Minimize base image.

tier-1: add f42 treefile after branching

See merge request fedora/bootc/base-images!87

Containerfile

@@ -23,7 +23,7 @@
 # Because it's generating a base image and uses containerization features itself.
 # In the future some of this can be lifted.
 
-FROM quay.io/fedora/fedora:rawhide as repos
+FROM quay.io/fedora/fedora:41 as repos
 
 # BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted.
 FROM quay.io/fedora/fedora:41 as builder

README.md

@@ -49,15 +49,23 @@ See this page[6] of the documentation for more information.
 
 ## Tiers
 
-There are currently 3 tiers:
+At the current time, there is just one reference base image published
+to the registry. Internally the content set is split up somewhat
+into "tiers", but this is an internal implementation detail and may change
+at any time.
+
+It is planned to rework and improve this in the future, especially
+to support smaller custom images. For more on this, see
+[this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
+
 - **tier-1**: This image is the default, what is published as
   https://quay.io/repository/fedora/fedora-bootc
-- **tier-0**: This image is more of a convenient centralization point for CI
+- **tier-0**: This content set is more of a convenient centralization point for CI
   and curation around a package set that we can all agree is the rough minimum
   necessary for a usable system. It's not meant to be used as is, but layered
   upon.
-- **tier-x**: This image is not intended for end-users. It's the shared base
-  used by all image-based Fedora variants (IoT, Atomic Desktops, and CoreOS).
+- **tier-x**: This content set is the shared base used by all image-based
+  Fedora variants (IoT, Atomic Desktops, and CoreOS).
   Changes to this tier may be done without accounting for external users.
   To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build
   command above.

build.sh

@@ -0,0 +1,5 @@
+podman build \
+       --security-opt=label=disable \
+       --cap-add=all \
+       --device /dev/fuse \
+       -t localhost/fedora-bootc .

fedora-42.yaml

@@ -0,0 +1,6 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 42
+repos:
+  - fedora-devel
+include: fedora-bootc.yaml

fedora-generic.yaml

@@ -5,3 +5,5 @@ variables:
 packages:
   # https://gitlab.com/fedora/bootc/base-images/-/issues/12
   - fedora-repos-archive
+  # Not in RHEL10
+  - systemd-resolved

tier-0/bootupd.yaml

@@ -9,9 +9,8 @@ packages-aarch64:
 packages-ppc64le:
   - grub2 ostree-grub2
 packages-s390x:
-  # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
-  # provided by s390utils-base, but soon will be -core too.
-  - /usr/sbin/zipl
+  # For zipl
+  - s390utils-core
 packages-x86_64:
   - grub2 grub2-efi-x64 efibootmgr shim
   - microcode_ctl
@@ -27,3 +26,8 @@ postprocess:
     set -xeuo pipefail
     # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
     /usr/bin/bootupctl backend generate-update-metadata
+  - |
+    #!/bin/bash
+    # Workaround for https://issues.redhat.com/browse/RHEL-78104
+    set -xeuo pipefail
+    rm -vrf /usr/lib/ostree-boot/loader

tier-0/finalize.d/01-var.sh

@@ -2,3 +2,5 @@
 # https://gitlab.com/fedora/bootc/base-images/-/issues/28
 set -xeuo pipefail
 ln -s ../run var/run
+# https://gitlab.com/fedora/bootc/tracker/-/issues/58
+mkdir -p var/lib/rpm-state

tier-0/kernel-install.yaml

@@ -0,0 +1,21 @@
+# Configuration to enable kernel-install integration
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    source /usr/lib/os-release
+    echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
+    # take over. Rpm-ostree will use this to know that it is responsible\n\
+    # to run dracut and ensure that there is only one kernel in the image\n\
+    layout=ostree" | tee /usr/lib/kernel/install.conf > /dev/null
+    # By default dnf keeps multiple versions of the kernel, with this
+    # configuration we tell dnf to treat the kernel as everything else.
+    # https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
+    # Let's add the config to a distribution configuration file if dnf5
+    # is used, we append to /etc/dnf/dnf.conf if not.
+    if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
+      echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
+    else
+      echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
+    fi
+

tier-0/kernel-rt.yaml

@@ -1,10 +0,0 @@
-repos:
-  - rt
-  - nfv
-
-# Enable the "realtime" AKA soft-realtime AKA latency-optimized kernel.
-packages:
- - kernel-rt-core kernel-rt-modules kernel-rt-modules-extra kernel-rt-kvm
-
-exclude-packages:
-  - kernel-rt-debug-core

tier-0/manifest.yaml

@@ -1,40 +1,12 @@
 edition: "2024"
-# https://github.com/CentOS/centos-bootc/issues/167
-machineid-compat: true
+
 # Be minimal
 recommends: false
 
-ignore-removed-users:
-  - root
-ignore-removed-groups:
-  - root
-etc-group-members:
-  - wheel
-  - sudo
-  - systemd-journal
-  - adm
-
 # Default to `bash` in our container, the same as other containers we ship.
 container-cmd:
   - /sbin/init
 
