deps: update images to v0.24.0

Update the images dependency to v0.24.0

Includes the addition of the new FDO option
'di_mfg_string_type_mac_iface'.

cmd/osbuild-playground/my-container.go

@@ -46,7 +46,7 @@ func (img *MyContainer) InstantiateManifest(m *manifest.Manifest,
 	// Let's create a simple OCI container!
 
 	// configure a build pipeline
-	build := manifest.NewBuild(m, runner, repos)
+	build := manifest.NewBuild(m, runner, repos, nil)
 	build.Checkpoint()
 
 	// create a minimal non-bootable OS tree

cmd/osbuild-playground/my-image.go

@@ -30,7 +30,7 @@ func (img *MyImage) InstantiateManifest(m *manifest.Manifest,
 	// Let's create a simple raw image!
 
 	// configure a build pipeline
-	build := manifest.NewBuild(m, runner, repos)
+	build := manifest.NewBuild(m, runner, repos, nil)
 	build.Checkpoint()
 
 	// create an x86_64 platform with bios boot

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/Azure/go-autorest/autorest v0.11.29
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12
 	github.com/BurntSushi/toml v1.3.2
-	github.com/aws/aws-sdk-go v1.48.13
+	github.com/aws/aws-sdk-go v1.49.0
 	github.com/coreos/go-semver v0.3.1
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/deepmap/oapi-codegen v1.8.2
@@ -31,7 +31,7 @@ require (
 	github.com/labstack/gommon v0.4.1
 	github.com/openshift-online/ocm-sdk-go v0.1.388
 	github.com/oracle/oci-go-sdk/v54 v54.0.0
-	github.com/osbuild/images v0.21.0
+	github.com/osbuild/images v0.24.0
 	github.com/osbuild/osbuild-composer/pkg/splunk_logger v0.0.0-20231117174845-e969a9dc3cd1
 	github.com/osbuild/pulp-client v0.1.0
 	github.com/prometheus/client_golang v1.17.0
@@ -69,7 +69,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/containers/common v0.57.0 // indirect
+	github.com/containers/common v0.57.1 // indirect
 	github.com/containers/image/v5 v5.29.0 // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/containers/ocicrypt v1.1.9 // indirect

go.sum

@@ -61,8 +61,8 @@ github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat6
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/aws/aws-sdk-go v1.48.13 h1:6N4GTme6MpxfCisWf5pql8k3TBORiKTmbeutZCDXlG8=
+github.com/aws/aws-sdk-go v1.49.0 h1:g9BkW1fo9GqKfwg2+zCD+TW/D36Ux+vtfJ8guF4AYmY=
-github.com/aws/aws-sdk-go v1.48.13/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.49.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -76,8 +76,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/containers/common v0.57.0 h1:5O/+6QUBafKK0/zeok9y1rLPukfWgdE0sT4nuzmyAqk=
+github.com/containers/common v0.57.1 h1:KWAs4PMPgBFmBV4QNbXhUB8TqvlgR95BJN2sbbXkWHY=
-github.com/containers/common v0.57.0/go.mod h1:t/Z+/sFrapvFMEJe3YnecN49/Tae2wYEQShbEN6SRaU=
+github.com/containers/common v0.57.1/go.mod h1:t/Z+/sFrapvFMEJe3YnecN49/Tae2wYEQShbEN6SRaU=
 github.com/containers/image/v5 v5.29.0 h1:9+nhS/ZM7c4Kuzu5tJ0NMpxrgoryOJ2HAYTgG8Ny7j4=
 github.com/containers/image/v5 v5.29.0/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
@@ -454,8 +454,8 @@ github.com/openshift-online/ocm-sdk-go v0.1.388 h1:c8yPCUQwJm3QhcVmnyMPFpeDtxPBa
 github.com/openshift-online/ocm-sdk-go v0.1.388/go.mod h1:/+VFIw1iW2H0jEkFH4GnbL/liWareyzsL0w7mDIudB4=
 github.com/oracle/oci-go-sdk/v54 v54.0.0 h1:CDLjeSejv2aDpElAJrhKpi6zvT/zhZCZuXchUUZ+LS4=
 github.com/oracle/oci-go-sdk/v54 v54.0.0/go.mod h1:+t+yvcFGVp+3ZnztnyxqXfQDsMlq8U25faBLa+mqCMc=
-github.com/osbuild/images v0.21.0 h1:xqW7Y6F+ihoL8x2J+S3nGDRXIqZPq//c0Q8ny3afdpo=
+github.com/osbuild/images v0.24.0 h1:EP1+9Y5IKuTIZ3Q/RmP5/MdUyjlX7zSZCS0NOXK2+Bg=
-github.com/osbuild/images v0.21.0/go.mod h1:HtKiCjR4gQcqcd8E7i37orlFqhsjZmFCvyM89E3aeos=
+github.com/osbuild/images v0.24.0/go.mod h1:jC7HIvrDKqMJjvNOiaz+QbBJG9oz2YBZHrHsF4nQX1k=
 github.com/osbuild/osbuild-composer/pkg/splunk_logger v0.0.0-20231117174845-e969a9dc3cd1 h1:UFEJIcPa46W8gtWgOYzriRKYyy1t6SWL0BI7fPTuVvc=
 github.com/osbuild/osbuild-composer/pkg/splunk_logger v0.0.0-20231117174845-e969a9dc3cd1/go.mod h1:z+WA+dX6qMwc7fqY5jCzESDIlg4WR2sBQezxsoXv9Ik=
 github.com/osbuild/pulp-client v0.1.0 h1:L0C4ezBJGTamN3BKdv+rKLuq/WxXJbsFwz/Hj7aEmJ8=

internal/blueprint/blueprint_convert_test.go

@@ -114,10 +114,11 @@ func TestConvert(t *testing.T) {
 					},
 					InstallationDevice: "/dev/sda",
 					FDO: &FDOCustomization{
-						ManufacturingServerURL: "http://manufacturing.fdo",
+						ManufacturingServerURL:  "http://manufacturing.fdo",
-						DiunPubKeyInsecure:     "insecure-pubkey",
+						DiunPubKeyInsecure:      "insecure-pubkey",
-						DiunPubKeyHash:         "hash-pubkey",
+						DiunPubKeyHash:          "hash-pubkey",
-						DiunPubKeyRootCerts:    "root-certs",
+						DiunPubKeyRootCerts:     "root-certs",
+						DiMfgStringTypeMacIface: "iface",
 					},
 					OpenSCAP: &OpenSCAPCustomization{
 						DataStream: "stream",
@@ -264,10 +265,11 @@ func TestConvert(t *testing.T) {
 					},
 					InstallationDevice: "/dev/sda",
 					FDO: &iblueprint.FDOCustomization{
-						ManufacturingServerURL: "http://manufacturing.fdo",
+						ManufacturingServerURL:  "http://manufacturing.fdo",
-						DiunPubKeyInsecure:     "insecure-pubkey",
+						DiunPubKeyInsecure:      "insecure-pubkey",
-						DiunPubKeyHash:         "hash-pubkey",
+						DiunPubKeyHash:          "hash-pubkey",
-						DiunPubKeyRootCerts:    "root-certs",
+						DiunPubKeyRootCerts:     "root-certs",
+						DiMfgStringTypeMacIface: "iface",
 					},
 					OpenSCAP: &iblueprint.OpenSCAPCustomization{
 						DataStream: "stream",

internal/blueprint/customizations.go

@@ -48,8 +48,9 @@ type FDOCustomization struct {
 	DiunPubKeyInsecure     string `json:"diun_pub_key_insecure,omitempty" toml:"diun_pub_key_insecure,omitempty"`
 	// This is the output of:
 	// echo "sha256:$(openssl x509 -fingerprint -sha256 -noout -in diun_cert.pem | cut -d"=" -f2 | sed 's/://g')"
-	DiunPubKeyHash      string `json:"diun_pub_key_hash,omitempty" toml:"diun_pub_key_hash,omitempty"`
+	DiunPubKeyHash          string `json:"diun_pub_key_hash,omitempty" toml:"diun_pub_key_hash,omitempty"`
-	DiunPubKeyRootCerts string `json:"diun_pub_key_root_certs,omitempty" toml:"diun_pub_key_root_certs,omitempty"`
+	DiunPubKeyRootCerts     string `json:"diun_pub_key_root_certs,omitempty" toml:"diun_pub_key_root_certs,omitempty"`
+	DiMfgStringTypeMacIface string `json:"di_mfg_string_type_mac_iface,omitempty" toml:"di_mfg_string_type_mac_iface,omitempty"`
 }
 
 type KernelCustomization struct {

internal/blueprint/repository_customizations.go

@@ -8,18 +8,19 @@ import (
 )
 
