Containerfile

@@ -20,14 +20,12 @@
 #
 # # Why does this build process require additional privileges?
 #
-# Because it's generating a base image and uses containerization features itself.
+# Because it's generating a base image and uses containerbuildcontextization features itself.
 # In the future some of this can be lifted.
 
-FROM quay.io/fedora/fedora:41 as repos
+FROM quay.io/fedora/fedora:rawhide as repos
 
-# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted.
-FROM quay.io/fedora/fedora:41 as builder
-RUN dnf -y install rpm-ostree selinux-policy-targeted
+FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
 ARG MANIFEST=fedora-bootc.yaml
 COPY --from=repos /etc/dnf/vars /etc/dnf/vars
 COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
@@ -39,16 +37,10 @@ COPY . /src
 WORKDIR /src
 RUN rm -vf /src/*.repo
 COPY --from=repos /etc/yum.repos.d/*.repo /src
-RUN --mount=type=cache,target=/workdir \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-    --mount=type=bind,from=repos,src=/,dst=/repos \
-      rpm-ostree compose image --image-config fedora-bootc-config.json \
-        --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
-       --source-root=/repos /buildcontext/out.ociarchive
+RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image \
+ --image-config fedora-bootc-config.json --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} /buildcontext/out.ociarchive
 
 FROM oci-archive:./out.ociarchive
 # Need to reference builder here to force ordering. But since we have to run
 # something anyway, we might as well cleanup after ourselves.
-RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-      rm /buildcontext/out.ociarchive
+RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive

README.md

@@ -32,16 +32,6 @@ podman build --security-opt=label=disable --cap-add=all \
 
 See the `Containerfile` for more details. This builds the default `tier-1` image.
 
-## Fedora versions
-
-By default, the base images are built for Fedora rawhide. To build against a
-different Fedora version, you can override the `FROM` image used to obtain the
-Fedora repos and dnf variables. E.g.:
-
-```
-podman build --from quay.io/fedora/fedora:41 ...
-```
-
 ### Deriving
 
 You are of course also free to fork, customize, and build base images yourself.
@@ -49,23 +39,15 @@ See this page[6] of the documentation for more information.
 
 ## Tiers
 
-At the current time, there is just one reference base image published
-to the registry. Internally the content set is split up somewhat
-into "tiers", but this is an internal implementation detail and may change
-at any time.
-
-It is planned to rework and improve this in the future, especially
-to support smaller custom images. For more on this, see
-[this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
-
+There are currently 3 tiers:
 - **tier-1**: This image is the default, what is published as
   https://quay.io/repository/fedora/fedora-bootc
-- **tier-0**: This content set is more of a convenient centralization point for CI
+- **tier-0**: This image is more of a convenient centralization point for CI
   and curation around a package set that we can all agree is the rough minimum
   necessary for a usable system. It's not meant to be used as is, but layered
   upon.
-- **tier-x**: This content set is the shared base used by all image-based
-  Fedora variants (IoT, Atomic Desktops, and CoreOS).
+- **tier-x**: This image is not intended for end-users. It's the shared base
+  used by all image-based Fedora variants (IoT, Atomic Desktops, and CoreOS).
   Changes to this tier may be done without accounting for external users.
   To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build
   command above.

build.sh

@@ -1,5 +0,0 @@
-podman build \
-       --security-opt=label=disable \
-       --cap-add=all \
-       --device /dev/fuse \
-       -t localhost/fedora-bootc .

fedora-40.yaml

@@ -1,7 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 40
-repos:
-  - fedora
-  - fedora-updates
-include: fedora-bootc.yaml

fedora-41.yaml

@@ -1,7 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 41
-repos:
-  - fedora
-  - fedora-updates
-include: fedora-bootc.yaml

fedora-42.yaml

@@ -1,6 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 42
-repos:
-  - fedora-devel
-include: fedora-bootc.yaml

fedora-bootc.yaml

@@ -1,3 +1,7 @@
+releasever: rawhide
+repos:
+  - rawhide
+
 metadata:
   name: fedora-boot-tier1
   summary: Fedora Bootable Tier 1

fedora-generic.yaml

@@ -5,5 +5,3 @@ variables:
 packages:
   # https://gitlab.com/fedora/bootc/base-images/-/issues/12
   - fedora-repos-archive
-  # Not in RHEL10
-  - systemd-resolved

fedora-rawhide.yaml

@@ -1,6 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: rawhide
-repos:
-  - fedora-rawhide
-include: fedora-bootc.yaml

fedora-tier-0.yaml

@@ -1,3 +1,7 @@
+releasever: rawhide
+repos:
+  - rawhide
+
 metadata:
   name: fedora-boot-tier0
   summary: Fedora Bootable Tier 0

fedora-tier-x.yaml

@@ -1,3 +1,7 @@
+releasever: rawhide
+repos:
+  - rawhide
+
 metadata:
   name: fedora-boot-tier-x
   summary: Fedora Bootable Tier X

tier-0/bootc.yaml

@@ -6,9 +6,8 @@ packages:
  # `iptables`. Currently that pulls in iptables-legacy. Let's explicitly name
  # iptables-nft instead to satisfy it.
  - iptables-nft
- # Required by bootc install, sgdisk has been replaced by Rust crate
- # in bootc https://github.com/containers/bootc/pull/775
- - xfsprogs e2fsprogs dosfstools
+ # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
+ - gdisk xfsprogs e2fsprogs dosfstools
 
 exclude-packages:
   # Exclude kernel-debug-core to make sure that it doesn't somehow get

tier-0/bootupd.yaml

@@ -9,8 +9,9 @@ packages-aarch64:
 packages-ppc64le:
   - grub2 ostree-grub2
 packages-s390x:
-  # For zipl
-  - s390utils-core
+  # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
+  # provided by s390utils-base, but soon will be -core too.
+  - /usr/sbin/zipl
 packages-x86_64:
   - grub2 grub2-efi-x64 efibootmgr shim
   - microcode_ctl
@@ -26,8 +27,3 @@ postprocess:
     set -xeuo pipefail
     # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
     /usr/bin/bootupctl backend generate-update-metadata
-  - |
-    #!/bin/bash
-    # Workaround for https://issues.redhat.com/browse/RHEL-78104
-    set -xeuo pipefail
-    rm -vrf /usr/lib/ostree-boot/loader

tier-0/finalize.d/01-var.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-# https://gitlab.com/fedora/bootc/base-images/-/issues/28
-set -xeuo pipefail
-ln -s ../run var/run
-# https://gitlab.com/fedora/bootc/tracker/-/issues/58
-mkdir -p var/lib/rpm-state

tier-0/kernel-install.yaml

@@ -1,21 +0,0 @@
-# Configuration to enable kernel-install integration
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    source /usr/lib/os-release
-    echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
-    # take over. Rpm-ostree will use this to know that it is responsible\n\
-    # to run dracut and ensure that there is only one kernel in the image\n\
-    layout=ostree" | tee /usr/lib/kernel/install.conf > /dev/null
-    # By default dnf keeps multiple versions of the kernel, with this
-    # configuration we tell dnf to treat the kernel as everything else.
-    # https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
-    # Let's add the config to a distribution configuration file if dnf5
-    # is used, we append to /etc/dnf/dnf.conf if not.
-    if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
-      echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
-    else
-      echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
-    fi
-

tier-0/kernel-rt.yaml

@@ -0,0 +1,10 @@
+repos:
+  - rt
+  - nfv
+
+# Enable the "realtime" AKA soft-realtime AKA latency-optimized kernel.
+packages:
+ - kernel-rt-core kernel-rt-modules kernel-rt-modules-extra kernel-rt-kvm
+
+exclude-packages:
+  - kernel-rt-debug-core

tier-0/manifest.yaml

@@ -1,12 +1,43 @@
-edition: "2024"
 
+# Modern defaults we want
+boot-location: modules
+tmp-is-dir: true
+# https://github.com/CentOS/centos-bootc/issues/167
+machineid-compat: true
 # Be minimal
 recommends: false
 
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+etc-group-members:
+  - wheel
+  - sudo
+  - systemd-journal
+  - adm
+
 # Default to `bash` in our container, the same as other containers we ship.
 container-cmd:
   - /sbin/init
 
+# Note that the default for c9s+ is sqlite; we can't rely on rpm being
+# in the target (it isn't in tier-0!) so turn this to host here.  This
+# does break the "hermetic build" aspect a bit.  Maybe eventually
+# what we should do is special case this and actually install RPM temporarily
+# and then remove it...
+rpmdb: host
+
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"
+
 remove-from-packages:
   # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
   - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
@@ -15,21 +46,17 @@ remove-from-packages:
   - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
 
 include:
-  - postprocess-conf.yaml
   - bootc.yaml
   - bootupd.yaml
   - ostree.yaml
   - initramfs.yaml
   - basic-fixes.yaml
-  - kernel-install.yaml
 
 packages:
   # this is implied by dependencies but let's make it explicit
   - coreutils
-  # We need dnf for building derived container images. In Fedora, this pulls
-  # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
-  # just `dnf` once the `dnf` package is retired from Fedora.
-  - /usr/bin/dnf
+  # needed for building derived container images
+  - dnf5
   # Even in tier-0, we have this.  If you don't want SELinux today, you'll need
   # to build a custom image.
   - selinux-policy-targeted

tier-0/ostree.yaml

@@ -1,6 +1,9 @@
 packages:
  - ostree nss-altfiles
 
+# We want content lifecycled with the image
+opt-usrlocal: "root"
+
 postprocess:
   # Set up default root config
   - |

tier-0/passwd

@@ -23,7 +23,7 @@ rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
 rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
-sssd:x:995:993:User for sssd:/run/sssd:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
 systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin

tier-0/postprocess-conf.yaml

@@ -1,34 +0,0 @@
-# This file configures things relevant to `rpm-ostree compose postprocess`.
-
-# We want content lifecycled with the image
-opt-usrlocal: "root"
-
-# https://github.com/CentOS/centos-bootc/issues/167
-machineid-compat: true
-
-# Note that the default for c9s+ is sqlite; we can't rely on rpm being
-# in the target (it isn't in tier-0!) so turn this to host here.  This
-# does break the "hermetic build" aspect a bit.  Maybe eventually
-# what we should do is special case this and actually install RPM temporarily
-# and then remove it...
-rpmdb: host
-
-ignore-removed-users:
-  - root
-ignore-removed-groups:
-  - root
-etc-group-members:
-  - wheel
-  - sudo
-  - systemd-journal
-  - adm
-
-check-passwd:
-  type: "file"
-  filename: "passwd"
-check-groups:
-  type: "file"
-  filename: "group"
-
-automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
-mutate-os-release: "${releasever}"

tier-1/bootc-generic-growpart.service

@@ -6,8 +6,6 @@ Documentation=https://gitlab.com/fedora/bootc/docs
 ConditionVirtualization=vm
 # This helps verify that we're running in a bootc/ostree based target.
 ConditionPathIsMountPoint=/sysroot
-# For someone making a smaller image, assume they have this handled.
-ConditionPathExists=/usr/bin/growpart
 # We want to run before any e.g. large container images might be pulled.
 DefaultDependencies=no
 Requires=sysinit.target

tier-1/coreos-user-experience.yaml

@@ -3,8 +3,15 @@
 packages:
   # Additional file compression/decompression
   - bzip2 zstd
+  # Improved MOTD experience
+  - console-login-helper-messages-issuegen
+  - console-login-helper-messages-profile
   # kdump support
   # https://github.com/coreos/fedora-coreos-tracker/issues/622
   - kexec-tools
+  # Container tooling
+  - toolbox
   # nvme-cli for managing nvme disks
   - nvme-cli
+  # Used by admins interactively
+  - lsof

tier-1/manifest.yaml

@@ -3,18 +3,28 @@ recommends: true
 
 include:
   - ../tier-x/manifest.yaml
+  - autoupdates.yaml
   - networking-tools.yaml
   - system-configuration.yaml
   - coreos-user-experience.yaml
   - persistent-journal.yaml
   - initramfs-full.yaml
+  - generic-growfs.yaml
 
 packages:
+  # Include and set the default editor
+  - nano
   - nfs-utils
   # Additional firewall support; we aren't including these in RHCOS or they
   # don't exist in RHEL
   - iptables-services
   - WALinuxAgent-udev
+  # Allow communication between sudo and SSSD
+  # for caching sudo rules by SSSD.
+  # https://github.com/coreos/fedora-coreos-tracker/issues/445
+  - libsss_sudo
+  # SSSD; we only ship a subset of the backends
+  - sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
   # Used by admins interactively
   - openssl
   # Provides terminal tools like clear, reset, tput, and tset
@@ -24,10 +34,19 @@ packages:
   # zram-generator (but not zram-generator-defaults) for F33 change
   # https://github.com/coreos/fedora-coreos-tracker/issues/509
   - zram-generator
+  # This one is in Python so isn't in FCOS, but we can safely add it here.
+  - sos
 
 # These are random architecture-specific packages
-packages-x86_64: []
-packages-aarch64: []
+packages-x86_64:
+  - irqbalance
+packages-ppc64le:
+  - irqbalance
+  - librtas
+  - powerpc-utils-core
+  - ppc64-diag-rtas
+packages-aarch64:
+  - irqbalance
 
 postprocess:
   # Undo RPM scripts enabling units; we want the presets to be canonical

tier-1/system-configuration.yaml

@@ -3,6 +3,9 @@
 packages:
   # Explicit dep for RHEL >= 10
   - crypto-policies-scripts
+  # Configuring SSH keys, cloud provider check-in, etc
+  # TODO: needs Ignition kargs
+  # - afterburn afterburn-dracut
   # NTP support
   - chrony
   # Storage configuration/management
@@ -21,4 +24,7 @@ packages:
   # Anything package layered will also tend to expect files dropped in
   # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
   # have it then people's disks will slowly fill up with logs.
-  - logrotate
+  - logrotate
+  # Boost starving threads
+  # https://github.com/coreos/fedora-coreos-tracker/issues/753
+  - stalld

tier-x/manifest.yaml

@@ -10,12 +10,12 @@ packages:
   - jq
   - less
   - vim-minimal
+  # crun recommends but doesn't require criu and criu-libs. We want them for
+  # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
+  - criu criu-libs
   # deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
   # dep, we still want it
   - podman skopeo
-  # crun recommends but doesn't require criu and criu-libs. We want them for
-  # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
-  - crun criu criu-libs
   # storage
   - cryptsetup
   - lvm2
@@ -28,6 +28,7 @@ packages:
   - NetworkManager
   - openssh-clients
   - openssh-server
+  - systemd-resolved
   # linux-firmware now a recommends so let's explicitly include it
   # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
   # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide