Minimize base image.

tier-1: add f42 treefile after branching

See merge request fedora/bootc/base-images!87

.gitlab-ci.yml

@@ -1,25 +1,15 @@
-stages:
+---
-  - build
+include:
+  - remote: https://gitlab.com/platform-engineering-org/gitlab-ci/-/raw/main/templates/build-image.gitlab-ci.yml
 
-variables:
+build-image:
-  IMAGE_PREFIX: ${CI_REGISTRY}/${CI_PROJECT_PATH}
-
-.build-image:
-  stage: build
-  image: quay.io/buildah/stable:v1.38.1
-  needs: []
-
-build:
   extends: .build-image
-  stage: build
+  parallel:
-  script: |
+    matrix:
-    set -xeuo pipefail
+      - TIER: [tier-0, tier-1, tier-x]
-    curl -L --fail -o /etc/yum.repos.d/coreos-continuous.repo https://copr.fedorainfracloud.org/coprs/g/CoreOS/continuous/repo/fedora-42/group_CoreOS-continuous-fedora-42.repo
+  variables:
-    dnf -y install rpm-ostree
+    EXTRA_ARGS: "--security-opt=label=disable --cap-add=all --build-arg MANIFEST=fedora-$TIER.yaml"
-    cd base
+  rules:
-    buildah build "${hostbuildopts[@]}" -f Containerfile --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base:tmp .
+    - if: $CI_PROJECT_NAMESPACE != "fedora/bootc"
-    # Rechunk
+      when: never
-    rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-           --from=${IMAGE_PREFIX}-base:tmp --output containers-storage:${IMAGE_PREFIX}-base
-    cd ..
-    buildah build "${hostbuildopts[@]}" -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard:tmp .

Containerfile

@@ -1,18 +1,54 @@
-# This generates the "standard" base image, deriving from the minimal base.
+# This container build uses some special features of podman that allow
+# a process executing as part of a container build to generate a new container
+# image "from scratch".
+#
+# This container build uses nested containerization, so you must build with e.g.
+# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
+#
+# # Why are we doing this?
+#
+# Today this base image build process uses rpm-ostree.  There is a lot of things that
+# rpm-ostree does when generating a container image...but important parts include:
+#
+# - auto-updating labels in the container metadata
+# - Generating "chunked" content-addressed reproducible image layers (notice
+#   how there are ~60 layers in the generated image)
+#
+# The latter bit in particular is currently impossible to do from Containerfile.
+# A future goal is adding some support for this in a way that can be honored by
+# buildah (xref https://github.com/containers/podman/discussions/12605)
+#
+# # Why does this build process require additional privileges?
+#
+# Because it's generating a base image and uses containerization features itself.
+# In the future some of this can be lifted.
 
-# This is a local reference by default because we haven't shipped this image yet.
+FROM quay.io/fedora/fedora:41 as repos
-FROM localhost/fedora-bootc:base
+
-# Copy in our configuration and build scripts. Most of the heavy lifting
+# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted.
-# is in `stage-install` which we emit into /usr/share/doc so it can be
+FROM quay.io/fedora/fedora:41 as builder
-# used as a reference in other images.
+RUN dnf -y install rpm-ostree selinux-policy-targeted
-COPY usr/ /usr/
+ARG MANIFEST=fedora-bootc.yaml
-RUN <<EORUN
+COPY --from=repos /etc/dnf/vars /etc/dnf/vars
-set -xeuo pipefail
+COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
-# This script installs our default packages. These scripts
+# The input git repository has .repo files committed to git rpm-ostree has historically
-# are not a stable API, but may become one in the future.
+# emphasized that.  But here, we are fetching the repos from the container base image.
-/usr/share/doc/bootc-image-standard/stage-install
+# So copy the source, and delete the hardcoded ones in git, and use the container base
-# Cleanup
+# image ones.  We can drop the ones commited to git when we hard switch to Containerfile.
-/usr/share/doc/bootc-image-standard/stage-clean
+COPY . /src
-# And lint.
+WORKDIR /src
-bootc container lint --fatal-warnings
+RUN rm -vf /src/*.repo
-EORUN
+COPY --from=repos /etc/yum.repos.d/*.repo /src
+RUN --mount=type=cache,target=/workdir \
+    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
+    --mount=type=bind,from=repos,src=/,dst=/repos \
+      rpm-ostree compose image --image-config fedora-bootc-config.json \
+        --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
+       --source-root=/repos /buildcontext/out.ociarchive
+
+FROM oci-archive:./out.ociarchive
+# Need to reference builder here to force ordering. But since we have to run
+# something anyway, we might as well cleanup after ourselves.
+RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
+    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
+      rm /buildcontext/out.ociarchive

README.md

@@ -47,17 +47,33 @@ podman build --from quay.io/fedora/fedora:41 ...
 You are of course also free to fork, customize, and build base images yourself.
 See this page[6] of the documentation for more information.
 