 type RepositoryCustomization struct {
-	Id           string   `json:"id" toml:"id"`
+	Id             string   `json:"id" toml:"id"`
-	BaseURLs     []string `json:"baseurls,omitempty" toml:"baseurls,omitempty"`
+	BaseURLs       []string `json:"baseurls,omitempty" toml:"baseurls,omitempty"`
-	GPGKeys      []string `json:"gpgkeys,omitempty" toml:"gpgkeys,omitempty"`
+	GPGKeys        []string `json:"gpgkeys,omitempty" toml:"gpgkeys,omitempty"`
-	Metalink     string   `json:"metalink,omitempty" toml:"metalink,omitempty"`
+	Metalink       string   `json:"metalink,omitempty" toml:"metalink,omitempty"`
-	Mirrorlist   string   `json:"mirrorlist,omitempty" toml:"mirrorlist,omitempty"`
+	Mirrorlist     string   `json:"mirrorlist,omitempty" toml:"mirrorlist,omitempty"`
-	Name         string   `json:"name,omitempty" toml:"name,omitempty"`
+	Name           string   `json:"name,omitempty" toml:"name,omitempty"`
-	Priority     *int     `json:"priority,omitempty" toml:"priority,omitempty"`
+	Priority       *int     `json:"priority,omitempty" toml:"priority,omitempty"`
-	Enabled      *bool    `json:"enabled,omitempty" toml:"enabled,omitempty"`
+	Enabled        *bool    `json:"enabled,omitempty" toml:"enabled,omitempty"`
-	GPGCheck     *bool    `json:"gpgcheck,omitempty" toml:"gpgcheck,omitempty"`
+	GPGCheck       *bool    `json:"gpgcheck,omitempty" toml:"gpgcheck,omitempty"`
-	RepoGPGCheck *bool    `json:"repo_gpgcheck,omitempty" toml:"repo_gpgcheck,omitempty"`
+	RepoGPGCheck   *bool    `json:"repo_gpgcheck,omitempty" toml:"repo_gpgcheck,omitempty"`
-	SSLVerify    *bool    `json:"sslverify,omitempty" toml:"sslverify,omitempty"`
+	SSLVerify      *bool    `json:"sslverify,omitempty" toml:"sslverify,omitempty"`
-	Filename     string   `json:"filename,omitempty" toml:"filename,omitempty"`
+	ModuleHotfixes *bool    `json:"module_hotfixes,omitempty" toml:"module_hotfixes,omitempty"`
+	Filename       string   `json:"filename,omitempty" toml:"filename,omitempty"`
 }
 
 const repoFilenameRegex = "^[\\w.-]{1,250}\\.repo$"

vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go

@@ -25843,55 +25843,123 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "af-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "af-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-3",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-3",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "ca-central-1",
 					Variant: fipsVariant,
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-north-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-3",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "fips-ca-central-1",
 				}: endpoint{
@@ -25925,40 +25993,84 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "il-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "il-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "me-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "sa-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "sa-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-east-1",
 					Variant: fipsVariant,
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-east-2",
 					Variant: fipsVariant,
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-2",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-west-1",
 					Variant: fipsVariant,
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-west-2",
 					Variant: fipsVariant,
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-2",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 			},
 		},
 		"sagemaker-geospatial": service{
@@ -26187,160 +26299,267 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "af-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "af-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-3",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-south-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-south-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-3",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-4",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-4",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "ca-central-1",
 					Variant: fipsVariant,
-				}: endpoint{
+				}: endpoint{},
-					Hostname: "secretsmanager-fips.ca-central-1.amazonaws.com",
+				endpointKey{
-				},
+					Region:  "ca-central-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ca-central-1-fips",
 				}: endpoint{
-					Hostname: "secretsmanager-fips.ca-central-1.amazonaws.com",
+
-					CredentialScope: credentialScope{
-						Region: "ca-central-1",
-					},
 					Deprecated: boxedTrue,
 				},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-central-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-north-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-south-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-south-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-3",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "il-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "il-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "me-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "me-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "me-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "sa-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "sa-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-east-1",
 					Variant: fipsVariant,
-				}: endpoint{
+				}: endpoint{},
-					Hostname: "secretsmanager-fips.us-east-1.amazonaws.com",
+				endpointKey{
-				},
+					Region:  "us-east-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1-fips",
 				}: endpoint{
-					Hostname: "secretsmanager-fips.us-east-1.amazonaws.com",
+
-					CredentialScope: credentialScope{
-						Region: "us-east-1",
-					},
 					Deprecated: boxedTrue,
 				},
 				endpointKey{
 					Region: "us-east-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-east-2",
 					Variant: fipsVariant,
-				}: endpoint{
+				}: endpoint{},
-					Hostname: "secretsmanager-fips.us-east-2.amazonaws.com",
+				endpointKey{
-				},
+					Region:  "us-east-2",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-2-fips",
 				}: endpoint{
-					Hostname: "secretsmanager-fips.us-east-2.amazonaws.com",
+
-					CredentialScope: credentialScope{
-						Region: "us-east-2",
-					},
 					Deprecated: boxedTrue,
 				},
 				endpointKey{
 					Region: "us-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-west-1",
 					Variant: fipsVariant,
-				}: endpoint{
+				}: endpoint{},
-					Hostname: "secretsmanager-fips.us-west-1.amazonaws.com",
+				endpointKey{
-				},
+					Region:  "us-west-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-west-1-fips",
 				}: endpoint{
-					Hostname: "secretsmanager-fips.us-west-1.amazonaws.com",
+
-					CredentialScope: credentialScope{
-						Region: "us-west-1",
-					},
 					Deprecated: boxedTrue,
 				},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-west-2",
 					Variant: fipsVariant,
-				}: endpoint{
+				}: endpoint{},
-					Hostname: "secretsmanager-fips.us-west-2.amazonaws.com",
+				endpointKey{
-				},
+					Region:  "us-west-2",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-west-2-fips",
 				}: endpoint{
-					Hostname: "secretsmanager-fips.us-west-2.amazonaws.com",
+
-					CredentialScope: credentialScope{
-						Region: "us-west-2",
-					},
 					Deprecated: boxedTrue,
 				},
 			},
@@ -34864,9 +35083,17 @@ var awscnPartition = partition{
 				endpointKey{
 					Region: "cn-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "cn-north-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "cn-northwest-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "cn-northwest-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 			},
 		},
 		"securityhub": service{
@@ -38246,7 +38473,21 @@ var awsusgovPartition = partition{
 			},
 		},
 		"health": service{
+			Defaults: endpointDefaults{
+				defaultKey{}: endpoint{
+					SSLCommonName: "health.us-gov-west-1.amazonaws.com",
+					Protocols:     []string{"https"},
+				},
+			},
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "aws-us-gov-global",
+				}: endpoint{
+					Hostname: "global.health.us-gov.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+				},
 				endpointKey{
 					Region: "fips-us-gov-west-1",
 				}: endpoint{
@@ -40488,17 +40729,33 @@ var awsusgovPartition = partition{
 				endpointKey{
 					Region: "us-gov-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-gov-east-1",
 					Variant: fipsVariant,
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-east-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-gov-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-gov-west-1",
 					Variant: fipsVariant,
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-west-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 			},
 		},
 		"secretsmanager": service{
@@ -40506,37 +40763,43 @@ var awsusgovPartition = partition{
 				endpointKey{
 					Region: "us-gov-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-gov-east-1",
 					Variant: fipsVariant,
-				}: endpoint{
+				}: endpoint{},
-					Hostname: "secretsmanager-fips.us-gov-east-1.amazonaws.com",
+				endpointKey{
-				},
+					Region:  "us-gov-east-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-gov-east-1-fips",
 				}: endpoint{
-					Hostname: "secretsmanager-fips.us-gov-east-1.amazonaws.com",
+
-					CredentialScope: credentialScope{
-						Region: "us-gov-east-1",
-					},
 					Deprecated: boxedTrue,
 				},
 				endpointKey{
 					Region: "us-gov-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region:  "us-gov-west-1",
 					Variant: fipsVariant,
-				}: endpoint{
+				}: endpoint{},
-					Hostname: "secretsmanager-fips.us-gov-west-1.amazonaws.com",
+				endpointKey{
-				},
+					Region:  "us-gov-west-1",
+					Variant: fipsVariant | dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-gov-west-1-fips",
 				}: endpoint{
-					Hostname: "secretsmanager-fips.us-gov-west-1.amazonaws.com",
+
-					CredentialScope: credentialScope{
-						Region: "us-gov-west-1",
-					},
 					Deprecated: boxedTrue,
 				},
 			},

vendor/github.com/aws/aws-sdk-go/aws/version.go

@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.48.13"
+const SDKVersion = "1.49.0"

vendor/github.com/aws/aws-sdk-go/service/ec2/api.go

@@ -161017,6 +161017,9 @@ func (s *PrivateIpAddressSpecification) SetPrivateIpAddress(v string) *PrivateIp
 type ProcessorInfo struct {
 	_ struct{} `type:"structure"`
 
+	// The manufacturer of the processor.
+	Manufacturer *string `locationName:"manufacturer" type:"string"`
+
 	// The architectures supported by the instance type.
 	SupportedArchitectures []*string `locationName:"supportedArchitectures" locationNameList:"item" type:"list" enum:"ArchitectureType"`
 
@@ -161047,6 +161050,12 @@ func (s ProcessorInfo) GoString() string {
 	return s.String()
 }
 
+// SetManufacturer sets the Manufacturer field's value.
+func (s *ProcessorInfo) SetManufacturer(v string) *ProcessorInfo {
+	s.Manufacturer = &v
+	return s
+}
+
 // SetSupportedArchitectures sets the SupportedArchitectures field's value.
 func (s *ProcessorInfo) SetSupportedArchitectures(v []*string) *ProcessorInfo {
 	s.SupportedArchitectures = v
@@ -194338,6 +194347,33 @@ const (
 
