chore(deps): update pre-commit hook pre-commit/pre-commit-hooks to v5

Signed-off-by: Platform Engineering Bot <platform-engineering@redhat.com>

.gitlab-ci.yml

@@ -4,11 +4,8 @@ include:
 
 build-image:
   extends: .build-image
-  parallel:
-    matrix:
-      - TIER: [tier-0, tier-1, tier-x]
   variables:
-    EXTRA_ARGS: "--security-opt=label=disable --cap-add=all --build-arg MANIFEST=fedora-$TIER.yaml"
+    EXTRA_ARGS: "--security-opt=label=disable --cap-add=all"
   rules:
     - if: $CI_PROJECT_NAMESPACE != "fedora/bootc"
       when: never

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: end-of-file-fixer
       - id: trailing-whitespace

Containerfile

@@ -20,14 +20,12 @@
 #
 # # Why does this build process require additional privileges?
 #
-# Because it's generating a base image and uses containerization features itself.
+# Because it's generating a base image and uses containerbuildcontextization features itself.
 # In the future some of this can be lifted.
 
-FROM quay.io/fedora/fedora:41 as repos
+FROM quay.io/fedora/fedora:40 as repos
 
-# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted.
-FROM quay.io/fedora/fedora:41 as builder
-RUN dnf -y install rpm-ostree selinux-policy-targeted
+FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
 ARG MANIFEST=fedora-bootc.yaml
 COPY --from=repos /etc/dnf/vars /etc/dnf/vars
 COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
@@ -39,16 +37,10 @@ COPY . /src
 WORKDIR /src
 RUN rm -vf /src/*.repo
 COPY --from=repos /etc/yum.repos.d/*.repo /src
-RUN --mount=type=cache,target=/workdir \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-    --mount=type=bind,from=repos,src=/,dst=/repos \
-      rpm-ostree compose image --image-config fedora-bootc-config.json \
-        --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
-       --source-root=/repos /buildcontext/out.ociarchive
+RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image \
+ --image-config fedora-bootc-config.json --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} /buildcontext/out.ociarchive
 
 FROM oci-archive:./out.ociarchive
 # Need to reference builder here to force ordering. But since we have to run
 # something anyway, we might as well cleanup after ourselves.
-RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-      rm /buildcontext/out.ociarchive
+RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive

README.md

@@ -9,72 +9,25 @@ been extremely successful. This project aims to apply the same technique for
 bootable host systems - using standard OCI/Docker containers as a transport and
 delivery format for base operating system updates.
 
-## Building images
+## Building
 
-The current default user experience is to build *layered* images on top of the official
-binary base images produced and tested by this project. See the documentation[5] for more info.
+First, the expectation is that most users will want to build *layered* images
+on top of the official base images. See the documentation[5] for more info.
 
-You can build custom base images by forking this repository; however,
-https://gitlab.com/fedora/bootc/tracker/-/issues/32 tracks a more supportable
-mechanism that is not simply forking. For more information see[6].
-
-## Build process
-
-Building the images in this repo can be done with `podman build`, but
-note the build process uses a special podman-ecosystem specific mechanism
-to create fully custom images while inside a `Containerfile`.
-You need to enable some privileges as nested containerization is required.
+Building the images in this repo can be done with `podman build` as with any
+other application image (note that building with `docker` is not currently
+supported). You need to enable some privileges for technical reasons.
 
 ```
 podman build --security-opt=label=disable --cap-add=all \
   --device /dev/fuse -t localhost/fedora-bootc .
 ```
 
-See the `Containerfile` for more details. This builds the default `tier-1` image.
-
-## Fedora versions
-
-By default, the base images are built for Fedora rawhide. To build against a
-different Fedora version, you can override the `FROM` image used to obtain the
-Fedora repos and dnf variables. E.g.:
-
-```
-podman build --from quay.io/fedora/fedora:41 ...
-```
-
-### Deriving
+See the `Containerfile` for more details.
 
 You are of course also free to fork, customize, and build base images yourself.
 See this page[6] of the documentation for more information.
 
-## Tiers
-
-At the current time, there is just one reference base image published
-to the registry. Internally the content set is split up somewhat
-into "tiers", but this is an internal implementation detail and may change
-at any time.
-
-It is planned to rework and improve this in the future, especially
-to support smaller custom images. For more on this, see
-[this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
-
-- **tier-1**: This image is the default, what is published as
-  https://quay.io/repository/fedora/fedora-bootc
-- **tier-0**: This content set is more of a convenient centralization point for CI
-  and curation around a package set that we can all agree is the rough minimum
-  necessary for a usable system. It's not meant to be used as is, but layered
-  upon.
-- **tier-x**: This content set is the shared base used by all image-based
-  Fedora variants (IoT, Atomic Desktops, and CoreOS).
-  Changes to this tier may be done without accounting for external users.
-  To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build
-  command above.
-
-**tier-1** inherits from **tier-x** and **tier-x** in turn inherit from **tier-0**.
-
-All non-trivial changes to **tier-0** and **tier-x** should be ACKed by at least
-one stakeholder of each Fedora variant WGs.
-
 ## More information
 
 Documentation: <https://docs.fedoraproject.org/en-US/bootc/>

build.sh

@@ -1,5 +0,0 @@
-podman build \
-       --security-opt=label=disable \
-       --cap-add=all \
-       --device /dev/fuse \
-       -t localhost/fedora-bootc .

fedora-40.yaml

@@ -1,7 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 40
-repos:
-  - fedora
-  - fedora-updates
-include: fedora-bootc.yaml

fedora-41.yaml

@@ -1,7 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 41
-repos:
-  - fedora
-  - fedora-updates
-include: fedora-bootc.yaml

fedora-42.yaml

@@ -1,6 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 42
-repos:
-  - fedora-devel
-include: fedora-bootc.yaml

fedora-bootc-config.json

@@ -3,7 +3,7 @@
         "containers.bootc": "1",
         "bootc.diskimage-builder": "quay.io/centos-bootc/bootc-image-builder",
         "redhat.id": "fedora",
-        "redhat.version-id": "rawhide"
+        "redhat.version-id": "40"
     },
     "StopSignal": "SIGRTMIN+3",
     "Env": [

fedora-bootc.yaml

@@ -1,8 +1,15 @@
+releasever: 40
+variables:
+  distro: "fedora"
+
+repos:
+  - fedora
+  - updates
+
 metadata:
   name: fedora-boot-tier1
   summary: Fedora Bootable Tier 1
 
 include:
-  - fedora-generic.yaml
   - tier-1/manifest.yaml
   - tier-1/kernel.yaml

fedora-generic.yaml

@@ -1,9 +0,0 @@
-variables:
-  distro: "fedora"
-
-# Fedora-specific packages here
-packages:
-  # https://gitlab.com/fedora/bootc/base-images/-/issues/12
-  - fedora-repos-archive
-  # Not in RHEL10
-  - systemd-resolved

fedora-rawhide.yaml

@@ -1,6 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: rawhide
-repos:
-  - fedora-rawhide
-include: fedora-bootc.yaml

fedora-tier-0.yaml

@@ -1,8 +1,15 @@
+releasever: 40
+variables:
+  distro: "fedora"
+
+repos:
+  - fedora-devel
+  - fedora-updates
+
 metadata:
   name: fedora-boot-tier0
   summary: Fedora Bootable Tier 0
 
 include:
-  - fedora-generic.yaml
   - tier-0/manifest.yaml
   - tier-0/kernel.yaml

fedora-tier-1.yaml

@@ -1 +0,0 @@
-fedora-bootc.yaml

fedora-tier-x.yaml

@@ -1,8 +0,0 @@
-metadata:
-  name: fedora-boot-tier-x
-  summary: Fedora Bootable Tier X
-
-include:
-  - fedora-generic.yaml
-  - tier-x/manifest.yaml
-  - tier-x/kernel.yaml

renovate.json

@@ -3,17 +3,10 @@
   "extends": [
     "github>platform-engineering-org/.github"
   ],
-  "baseBranches": ["main", "f40", "f41"],
   "packageRules": [
     {
       "matchPackageNames": ["quay.io/fedora/fedora"],
-      "allowedVersions": "=40",
-      "matchBaseBranches": ["f40"]
-    },
-    {
-      "matchPackageNames": ["quay.io/fedora/fedora"],
-      "allowedVersions": "=41",
-      "matchBaseBranches": ["f41"]
+      "allowedVersions": "=40"
     }
   ]
 }

