Inherit from fedora-bootc's tier-x on Fedora 42+

[jlebon]

There is a new tier-x in the fedora-bootc project whose goal is to provide a common base that all variants (including tier-1) can share.

Move FCOS over to use this new tier, but only starting from Fedora 42.

This is a profound change and the start of an exciting new future! This formalizes our relationship to other image-mode variants, encouraging us to innovate and solve problems together in a more direct way.

Put more practically, e.g. bug fixes, new features, or temporary workarounds that concern all/most tier-x derivatives should probably be carried out at the tier-x level rather than the CoreOS level.

Eventually, this inheritance will be made even more explicit by having FCOS be built FROM the tier-x image. For now, we share at the manifest level, which is a stepping stone towards that goal.

Patches to actually dedupe our manifests with tier-x will follow. Though note there is no change in the resulting package set here.

[jlebon]

Targeting rawhide for now to exercise it in CI. Will retarget testing-devel once this is ready to go.

Other outstanding items:

• [x] verify configbot handling of git submodules
• [x] prepare openshift/os changes in advance

[jlebon]

Some diff stats:

testing-devel

• No package diff
• No initramfs diff
• OSTree diff:

  $ ostree diff 40.20240922.dev.0 40.20240922.dev.1
  M    /usr/etc/pki/ca-trust/extracted/java/cacerts
  M    /usr/lib/os-release
  M    /usr/lib/modules/6.10.10-200.fc40.x86_64/initramfs.img
  M    /usr/lib/sysimage/rpm-ostree-base-db/rpmdb.sqlite
  M    /usr/share/rpm/rpmdb.sqlite
  M    /usr/share/rpm-ostree/treefile.json
  A    /usr/bin/systemd-firstboot
  A    /usr/lib/.build-id/07/052139ba8f88405bf6bef78a8f51b67894a761
  A    /usr/lib/systemd/system/systemd-firstboot.service

  These are all expected. See related commit for the systemd-firstboot-related one. The others churn naturally.

rawhide

• No package diff

• Initramfs diff

  -rw-r--r--   1 root     root           27 Dec 31  1969 usr/lib/ostree/prepare-root.conf
  -rw-r--r--   1 root     root           52 Dec 31  1969 usr/lib/ostree/prepare-root.conf

  This is from prepare-root.conf now also including the sysroot.readonly, which should also squash this warning from ostree-prepare-root:

  ostree-prepare-root[1319]: Found legacy sysroot.readonly flag, not configured in ostree/prepare-root.conf

  (Compare what we ship to what's in tier-0.)

• OSTree diff:

  $ ostree diff 42.20240922.dev.0 42.20240922.dev.1
  M    /usr/etc/pki/ca-trust/extracted/java/cacerts
  M    /usr/lib/os-release
  M    /usr/lib/modules/6.12.0-0.rc0.20240920gitbaeb9a7d8b60.7.fc42.x86_64/initramfs.img
  M    /usr/lib/ostree/prepare-root.conf
  M    /usr/lib/sysimage/rpm-ostree-base-db/rpmdb.sqlite
  M    /usr/lib/tmpfiles.d/provision.conf
  M    /usr/share/rpm/rpmdb.sqlite
  M    /usr/share/rpm-ostree/treefile.json
  A    /usr/bin/systemd-firstboot
  A    /usr/lib/.build-id/df/db1101b9d05b622ff69b938d29783028f69ad5
  A    /usr/lib/dracut/dracut.conf.d/20-bootc-base.conf
  A    /usr/lib/dracut/dracut.conf.d/22-bootc-generic.conf
  A    /usr/lib/dracut/dracut.conf.d/49-bootc-tpm2-tss.conf
  A    /usr/lib/dracut/dracut.conf.d/59-altfiles.conf
  A    /usr/lib/systemd/system/systemd-firstboot.service

  These are all expected. See related commit for the systemd-firstboot-related one. The dracut dropins are redundant with our current settings, so no change there. The prepare-root.conf change is explained above. The others churn naturally.

[jlebon]

Huh, looks like the submodule isn't getting initialized in CI. Investigating. Edit: https://github.com/coreos/coreos-ci-lib/pull/160

[cgwalters]

Sounds like this one isn't blocked, just needs a rebase and socializing?

[jlebon]

This was unblocked by https://gitlab.com/fedora/bootc/base-images/-/merge_requests/63. I'm planning to get back to it soon.

[jlebon]

Rebased this now that https://gitlab.com/fedora/bootc/tracker/-/issues/39 is resolved and updated for comments!

Also started tracking some of the outstanding items in https://github.com/coreos/fedora-coreos-config/pull/3177#issuecomment-2369125628.

[jlebon]

OK, this is ready now! Confirmed that config-bot can handle git submodules fine. Also got the openshift/os changes ready to go, but it'll need to be bundled with the f-c-c submodule bump that brings this change in. For reference, the change is just:

diff --git a/common.yaml b/common.yaml
index d9c9c3f..6df06c8 100644
--- a/common.yaml
+++ b/common.yaml
@@ -7,7 +7,7 @@ include:
   - fedora-coreos-config/manifests/networking-tools.yaml
   - fedora-coreos-config/manifests/user-experience.yaml
   - fedora-coreos-config/manifests/shared-workarounds.yaml
-  - fedora-coreos-config/manifests/bootupd.yaml
+  - fedora-coreos-config/manifests/tier-x.yaml
   # RHCOS owned packages
   - packages-rhcos.yaml

@@ -51,6 +51,9 @@ conditional-include:

 documentation: false

+# historical default
+recommends: true
+
 postprocess:
   # Mark the OS as of the CoreOS variant.
   # XXX: should be part of a centos/redhat-release subpackage instead

CI green against rawhide. Changed target branch to testing-devel.

[jlebon]

On the RHCOS side, we should wait until 4.18 branches at this point to roll this out, not only to recude risk, but also because it brings in composefs, which is targeted for 4.19.

[jlebon]

Did a final sanity-check of the f41 diff:

diff --git a/41.20241118.dev.1/usr/bin/systemd-firstboot b/41.20241118.dev.1/usr/bin/systemd-firstboot
new file mode 100755
index 0000000..685fba0
Binary files /dev/null and b/41.20241118.dev.1/usr/bin/systemd-firstboot differ
diff --git a/41.20241118.dev.0/usr/etc/pki/ca-trust/extracted/java/cacerts b/41.20241118.dev.1/usr/etc/pki/ca-trust/extracted/java/cacerts
index ee9ab18..50e8ac1 100644
Binary files a/41.20241118.dev.0/usr/etc/pki/ca-trust/extracted/java/cacerts and b/41.20241118.dev.1/usr/etc/pki/ca-trust/extracted/java/cacerts differ
diff --git a/41.20241118.dev.1/usr/lib/.build-id/e7/95e9082536fa7561c41a4e02fd761dd69d91af b/41.20241118.dev.1/usr/lib/.build-id/e7/95e9082536fa7561c41a4e02fd761dd69d91af
new file mode 120000
index 0000000..c52f669
--- /dev/null
+++ b/41.20241118.dev.1/usr/lib/.build-id/e7/95e9082536fa7561c41a4e02fd761dd69d91af
@@ -0,0 +1 @@
+../../../../usr/bin/systemd-firstboot
\ No newline at end of file
diff --git a/41.20241118.dev.0/usr/lib/modules/6.11.7-300.fc41.x86_64/initramfs.img b/41.20241118.dev.1/usr/lib/modules/6.11.7-300.fc41.x86_64/initramfs.img
index 95e53d8..df219d7 100644
Binary files a/41.20241118.dev.0/usr/lib/modules/6.11.7-300.fc41.x86_64/initramfs.img and b/41.20241118.dev.1/usr/lib/modules/6.11.7-300.fc41.x86_64/initramfs.img differ
diff --git a/41.20241118.dev.0/usr/lib/os-release b/41.20241118.dev.1/usr/lib/os-release
index c6d5e2c..1606c54 100644
--- a/41.20241118.dev.0/usr/lib/os-release
+++ b/41.20241118.dev.1/usr/lib/os-release
@@ -1,11 +1,11 @@
 NAME="Fedora Linux"
-VERSION="41.20241118.dev.0 (CoreOS)"
+VERSION="41.20241118.dev.1 (CoreOS)"
 RELEASE_TYPE=stable
 ID=fedora
 VERSION_ID=41
 VERSION_CODENAME=""
 PLATFORM_ID="platform:f41"
-PRETTY_NAME="Fedora CoreOS 41.20241118.dev.0"
+PRETTY_NAME="Fedora CoreOS 41.20241118.dev.1"
 ANSI_COLOR="0;38;2;60;110;180"
 LOGO=fedora-logo-icon
 CPE_NAME="cpe:/o:fedoraproject:fedora:41"
@@ -20,4 +20,4 @@ REDHAT_SUPPORT_PRODUCT_VERSION=41
 SUPPORT_END=2025-12-15
 VARIANT="CoreOS"
 VARIANT_ID=coreos
-OSTREE_VERSION='41.20241118.dev.0'
+OSTREE_VERSION='41.20241118.dev.1'
diff --git a/41.20241118.dev.0/usr/lib/sysimage/rpm-ostree-base-db/rpmdb.sqlite b/41.20241118.dev.1/usr/lib/sysimage/rpm-ostree-base-db/rpmdb.sqlite
index a3a8689..dcfc2f7 100644
Binary files a/41.20241118.dev.0/usr/lib/sysimage/rpm-ostree-base-db/rpmdb.sqlite and b/41.20241118.dev.1/usr/lib/sysimage/rpm-ostree-base-db/rpmdb.sqlite differ
diff --git a/41.20241118.dev.1/usr/lib/systemd/system/systemd-firstboot.service b/41.20241118.dev.1/usr/lib/systemd/system/systemd-firstboot.service
new file mode 100644
index 0000000..78a4087
--- /dev/null
+++ b/41.20241118.dev.1/usr/lib/systemd/system/systemd-firstboot.service
@@ -0,0 +1,45 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=First Boot Wizard
+Documentation=man:systemd-firstboot(1)
+
+ConditionPathIsReadWrite=/etc
+ConditionFirstBoot=yes
+
+DefaultDependencies=no
+# This service may need to write to the file system:
+After=systemd-remount-fs.service
+# Both systemd-sysusers and systemd-tmpfiles may create the root account
+# (via factory files or credentials), obviating the need for us to do that:
+After=systemd-sysusers.service systemd-tmpfiles-setup.service
+# Let vconsole-setup do its setup before starting user interaction:
+After=systemd-vconsole-setup.service
+
+Wants=first-boot-complete.target
+Before=first-boot-complete.target sysinit.target
+Conflicts=shutdown.target
+Before=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=systemd-firstboot --prompt-locale --prompt-timezone --prompt-root-password
+StandardOutput=tty
+StandardInput=tty
+StandardError=tty
+
+# Optionally, pick up basic fields from credentials passed to the service
+# manager. This is useful for importing this data from nspawn's
+# --set-credential= switch.
+ImportCredential=passwd.hashed-password.root
+ImportCredential=passwd.plaintext-password.root
+ImportCredential=passwd.shell.root
+ImportCredential=firstboot.*
diff --git a/41.20241118.dev.0/usr/share/rpm/rpmdb.sqlite b/41.20241118.dev.1/usr/share/rpm/rpmdb.sqlite
index a3a8689..dcfc2f7 100644
Binary files a/41.20241118.dev.0/usr/share/rpm/rpmdb.sqlite and b/41.20241118.dev.1/usr/share/rpm/rpmdb.sqlite differ
diff --git a/41.20241118.dev.0/usr/share/rpm-ostree/treefile.json b/41.20241118.dev.1/usr/share/rpm-ostree/treefile.json
index 81cfe0b..9fd2a96 100644
--- a/41.20241118.dev.0/usr/share/rpm-ostree/treefile.json
+++ b/41.20241118.dev.1/usr/share/rpm-ostree/treefile.json
@@ -246,8 +246,6 @@
     ],
     [
       "systemd",
-      "/usr/bin/systemd-firstboot",
-      "/usr/lib/systemd/system/systemd-firstboot.service",
       "/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service"
     ],
     [

So basically, the main difference is that systemd-firstboot is no longer nuked (but again, it's still disabled).

[travier]

Hum, RHCOS failed on the booupd metadata generation: https://github.com/openshift/os/pull/1644#issuecomment-2485789472

Not completely sure if it's related to this one yet.