tier-0: Rename to minimal

The "tiers" nomenclature ended up being unhelpful since
we introduced "tier-x" which is between tier-0 and tier-1.

We also never exposed the tier naming outside of our source
code. In preparation for doing so, rename to tier-0 to
"minimal" which is a bit more descriptive.

Renaming the other images will follow.

Signed-off-by: Colin Walters <walters@verbum.org>

minimal/basic-fixes.yaml

@@ -0,0 +1,29 @@
+# Fix general bugs
+
+postprocess:
+  # See also https://github.com/openshift/os/blob/f6cde963ee140c02364674db378b2bc4ac42675b/common.yaml#L156
+  # This one is undoes the effect of
+  # # RHEL-only: Disable /tmp on tmpfs.
+  #Wants=tmp.mount
+  # in /usr/lib/systemd/system/basic.target
+  # We absolutely must have tmpfs-on-tmp for multiple reasons,
+  # but the biggest is that when we have composefs for / it's read-only,
+  # and for units with ProtectSystem=full systemd clones / but needs
+  # a writable place.
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    mkdir -p /usr/lib/systemd/system/local-fs.target.wants
+    if test '!' -f /usr/lib/systemd/system/local-fs.target.wants/tmp.mount; then
+      ln -sf ../tmp.mount /usr/lib/systemd/system/local-fs.target.wants
+    fi
+
+    # See https://github.com/containers/bootc/issues/358
+    # basically systemd-tmpfiles doesn't follow symlinks; ordinarily our
+    # tmpfiles.d unit for `/var/roothome` is fine, but this actually doesn't
+    # work if we want to use tmpfiles.d to write to `/root/.ssh` because
+    # tmpfiles gives up on that before getting to `/var/roothome`.
+    sed -i -e 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf
+    # Because /var/roothome is also defined in rpm-ostree-0-integration.conf
+    # we need to delete /var/roothome
+    sed -i -e '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf

minimal/bootc.yaml

@@ -0,0 +1,17 @@
+# The bootc components.
+packages:
+ - systemd
+ - bootc
+ # bootc pulls in podman, which pulls in containers-common, which wants
+ # `iptables`. Currently that pulls in iptables-legacy. Let's explicitly name
+ # iptables-nft instead to satisfy it.
+ - iptables-nft
+ # Required by bootc install, sgdisk has been replaced by Rust crate
+ # in bootc https://github.com/containers/bootc/pull/775
+ - xfsprogs e2fsprogs dosfstools
+
+exclude-packages:
+  # Exclude kernel-debug-core to make sure that it doesn't somehow get
+  # chosen as the package to satisfy the `kernel-core` dependency from
+  # the kernel package.
+  - kernel-debug-core

minimal/bootupd.yaml

@@ -0,0 +1,33 @@
+# Integration with https://github.com/coreos/bootupd and bootloader logic
+# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
+packages:
+  - bootupd
+
+# bootloader
+packages-aarch64:
+  - grub2-efi-aa64 efibootmgr shim
+packages-ppc64le:
+  - grub2 ostree-grub2
+packages-s390x:
+  # For zipl
+  - s390utils-core
+packages-x86_64:
+  - grub2 grub2-efi-x64 efibootmgr shim
+  - microcode_ctl
+
+conditional-include:
+  - if: basearch != "s390x"
+    # And remove some cruft from grub2
+    include: grub2-removals.yaml
+
+postprocess:
+  - |
+    #!/bin/bash
+    set -xeuo pipefail
+    # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
+    /usr/bin/bootupctl backend generate-update-metadata
+  - |
+    #!/bin/bash
+    # Workaround for https://issues.redhat.com/browse/RHEL-78104
+    set -xeuo pipefail
+    rm -vrf /usr/lib/ostree-boot/loader

minimal/finalize.d/01-var.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# https://gitlab.com/fedora/bootc/base-images/-/issues/28
+set -xeuo pipefail
+ln -s ../run var/run
+# https://gitlab.com/fedora/bootc/tracker/-/issues/58
+mkdir -p var/lib/rpm-state

minimal/group

@@ -0,0 +1,45 @@
+root:x:0:
+bin:x:1:
+daemon:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mem:x:8:
+kmem:x:9:
+wheel:x:10:
+cdrom:x:11:
+mail:x:12:
+man:x:15:
+dialout:x:18:
+floppy:x:19:
+games:x:20:
+tape:x:33:
+video:x:39:
+ftp:x:50:
+lock:x:54:
+audio:x:63:
+nobody:x:99:
+users:x:100:
+ssh_keys:x:999:
+systemd-journal:x:190:
+polkitd:x:998:
+etcd:x:997:
+dip:x:40:
+cgred:x:996:
+avahi-autoipd:x:170:
+sssd:x:993:
+dockerroot:x:986:
+rpcuser:x:29:
+nfsnobody:x:65534:
+kube:x:994:
+chrony:x:992:
+tcpdump:x:72:
+ceph:x:167:
+input:x:104:
+systemd-timesync:x:991:
+systemd-network:x:990:
+systemd-resolve:x:989:
+systemd-bus-proxy:x:988:
+cockpit-ws:x:987:

minimal/grub2-removals.yaml

@@ -0,0 +1,8 @@
+remove-from-packages:
+  # The grub bits are mainly designed for desktops, and IMO haven't seen
+  # enough testing in concert with ostree. At some point we'll flesh out
+  # the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
+  - [grub2-tools, /etc/grub.d/08_fallback_counting,
+                  /etc/grub.d/10_reset_boot_success,
+                  /etc/grub.d/12_menu_auto_hide,
+                  /usr/lib/systemd/.*]

minimal/initramfs.yaml

@@ -0,0 +1,24 @@
+# Configuration for the initramfs
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    mkdir -p /usr/lib/dracut/dracut.conf.d
+    cat > /usr/lib/dracut/dracut.conf.d/20-bootc-base.conf << 'EOF'
+    # We want a generic image; hostonly makes no sense as part of a server side build
+    hostonly=no
+    add_dracutmodules+=" kernel-modules dracut-systemd systemd-initrd base ostree "
+    EOF
+    cat > /usr/lib/dracut/dracut.conf.d/22-bootc-generic.conf << 'EOF'
+    # Extra modules that we want by default that are known to exist in the kernel
+    add_dracutmodules+=" virtiofs "
+    EOF
+    cat > /usr/lib/dracut/dracut.conf.d/49-bootc-tpm2-tss.conf << 'EOF'
+    # We want this for systemd-cryptsetup tpm2 locking
+    add_dracutmodules+=" tpm2-tss "
+    EOF
+    cat > /usr/lib/dracut/dracut.conf.d/59-altfiles.conf << 'EOF'
+    # https://issues.redhat.com/browse/RHEL-49590
+    # On image mode systems we use nss-altfiles for passwd and group,
+    # this makes sure dracut uses them which also fixes kdump writing to NFS.
+    install_items+=" /usr/lib/passwd /usr/lib/group "
+    EOF

minimal/kernel-install.yaml

@@ -0,0 +1,21 @@
+# Configuration to enable kernel-install integration
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    source /usr/lib/os-release
+    echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
+    # take over. Rpm-ostree will use this to know that it is responsible\n\
+    # to run dracut and ensure that there is only one kernel in the image\n\
+    layout=ostree" | tee /usr/lib/kernel/install.conf > /dev/null
+    # By default dnf keeps multiple versions of the kernel, with this
+    # configuration we tell dnf to treat the kernel as everything else.
+    # https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
+    # Let's add the config to a distribution configuration file if dnf5
+    # is used, we append to /etc/dnf/dnf.conf if not.
+    if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
+      echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
+    else
+      echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
+    fi
+

minimal/kernel.yaml

@@ -0,0 +1,6 @@
+# Enable the Linux kernel; see also kernel-rt.
+packages:
+ - kernel
+
+exclude-packages:
+  - kernel-debug

minimal/manifest.yaml

@@ -0,0 +1,40 @@
+edition: "2024"
+
+# Be minimal
+recommends: false
+
+# Default to `bash` in our container, the same as other containers we ship.
+container-cmd:
+  - /sbin/init
+
+remove-from-packages:
+  # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
+  - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
+  # We don't want auto-generated mount units. See also
+  # https://github.com/systemd/systemd/issues/13099
+  - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
+
+include:
+  - postprocess-conf.yaml
+  - tmpfiles.yaml
+  - bootc.yaml
+  - bootupd.yaml
+  - ostree.yaml
+  - initramfs.yaml
+  - basic-fixes.yaml
+  - kernel-install.yaml
+
+packages:
+  # this is implied by dependencies but let's make it explicit
+  - coreutils
+  # We need dnf for building derived container images. In Fedora, this pulls
+  # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
+  # just `dnf` once the `dnf` package is retired from Fedora.
+  - /usr/bin/dnf
+  # Even in minimal, we have this.  If you don't want SELinux today, you'll need
+  # to build a custom image.
+  - selinux-policy-targeted
+  # And we want container-selinux because trying to layer it on later currently causes issues.
+  - container-selinux
+  # Needed for tpm2 bound luks
+  - tpm2-tools

minimal/ostree.yaml

@@ -0,0 +1,14 @@
+packages:
+ - ostree nss-altfiles
+
+postprocess:
+  # Set up default root config
+  - |
+    #!/usr/bin/env bash
+    mkdir -p /usr/lib/ostree
+    cat > /usr/lib/ostree/prepare-root.conf << EOF
+    [composefs]
+    enabled = yes
+    [sysroot]
+    readonly = true
+    EOF

minimal/passwd

@@ -0,0 +1,32 @@
+adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
+bin:x:1:1:bin:/bin:/usr/sbin/nologin
+ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
+chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
+cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
+dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
+dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
+etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
+games:x:12:100:games:/usr/games:/usr/sbin/nologin
+halt:x:7:0:halt:/sbin:/sbin/halt
+kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
+nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
+operator:x:11:0:operator:/root:/usr/sbin/nologin
+polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
+root:x:0:0:Super User:/root:/bin/bash
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/run/sssd:/usr/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
+systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
+systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
+systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
+tcpdump:x:72:72::/:/usr/sbin/nologin

minimal/postprocess-conf.yaml

@@ -0,0 +1,33 @@
+# This file configures things relevant to `rpm-ostree compose postprocess`.
+
+# We want content lifecycled with the image
+opt-usrlocal: "root"
+
+# https://github.com/CentOS/centos-bootc/issues/167
+machineid-compat: true
+
+# Note that the default for c9s+ is sqlite; we can't rely on rpm being
+# in the target (it isn't in minimal!) so turn this to host here.  This
+# does break the "hermetic build" aspect a bit.  Maybe eventually
+# what we should do is special case this and actually install RPM temporarily
+# and then remove it...
+rpmdb: host
+
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+etc-group-members:
+  - wheel
+  - systemd-journal
+  - adm
+
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"

minimal/tmpfiles.yaml

@@ -0,0 +1,7 @@
+postprocess:
+  - |
+    #!/bin/bash
+    cat >/usr/lib/tmpfiles.d/bootc-base-rpmstate.conf <<'EOF'
+    # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=771713
+    d /var/lib/rpm-state 0755 - - -
+    EOF