tier-0/autoupdates.yaml

@@ -0,0 +1,9 @@
+# Enable automatic updates by default
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -euo pipefail
+    target=/usr/lib/systemd/system/default.target.wants
+    mkdir -p $target
+    set -x
+    ln -s ../bootc-fetch-apply-updates.timer $target

tier-0/basic-fixes.yaml

@@ -23,7 +23,7 @@ postprocess:
     # tmpfiles.d unit for `/var/roothome` is fine, but this actually doesn't
     # work if we want to use tmpfiles.d to write to `/root/.ssh` because
     # tmpfiles gives up on that before getting to `/var/roothome`.
-    sed -i -e 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf
+    sed -ie 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf
     # Because /var/roothome is also defined in rpm-ostree-0-integration.conf
     # we need to delete /var/roothome
-    sed -i -e '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf
+    sed -ie '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf

tier-0/bootc.yaml

@@ -2,13 +2,8 @@
 packages:
  - systemd
  - bootc
- # bootc pulls in podman, which pulls in containers-common, which wants
- # `iptables`. Currently that pulls in iptables-legacy. Let's explicitly name
- # iptables-nft instead to satisfy it.
- - iptables-nft
- # Required by bootc install, sgdisk has been replaced by Rust crate
- # in bootc https://github.com/containers/bootc/pull/775
- - xfsprogs e2fsprogs dosfstools
+ # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
+ - gdisk xfsprogs e2fsprogs dosfstools
 
 exclude-packages:
   # Exclude kernel-debug-core to make sure that it doesn't somehow get

tier-0/bootupd.yaml

@@ -9,8 +9,9 @@ packages-aarch64:
 packages-ppc64le:
   - grub2 ostree-grub2
 packages-s390x:
-  # For zipl
-  - s390utils-core
+  # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
+  # provided by s390utils-base, but soon will be -core too.
+  - /usr/sbin/zipl
 packages-x86_64:
   - grub2 grub2-efi-x64 efibootmgr shim
   - microcode_ctl
@@ -24,10 +25,7 @@ postprocess:
   - |
     #!/bin/bash
     set -xeuo pipefail
+    # Until we have https://github.com/coreos/rpm-ostree/pull/2275
+    mkdir -p /run
     # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
     /usr/bin/bootupctl backend generate-update-metadata
-  - |
-    #!/bin/bash
-    # Workaround for https://issues.redhat.com/browse/RHEL-78104
-    set -xeuo pipefail
-    rm -vrf /usr/lib/ostree-boot/loader

tier-0/finalize.d/01-var.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-# https://gitlab.com/fedora/bootc/base-images/-/issues/28
-set -xeuo pipefail
-ln -s ../run var/run
-# https://gitlab.com/fedora/bootc/tracker/-/issues/58
-mkdir -p var/lib/rpm-state

tier-0/initramfs.yaml

@@ -6,19 +6,13 @@ postprocess:
     cat > /usr/lib/dracut/dracut.conf.d/20-bootc-base.conf << 'EOF'
     # We want a generic image; hostonly makes no sense as part of a server side build
     hostonly=no
-    add_dracutmodules+=" kernel-modules dracut-systemd systemd-initrd base ostree "
+    dracutmodules+=" kernel-modules dracut-systemd systemd-initrd base ostree "
     EOF
     cat > /usr/lib/dracut/dracut.conf.d/22-bootc-generic.conf << 'EOF'
     # Extra modules that we want by default that are known to exist in the kernel
-    add_dracutmodules+=" virtiofs "
+    dracutmodules+=" virtiofs "
     EOF
     cat > /usr/lib/dracut/dracut.conf.d/49-bootc-tpm2-tss.conf << 'EOF'
     # We want this for systemd-cryptsetup tpm2 locking
-    add_dracutmodules+=" tpm2-tss "
-    EOF
-    cat > /usr/lib/dracut/dracut.conf.d/59-altfiles.conf << 'EOF'
-    # https://issues.redhat.com/browse/RHEL-49590
-    # On image mode systems we use nss-altfiles for passwd and group,
-    # this makes sure dracut uses them which also fixes kdump writing to NFS.
-    install_items+=" /usr/lib/passwd /usr/lib/group "
+    dracutmodules+=" tpm2-tss "
     EOF