 	// InstanceTypeDl2q24xlarge is a InstanceType enum value
 	InstanceTypeDl2q24xlarge = "dl2q.24xlarge"
+
+	// InstanceTypeMac2M2Metal is a InstanceType enum value
+	InstanceTypeMac2M2Metal = "mac2-m2.metal"
+
+	// InstanceTypeI4i12xlarge is a InstanceType enum value
+	InstanceTypeI4i12xlarge = "i4i.12xlarge"
+
+	// InstanceTypeI4i24xlarge is a InstanceType enum value
+	InstanceTypeI4i24xlarge = "i4i.24xlarge"
+
+	// InstanceTypeC7iMetal24xl is a InstanceType enum value
+	InstanceTypeC7iMetal24xl = "c7i.metal-24xl"
+
+	// InstanceTypeC7iMetal48xl is a InstanceType enum value
+	InstanceTypeC7iMetal48xl = "c7i.metal-48xl"
+
+	// InstanceTypeM7iMetal24xl is a InstanceType enum value
+	InstanceTypeM7iMetal24xl = "m7i.metal-24xl"
+
+	// InstanceTypeM7iMetal48xl is a InstanceType enum value
+	InstanceTypeM7iMetal48xl = "m7i.metal-48xl"
+
+	// InstanceTypeR7iMetal24xl is a InstanceType enum value
+	InstanceTypeR7iMetal24xl = "r7i.metal-24xl"
+
+	// InstanceTypeR7iMetal48xl is a InstanceType enum value
+	InstanceTypeR7iMetal48xl = "r7i.metal-48xl"
 )
 
 // InstanceType_Values returns all elements of the InstanceType enum
@@ -195115,6 +195151,15 @@ func InstanceType_Values() []string {
 		InstanceTypeR7i24xlarge,
 		InstanceTypeR7i48xlarge,
 		InstanceTypeDl2q24xlarge,
+		InstanceTypeMac2M2Metal,
+		InstanceTypeI4i12xlarge,
+		InstanceTypeI4i24xlarge,
+		InstanceTypeC7iMetal24xl,
+		InstanceTypeC7iMetal48xl,
+		InstanceTypeM7iMetal24xl,
+		InstanceTypeM7iMetal48xl,
+		InstanceTypeR7iMetal24xl,
+		InstanceTypeR7iMetal48xl,
 	}
 }
 

vendor/github.com/osbuild/images/internal/common/constants.go

@@ -11,6 +11,14 @@ const (
 	GibiByte = 1024 * 1024 * 1024        // GiB
 	TeraByte = 1000 * 1000 * 1000 * 1000 // TB
 	TebiByte = 1024 * 1024 * 1024 * 1024 // TiB
+
+	// shorthands
+	KiB = KibiByte
+	MB  = MegaByte
+	MiB = MebiByte
+	GB  = GigaByte
+	GiB = GibiByte
+	TiB = TebiByte
 )
 
 // These constants are set during buildtime using additional

vendor/github.com/osbuild/images/pkg/blueprint/customizations.go

@@ -45,8 +45,9 @@ type FDOCustomization struct {
 	DiunPubKeyInsecure     string `json:"diun_pub_key_insecure,omitempty" toml:"diun_pub_key_insecure,omitempty"`
 	// This is the output of:
 	// echo "sha256:$(openssl x509 -fingerprint -sha256 -noout -in diun_cert.pem | cut -d"=" -f2 | sed 's/://g')"
-	DiunPubKeyHash      string `json:"diun_pub_key_hash,omitempty" toml:"diun_pub_key_hash,omitempty"`
+	DiunPubKeyHash          string `json:"diun_pub_key_hash,omitempty" toml:"diun_pub_key_hash,omitempty"`
-	DiunPubKeyRootCerts string `json:"diun_pub_key_root_certs,omitempty" toml:"diun_pub_key_root_certs,omitempty"`
+	DiunPubKeyRootCerts     string `json:"diun_pub_key_root_certs,omitempty" toml:"diun_pub_key_root_certs,omitempty"`
+	DiMfgStringTypeMacIface string `json:"di_mfg_string_type_mac_iface,omitempty" toml:"di_mfg_string_type_mac_iface,omitempty"`
 }
 
 type KernelCustomization struct {

vendor/github.com/osbuild/images/pkg/blueprint/fsnode_customizations.go

@@ -11,8 +11,8 @@ import (
 	"strings"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/fsnode"
 	"github.com/osbuild/images/internal/pathpolicy"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
 )
 
 // validateModeString checks that the given string is a valid mode octal number

vendor/github.com/osbuild/images/pkg/blueprint/repository_customizations.go

@@ -7,23 +7,24 @@ import (
 	"strings"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/fsnode"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
 	"github.com/osbuild/images/pkg/rpmmd"
 )
 
 type RepositoryCustomization struct {
-	Id           string   `json:"id" toml:"id"`
+	Id             string   `json:"id" toml:"id"`
-	BaseURLs     []string `json:"baseurls,omitempty" toml:"baseurls,omitempty"`
+	BaseURLs       []string `json:"baseurls,omitempty" toml:"baseurls,omitempty"`
-	GPGKeys      []string `json:"gpgkeys,omitempty" toml:"gpgkeys,omitempty"`
+	GPGKeys        []string `json:"gpgkeys,omitempty" toml:"gpgkeys,omitempty"`
-	Metalink     string   `json:"metalink,omitempty" toml:"metalink,omitempty"`
+	Metalink       string   `json:"metalink,omitempty" toml:"metalink,omitempty"`
-	Mirrorlist   string   `json:"mirrorlist,omitempty" toml:"mirrorlist,omitempty"`
+	Mirrorlist     string   `json:"mirrorlist,omitempty" toml:"mirrorlist,omitempty"`
-	Name         string   `json:"name,omitempty" toml:"name,omitempty"`
+	Name           string   `json:"name,omitempty" toml:"name,omitempty"`
-	Priority     *int     `json:"priority,omitempty" toml:"priority,omitempty"`
+	Priority       *int     `json:"priority,omitempty" toml:"priority,omitempty"`
-	Enabled      *bool    `json:"enabled,omitempty" toml:"enabled,omitempty"`
+	Enabled        *bool    `json:"enabled,omitempty" toml:"enabled,omitempty"`
-	GPGCheck     *bool    `json:"gpgcheck,omitempty" toml:"gpgcheck,omitempty"`
+	GPGCheck       *bool    `json:"gpgcheck,omitempty" toml:"gpgcheck,omitempty"`
-	RepoGPGCheck *bool    `json:"repo_gpgcheck,omitempty" toml:"repo_gpgcheck,omitempty"`
+	RepoGPGCheck   *bool    `json:"repo_gpgcheck,omitempty" toml:"repo_gpgcheck,omitempty"`
-	SSLVerify    *bool    `json:"sslverify,omitempty" toml:"sslverify,omitempty"`
+	SSLVerify      *bool    `json:"sslverify,omitempty" toml:"sslverify,omitempty"`
-	Filename     string   `json:"filename,omitempty" toml:"filename,omitempty"`
+	ModuleHotfixes *bool    `json:"module_hotfixes,omitempty" toml:"module_hotfixes,omitempty"`
+	Filename       string   `json:"filename,omitempty" toml:"filename,omitempty"`
 }
 
 const repoFilenameRegex = "^[\\w.-]{1,250}\\.repo$"
@@ -117,16 +118,17 @@ func (repo RepositoryCustomization) customRepoToRepoConfig() rpmmd.RepoConfig {
 	copy(keys, repo.GPGKeys)
 
 	repoConfig := rpmmd.RepoConfig{
-		Id:           repo.Id,
+		Id:             repo.Id,
-		BaseURLs:     urls,
+		BaseURLs:       urls,
-		GPGKeys:      keys,
+		GPGKeys:        keys,
-		Name:         repo.Name,
+		Name:           repo.Name,
-		Metalink:     repo.Metalink,
+		Metalink:       repo.Metalink,
-		MirrorList:   repo.Mirrorlist,
+		MirrorList:     repo.Mirrorlist,
-		CheckGPG:     repo.GPGCheck,
+		CheckGPG:       repo.GPGCheck,
-		CheckRepoGPG: repo.RepoGPGCheck,
+		CheckRepoGPG:   repo.RepoGPGCheck,
-		Priority:     repo.Priority,
+		Priority:       repo.Priority,
-		Enabled:      repo.Enabled,
+		ModuleHotfixes: repo.ModuleHotfixes,
+		Enabled:        repo.Enabled,
 	}
 
 	if repo.SSLVerify != nil {

vendor/github.com/osbuild/images/pkg/customizations/fdo/fdo.go

@@ -3,10 +3,11 @@ package fdo
 import "github.com/osbuild/images/pkg/blueprint"
 
 type Options struct {
-	ManufacturingServerURL string
+	ManufacturingServerURL  string
-	DiunPubKeyInsecure     string
+	DiunPubKeyInsecure      string
-	DiunPubKeyHash         string
+	DiunPubKeyHash          string
-	DiunPubKeyRootCerts    string
+	DiunPubKeyRootCerts     string
+	DiMfgStringTypeMacIface string
 }
 
 func FromBP(bpFDO blueprint.FDOCustomization) *Options {

vendor/github.com/osbuild/images/pkg/customizations/oscap/oscap.go

@@ -5,7 +5,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/osbuild/images/internal/fsnode"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
 )
 
 type Profile string

vendor/github.com/osbuild/images/pkg/disk/luks.go

@@ -5,6 +5,8 @@ import (
 	"math/rand"
 
 	"github.com/google/uuid"
+
+	"github.com/osbuild/images/internal/common"
 )
 
 type Argon2id struct {
@@ -96,5 +98,5 @@ func (lc *LUKSContainer) MetadataSize() uint64 {
 	}
 
 	// 16 MiB is the default size for the LUKS2 header
-	return 16 * 1024 * 1024
+	return 16 * common.MiB
 }

vendor/github.com/osbuild/images/pkg/disk/lvm.go

@@ -138,7 +138,7 @@ func (vg *LVMVolumeGroup) MetadataSize() uint64 {
 	// of the metadata and its location and thus the start of the physical
 	// extent. For now we assume the default which results in a start of
 	// the physical extent 1 MiB
-	return 1024 * 1024
+	return 1 * common.MiB
 }
 
 type LVMLogicalVolume struct {

vendor/github.com/osbuild/images/pkg/disk/partition_table.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/google/uuid"
 
+	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/pkg/blueprint"
 )
 
@@ -630,7 +631,7 @@ func (pt *PartitionTable) ensureLVM() error {
 	// we need a /boot partition to boot LVM, ensure one exists
 	bootPath := entityPath(pt, "/boot")
 	if bootPath == nil {
-		_, err := pt.CreateMountpoint("/boot", 512*1024*1024)
+		_, err := pt.CreateMountpoint("/boot", 512*common.MiB)
 
 		if err != nil {
 			return err

vendor/github.com/osbuild/images/pkg/distro/fedora/distro.go

@@ -8,9 +8,9 @@ import (
 
 	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/internal/environment"
-	"github.com/osbuild/images/internal/fsnode"
-	"github.com/osbuild/images/internal/oscap"
 	"github.com/osbuild/images/pkg/arch"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
+	"github.com/osbuild/images/pkg/customizations/oscap"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/osbuild"
 	"github.com/osbuild/images/pkg/platform"
@@ -38,6 +38,9 @@ const (
 
 	// Added kernel command line options for ami, qcow2, openstack, vhd and vmdk types
 	cloudKernelOptions = "ro no_timer_check console=ttyS0,115200n8 biosdevname=0 net.ifnames=0"
+
+	// location for saving openscap remediation data
+	oscapDataDir = "/oscap_data"
 )
 
 var (

vendor/github.com/osbuild/images/pkg/distro/fedora/images.go

@@ -5,14 +5,14 @@ import (
 	"math/rand"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/fdo"
-	"github.com/osbuild/images/internal/fsnode"
-	"github.com/osbuild/images/internal/ignition"
-	"github.com/osbuild/images/internal/oscap"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/blueprint"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/fdo"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
+	"github.com/osbuild/images/pkg/customizations/ignition"
+	"github.com/osbuild/images/pkg/customizations/oscap"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/image"
 	"github.com/osbuild/images/pkg/manifest"
@@ -165,14 +165,25 @@ func osCustomizations(
 		if t.rpmOstree {
 			panic("unexpected oscap options for ostree image type")
 		}
+
+		// although the osbuild stage will create this directory,
+		// it's probably better to ensure that it is created here
+		dataDirNode, err := fsnode.NewDirectory(oscapDataDir, nil, nil, nil, true)
+		if err != nil {
+			panic("unexpected error creating OpenSCAP data directory")
+		}
+
+		osc.Directories = append(osc.Directories, dataDirNode)
+
 		var datastream = oscapConfig.DataStream
 		if datastream == "" {
 			datastream = oscap.DefaultFedoraDatastream()
 		}
 
 		oscapStageOptions := osbuild.OscapConfig{
-			Datastream: datastream,
+			Datastream:  datastream,
-			ProfileID:  oscapConfig.ProfileID,
+			ProfileID:   oscapConfig.ProfileID,
+			Compression: true,
 		}
 
 		if oscapConfig.Tailoring != nil {
@@ -182,14 +193,15 @@ func osCustomizations(
 			}
 
 			tailoringOptions := osbuild.OscapAutotailorConfig{
+				NewProfile: newProfile,
+				Datastream: datastream,
+				ProfileID:  oscapConfig.ProfileID,
 				Selected:   oscapConfig.Tailoring.Selected,
 				Unselected: oscapConfig.Tailoring.Unselected,
-				NewProfile: newProfile,
 			}
 
 			osc.OpenSCAPTailorConfig = osbuild.NewOscapAutotailorStageOptions(
 				tailoringFilepath,
-				oscapStageOptions,
 				tailoringOptions,
 			)
 
@@ -201,7 +213,7 @@ func osCustomizations(
 			osc.Directories = append(osc.Directories, tailoringDir)
 		}
 
-		osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapStageOptions)
+		osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapDataDir, oscapStageOptions)
 	}
 
 	osc.ShellInit = imageConfig.ShellInit

vendor/github.com/osbuild/images/pkg/distro/fedora/imagetype.go

@@ -7,11 +7,11 @@ import (
 
 	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/internal/environment"
-	"github.com/osbuild/images/internal/oscap"
 	"github.com/osbuild/images/internal/pathpolicy"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/blueprint"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/oscap"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/image"

vendor/github.com/osbuild/images/pkg/distro/image_config.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/osbuild/images/internal/fsnode"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
-	"github.com/osbuild/images/internal/shell"
+	"github.com/osbuild/images/pkg/customizations/shell"
 	"github.com/osbuild/images/pkg/osbuild"
 	"github.com/osbuild/images/pkg/subscription"
 )

vendor/github.com/osbuild/images/pkg/distro/rhel7/distro.go

@@ -22,6 +22,9 @@ const (
 
 	// blueprint package set name
 	blueprintPkgsKey = "blueprint"
+
+	// location for saving openscap remediation data
+	oscapDataDir = "/oscap_data"
 )
 
 // RHEL-based OS image configuration defaults

vendor/github.com/osbuild/images/pkg/distro/rhel7/images.go

@@ -5,11 +5,11 @@ import (
 	"math/rand"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/arch"
 	"github.com/osbuild/images/pkg/blueprint"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/image"
 	"github.com/osbuild/images/pkg/manifest"
@@ -131,9 +131,11 @@ func osCustomizations(
 
 	if oscapConfig := c.GetOpenSCAP(); oscapConfig != nil {
 		osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(
+			oscapDataDir,
 			osbuild.OscapConfig{
-				Datastream: oscapConfig.DataStream,
+				Datastream:  oscapConfig.DataStream,
-				ProfileID:  oscapConfig.ProfileID,
+				ProfileID:   oscapConfig.ProfileID,
+				Compression: true,
 			},
 		)
 	}

vendor/github.com/osbuild/images/pkg/distro/rhel8/azure.go

@@ -2,8 +2,8 @@ package rhel8
 
 import (
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/shell"
 	"github.com/osbuild/images/pkg/arch"
+	"github.com/osbuild/images/pkg/customizations/shell"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/osbuild"

vendor/github.com/osbuild/images/pkg/distro/rhel8/distro.go

@@ -7,8 +7,8 @@ import (
 	"strings"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/oscap"
 	"github.com/osbuild/images/pkg/arch"
+	"github.com/osbuild/images/pkg/customizations/oscap"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/osbuild"
 	"github.com/osbuild/images/pkg/platform"

vendor/github.com/osbuild/images/pkg/distro/rhel8/edge.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/fsnode"
 	"github.com/osbuild/images/pkg/arch"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/rpmmd"
 )

vendor/github.com/osbuild/images/pkg/distro/rhel8/images.go

@@ -4,15 +4,15 @@ import (
 	"fmt"
 	"math/rand"
 
-	"github.com/osbuild/images/internal/fdo"
-	"github.com/osbuild/images/internal/fsnode"
-	"github.com/osbuild/images/internal/ignition"
-	"github.com/osbuild/images/internal/oscap"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/arch"
 	"github.com/osbuild/images/pkg/blueprint"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/fdo"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
+	"github.com/osbuild/images/pkg/customizations/ignition"
+	"github.com/osbuild/images/pkg/customizations/oscap"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/image"
 	"github.com/osbuild/images/pkg/manifest"
@@ -186,14 +186,25 @@ func osCustomizations(
 		if t.rpmOstree {
 			panic("unexpected oscap options for ostree image type")
 		}
+
+		// although the osbuild stage will create this directory,
+		// it's probably better to ensure that it is created here
+		dataDirNode, err := fsnode.NewDirectory(oscapDataDir, nil, nil, nil, true)
+		if err != nil {
+			panic("unexpected error creating OpenSCAP data directory")
+		}
+
+		osc.Directories = append(osc.Directories, dataDirNode)
+
 		var datastream = oscapConfig.DataStream
 		if datastream == "" {
 			datastream = oscap.DefaultRHEL8Datastream(t.arch.distro.isRHEL())
 		}
 
 		oscapStageOptions := osbuild.OscapConfig{
-			Datastream: datastream,
+			Datastream:  datastream,
-			ProfileID:  oscapConfig.ProfileID,
+			ProfileID:   oscapConfig.ProfileID,
+			Compression: true,
 		}
 
 		if oscapConfig.Tailoring != nil {
@@ -203,14 +214,15 @@ func osCustomizations(
 			}
 
 			tailoringOptions := osbuild.OscapAutotailorConfig{
+				NewProfile: newProfile,
+				Datastream: datastream,
+				ProfileID:  oscapConfig.ProfileID,
 				Selected:   oscapConfig.Tailoring.Selected,
 				Unselected: oscapConfig.Tailoring.Unselected,
-				NewProfile: newProfile,
 			}
 
 			osc.OpenSCAPTailorConfig = osbuild.NewOscapAutotailorStageOptions(
 				tailoringFilepath,
-				oscapStageOptions,
 				tailoringOptions,
 			)
 
@@ -222,7 +234,7 @@ func osCustomizations(
 			osc.Directories = append(osc.Directories, tailoringDir)
 		}
 
-		osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapStageOptions)
+		osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapDataDir, oscapStageOptions)
 	}
 
 	osc.ShellInit = imageConfig.ShellInit

vendor/github.com/osbuild/images/pkg/distro/rhel8/imagetype.go

@@ -10,11 +10,11 @@ import (
 
 	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/internal/environment"
-	"github.com/osbuild/images/internal/oscap"
 	"github.com/osbuild/images/internal/pathpolicy"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/blueprint"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/oscap"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/image"
@@ -37,6 +37,9 @@ const (
 
 	// blueprint package set name
 	blueprintPkgsKey = "blueprint"
+
+	// location for saving openscap remediation data
+	oscapDataDir = "/oscap_data"
 )
 
 type imageFunc func(workload workload.Workload, t *imageType, customizations *blueprint.Customizations, options distro.ImageOptions, packageSets map[string]rpmmd.PackageSet, containers []container.SourceSpec, rng *rand.Rand) (image.ImageKind, error)

vendor/github.com/osbuild/images/pkg/distro/rhel9/distro.go

@@ -7,8 +7,8 @@ import (
 	"strings"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/oscap"
 	"github.com/osbuild/images/pkg/arch"
+	"github.com/osbuild/images/pkg/customizations/oscap"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/osbuild"
 	"github.com/osbuild/images/pkg/platform"

vendor/github.com/osbuild/images/pkg/distro/rhel9/edge.go

@@ -5,8 +5,8 @@ import (
 
 	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/internal/environment"
-	"github.com/osbuild/images/internal/fsnode"
 	"github.com/osbuild/images/pkg/arch"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/osbuild"
@@ -400,7 +400,7 @@ func edgeBasePartitionTables(t *imageType) (disk.PartitionTable, bool) {
 							Description: "built with lvm2 and osbuild",
 							LogicalVolumes: []disk.LVMLogicalVolume{
 								{
-									Size: 9 * 1024 * 1024 * 1024, // 9 GB
+									Size: 9 * common.GiB, // 9 GiB
 									Name: "rootlv",
 									Payload: &disk.Filesystem{
 										Type:         "xfs",
@@ -471,7 +471,7 @@ func edgeBasePartitionTables(t *imageType) (disk.PartitionTable, bool) {
 							Description: "built with lvm2 and osbuild",
 							LogicalVolumes: []disk.LVMLogicalVolume{
 								{
-									Size: 9 * 1024 * 1024 * 1024, // 9 GB
+									Size: 9 * common.GiB, // 9 GiB
 									Name: "rootlv",
 									Payload: &disk.Filesystem{
 										Type:         "xfs",

vendor/github.com/osbuild/images/pkg/distro/rhel9/images.go

@@ -5,14 +5,14 @@ import (
 	"math/rand"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/fdo"
-	"github.com/osbuild/images/internal/fsnode"
-	"github.com/osbuild/images/internal/ignition"
-	"github.com/osbuild/images/internal/oscap"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/blueprint"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/fdo"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
+	"github.com/osbuild/images/pkg/customizations/ignition"
+	"github.com/osbuild/images/pkg/customizations/oscap"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/image"
 	"github.com/osbuild/images/pkg/manifest"
@@ -183,14 +183,25 @@ func osCustomizations(
 		if t.rpmOstree {
 			panic("unexpected oscap options for ostree image type")
 		}
+
+		// although the osbuild stage will create this directory,
+		// it's probably better to ensure that it is created here
+		dataDirNode, err := fsnode.NewDirectory(oscapDataDir, nil, nil, nil, true)
+		if err != nil {
+			panic("unexpected error creating OpenSCAP data directory")
+		}
+
+		osc.Directories = append(osc.Directories, dataDirNode)
+
 		var datastream = oscapConfig.DataStream
 		if datastream == "" {
 			datastream = oscap.DefaultRHEL9Datastream(t.arch.distro.isRHEL())
 		}
 
 		oscapStageOptions := osbuild.OscapConfig{
-			Datastream: datastream,
+			Datastream:  datastream,
-			ProfileID:  oscapConfig.ProfileID,
+			ProfileID:   oscapConfig.ProfileID,
+			Compression: true,
 		}
 
 		if oscapConfig.Tailoring != nil {
@@ -200,14 +211,15 @@ func osCustomizations(
 			}
 
 			tailoringOptions := osbuild.OscapAutotailorConfig{
+				NewProfile: newProfile,
+				Datastream: datastream,
+				ProfileID:  oscapConfig.ProfileID,
 				Selected:   oscapConfig.Tailoring.Selected,
 				Unselected: oscapConfig.Tailoring.Unselected,
-				NewProfile: newProfile,
 			}
 
 			osc.OpenSCAPTailorConfig = osbuild.NewOscapAutotailorStageOptions(
 				tailoringFilepath,
-				oscapStageOptions,
 				tailoringOptions,
 			)
 
@@ -219,7 +231,7 @@ func osCustomizations(
 			osc.Directories = append(osc.Directories, tailoringDir)
 		}
 
-		osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapStageOptions)
+		osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapDataDir, oscapStageOptions)
 	}
 
 	osc.ShellInit = imageConfig.ShellInit

vendor/github.com/osbuild/images/pkg/distro/rhel9/imagetype.go

@@ -10,11 +10,11 @@ import (
 
 	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/internal/environment"
-	"github.com/osbuild/images/internal/oscap"
 	"github.com/osbuild/images/internal/pathpolicy"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/blueprint"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/oscap"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/distro"
 	"github.com/osbuild/images/pkg/image"
@@ -40,6 +40,9 @@ const (
 
 	// blueprint package set name
 	blueprintPkgsKey = "blueprint"
+
+	// location for saving openscap remediation data
+	oscapDataDir = "/oscap_data"
 )
 
 type imageFunc func(workload workload.Workload, t *imageType, customizations *blueprint.Customizations, options distro.ImageOptions, packageSets map[string]rpmmd.PackageSet, containers []container.SourceSpec, rng *rand.Rand) (image.ImageKind, error)

vendor/github.com/osbuild/images/pkg/image/anaconda_live_installer.go

@@ -46,7 +46,7 @@ func (img *AnacondaLiveInstaller) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifest.NewBuild(m, runner, repos, nil)
 	buildPipeline.Checkpoint()
 
 	livePipeline := manifest.NewAnacondaInstaller(m,

vendor/github.com/osbuild/images/pkg/image/anaconda_ostree_installer.go

@@ -5,9 +5,9 @@ import (
 	"math/rand"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/pkg/arch"
 	"github.com/osbuild/images/pkg/artifact"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/manifest"
 	"github.com/osbuild/images/pkg/ostree"
@@ -53,7 +53,7 @@ func (img *AnacondaOSTreeInstaller) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifest.NewBuild(m, runner, repos, nil)
 	buildPipeline.Checkpoint()
 
 	anacondaPipeline := manifest.NewAnacondaInstaller(m,

vendor/github.com/osbuild/images/pkg/image/anaconda_tar_installer.go

@@ -7,10 +7,10 @@ import (
 
 	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/internal/environment"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/arch"
 	"github.com/osbuild/images/pkg/artifact"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/manifest"
 	"github.com/osbuild/images/pkg/platform"
@@ -63,7 +63,7 @@ func (img *AnacondaTarInstaller) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifest.NewBuild(m, runner, repos, nil)
 	buildPipeline.Checkpoint()
 
 	anacondaPipeline := manifest.NewAnacondaInstaller(m,

vendor/github.com/osbuild/images/pkg/image/archive.go

@@ -31,7 +31,7 @@ func (img *Archive) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifest.NewBuild(m, runner, repos, nil)
 	buildPipeline.Checkpoint()
 
 	osPipeline := manifest.NewOS(m, buildPipeline, img.Platform, repos)

vendor/github.com/osbuild/images/pkg/image/container.go

@@ -31,7 +31,7 @@ func (img *BaseContainer) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifest.NewBuild(m, runner, repos, nil)
 	buildPipeline.Checkpoint()
 
 	osPipeline := manifest.NewOS(m, buildPipeline, img.Platform, repos)

vendor/github.com/osbuild/images/pkg/image/disk.go

@@ -49,7 +49,7 @@ func (img *DiskImage) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifest.NewBuild(m, runner, repos, nil)
 	buildPipeline.Checkpoint()
 
 	osPipeline := manifest.NewOS(m, buildPipeline, img.Platform, repos)

vendor/github.com/osbuild/images/pkg/image/ostree_archive.go

@@ -47,7 +47,7 @@ func (img *OSTreeArchive) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifest.NewBuild(m, runner, repos, nil)
 	buildPipeline.Checkpoint()
 
 	osPipeline := manifest.NewOS(m, buildPipeline, img.Platform, repos)

vendor/github.com/osbuild/images/pkg/image/ostree_container.go

@@ -44,7 +44,7 @@ func (img *OSTreeContainer) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifest.NewBuild(m, runner, repos, nil)
 	buildPipeline.Checkpoint()
 
 	osPipeline := manifest.NewOS(m, buildPipeline, img.Platform, repos)

vendor/github.com/osbuild/images/pkg/image/ostree_disk.go

@@ -4,11 +4,11 @@ import (
 	"fmt"
 	"math/rand"
 