-## Images
+## Tiers
 
 At the current time, there is just one reference base image published
-to the registry. There is a `Containerfile.base` which produces a
+to the registry. Internally the content set is split up somewhat
-quite minimal base image, from which the default image derives.
+into "tiers", but this is an internal implementation detail and may change
+at any time.
 
-More on the history from [this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
+It is planned to rework and improve this in the future, especially
+to support smaller custom images. For more on this, see
+[this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
 
-- Containefile.base: A base image with the effective equivalent of installing `bootc kernel systemd dnf`
+- **tier-1**: This image is the default, what is published as
-  with "recommends" off. Intended as a derivation starting point for minimal systems.
+  https://quay.io/repository/fedora/fedora-bootc
-- Containerfile: Produces the default much larger image; somewhat similar to CoreOS.
+- **tier-0**: This content set is more of a convenient centralization point for CI
+  and curation around a package set that we can all agree is the rough minimum
+  necessary for a usable system. It's not meant to be used as is, but layered
+  upon.
+- **tier-x**: This content set is the shared base used by all image-based
+  Fedora variants (IoT, Atomic Desktops, and CoreOS).
+  Changes to this tier may be done without accounting for external users.
+  To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build
+  command above.
+
+**tier-1** inherits from **tier-x** and **tier-x** in turn inherit from **tier-0**.
+
+All non-trivial changes to **tier-0** and **tier-x** should be ACKed by at least
+one stakeholder of each Fedora variant WGs.
 
 ## More information
 

base/Containerfile

@@ -1,46 +0,0 @@
-# This is a relatively minimal base image build; it's intended as a derivation
-# point.
-#
-# This container build uses nested containerization to construct
-# a target rootfs from scratch; so you must build with e.g.
-# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
-
-# If you want to configure the input rpm-md repositories, just override this
-# container image.
-FROM quay.io/fedora/fedora:rawhide as repos
-
-# We use stream10 to demonstrate that we support "cross builds".
-FROM quay.io/centos/centos:stream10 as builder
-RUN <<EORUN
-set -xeuo pipefail
-# For rpm-ostree v2025.5
-curl -L -o /etc/yum.repos.d/coreos-continuous.repo https://copr.fedorainfracloud.org/coprs/g/CoreOS/continuous/repo/centos-stream-10/group_CoreOS-continuous-centos-stream-10.repo
-dnf -y install rpm-ostree selinux-policy-targeted sqlite
-EORUN
-# Copy in our source code.
-COPY . /src
-WORKDIR /src
-RUN --mount=type=bind,from=repos,src=/,dst=/repos,rw <<EORUN
-set -xeuo pipefail
-# Copy the build configuration into the builder image, as if it's the final image
-cp -a . /usr/lib/sysimage/base-image-manifest
-# And embed the rebuild script
-install -m 0755 -t /usr/libexec ./bootc-base-image-rebuild-self
-# Finally, run the build script in the same way we expect custom images to do.
-/usr/libexec/bootc-base-image-rebuild-self /repos /target-rootfs
-EORUN
-
-# This pulls in the rootfs generated in the previous step
-FROM scratch
-COPY --from=builder /target-rootfs/ /
-LABEL containers.bootc 1
-# This is an ad-hoc way for us to reference bootc-image-builder in
-# a way that in theory client tooling can inspect and find. Today
-# it isn't widely used.
-LABEL bootc.diskimage-builder quay.io/centos-bootc/bootc-image-builder
-# https://pagure.io/fedora-kiwi-descriptions/pull-request/52
-ENV container=oci
-# Make systemd the default
-STOPSIGNAL SIGRTMIN+3
-CMD ["/sbin/init"]
-

base/Makefile

@@ -1,2 +0,0 @@
-install:
-	install -m 0755 -t $(DESTDIR)/usr/libexec bootc-base-image-rebuild-self

base/bootc-base-image-rebuild-self

@@ -1,17 +0,0 @@
-#!/bin/bash
-# This script regenerates this base image using a build
-# configuration (list of packages, scripts) embedded in this current image.
-# The actual *content* packages will come from the source root.
-set -xeuo pipefail
-source_root=$1
-shift
-target=$1
-shift
-if ! test -x /usr/bin/rpm-ostree; then
-    dnf -y install rpm-ostree
-fi
-rpm-ostree experimental compose rootfs --source-root-rw=$source_root /usr/lib/sysimage/base-image-manifest/manifest.yaml $target
-# Finally, propagate the configuration and build script into the target root.
-for f in /usr/lib/sysimage/base-image-manifest /usr/libexec/bootc-base-image-rebuild-self; do
-    cp -a $f $target/$f
-done

base/bootc-base-image-rebuild-self.md

@@ -1,83 +0,0 @@
-# bootc-base-image-rebuild-self
-
-A core premise of the bootc model is that rich
-control over Linux system customization can be accomplished
-with a "default" container build:
-
-```
-FROM <base image>
-RUN ...
-```
-
-As of recently, it is possible to e.g. swap the kernel
-and other fundamental components as part of default derivation.
-
-## Understanding the base image content
-
-Most, but not all content from the base image comes from RPMs.
-There is some additional non-RPM content, as well as postprocessing
-that operates on the filesystem root. At the current
-time the implementation of the base image build uses `rpm-ostree`,
-but this is considered an implementation detail subject to change.
-
-## Rebuilding from externally controlled content
-
-Some use cases want even more control - for example,
-as an organization deploying a bootc system, I may want to ensure
-the base image version carries a set of packages at
-exactly specific versions (perhaps defined by a lockfile,
-or an rpm-md repository). There are many tools which
-manage snapshots of yum (rpm-md) repositories.
-
-The `/usr/libexec/bootc-base-image-rebuild-self` which is
-included in the base image is designed to enable this
-level of control.
-
-## Using bootc-base-image-rebuild-self
-
-This tool takes just two arguments:
-
-- A "repository configuration root" which should have an `/etc/yum.repos.d`
-  that defines the input RPM content.
-- A path to the target root filesystem which will be generated
-
-### Implementation
-
-The current implementation uses `rpm-ostree` on a manifest (treefile)
-embedded in the container image itself. The set of packages installed
-is currently not configurable; however it is quite minimal and can
-easily be customized further as we will see below.
-
-The build tooling is designed to support "cross builds"; the
-repository root could e.g. be CentOS Stream 10, while the
-builder root is Fedora or RHEL, etc. In other words, one given
-base image can be used as a "builder" to produce another
-using different RPMs.
-
-### Example: Generate a new image using CentOS Stream 10 content from RHEL
-
-FROM quay.io/centos/centos:stream10 as repos
-
-FROM registry.redhat.io/rhel10/rhel-bootc:10 as builder
-RUN --mount=type=bind,from=repos,src=/,dst=/repos,rw /usr/libexec/bootc-base-image-rebuild-self /repos /target-rootfs
-
-# This container image uses the "artifact pattern"; it has some
-# basic configuration we expect to apply to multiple container images.
-FROM quay.io/exampleos/baseconfig@sha256:.... as baseconfig
-
-FROM scratch
-COPY --from=builder /target-rootfs/ /
-# Now we make other arbitrary changes. Copy our systemd units and
-# other tweaks from the baseconfig container image.
-COPY --from=baseconfig /usr/ /usr/
-RUN <<EORUN
-set -xeuo pipefail
-# Install critical components
-dnf -y install linux-firmware NetworkManager cloud-init cowsay
-dnf clean all
-bootc container lint
-EORUN
-LABEL containers.bootc 1
-ENV container=oci
-STOPSIGNAL SIGRTMIN+3
-CMD ["/sbin/init"]

base/finalize.d/05-rpmdb.sh

@@ -1,24 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-# https://github.com/coreos/rpm-ostree/pull/5244
-# 
-sysimage_rpmdb=usr/lib/sysimage/rpm/rpmdb.sqlite
-rpmostree_rpmdb_dir=usr/share/rpm
-rpmostree_rpmdb="${rpmostree_rpmdb_dir}/rpmdb.sqlite"
-rpmostree_base_rpmdb_dir=usr/lib/sysimage/rpm-ostree-base-db
-rpmostree_base_rpmdb="${rpmostree_base_rpmdb_dir}/rpmdb.sqlite"
-pragma='PRAGMA journal_mode=delete;'
-
-# Forcibly delete this because ostree hardlinking the sqlite databases
-# confuses rpm. This will cause rpm-ostree to enter a fallback
-# mode with package layering, but that's OK.
-if test -d "${rpmostree_base_rpmdb_dir}"; then
-    echo "Removing ${rpmostree_base_rpmdb_dir}"
-    rm "${rpmostree_base_rpmdb_dir}" -rf
-fi
-for path in ${sysimage_rpmdb} ${rpmostree_rpmdb}; do
-    if test -f "${path}-shm"; then
-        echo "Executing in ${path}: ${pragma}"
-        sqlite3 "${path}" "${pragma}" >/dev/null
-    fi
-done

base/tmpfiles.yaml

@@ -1,7 +0,0 @@
-postprocess:
-  - |
-    #!/bin/bash
-    cat >/usr/lib/tmpfiles.d/bootc-base-rpmstate.conf <<'EOF'
-    # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=771713
-    d /var/lib/rpm-state 0755 - - -
-    EOF

build.sh

@@ -0,0 +1,5 @@
+podman build \
+       --security-opt=label=disable \
+       --cap-add=all \
+       --device /dev/fuse \
+       -t localhost/fedora-bootc .

fedora-40.yaml

@@ -0,0 +1,7 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 40
+repos:
+  - fedora
+  - fedora-updates
+include: fedora-bootc.yaml

fedora-41.yaml

@@ -0,0 +1,7 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 41
+repos:
+  - fedora
+  - fedora-updates
+include: fedora-bootc.yaml

fedora-42.yaml

@@ -0,0 +1,6 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: 42
+repos:
+  - fedora-devel
+include: fedora-bootc.yaml

fedora-bootc-config.json

@@ -0,0 +1,12 @@
+{
+    "Labels": {
+        "containers.bootc": "1",
+        "bootc.diskimage-builder": "quay.io/centos-bootc/bootc-image-builder",
+        "redhat.id": "fedora",
+        "redhat.version-id": "rawhide"
+    },
+    "StopSignal": "SIGRTMIN+3",
+    "Env": [
+        "container=oci"
+    ]
+}

fedora-bootc.yaml

@@ -0,0 +1,8 @@
+metadata:
+  name: fedora-boot-tier1
+  summary: Fedora Bootable Tier 1
+
+include:
+  - fedora-generic.yaml
+  - tier-1/manifest.yaml
+  - tier-1/kernel.yaml

fedora-generic.yaml

@@ -5,3 +5,5 @@ variables:
 packages:
   # https://gitlab.com/fedora/bootc/base-images/-/issues/12
   - fedora-repos-archive
+  # Not in RHEL10
+  - systemd-resolved

fedora-rawhide.yaml

@@ -0,0 +1,6 @@
+# NB: This treefile is used by the legacy pungi path only to build tier-1. It
+# will be removed in the future.
+releasever: rawhide
+repos:
+  - fedora-rawhide
+include: fedora-bootc.yaml

fedora-tier-0.yaml

@@ -0,0 +1,8 @@
+metadata:
+  name: fedora-boot-tier0
+  summary: Fedora Bootable Tier 0
+
+include:
+  - fedora-generic.yaml
+  - tier-0/manifest.yaml
+  - tier-0/kernel.yaml

fedora-tier-1.yaml

@@ -0,0 +1 @@
+fedora-bootc.yaml

fedora-tier-x.yaml

@@ -0,0 +1,8 @@
+metadata:
+  name: fedora-boot-tier-x
+  summary: Fedora Bootable Tier X
+
+include:
+  - fedora-generic.yaml
+  - tier-x/manifest.yaml
+  - tier-x/kernel.yaml

fedora.repo

@@ -0,0 +1,102 @@
+# Note we use baseurl= here because using auto-selected mirrors conflicts with
+# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
+
+[fedora]
+name=Fedora $releasever - $basearch
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
+        https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+enabled=1
+#metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-updates]
+name=Fedora $releasever - $basearch - Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
+        https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
+enabled=1
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-updates-testing]
+name=Fedora $releasever - $basearch - Test Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
+        https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-modular]
+name=Fedora Modular $releasever - $basearch
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Modular/$basearch/os/
+        https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Modular/$basearch/os/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
+enabled=1
+#metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[fedora-updates-modular]
+name=Fedora Modular $releasever - $basearch - Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/
+        https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
+enabled=1
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[fedora-updates-testing-modular]
+name=Fedora Modular $releasever - $basearch - Test Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/
+        https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[rawhide]
+name=Fedora - Rawhide - Developmental packages for the next Fedora release
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
+        https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+enabled=1
+#metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-devel]
+name=Fedora $releasever - $basearch
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
+        https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+enabled=1
+#metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False