tier-0/kernel-install.yaml

@@ -1,21 +0,0 @@
-# Configuration to enable kernel-install integration
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    source /usr/lib/os-release
-    echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
-    # take over. Rpm-ostree will use this to know that it is responsible\n\
-    # to run dracut and ensure that there is only one kernel in the image\n\
-    layout=ostree" | tee /usr/lib/kernel/install.conf > /dev/null
-    # By default dnf keeps multiple versions of the kernel, with this
-    # configuration we tell dnf to treat the kernel as everything else.
-    # https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
-    # Let's add the config to a distribution configuration file if dnf5
-    # is used, we append to /etc/dnf/dnf.conf if not.
-    if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
-      echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
-    else
-      echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
-    fi
-

tier-0/kernel-rt.yaml

@@ -0,0 +1,10 @@
+repos:
+  - rt
+  - nfv
+
+# Enable the "realtime" AKA soft-realtime AKA latency-optimized kernel.
+packages:
+ - kernel-rt-core kernel-rt-modules kernel-rt-modules-extra kernel-rt-kvm
+
+exclude-packages:
+  - kernel-rt-debug-core

tier-0/manifest.yaml

@@ -1,35 +1,63 @@
-edition: "2024"
 
+# Modern defaults we want
+boot-location: modules
+tmp-is-dir: true
+# https://github.com/CentOS/centos-bootc/issues/167
+machineid-compat: true
 # Be minimal
 recommends: false
 
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+etc-group-members:
+  - wheel
+  - sudo
+  - systemd-journal
+  - adm
+
 # Default to `bash` in our container, the same as other containers we ship.
 container-cmd:
   - /sbin/init
 
+# Note that the default for c9s+ is sqlite; we can't rely on rpm being
+# in the target (it isn't in tier-0!) so turn this to host here.  This
+# does break the "hermetic build" aspect a bit.  Maybe eventually
+# what we should do is special case this and actually install RPM temporarily
+# and then remove it...
+rpmdb: host
+
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"
+
 remove-from-packages:
   # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
   - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
   # We don't want auto-generated mount units. See also
   # https://github.com/systemd/systemd/issues/13099
   - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
+  # Drop some buggy sysusers fragments which do not match static IDs allocation:
+  # https://bugzilla.redhat.com/show_bug.cgi?id=2105177
+  - [dbus-common, /usr/lib/sysusers.d/dbus.conf]
 
 include:
-  - postprocess-conf.yaml
   - bootc.yaml
-  - bootupd.yaml
   - ostree.yaml
   - initramfs.yaml
+  - autoupdates.yaml
   - basic-fixes.yaml
-  - kernel-install.yaml
 
 packages:
-  # this is implied by dependencies but let's make it explicit
-  - coreutils
-  # We need dnf for building derived container images. In Fedora, this pulls
-  # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
-  # just `dnf` once the `dnf` package is retired from Fedora.
-  - /usr/bin/dnf
+  # needed for building derived container images
+  - dnf
   # Even in tier-0, we have this.  If you don't want SELinux today, you'll need
   # to build a custom image.
   - selinux-policy-targeted
@@ -37,3 +65,8 @@ packages:
   - container-selinux
   # Needed for tpm2 bound luks
   - tpm2-tools
+
+# See https://github.com/coreos/bootupd
+arch-include:
+  x86_64: bootupd.yaml
+  aarch64: bootupd.yaml

tier-0/ostree.yaml

@@ -1,6 +1,9 @@
 packages:
  - ostree nss-altfiles
 
+# We want content lifecycled with the image
+opt-usrlocal: "root"
+
 postprocess:
   # Set up default root config
   - |

tier-0/passwd

@@ -23,7 +23,7 @@ rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
 rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
-sssd:x:995:993:User for sssd:/run/sssd:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
 systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin

tier-0/postprocess-conf.yaml

@@ -1,34 +0,0 @@
-# This file configures things relevant to `rpm-ostree compose postprocess`.
-
-# We want content lifecycled with the image
-opt-usrlocal: "root"
-
-# https://github.com/CentOS/centos-bootc/issues/167
-machineid-compat: true
-
-# Note that the default for c9s+ is sqlite; we can't rely on rpm being
-# in the target (it isn't in tier-0!) so turn this to host here.  This
-# does break the "hermetic build" aspect a bit.  Maybe eventually
-# what we should do is special case this and actually install RPM temporarily
-# and then remove it...
-rpmdb: host
-
-ignore-removed-users:
-  - root
-ignore-removed-groups:
-  - root
-etc-group-members:
-  - wheel
-  - sudo
-  - systemd-journal
-  - adm
-
-check-passwd:
-  type: "file"
-  filename: "passwd"
-check-groups:
-  type: "file"
-  filename: "group"
-
-automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
-mutate-os-release: "${releasever}"

tier-1/autoupdates.yaml

@@ -1,9 +0,0 @@
-# Enable automatic updates by default
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    set -euo pipefail
-    target=/usr/lib/systemd/system/default.target.wants
-    mkdir -p $target
-    set -x
-    ln -s ../bootc-fetch-apply-updates.timer $target

tier-1/autoupdates.yaml

@@ -0,0 +1 @@
+../tier-0/autoupdates.yaml

tier-1/basic-fixes.yaml

@@ -0,0 +1 @@
+../tier-0/basic-fixes.yaml

tier-1/bootable-rpm-ostree.yaml

@@ -0,0 +1,8 @@
+packages:
+ - rpm-ostree nss-altfiles
+
+exclude-packages:
+  # Exclude kernel-debug-core to make sure that it doesn't somehow get
+  # chosen as the package to satisfy the `kernel-core` dependency from
+  # the kernel package.
+  - kernel-debug-core

tier-1/bootc-config.yaml

@@ -0,0 +1 @@
+../tier-0/bootc-config.yaml

tier-1/bootc-generic-growpart

@@ -3,18 +3,15 @@ set -eu
 
 backing_device=$(findmnt -vno SOURCE /sysroot)
 echo "Backing device: ${backing_device}"
-
-# Handling devicemapper targets is a whole other thing
-case $backing_device in
-    /dev/mapper/*) echo "Not growing $backing_device"; exit 0 ;;
-esac
-
 syspath=/sys/class/block/$(basename "${backing_device}")
 if ! test -d "${syspath}"; then
     echo "failed to find backing device ${syspath}"; exit 1
 fi
 
-
+# Handling devicemapper targets is a whole other thing
+case $backing_device in
+    /dev/mapper/*) "Not growing $backing_device"; exit 0 ;;
+esac
 
 # Note that we expect that the rootfs is on a partition
 partition=$(cat "${syspath}"/partition)

tier-1/bootc-generic-growpart.service

@@ -6,8 +6,6 @@ Documentation=https://gitlab.com/fedora/bootc/docs
 ConditionVirtualization=vm
 # This helps verify that we're running in a bootc/ostree based target.
 ConditionPathIsMountPoint=/sysroot
-# For someone making a smaller image, assume they have this handled.
-ConditionPathExists=/usr/bin/growpart
 # We want to run before any e.g. large container images might be pulled.
 DefaultDependencies=no
 Requires=sysinit.target

tier-1/bootc.yaml

@@ -0,0 +1 @@
+../tier-0/bootc.yaml

tier-1/bootupd.yaml

@@ -0,0 +1 @@
+../tier-0/bootupd.yaml

tier-1/coreos-user-experience.yaml

@@ -1,10 +1,41 @@
 # This file was forked/copied from Fedora CoreOS.  TODO: resync
 # once we have a good generic mechanism for sharing.
 packages:
-  # Additional file compression/decompression
-  - bzip2 zstd
+  # Basic user tools
+  ## jq - parsing/interacting with JSON data
+  - bash-completion
+  - coreutils
+  - file
+  - jq
+  - less
+  - sudo
+  - vim-minimal
+  # File compression/decompression
+  ## bsdtar - dependency of 35coreos-live dracut module
+  - bsdtar
+  - bzip2
+  - gzip
+  - tar
+  - xz
+  - zstd
+  # Improved MOTD experience
+  - console-login-helper-messages-issuegen
+  - console-login-helper-messages-profile
   # kdump support
   # https://github.com/coreos/fedora-coreos-tracker/issues/622
   - kexec-tools
+  # Remote Access
+  - openssh-clients openssh-server
+  # Container tooling
+  ## crun recommends but doesn't require criu and criu-libs. We want them for
+  ## checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
+  - crun criu criu-libs
+  - podman
+  - skopeo
+  - toolbox
+  # passt provides user-mode networking daemons for namespaces
+  - passt
   # nvme-cli for managing nvme disks
   - nvme-cli
+  # Used by admins interactively
+  - lsof

tier-1/firmware.yaml

@@ -0,0 +1,7 @@
+ packages:
+  # linux-firmware now a recommends so let's explicitly include it
+  # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
+  # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
+  - linux-firmware
+  # If you're using linux-firmware, you probably also want fwupd
+  - fwupd

tier-1/fwupd.yaml

@@ -0,0 +1,5 @@
+# Firmware updates
+packages-aarch64:
+  - fwupd
+packages-x86_64:
+  - fwupd

tier-1/group

@@ -0,0 +1 @@
+../tier-0/group

tier-1/grub2-removals.yaml

@@ -0,0 +1 @@
+../tier-0/grub2-removals.yaml

tier-1/initramfs-full.yaml

@@ -4,5 +4,5 @@ postprocess:
     #!/usr/bin/env bash
     mkdir -p /usr/lib/dracut/dracut.conf.d
     cat > /usr/lib/dracut/dracut.conf.d/30-bootc-tier-1.conf << 'EOF'
-    add_dracutmodules+=" lvm crypt fips "
+    dracutmodules+=" lvm crypt "
     EOF

tier-1/initramfs.yaml

@@ -0,0 +1 @@
+../tier-0/initramfs.yaml

tier-1/kdump-aarch64-aws-workaround.yaml

@@ -0,0 +1,12 @@
+# This file includes a fixup for kdump on aarch64 AWS instances.
+# The issue seems specific to aarch64 AWS instances, but we'll go
+# ahead and apply it across the board for aarch64, since that's
+# the easiest thing to do. Hopefully the upstream issue will get
+# resolved soon.
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    # Remove irqpoll from the list of KDUMP_COMMANDLINE_APPEND. This
+    # causes issues on aarch64 AWS instances.
+    # https://github.com/coreos/fedora-coreos-tracker/issues/1187
+    sed -i -e 's/irqpoll //' /etc/sysconfig/kdump

tier-1/manifest-tier-0.yaml

@@ -0,0 +1 @@
+../tier-0/manifest.yaml

tier-1/manifest.yaml

@@ -2,21 +2,38 @@
 recommends: true
 
 include:
-  - ../tier-x/manifest.yaml
+  - manifest-tier-0.yaml
+  - bootable-rpm-ostree.yaml
+  - podman.yaml
+  - firmware.yaml
   - networking-tools.yaml
   - system-configuration.yaml
   - coreos-user-experience.yaml
+  - fwupd.yaml
   - persistent-journal.yaml
   - initramfs-full.yaml
+  - generic-growfs.yaml
 
 packages:
+  # Include and set the default editor
+  - nano
+  # And we expect this in general
+  - vim-minimal
   - nfs-utils
   # Additional firewall support; we aren't including these in RHCOS or they
   # don't exist in RHEL
-  - iptables-services
+  - iptables-nft iptables-services
   - WALinuxAgent-udev
+  # Allow communication between sudo and SSSD
+  # for caching sudo rules by SSSD.
+  # https://github.com/coreos/fedora-coreos-tracker/issues/445
+  - libsss_sudo
+  # SSSD; we only ship a subset of the backends
+  - sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
   # Used by admins interactively
+  - attr
   - openssl
+  - lsof
   # Provides terminal tools like clear, reset, tput, and tset
   - ncurses
   # i18n
@@ -24,10 +41,21 @@ packages:
   # zram-generator (but not zram-generator-defaults) for F33 change
   # https://github.com/coreos/fedora-coreos-tracker/issues/509
   - zram-generator
+  # resolved was broken out to its own package in rawhide/f35
+  - systemd-resolved
+  # This one is in Python so isn't in FCOS, but we can safely add it here.
+  - sos
 
 # These are random architecture-specific packages
-packages-x86_64: []
-packages-aarch64: []
+packages-x86_64:
+  - irqbalance
+packages-ppc64le:
+  - irqbalance
+  - librtas
+  - powerpc-utils-core
+  - ppc64-diag-rtas
+packages-aarch64:
+  - irqbalance
 
 postprocess:
   # Undo RPM scripts enabling units; we want the presets to be canonical
@@ -39,6 +67,19 @@ postprocess:
     systemctl preset-all
     rm -rf /etc/systemd/user/*
     systemctl --user --global preset-all
+  # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
+  # remove iptables-legacy. This is needed because alternatives don't work
+  # https://github.com/coreos/fedora-coreos-tracker/issues/677
+  # https://github.com/coreos/fedora-coreos-tracker/issues/676
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    ln -sf /usr/sbin/ip6tables-nft         /etc/alternatives/ip6tables
+    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+    ln -sf /usr/sbin/ip6tables-nft-save    /etc/alternatives/ip6tables-save
+    ln -sf /usr/sbin/iptables-nft          /etc/alternatives/iptables
+    ln -sf /usr/sbin/iptables-nft-restore  /etc/alternatives/iptables-restore
+    ln -sf /usr/sbin/iptables-nft-save     /etc/alternatives/iptables-save
   # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
   #      https://bugzilla.redhat.com/show_bug.cgi?id=2112857
   #      https://github.com/coreos/rpm-ostree/issues/3918
@@ -67,6 +108,3 @@ exclude-packages:
   # Do not use legacy ifcfg config format in NetworkManager
   # See https://github.com/coreos/fedora-coreos-config/pull/1991
   - NetworkManager-initscripts-ifcfg-rh
-  # Let's not have both legacy and nft versions in the image. Users are free to
-  # also layer legacy themselves if they want.
-  - iptables-legacy

tier-1/networking-tools.yaml

@@ -3,6 +3,8 @@
 # generic enough to be shared downstream with RHCOS.
 
 packages:
+  # Standard tools for configuring network/hostname
+  - NetworkManager hostname
   # Interactive Networking configuration during coreos-install
   - NetworkManager-tui
   # Support for cloud quirks and dynamic config in real rootfs:

tier-1/ostree.yaml

@@ -0,0 +1 @@
+../tier-0/ostree.yaml

tier-1/passwd

@@ -0,0 +1 @@
+../tier-0/passwd

tier-1/podman.yaml

@@ -0,0 +1,7 @@
+# Core podman bits
+
+packages:
+  - crun
+  - podman
+  - container-selinux
+  - skopeo

tier-1/system-configuration.yaml

@@ -1,12 +1,17 @@
 # These are packages that are related to configuring parts of the system.
 
 packages:
-  # Explicit dep for RHEL >= 10
-  - crypto-policies-scripts
+  # Configuring SSH keys, cloud provider check-in, etc
+  # TODO: needs Ignition kargs
+  # - afterburn afterburn-dracut
   # NTP support
   - chrony
   # Storage configuration/management
+  - lvm2
+  - cryptsetup
+  - e2fsprogs
   - sg3_utils
+  - xfsprogs
   ## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394
   - cloud-utils-growpart
   # User configuration
@@ -22,3 +27,6 @@ packages:
   # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
   # have it then people's disks will slowly fill up with logs.
   - logrotate
+  # Boost starving threads
+  # https://github.com/coreos/fedora-coreos-tracker/issues/753
+  - stalld

tier-x/kernel.yaml

@@ -1 +0,0 @@
-../tier-0/kernel.yaml

tier-x/manifest.yaml

@@ -1,44 +0,0 @@
-include:
-  - ../tier-0/manifest.yaml
-
-packages:
-  # Used by admins interactively
-  - attr
-  - bash-completion
-  - hostname
-  - iproute
-  - jq
-  - less
-  - vim-minimal
-  # deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
-  # dep, we still want it
-  - podman skopeo
-  # crun recommends but doesn't require criu and criu-libs. We want them for
-  # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
-  - crun criu criu-libs
-  # storage
-  - cryptsetup
-  - lvm2
-  - tar
-  # zram-generator (but not zram-generator-defaults) for F33 change
-  # https://github.com/coreos/fedora-coreos-tracker/issues/509
-  - zram-generator
-  # networking
-  - iptables-nft
-  - NetworkManager
-  - openssh-clients
-  - openssh-server
-  # linux-firmware now a recommends so let's explicitly include it
-  # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
-  # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
-  - linux-firmware
-  # security
-  - polkit
-  - sudo
-  # Allow for configuring different timezones
-  - tzdata
-  # rpm-ostree
-  - rpm-ostree nss-altfiles
-  # firmware updates
-  # If you're using linux-firmware, you probably also want fwupd
-  - fwupd