Merge pull request #411 from mtrmac/podman-sequoia

WIP: Install podman-sequoia in rawhide images
Install podman-sequoia in rawhide images
2025-08-19 20:31:41 +02:00 · 2025-08-12 19:33:06 +02:00 · 2025-07-30 20:55:44 +02:00 · 2025-07-23 19:08:48 +02:00 · 2025-07-21 14:11:23 -04:00 · 2025-07-01 10:14:23 +02:00
79 changed files with 1803 additions and 1623 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -10,7 +10,10 @@ env:
    CIRRUS_CLONE_DEPTH: 50
    # Version of packer to use when building images
    PACKER_VERSION: &PACKER_VERSION "1.8.3"
    # Registry/namespace prefix where container images live
    REGPFX: "quay.io/libpod"
    #IMG_SFX = <See IMG_SFX file and .cirrus.star script>
    #IMPORT_IMG_SFX = <See IMPORT_IMG_SFX file and .cirrus.star script>
 gcp_credentials: ENCRYPTED[823fdbc2fee3c27fa054ba1e9cfca084829b5e71572f1703a28e0746b1a924ee5860193f931adce197d40bf89e7027fe]
@ -44,7 +47,7 @@ image_builder_task:
    # Packer needs time to clean up partially created VM images
    auto_cancellation: $CI != "true"
    stateful: true
-    timeout_in: 40m
+    timeout_in: 50m
    container:
        dockerfile: "image_builder/Containerfile"
        cpu: 2
@ -68,7 +71,7 @@ container_images_task: &container_images
    skip: *ci_docs_tooling
    depends_on:
        - image_builder
-    timeout_in: 30m
+    timeout_in: &cntr_timeout 40m
    gce_instance: &ibi_vm
        image_project: "libpod-218412"
        # Trust whatever was built most recently is functional
@ -80,7 +83,7 @@ container_images_task: &container_images
          env:
            TARGET_NAME: 'fedora_podman'
            # Add a 'c' to the tag for consistency with VM Image names
-            DEST_FQIN: &fqin 'quay.io/libpod/${TARGET_NAME}:c$IMG_SFX'
+            DEST_FQIN: &fqin '${REGPFX}/${TARGET_NAME}:c$IMG_SFX'
        - name: *name
          env:
            TARGET_NAME: 'prior-fedora_podman'
@ -96,39 +99,59 @@ container_images_task: &container_images
        #     TARGET_NAME: 'debian'
        #     DEST_FQIN: *fqin
    env: &image_env
-        # For quay.io/libpod namespace
+        # For $REGPFX namespace, select FQINs only.
-        REG_USERNAME: ENCRYPTED[de755aef351c501ee480231c24eae25b15e2b2a2b7c629f477c1d427fc5269e360bb358a53bd8914605bae588e99b52a]
+        REG_USERNAME: ENCRYPTED[df4efe530b9a6a731cfea19233e395a5206d24dfac25e84329de035393d191e94ead8c39b373a0391fa025cab15470f8]
-        REG_PASSWORD: ENCRYPTED[52268944bb0d6642c33efb1c5d7fb82d0c40f9e6988448de35827f9be2cc547c1383db13e8b21516dbd7a0a69a7ae536]
+        REG_PASSWORD: ENCRYPTED[255ec05057707c20237a6c7d15b213422779c534f74fe019b8ca565f635dba0e11035a034e533a6f39e146e7435d87b5]
    script: ci/make_container_images.sh;
    package_cache: &package_cache
-        folder: "/tmp/automation_images_tmp/.cache/**"
+        folder: "/var/tmp/automation_images_tmp/.cache/**"
        fingerprint_key: "${TARGET_NAME}-cache-version-1"
 # Most other tooling images depend on this one, build it first so the others
 # may build in parallel.
 imgts_build_task:
    alias: imgts_build
    name: 'Build IMGTS image'
    only_if: *is_pr
    skip: &ci_docs $CIRRUS_CHANGE_TITLE =~ '.*CI:DOCS.*'
    depends_on:
        - image_builder
    timeout_in: *cntr_timeout
    gce_instance: *ibi_vm
    env: *image_env
    script: |
        export TARGET_NAME=imgts
        export DEST_FQIN="${REGPFX}/${TARGET_NAME}:c${IMG_SFX}";
        ci/make_container_images.sh;
 tooling_images_task:
    alias: tooling_images
-    name: 'Build Tooling images'
+    name: 'Build Tooling image ${TARGET_NAME}'
-    only_if: $CIRRUS_CRON == ''
+    only_if: *is_pr
-    skip: &ci_docs $CIRRUS_CHANGE_TITLE =~ '.*CI:DOCS.*'
+    skip: *ci_docs
    depends_on:
-        - validate
+        - imgts_build
-    # TODO: This should not take this long, but it can :(
+    timeout_in: *cntr_timeout
    timeout_in: 40m
    gce_instance: *ibi_vm
-    env:
+    env: *image_env
-        <<: *image_env
+    matrix:
-        TARGET_NAMES: imgts imgobsolete imgprune gcsupld get_ci_vm orphanvms ccia
+      - env:
-        PUSH_LATEST: 1  # scripts force to 0 if $CIRRUS_PR
+          TARGET_NAME: imgobsolete
      - env:
          TARGET_NAME: imgprune
      - env:
          TARGET_NAME: gcsupld
      - env:
          TARGET_NAME: get_ci_vm
      - env:
          TARGET_NAME: orphanvms
      - env:
          TARGET_NAME: ccia
    script: |
-        for TARGET_NAME in $TARGET_NAMES; do
+        export DEST_FQIN="${REGPFX}/${TARGET_NAME}:c${IMG_SFX}";
-            export TARGET_NAME
+        ci/make_container_images.sh;
            export DEST_FQIN="quay.io/libpod/${TARGET_NAME}:c${IMG_SFX}";
            ci/make_container_images.sh;
        done
    package_cache:
        folder: "/tmp/automation_images_tmp/.cache/**"
        fingerprint_key: "tooling-cache-version-1"
 base_images_task:
    name: "Build VM Base-images"
@ -141,20 +164,21 @@ base_images_task:
    # Packer needs time to clean up partially created VM images
    auto_cancellation: $CI != "true"
    stateful: true
-    timeout_in: 45m
+    timeout_in: 70m
-    # Cannot use a container for this task, virt required for fedora image conversion
+    gce_instance: *ibi_vm
    gce_instance:
        <<: *ibi_vm
        # Nested-virt is required, need Intel Haswell or better CPU
        enable_nested_virtualization: true
        type: "n2-standard-2"
        scopes: ["cloud-platform"]
    matrix:
        - &base_image
          name: "${PACKER_BUILDS} Base Image"
          gce_instance: &nested_virt_vm
              <<: *ibi_vm
              # Nested-virt is required, need Intel Haswell or better CPU
              enable_nested_virtualization: true
              type: "n2-standard-16"
              scopes: ["cloud-platform"]
          env:
            PACKER_BUILDS: "fedora"
        - <<: *base_image
          gce_instance: *nested_virt_vm
          env:
            PACKER_BUILDS: "prior-fedora"
        - <<: *base_image
@ -169,6 +193,8 @@ base_images_task:
    env:
      GAC_JSON: &gac_json ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
      AWS_INI: &aws_ini ENCRYPTED[4cd69097cd29a9899e51acf3bbacceeb83cb5c907d272ca1e2a8ccd515b03f2368a0680870c0d120fc32bc578bb0a930]
      AWS_MAX_ATTEMPTS: 300
      AWS_TIMEOUT_SECONDS: 3000
    script: "ci/make.sh base_images"
    manifest_artifacts:
        path: base_images/manifest.json
@ -186,7 +212,7 @@ cache_images_task:
    # Packer needs time to clean up partially created VM images
    auto_cancellation: $CI != "true"
    stateful: true
-    timeout_in: 45m
+    timeout_in: 90m
    container:
        dockerfile: "image_builder/Containerfile"
        cpu: 2
@ -203,10 +229,10 @@ cache_images_task:
            PACKER_BUILDS: "prior-fedora"
        - <<: *cache_image
          env:
-            PACKER_BUILDS: "fedora-netavark"
+            PACKER_BUILDS: "rawhide"
        - <<: *cache_image
          env:
-            PACKER_BUILDS: "fedora-podman-py"
+            PACKER_BUILDS: "fedora-netavark"
        - <<: *cache_image
          env:
            PACKER_BUILDS: "fedora-aws"
@ -225,6 +251,8 @@ cache_images_task:
    env:
      GAC_JSON: *gac_json
      AWS_INI: *aws_ini
      AWS_MAX_ATTEMPTS: 300
      AWS_TIMEOUT_SECONDS: 3000
    script: "ci/make.sh cache_images"
    manifest_artifacts:
        path: cache_images/manifest.json
@ -243,7 +271,6 @@ win_images_task:
    # Packer needs time to clean up partially created VM images
    auto_cancellation: $CI != "true"
    stateful: true
    timeout_in: 45m
    # Packer WinRM communicator is not reliable on container tasks
    gce_instance:
        <<: *ibi_vm
@ -256,18 +283,39 @@ win_images_task:
        path: win_images/manifest.json
        type: application/json
 # These targets are intended for humans, make sure they builds and function on a basic level
 test_debug_task:
    name: "Test ${TARGET} make target"
    alias: test_debug
    only_if: *is_pr
    skip: *ci_docs
    depends_on:
        - validate
    gce_instance: *nested_virt_vm
    matrix:
        - env:
            TARGET: ci_debug
        - env:
            TARGET: image_builder_debug
    env:
        HOME: "/root"
        GAC_FILEPATH: "/dev/null"
        AWS_SHARED_CREDENTIALS_FILE: "/dev/null"
        DBG_TEST_CMD: "true"
    script: make ${TARGET}
 # Test metadata addition to images (built or not) to ensure container functions
 # TODO: Requires manually examining the output log to confirm operation.
 test_imgts_task: &imgts
    name: "Test image timestamp/metadata updates"
    alias: test_imgts
-    only_if: $CIRRUS_CRON == ''
+    only_if: *is_pr
    skip: *ci_docs
-    depends_on:
+    depends_on: &imgts_deps
-        - tooling_images
+        - base_images
        - cache_images
        - imgts_build
    container:
-        image: 'quay.io/libpod/imgts:c$IMG_SFX'
+        image: '${REGPFX}/imgts:c$IMG_SFX'
        cpu: 2
        memory: '2G'
    env: &imgts_env
@ -289,12 +337,14 @@ test_imgts_task: &imgts
            fedora-c${IMG_SFX}
            prior-fedora-c${IMG_SFX}
            fedora-netavark-c${IMG_SFX}
-            fedora-podman-py-c${IMG_SFX}
+            rawhide-c${IMG_SFX}
            debian-c${IMG_SFX}
            build-push-c${IMG_SFX}
        EC2IMGNAMES: |
            fedora-aws-i${IMPORT_IMG_SFX}
            fedora-aws-b${IMG_SFX}
            fedora-aws-c${IMG_SFX}
            fedora-aws-arm64-i${IMPORT_IMG_SFX}
            fedora-aws-arm64-b${IMG_SFX}
            fedora-podman-aws-arm64-c${IMG_SFX}
            fedora-netavark-aws-arm64-c${IMG_SFX}
@ -309,9 +359,7 @@ imgts_task:
    alias: imgts
    only_if: *is_pr
    skip: *ci_docs_tooling
-    depends_on:
+    depends_on: *imgts_deps
        - base_images
        - cache_images
    env:
        <<: *imgts_env
        DRY_RUN: 0
@ -328,13 +376,13 @@ imgts_task:
 test_imgobsolete_task: &lifecycle_test
    name: "Test obsolete image detection"
    alias: test_imgobsolete
-    only_if: &only_prs $CIRRUS_PR != ''
+    only_if: *is_pr
    skip: *ci_docs
    depends_on:
        - tooling_images
        - imgts
    container:
-        image: 'quay.io/libpod/imgobsolete:c$IMG_SFX'
+        image: '${REGPFX}/imgobsolete:c$IMG_SFX'
        cpu: 2
        memory: '2G'
    env: &lifecycle_env
@ -353,9 +401,8 @@ test_orphanvms_task:
    <<: *lifecycle_test
    name: "Test orphan VMs detection"
    alias: test_orphanvms
    skip: *ci_docs
    container:
-        image: 'quay.io/libpod/orphanvms:c$IMG_SFX'
+        image: '$REGPFX/orphanvms:c$IMG_SFX'
        cpu: 2
        memory: '2G'
    env:
@ -364,6 +411,7 @@ test_orphanvms_task:
        GCPPROJECT: 'libpod-218412'
        GCPPROJECTS: 'libpod-218412' # value for testing, otherwise see gcpprojects.txt
        AWSINI: ENCRYPTED[1ab89ff7bc1515dc964efe7ef6e094e01164ba8dd2e11c9a01259c6af3b3968ab841dbe473fe4ab5b573f2f5fa3653e8]
        DRY_RUN: 1
        EVERYTHING: 1  # Alter age-limit from 3-days -> 3 seconds for a test-run.
    script: /usr/local/bin/entrypoint.sh
@ -372,24 +420,23 @@ test_imgprune_task:
    <<: *lifecycle_test
    name: "Test obsolete image removal"
    alias: test_imgprune
    skip: *ci_docs
    depends_on:
        - tooling_images
        - imgts
    container:
-        image: 'quay.io/libpod/imgprune:c$IMG_SFX'
+        image: '$REGPFX/imgprune:c$IMG_SFX'
 test_gcsupld_task:
    name: "Test uploading to GCS"
    alias: test_gcsupld
-    only_if: *only_prs
+    only_if: *is_pr
    skip: *ci_docs
    depends_on:
        - tooling_images
        - imgts
    container:
-        image: 'quay.io/libpod/gcsupld:c$IMG_SFX'
+        image: '$REGPFX/gcsupld:c$IMG_SFX'
        cpu: 2
        memory: '2G'
    env:
@ -402,13 +449,13 @@ test_gcsupld_task:
 test_get_ci_vm_task:
    name: "Test get_ci_vm entrypoint"
    alias: test_get_ci_vm
-    only_if: *only_prs
+    only_if: *is_pr
    skip: *ci_docs
    depends_on:
        - tooling_images
        - imgts
    container:
-        image: 'quay.io/libpod/get_ci_vm:c$IMG_SFX'
+        image: '$REGPFX/get_ci_vm:c$IMG_SFX'
        cpu: 2
        memory: '2G'
    env:
@ -419,44 +466,59 @@ test_get_ci_vm_task:
 test_ccia_task:
    name: "Test ccia entrypoint"
    alias: test_ccia
-    only_if: *only_prs
+    only_if: *is_pr
    skip: *ci_docs
    depends_on:
        - tooling_images
    container:
-        image: 'quay.io/libpod/ccia:c$IMG_SFX'
+        image: '$REGPFX/ccia:c$IMG_SFX'
        cpu: 2
        memory: '2G'
    env:
        TESTING_ENTRYPOINT: true
        CCIABIN: /usr/share/automation/bin/cirrus-ci_artifacts
    test_script: ./ccia/test.sh
 test_build-push_task:
    name: "Test build-push VM functions"
    alias: test_build-push
-    only_if: *only_prs
+    only_if: |
        $CIRRUS_PR != '' &&
        $CIRRUS_PR_LABELS !=~ ".*no_build-push.*"
    skip: *ci_docs_tooling
    depends_on:
        - cache_images
    gce_instance:
        image_project: "libpod-218412"
-        image_family: 'build-push-cache'
+        image_name: build-push-c${IMG_SFX}
        zone: "us-central1-a"
        disk: 200
        # More muscle to emulate multi-arch
        type: "n2-standard-4"
-    script: bash ./build-push/test.sh
+    script: |
        mkdir /tmp/context
        echo -e "FROM scratch\nENV foo=bar\n" > /tmp/context/Containerfile
        source /etc/automation_environment
        A_DEBUG=1 build-push.sh --nopush --arches=amd64,arm64,s390x,ppc64le example.com/foo/bar /tmp/context
 tag_latest_images_task:
    alias: tag_latest_images
    name: "Tag latest built container images."
    only_if: |
        $CIRRUS_CRON == '' &&
        $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH
    skip: *ci_docs
    gce_instance: *ibi_vm
    env: *image_env
    script: ci/tag_latest.sh
 # N/B: "latest" image produced after PR-merge (branch-push)
 cron_imgobsolete_task: &lifecycle_cron
    name: "Periodicly mark old images obsolete"
    alias: cron_imgobsolete
-    only_if: $CIRRUS_PR == '' && $CIRRUS_CRON != ''
+    only_if: $CIRRUS_CRON == 'lifecycle'
    container:
-        image: 'quay.io/libpod/imgobsolete:latest'
+        image: '$REGPFX/imgobsolete:latest'
        cpu: 2
        memory: '2G'
    env:
@ -472,7 +534,7 @@ cron_imgprune_task:
    depends_on:
        - cron_imgobsolete
    container:
-        image: 'quay.io/libpod/imgprune:latest'
+        image: '$REGPFX/imgprune:latest'
 success_task:
@ -486,6 +548,7 @@ success_task:
        - base_images
        - cache_images
        - win_images
        - test_debug
        - test_imgts
        - imgts
        - test_imgobsolete
@ -495,6 +558,7 @@ success_task:
        - cron_imgprune
        - test_gcsupld
        - test_get_ci_vm
        - test_ccia
        - test_build-push
    container:
        <<: *ci_container
--- a/.codespelldict
+++ b/.codespelldict
@ -0,0 +1,2 @@
 IMGSFX,IMG-SFX->IMG_SFX
 Dockerfile->Containerfile
--- a/.codespellignore
+++ b/.codespellignore
--- a/.codespellrc
+++ b/.codespellrc
@ -0,0 +1,4 @@
 [codespell]
 ignore-words = .codespellignore
 dictionary = .codespelldict
 quiet-level = 3
--- a/.github/actions/bin/create_image_table.py
+++ b/.github/actions/bin/create_image_table.py
@ -13,9 +13,9 @@ import sys
 def msg(msg, newline=True):
    """Print msg to stderr with optional newline."""
-    nl = ''
+    nl = ""
    if newline:
-        nl = '\n'
+        nl = "\n"
    sys.stderr.write(f"{msg}{nl}")
    sys.stderr.flush()
@ -23,13 +23,13 @@ def msg(msg, newline=True):
 def stage_sort(item):
    """Return sorting-key for build-image-json item."""
    if item["stage"] == "import":
-        return str("0010"+item["name"])
+        return str("0010" + item["name"])
    elif item["stage"] == "base":
-        return str("0020"+item["name"])
+        return str("0020" + item["name"])
    elif item["stage"] == "cache":
-        return str("0030"+item["name"])
+        return str("0030" + item["name"])
    else:
-        return str("0100"+item["name"])
+        return str("0100" + item["name"])
 if "GITHUB_ENV" not in os.environ:
@ -40,46 +40,58 @@ github_workspace = os.environ.get("GITHUB_WORKSPACE", ".")
 # File written by a previous workflow step
 with open(f"{github_workspace}/built_images.json") as bij:
-  msg(f"Reading image build data from {bij.name}:")
+    msg(f"Reading image build data from {bij.name}:")
-  data = []
+    data = []
-  for build in json.load(bij):  # list of build data maps
+    for build in json.load(bij):  # list of build data maps
-    stage = build.get("stage", False)
+        stage = build.get("stage", False)
-    name = build.get("name", False)
+        name = build.get("name", False)
-    sfx = build.get("sfx", False)
+        sfx = build.get("sfx", False)
-    task = build.get("task", False)
+        task = build.get("task", False)
-    if bool(stage) and bool(name) and bool(sfx) and bool(task):
+        if bool(stage) and bool(name) and bool(sfx) and bool(task):
-        image_suffix = f'{stage[0]}{sfx}'
+            image_suffix = f"{stage[0]}{sfx}"
-        data.append(dict(stage=stage, name=name,
+            data.append(
-                         image_suffix=image_suffix, task=task))
+                dict(stage=stage, name=name, image_suffix=image_suffix, task=task)
-        if cirrus_ci_build_id is None:
+            )
-            cirrus_ci_build_id = sfx
+            if cirrus_ci_build_id is None:
-        msg(f"Including '{stage}' stage build '{name}' for task '{task}'.")
+                cirrus_ci_build_id = sfx
-    else:
+            msg(f"Including '{stage}' stage build '{name}' for task '{task}'.")
-        msg(f"Skipping  '{stage}' stage build '{name}' for task '{task}'.")
+        else:
            msg(f"Skipping  '{stage}' stage build '{name}' for task '{task}'.")
