Minimize base image.

tier-1: add f42 treefile after branching

See merge request fedora/bootc/base-images!87

Containerfile

@@ -20,12 +20,14 @@
 #
 # # Why does this build process require additional privileges?
 #
-# Because it's generating a base image and uses containerbuildcontextization features itself.
+# Because it's generating a base image and uses containerization features itself.
 # In the future some of this can be lifted.
 
-FROM quay.io/fedora/fedora:rawhide as repos
+FROM quay.io/fedora/fedora:41 as repos
 
-FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
+# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted.
+FROM quay.io/fedora/fedora:41 as builder
+RUN dnf -y install rpm-ostree selinux-policy-targeted
 ARG MANIFEST=fedora-bootc.yaml
 COPY --from=repos /etc/dnf/vars /etc/dnf/vars
 COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
@@ -37,10 +39,16 @@ COPY . /src
 WORKDIR /src
 RUN rm -vf /src/*.repo
 COPY --from=repos /etc/yum.repos.d/*.repo /src
-RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image \
- --image-config fedora-bootc-config.json --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} /buildcontext/out.ociarchive
+RUN --mount=type=cache,target=/workdir \
+    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
+    --mount=type=bind,from=repos,src=/,dst=/repos \
+      rpm-ostree compose image --image-config fedora-bootc-config.json \
+        --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
+       --source-root=/repos /buildcontext/out.ociarchive
 
 FROM oci-archive:./out.ociarchive
 # Need to reference builder here to force ordering. But since we have to run
 # something anyway, we might as well cleanup after ourselves.
-RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive
+RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
+    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
+      rm /buildcontext/out.ociarchive

README.md

@@ -32,6 +32,16 @@ podman build --security-opt=label=disable --cap-add=all \
 
 See the `Containerfile` for more details. This builds the default `tier-1` image.
 
+## Fedora versions
+
+By default, the base images are built for Fedora rawhide. To build against a
+different Fedora version, you can override the `FROM` image used to obtain the
+Fedora repos and dnf variables. E.g.:
+
+```
+podman build --from quay.io/fedora/fedora:41 ...
+```
+
 ### Deriving
 
 You are of course also free to fork, customize, and build base images yourself.
@@ -39,15 +49,23 @@ See this page[6] of the documentation for more information.
 
 ## Tiers
 
-There are currently 3 tiers:
+At the current time, there is just one reference base image published
+to the registry. Internally the content set is split up somewhat
+into "tiers", but this is an internal implementation detail and may change
+at any time.
+
+It is planned to rework and improve this in the future, especially
+to support smaller custom images. For more on this, see
+[this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
+
 - **tier-1**: This image is the default, what is published as
   https://quay.io/repository/fedora/fedora-bootc
-- **tier-0**: This image is more of a convenient centralization point for CI
+- **tier-0**: This content set is more of a convenient centralization point for CI
   and curation around a package set that we can all agree is the rough minimum
   necessary for a usable system. It's not meant to be used as is, but layered
   upon.
-- **tier-x**: This image is not intended for end-users. It's the shared base
-  used by all image-based Fedora variants (IoT, Atomic Desktops, and CoreOS).
+- **tier-x**: This content set is the shared base used by all image-based
+  Fedora variants (IoT, Atomic Desktops, and CoreOS).
   Changes to this tier may be done without accounting for external users.
   To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build
   command above.

build.sh

@@ -0,0 +1,5 @@
+podman build \
+       --security-opt=label=disable \
+       --cap-add=all \
+       --device /dev/fuse \
+       -t localhost/fedora-bootc .

fedora-40.yaml

@@ -0,0 +1,7 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 40
+repos:
+  - fedora
+  - fedora-updates
+include: fedora-bootc.yaml

fedora-41.yaml

@@ -0,0 +1,7 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 41
+repos:
+  - fedora
+  - fedora-updates
+include: fedora-bootc.yaml

fedora-42.yaml

@@ -0,0 +1,6 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 42
+repos:
+  - fedora-devel
+include: fedora-bootc.yaml

fedora-bootc.yaml

@@ -1,7 +1,3 @@
-releasever: rawhide
-repos:
-  - rawhide
-
 metadata:
   name: fedora-boot-tier1
   summary: Fedora Bootable Tier 1

fedora-generic.yaml

@@ -5,3 +5,5 @@ variables:
 packages:
   # https://gitlab.com/fedora/bootc/base-images/-/issues/12
   - fedora-repos-archive
+  # Not in RHEL10
+  - systemd-resolved

fedora-rawhide.yaml

@@ -0,0 +1,6 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: rawhide
+repos:
+  - fedora-rawhide
+include: fedora-bootc.yaml

fedora-tier-0.yaml

@@ -1,7 +1,3 @@
-releasever: rawhide
-repos:
-  - rawhide
-
 metadata:
   name: fedora-boot-tier0
   summary: Fedora Bootable Tier 0

fedora-tier-x.yaml

@@ -1,7 +1,3 @@
-releasever: rawhide
-repos:
-  - rawhide
-
 metadata:
   name: fedora-boot-tier-x
   summary: Fedora Bootable Tier X

tier-0/bootc.yaml

@@ -6,8 +6,9 @@ packages:
  # `iptables`. Currently that pulls in iptables-legacy. Let's explicitly name
  # iptables-nft instead to satisfy it.
  - iptables-nft
- # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
- - gdisk xfsprogs e2fsprogs dosfstools
+ # Required by bootc install, sgdisk has been replaced by Rust crate
+ # in bootc https://github.com/containers/bootc/pull/775
+ - xfsprogs e2fsprogs dosfstools
 
 exclude-packages:
   # Exclude kernel-debug-core to make sure that it doesn't somehow get

tier-0/bootupd.yaml

@@ -9,9 +9,8 @@ packages-aarch64:
 packages-ppc64le:
   - grub2 ostree-grub2
 packages-s390x:
-  # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
-  # provided by s390utils-base, but soon will be -core too.
-  - /usr/sbin/zipl
+  # For zipl
+  - s390utils-core
 packages-x86_64:
   - grub2 grub2-efi-x64 efibootmgr shim
   - microcode_ctl
@@ -27,3 +26,8 @@ postprocess:
     set -xeuo pipefail
     # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
     /usr/bin/bootupctl backend generate-update-metadata
+  - |
+    #!/bin/bash
+    # Workaround for https://issues.redhat.com/browse/RHEL-78104
+    set -xeuo pipefail
+    rm -vrf /usr/lib/ostree-boot/loader

tier-0/finalize.d/01-var.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# https://gitlab.com/fedora/bootc/base-images/-/issues/28
+set -xeuo pipefail
+ln -s ../run var/run
+# https://gitlab.com/fedora/bootc/tracker/-/issues/58
+mkdir -p var/lib/rpm-state

tier-0/kernel-install.yaml

@@ -0,0 +1,21 @@
+# Configuration to enable kernel-install integration
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    source /usr/lib/os-release
+    echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
+    # take over. Rpm-ostree will use this to know that it is responsible\n\
+    # to run dracut and ensure that there is only one kernel in the image\n\
+    layout=ostree" | tee /usr/lib/kernel/install.conf > /dev/null
+    # By default dnf keeps multiple versions of the kernel, with this
+    # configuration we tell dnf to treat the kernel as everything else.
+    # https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
+    # Let's add the config to a distribution configuration file if dnf5
+    # is used, we append to /etc/dnf/dnf.conf if not.
+    if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
+      echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
+    else
+      echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
+    fi
+

tier-0/kernel-rt.yaml

@@ -1,10 +0,0 @@
-repos:
-  - rt
-  - nfv
-
-# Enable the "realtime" AKA soft-realtime AKA latency-optimized kernel.
-packages:
- - kernel-rt-core kernel-rt-modules kernel-rt-modules-extra kernel-rt-kvm
-
-exclude-packages:
-  - kernel-rt-debug-core

tier-0/manifest.yaml

@@ -1,43 +1,12 @@
+edition: "2024"
 
-# Modern defaults we want
-boot-location: modules
-tmp-is-dir: true
-# https://github.com/CentOS/centos-bootc/issues/167
-machineid-compat: true
 # Be minimal
 recommends: false
 
-ignore-removed-users:
-  - root
-ignore-removed-groups:
-  - root
-etc-group-members:
-  - wheel
-  - sudo
-  - systemd-journal
-  - adm
-
 # Default to `bash` in our container, the same as other containers we ship.
 container-cmd:
   - /sbin/init
 
-# Note that the default for c9s+ is sqlite; we can't rely on rpm being
-# in the target (it isn't in tier-0!) so turn this to host here.  This
-# does break the "hermetic build" aspect a bit.  Maybe eventually
-# what we should do is special case this and actually install RPM temporarily
-# and then remove it...
-rpmdb: host
-
-check-passwd:
-  type: "file"
-  filename: "passwd"
-check-groups:
-  type: "file"
-  filename: "group"
-
-automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
-mutate-os-release: "${releasever}"
-
 remove-from-packages:
   # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
   - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
@@ -46,17 +15,21 @@ remove-from-packages:
   - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
 
 include:
+  - postprocess-conf.yaml
   - bootc.yaml
   - bootupd.yaml
   - ostree.yaml
   - initramfs.yaml
   - basic-fixes.yaml
+  - kernel-install.yaml
 
 packages:
   # this is implied by dependencies but let's make it explicit
   - coreutils
-  # needed for building derived container images
-  - dnf5
+  # We need dnf for building derived container images. In Fedora, this pulls
+  # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
+  # just `dnf` once the `dnf` package is retired from Fedora.
+  - /usr/bin/dnf
   # Even in tier-0, we have this.  If you don't want SELinux today, you'll need
   # to build a custom image.
   - selinux-policy-targeted

tier-0/ostree.yaml

@@ -1,9 +1,6 @@
 packages:
  - ostree nss-altfiles
 
-# We want content lifecycled with the image
-opt-usrlocal: "root"
-
 postprocess:
   # Set up default root config
   - |

tier-0/passwd

@@ -23,7 +23,7 @@ rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
 rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
-sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/run/sssd:/usr/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
 systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin

tier-0/postprocess-conf.yaml

@@ -0,0 +1,34 @@
+# This file configures things relevant to `rpm-ostree compose postprocess`.
+
+# We want content lifecycled with the image
+opt-usrlocal: "root"
+
+# https://github.com/CentOS/centos-bootc/issues/167
+machineid-compat: true
+
+# Note that the default for c9s+ is sqlite; we can't rely on rpm being
+# in the target (it isn't in tier-0!) so turn this to host here.  This
+# does break the "hermetic build" aspect a bit.  Maybe eventually
+# what we should do is special case this and actually install RPM temporarily
+# and then remove it...
+rpmdb: host
+
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+etc-group-members:
+  - wheel
+  - sudo
+  - systemd-journal
+  - adm
+
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"

tier-1/bootc-generic-growpart.service

@@ -6,6 +6,8 @@ Documentation=https://gitlab.com/fedora/bootc/docs
 ConditionVirtualization=vm
 # This helps verify that we're running in a bootc/ostree based target.
 ConditionPathIsMountPoint=/sysroot
+# For someone making a smaller image, assume they have this handled.
+ConditionPathExists=/usr/bin/growpart
 # We want to run before any e.g. large container images might be pulled.
 DefaultDependencies=no
 Requires=sysinit.target

tier-1/coreos-user-experience.yaml

@@ -3,15 +3,8 @@
 packages:
   # Additional file compression/decompression
   - bzip2 zstd
-  # Improved MOTD experience
-  - console-login-helper-messages-issuegen
-  - console-login-helper-messages-profile
   # kdump support
   # https://github.com/coreos/fedora-coreos-tracker/issues/622
   - kexec-tools
-  # Container tooling
-  - toolbox
   # nvme-cli for managing nvme disks
   - nvme-cli
-  # Used by admins interactively
-  - lsof

tier-1/manifest.yaml

@@ -3,28 +3,18 @@ recommends: true
 
 include:
   - ../tier-x/manifest.yaml
-  - autoupdates.yaml
   - networking-tools.yaml
   - system-configuration.yaml
   - coreos-user-experience.yaml
   - persistent-journal.yaml
   - initramfs-full.yaml
-  - generic-growfs.yaml
 
 packages:
-  # Include and set the default editor
-  - nano
   - nfs-utils
   # Additional firewall support; we aren't including these in RHCOS or they
   # don't exist in RHEL
   - iptables-services
   - WALinuxAgent-udev
-  # Allow communication between sudo and SSSD
-  # for caching sudo rules by SSSD.
-  # https://github.com/coreos/fedora-coreos-tracker/issues/445
-  - libsss_sudo
-  # SSSD; we only ship a subset of the backends
-  - sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
   # Used by admins interactively
   - openssl
   # Provides terminal tools like clear, reset, tput, and tset
@@ -34,19 +24,10 @@ packages:
   # zram-generator (but not zram-generator-defaults) for F33 change
   # https://github.com/coreos/fedora-coreos-tracker/issues/509
   - zram-generator
-  # This one is in Python so isn't in FCOS, but we can safely add it here.
-  - sos
 
 # These are random architecture-specific packages
-packages-x86_64:
-  - irqbalance
-packages-ppc64le:
-  - irqbalance
-  - librtas
-  - powerpc-utils-core
-  - ppc64-diag-rtas
-packages-aarch64:
-  - irqbalance
+packages-x86_64: []
+packages-aarch64: []
 
 postprocess:
   # Undo RPM scripts enabling units; we want the presets to be canonical

tier-1/system-configuration.yaml

@@ -3,9 +3,6 @@
 packages:
   # Explicit dep for RHEL >= 10
   - crypto-policies-scripts
-  # Configuring SSH keys, cloud provider check-in, etc
-  # TODO: needs Ignition kargs
-  # - afterburn afterburn-dracut
   # NTP support
   - chrony
   # Storage configuration/management
@@ -24,7 +21,4 @@ packages:
   # Anything package layered will also tend to expect files dropped in
   # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
   # have it then people's disks will slowly fill up with logs.
-  - logrotate
-  # Boost starving threads
-  # https://github.com/coreos/fedora-coreos-tracker/issues/753
-  - stalld
+  - logrotate

tier-x/manifest.yaml

@@ -10,12 +10,12 @@ packages:
   - jq
   - less
   - vim-minimal
-  # crun recommends but doesn't require criu and criu-libs. We want them for
-  # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
-  - criu criu-libs
   # deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
   # dep, we still want it
   - podman skopeo
+  # crun recommends but doesn't require criu and criu-libs. We want them for
+  # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
+  - crun criu criu-libs
   # storage
   - cryptsetup
   - lvm2
@@ -28,7 +28,6 @@ packages:
   - NetworkManager
   - openssh-clients
   - openssh-server
-  - systemd-resolved
   # linux-firmware now a recommends so let's explicitly include it
   # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
   # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide