diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d25599d..59bd995 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,12 +12,16 @@ variables:
 
 build-minimal:
   extends: .build-image
-  script: buildah build -f Containerfile --no-cache -t localhost/fedora-bootc:minimal ${PRIV_ARGS} --build-arg=manifest=fedora-minimal .
+  script: |
+    set -xeuo pipefail
+    buildah build -f Containerfile --no-cache -t localhost/fedora-bootc:minimal ${PRIV_ARGS} --build-arg=manifest=fedora-minimal .
+    cd tests/rootfs && buildah build -t localhost/test --from localhost/fedora-bootc:minimal    
 
 standard-build-and-test:
   extends: .build-image
   script: |
     set -xeuo pipefail
     buildah build --no-cache -t localhost/fedora-bootc ${PRIV_ARGS} .
+    (cd tests/rootfs && buildah build -t localhost/test --from localhost/fedora-bootc)
     cd tests
     buildah build -f Containerfile.test-derive --no-cache -t localhost/fedora-bootc-derived ${PRIV_ARGS} .
diff --git a/minimal/postprocess-conf.yaml b/minimal/postprocess-conf.yaml
index 31ef9af..f8d41d7 100644
--- a/minimal/postprocess-conf.yaml
+++ b/minimal/postprocess-conf.yaml
@@ -6,12 +6,9 @@ opt-usrlocal: "root"
 # https://github.com/CentOS/centos-bootc/issues/167
 machineid-compat: true
 
-# Note that the default for c9s+ is sqlite; we can't rely on rpm being
-# in the target (it isn't in minimal!) so turn this to host here.  This
-# does break the "hermetic build" aspect a bit.  Maybe eventually
-# what we should do is special case this and actually install RPM temporarily
-# and then remove it...
-rpmdb: host
+rpmdb: target
+# We never want rpmdb.sqlite-shm as it's unreproducible
+rpmdb-normalize: true
 
 ignore-removed-users:
   - root
diff --git a/tests/rootfs/Dockerfile b/tests/rootfs/Dockerfile
new file mode 100644
index 0000000..10e6e0c
--- /dev/null
+++ b/tests/rootfs/Dockerfile
@@ -0,0 +1,6 @@
+# This should always be replaced with podman build --from.
+FROM localhost/image-to-test as rootfs
+
+FROM quay.io/centos/centos:stream10
+COPY . /src
+RUN --mount=type=bind,from=rootfs,target=/target-rootfs /src/run /target-rootfs
diff --git a/tests/rootfs/README.md b/tests/rootfs/README.md
new file mode 100644
index 0000000..a8f3381
--- /dev/null
+++ b/tests/rootfs/README.md
@@ -0,0 +1,4 @@
+# rootfs tests
+
+This is a set of scripts that sanity check the target
+rootfs in a read-only fashion.
diff --git a/tests/rootfs/cases/rpmdb b/tests/rootfs/cases/rpmdb
new file mode 100755
index 0000000..34f9c1d
--- /dev/null
+++ b/tests/rootfs/cases/rpmdb
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -xeuo pipefail
+for d in usr/share/rpm usr/lib/sysimage/rpm; do
+  if test -d "$d"; then
+    test '!' -f "$d/rpmdb.sqlite-shm"
+  fi
+done
diff --git a/tests/rootfs/run b/tests/rootfs/run
new file mode 100755
index 0000000..a372861
--- /dev/null
+++ b/tests/rootfs/run
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -euo pipefail
+srcdir=$(cd $(dirname $0) && pwd)
+rootfs=$1
+shift
+cd $rootfs
+for case in ${srcdir}/cases/*; do
+  if test -x "$case"; then
+    echo "Running $case"
+    $case
+    echo "ok $case"
+  fi
+done