-url = 'https://cirrus-ci.com/task'
+url = "https://cirrus-ci.com/task"
 lines = []
 data.sort(key=stage_sort)
 for item in data:
-  lines.append('|*{0}*|[{1}]({2})|`{3}`|\n'.format(item['stage'],
+    image_suffix = item["image_suffix"]
-    item['name'], '{0}/{1}'.format(url, item['task']),
+    # Base-images should never actually be used, but it may be helpful
-    item['image_suffix']))
+    # to have them in the list in case some debugging is needed.
    if item["stage"] != "cache":
        image_suffix = "do-not-use"
    lines.append(
        "|*{0}*|[{1}]({2})|`{3}`|\n".format(
            item["stage"],
            item["name"],
            "{0}/{1}".format(url, item["task"]),
            image_suffix,
        )
    )
 # This is the mechanism required to set an multi-line env. var.
 # value to be consumed by future workflow steps.
-with open(os.environ["GITHUB_ENV"], "a") as ghenv, \
+with open(os.environ["GITHUB_ENV"], "a") as ghenv, open(
-     open(f'{github_workspace}/images.md', "w") as mdfile, \
+    f"{github_workspace}/images.md", "w"
-     open(f'{github_workspace}/images.json', "w") as images_json:
+) as mdfile, open(f"{github_workspace}/images.json", "w") as images_json:
-    env_header = ("IMAGE_TABLE<<EOF\n")
+    env_header = "IMAGE_TABLE<<EOF\n"
-    header = (f"[Cirrus CI build](https://cirrus-ci.com/build/{cirrus_ci_build_id})"
+    header = (
-               " successful. [Found built image names and"
+        f"[Cirrus CI build](https://cirrus-ci.com/build/{cirrus_ci_build_id})"
-              f' IDs](https://github.com/{os.environ["GITHUB_REPOSITORY"]}'
+        " successful. [Found built image names and"
-              f'/actions/runs/{os.environ["GITHUB_RUN_ID"]}):\n'
+        f' IDs](https://github.com/{os.environ["GITHUB_REPOSITORY"]}'
-               "\n")
+        f'/actions/runs/{os.environ["GITHUB_RUN_ID"]}):\n'
-    c_head = ("|*Stage*|**Image Name**|`IMAGE_SUFFIX`|\n"
+        "\n"
-              "|---|---|---|\n")
+    )
    c_head = "|*Stage*|**Image Name**|`IMAGE_SUFFIX`|\n" "|---|---|---|\n"
    # Different output destinations get slightly different content
    for dst in [ghenv, mdfile, sys.stderr]:
        if dst == ghenv:
@ -92,5 +104,7 @@ with open(os.environ["GITHUB_ENV"], "a") as ghenv, \
            dst.write("EOF\n\n")
    json.dump(data, images_json, indent=4, sort_keys=True)
-    msg(f"Wrote github env file '{ghenv.name}', md-file '{mdfile.name}',"
+    msg(
-        f" and json-file '{images_json.name}'")
+        f"Wrote github env file '{ghenv.name}', md-file '{mdfile.name}',"
        f" and json-file '{images_json.name}'"
    )
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@ -1,20 +1,12 @@
 /*
-   Renovate is a service similar to GitHub Dependabot, but with
+   Renovate is a service similar to GitHub Dependabot.
   (fantastically) more configuration options.  So many options
   in fact, if you're new I recommend glossing over this cheat-sheet
   prior to the official documentation:
-   https://www.augmentedmind.de/2021/07/25/renovate-bot-cheat-sheet
+   Please Manually validate any changes to this file with:
   Configuration Update/Change Procedure:
     1. Make changes
     2. Manually validate changes (from repo-root):
        podman run -it \
            -v ./.github/renovate.json5:/usr/src/app/renovate.json5:z \
-            docker.io/renovate/renovate:latest \
+            ghcr.io/renovatebot/renovate:latest \
            renovate-config-validator
     3. Commit.
   Configuration Reference:
   https://docs.renovatebot.com/configuration-options/
@ -22,11 +14,9 @@
   Monitoring Dashboard:
   https://app.renovatebot.com/dashboard#github/containers
-   Note: The Renovate bot will create/manage it's business on
+   Note: The Renovate bot will create/manage its business on
-         branches named 'renovate/*'.  Otherwise, and by
+         branches named 'renovate/*'.  The only copy of this
-         default, the only the copy of this file that matters
+         file that matters is the one on the `main` branch.
         is the one on the `main` branch.  No other branches
         will be monitored or touched in any way.
 */
 {
@ -44,12 +34,45 @@
    // This repo builds images, don't try to manage them.
    "docker:disable"
  ],
  /*************************************************
   *** Repository-specific configuration options ***
   *************************************************/
  // Don't leave dep. update. PRs "hanging", assign them to people.
  "assignees": ["cevich"],
-  // Don't build CI VM images for dep. update PRs
+  // Don't build CI VM images for dep. update PRs (by default)
-  commitMessagePrefix: "[CI:DOCS]",
+  "commitMessagePrefix": "[CI:DOCS]",
  "customManagers": [
    // Manage updates to the common automation library version
    {
      "customType": "regex",
      "fileMatch": "^lib.sh$",
      "matchStrings": ["INSTALL_AUTOMATION_VERSION=\"(?<currentValue>.+)\""],
      "depNameTemplate": "containers/automation",
      "datasourceTemplate": "github-tags",
      "versioningTemplate": "semver-coerced",
      // "v" included in tag, but should not be used in lib.sh
      "extractVersionTemplate": "^v(?<version>.+)$"
    }
  ],
  // N/B: LAST MATCHING RULE WINS, match statems are ANDed together.
  "packageRules": [
    // When automation library version updated, full CI VM image build
    // is needed, along with some other overrides not required in
    // (for example) github-action updates.
    {
      "matchManagers": ["custom.regex"],
      "matchFileNames": ["lib.sh"],
      "schedule": ["at any time"],
      "commitMessagePrefix": null,
      "draftPR": true,
      "prBodyNotes": [
        "\
 {{#if isMajor}}\
 :warning: Changes are **likely** required for build-scripts and/or downstream CI VM \
 image users. Please check very carefully. :warning:\
 {{else}}\
 :warning: Changes may be required for build-scripts and/or downstream CI VM \
 image users. Please double-check. :warning:\
 {{/if}}"
      ]
    }
  ]
 }
--- a/.github/workflows/check_cirrus_cron.yml
+++ b/.github/workflows/check_cirrus_cron.yml
@ -13,5 +13,10 @@ on:
 jobs:
  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
  call_cron_failures:
-    uses: containers/buildah/.github/workflows/check_cirrus_cron.yml@main
+    uses: containers/podman/.github/workflows/check_cirrus_cron.yml@main
-    secrets: inherit
+    secrets:
      SECRET_CIRRUS_API_KEY: ${{secrets.SECRET_CIRRUS_API_KEY}}
      ACTION_MAIL_SERVER: ${{secrets.ACTION_MAIL_SERVER}}
      ACTION_MAIL_USERNAME: ${{secrets.ACTION_MAIL_USERNAME}}
      ACTION_MAIL_PASSWORD: ${{secrets.ACTION_MAIL_PASSWORD}}
      ACTION_MAIL_SENDER: ${{secrets.ACTION_MAIL_SENDER}}
--- a/.github/workflows/orphan_vms.yml
+++ b/.github/workflows/orphan_vms.yml
@ -25,12 +25,12 @@ jobs:
    orphan_vms:
        runs-on: ubuntu-latest
        steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
              with:
                  persist-credentials: false
            # Avoid duplicating cron-fail_addrs.csv
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
              with:
                  repository: containers/podman
                  path: '_podman'
@ -44,14 +44,14 @@ jobs:
                GCPPROJECT: 'libpod-218412'
              run: |
                export GCPNAME GCPJSON AWSINI GCPPROJECT
-                export GCPPROJECTS=$(egrep -vx '^#+.*$' $GITHUB_WORKSPACE/gcpprojects.txt | tr -s '[:space:]' ' ')
+                export GCPPROJECTS=$(grep -E -vx '^#+.*$' $GITHUB_WORKSPACE/gcpprojects.txt | tr -s '[:space:]' ' ')
                podman run --rm \
                    -e GCPNAME -e GCPJSON -e AWSINI -e GCPPROJECT -e GCPPROJECTS \
                    quay.io/libpod/orphanvms:latest \
                    > /tmp/orphanvms_output.txt
            - if: always()
-              uses: actions/upload-artifact@v3
+              uses: actions/upload-artifact@v4
              with:
                  name: orphanvms_output
                  path: /tmp/orphanvms_output.txt
@ -59,7 +59,7 @@ jobs:
            - name: Count number of orphaned VMs
              id: orphans
              run: |
-                count=$(egrep -x '\* VM .+' /tmp/orphanvms_output.txt | wc -l)
+                count=$(grep -E -x '\* VM .+' /tmp/orphanvms_output.txt | wc -l)
                # Assist with debugging job (step-outputs are otherwise hidden)
                printf "Orphan VMs count:%d\n" $count
                if [[ "$count" =~ ^[0-9]+$ ]]; then
@ -86,20 +86,20 @@ jobs:
            - if: steps.orphans.outputs.count > 0
              name: Send orphan notification e-mail
              # Ref: https://github.com/dawidd6/action-send-mail
-              uses: dawidd6/action-send-mail@v3.7.1
+              uses: dawidd6/action-send-mail@v3.12.0
              with:
                server_address: ${{ secrets.ACTION_MAIL_SERVER }}
                server_port: 465
                username: ${{ secrets.ACTION_MAIL_USERNAME }}
                password: ${{ secrets.ACTION_MAIL_PASSWORD }}
-                subject: Orphaned GCP VMs
+                subject: Orphaned CI VMs detected
                to: ${{env.RCPTCSV}}
                from: ${{ secrets.ACTION_MAIL_SENDER }}
                body: file:///tmp/email_body.txt
            - if: failure()
              name: Send error notification e-mail
-              uses: dawidd6/action-send-mail@v3.7.1
+              uses: dawidd6/action-send-mail@v3.12.0
              with:
                server_address: ${{secrets.ACTION_MAIL_SERVER}}
                server_port: 465
@ -108,4 +108,4 @@ jobs:
                subject: Github workflow error on ${{github.repository}}
                to: ${{env.RCPTCSV}}
                from: ${{secrets.ACTION_MAIL_SENDER}}
-                body: "Job failed: https://github.com/${{github.repository}}/runs/${{github.job}}?check_suite_focus=true"
+                body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
--- a/.github/workflows/pr_image_id.yml
+++ b/.github/workflows/pr_image_id.yml
@ -58,7 +58,7 @@ jobs:
                  fi
            - if: steps.retro.outputs.is_pr == 'true'
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
              with:
                  persist-credentials: false
@ -71,11 +71,7 @@ jobs:
              # fall back to using the latest built CCIA image.
              run: |
                PODMAN="podman run --rm -v $GITHUB_WORKSPACE:/data -w /data"
-                PR_CCIA="quay.io/libpod/ccia:c${{ steps.retro.outputs.bid }}"
+                $PODMAN quay.io/libpod/ccia:latest --verbose "${{ steps.retro.outputs.bid }}" ".*/manifest.json"
                UP_CCIA="quay.io/libpod/ccia:latest"
                declare -a ARGS
                ARGS=("--verbose" "${{ steps.retro.outputs.bid }}" ".*/manifest.json")
                $PODMAN $PR_CCIA "${ARGS[@]}" || $PODMAN $UP_CCIA "${ARGS[@]}"
            - if: steps.retro.outputs.is_pr == 'true'
              name: Count the number of manifest.json files downloaded
@ -136,12 +132,10 @@ jobs:
            - if: steps.manifests.outputs.count > 0
              name: Post PR comment with image name/id table
-              uses: jungwinter/comment@v1.1.0
+              uses: thollander/actions-comment-pull-request@v3
              with:
-                  issue_number: '${{ steps.retro.outputs.prn }}'
+                  pr-number: '${{ steps.retro.outputs.prn }}'
-                  type: 'create'
+                  message: |
                  token: '${{ secrets.GITHUB_TOKEN }}'
                  body: |
                    ${{ env.IMAGE_TABLE }}
            # Ref: https://github.com/marketplace/actions/deploy-to-gist
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 */*.json
 /.cache
 .pre-commit-config.yaml
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@ -0,0 +1,20 @@
 ---
 # Ref: https://pre-commit.com/#creating-new-hooks
 - id: check-imgsfx
  name: Check IMG_SFX for accidental reuse.
  description: |
    Every PR intended to produce CI VM or container images must update
    the `IMG_SFX` file via `make IMG_SFX`.  The exact value will be
    validated against global suffix usage (encoded as tags on the
    `imgts` container image).  This pre-commit hook verifies on every
    push, the IMG_SFX file's value has not been pushed previously.
    It's intended as a simple/imperfect way to save developers time
    by avoiding force-pushes that will most certainly fail validation.
  entry: ./check-imgsfx.sh
  language: system
  exclude: '.*'  # Not examining any specific file/dir/link
  always_run: true  # ignore no matching files
  fail_fast: true
  pass_filenames: false
  stages: ["pre-push"]
--- a/2
+++ b/2
@ -1 +1 @@
-20230223t153813z-f37f36d12
+20250812t173301z-f42f41d13
--- a/285
+++ b/285
@ -1,4 +1,7 @@
 # Default is sh, which has scripting limitations
 SHELL := $(shell command -v bash;)
 ##### Functions #####
 # Evaluates to $(1) if $(1) non-empty, otherwise evaluates to $(2)
@ -15,18 +18,20 @@ if_ci_else = $(if $(findstring true,$(CI)),$(1),$(2))
 ##### Important image release and source details #####
-export CENTOS_STREAM_RELEASE = 8
+export CENTOS_STREAM_RELEASE = 9
-export FEDORA_RELEASE = 37
+# Warning: Beta Fedora releases are not supported.  Verifiy EC2 AMI availability
-export PRIOR_FEDORA_RELEASE = 36
+# here: https://fedoraproject.org/cloud/download
 export FEDORA_RELEASE = 42
 export PRIOR_FEDORA_RELEASE = 41
-# See import_images/README.md
+# This should always be one-greater than $FEDORA_RELEASE (assuming it's actually the latest)
-export FEDORA_IMPORT_IMG_SFX = 1669819494
+export RAWHIDE_RELEASE = 43
 # Automation assumes the actual release number (after SID upgrade)
 # is always one-greater than the latest DEBIAN_BASE_FAMILY (GCE image).
-export DEBIAN_RELEASE = 12
+export DEBIAN_RELEASE = 13
-export DEBIAN_BASE_FAMILY = debian-11
+export DEBIAN_BASE_FAMILY = debian-12
 IMPORT_FORMAT = vhdx
@ -106,6 +111,12 @@ export PACKER_CACHE_DIR = $(call err_if_empty,_TEMPDIR)
 # AWS CLI default, in case caller needs to override
 export AWS := aws --output json --region us-east-1
 # Needed for container-image builds
 GIT_HEAD = $(shell git rev-parse HEAD)
 # Save some typing
 _IMGTS_FQIN := quay.io/libpod/imgts:c$(_IMG_SFX)
 ##### Targets #####
 # N/B: The double-# after targets is gawk'd out as the target description
@ -120,12 +131,39 @@ help: ## Default target, parses special in-line comments as documentation.
 # There are length/character limitations (a-z, 0-9, -) in GCE for image
 # names and a max-length of 63.
 .PHONY: IMG_SFX
-IMG_SFX:  ## Generate a new date-based image suffix, store in the file IMG_SFX
+IMG_SFX:  timebomb-check ## Generate a new date-based image suffix, store in the file IMG_SFX
-	$(file >$@,$(shell date --utc +%Y%m%dt%H%M%Sz)-f$(FEDORA_RELEASE)f$(PRIOR_FEDORA_RELEASE)d$(subst .,,$(DEBIAN_RELEASE)))
+	@echo "$$(date -u +%Y%m%dt%H%M%Sz)-f$(FEDORA_RELEASE)f$(PRIOR_FEDORA_RELEASE)d$(subst .,,$(DEBIAN_RELEASE))" > "$@"
-	@echo "$(file <IMG_SFX)"
+	@cat IMG_SFX
 # Prevent us from wasting CI time when we have expired timebombs
 .PHONY: timebomb-check
 timebomb-check:
 	@now=$$(date -u +%Y%m%d); \
 	    found=; \
 	    while read -r bomb; do \
 	        when=$$(echo "$$bomb" | sed -E -e 's/^.*timebomb ([0-9]+).*/\1/'); \
 	        if [ "$$when" -le "$$now" ]; then \
 	            echo "$$bomb"; \
 	            found=found; \
 	        fi; \
 	    done < <(git grep --line-number '^[ ]*timebomb '); \
 	    if [[ -n "$$found" ]]; then \
 	        echo ""; \
 	        echo "****** FATAL: Please check/fix expired timebomb(s) ^^^^^^"; \
 	        false; \
 	    fi
 # Given the path to a file containing 'sha256:<image id>' return <image id>
 # or throw error if empty.
 define imageid
 	$(if $(file < $(1)),$(subst sha256:,,$(file < $(1))),$(error Container IID file $(1) doesn't exist or is empty))
 endef
 # This is intended for use by humans, to debug the image_builder_task in .cirrus.yml
 # as well as the scripts under the ci subdirectory.  See the 'image_builder_debug`
 # target if debugging of the packer builds is necessary.
 .PHONY: ci_debug
-ci_debug: $(_TEMPDIR)/ci_debug.tar ## Build and enter container for local development/debugging of container-based Cirrus-CI tasks
+ci_debug: $(_TEMPDIR)/ci_debug.iid ## Build and enter container for local development/debugging of container-based Cirrus-CI tasks
 	/usr/bin/podman run -it --rm \
 		--security-opt label=disable \
 		-v $(_MKFILE_DIR):$(_MKFILE_DIR) -w $(_MKFILE_DIR) \
@ -137,23 +175,19 @@ ci_debug: $(_TEMPDIR)/ci_debug.tar ## Build and enter container for local develo
 		-e GAC_FILEPATH=$(GAC_FILEPATH) \
 		-e AWS_SHARED_CREDENTIALS_FILE=$(AWS_SHARED_CREDENTIALS_FILE) \
 		-e TEMPDIR=$(_TEMPDIR) \
-		docker-archive:$<
+		$(call imageid,$<) $(if $(DBG_TEST_CMD),$(DBG_TEST_CMD),)
-# Takes 4 arguments: export filepath, FQIN, context dir, package cache key
+# Takes 3 arguments: IID filepath, FQIN, context dir
 define podman_build
 	podman build -t $(2) \
-		--security-opt seccomp=unconfined \
+		--iidfile=$(1) \
 		-v $(_TEMPDIR)/.cache/$(4):/var/cache/dnf:Z \
 		-v $(_TEMPDIR)/.cache/$(4):/var/cache/apt:Z \
 		--build-arg CENTOS_STREAM_RELEASE=$(CENTOS_STREAM_RELEASE) \
 		--build-arg PACKER_VERSION=$(call err_if_empty,PACKER_VERSION) \
 		-f $(3)/Containerfile .
 	rm -f $(1)
 	podman save --quiet -o $(1) $(2)
 endef
-$(_TEMPDIR)/ci_debug.tar: $(_TEMPDIR)/.cache/fedora $(wildcard ci/*)
+$(_TEMPDIR)/ci_debug.iid: $(_TEMPDIR) $(wildcard ci/*)
-	$(call podman_build,$@,ci_debug,ci,fedora)
+	$(call podman_build,$@,ci_debug,ci)
 $(_TEMPDIR):
 	mkdir -p $@
@ -161,12 +195,6 @@ $(_TEMPDIR):
 $(_TEMPDIR)/bin: $(_TEMPDIR)
 	mkdir -p $@
 $(_TEMPDIR)/.cache: $(_TEMPDIR)
 	mkdir -p $@
 $(_TEMPDIR)/.cache/%: $(_TEMPDIR)/.cache
 	mkdir -p $@
 $(_TEMPDIR)/packer.zip: $(_TEMPDIR)
 	curl -L --silent --show-error "$(_PACKER_URL)" -o "$@"
@ -201,7 +229,7 @@ $(_TEMPDIR)/user-data: $(_TEMPDIR) $(_TEMPDIR)/cidata.ssh.pub $(_TEMPDIR)/cidata
 cidata: $(_TEMPDIR)/user-data $(_TEMPDIR)/meta-data
 define build_podman_container
-	$(MAKE) $(_TEMPDIR)/$(1).tar BASE_TAG=$(2)
+	$(MAKE) $(_TEMPDIR)/$(1).iid BASE_TAG=$(2)
 endef
 # First argument is the path to the template JSON
@ -229,14 +257,17 @@ image_builder: image_builder/manifest.json ## Create image-building image and im
 image_builder/manifest.json: image_builder/gce.json image_builder/setup.sh lib.sh systemd_banish.sh $(PACKER_INSTALL_DIR)/packer
 	$(call packer_build,image_builder/gce.json)
-# Note: We assume this repo is checked out somewhere under the caller's
+# Note: It's assumed there are important files in the callers $HOME
-# home-dir for bind-mounting purposes.  Otherwise possibly necessary
+# needed for debugging (.gitconfig, .ssh keys, etc.).  It's unsafe
-# files/directories like $HOME/.gitconfig or $HOME/.ssh/ won't be available
+# to assume $(_MKFILE_DIR) is also under $HOME.  Both are mounted
-# from inside the debugging container.
+# for good measure.
 .PHONY: image_builder_debug
-image_builder_debug: $(_TEMPDIR)/image_builder_debug.tar ## Build and enter container for local development/debugging of targets requiring packer + virtualization
+image_builder_debug: $(_TEMPDIR)/image_builder_debug.iid ## Build and enter container for local development/debugging of targets requiring packer + virtualization
 	/usr/bin/podman run -it --rm \
-		--security-opt label=disable -v $$HOME:$$HOME -w $(_MKFILE_DIR) \
+		--security-opt label=disable \
 		-v $$HOME:$$HOME \
 		-v $(_MKFILE_DIR):$(_MKFILE_DIR) \
 		-w $(_MKFILE_DIR) \
 		-v $(_TEMPDIR):$(_TEMPDIR) \
 		-v $(call err_if_empty,GAC_FILEPATH):$(GAC_FILEPATH) \
 		-v $(call err_if_empty,AWS_SHARED_CREDENTIALS_FILE):$(AWS_SHARED_CREDENTIALS_FILE) \
@ -246,114 +277,10 @@ image_builder_debug: $(_TEMPDIR)/image_builder_debug.tar ## Build and enter cont
 		-e IMG_SFX=$(call err_if_empty,_IMG_SFX) \
 		-e GAC_FILEPATH=$(GAC_FILEPATH) \
 		-e AWS_SHARED_CREDENTIALS_FILE=$(AWS_SHARED_CREDENTIALS_FILE) \
-		docker-archive:$<
+		$(call imageid,$<) $(if $(DBG_TEST_CMD),$(DBG_TEST_CMD))
-$(_TEMPDIR)/image_builder_debug.tar: $(_TEMPDIR)/.cache/centos $(wildcard image_builder/*)
+$(_TEMPDIR)/image_builder_debug.iid: $(_TEMPDIR) $(wildcard image_builder/*)
-	$(call podman_build,$@,image_builder_debug,image_builder,centos)
+	$(call podman_build,$@,image_builder_debug,image_builder)
 # Avoid re-downloading unnecessarily
 # Ref: https://www.gnu.org/software/make/manual/html_node/Special-Targets.html#Special-Targets
 .PRECIOUS: $(_TEMPDIR)/fedora-aws-$(_IMG_SFX).$(IMPORT_FORMAT)
 $(_TEMPDIR)/fedora-aws-$(_IMG_SFX).$(IMPORT_FORMAT): $(_TEMPDIR)
 	bash import_images/handle_image.sh \
 		$@ \
 		$(call err_if_empty,FEDORA_IMAGE_URL) \
 		$(call err_if_empty,FEDORA_CSUM_URL)
 $(_TEMPDIR)/fedora-aws-arm64-$(_IMG_SFX).$(IMPORT_FORMAT): $(_TEMPDIR)
 	bash import_images/handle_image.sh \
 		$@ \
 		$(call err_if_empty,FEDORA_ARM64_IMAGE_URL) \
 		$(call err_if_empty,FEDORA_ARM64_CSUM_URL)
 $(_TEMPDIR)/%.md5: $(_TEMPDIR)/%.$(IMPORT_FORMAT)
 	openssl md5 -binary $< | base64 > $@.tmp
 	mv $@.tmp $@
 # MD5 metadata value checked by AWS after upload + 5 retries.
 # Cache disabled to avoid sync. issues w/ vmimport service if
 # image re-uploaded.
 # TODO: Use sha256 from ..._CSUM_URL file instead of recalculating
 # https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
 # Avoid re-uploading unnecessarily
 .SECONDARY: $(_TEMPDIR)/%.uploaded
 $(_TEMPDIR)/%.uploaded: $(_TEMPDIR)/%.$(IMPORT_FORMAT) $(_TEMPDIR)/%.md5
 	-$(AWS) s3 rm --quiet s3://packer-image-import/%.$(IMPORT_FORMAT)
 	$(AWS) s3api put-object \
 		--content-md5 "$(file < $(_TEMPDIR)/$*.md5)" \
 		--content-encoding binary/octet-stream \
 		--cache-control no-cache \
 		--bucket packer-image-import \
 		--key $*.$(IMPORT_FORMAT) \
 		--body $(_TEMPDIR)/$*.$(IMPORT_FORMAT) > $@.tmp
 	mv $@.tmp $@
 # For whatever reason, the 'Format' value must be all upper-case.
 # Avoid creating unnecessary/duplicate import tasks
 .SECONDARY: $(_TEMPDIR)/%.import_task_id
 $(_TEMPDIR)/%.import_task_id: $(_TEMPDIR)/%.uploaded
 	$(AWS) ec2 import-snapshot \
 		--disk-container Format=$(shell tr '[:lower:]' '[:upper:]'<<<"$(IMPORT_FORMAT)"),UserBucket="{S3Bucket=packer-image-import,S3Key=$*.$(IMPORT_FORMAT)}" > $@.tmp.json
 	@cat $@.tmp.json
 	jq -r -e .ImportTaskId $@.tmp.json > $@.tmp
 	mv $@.tmp $@
 # Avoid importing multiple snapshots for the same image
 .PRECIOUS: $(_TEMPDIR)/%.snapshot_id
 $(_TEMPDIR)/%.snapshot_id: $(_TEMPDIR)/%.import_task_id
 	bash import_images/wait_import_task.sh "$<" > $@.tmp
 	mv $@.tmp $@
 define _register_sed
 	sed -r \
 		-e 's/@@@NAME@@@/$(1)/' \
 		-e 's/@@@IMG_SFX@@@/$(_IMG_SFX)/' \
 		-e 's/@@@ARCH@@@/$(2)/' \
 		-e 's/@@@SNAPSHOT_ID@@@/$(3)/' \
 		import_images/register.json.in \
 	> $(4)
 endef
 $(_TEMPDIR)/fedora-aws-$(_IMG_SFX).register.json: $(_TEMPDIR)/fedora-aws-$(_IMG_SFX).snapshot_id import_images/register.json.in
 	$(call _register_sed,fedora-aws,x86_64,$(file <$<),$@)
 $(_TEMPDIR)/fedora-aws-arm64-$(_IMG_SFX).register.json: $(_TEMPDIR)/fedora-aws-arm64-$(_IMG_SFX).snapshot_id import_images/register.json.in
 	$(call _register_sed,fedora-aws-arm64,arm64,$(file <$<),$@)
 # Avoid multiple registrations for the same image
 .PRECIOUS: $(_TEMPDIR)/%.ami.id
 $(_TEMPDIR)/%.ami.id: $(_TEMPDIR)/%.register.json
 	$(AWS) ec2 register-image --cli-input-json "$$(<$<)" > $@.tmp.json
 	cat $@.tmp.json
 	jq -r -e .ImageId $@.tmp.json > $@.tmp
 	mv $@.tmp $@
 $(_TEMPDIR)/%.ami.name: $(_TEMPDIR)/%.register.json
 	jq -r -e .Name $< > $@.tmp
 	mv $@.tmp $@
 $(_TEMPDIR)/%.ami.json: $(_TEMPDIR)/%.ami.id $(_TEMPDIR)/%.ami.name
 	$(AWS) ec2 create-tags \
 		--resources "$$(<$(_TEMPDIR)/$*.ami.id)" \
 		--tags \
 			Key=Name,Value=$$(<$(_TEMPDIR)/$*.ami.name) \
 			Key=automation,Value=false
 	$(AWS) --output table ec2 describe-images --image-ids "$$(<$(_TEMPDIR)/$*.ami.id)" \
 		| tee $@
 .PHONY: import_images
 import_images: $(_TEMPDIR)/fedora-aws-$(_IMG_SFX).ami.json $(_TEMPDIR)/fedora-aws-arm64-$(_IMG_SFX).ami.json import_images/manifest.json.in  ## Import generic Fedora cloud images into AWS EC2.
 	sed -r \
 		-e 's/@@@IMG_SFX@@@/$(_IMG_SFX)/' \
 		-e 's/@@@CIRRUS_TASK_ID@@@/$(CIRRUS_TASK_ID)/' \
 		import_images/manifest.json.in \
 	> import_images/manifest.json
 	@echo "Image import(s) successful."
 	@echo "############################################################"
 	@echo "Please update Makefile value:"
 	@echo ""
 	@echo "    FEDORA_IMPORT_IMG_SFX = $(_IMG_SFX)"
 	@echo "############################################################"
 .PHONY: base_images
 # This needs to run in a virt/nested-virt capable environment
@ -381,82 +308,80 @@ fedora_podman:  ## Build Fedora podman development container
 prior-fedora_podman:  ## Build Prior-Fedora podman development container
 	$(call build_podman_container,$@,$(PRIOR_FEDORA_RELEASE))
-$(_TEMPDIR)/%_podman.tar: podman/Containerfile podman/setup.sh $(wildcard base_images/*.sh) $(wildcard cache_images/*.sh) $(_TEMPDIR)/.cache/%
+$(_TEMPDIR)/%_podman.iid: podman/Containerfile podman/setup.sh $(wildcard base_images/*.sh) $(_TEMPDIR) $(wildcard cache_images/*.sh)
 	podman build -t $*_podman:$(call err_if_empty,_IMG_SFX) \
 		--security-opt seccomp=unconfined \
 		--iidfile=$@ \
 		--build-arg=BASE_NAME=$(subst prior-,,$*) \
 		--build-arg=BASE_TAG=$(call err_if_empty,BASE_TAG) \
 		--build-arg=PACKER_BUILD_NAME=$(subst _podman,,$*) \
-		-v $(_TEMPDIR)/.cache/$*:/var/cache/dnf:Z \
+		--build-arg=IMG_SFX=$(_IMG_SFX) \
-		-v $(_TEMPDIR)/.cache/$*:/var/cache/apt:Z \
+		--build-arg=CIRRUS_TASK_ID=$(CIRRUS_TASK_ID) \
 		--build-arg=GIT_HEAD=$(call err_if_empty,GIT_HEAD) \
 		-f podman/Containerfile .
 	rm -f $@
 	podman save --quiet -o $@ $*_podman:$(_IMG_SFX)
 .PHONY: skopeo_cidev
-skopeo_cidev: $(_TEMPDIR)/skopeo_cidev.tar  ## Build Skopeo development and CI container
+skopeo_cidev: $(_TEMPDIR)/skopeo_cidev.iid  ## Build Skopeo development and CI container
-$(_TEMPDIR)/skopeo_cidev.tar: $(wildcard skopeo_base/*) $(_TEMPDIR)/.cache/fedora
+$(_TEMPDIR)/skopeo_cidev.iid: $(_TEMPDIR) $(wildcard skopeo_base/*)
 	podman build -t skopeo_cidev:$(call err_if_empty,_IMG_SFX) \
 		--iidfile=$@ \
 		--security-opt seccomp=unconfined \
 		--build-arg=BASE_TAG=$(FEDORA_RELEASE) \
 		-v $(_TEMPDIR)/.cache/fedora:/var/cache/dnf:Z \
 		skopeo_cidev
 	rm -f $@
 	podman save --quiet -o $@ skopeo_cidev:$(_IMG_SFX)
 # TODO: Temporarily force F36 due to:
 # https://github.com/aio-libs/aiohttp/issues/6600
 .PHONY: ccia
-ccia: $(_TEMPDIR)/ccia.tar  ## Build the Cirrus-CI Artifacts container image
+ccia: $(_TEMPDIR)/ccia.iid  ## Build the Cirrus-CI Artifacts container image
-$(_TEMPDIR)/ccia.tar: ccia/Containerfile
+$(_TEMPDIR)/ccia.iid: ccia/Containerfile $(_TEMPDIR)
-	podman build -t ccia:$(call err_if_empty,_IMG_SFX) \
+	$(call podman_build,$@,ccia:$(call err_if_empty,_IMG_SFX),ccia)
 		--security-opt seccomp=unconfined \
 		--build-arg=BASE_TAG=36 \
 		ccia
 	rm -f $@
 	podman save --quiet -o $@ ccia:$(_IMG_SFX)
 # Note: This target only builds imgts:c$(_IMG_SFX) it does not push it to
 # any container registry which may be required for targets which
 # depend on it as a base-image.  In CI, pushing is handled automatically
 # by the 'ci/make_container_images.sh' script.
 .PHONY: imgts
-imgts: $(_TEMPDIR)/imgts.tar  ## Build the VM image time-stamping container image
+imgts: imgts/Containerfile imgts/entrypoint.sh imgts/google-cloud-sdk.repo imgts/lib_entrypoint.sh $(_TEMPDIR)  ## Build the VM image time-stamping container image
-$(_TEMPDIR)/imgts.tar: imgts/Containerfile imgts/entrypoint.sh imgts/google-cloud-sdk.repo imgts/lib_entrypoint.sh $(_TEMPDIR)/.cache/centos
+	$(call podman_build,/dev/null,imgts:$(call err_if_empty,_IMG_SFX),imgts)
-	$(call podman_build,$@,imgts:$(call err_if_empty,_IMG_SFX),imgts,centos)
+	-rm $(_TEMPDIR)/$@.iid
 # Helper function to build images which depend on imgts:latest base image
 # N/B: There is no make dependency resolution on imgts.iid on purpose,
 # imgts:c$(_IMG_SFX) is assumed to have already been pushed to quay.
 # See imgts target above.
 define imgts_base_podman_build
-	podman load -i $(_TEMPDIR)/imgts.tar
+	podman image exists $(_IMGTS_FQIN) || podman pull $(_IMGTS_FQIN)
-	podman tag imgts:$(call err_if_empty,_IMG_SFX) imgts:latest
+	podman image exists imgts:latest || podman tag $(_IMGTS_FQIN) imgts:latest
-	$(call podman_build,$@,$(1):$(call err_if_empty,_IMG_SFX),$(1),centos)
+	$(call podman_build,$@,$(1):$(call err_if_empty,_IMG_SFX),$(1))
 endef
 .PHONY: imgobsolete
-imgobsolete: $(_TEMPDIR)/imgobsolete.tar  ## Build the VM Image obsoleting container image
+imgobsolete: $(_TEMPDIR)/imgobsolete.iid  ## Build the VM Image obsoleting container image
-$(_TEMPDIR)/imgobsolete.tar: $(_TEMPDIR)/imgts.tar imgts/lib_entrypoint.sh imgobsolete/Containerfile imgobsolete/entrypoint.sh $(_TEMPDIR)/.cache/centos
+$(_TEMPDIR)/imgobsolete.iid: imgts/lib_entrypoint.sh imgobsolete/Containerfile imgobsolete/entrypoint.sh $(_TEMPDIR)
 	$(call imgts_base_podman_build,imgobsolete)
 .PHONY: imgprune
-imgprune: $(_TEMPDIR)/imgprune.tar  ## Build the VM Image pruning container image
+imgprune: $(_TEMPDIR)/imgprune.iid  ## Build the VM Image pruning container image
-$(_TEMPDIR)/imgprune.tar: $(_TEMPDIR)/imgts.tar imgts/lib_entrypoint.sh imgprune/Containerfile imgprune/entrypoint.sh $(_TEMPDIR)/.cache/centos
+$(_TEMPDIR)/imgprune.iid: imgts/lib_entrypoint.sh imgprune/Containerfile imgprune/entrypoint.sh $(_TEMPDIR)
 	$(call imgts_base_podman_build,imgprune)
 .PHONY: gcsupld
-gcsupld: $(_TEMPDIR)/gcsupld.tar  ## Build the GCS Upload container image
+gcsupld: $(_TEMPDIR)/gcsupld.iid  ## Build the GCS Upload container image
-$(_TEMPDIR)/gcsupld.tar: $(_TEMPDIR)/imgts.tar imgts/lib_entrypoint.sh gcsupld/Containerfile gcsupld/entrypoint.sh $(_TEMPDIR)/.cache/centos
+$(_TEMPDIR)/gcsupld.iid: imgts/lib_entrypoint.sh gcsupld/Containerfile gcsupld/entrypoint.sh $(_TEMPDIR)
 	$(call imgts_base_podman_build,gcsupld)
 .PHONY: orphanvms
-orphanvms: $(_TEMPDIR)/orphanvms.tar  ## Build the Orphaned VM container image
+orphanvms: $(_TEMPDIR)/orphanvms.iid  ## Build the Orphaned VM container image
-$(_TEMPDIR)/orphanvms.tar: $(_TEMPDIR)/imgts.tar imgts/lib_entrypoint.sh orphanvms/Containerfile orphanvms/entrypoint.sh orphanvms/_gce orphanvms/_ec2 $(_TEMPDIR)/.cache/centos
+$(_TEMPDIR)/orphanvms.iid: imgts/lib_entrypoint.sh orphanvms/Containerfile orphanvms/entrypoint.sh orphanvms/_gce orphanvms/_ec2 $(_TEMPDIR)
 	$(call imgts_base_podman_build,orphanvms)
 .PHONY: .get_ci_vm
-get_ci_vm: $(_TEMPDIR)/get_ci_vm.tar  ## Build the get_ci_vm container image
+get_ci_vm: $(_TEMPDIR)/get_ci_vm.iid  ## Build the get_ci_vm container image
-$(_TEMPDIR)/get_ci_vm.tar: lib.sh get_ci_vm/Containerfile get_ci_vm/entrypoint.sh get_ci_vm/setup.sh $(_TEMPDIR)
+$(_TEMPDIR)/get_ci_vm.iid: lib.sh get_ci_vm/Containerfile get_ci_vm/entrypoint.sh get_ci_vm/setup.sh $(_TEMPDIR)
-	podman build -t get_ci_vm:$(call err_if_empty,_IMG_SFX) -f get_ci_vm/Containerfile .
+	podman build --iidfile=$@ -t get_ci_vm:$(call err_if_empty,_IMG_SFX) -f get_ci_vm/Containerfile ./
 	rm -f $@
 	podman save --quiet -o $@ get_ci_vm:$(_IMG_SFX)
 .PHONY: clean
 clean: ## Remove all generated files referenced in this Makefile
 	-rm -rf $(_TEMPDIR)
 	-rm -f image_builder/*.json
 	-rm -f *_images/{*.json,cidata*,*-data}
-	-rm -f ci_debug.tar
+	-podman rmi imgts:latest
 	-podman rmi $(_IMGTS_FQIN)
--- a/README-simplified.md
+++ b/README-simplified.md
@ -0,0 +1,108 @@
 The README here is waaaaaay too complicated for Ed. So here is a
 simplified version of the typical things you need to do.
 Super Duper Simplest Case
 =========================
 This is by far the most common case, and the simplest to understand.
 You do this when you want to build VMs with newer package versions than
 whatever VMs are currently set up in CI. You really need to
 understand this before you get into anything more complicated.
 ```
 $ git checkout -b lets-see-what-happens
 $ make IMG_SFX
 $ git commit -asm"Let's just see what happens"
 ```
 ...and push that as a PR.
 If you're lucky, in about an hour you will get an email from `github-actions[bot]`
 with a nice table of base and cache images, with links. I strongly encourage you
 to try to get Ed's
 [cirrus-vm-get-versions](https://github.com/edsantiago/containertools/tree/main/cirrus-vm-get-versions)
 script working, because this will give you a very quick easy reliable
 list of what packages have changed. You don't need this, but life will be painful
 for you without it.
 (If you're not lucky, the build will break. There are infinite ways for
 this to happen, so you're on your own here. Ask for help! This is a great
 team, and one or more people may quickly realize the problem.)
 Once you have new VMs built, **test in an actual project**! Usually podman
 and buildah, but you may want the varks too:
 ```
 $ cd ~/src/github/containers/podman     ! or wherever
 $ git checkout -b test-new-vms
 $ vim .cirrus.yml
 [ search for "c202", and replace with your new IMG_SFX.]
 [ Don't forget the leading "c"! ]
 $ git commit -as
 [ Please include a link to the automation_images PR! ]
 ```
 Push this PR and see what happens. If you're very lucky, it will
 pass on this and other repos. Get your podman/buildah/vark PRs
 reviewed and merged, and then review-merge the automation_images one.
 Pushing (har har) Your Luck
 ---------------------------
 Feel lucky? Tag this VM build, so `dependabot` will create PRs
 on all the myriad container repos:
 ```
 $ git tag $(<IMG_SFX)
 $ git push --no-verify upstream $(<IMG_SFX)
 ```
 Within a few hours you'll see a ton of PRs. It is very likely that
 something will go wrong in one or two, and if so, it's impossible to
 cover all possibilities. As above, ask for help.
 More Complicated Cases
 ======================
 These are the next two most common.
 Bumping One Package
 -------------------
 Quite often we need an emergency bump of only one package that
 is not yet stable. Here are examples of the two most typical
 cases,
 [crun](https://github.com/containers/automation_images/pull/386/files) and
 [pasta](https://github.com/containers/automation_images/pull/383/files).
 Note the `timebomb` directives. Please use these: the time you save
 may be your own, one future day. And please use 2-6 week times.
 A timebomb that expires in a year is going to be hard to understand
 when it goes off.
 Bumping Distros
 ---------------
 Like Fedora 40 to 41. Edit `Makefile`. Change `FEDORA`, `PRIOR_FEDORA`,
 and `RAWHIDE`, then proceed with Simple Case.
 There is almost zero chance that this will work on the first try.
 Sorry, that's just the way it is. See the
 [F40 to F41 PR](https://github.com/containers/automation_images/pull/392/files)
 for a not-atypical example.
 STRONG RECOMMENDATION
 =====================
 Read [check-imgsfx.sh](check-imgsfx.sh) and follow its instructions. Ed
 likes to copy that to `.git/hooks/pre-push`, Chris likes using some
 external tool that Ed doesn't trust. Use your judgment.
 The reason for this is that you are going to forget to `make IMG_SFX`
 one day, and then you're going to `git push --force` an update and walk
 away, and come back to a failed run because `IMG_SFX` must always
 always always be brand new.
 Weak Recommendation
 -------------------
 Ed likes to fiddle with `IMG_SFX`, zeroing out to the nearest
 quarter hour. Absolutely unnecessary, but easier on the eyes
 when trying to see which VMs are in use or when comparing
 diffs.
--- a/README.md
+++ b/README.md
@ -52,7 +52,7 @@ However, all steps are listed below for completeness.
 For more information on the overall process of importing custom GCE VM
 Images, please [refer to the documentation](https://cloud.google.com/compute/docs/import/import-existing-image).  For references to the latest pre-build AWS
 EC2 Fedora AMI's see [the
-upstream cloud page](https://alt.fedoraproject.org/cloud/).
+upstream cloud page](https://fedoraproject.org/cloud/download).
 For more information on the primary tool (*packer*) used for this process,
 please [see it's documentation page](https://www.packer.io/docs).
@ -264,13 +264,11 @@ then automatically pushed to:
 * https://quay.io/repository/libpod/fedora_podman
 * https://quay.io/repository/libpod/prior-fedora_podman
 * https://quay.io/repository/libpod/debian_podman
 The meaning of *prior* and *current*, is defined by the contents of
-the `*_release` files within the `podman` subdirectory.  This is
+the `*_RELEASE` values in the `Makefile`.  The images will be tagged
-necessary to support the Makefile target being used manually
+with the value within the `IMG_SFX` file.  Additionally, the most
-(e.g. debugging).  These files must be updated manually when introducing
+recently merged PR on this repo will tag its images `latest`.
 a new VM image version.
 ### Tooling
@ -292,8 +290,7 @@ the following are built:
 In all cases, when automation runs on a branch (i.e. after a PR is merged)
 the actual image tagged `latest` will be pushed.  When running in a PR,
-only validation and test images are produced.  This behavior is controled
+only validation and test images are produced.
 by a combination of the `$PUSH_LATEST` and `$CIRRUS_PR` variables.
 ## The Base Images (overview step 3)
@ -377,10 +374,11 @@ infinite-growth of the VM image count.
 # Debugging / Locally driving VM Image production
-Because the entire automated build process is containerized, it may easily be
+Much of the CI and image-build process is containerized, so it may be debugged
-performed locally on your laptop/workstation.  However, this process will
+locally on your laptop/workstation.  However, this process will
 still involve interfacing with GCE and AWS.  Therefore, you must be in possession
-of a *Google Application Credentials* (GAC) JSON and AWS credentials INI file.
+of a *Google Application Credentials* (GAC) JSON and
 [AWS credentials INI file](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html#file-format-creds).
 The GAC JSON file should represent a service account (contrasted to a user account,
 which always uses OAuth2).  The name of the service account doesn't matter,
@ -401,44 +399,52 @@ one the following (custom) IAM policies enabled:
 Somebody familiar with Google and AWS IAM will need to provide you with the
 credential files and ensure correct account configuration.  Having these files
 stored *in your home directory* on your laptop/workstation, the process of
-producing images proceeds as follows:
+building and entering the debug containers is as follows:
 1. Ensure you have podman installed, and lots of available network and CPU
   resources (i.e. turn off YouTube, shut down background VMs and other hungry
-   tasks).  Build the image-builder container image, by executing
+   tasks).
 2. Build and enter either the `ci_debug` or the `image_builder_debug` container
   image, by executing:
   ```
-   make image_builder_debug GAC_FILEPATH=</home/path/to/gac.json> \
+   make <ci_debug|image_builder_debug> \
-                            AWS_SHARED_CREDENTIALS_FILE=</path/to/credentials>
+        GAC_FILEPATH=</home/path/to/gac.json> \
        AWS_SHARED_CREDENTIALS_FILE=</path/to/credentials>
   ```
-2. You will be dropped into a debugging container, inside a volume-mount of
+   * The `ci_debug` image is significantly smaller, and only intended for rudimentary
-   the repository root.  This container is practically identical to the VM
+     cases, for example running the scripts under the `ci` subdirectory.
-   produced and used in *overview step 1*.  If changes are made, the container
+   * The `image_builder_debug` image is larger, and has KVM virtualization enabled.
-   image should be re-built to reflect them.
+     It's needed for more extensive debugging of the packer-based image builds.
-3. If you wish to build only a subset of available images, list the names
+3. Both containers will place you in the default shell, inside a volume-mount of
-   you want as comma-separated values of the `PACKER_BUILDS` variable.  Be
+   the repository root.  This environment is practically identical to what is
-   sure you *export* this variable so that `make` has access to it.  For
+   used in Cirrus-CI.
   example, `export PACKER_BUILDS=debian,prior-fedora`.
-4. Still within the container, again ensure you have plenty of network and CPU
+4. For the `image_builder_debug` container, If you wish to build only a subset
   of available images, list the names you want as comma-separated values of the
   `PACKER_BUILDS` variable.  Be sure you *export* this variable so that `make`
   has access to it.  For example, `export PACKER_BUILDS=debian,prior-fedora`.
 5. Still within the container, again ensure you have plenty of network and CPU
   resources available.  Build the VM Base images by executing the command
   ``make base_images``. This is the equivalent operation as documented by
   *overview step 2*.  ***N/B*** The GCS -> GCE image conversion can take
   some time, be patient.  Packer may not produce any output for several minutes
   while the conversion is happening.
-5. When successful, the names of the produced images will all be referenced
+6. When successful, the names of the produced images will all be referenced
   in the `base_images/manifest.json` file.  If there are problems, fix them
   and remove the `manifest.json` file.  Then re-run the same *make* command
   as before, packer will force-overwrite any broken/partially created
   images automatically.
-6. Produce the VM Cache Images, equivalent to the operations outlined
+7. Produce the VM Cache Images, equivalent to the operations outlined
   in *overview step 3*.  Execute the following command (still within the
   debug image-builder container): ``make cache_images``.
-7. Again when successful, you will find the image names are written into
+8. Again when successful, you will find the image names are written into
   the `cache_images/manifest.json` file.  If there is a problem, remove
   this file, fix the problem, and re-run the `make` command.  No cleanup
   is necessary, leftover/disused images will be automatically cleaned up
--- a/base_images/cloud.yml
+++ b/base_images/cloud.yml
@ -26,8 +26,6 @@ variables:  # Empty value means it must be passed in on command-line
    PRIOR_FEDORA_IMAGE_URL: "{{env `PRIOR_FEDORA_IMAGE_URL`}}"
    PRIOR_FEDORA_CSUM_URL: "{{env `PRIOR_FEDORA_CSUM_URL`}}"
    FEDORA_IMPORT_IMG_SFX: "{{env `FEDORA_IMPORT_IMG_SFX`}}"
    DEBIAN_RELEASE: "{{env `DEBIAN_RELEASE`}}"
    DEBIAN_BASE_FAMILY: "{{env `DEBIAN_BASE_FAMILY`}}"
@ -63,6 +61,7 @@ builders:
      type: 'qemu'
      accelerator: "kvm"
      qemu_binary: '/usr/libexec/qemu-kvm'  # Unique to CentOS, not fedora :(
      memory: 12288
      iso_url: '{{user `FEDORA_IMAGE_URL`}}'
      disk_image: true
      format: "raw"
@ -75,12 +74,12 @@ builders:
      headless: true
      # qemu_binary: "/usr/libexec/qemu-kvm"
      qemuargs:  # List-of-list format required to override packer-generated args
-        - - "-m"
+        - - "-display"
-          - "1024"
+          - "none"
        - - "-device"
          - "virtio-rng-pci"
        - - "-chardev"
-          - "tty,id=pts,path={{user `TTYDEV`}}"
+          - "file,id=pts,path={{user `TTYDEV`}}"
        - - "-device"
          - "isa-serial,chardev=pts"
        - - "-netdev"
@ -108,20 +107,18 @@ builders:
    - &fedora-aws
      name: 'fedora-aws'
      type: 'amazon-ebs'
-      source_ami_filter:  # Will fail if >1 or no AMI found
+      source_ami_filter:
        # Many of these search filter values (like account ID and name) aren't publicized
        # anywhere.  They were found by examining AWS EC2 AMIs published/referenced from
        # the AWS sections on https://fedoraproject.org/cloud/download
        owners:
-            # Docs are wrong, specifying the Account ID required to make AMIs private.
