

No commits in common. "jamesp-fork" and "v2024.0" have entirely different histories.

26 changed files with 114 additions and 156 deletions


@ -20,14 +20,12 @@
# #
# # Why does this build process require additional privileges? # # Why does this build process require additional privileges?
# #
# Because it's generating a base image and uses containerization features itself. # Because it's generating a base image and uses containerbuildcontextization features itself.
# In the future some of this can be lifted. # In the future some of this can be lifted.
FROM quay.io/fedora/fedora:41 as repos FROM quay.io/fedora/fedora:rawhide as repos
# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted. FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
FROM quay.io/fedora/fedora:41 as builder
RUN dnf -y install rpm-ostree selinux-policy-targeted
ARG MANIFEST=fedora-bootc.yaml ARG MANIFEST=fedora-bootc.yaml
COPY --from=repos /etc/dnf/vars /etc/dnf/vars COPY --from=repos /etc/dnf/vars /etc/dnf/vars
COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
@ -39,16 +37,10 @@ COPY . /src
WORKDIR /src WORKDIR /src
RUN rm -vf /src/*.repo RUN rm -vf /src/*.repo
COPY --from=repos /etc/yum.repos.d/*.repo /src COPY --from=repos /etc/yum.repos.d/*.repo /src
RUN --mount=type=cache,target=/workdir \ RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image \
--mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \ --image-config fedora-bootc-config.json --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} /buildcontext/out.ociarchive
--mount=type=bind,from=repos,src=/,dst=/repos \
rpm-ostree compose image --image-config fedora-bootc-config.json \
--cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
--source-root=/repos /buildcontext/out.ociarchive
FROM oci-archive:./out.ociarchive FROM oci-archive:./out.ociarchive
# Need to reference builder here to force ordering. But since we have to run # Need to reference builder here to force ordering. But since we have to run
# something anyway, we might as well cleanup after ourselves. # something anyway, we might as well cleanup after ourselves.
RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \ RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive
--mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
rm /buildcontext/out.ociarchive


@ -32,16 +32,6 @@ podman build --security-opt=label=disable --cap-add=all \
See the `Containerfile` for more details. This builds the default `tier-1` image. See the `Containerfile` for more details. This builds the default `tier-1` image.
## Fedora versions
By default, the base images are built for Fedora rawhide. To build against a
different Fedora version, you can override the `FROM` image used to obtain the
Fedora repos and dnf variables. E.g.:
```
podman build --from quay.io/fedora/fedora:41 ...
```
### Deriving ### Deriving
You are of course also free to fork, customize, and build base images yourself. You are of course also free to fork, customize, and build base images yourself.
@ -49,23 +39,15 @@ See this page[6] of the documentation for more information.
## Tiers ## Tiers
At the current time, there is just one reference base image published There are currently 3 tiers:
to the registry. Internally the content set is split up somewhat
into "tiers", but this is an internal implementation detail and may change
at any time.
It is planned to rework and improve this in the future, especially
to support smaller custom images. For more on this, see
[this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
- **tier-1**: This image is the default, what is published as - **tier-1**: This image is the default, what is published as
https://quay.io/repository/fedora/fedora-bootc https://quay.io/repository/fedora/fedora-bootc
- **tier-0**: This content set is more of a convenient centralization point for CI - **tier-0**: This image is more of a convenient centralization point for CI
and curation around a package set that we can all agree is the rough minimum and curation around a package set that we can all agree is the rough minimum
necessary for a usable system. It's not meant to be used as is, but layered necessary for a usable system. It's not meant to be used as is, but layered
upon. upon.
- **tier-x**: This content set is the shared base used by all image-based - **tier-x**: This image is not intended for end-users. It's the shared base
Fedora variants (IoT, Atomic Desktops, and CoreOS). used by all image-based Fedora variants (IoT, Atomic Desktops, and CoreOS).
Changes to this tier may be done without accounting for external users. Changes to this tier may be done without accounting for external users.
To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build
command above. command above.


@ -1,5 +0,0 @@
podman build \
--security-opt=label=disable \
--cap-add=all \
--device /dev/fuse \
-t localhost/fedora-bootc .


@ -1,7 +0,0 @@
# NB: This treefile is used by the legacy pungi path only to build tier-1. It
# will be removed in the future.
releasever: 40
repos:
- fedora
- fedora-updates
include: fedora-bootc.yaml


@ -1,7 +0,0 @@
# NB: This treefile is used by the legacy pungi path only to build tier-1. It
# will be removed in the future.
releasever: 41
repos:
- fedora
- fedora-updates
include: fedora-bootc.yaml


@ -1,6 +0,0 @@
# NB: This treefile is used by the legacy pungi path only to build tier-1. It
# will be removed in the future.
releasever: 42
repos:
- fedora-devel
include: fedora-bootc.yaml


@ -1,3 +1,7 @@
releasever: rawhide
repos:
- rawhide
metadata: metadata:
name: fedora-boot-tier1 name: fedora-boot-tier1
summary: Fedora Bootable Tier 1 summary: Fedora Bootable Tier 1
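Review bot: `releasever: rawhide` together with `repos: - rawhide` is added verbatim to this tier manifest and again to the tier-0 and tier-x manifests in the sections below, so a Fedora release bump has to be made in three places and the three copies can drift apart. Consider a single shared include (for example a `fedora-release.yaml` holding just those two keys) that each manifest pulls in through its `include:` list, plus a comment in each manifest stating where the release is set. I am reading the right-hand column as the new side; the hunk header counts 4 additions while 3 are rendered, so one added line is not visible here.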


@ -5,5 +5,3 @@ variables:
packages: packages:
# https://gitlab.com/fedora/bootc/base-images/-/issues/12 # https://gitlab.com/fedora/bootc/base-images/-/issues/12
- fedora-repos-archive - fedora-repos-archive
# Not in RHEL10
- systemd-resolved


@ -1,6 +0,0 @@
# NB: This treefile is used by the legacy pungi path only to build tier-1. It
# will be removed in the future.
releasever: rawhide
repos:
- fedora-rawhide
include: fedora-bootc.yaml


@ -1,3 +1,7 @@
releasever: rawhide
repos:
- rawhide
metadata: metadata:
name: fedora-boot-tier0 name: fedora-boot-tier0
summary: Fedora Bootable Tier 0 summary: Fedora Bootable Tier 0


@ -1,3 +1,7 @@
releasever: rawhide
repos:
- rawhide
metadata: metadata:
name: fedora-boot-tier-x name: fedora-boot-tier-x
summary: Fedora Bootable Tier X summary: Fedora Bootable Tier X

0
tier-0/bootc-config.yaml Normal file


@ -6,9 +6,8 @@ packages:
# `iptables`. Currently that pulls in iptables-legacy. Let's explicitly name # `iptables`. Currently that pulls in iptables-legacy. Let's explicitly name
# iptables-nft instead to satisfy it. # iptables-nft instead to satisfy it.
- iptables-nft - iptables-nft
# Required by bootc install, sgdisk has been replaced by Rust crate # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
# in bootc https://github.com/containers/bootc/pull/775 - gdisk xfsprogs e2fsprogs dosfstools
- xfsprogs e2fsprogs dosfstools
exclude-packages: exclude-packages:
# Exclude kernel-debug-core to make sure that it doesn't somehow get # Exclude kernel-debug-core to make sure that it doesn't somehow get


@ -9,8 +9,9 @@ packages-aarch64:
packages-ppc64le: packages-ppc64le:
- grub2 ostree-grub2 - grub2 ostree-grub2
packages-s390x: packages-s390x:
# For zipl # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
- s390utils-core # provided by s390utils-base, but soon will be -core too.
- /usr/sbin/zipl
packages-x86_64: packages-x86_64:
- grub2 grub2-efi-x64 efibootmgr shim - grub2 grub2-efi-x64 efibootmgr shim
- microcode_ctl - microcode_ctl
@ -26,8 +27,3 @@ postprocess:
set -xeuo pipefail set -xeuo pipefail
# Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
/usr/bin/bootupctl backend generate-update-metadata /usr/bin/bootupctl backend generate-update-metadata
- |
#!/bin/bash
# Workaround for https://issues.redhat.com/browse/RHEL-78104
set -xeuo pipefail
rm -vrf /usr/lib/ostree-boot/loader


@ -1,6 +0,0 @@
#!/bin/bash
# https://gitlab.com/fedora/bootc/base-images/-/issues/28
set -xeuo pipefail
ln -s ../run var/run
# https://gitlab.com/fedora/bootc/tracker/-/issues/58
mkdir -p var/lib/rpm-state


@ -1,21 +0,0 @@
# Configuration to enable kernel-install integration
postprocess:
- |
#!/usr/bin/env bash
set -xeuo pipefail
source /usr/lib/os-release
echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
# take over. Rpm-ostree will use this to know that it is responsible\n\
# to run dracut and ensure that there is only one kernel in the image\n\
layout=ostree" | tee /usr/lib/kernel/install.conf > /dev/null
# By default dnf keeps multiple versions of the kernel, with this
# configuration we tell dnf to treat the kernel as everything else.
# https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
# Let's add the config to a distribution configuration file if dnf5
# is used, we append to /etc/dnf/dnf.conf if not.
if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
else
echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
fi

10
tier-0/kernel-rt.yaml Normal file

@ -0,0 +1,10 @@
repos:
- rt
- nfv
# Enable the "realtime" AKA soft-realtime AKA latency-optimized kernel.
packages:
- kernel-rt-core kernel-rt-modules kernel-rt-modules-extra kernel-rt-kvm
exclude-packages:
- kernel-rt-debug-core


@ -1,12 +1,43 @@
edition: "2024"
# Modern defaults we want
boot-location: modules
tmp-is-dir: true
# https://github.com/CentOS/centos-bootc/issues/167
machineid-compat: true
# Be minimal # Be minimal
recommends: false recommends: false
ignore-removed-users:
- root
ignore-removed-groups:
- root
etc-group-members:
- wheel
- sudo
- systemd-journal
- adm
# Default to `bash` in our container, the same as other containers we ship. # Default to `bash` in our container, the same as other containers we ship.
container-cmd: container-cmd:
- /sbin/init - /sbin/init
# Note that the default for c9s+ is sqlite; we can't rely on rpm being
# in the target (it isn't in tier-0!) so turn this to host here. This
# does break the "hermetic build" aspect a bit. Maybe eventually
# what we should do is special case this and actually install RPM temporarily
# and then remove it...
rpmdb: host
check-passwd:
type: "file"
filename: "passwd"
check-groups:
type: "file"
filename: "group"
automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
mutate-os-release: "${releasever}"
remove-from-packages: remove-from-packages:
# Generally we expect other tools to do this (e.g. Ignition or cloud-init) # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
- [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service] - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
@ -15,21 +46,17 @@ remove-from-packages:
- [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator] - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
include: include:
- postprocess-conf.yaml
- bootc.yaml - bootc.yaml
- bootupd.yaml - bootupd.yaml
- ostree.yaml - ostree.yaml
- initramfs.yaml - initramfs.yaml
- basic-fixes.yaml - basic-fixes.yaml
- kernel-install.yaml
packages: packages:
# this is implied by dependencies but let's make it explicit # this is implied by dependencies but let's make it explicit
- coreutils - coreutils
# We need dnf for building derived container images. In Fedora, this pulls # needed for building derived container images
# in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to - dnf5
# just `dnf` once the `dnf` package is retired from Fedora.
- /usr/bin/dnf
# Even in tier-0, we have this. If you don't want SELinux today, you'll need # Even in tier-0, we have this. If you don't want SELinux today, you'll need
# to build a custom image. # to build a custom image.
- selinux-policy-targeted - selinux-policy-targeted
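Review bot: The comment above `rpmdb: host` justifies the setting by saying rpm cannot be relied on in the target because it isn't in tier-0, yet the same new-side manifest now lists `dnf5` under `packages:` as needed for building derived images; if dnf5 brings rpm into the image, that rationale is stale and the setting is being kept for a reason that no longer holds, so either refresh the comment or reconsider `rpmdb: host`. Separately, the block inlined from the deleted postprocess-conf.yaml (`ignore-removed-users` through `mutate-os-release`) lost that file's header comment; a one-line comment such as `# Options consumed by rpm-ostree compose postprocess` above `ignore-removed-users:` would preserve the grouping. I am reading the right-hand column as the new side; the hunk header counts 31 additions while fewer are rendered, so a couple of added lines are not visible here.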


@ -1,6 +1,9 @@
packages: packages:
- ostree nss-altfiles - ostree nss-altfiles
# We want content lifecycled with the image
opt-usrlocal: "root"
postprocess: postprocess:
# Set up default root config # Set up default root config
- | - |


@ -23,7 +23,7 @@ rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
sssd:x:995:993:User for sssd:/run/sssd:/usr/sbin/nologin sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync sync:x:5:0:sync:/sbin:/bin/sync
systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin


@ -1,34 +0,0 @@
# This file configures things relevant to `rpm-ostree compose postprocess`.
# We want content lifecycled with the image
opt-usrlocal: "root"
# https://github.com/CentOS/centos-bootc/issues/167
machineid-compat: true
# Note that the default for c9s+ is sqlite; we can't rely on rpm being
# in the target (it isn't in tier-0!) so turn this to host here. This
# does break the "hermetic build" aspect a bit. Maybe eventually
# what we should do is special case this and actually install RPM temporarily
# and then remove it...
rpmdb: host
ignore-removed-users:
- root
ignore-removed-groups:
- root
etc-group-members:
- wheel
- sudo
- systemd-journal
- adm
check-passwd:
type: "file"
filename: "passwd"
check-groups:
type: "file"
filename: "group"
automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
mutate-os-release: "${releasever}"


@ -6,8 +6,6 @@ Documentation=https://gitlab.com/fedora/bootc/docs
ConditionVirtualization=vm ConditionVirtualization=vm
# This helps verify that we're running in a bootc/ostree based target. # This helps verify that we're running in a bootc/ostree based target.
ConditionPathIsMountPoint=/sysroot ConditionPathIsMountPoint=/sysroot
# For someone making a smaller image, assume they have this handled.
ConditionPathExists=/usr/bin/growpart
# We want to run before any e.g. large container images might be pulled. # We want to run before any e.g. large container images might be pulled.
DefaultDependencies=no DefaultDependencies=no
Requires=sysinit.target Requires=sysinit.target


@ -3,8 +3,15 @@
packages: packages:
# Additional file compression/decompression # Additional file compression/decompression
- bzip2 zstd - bzip2 zstd
# Improved MOTD experience
- console-login-helper-messages-issuegen
- console-login-helper-messages-profile
# kdump support # kdump support
# https://github.com/coreos/fedora-coreos-tracker/issues/622 # https://github.com/coreos/fedora-coreos-tracker/issues/622
- kexec-tools - kexec-tools
# Container tooling
- toolbox
# nvme-cli for managing nvme disks # nvme-cli for managing nvme disks
- nvme-cli - nvme-cli
# Used by admins interactively
- lsof


@ -3,18 +3,28 @@ recommends: true
include: include:
- ../tier-x/manifest.yaml - ../tier-x/manifest.yaml
- autoupdates.yaml
- networking-tools.yaml - networking-tools.yaml
- system-configuration.yaml - system-configuration.yaml
- coreos-user-experience.yaml - coreos-user-experience.yaml
- persistent-journal.yaml - persistent-journal.yaml
- initramfs-full.yaml - initramfs-full.yaml
- generic-growfs.yaml
packages: packages:
# Include and set the default editor
- nano
- nfs-utils - nfs-utils
# Additional firewall support; we aren't including these in RHCOS or they # Additional firewall support; we aren't including these in RHCOS or they
# don't exist in RHEL # don't exist in RHEL
- iptables-services - iptables-services
- WALinuxAgent-udev - WALinuxAgent-udev
# Allow communication between sudo and SSSD
# for caching sudo rules by SSSD.
# https://github.com/coreos/fedora-coreos-tracker/issues/445
- libsss_sudo
# SSSD; we only ship a subset of the backends
- sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
# Used by admins interactively # Used by admins interactively
- openssl - openssl
# Provides terminal tools like clear, reset, tput, and tset # Provides terminal tools like clear, reset, tput, and tset
@ -24,10 +34,19 @@ packages:
# zram-generator (but not zram-generator-defaults) for F33 change # zram-generator (but not zram-generator-defaults) for F33 change
# https://github.com/coreos/fedora-coreos-tracker/issues/509 # https://github.com/coreos/fedora-coreos-tracker/issues/509
- zram-generator - zram-generator
# This one is in Python so isn't in FCOS, but we can safely add it here.
- sos
# These are random architecture-specific packages # These are random architecture-specific packages
packages-x86_64: [] packages-x86_64:
packages-aarch64: [] - irqbalance
packages-ppc64le:
- irqbalance
- librtas
- powerpc-utils-core
- ppc64-diag-rtas
packages-aarch64:
- irqbalance
postprocess: postprocess:
# Undo RPM scripts enabling units; we want the presets to be canonical # Undo RPM scripts enabling units; we want the presets to be canonical


@ -3,6 +3,9 @@
packages: packages:
# Explicit dep for RHEL >= 10 # Explicit dep for RHEL >= 10
- crypto-policies-scripts - crypto-policies-scripts
# Configuring SSH keys, cloud provider check-in, etc
# TODO: needs Ignition kargs
# - afterburn afterburn-dracut
# NTP support # NTP support
- chrony - chrony
# Storage configuration/management # Storage configuration/management
@ -21,4 +24,7 @@ packages:
# Anything package layered will also tend to expect files dropped in # Anything package layered will also tend to expect files dropped in
# /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
# have it then people's disks will slowly fill up with logs. # have it then people's disks will slowly fill up with logs.
- logrotate - logrotate
# Boost starving threads
# https://github.com/coreos/fedora-coreos-tracker/issues/753
- stalld


@ -10,12 +10,12 @@ packages:
- jq - jq
- less - less
- vim-minimal - vim-minimal
# crun recommends but doesn't require criu and criu-libs. We want them for
# checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
- criu criu-libs
# deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo # deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
# dep, we still want it # dep, we still want it
- podman skopeo - podman skopeo
# crun recommends but doesn't require criu and criu-libs. We want them for
# checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
- crun criu criu-libs
# storage # storage
- cryptsetup - cryptsetup
- lvm2 - lvm2
@ -28,6 +28,7 @@ packages:
- NetworkManager - NetworkManager
- openssh-clients - openssh-clients
- openssh-server - openssh-server
- systemd-resolved
# linux-firmware now a recommends so let's explicitly include it # linux-firmware now a recommends so let's explicitly include it
# https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
# https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide