Minimize base image.

tier-1: add f42 treefile after branching

See merge request fedora/bootc/base-images!87

.gitlab-ci.yml

@@ -4,8 +4,11 @@ include:
 
 build-image:
   extends: .build-image
+  parallel:
+    matrix:
+      - TIER: [tier-0, tier-1, tier-x]
   variables:
-    EXTRA_ARGS: "--security-opt=label=disable --cap-add=all"
+    EXTRA_ARGS: "--security-opt=label=disable --cap-add=all --build-arg MANIFEST=fedora-$TIER.yaml"
   rules:
     - if: $CI_PROJECT_NAMESPACE != "fedora/bootc"
       when: never

Containerfile

@@ -20,12 +20,14 @@
 #
 # # Why does this build process require additional privileges?
 #
-# Because it's generating a base image and uses containerbuildcontextization features itself.
+# Because it's generating a base image and uses containerization features itself.
 # In the future some of this can be lifted.
 
-FROM quay.io/fedora/fedora:rawhide as repos
+FROM quay.io/fedora/fedora:41 as repos
 
-FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
+# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted.
+FROM quay.io/fedora/fedora:41 as builder
+RUN dnf -y install rpm-ostree selinux-policy-targeted
 ARG MANIFEST=fedora-bootc.yaml
 COPY --from=repos /etc/dnf/vars /etc/dnf/vars
 COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
@@ -37,10 +39,16 @@ COPY . /src
 WORKDIR /src
 RUN rm -vf /src/*.repo
 COPY --from=repos /etc/yum.repos.d/*.repo /src
-RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image \
- --image-config fedora-bootc-config.json --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} /buildcontext/out.ociarchive
+RUN --mount=type=cache,target=/workdir \
+    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
+    --mount=type=bind,from=repos,src=/,dst=/repos \
+      rpm-ostree compose image --image-config fedora-bootc-config.json \
+        --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
+       --source-root=/repos /buildcontext/out.ociarchive
 
 FROM oci-archive:./out.ociarchive
 # Need to reference builder here to force ordering. But since we have to run
 # something anyway, we might as well cleanup after ourselves.
-RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive
+RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
+    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
+      rm /buildcontext/out.ociarchive

README.md

@@ -9,25 +9,72 @@ been extremely successful. This project aims to apply the same technique for
 bootable host systems - using standard OCI/Docker containers as a transport and
 delivery format for base operating system updates.
 
-## Building
+## Building images
 
-First, the expectation is that most users will want to build *layered* images
-on top of the official base images. See the documentation[5] for more info.
+The current default user experience is to build *layered* images on top of the official
+binary base images produced and tested by this project. See the documentation[5] for more info.
 
-Building the images in this repo can be done with `podman build` as with any
-other application image (note that building with `docker` is not currently
-supported). You need to enable some privileges for technical reasons.
+You can build custom base images by forking this repository; however,
+https://gitlab.com/fedora/bootc/tracker/-/issues/32 tracks a more supportable
+mechanism that is not simply forking. For more information see[6].
+
+## Build process
+
+Building the images in this repo can be done with `podman build`, but
+note the build process uses a special podman-ecosystem specific mechanism
+to create fully custom images while inside a `Containerfile`.
+You need to enable some privileges as nested containerization is required.
 
 ```
 podman build --security-opt=label=disable --cap-add=all \
   --device /dev/fuse -t localhost/fedora-bootc .
 ```
 
-See the `Containerfile` for more details.
+See the `Containerfile` for more details. This builds the default `tier-1` image.
+
+## Fedora versions
+
+By default, the base images are built for Fedora rawhide. To build against a
+different Fedora version, you can override the `FROM` image used to obtain the
+Fedora repos and dnf variables. E.g.:
+
+```
+podman build --from quay.io/fedora/fedora:41 ...
+```
+
+### Deriving
 
 You are of course also free to fork, customize, and build base images yourself.
 See this page[6] of the documentation for more information.
 
+## Tiers
+
+At the current time, there is just one reference base image published
+to the registry. Internally the content set is split up somewhat
+into "tiers", but this is an internal implementation detail and may change
+at any time.
+
+It is planned to rework and improve this in the future, especially
+to support smaller custom images. For more on this, see
+[this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
+
+- **tier-1**: This image is the default, what is published as
+  https://quay.io/repository/fedora/fedora-bootc
+- **tier-0**: This content set is more of a convenient centralization point for CI
+  and curation around a package set that we can all agree is the rough minimum
+  necessary for a usable system. It's not meant to be used as is, but layered
+  upon.
+- **tier-x**: This content set is the shared base used by all image-based
+  Fedora variants (IoT, Atomic Desktops, and CoreOS).
+  Changes to this tier may be done without accounting for external users.
+  To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build
+  command above.
+
+**tier-1** inherits from **tier-x** and **tier-x** in turn inherit from **tier-0**.
+
+All non-trivial changes to **tier-0** and **tier-x** should be ACKed by at least
+one stakeholder of each Fedora variant WGs.
+
 ## More information
 
 Documentation: <https://docs.fedoraproject.org/en-US/bootc/>

build.sh

@@ -0,0 +1,5 @@
+podman build \
+       --security-opt=label=disable \
+       --cap-add=all \
+       --device /dev/fuse \
+       -t localhost/fedora-bootc .

fedora-40.yaml

@@ -0,0 +1,7 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 40
+repos:
+  - fedora
+  - fedora-updates
+include: fedora-bootc.yaml

fedora-41.yaml

@@ -0,0 +1,7 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 41
+repos:
+  - fedora
+  - fedora-updates
+include: fedora-bootc.yaml

fedora-42.yaml

@@ -0,0 +1,6 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 42
+repos:
+  - fedora-devel
+include: fedora-bootc.yaml

fedora-bootc.yaml

@@ -1,7 +1,3 @@
-releasever: rawhide
-repos:
-  - rawhide
-
 metadata:
   name: fedora-boot-tier1
   summary: Fedora Bootable Tier 1

fedora-generic.yaml

@@ -5,3 +5,5 @@ variables:
 packages:
   # https://gitlab.com/fedora/bootc/base-images/-/issues/12
   - fedora-repos-archive
+  # Not in RHEL10
+  - systemd-resolved

fedora-rawhide.yaml

@@ -0,0 +1,6 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: rawhide
+repos:
+  - fedora-rawhide
+include: fedora-bootc.yaml

fedora-tier-0.yaml

@@ -1,7 +1,3 @@
-releasever: rawhide
-repos:
-  - rawhide
-
 metadata:
   name: fedora-boot-tier0
   summary: Fedora Bootable Tier 0

fedora-tier-1.yaml

@@ -0,0 +1 @@
+fedora-bootc.yaml

fedora-tier-x.yaml

@@ -0,0 +1,8 @@
+metadata:
+  name: fedora-boot-tier-x
+  summary: Fedora Bootable Tier X
+
+include:
+  - fedora-generic.yaml
+  - tier-x/manifest.yaml
+  - tier-x/kernel.yaml

renovate.json

@@ -3,12 +3,17 @@
   "extends": [
     "github>platform-engineering-org/.github"
   ],
-  "baseBranches": ["main", "f40"],
+  "baseBranches": ["main", "f40", "f41"],
   "packageRules": [
     {
       "matchPackageNames": ["quay.io/fedora/fedora"],
       "allowedVersions": "=40",
       "matchBaseBranches": ["f40"]
+    },
+    {
+      "matchPackageNames": ["quay.io/fedora/fedora"],
+      "allowedVersions": "=41",
+      "matchBaseBranches": ["f41"]
     }
   ]
 }

tier-0/autoupdates.yaml

@@ -1,9 +0,0 @@
-# Enable automatic updates by default
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    set -euo pipefail
-    target=/usr/lib/systemd/system/default.target.wants
-    mkdir -p $target
-    set -x
-    ln -s ../bootc-fetch-apply-updates.timer $target

tier-0/basic-fixes.yaml

@@ -23,7 +23,7 @@ postprocess:
     # tmpfiles.d unit for `/var/roothome` is fine, but this actually doesn't
     # work if we want to use tmpfiles.d to write to `/root/.ssh` because
     # tmpfiles gives up on that before getting to `/var/roothome`.
-    sed -ie 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf
+    sed -i -e 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf
     # Because /var/roothome is also defined in rpm-ostree-0-integration.conf
     # we need to delete /var/roothome
-    sed -ie '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf
+    sed -i -e '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf

tier-0/bootc.yaml

@@ -2,8 +2,13 @@
 packages:
  - systemd
  - bootc
- # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
- - gdisk xfsprogs e2fsprogs dosfstools
+ # bootc pulls in podman, which pulls in containers-common, which wants
+ # `iptables`. Currently that pulls in iptables-legacy. Let's explicitly name
+ # iptables-nft instead to satisfy it.
+ - iptables-nft
+ # Required by bootc install, sgdisk has been replaced by Rust crate
+ # in bootc https://github.com/containers/bootc/pull/775
+ - xfsprogs e2fsprogs dosfstools
 
 exclude-packages:
   # Exclude kernel-debug-core to make sure that it doesn't somehow get

tier-0/bootupd.yaml

@@ -9,9 +9,8 @@ packages-aarch64:
 packages-ppc64le:
   - grub2 ostree-grub2
 packages-s390x:
-  # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
-  # provided by s390utils-base, but soon will be -core too.
-  - /usr/sbin/zipl
+  # For zipl
+  - s390utils-core
 packages-x86_64:
   - grub2 grub2-efi-x64 efibootmgr shim
   - microcode_ctl
@@ -25,7 +24,10 @@ postprocess:
   - |
     #!/bin/bash
     set -xeuo pipefail
-    # Until we have https://github.com/coreos/rpm-ostree/pull/2275
-    mkdir -p /run
     # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
     /usr/bin/bootupctl backend generate-update-metadata
+  - |
+    #!/bin/bash
+    # Workaround for https://issues.redhat.com/browse/RHEL-78104
+    set -xeuo pipefail
+    rm -vrf /usr/lib/ostree-boot/loader

tier-0/finalize.d/01-var.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# https://gitlab.com/fedora/bootc/base-images/-/issues/28
+set -xeuo pipefail
+ln -s ../run var/run
+# https://gitlab.com/fedora/bootc/tracker/-/issues/58
+mkdir -p var/lib/rpm-state

tier-0/initramfs.yaml

@@ -6,13 +6,19 @@ postprocess:
     cat > /usr/lib/dracut/dracut.conf.d/20-bootc-base.conf << 'EOF'
     # We want a generic image; hostonly makes no sense as part of a server side build
     hostonly=no
-    dracutmodules+=" kernel-modules dracut-systemd systemd-initrd base ostree "
+    add_dracutmodules+=" kernel-modules dracut-systemd systemd-initrd base ostree "
     EOF
     cat > /usr/lib/dracut/dracut.conf.d/22-bootc-generic.conf << 'EOF'
     # Extra modules that we want by default that are known to exist in the kernel
-    dracutmodules+=" virtiofs "
+    add_dracutmodules+=" virtiofs "
     EOF
     cat > /usr/lib/dracut/dracut.conf.d/49-bootc-tpm2-tss.conf << 'EOF'
     # We want this for systemd-cryptsetup tpm2 locking
-    dracutmodules+=" tpm2-tss "
+    add_dracutmodules+=" tpm2-tss "
+    EOF
+    cat > /usr/lib/dracut/dracut.conf.d/59-altfiles.conf << 'EOF'
+    # https://issues.redhat.com/browse/RHEL-49590
+    # On image mode systems we use nss-altfiles for passwd and group,
+    # this makes sure dracut uses them which also fixes kdump writing to NFS.
+    install_items+=" /usr/lib/passwd /usr/lib/group "
     EOF

tier-0/kernel-install.yaml

@@ -0,0 +1,21 @@
+# Configuration to enable kernel-install integration
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    source /usr/lib/os-release
+    echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
+    # take over. Rpm-ostree will use this to know that it is responsible\n\
+    # to run dracut and ensure that there is only one kernel in the image\n\
+    layout=ostree" | tee /usr/lib/kernel/install.conf > /dev/null
+    # By default dnf keeps multiple versions of the kernel, with this
+    # configuration we tell dnf to treat the kernel as everything else.
+    # https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
+    # Let's add the config to a distribution configuration file if dnf5
+    # is used, we append to /etc/dnf/dnf.conf if not.
+    if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
+      echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
+    else
+      echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
+    fi
+

tier-0/kernel-rt.yaml

@@ -1,10 +0,0 @@
-repos:
-  - rt
-  - nfv
-
-# Enable the "realtime" AKA soft-realtime AKA latency-optimized kernel.
-packages:
- - kernel-rt-core kernel-rt-modules kernel-rt-modules-extra kernel-rt-kvm
-
-exclude-packages:
-  - kernel-rt-debug-core

tier-0/manifest.yaml

@@ -1,64 +1,35 @@
+edition: "2024"
 
-# Modern defaults we want
-boot-location: modules
-tmp-is-dir: true
-# https://github.com/CentOS/centos-bootc/issues/167
-machineid-compat: true
 # Be minimal
 recommends: false
 
-ignore-removed-users:
-  - root
-ignore-removed-groups:
-  - root
-etc-group-members:
-  - wheel
-  - sudo
-  - systemd-journal
-  - adm
-
 # Default to `bash` in our container, the same as other containers we ship.
 container-cmd:
   - /sbin/init
 
-# Note that the default for c9s+ is sqlite; we can't rely on rpm being
-# in the target (it isn't in tier-0!) so turn this to host here.  This
-# does break the "hermetic build" aspect a bit.  Maybe eventually
-# what we should do is special case this and actually install RPM temporarily
-# and then remove it...
-rpmdb: host
-
-check-passwd:
-  type: "file"
-  filename: "passwd"
-check-groups:
-  type: "file"
-  filename: "group"
-
-automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
-mutate-os-release: "${releasever}"
-
 remove-from-packages:
   # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
   - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
   # We don't want auto-generated mount units. See also
   # https://github.com/systemd/systemd/issues/13099
   - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
-  # Drop some buggy sysusers fragments which do not match static IDs allocation:
-  # https://bugzilla.redhat.com/show_bug.cgi?id=2105177
-  - [dbus-common, /usr/lib/sysusers.d/dbus.conf]
 
 include:
+  - postprocess-conf.yaml
   - bootc.yaml
   - bootupd.yaml
   - ostree.yaml
   - initramfs.yaml
-  - autoupdates.yaml
   - basic-fixes.yaml
+  - kernel-install.yaml
 
 packages:
-  # needed for building derived container images
-  - dnf
+  # this is implied by dependencies but let's make it explicit
+  - coreutils
+  # We need dnf for building derived container images. In Fedora, this pulls
+  # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
+  # just `dnf` once the `dnf` package is retired from Fedora.
+  - /usr/bin/dnf
   # Even in tier-0, we have this.  If you don't want SELinux today, you'll need
   # to build a custom image.
   - selinux-policy-targeted

tier-0/ostree.yaml

@@ -1,9 +1,6 @@
 packages:
  - ostree nss-altfiles
 
-# We want content lifecycled with the image
-opt-usrlocal: "root"
-
 postprocess:
   # Set up default root config
   - |

tier-0/passwd

@@ -23,7 +23,7 @@ rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
 rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
-sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/run/sssd:/usr/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
 systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin

tier-0/postprocess-conf.yaml

@@ -0,0 +1,34 @@
+# This file configures things relevant to `rpm-ostree compose postprocess`.
+
+# We want content lifecycled with the image
+opt-usrlocal: "root"
+
+# https://github.com/CentOS/centos-bootc/issues/167
+machineid-compat: true
+
+# Note that the default for c9s+ is sqlite; we can't rely on rpm being
+# in the target (it isn't in tier-0!) so turn this to host here.  This
+# does break the "hermetic build" aspect a bit.  Maybe eventually
+# what we should do is special case this and actually install RPM temporarily
+# and then remove it...
+rpmdb: host
+
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+etc-group-members:
+  - wheel
+  - sudo
+  - systemd-journal
+  - adm
+
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"

tier-1/autoupdates.yaml

@@ -1 +0,0 @@
-../tier-0/autoupdates.yaml

tier-1/autoupdates.yaml

@@ -0,0 +1,9 @@
+# Enable automatic updates by default
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -euo pipefail
+    target=/usr/lib/systemd/system/default.target.wants
+    mkdir -p $target
+    set -x
+    ln -s ../bootc-fetch-apply-updates.timer $target

tier-1/basic-fixes.yaml

@@ -1 +0,0 @@
-../tier-0/basic-fixes.yaml

tier-1/bootable-rpm-ostree.yaml

@@ -1,8 +0,0 @@
-packages:
- - rpm-ostree nss-altfiles
-
-exclude-packages:
-  # Exclude kernel-debug-core to make sure that it doesn't somehow get
-  # chosen as the package to satisfy the `kernel-core` dependency from
-  # the kernel package.
-  - kernel-debug-core

tier-1/bootc-config.yaml

@@ -1 +0,0 @@
-../tier-0/bootc-config.yaml

tier-1/bootc-generic-growpart.service

@@ -6,6 +6,8 @@ Documentation=https://gitlab.com/fedora/bootc/docs
 ConditionVirtualization=vm
 # This helps verify that we're running in a bootc/ostree based target.
 ConditionPathIsMountPoint=/sysroot
+# For someone making a smaller image, assume they have this handled.
+ConditionPathExists=/usr/bin/growpart
 # We want to run before any e.g. large container images might be pulled.
 DefaultDependencies=no
 Requires=sysinit.target

tier-1/bootc.yaml

@@ -1 +0,0 @@
-../tier-0/bootc.yaml

tier-1/bootupd.yaml

@@ -1 +0,0 @@
-../tier-0/bootupd.yaml

tier-1/coreos-user-experience.yaml

@@ -1,41 +1,10 @@
 # This file was forked/copied from Fedora CoreOS.  TODO: resync
 # once we have a good generic mechanism for sharing.
 packages:
-  # Basic user tools
-  ## jq - parsing/interacting with JSON data
-  - bash-completion
-  - coreutils
-  - file
-  - jq
-  - less
-  - sudo
-  - vim-minimal
-  # File compression/decompression
-  ## bsdtar - dependency of 35coreos-live dracut module
-  - bsdtar
-  - bzip2
-  - gzip
-  - tar
-  - xz
-  - zstd
-  # Improved MOTD experience
-  - console-login-helper-messages-issuegen
-  - console-login-helper-messages-profile
+  # Additional file compression/decompression
+  - bzip2 zstd
   # kdump support
   # https://github.com/coreos/fedora-coreos-tracker/issues/622
   - kexec-tools
-  # Remote Access
-  - openssh-clients openssh-server
-  # Container tooling
-  ## crun recommends but doesn't require criu and criu-libs. We want them for
-  ## checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
-  - crun criu criu-libs
-  - podman
-  - skopeo
-  - toolbox
-  # passt provides user-mode networking daemons for namespaces
-  - passt
   # nvme-cli for managing nvme disks
   - nvme-cli
-  # Used by admins interactively
-  - lsof

tier-1/firmware.yaml

@@ -1,7 +0,0 @@
- packages:
-  # linux-firmware now a recommends so let's explicitly include it
-  # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
-  # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
-  - linux-firmware
-  # If you're using linux-firmware, you probably also want fwupd
-  - fwupd

tier-1/fwupd.yaml

@@ -1,5 +0,0 @@
-# Firmware updates
-packages-aarch64:
-  - fwupd
-packages-x86_64:
-  - fwupd

tier-1/group

@@ -1 +0,0 @@
-../tier-0/group

tier-1/grub2-removals.yaml

@@ -1 +0,0 @@
-../tier-0/grub2-removals.yaml

tier-1/initramfs-full.yaml

@@ -4,5 +4,5 @@ postprocess:
     #!/usr/bin/env bash
     mkdir -p /usr/lib/dracut/dracut.conf.d
     cat > /usr/lib/dracut/dracut.conf.d/30-bootc-tier-1.conf << 'EOF'
-    dracutmodules+=" lvm crypt fips "
+    add_dracutmodules+=" lvm crypt fips "
     EOF

tier-1/initramfs.yaml

@@ -1 +0,0 @@
-../tier-0/initramfs.yaml

tier-1/kdump-aarch64-aws-workaround.yaml

@@ -1,12 +0,0 @@
-# This file includes a fixup for kdump on aarch64 AWS instances.
-# The issue seems specific to aarch64 AWS instances, but we'll go
-# ahead and apply it across the board for aarch64, since that's
-# the easiest thing to do. Hopefully the upstream issue will get
-# resolved soon.
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    # Remove irqpoll from the list of KDUMP_COMMANDLINE_APPEND. This
-    # causes issues on aarch64 AWS instances.
-    # https://github.com/coreos/fedora-coreos-tracker/issues/1187
-    sed -i -e 's/irqpoll //' /etc/sysconfig/kdump

tier-1/manifest-tier-0.yaml

@@ -1 +0,0 @@
-../tier-0/manifest.yaml

tier-1/manifest.yaml

@@ -2,38 +2,21 @@
 recommends: true
 
 include:
-  - manifest-tier-0.yaml
-  - bootable-rpm-ostree.yaml
-  - podman.yaml
-  - firmware.yaml
+  - ../tier-x/manifest.yaml
   - networking-tools.yaml
   - system-configuration.yaml
   - coreos-user-experience.yaml
-  - fwupd.yaml
   - persistent-journal.yaml
   - initramfs-full.yaml
-  - generic-growfs.yaml
 
 packages:
-  # Include and set the default editor
-  - nano
-  # And we expect this in general
-  - vim-minimal
   - nfs-utils
   # Additional firewall support; we aren't including these in RHCOS or they
   # don't exist in RHEL
-  - iptables-nft iptables-services
+  - iptables-services
   - WALinuxAgent-udev
-  # Allow communication between sudo and SSSD
-  # for caching sudo rules by SSSD.
-  # https://github.com/coreos/fedora-coreos-tracker/issues/445
-  - libsss_sudo
-  # SSSD; we only ship a subset of the backends
-  - sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
   # Used by admins interactively
-  - attr
   - openssl
-  - lsof
   # Provides terminal tools like clear, reset, tput, and tset
   - ncurses
   # i18n
@@ -41,21 +24,10 @@ packages:
   # zram-generator (but not zram-generator-defaults) for F33 change
   # https://github.com/coreos/fedora-coreos-tracker/issues/509
   - zram-generator
-  # resolved was broken out to its own package in rawhide/f35
-  - systemd-resolved
-  # This one is in Python so isn't in FCOS, but we can safely add it here.
-  - sos
 
 # These are random architecture-specific packages
-packages-x86_64:
-  - irqbalance
-packages-ppc64le:
-  - irqbalance
-  - librtas
-  - powerpc-utils-core
-  - ppc64-diag-rtas
-packages-aarch64:
-  - irqbalance
+packages-x86_64: []
+packages-aarch64: []
 
 postprocess:
   # Undo RPM scripts enabling units; we want the presets to be canonical
@@ -67,19 +39,6 @@ postprocess:
     systemctl preset-all
     rm -rf /etc/systemd/user/*
     systemctl --user --global preset-all
-  # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
-  # remove iptables-legacy. This is needed because alternatives don't work
-  # https://github.com/coreos/fedora-coreos-tracker/issues/677
-  # https://github.com/coreos/fedora-coreos-tracker/issues/676
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    ln -sf /usr/sbin/ip6tables-nft         /etc/alternatives/ip6tables
-    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
-    ln -sf /usr/sbin/ip6tables-nft-save    /etc/alternatives/ip6tables-save
-    ln -sf /usr/sbin/iptables-nft          /etc/alternatives/iptables
-    ln -sf /usr/sbin/iptables-nft-restore  /etc/alternatives/iptables-restore
-    ln -sf /usr/sbin/iptables-nft-save     /etc/alternatives/iptables-save
   # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
   #      https://bugzilla.redhat.com/show_bug.cgi?id=2112857
   #      https://github.com/coreos/rpm-ostree/issues/3918
@@ -108,3 +67,6 @@ exclude-packages:
   # Do not use legacy ifcfg config format in NetworkManager
   # See https://github.com/coreos/fedora-coreos-config/pull/1991
   - NetworkManager-initscripts-ifcfg-rh
+  # Let's not have both legacy and nft versions in the image. Users are free to
+  # also layer legacy themselves if they want.
+  - iptables-legacy

tier-1/networking-tools.yaml

@@ -3,8 +3,6 @@
 # generic enough to be shared downstream with RHCOS.
 
 packages:
-  # Standard tools for configuring network/hostname
-  - NetworkManager hostname
   # Interactive Networking configuration during coreos-install
   - NetworkManager-tui
   # Support for cloud quirks and dynamic config in real rootfs:

tier-1/ostree.yaml

@@ -1 +0,0 @@
-../tier-0/ostree.yaml

tier-1/passwd

@@ -1 +0,0 @@
-../tier-0/passwd

tier-1/podman.yaml

@@ -1,7 +0,0 @@
-# Core podman bits
-
-packages:
-  - crun
-  - podman
-  - container-selinux
-  - skopeo

tier-1/system-configuration.yaml

@@ -1,17 +1,12 @@
 # These are packages that are related to configuring parts of the system.
 
 packages:
-  # Configuring SSH keys, cloud provider check-in, etc
-  # TODO: needs Ignition kargs
-  # - afterburn afterburn-dracut
+  # Explicit dep for RHEL >= 10
+  - crypto-policies-scripts
   # NTP support
   - chrony
   # Storage configuration/management
-  - lvm2
-  - cryptsetup
-  - e2fsprogs
   - sg3_utils
-  - xfsprogs
   ## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394
   - cloud-utils-growpart
   # User configuration
@@ -26,7 +21,4 @@ packages:
   # Anything package layered will also tend to expect files dropped in
   # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
   # have it then people's disks will slowly fill up with logs.
-  - logrotate
-  # Boost starving threads
-  # https://github.com/coreos/fedora-coreos-tracker/issues/753
-  - stalld
+  - logrotate

tier-x/kernel.yaml

@@ -0,0 +1 @@
+../tier-0/kernel.yaml

tier-x/manifest.yaml

@@ -0,0 +1,44 @@
+include:
+  - ../tier-0/manifest.yaml
+
+packages:
+  # Used by admins interactively
+  - attr
+  - bash-completion
+  - hostname
+  - iproute
+  - jq
+  - less
+  - vim-minimal
+  # deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
+  # dep, we still want it
+  - podman skopeo
+  # crun recommends but doesn't require criu and criu-libs. We want them for
+  # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
+  - crun criu criu-libs
+  # storage
+  - cryptsetup
+  - lvm2
+  - tar
+  # zram-generator (but not zram-generator-defaults) for F33 change
+  # https://github.com/coreos/fedora-coreos-tracker/issues/509
+  - zram-generator
+  # networking
+  - iptables-nft
+  - NetworkManager
+  - openssh-clients
+  - openssh-server
+  # linux-firmware now a recommends so let's explicitly include it
+  # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
+  # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
+  - linux-firmware
+  # security
+  - polkit
+  - sudo
+  # Allow for configuring different timezones
+  - tzdata
+  # rpm-ostree
+  - rpm-ostree nss-altfiles
+  # firmware updates
+  # If you're using linux-firmware, you probably also want fwupd
+  - fwupd