-# Note that the default for c9s+ is sqlite; we can't rely on rpm being
-# in the target (it isn't in tier-0!) so turn this to host here.  This
-# does break the "hermetic build" aspect a bit.  Maybe eventually
-# what we should do is special case this and actually install RPM temporarily
-# and then remove it...
-rpmdb: host
-
-check-passwd:
-  type: "file"
-  filename: "passwd"
-check-groups:
-  type: "file"
-  filename: "group"
-
-automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
-mutate-os-release: "${releasever}"
-
 remove-from-packages:
   # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
   - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
@@ -43,11 +15,13 @@ remove-from-packages:
   - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
 
 include:
+  - postprocess-conf.yaml
   - bootc.yaml
   - bootupd.yaml
   - ostree.yaml
   - initramfs.yaml
   - basic-fixes.yaml
+  - kernel-install.yaml
 
 packages:
   # this is implied by dependencies but let's make it explicit

tier-0/ostree.yaml

@@ -1,9 +1,6 @@
 packages:
  - ostree nss-altfiles
 
-# We want content lifecycled with the image
-opt-usrlocal: "root"
-
 postprocess:
   # Set up default root config
   - |

tier-0/postprocess-conf.yaml

@@ -0,0 +1,34 @@
+# This file configures things relevant to `rpm-ostree compose postprocess`.
+
+# We want content lifecycled with the image
+opt-usrlocal: "root"
+
+# https://github.com/CentOS/centos-bootc/issues/167
+machineid-compat: true
+
+# Note that the default for c9s+ is sqlite; we can't rely on rpm being
+# in the target (it isn't in tier-0!) so turn this to host here.  This
+# does break the "hermetic build" aspect a bit.  Maybe eventually
+# what we should do is special case this and actually install RPM temporarily
+# and then remove it...
+rpmdb: host
+
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+etc-group-members:
+  - wheel
+  - sudo
+  - systemd-journal
+  - adm
+
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"

tier-1/bootc-generic-growpart.service

@@ -6,6 +6,8 @@ Documentation=https://gitlab.com/fedora/bootc/docs
 ConditionVirtualization=vm
 # This helps verify that we're running in a bootc/ostree based target.
 ConditionPathIsMountPoint=/sysroot
+# For someone making a smaller image, assume they have this handled.
+ConditionPathExists=/usr/bin/growpart
 # We want to run before any e.g. large container images might be pulled.
 DefaultDependencies=no
 Requires=sysinit.target

tier-1/coreos-user-experience.yaml

@@ -3,15 +3,8 @@
 packages:
   # Additional file compression/decompression
   - bzip2 zstd
-  # Improved MOTD experience
-  - console-login-helper-messages-issuegen
-  - console-login-helper-messages-profile
   # kdump support
   # https://github.com/coreos/fedora-coreos-tracker/issues/622
   - kexec-tools
-  # Container tooling
-  - toolbox
   # nvme-cli for managing nvme disks
   - nvme-cli
-  # Used by admins interactively
-  - lsof

tier-1/manifest.yaml

@@ -3,28 +3,18 @@ recommends: true
 
 include:
   - ../tier-x/manifest.yaml
-  - autoupdates.yaml
   - networking-tools.yaml
   - system-configuration.yaml
   - coreos-user-experience.yaml
   - persistent-journal.yaml
   - initramfs-full.yaml
-  - generic-growfs.yaml
 
 packages:
-  # Include and set the default editor
-  - nano
   - nfs-utils
   # Additional firewall support; we aren't including these in RHCOS or they
   # don't exist in RHEL
   - iptables-services
   - WALinuxAgent-udev
-  # Allow communication between sudo and SSSD
-  # for caching sudo rules by SSSD.
-  # https://github.com/coreos/fedora-coreos-tracker/issues/445
-  - libsss_sudo
-  # SSSD; we only ship a subset of the backends
-  - sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
   # Used by admins interactively
   - openssl
   # Provides terminal tools like clear, reset, tput, and tset
@@ -34,19 +24,10 @@ packages:
   # zram-generator (but not zram-generator-defaults) for F33 change
   # https://github.com/coreos/fedora-coreos-tracker/issues/509
   - zram-generator
-  # This one is in Python so isn't in FCOS, but we can safely add it here.
-  - sos
 
 # These are random architecture-specific packages
-packages-x86_64:
-  - irqbalance
-packages-ppc64le:
-  - irqbalance
-  - librtas
-  - powerpc-utils-core
-  - ppc64-diag-rtas
-packages-aarch64:
-  - irqbalance
+packages-x86_64: []
+packages-aarch64: []
 
 postprocess:
   # Undo RPM scripts enabling units; we want the presets to be canonical

tier-1/system-configuration.yaml

@@ -3,9 +3,6 @@
 packages:
   # Explicit dep for RHEL >= 10
   - crypto-policies-scripts
-  # Configuring SSH keys, cloud provider check-in, etc
-  # TODO: needs Ignition kargs
-  # - afterburn afterburn-dracut
   # NTP support
   - chrony
   # Storage configuration/management
@@ -24,7 +21,4 @@ packages:
   # Anything package layered will also tend to expect files dropped in
   # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
   # have it then people's disks will slowly fill up with logs.
-  - logrotate
-  # Boost starving threads
-  # https://github.com/coreos/fedora-coreos-tracker/issues/753
-  - stalld
+  - logrotate

tier-x/manifest.yaml

@@ -28,7 +28,6 @@ packages:
   - NetworkManager
   - openssh-clients
   - openssh-server
-  - systemd-resolved
   # linux-firmware now a recommends so let's explicitly include it
   # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
   # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide