doesn't somehow get
-  # chosen as the package to satisfy the `kernel-core` dependency from
-  # the kernel package.
-  - kernel-debug-core

base/finalize.d/05-rpmdb.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -euo pipefail
+# https://github.com/coreos/rpm-ostree/pull/5244
+# 
+sysimage_rpmdb=usr/lib/sysimage/rpm/rpmdb.sqlite
+rpmostree_rpmdb_dir=usr/share/rpm
+rpmostree_rpmdb="${rpmostree_rpmdb_dir}/rpmdb.sqlite"
+rpmostree_base_rpmdb_dir=usr/lib/sysimage/rpm-ostree-base-db
+rpmostree_base_rpmdb="${rpmostree_base_rpmdb_dir}/rpmdb.sqlite"
+pragma='PRAGMA journal_mode=delete;'
+
+# Forcibly delete this because ostree hardlinking the sqlite databases
+# confuses rpm. This will cause rpm-ostree to enter a fallback
+# mode with package layering, but that's OK.
+if test -d "${rpmostree_base_rpmdb_dir}"; then
+    echo "Removing ${rpmostree_base_rpmdb_dir}"
+    rm "${rpmostree_base_rpmdb_dir}" -rf
+fi
+for path in ${sysimage_rpmdb} ${rpmostree_rpmdb}; do
+    if test -f "${path}-shm"; then
+        echo "Executing in ${path}: ${pragma}"
+        sqlite3 "${path}" "${pragma}" >/dev/null
+    fi
+done

base/manifest.yaml

@@ -16,22 +16,26 @@ remove-from-packages:
 
 include:
   - postprocess-conf.yaml
+  - tmpfiles.yaml
   - bootc.yaml
   - bootupd.yaml
   - ostree.yaml
   - initramfs.yaml
   - basic-fixes.yaml
   - kernel-install.yaml
+  - persistent-journal.yaml
+  - fedora-repos.yaml
 
 packages:
+  # This can be replaced later
+  - kernel
   # this is implied by dependencies but let's make it explicit
   - coreutils
   # We need dnf for building derived container images. In Fedora, this pulls
   # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
   # just `dnf` once the `dnf` package is retired from Fedora.
   - /usr/bin/dnf
-  # Even in tier-0, we have this.  If you don't want SELinux today, you'll need
-  # to build a custom image.
+  # If you don't want SELinux today, you'll need to build a custom image.
   - selinux-policy-targeted
   # And we want container-selinux because trying to layer it on later currently causes issues.
   - container-selinux

base/tmpfiles.yaml

@@ -0,0 +1,7 @@
+postprocess:
+  - |
+    #!/bin/bash
+    cat >/usr/lib/tmpfiles.d/bootc-base-rpmstate.conf <<'EOF'
+    # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=771713
+    d /var/lib/rpm-state 0755 - - -
+    EOF

fedora-40.yaml

@@ -1,7 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 40
-repos:
-  - fedora
-  - fedora-updates
-include: fedora-bootc.yaml

fedora-41.yaml

@@ -1,7 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 41
-repos:
-  - fedora
-  - fedora-updates
-include: fedora-bootc.yaml

fedora-bootc-config.json

@@ -1,12 +0,0 @@
-{
-    "Labels": {
-        "containers.bootc": "1",
-        "bootc.diskimage-builder": "quay.io/centos-bootc/bootc-image-builder",
-        "redhat.id": "fedora",
-        "redhat.version-id": "rawhide"
-    },
-    "StopSignal": "SIGRTMIN+3",
-    "Env": [
-        "container=oci"
-    ]
-}

fedora-bootc.yaml

@@ -1,8 +0,0 @@
-metadata:
-  name: fedora-boot-tier1
-  summary: Fedora Bootable Tier 1
-
-include:
-  - fedora-generic.yaml
-  - tier-1/manifest.yaml
-  - tier-1/kernel.yaml

fedora-rawhide.yaml

@@ -1,6 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: rawhide
-repos:
-  - fedora-rawhide
-include: fedora-bootc.yaml

fedora-tier-0.yaml

@@ -1,8 +0,0 @@
-metadata:
-  name: fedora-boot-tier0
-  summary: Fedora Bootable Tier 0
-
-include:
-  - fedora-generic.yaml
-  - tier-0/manifest.yaml
-  - tier-0/kernel.yaml

fedora-tier-1.yaml

@@ -1 +0,0 @@
-fedora-bootc.yaml

fedora-tier-x.yaml

@@ -1,8 +0,0 @@
-metadata:
-  name: fedora-boot-tier-x
-  summary: Fedora Bootable Tier X
-
-include:
-  - fedora-generic.yaml
-  - tier-x/manifest.yaml
-  - tier-x/kernel.yaml

fedora.repo

@@ -1,102 +0,0 @@
-# Note we use baseurl= here because using auto-selected mirrors conflicts with
-# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
-
-[fedora]
-name=Fedora $releasever - $basearch
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
-        https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
-enabled=1
-#metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[fedora-updates]
-name=Fedora $releasever - $basearch - Updates
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
-        https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
-enabled=1
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-metadata_expire=6h
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[fedora-updates-testing]
-name=Fedora $releasever - $basearch - Test Updates
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
-        https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
-enabled=1
-gpgcheck=1
-metadata_expire=6h
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[fedora-modular]
-name=Fedora Modular $releasever - $basearch
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Modular/$basearch/os/
-        https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Modular/$basearch/os/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
-enabled=1
-#metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
-skip_if_unavailable=False
-
-[fedora-updates-modular]
-name=Fedora Modular $releasever - $basearch - Updates
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/
-        https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
-enabled=1
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-metadata_expire=6h
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
-skip_if_unavailable=False
-
-[fedora-updates-testing-modular]
-name=Fedora Modular $releasever - $basearch - Test Updates
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/
-        https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
-enabled=1
-gpgcheck=1
-metadata_expire=6h
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[rawhide]
-name=Fedora - Rawhide - Developmental packages for the next Fedora release
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
-        https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
-enabled=1
-#metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[fedora-devel]
-name=Fedora $releasever - $basearch
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
-        https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
-enabled=1
-#metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False

tier-1/autoupdates.yaml

@@ -1,9 +0,0 @@
-# Enable automatic updates by default
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    set -euo pipefail
-    target=/usr/lib/systemd/system/default.target.wants
-    mkdir -p $target
-    set -x
-    ln -s ../bootc-fetch-apply-updates.timer $target

tier-1/coreos-user-experience.yaml

@@ -1,17 +0,0 @@
-# This file was forked/copied from Fedora CoreOS.  TODO: resync
-# once we have a good generic mechanism for sharing.
-packages:
-  # Additional file compression/decompression
-  - bzip2 zstd
-  # Improved MOTD experience
-  - console-login-helper-messages-issuegen
-  - console-login-helper-messages-profile
-  # kdump support
-  # https://github.com/coreos/fedora-coreos-tracker/issues/622
-  - kexec-tools
-  # Container tooling
-  - toolbox
-  # nvme-cli for managing nvme disks
-  - nvme-cli
-  # Used by admins interactively
-  - lsof

tier-1/generic-growfs.yaml

@@ -1,12 +0,0 @@
-add-files:
-  - - bootc-generic-growpart
-    - /usr/libexec/bootc-generic-growpart
-  - - bootc-generic-growpart.service
-    - /usr/lib/systemd/system/bootc-generic-growpart.service
-
-postprocess:
-  - |
-    #!/bin/bash
-    set -euo pipefail
-    mkdir -p /usr/lib/systemd/system/local-fs.target.wants
-    ln -s ../bootc-generic-growpart.service /usr/lib/systemd/system/local-fs.target.wants/bootc-generic-growpart.service

tier-1/initramfs-full.yaml

@@ -1,8 +0,0 @@
-# Configuration for the "tier-1" initramfs
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    mkdir -p /usr/lib/dracut/dracut.conf.d
-    cat > /usr/lib/dracut/dracut.conf.d/30-bootc-tier-1.conf << 'EOF'
-    add_dracutmodules+=" lvm crypt fips "
-    EOF

tier-1/kernel.yaml

@@ -1 +0,0 @@
-../tier-0/kernel.yaml

tier-1/manifest.yaml

@@ -1,91 +0,0 @@
-# Flip this back on, we're going to be a larger system
-recommends: true
-
-include:
-  - ../tier-x/manifest.yaml
-  - autoupdates.yaml
-  - networking-tools.yaml
-  - system-configuration.yaml
-  - coreos-user-experience.yaml
-  - persistent-journal.yaml
-  - initramfs-full.yaml
-  - generic-growfs.yaml
-
-packages:
-  # Include and set the default editor
-  - nano
-  - nfs-utils
-  # Additional firewall support; we aren't including these in RHCOS or they
-  # don't exist in RHEL
-  - iptables-services
-  - WALinuxAgent-udev
-  # Allow communication between sudo and SSSD
-  # for caching sudo rules by SSSD.
-  # https://github.com/coreos/fedora-coreos-tracker/issues/445
-  - libsss_sudo
-  # SSSD; we only ship a subset of the backends
-  - sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
-  # Used by admins interactively
-  - openssl
-  # Provides terminal tools like clear, reset, tput, and tset
-  - ncurses
-  # i18n
-  - kbd
-  # zram-generator (but not zram-generator-defaults) for F33 change
-  # https://github.com/coreos/fedora-coreos-tracker/issues/509
-  - zram-generator
-  # This one is in Python so isn't in FCOS, but we can safely add it here.
-  - sos
-
-# These are random architecture-specific packages
-packages-x86_64:
-  - irqbalance
-packages-ppc64le:
-  - irqbalance
-  - librtas
-  - powerpc-utils-core
-  - ppc64-diag-rtas
-packages-aarch64:
-  - irqbalance
-
-postprocess:
-  # Undo RPM scripts enabling units; we want the presets to be canonical
-  # https://github.com/projectatomic/rpm-ostree/issues/1803
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    rm -rf /etc/systemd/system/*
-    systemctl preset-all
-    rm -rf /etc/systemd/user/*
-    systemctl --user --global preset-all
-  # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
-  #      https://bugzilla.redhat.com/show_bug.cgi?id=2112857
-  #      https://github.com/coreos/rpm-ostree/issues/3918
-  # Temporary workaround to remove the SetGID binary from liblockfile that is
-  # pulled by the s390utils but not needed for /usr/sbin/zipl.
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    rm -f /usr/bin/dotlockfile
-
-# Things we don't expect to ship on the host.  We currently
-# have recommends: false so these could only come in via
-# hard requirement, in which case the build will fail.
-exclude-packages:
-  - perl
-  - perl-interpreter
-  - nodejs
-  - grubby
-  - cowsay  # Just in case
-  # Let's make sure initscripts doesn't get pulled back in
-  # https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
-  - initscripts
-  # For (datacenter/cloud oriented) servers, we want to see the details by default.
-  # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
-  - plymouth
-  # Do not use legacy ifcfg config format in NetworkManager
-  # See https://github.com/coreos/fedora-coreos-config/pull/1991
-  - NetworkManager-initscripts-ifcfg-rh
-  # Let's not have both legacy and nft versions in the image. Users are free to
-  # also layer legacy themselves if they want.
-  - iptables-legacy

tier-1/networking-tools.yaml

@@ -1,20 +0,0 @@
-# This defines a set of tools that are useful for configuring, debugging,
-# or manipulating the network of a system.  It is desired to keep this list
-# generic enough to be shared downstream with RHCOS.
-
-packages:
-  # Interactive Networking configuration during coreos-install
-  - NetworkManager-tui
-  # Support for cloud quirks and dynamic config in real rootfs:
-  # https://github.com/coreos/fedora-coreos-tracker/issues/320
-  - NetworkManager-cloud-setup
-  # Route manipulation and QoS
-  - iproute iproute-tc
-  # Firewall manipulation
-  - iptables nftables
-  # Interactive network tools for admins
-  - socat net-tools bind-utils
-
-exclude-packages:
-  # We use NetworkManager
-  - systemd-networkd

tier-1/system-configuration.yaml

@@ -1,30 +0,0 @@
-# These are packages that are related to configuring parts of the system.
-
-packages:
-  # Explicit dep for RHEL >= 10
-  - crypto-policies-scripts
-  # Configuring SSH keys, cloud provider check-in, etc
-  # TODO: needs Ignition kargs
-  # - afterburn afterburn-dracut
-  # NTP support
-  - chrony
-  # Storage configuration/management
-  - sg3_utils
-  ## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394
-  - cloud-utils-growpart
-  # User configuration
-  - passwd
-  - shadow-utils
-  - acl
-  # Manipulating the kernel keyring; used by bootc
-  - keyutils
-  # There are things that write outside of the journal still (such as the
-  # classic wtmp, etc.). auditd also writes outside the journal but it has its
-  # own log rotation.
-  # Anything package layered will also tend to expect files dropped in
-  # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
-  # have it then people's disks will slowly fill up with logs.
-  - logrotate
-  # Boost starving threads
-  # https://github.com/coreos/fedora-coreos-tracker/issues/753
-  - stalld

tier-x/kernel.yaml

@@ -1 +0,0 @@
-../tier-0/kernel.yaml

tier-x/manifest.yaml

@@ -1,45 +0,0 @@
-include:
-  - ../tier-0/manifest.yaml
-
-packages:
-  # Used by admins interactively
-  - attr
-  - bash-completion
-  - hostname
-  - iproute
-  - jq
-  - less
-  - vim-minimal
-  # deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
-  # dep, we still want it
-  - podman skopeo
-  # crun recommends but doesn't require criu and criu-libs. We want them for
-  # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
-  - crun criu criu-libs
-  # storage
-  - cryptsetup
-  - lvm2
-  - tar
-  # zram-generator (but not zram-generator-defaults) for F33 change
-  # https://github.com/coreos/fedora-coreos-tracker/issues/509
-  - zram-generator
-  # networking
-  - iptables-nft
-  - NetworkManager
-  - openssh-clients
-  - openssh-server
-  - systemd-resolved
-  # linux-firmware now a recommends so let's explicitly include it
-  # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
-  # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
-  - linux-firmware
-  # security
-  - polkit
-  - sudo
-  # Allow for configuring different timezones
-  - tzdata
-  # rpm-ostree
-  - rpm-ostree nss-altfiles
-  # firmware updates
-  # If you're using linux-firmware, you probably also want fwupd
-  - fwupd

usr/lib/dracut/dracut.conf.d/30-bootc-full.conf

@@ -0,0 +1 @@
+add_dracutmodules+=" lvm crypt fips "

usr/lib/systemd/system-preset/05-bootc.preset

@@ -0,0 +1,7 @@
+# Our fallback
+enable bootc-generic-growpart.service
+
+# We enable this by default just so we can say we have automatic
+# updates on by default, like CoreOS. It's very much intended
+# to be tweaked or replaced outside of trivial scenarios though.
+enable bootc-fetch-apply-updates.timer

usr/lib/tmpfiles.d/bootc-legacy-contentsets.conf

@@ -0,0 +1,5 @@
+# Workaround for https://github.com/konflux-ci/build-tasks-dockerfiles/pull/243
+d /var/roothome/buildinfo 0755 - - -
+d /var/roothome/buildinfo/content_manifests 0755 - - -
+# Note we don't actually try to recreate the content; this just makes the linter ignore it
+f /var/roothome/buildinfo/content_manifests/content-sets.json 0644 - - -

usr/share/doc/bootc-image-standard/packages-aarch64.txt

@@ -0,0 +1 @@
+irqbalance

usr/share/doc/bootc-image-standard/packages-excluded.txt

@@ -0,0 +1,21 @@
+# Packages excluded by default
+
+# We use NetworkManager
+systemd-networkd
+# But without the legacy
+# See https://github.com/coreos/fedora-coreos-config/pull/1991
+NetworkManager-initscripts-ifcfg-rh
+
+# Let's not have both legacy and nft versions in the image. Users are free to
+# also layer legacy themselves if they want.
+iptables-legacy
+
+# We use bootupd
+grubby
+# Let's make sure initscripts doesn't get pulled back in
+# https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
+initscripts
+
+# For (datacenter/cloud oriented) servers, we want to see the details by default.
+# https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
+plymouth

usr/share/doc/bootc-image-standard/packages-ppc64le.txt

@@ -0,0 +1,4 @@
+irqbalance
+librtas
+powerpc-utils-core
+ppc64-diag-rtas

usr/share/doc/bootc-image-standard/packages-recommended-minimal.txt

@@ -0,0 +1,45 @@
+# This file is simply a list of packages recommended to be used by default.
+# You can process this via e.g.
+# grep -E -v '^#' packages-recommended.txt | xargs dnf -y install
+
+# Used by admins interactively
+attr
+bash-completion
+hostname
+iproute
+jq
+less
+vim-minimal
+# deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
+# dep, we still want it
+podman skopeo
+# crun recommends but doesn't require criu and criu-libs. We want them for
+# checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
+crun criu criu-libs
+# storage
+cryptsetup
+lvm2
+tar
+# zram-generator (but not zram-generator-defaults) for F33 change
+# https://github.com/coreos/fedora-coreos-tracker/issues/509
+zram-generator
+# networking
+iptables-nft
+NetworkManager
+openssh-clients
+openssh-server
+systemd-resolved
+# linux-firmware now a recommends so let's explicitly include it
+# https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
+# https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
+linux-firmware
+# security
+polkit
+sudo
+# Allow for configuring different timezones
+tzdata
+# rpm-ostree
+rpm-ostree nss-altfiles
+# firmware updates
+# If you're using linux-firmware, you probably also want fwupd
+fwupd