-	"github.com/osbuild/images/internal/fsnode"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/artifact"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/manifest"
 	"github.com/osbuild/images/pkg/ostree"
@@ -53,6 +53,10 @@ type OSTreeDiskImage struct {
 	// Lock the root account in the deployment unless the user defined root
 	// user options in the build configuration.
 	LockRoot bool
+
+	// Container buildable tweaks the buildroot to be container friendly,
+	// i.e. to not rely on an installed osbuild-selinux
+	ContainerBuildable bool
 }
 
 func NewOSTreeDiskImageFromCommit(commit ostree.SourceSpec) *OSTreeDiskImage {
@@ -102,11 +106,14 @@ func baseRawOstreeImage(img *OSTreeDiskImage, m *manifest.Manifest, buildPipelin
 	return manifest.NewRawOStreeImage(buildPipeline, osPipeline, img.Platform)
 }
 
+// replaced in testing
+var manifestNewBuild = manifest.NewBuild
+
 func (img *OSTreeDiskImage) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifestNewBuild(m, runner, repos, &manifest.BuildOptions{ContainerBuildable: img.ContainerBuildable})
 	buildPipeline.Checkpoint()
 
 	// don't support compressing non-raw images

vendor/github.com/osbuild/images/pkg/image/ostree_simplified_installer.go

@@ -6,11 +6,11 @@ import (
 
 	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/internal/environment"
-	"github.com/osbuild/images/internal/fdo"
-	"github.com/osbuild/images/internal/ignition"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/arch"
 	"github.com/osbuild/images/pkg/artifact"
+	"github.com/osbuild/images/pkg/customizations/fdo"
+	"github.com/osbuild/images/pkg/customizations/ignition"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/manifest"
 	"github.com/osbuild/images/pkg/platform"
@@ -73,7 +73,7 @@ func (img *OSTreeSimplifiedInstaller) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifest.NewBuild(m, runner, repos, nil)
 	buildPipeline.Checkpoint()
 
 	imageFilename := "image.raw.xz"
@@ -127,6 +127,9 @@ func (img *OSTreeSimplifiedInstaller) InstantiateManifest(m *manifest.Manifest,
 		if img.FDO.DiunPubKeyRootCerts != "" {
 			kernelOpts = append(kernelOpts, "fdo.diun_pub_key_root_certs=/fdo_diun_pub_key_root_certs.pem")
 		}
+		if img.FDO.DiMfgStringTypeMacIface != "" {
+			kernelOpts = append(kernelOpts, "fdo.di_mfg_string_type_mac_iface="+img.FDO.DiMfgStringTypeMacIface)
+		}
 	}
 
 	bootTreePipeline.KernelOpts = kernelOpts

vendor/github.com/osbuild/images/pkg/manifest/anaconda_installer.go

@@ -4,10 +4,10 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/osbuild/images/internal/fsnode"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/pkg/arch"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/osbuild"
 	"github.com/osbuild/images/pkg/ostree"
 	"github.com/osbuild/images/pkg/platform"
@@ -309,14 +309,11 @@ func (p *AnacondaInstaller) serialize() osbuild.Pipeline {
 
 	if p.Type == AnacondaInstallerTypePayload {
 		if p.InteractiveDefaults != nil {
-			kickstartOptions, err := osbuild.NewKickstartStageOptions(
+			kickstartOptions, err := osbuild.NewKickstartStageOptionsWithLiveIMG(
 				"/usr/share/anaconda/interactive-defaults.ks",
-				p.InteractiveDefaults.TarPath,
 				p.Users,
 				p.Groups,
-				"",
+				p.InteractiveDefaults.TarPath,
-				"",
-				"",
 			)
 
 			if err != nil {

vendor/github.com/osbuild/images/pkg/manifest/anaconda_installer_iso_tree.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"path"
 
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/osbuild"
 	"github.com/osbuild/images/pkg/ostree"
@@ -272,7 +272,13 @@ func (p *AnacondaInstallerISOTree) serialize() osbuild.Pipeline {
 		))
 
 		// Configure the kickstart file with the payload and any user options
-		kickstartOptions, err := osbuild.NewKickstartStageOptions(p.KSPath, "", p.Users, p.Groups, makeISORootPath(p.PayloadPath), p.ostreeCommitSpec.Ref, p.OSName)
+		kickstartOptions, err := osbuild.NewKickstartStageOptionsWithOSTreeCommit(
+			p.KSPath,
+			p.Users,
+			p.Groups,
+			makeISORootPath(p.PayloadPath),
+			p.ostreeCommitSpec.Ref,
+			p.OSName)
 
 		if err != nil {
 			panic("failed to create kickstartstage options")
@@ -288,7 +294,12 @@ func (p *AnacondaInstallerISOTree) serialize() osbuild.Pipeline {
 		// If the KSPath is set, we need to add the kickstart stage to this (bootiso-tree) pipeline.
 		// If it's not specified here, it should have been added to the InteractiveDefaults in the anaconda-tree.
 		if p.KSPath != "" {
-			kickstartOptions, err := osbuild.NewKickstartStageOptions(p.KSPath, makeISORootPath(p.PayloadPath), p.Users, p.Groups, "", "", p.OSName)
+			kickstartOptions, err := osbuild.NewKickstartStageOptionsWithLiveIMG(
+				p.KSPath,
+				p.Users,
+				p.Groups,
+				makeISORootPath(p.PayloadPath))
+
 			if err != nil {
 				panic("failed to create kickstartstage options")
 			}

vendor/github.com/osbuild/images/pkg/manifest/build.go

@@ -22,17 +22,31 @@ type Build struct {
 	dependents   []Pipeline
 	repos        []rpmmd.RepoConfig
 	packageSpecs []rpmmd.PackageSpec
+
+	containerBuildable bool
+}
+
+type BuildOptions struct {
+	// ContainerBuildable tweaks the buildroot to be container friendly,
+	// i.e. to not rely on an installed osbuild-selinux
+	ContainerBuildable bool
 }
 
 // NewBuild creates a new build pipeline from the repositories in repos
 // and the specified packages.
-func NewBuild(m *Manifest, runner runner.Runner, repos []rpmmd.RepoConfig) *Build {
+func NewBuild(m *Manifest, runner runner.Runner, repos []rpmmd.RepoConfig, opts *BuildOptions) *Build {
+	if opts == nil {
+		opts = &BuildOptions{}
+	}
+
 	name := "build"
 	pipeline := &Build{
 		Base:       NewBase(m, name, nil),
 		runner:     runner,
 		dependents: make([]Pipeline, 0),
 		repos:      filterRepos(repos, name),
+
+		containerBuildable: opts.ContainerBuildable,
 	}
 	m.addPipeline(pipeline)
 	return pipeline
@@ -109,6 +123,10 @@ func (p *Build) getSELinuxLabels() map[string]string {
 		switch pkg.Name {
 		case "coreutils":
 			labels["/usr/bin/cp"] = "system_u:object_r:install_exec_t:s0"
+			if p.containerBuildable {
+				labels["/usr/bin/mount"] = "system_u:object_r:install_exec_t:s0"
+				labels["/usr/bin/umount"] = "system_u:object_r:install_exec_t:s0"
+			}
 		case "tar":
 			labels["/usr/bin/tar"] = "system_u:object_r:install_exec_t:s0"
 		}

vendor/github.com/osbuild/images/pkg/manifest/coi_iso_tree.go

@@ -4,7 +4,7 @@ import (
 	"crypto/sha256"
 	"fmt"
 
-	"github.com/osbuild/images/internal/users"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/osbuild"
 )

vendor/github.com/osbuild/images/pkg/manifest/coreos_installer.go

@@ -3,10 +3,10 @@ package manifest
 import (
 	"fmt"
 
-	"github.com/osbuild/images/internal/fdo"
-	"github.com/osbuild/images/internal/ignition"
 	"github.com/osbuild/images/pkg/arch"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/fdo"
+	"github.com/osbuild/images/pkg/customizations/ignition"
 	"github.com/osbuild/images/pkg/osbuild"
 	"github.com/osbuild/images/pkg/ostree"
 	"github.com/osbuild/images/pkg/platform"

vendor/github.com/osbuild/images/pkg/manifest/os.go

@@ -7,12 +7,12 @@ import (
 
 	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/internal/environment"
-	"github.com/osbuild/images/internal/fsnode"
-	"github.com/osbuild/images/internal/shell"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/internal/workload"
 	"github.com/osbuild/images/pkg/arch"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
+	"github.com/osbuild/images/pkg/customizations/shell"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/osbuild"
 	"github.com/osbuild/images/pkg/ostree"
@@ -220,7 +220,7 @@ func (p *OS) getPackageSetChain(Distro) []rpmmd.PackageSet {
 	}
 
 	if p.OpenSCAPConfig != nil {
-		packages = append(packages, "openscap-scanner", "scap-security-guide")
+		packages = append(packages, "openscap-scanner", "scap-security-guide", "xz")
 	}
 
 	// Make sure the right packages are included for subscriptions

vendor/github.com/osbuild/images/pkg/manifest/ostree_deployment.go

@@ -6,9 +6,9 @@ import (
 	"strings"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/fsnode"
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
+	"github.com/osbuild/images/pkg/customizations/users"
 	"github.com/osbuild/images/pkg/disk"
 	"github.com/osbuild/images/pkg/osbuild"
 	"github.com/osbuild/images/pkg/ostree"

vendor/github.com/osbuild/images/pkg/osbuild/fips.go

@@ -4,7 +4,7 @@ import (
 	"os"
 