tier-0/bootc.yaml

@@ -9,3 +9,9 @@ packages:
  # Required by bootc install, sgdisk has been replaced by Rust crate
  # in bootc https://github.com/containers/bootc/pull/775
  - xfsprogs e2fsprogs dosfstools
+
+exclude-packages:
+  # Exclude kernel-debug-core to make sure that it doesn't somehow get
+  # chosen as the package to satisfy the `kernel-core` dependency from
+  # the kernel package.
+  - kernel-debug-core

tier-0/bootupd.yaml

@@ -26,3 +26,8 @@ postprocess:
     set -xeuo pipefail
     # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
     /usr/bin/bootupctl backend generate-update-metadata
+  - |
+    #!/bin/bash
+    # Workaround for https://issues.redhat.com/browse/RHEL-78104
+    set -xeuo pipefail
+    rm -vrf /usr/lib/ostree-boot/loader

tier-0/kernel-install.yaml

@@ -4,13 +4,10 @@ postprocess:
     #!/usr/bin/env bash
     set -xeuo pipefail
     source /usr/lib/os-release
-    # Check if the ID is Fedora and VERSION_ID is 42 or higher
+    echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
-    if [[ "$ID" == "fedora" && "$VERSION_ID" -ge 42 ]]; then
-        echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
     # take over. Rpm-ostree will use this to know that it is responsible\n\
     # to run dracut and ensure that there is only one kernel in the image\n\
     layout=ostree" | tee /usr/lib/kernel/install.conf > /dev/null
-    fi
     # By default dnf keeps multiple versions of the kernel, with this
     # configuration we tell dnf to treat the kernel as everything else.
     # https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options

tier-0/manifest.yaml

@@ -16,26 +16,22 @@ remove-from-packages:
 
 include:
   - postprocess-conf.yaml
-  - tmpfiles.yaml
   - bootc.yaml
   - bootupd.yaml
   - ostree.yaml
   - initramfs.yaml
   - basic-fixes.yaml
   - kernel-install.yaml
-  - persistent-journal.yaml
-  - fedora-repos.yaml
 
 packages:
-  # This can be replaced later
-  - kernel
   # this is implied by dependencies but let's make it explicit
   - coreutils
   # We need dnf for building derived container images. In Fedora, this pulls
   # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
   # just `dnf` once the `dnf` package is retired from Fedora.
   - /usr/bin/dnf
-  # If you don't want SELinux today, you'll need to build a custom image.
+  # Even in tier-0, we have this.  If you don't want SELinux today, you'll need
+  # to build a custom image.
   - selinux-policy-targeted
   # And we want container-selinux because trying to layer it on later currently causes issues.
   - container-selinux

tier-1/autoupdates.yaml

@@ -0,0 +1,9 @@
+# Enable automatic updates by default
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -euo pipefail
+    target=/usr/lib/systemd/system/default.target.wants
+    mkdir -p $target
+    set -x
+    ln -s ../bootc-fetch-apply-updates.timer $target

tier-1/coreos-user-experience.yaml

@@ -0,0 +1,10 @@
+# This file was forked/copied from Fedora CoreOS.  TODO: resync
+# once we have a good generic mechanism for sharing.
+packages:
+  # Additional file compression/decompression
+  - bzip2 zstd
+  # kdump support
+  # https://github.com/coreos/fedora-coreos-tracker/issues/622
+  - kexec-tools
+  # nvme-cli for managing nvme disks
+  - nvme-cli

tier-1/generic-growfs.yaml

@@ -0,0 +1,12 @@
+add-files:
+  - - bootc-generic-growpart
+    - /usr/libexec/bootc-generic-growpart
+  - - bootc-generic-growpart.service
+    - /usr/lib/systemd/system/bootc-generic-growpart.service
+
+postprocess:
+  - |
+    #!/bin/bash
+    set -euo pipefail
+    mkdir -p /usr/lib/systemd/system/local-fs.target.wants
+    ln -s ../bootc-generic-growpart.service /usr/lib/systemd/system/local-fs.target.wants/bootc-generic-growpart.service

tier-1/initramfs-full.yaml

@@ -0,0 +1,8 @@
+# Configuration for the "tier-1" initramfs
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    mkdir -p /usr/lib/dracut/dracut.conf.d
+    cat > /usr/lib/dracut/dracut.conf.d/30-bootc-tier-1.conf << 'EOF'
+    add_dracutmodules+=" lvm crypt fips "
+    EOF