usr/share/doc/bootc-image-standard/packages-x86_64.txt

@@ -0,0 +1 @@
+irqbalance

usr/share/doc/bootc-image-standard/packages.txt

@@ -0,0 +1,104 @@
+# A relatively large base image suitable for headless servers,
+# a lot like CoreOS.
+
+# Include and set the default editor
+nano
+nfs-utils
+# Additional firewall support; we aren't including these in RHCOS or they
+# don't exist in RHEL
+iptables-services
+WALinuxAgent-udev
+# Allow communication between sudo and SSSD
+# for caching sudo rules by SSSD.
+# https://github.com/coreos/fedora-coreos-tracker/issues/445
+libsss_sudo
+# SSSD; we only ship a subset of the backends
+sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
+# Used by admins interactively
+openssl
+# Provides terminal tools like clear, reset, tput, and tset
+ncurses
+# i18n
+kbd
+# zram-generator (but not zram-generator-defaults) for F33 change
+# https://github.com/coreos/fedora-coreos-tracker/issues/509
+zram-generator
+# This one is in Python so isn't in FCOS, but we can safely add it here.
+sos
+
+# Additional file compression/decompression
+bzip2 zstd
+# Improved MOTD experience
+console-login-helper-messages-issuegen
+console-login-helper-messages-profile
+# kdump support
+# https://github.com/coreos/fedora-coreos-tracker/issues/622
+kexec-tools
+# Container tooling
+toolbox
+# nvme-cli for managing nvme disks
+nvme-cli
+# Used by admins interactively
+lsof
+
+# Explicit dep for RHEL >= 10
+crypto-policies-scripts
+# Configuring SSH keys, cloud provider check-in, etc
+# TODO: needs Ignition kargs
+# - afterburn afterburn-dracut
+# NTP support
+chrony
+# Storage configuration/management
+sg3_utils
+## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394
+cloud-utils-growpart
+# User configuration
+passwd
+shadow-utils
+acl
+# Manipulating the kernel keyring; used by bootc
+keyutils
+# There are things that write outside of the journal still (such as the
+# classic wtmp, etc.). auditd also writes outside the journal but it has its
+# own log rotation.
+# Anything package layered will also tend to expect files dropped in
+# /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
+# have it then people's disks will slowly fill up with logs.
+logrotate
+# Boost starving threads
+# https://github.com/coreos/fedora-coreos-tracker/issues/753
+stalld
+
+# This defines a set of tools that are useful for configuring, debugging,
+# or manipulating the network of a system.
+# Interactive Networking configuration during coreos-install
+NetworkManager-tui
+# Support for cloud quirks and dynamic config in real rootfs:
+# https://github.com/coreos/fedora-coreos-tracker/issues/320
+NetworkManager-cloud-setup
+# Route manipulation and QoS
+iproute iproute-tc
+# Firewall manipulation
+iptables nftables
+# Interactive network tools for admins
+socat net-tools bind-utils
+
+# These are recomended by other packages installed above.
+# recommended by containers-common-extra
+qemu-user-static
+# recommended by rpm-libs
+rpm-plugin-audit
+#recomended by gnupg2
+pinentry
+gnupg2-smime
+# recommended by dracut
+pigz
+memstrack
+kpartx
+# recommended by libxcrypt
+pkcs11-provider
+# recommended by containers-common
+fuse-overlayfs
+# recommended by toolbox
+cracklib-dicts
+

usr/share/doc/bootc-image-standard/stage-clean

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -xeuo pipefail
+dnf clean all
+# Lots of cleaning
+rm -vrf /var/log /var/cache /var/lib/dnf

usr/share/doc/bootc-image-standard/stage-install

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -euo pipefail
+dn=$(dirname $0)
+cd ${dn}
+dnf_args=()
+echo "Loading packages-excluded"
+for x in $(grep -E -v '^#' packages-excluded.txt); do
+  dnf_args+=(--exclude ${x})
+done
+echo "Loading packages"
+package_files=(packages-recommended-minimal.txt packages.txt)
+pkgfile_for_arch=packages-$(arch).txt
+if test -f ${pkgfile_for_arch}; then
+  echo "Loading ${pkgfile_for_arch}"
+  package_files+=(${pkgfile_for_arch})
+fi
+base_pkgs=$(grep -hE -v '^#' ${package_files[@]})
+dnf -y ${dnf_args[@]} install $base_pkgs
+
+# Ensure we regenerate the initramfs with new content
+# https://docs.fedoraproject.org/en-US/bootc/initramfs/
+kver=$(cd /usr/lib/modules && echo *); dracut -vf /usr/lib/modules/$kver/initramfs.img $kver
+
+# Undo RPM scripts enabling units; we want the presets to be canonical for the base image.
+# https://github.com/projectatomic/rpm-ostree/issues/1803
+rm -rf /etc/systemd/system/*
+systemctl preset-all
+rm -rf /etc/systemd/user/*
+systemctl --user --global preset-all