 	"github.com/osbuild/images/internal/common"
-	"github.com/osbuild/images/internal/fsnode"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
 	"github.com/osbuild/images/pkg/disk"
 )
 

vendor/github.com/osbuild/images/pkg/osbuild/fsnode.go

@@ -4,7 +4,7 @@ import (
 	"crypto/sha256"
 	"fmt"
 
-	"github.com/osbuild/images/internal/fsnode"
+	"github.com/osbuild/images/pkg/customizations/fsnode"
 )
 
 // GenFileNodesStages generates the stages for a list of file nodes.

vendor/github.com/osbuild/images/pkg/osbuild/groups_stage.go

@@ -1,7 +1,7 @@
 package osbuild
 
 import (
-	"github.com/osbuild/images/internal/users"
+	"github.com/osbuild/images/pkg/customizations/users"
 )
 
 type GroupsStageOptions struct {

vendor/github.com/osbuild/images/pkg/osbuild/kickstart_stage.go

@@ -1,31 +1,40 @@
 package osbuild
 
-import "github.com/osbuild/images/internal/users"
+import "github.com/osbuild/images/pkg/customizations/users"
 
 type KickstartStageOptions struct {
 	// Where to place the kickstart file
 	Path string `json:"path"`
 
-	OSTree *OSTreeOptions `json:"ostree,omitempty"`
+	OSTreeCommit    *OSTreeCommitOptions    `json:"ostree,omitempty"`
+	OSTreeContainer *OSTreeContainerOptions `json:"ostreecontainer,omitempty"`
 
-	LiveIMG *LiveIMG `json:"liveimg,omitempty"`
+	LiveIMG *LiveIMGOptions `json:"liveimg,omitempty"`
 
 	Users map[string]UsersStageOptionsUser `json:"users,omitempty"`
 
 	Groups map[string]GroupsStageOptionsGroup `json:"groups,omitempty"`
 }
 
-type LiveIMG struct {
+type LiveIMGOptions struct {
 	URL string `json:"url"`
 }
 
-type OSTreeOptions struct {
+type OSTreeCommitOptions struct {
 	OSName string `json:"osname"`
 	URL    string `json:"url"`
 	Ref    string `json:"ref"`
 	GPG    bool   `json:"gpg"`
 }
 
+type OSTreeContainerOptions struct {
+	StateRoot             string `json:"stateroot"`
+	URL                   string `json:"url"`
+	Transport             string `json:"transport"`
+	Remote                string `json:"remote"`
+	SignatureVerification bool   `json:"signatureverification"`
+}
+
 func (KickstartStageOptions) isStageOptions() {}
 
 // Creates an Anaconda kickstart file
@@ -38,12 +47,8 @@ func NewKickstartStage(options *KickstartStageOptions) *Stage {
 
 func NewKickstartStageOptions(
 	path string,
-	imageURL string,
 	userCustomizations []users.User,
-	groupCustomizations []users.Group,
+	groupCustomizations []users.Group) (*KickstartStageOptions, error) {
-	ostreeURL string,
-	ostreeRef string,
-	osName string) (*KickstartStageOptions, error) {
 
 	var users map[string]UsersStageOptionsUser
 	if usersOptions, err := NewUsersStageOptions(userCustomizations, false); err != nil {
@@ -57,27 +62,91 @@ func NewKickstartStageOptions(
 		groups = groupsOptions.Groups
 	}
 
-	var ostreeOptions *OSTreeOptions
+	return &KickstartStageOptions{
+		Path:         path,
+		OSTreeCommit: nil,
+		LiveIMG:      nil,
+		Users:        users,
+		Groups:       groups,
+	}, nil
+}
+
+func NewKickstartStageOptionsWithOSTreeCommit(
+	path string,
+	userCustomizations []users.User,
+	groupCustomizations []users.Group,
+	ostreeURL string,
+	ostreeRef string,
+	osName string) (*KickstartStageOptions, error) {
+
+	options, err := NewKickstartStageOptions(path, userCustomizations, groupCustomizations)
+
+	if err != nil {
+		return nil, err
+	}
+
 	if ostreeURL != "" {
-		ostreeOptions = &OSTreeOptions{
+		ostreeCommitOptions := &OSTreeCommitOptions{
 			OSName: osName,
 			URL:    ostreeURL,
 			Ref:    ostreeRef,
 			GPG:    false,
 		}
+
+		options.OSTreeCommit = ostreeCommitOptions
+	}
+
+	return options, nil
+}
+
+func NewKickstartStageOptionsWithOSTreeContainer(
+	path string,
+	userCustomizations []users.User,
+	groupCustomizations []users.Group,
+	containerURL string,
+	containerTransport string,
+	containerRemote string,
+	containerStateRoot string) (*KickstartStageOptions, error) {
+
+	options, err := NewKickstartStageOptions(path, userCustomizations, groupCustomizations)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if containerURL != "" {
+		ostreeContainerOptions := &OSTreeContainerOptions{
+			StateRoot:             containerStateRoot,
+			URL:                   containerURL,
+			Remote:                containerRemote,
+			Transport:             containerTransport,
+			SignatureVerification: false,
+		}
+
+		options.OSTreeContainer = ostreeContainerOptions
+	}
+
+	return options, nil
+}
+
+func NewKickstartStageOptionsWithLiveIMG(
+	path string,
+	userCustomizations []users.User,
+	groupCustomizations []users.Group,
+	imageURL string) (*KickstartStageOptions, error) {
+
+	options, err := NewKickstartStageOptions(path, userCustomizations, groupCustomizations)
+
+	if err != nil {
+		return nil, err
 	}
 
-	var liveImg *LiveIMG
 	if imageURL != "" {
-		liveImg = &LiveIMG{
+		liveImg := &LiveIMGOptions{
 			URL: imageURL,
 		}
+		options.LiveIMG = liveImg
 	}
-	return &KickstartStageOptions{
+
-		Path:    path,
+	return options, nil
-		OSTree:  ostreeOptions,
-		LiveIMG: liveImg,
-		Users:   users,
-		Groups:  groups,
-	}, nil
 }

vendor/github.com/osbuild/images/pkg/osbuild/oscap_autotailor_stage.go

@@ -6,9 +6,11 @@ type OscapAutotailorStageOptions struct {
 	Filepath string                `json:"filepath"`
 	Config   OscapAutotailorConfig `json:"config"`
 }
+
 type OscapAutotailorConfig struct {
-	OscapConfig
 	NewProfile string   `json:"new_profile"`
+	Datastream string   `json:"datastream" toml:"datastream"`
+	ProfileID  string   `json:"profile_id" toml:"profile_id"`
 	Selected   []string `json:"selected,omitempty"`
 	Unselected []string `json:"unselected,omitempty"`
 }
@@ -16,11 +18,16 @@ type OscapAutotailorConfig struct {
 func (OscapAutotailorStageOptions) isStageOptions() {}
 
 func (c OscapAutotailorConfig) validate() error {
+	if c.Datastream == "" {
+		return fmt.Errorf("'datastream' must be specified")
+	}
+	if c.ProfileID == "" {
+		return fmt.Errorf("'profile_id' must be specified")
+	}
 	if c.NewProfile == "" {
 		return fmt.Errorf("'new_profile' must be specified")
 	}
-	// reuse the oscap validation
+	return nil
-	return c.OscapConfig.validate()
 }
 
 func NewOscapAutotailorStage(options *OscapAutotailorStageOptions) *Stage {
@@ -34,14 +41,15 @@ func NewOscapAutotailorStage(options *OscapAutotailorStageOptions) *Stage {
 	}
 }
 
-func NewOscapAutotailorStageOptions(filepath string, oscapOptions OscapConfig, autotailorOptions OscapAutotailorConfig) *OscapAutotailorStageOptions {
+func NewOscapAutotailorStageOptions(filepath string, autotailorOptions OscapAutotailorConfig) *OscapAutotailorStageOptions {
 	return &OscapAutotailorStageOptions{
 		Filepath: filepath,
 		Config: OscapAutotailorConfig{
-			OscapConfig: oscapOptions,
+			NewProfile: autotailorOptions.NewProfile,
-			NewProfile:  autotailorOptions.NewProfile,
+			Datastream: autotailorOptions.Datastream,
-			Selected:    autotailorOptions.Selected,
+			ProfileID:  autotailorOptions.ProfileID,
-			Unselected:  autotailorOptions.Unselected,
+			Selected:   autotailorOptions.Selected,
+			Unselected: autotailorOptions.Unselected,
 		},
 	}
 }

vendor/github.com/osbuild/images/pkg/osbuild/oscap_remediation_stage.go

@@ -15,6 +15,7 @@ type OscapRemediationStageOptions struct {
 	DataDir string      `json:"data_dir,omitempty"`
 	Config  OscapConfig `json:"config"`
 }
+
 type OscapConfig struct {
 	Datastream   string              `json:"datastream" toml:"datastream"`
 	ProfileID    string              `json:"profile_id" toml:"profile_id"`
@@ -23,10 +24,11 @@ type OscapConfig struct {
 	BenchmarkID  string              `json:"benchmark_id,omitempty" toml:"benchmark_id,omitempty"`
 	Tailoring    string              `json:"tailoring,omitempty" toml:"tailoring,omitempty"`
 	TailoringID  string              `json:"tailoring_id,omitempty" toml:"tailoring_id,omitempty"`
-	ArfResult    string              `json:"arf_result,omitempty" toml:"arf_result,omitempty"`
+	ArfResult    string              `json:"arf_results,omitempty" toml:"arf_results,omitempty"`
 	HtmlReport   string              `json:"html_report,omitempty" toml:"html_report,omitempty"`
 	VerboseLog   string              `json:"verbose_log,omitempty" toml:"verbose_log,omitempty"`
 	VerboseLevel OscapVerbosityLevel `json:"verbose_level,omitempty" toml:"verbose_level,omitempty"`
+	Compression  bool                `json:"compress_results,omitempty" toml:"compress_results,omitempty"`
 }
 
 func (OscapRemediationStageOptions) isStageOptions() {}
@@ -70,8 +72,9 @@ func NewOscapRemediationStage(options *OscapRemediationStageOptions) *Stage {
 	}
 }
 
-func NewOscapRemediationStageOptions(options OscapConfig) *OscapRemediationStageOptions {
+func NewOscapRemediationStageOptions(dataDir string, options OscapConfig) *OscapRemediationStageOptions {
 	return &OscapRemediationStageOptions{
+		DataDir: dataDir,
 		Config: OscapConfig{
 			ProfileID:    options.ProfileID,
 			Datastream:   options.Datastream,
@@ -83,6 +86,7 @@ func NewOscapRemediationStageOptions(options OscapConfig) *OscapRemediationStage
 			HtmlReport:   options.HtmlReport,
 			VerboseLog:   options.VerboseLog,
 			VerboseLevel: options.VerboseLevel,
+			Compression:  options.Compression,
 		},
 	}
 }

vendor/github.com/osbuild/images/pkg/osbuild/shell_init_stage.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"regexp"
 
-	"github.com/osbuild/images/internal/shell"
+	"github.com/osbuild/images/pkg/customizations/shell"
 )
 
 const filenameRegex = "^[a-zA-Z0-9\\.\\-_]{1,250}$"

vendor/github.com/osbuild/images/pkg/osbuild/skopeo_source.go

@@ -39,13 +39,12 @@ func NewSkopeoSourceItem(name, digest string, tlsVerify *bool) SkopeoSourceItem
 }
 
 func (item SkopeoSourceItem) validate() error {
-
 	if item.Image.Name == "" {
-		return fmt.Errorf("source item has empty name")
+		return fmt.Errorf("source item %#v has empty name", item)
 	}
 
 	if !skopeoDigestPattern.MatchString(item.Image.Digest) {
-		return fmt.Errorf("source item has invalid digest")
+		return fmt.Errorf("source item %#v has invalid digest", item)
 	}
 
 	return nil
@@ -63,7 +62,7 @@ func NewSkopeoSource() *SkopeoSource {
 func (source *SkopeoSource) AddItem(name, digest, image string, tlsVerify *bool) {
 	item := NewSkopeoSourceItem(name, digest, tlsVerify)
 	if !skopeoDigestPattern.MatchString(image) {
-		panic("item has invalid image id")
+		panic(fmt.Errorf("item %#v has invalid image id", image))
 	}
 	source.Items[image] = item
 }

vendor/github.com/osbuild/images/pkg/osbuild/users_stage.go

@@ -1,8 +1,8 @@
 package osbuild
 
 import (
-	"github.com/osbuild/images/internal/users"
 	"github.com/osbuild/images/pkg/crypt"
+	"github.com/osbuild/images/pkg/customizations/users"
 )
 
 type UsersStageOptions struct {

vendor/github.com/osbuild/images/pkg/osbuild/yum_repos_stage.go

@@ -99,17 +99,18 @@ func repoConfigToYumRepository(repo rpmmd.RepoConfig) YumRepository {
 	}
 
 	yumRepo := YumRepository{
-		Id:           repo.Id,
+		Id:             repo.Id,
-		Name:         repo.Name,
+		Name:           repo.Name,
-		Mirrorlist:   repo.MirrorList,
+		Mirrorlist:     repo.MirrorList,
-		Metalink:     repo.Metalink,
+		Metalink:       repo.Metalink,
-		BaseURLs:     urls,
+		BaseURLs:       urls,
-		GPGKey:       keys,
+		GPGKey:         keys,
-		GPGCheck:     repo.CheckGPG,
+		GPGCheck:       repo.CheckGPG,
-		RepoGPGCheck: repo.CheckRepoGPG,
+		RepoGPGCheck:   repo.CheckRepoGPG,
-		Enabled:      repo.Enabled,
+		Enabled:        repo.Enabled,
-		Priority:     repo.Priority,
+		Priority:       repo.Priority,
-		SSLVerify:    sslVerify,
+		SSLVerify:      sslVerify,
+		ModuleHotfixes: repo.ModuleHotfixes,
 	}
 
 	return yumRepo

vendor/github.com/osbuild/images/pkg/rpmmd/repository.go

@@ -23,6 +23,7 @@ type repository struct {
 	CheckGPG       bool     `json:"check_gpg,omitempty"`
 	IgnoreSSL      bool     `json:"ignore_ssl,omitempty"`
 	RHSM           bool     `json:"rhsm,omitempty"`
+	ModuleHotfixes *bool    `json:"module_hotfixes,omitempty"`
 	MetadataExpire string   `json:"metadata_expire,omitempty"`
 	ImageTypeTags  []string `json:"image_type_tags,omitempty"`
 }
@@ -42,6 +43,7 @@ type RepoConfig struct {
 	Priority       *int     `json:"priority,omitempty"`
 	IgnoreSSL      *bool    `json:"ignore_ssl,omitempty"`
 	MetadataExpire string   `json:"metadata_expire,omitempty"`
+	ModuleHotfixes *bool    `json:"module_hotfixes,omitempty"`
 	RHSM           bool     `json:"rhsm,omitempty"`
 	Enabled        *bool    `json:"enabled,omitempty"`
 	ImageTypeTags  []string `json:"image_type_tags,omitempty"`
@@ -58,6 +60,12 @@ func (r *RepoConfig) Hash() string {
 	bpts := func(b *bool) string {
 		return fmt.Sprintf("%T", b)
 	}
+	bptsIgnoreNil := func(b *bool) string {
+		if b == nil {
+			return ""
+		}
+		return bts(*b)
+	}
 	ats := func(s []string) string {
 		return strings.Join(s, "")
 	}
@@ -69,7 +77,8 @@ func (r *RepoConfig) Hash() string {
 		bpts(r.CheckRepoGPG)+
 		bpts(r.IgnoreSSL)+
 		r.MetadataExpire+
-		bts(r.RHSM))))
+		bts(r.RHSM)+
+		bptsIgnoreNil(r.ModuleHotfixes))))
 }
 
 type DistrosRepoConfigs map[string]map[string][]RepoConfig
@@ -245,6 +254,7 @@ func loadRepositoriesFromFile(filename string) (map[string][]RepoConfig, error)
 				CheckGPG:       &repo.CheckGPG,
 				RHSM:           repo.RHSM,
 				MetadataExpire: repo.MetadataExpire,
+				ModuleHotfixes: repo.ModuleHotfixes,
 				ImageTypeTags:  repo.ImageTypeTags,
 			}
 

vendor/modules.txt

@@ -119,7 +119,7 @@ github.com/acarl005/stripansi
 # github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
 ## explicit; go 1.13
 github.com/asaskevich/govalidator
-# github.com/aws/aws-sdk-go v1.48.13
+# github.com/aws/aws-sdk-go v1.49.0
 ## explicit; go 1.19
 github.com/aws/aws-sdk-go/aws
 github.com/aws/aws-sdk-go/aws/arn
@@ -190,7 +190,7 @@ github.com/cenkalti/backoff/v4
 # github.com/cespare/xxhash/v2 v2.2.0
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
-# github.com/containers/common v0.57.0
+# github.com/containers/common v0.57.1
 ## explicit; go 1.18
 github.com/containers/common/pkg/retry
 # github.com/containers/image/v5 v5.29.0
@@ -656,23 +656,23 @@ github.com/oracle/oci-go-sdk/v54/identity
 github.com/oracle/oci-go-sdk/v54/objectstorage
 github.com/oracle/oci-go-sdk/v54/objectstorage/transfer
 github.com/oracle/oci-go-sdk/v54/workrequests
-# github.com/osbuild/images v0.21.0
+# github.com/osbuild/images v0.24.0
 ## explicit; go 1.19
 github.com/osbuild/images/internal/common
 github.com/osbuild/images/internal/environment
-github.com/osbuild/images/internal/fdo
-github.com/osbuild/images/internal/fsnode
-github.com/osbuild/images/internal/ignition
-github.com/osbuild/images/internal/oscap
 github.com/osbuild/images/internal/pathpolicy
-github.com/osbuild/images/internal/shell
-github.com/osbuild/images/internal/users
 github.com/osbuild/images/internal/workload
 github.com/osbuild/images/pkg/arch
 github.com/osbuild/images/pkg/artifact
 github.com/osbuild/images/pkg/blueprint
 github.com/osbuild/images/pkg/container
 github.com/osbuild/images/pkg/crypt
+github.com/osbuild/images/pkg/customizations/fdo
+github.com/osbuild/images/pkg/customizations/fsnode
+github.com/osbuild/images/pkg/customizations/ignition
+github.com/osbuild/images/pkg/customizations/oscap
+github.com/osbuild/images/pkg/customizations/shell
+github.com/osbuild/images/pkg/customizations/users
 github.com/osbuild/images/pkg/disk
 github.com/osbuild/images/pkg/distro
 github.com/osbuild/images/pkg/distro/fedora