tier-1/kernel.yaml

@@ -0,0 +1 @@
+../tier-0/kernel.yaml

tier-1/manifest.yaml

@@ -0,0 +1,72 @@
+# Flip this back on, we're going to be a larger system
+recommends: true
+
+include:
+  - ../tier-x/manifest.yaml
+  - networking-tools.yaml
+  - system-configuration.yaml
+  - coreos-user-experience.yaml
+  - persistent-journal.yaml
+  - initramfs-full.yaml
+
+packages:
+  - nfs-utils
+  # Additional firewall support; we aren't including these in RHCOS or they
+  # don't exist in RHEL
+  - iptables-services
+  - WALinuxAgent-udev
+  # Used by admins interactively
+  - openssl
+  # Provides terminal tools like clear, reset, tput, and tset
+  - ncurses
+  # i18n
+  - kbd
+  # zram-generator (but not zram-generator-defaults) for F33 change
+  # https://github.com/coreos/fedora-coreos-tracker/issues/509
+  - zram-generator
+
+# These are random architecture-specific packages
+packages-x86_64: []
+packages-aarch64: []
+
+postprocess:
+  # Undo RPM scripts enabling units; we want the presets to be canonical
+  # https://github.com/projectatomic/rpm-ostree/issues/1803
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    rm -rf /etc/systemd/system/*
+    systemctl preset-all
+    rm -rf /etc/systemd/user/*
+    systemctl --user --global preset-all
+  # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
+  #      https://bugzilla.redhat.com/show_bug.cgi?id=2112857
+  #      https://github.com/coreos/rpm-ostree/issues/3918
+  # Temporary workaround to remove the SetGID binary from liblockfile that is
+  # pulled by the s390utils but not needed for /usr/sbin/zipl.
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    rm -f /usr/bin/dotlockfile
+
+# Things we don't expect to ship on the host.  We currently
+# have recommends: false so these could only come in via
+# hard requirement, in which case the build will fail.
+exclude-packages:
+  - perl
+  - perl-interpreter
+  - nodejs
+  - grubby
+  - cowsay  # Just in case
+  # Let's make sure initscripts doesn't get pulled back in
+  # https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
+  - initscripts
+  # For (datacenter/cloud oriented) servers, we want to see the details by default.
+  # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
+  - plymouth
+  # Do not use legacy ifcfg config format in NetworkManager
+  # See https://github.com/coreos/fedora-coreos-config/pull/1991
+  - NetworkManager-initscripts-ifcfg-rh
+  # Let's not have both legacy and nft versions in the image. Users are free to
+  # also layer legacy themselves if they want.
+  - iptables-legacy

tier-1/networking-tools.yaml

@@ -0,0 +1,20 @@
+# This defines a set of tools that are useful for configuring, debugging,
+# or manipulating the network of a system.  It is desired to keep this list
+# generic enough to be shared downstream with RHCOS.
+
+packages:
+  # Interactive Networking configuration during coreos-install
+  - NetworkManager-tui
+  # Support for cloud quirks and dynamic config in real rootfs:
+  # https://github.com/coreos/fedora-coreos-tracker/issues/320
+  - NetworkManager-cloud-setup
+  # Route manipulation and QoS
+  - iproute iproute-tc
+  # Firewall manipulation
+  - iptables nftables
+  # Interactive network tools for admins
+  - socat net-tools bind-utils
+
+exclude-packages:
+  # We use NetworkManager
+  - systemd-networkd

tier-1/system-configuration.yaml

@@ -0,0 +1,24 @@
+# These are packages that are related to configuring parts of the system.
+
+packages:
+  # Explicit dep for RHEL >= 10
+  - crypto-policies-scripts
+  # NTP support
+  - chrony
+  # Storage configuration/management
+  - sg3_utils
+  ## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394
+  - cloud-utils-growpart
+  # User configuration
+  - passwd
+  - shadow-utils
+  - acl
+  # Manipulating the kernel keyring; used by bootc
+  - keyutils
+  # There are things that write outside of the journal still (such as the
+  # classic wtmp, etc.). auditd also writes outside the journal but it has its
+  # own log rotation.
+  # Anything package layered will also tend to expect files dropped in
+  # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
+  # have it then people's disks will slowly fill up with logs.
+  - logrotate

tier-x/kernel.yaml

@@ -0,0 +1 @@
+../tier-0/kernel.yaml

tier-x/manifest.yaml

@@ -0,0 +1,44 @@
+include:
+  - ../tier-0/manifest.yaml
+
+packages:
+  # Used by admins interactively
+  - attr
+  - bash-completion
+  - hostname
+  - iproute
+  - jq
+  - less
+  - vim-minimal
+  # deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
+  # dep, we still want it
+  - podman skopeo
+  # crun recommends but doesn't require criu and criu-libs. We want them for
+  # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
+  - crun criu criu-libs
+  # storage
+  - cryptsetup
+  - lvm2
+  - tar
+  # zram-generator (but not zram-generator-defaults) for F33 change
+  # https://github.com/coreos/fedora-coreos-tracker/issues/509
+  - zram-generator
+  # networking
+  - iptables-nft
+  - NetworkManager
+  - openssh-clients
+  - openssh-server
+  # linux-firmware now a recommends so let's explicitly include it
+  # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
+  # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
+  - linux-firmware
+  # security
+  - polkit
+  - sudo
+  # Allow for configuring different timezones
+  - tzdata
+  # rpm-ostree
+  - rpm-ostree nss-altfiles
+  # firmware updates
+  # If you're using linux-firmware, you probably also want fwupd
+  - fwupd

usr/lib/dracut/dracut.conf.d/30-bootc-full.conf

@@ -1 +0,0 @@
-add_dracutmodules+=" lvm crypt fips "

usr/lib/systemd/system-preset/05-bootc.preset

@@ -1,7 +0,0 @@
-# Our fallback
-enable bootc-generic-growpart.service
-
-# We enable this by default just so we can say we have automatic
-# updates on by default, like CoreOS. It's very much intended
-# to be tweaked or replaced outside of trivial scenarios though.
-enable bootc-fetch-apply-updates.timer

usr/lib/tmpfiles.d/bootc-legacy-contentsets.conf

@@ -1,5 +0,0 @@
-# Workaround for https://github.com/konflux-ci/build-tasks-dockerfiles/pull/243
-d /var/roothome/buildinfo 0755 - - -
-d /var/roothome/buildinfo/content_manifests 0755 - - -
-# Note we don't actually try to recreate the content; this just makes the linter ignore it
-f /var/roothome/buildinfo/content_manifests/content-sets.json 0644 - - -

usr/share/doc/bootc-image-standard/packages-aarch64.txt

@@ -1 +0,0 @@
-irqbalance

usr/share/doc/bootc-image-standard/packages-excluded.txt

@@ -1,21 +0,0 @@
-# Packages excluded by default
-
-# We use NetworkManager
-systemd-networkd
-# But without the legacy
-# See https://github.com/coreos/fedora-coreos-config/pull/1991
-NetworkManager-initscripts-ifcfg-rh
-
-# Let's not have both legacy and nft versions in the image. Users are free to
-# also layer legacy themselves if they want.
-iptables-legacy
-
-# We use bootupd
-grubby
-# Let's make sure initscripts doesn't get pulled back in
-# https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
-initscripts
-
-# For (datacenter/cloud oriented) servers, we want to see the details by default.
-# https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
-plymouth

usr/share/doc/bootc-image-standard/packages-ppc64le.txt

@@ -1,4 +0,0 @@
-irqbalance
-librtas
-powerpc-utils-core
-ppc64-diag-rtas

usr/share/doc/bootc-image-standard/packages-recommended-minimal.txt

@@ -1,45 +0,0 @@
-# This file is simply a list of packages recommended to be used by default.
-# You can process this via e.g.
-# grep -E -v '^#' packages-recommended.txt | xargs dnf -y install
-
-# Used by admins interactively
-attr
-bash-completion
-hostname
-iproute
-jq
-less
-vim-minimal
-# deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
-# dep, we still want it
-podman skopeo
-# crun recommends but doesn't require criu and criu-libs. We want them for
-# checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
-crun criu criu-libs
-# storage
-cryptsetup
-lvm2
-tar
-# zram-generator (but not zram-generator-defaults) for F33 change
-# https://github.com/coreos/fedora-coreos-tracker/issues/509
-zram-generator
-# networking
-iptables-nft
-NetworkManager
-openssh-clients
-openssh-server
-systemd-resolved
-# linux-firmware now a recommends so let's explicitly include it
-# https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
-# https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
-linux-firmware
-# security
-polkit
-sudo
-# Allow for configuring different timezones
-tzdata
-# rpm-ostree
-rpm-ostree nss-altfiles
-# firmware updates
-# If you're using linux-firmware, you probably also want fwupd
-fwupd

usr/share/doc/bootc-image-standard/packages-x86_64.txt

@@ -1 +0,0 @@
-irqbalance

usr/share/doc/bootc-image-standard/packages.txt

@@ -1,104 +0,0 @@
-# A relatively large base image suitable for headless servers,
-# a lot like CoreOS.
-
-# Include and set the default editor
-nano
-nfs-utils
-# Additional firewall support; we aren't including these in RHCOS or they
-# don't exist in RHEL
-iptables-services
-WALinuxAgent-udev
-# Allow communication between sudo and SSSD
-# for caching sudo rules by SSSD.
-# https://github.com/coreos/fedora-coreos-tracker/issues/445
-libsss_sudo
-# SSSD; we only ship a subset of the backends
-sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
-# Used by admins interactively
-openssl
-# Provides terminal tools like clear, reset, tput, and tset
-ncurses
-# i18n
-kbd
-# zram-generator (but not zram-generator-defaults) for F33 change
-# https://github.com/coreos/fedora-coreos-tracker/issues/509
-zram-generator
-# This one is in Python so isn't in FCOS, but we can safely add it here.
-sos
-
-# Additional file compression/decompression
-bzip2 zstd
-# Improved MOTD experience
-console-login-helper-messages-issuegen
-console-login-helper-messages-profile
-# kdump support
-# https://github.com/coreos/fedora-coreos-tracker/issues/622
-kexec-tools
-# Container tooling
-toolbox
-# nvme-cli for managing nvme disks
-nvme-cli
-# Used by admins interactively
-lsof
-
-# Explicit dep for RHEL >= 10
-crypto-policies-scripts
-# Configuring SSH keys, cloud provider check-in, etc
-# TODO: needs Ignition kargs
-# - afterburn afterburn-dracut
-# NTP support
-chrony
-# Storage configuration/management
-sg3_utils
-## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394
-cloud-utils-growpart
-# User configuration
-passwd
-shadow-utils
-acl
-# Manipulating the kernel keyring; used by bootc
-keyutils
-# There are things that write outside of the journal still (such as the
-# classic wtmp, etc.). auditd also writes outside the journal but it has its
-# own log rotation.
-# Anything package layered will also tend to expect files dropped in
-# /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
-# have it then people's disks will slowly fill up with logs.
-logrotate
-# Boost starving threads
-# https://github.com/coreos/fedora-coreos-tracker/issues/753
-stalld
-
-# This defines a set of tools that are useful for configuring, debugging,
-# or manipulating the network of a system.
-# Interactive Networking configuration during coreos-install
-NetworkManager-tui
-# Support for cloud quirks and dynamic config in real rootfs:
-# https://github.com/coreos/fedora-coreos-tracker/issues/320
-NetworkManager-cloud-setup
-# Route manipulation and QoS
-iproute iproute-tc
-# Firewall manipulation
-iptables nftables
-# Interactive network tools for admins
-socat net-tools bind-utils
-
-# These are recomended by other packages installed above.
-# recommended by containers-common-extra
-qemu-user-static
-# recommended by rpm-libs
-rpm-plugin-audit
-#recomended by gnupg2
-pinentry
-gnupg2-smime
-# recommended by dracut
-pigz
-memstrack
-kpartx
-# recommended by libxcrypt
-pkcs11-provider
-# recommended by containers-common
-fuse-overlayfs
-# recommended by toolbox
-cracklib-dicts
-

usr/share/doc/bootc-image-standard/stage-clean

@@ -1,5 +0,0 @@
-#!/bin/bash
-set -xeuo pipefail
-dnf clean all
-# Lots of cleaning
-rm -vrf /var/log /var/cache /var/lib/dnf

usr/share/doc/bootc-image-standard/stage-install

@@ -1,29 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-dn=$(dirname $0)
-cd ${dn}
-dnf_args=()
-echo "Loading packages-excluded"
-for x in $(grep -E -v '^#' packages-excluded.txt); do
-  dnf_args+=(--exclude ${x})
-done
-echo "Loading packages"
-package_files=(packages-recommended-minimal.txt packages.txt)
-pkgfile_for_arch=packages-$(arch).txt
-if test -f ${pkgfile_for_arch}; then
-  echo "Loading ${pkgfile_for_arch}"
-  package_files+=(${pkgfile_for_arch})
-fi
-base_pkgs=$(grep -hE -v '^#' ${package_files[@]})
-dnf -y ${dnf_args[@]} install $base_pkgs
-
-# Ensure we regenerate the initramfs with new content
-# https://docs.fedoraproject.org/en-US/bootc/initramfs/
-kver=$(cd /usr/lib/modules && echo *); dracut -vf /usr/lib/modules/$kver/initramfs.img $kver
-
-# Undo RPM scripts enabling units; we want the presets to be canonical for the base image.
-# https://github.com/projectatomic/rpm-ostree/issues/1803
-rm -rf /etc/systemd/system/*
-systemctl preset-all
-rm -rf /etc/systemd/user/*
-systemctl --user --global preset-all