+            - &fedora_accountid 125523088429
-            # The Account ID is hard-coded here out of expediency, since passing in
+        most_recent: true  # Required b/c >1 search result likely to be returned
            # more packer args from the command-line (in Makefile) is non-trivial.
            - &accountid '449134212816'
        # It's necessary to 'search' for the base-image by these criteria.  If
        # more than one image is found, Packer will fail the build (and display
        # the conflicting AMI IDs).
        filters: &ami_filters
            architecture: 'x86_64'
            image-type: 'machine'
-            is-public: 'false'
+            is-public: 'true'
-            name: '{{build_name}}-i{{user `FEDORA_IMPORT_IMG_SFX`}}'
+            name: 'Fedora-Cloud-Base*-{{user `FEDORA_RELEASE`}}-*'
            root-device-type: 'ebs'
            state: 'available'
            virtualization-type: 'hvm'
@ -145,7 +142,6 @@ builders:
          volume_type: 'gp2'
          delete_on_termination: true
      # These are critical and used by security-polciy to enforce instance launch limits.
      tags: &awstags
        <<: *imgcpylabels
        # EC2 expects "Name" to be capitalized
@ -159,7 +155,7 @@ builders:
      # This is necessary for security - The CI service accounts are not permitted
      # to use AMI's from any other account, including public ones.
      ami_users:
-        - *accountid
+        - &accountid '449134212816'
      ssh_username: 'fedora'
      ssh_clear_authorized_keys: true
      # N/B: Required Packer >= 1.8.0
@ -170,7 +166,8 @@ builders:
      name: 'fedora-aws-arm64'
      source_ami_filter:
        owners:
-            - *accountid
+            - *fedora_accountid
        most_recent: true  # Required b/c >1 search result likely to be returned
        filters:
            <<: *ami_filters
            architecture: 'arm64'
@ -187,23 +184,23 @@ provisioners:  # Debian images come bundled with GCE integrations provisioned
    - type: 'shell'
      inline:
        - 'set -e'
-        - 'mkdir -p /tmp/automation_images'
+        - 'mkdir -p /var/tmp/automation_images'
    - type: 'file'
      source: '{{ pwd }}/'
-      destination: '/tmp/automation_images/'
+      destination: '/var/tmp/automation_images/'
    - except: ['debian']
      type: 'shell'
      inline:
        - 'set -e'
-        - '/bin/bash /tmp/automation_images/base_images/fedora_base-setup.sh'
+        - '/bin/bash /var/tmp/automation_images/base_images/fedora_base-setup.sh'
    - only: ['debian']
      type: 'shell'
      inline:
        - 'set -e'
-        - '/bin/bash /tmp/automation_images/base_images/debian_base-setup.sh'
+        - 'env DEBIAN_FRONTEND=noninteractive DEBIAN_RELEASE={{user `DEBIAN_RELEASE`}} /bin/bash /var/tmp/automation_images/base_images/debian_base-setup.sh'
 post-processors:
    # Must be double-nested to guarantee execution order
--- a/base_images/debian_base-setup.sh
+++ b/base_images/debian_base-setup.sh
@ -16,8 +16,17 @@ REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
-# Switch to Debian Unstable (SID)
+# Cloud-networking in general can sometimes be flaky.
-cat << EOF | sudo tee /etc/apt/sources.list
+# Increase Apt's tolerance levels.
 cat << EOF | $SUDO tee -a /etc/apt/apt.conf.d/99timeouts
 // Added during CI VM image build
 Acquire::Retries "3";
 Acquire::http::timeout "300";
 Acquire::https::timeout "300";
 EOF
 echo "Switch sources to Debian Unstable (SID)"
 cat << EOF | $SUDO tee /etc/apt/sources.list
 deb http://deb.debian.org/debian/ unstable main
 deb-src http://deb.debian.org/debian/ unstable main
 EOF
@ -28,7 +37,6 @@ PKGS=( \
    curl
    cloud-init
    gawk
    git
    openssh-client
    openssh-server
    rng-tools5
@ -36,40 +44,46 @@ PKGS=( \
 )
 echo "Updating package source lists"
-$SUDO apt-get -qq -y update
+( set -x; $SUDO apt-get -q -y update; )
 # Only deps for automation tooling
 ( set -x; $SUDO apt-get -q -y install git )
 install_automation_tooling
 # Ensure automation library is loaded
 source "$REPO_DIRPATH/lib.sh"
 # Workaround 12->13 forward-incompatible change in grub scripts.
 # Without this, updating to the SID kernel may fail.
 echo "Upgrading grub-common"
 ( set -x; $SUDO apt-get -q -y upgrade grub-common; )
 echo "Upgrading to SID"
-$SUDO apt-get -qq -y full-upgrade
+( set -x; $SUDO apt-get -q -y full-upgrade; )
 echo "Installing basic, necessary packages."
-$SUDO apt-get -qq -y install "${PKGS[@]}"
+( set -x; $SUDO apt-get -q -y install "${PKGS[@]}"; )
 # compatibility / usefullness of all automated scripting (which is bash-centric)
-$SUDO DEBCONF_DB_OVERRIDE='File{'$SCRIPT_DIRPATH/no_dash.dat'}' \
+( set -x; $SUDO DEBCONF_DB_OVERRIDE='File{'$SCRIPT_DIRPATH/no_dash.dat'}' \
-    dpkg-reconfigure dash
+    dpkg-reconfigure dash; )
 # Ref: https://wiki.debian.org/DebianReleases
-# CI automation needs a *sortable* OS version/release number to select/perform/apply
+# CI automation needs an OS version/release number for a variety of uses.
-# runtime configuration and workarounds.  Since switching to Unstable/SID, a
+# However, After switching to Unstable/SID, the value from the usual source
-# numeric release version is not available. While an imperfect solution,
+# is not available. Simply use the value passed through packer by the Makefile.
-# base an artificial version off the 'base-files' package version, right-padded with
+req_env_vars DEBIAN_RELEASE
-# zeros to ensure sortability (i.e. "12.02" < "12.13").
+# shellcheck disable=SC2154
-base_files_version=$(dpkg -s base-files | awk '/Version:/{print $2}')
+warn "Setting '$DEBIAN_RELEASE' as the release number for CI-automation purposes."
-base_major=$(cut -d. -f 1 <<<"$base_files_version")
+( set -x; echo "VERSION_ID=\"$DEBIAN_RELEASE\"" | \
-base_minor=$(cut -d. -f 2 <<<"$base_files_version")
+    $SUDO tee -a /etc/os-release; )
 sortable_version=$(printf "%02d.%02d" $base_major $base_minor)
 echo "WARN: This is NOT an official version number.  It's for CI-automation purposes only."
 echo "VERSION_ID=\"$sortable_version\"" | \
    $SUDO tee -a /etc/os-release
 install_automation_tooling
 if ! ((CONTAINER)); then
    custom_cloud_init
-    $SUDO systemctl enable rngd
+    ( set -x; $SUDO systemctl enable rngd; )
    # Cloud-config fails to enable this for some reason or another
-    $SUDO sed -i -r \
+    ( set -x; $SUDO sed -i -r \
      -e 's/^PermitRootLogin no/PermitRootLogin prohibit-password/' \
-      /etc/ssh/sshd_config
+      /etc/ssh/sshd_config; )
 fi
 finalize
--- a/base_images/fedora_base-setup.sh
+++ b/base_images/fedora_base-setup.sh
@ -18,7 +18,6 @@ source "$REPO_DIRPATH/lib.sh"
 declare -a PKGS
 PKGS=(rng-tools git coreutils cloud-init)
 XARGS=--disablerepo=updates
 if ! ((CONTAINER)); then
    # Packer defines this automatically for us
    # shellcheck disable=SC2154
@ -30,20 +29,28 @@ if ! ((CONTAINER)); then
        if ((OS_RELEASE_VER<35)); then
            PKGS+=(google-compute-engine-tools)
        else
-            PKGS+=(google-compute-engine-guest-configs)
+            PKGS+=(google-compute-engine-guest-configs google-guest-agent)
        fi
    fi
 fi
-# Due to https://bugzilla.redhat.com/show_bug.cgi?id=1907030
+# The Fedora CI VM base images are built using nested-virt with
-# updates cannot be installed or even looked at during this stage.
+# limited resources available.  Further, cloud-networking in
-# Pawn the problem off to the cache-image stage where more memory
+# general can sometimes be flaky.  Increase DNF's tolerance
-# is available and debugging is also easier.  Try to save some more
+# levels.
-# memory by pre-populating repo metadata prior to any transactions.
+cat << EOF | $SUDO tee -a /etc/dnf/dnf.conf
-$SUDO dnf makecache $XARGS
+
-# Updates disable, see comment above
+# Added during CI VM image build
-# $SUDO dnf -y update $XARGS
+minrate=100
-$SUDO dnf -y install $XARGS "${PKGS[@]}"
+timeout=60
 EOF
 $SUDO dnf makecache
 $SUDO dnf -y update
 $SUDO dnf -y install "${PKGS[@]}"
 # Occasionally following an install, there are more updates available.
 # This may be due to activation of suggested/recommended dependency resolution.
 $SUDO dnf -y update
 if ! ((CONTAINER)); then
    $SUDO systemctl enable rngd
@ -83,7 +90,9 @@ if ! ((CONTAINER)); then
        # This is necessary to prevent permission-denied errors on service-start
        # and also on the off-chance the package gets updated and context reset.
        $SUDO semanage fcontext --add --type bin_t /usr/bin/cloud-init
-        $SUDO restorecon -v /usr/bin/cloud-init
+        # This used restorecon before so we don't have to specify the file_contexts.local
        # manually, however with f42 that stopped working: https://bugzilla.redhat.com/show_bug.cgi?id=2360183
        $SUDO setfiles -v /etc/selinux/targeted/contexts/files/file_contexts.local /usr/bin/cloud-init
    else  # GCP Image
        echo "Setting GCP startup service (for Cirrus-CI agent) SELinux unconfined"
        # ref: https://cloud.google.com/compute/docs/startupscript
@ -95,10 +104,4 @@ if ! ((CONTAINER)); then
        /lib/$METADATA_SERVICE_PATH | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
 fi
 if [[ "$OS_RELEASE_ID" == "fedora" ]] && ((OS_RELEASE_VER>=33)); then
    # Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783509
    echo "Disabling automatic /tmp (tmpfs) mount"
    $SUDO systemctl mask tmp.mount
 fi
 finalize
--- a/build-push/.install.sh
+++ b/build-push/.install.sh
@ -1,26 +0,0 @@
 #!/bin/bash
 # This script is intended to be used from two places only:
 # 1) When building the build-push VM image, to install the scripts as-is
 #    in a PR in order for CI testing to operate on them.
 # 2) From the autoupdate.sh script, when $BUILDPUSHAUTOUPDATED is unset
 #    or '0'.  This clones the latest repository to install (possibly)
 #    updated scripts.
 #
 # WARNING: Use under any other circumstances will probably screw things up.
 if [[ -z "$BUILDPUSHAUTOUPDATED" ]];
 then
    echo "This script must only be run under Packer or autoupdate.sh"
    exit 1
 fi
 source /etc/automation_environment
 source "$AUTOMATION_LIB_PATH/common_lib.sh"
 #shellcheck disable=SC2154
 cd $(dirname "$SCRIPT_FILEPATH") || exit 1
 # Must be installed into $AUTOMATION_LIB_PATH/../bin which is on $PATH
 cp ./bin/* $AUTOMATION_LIB_PATH/../bin/
 cp ./lib/* $AUTOMATION_LIB_PATH/
 chmod +x $AUTOMATION_LIB_PATH/../bin/*
--- a/build-push/README.md
+++ b/build-push/README.md
@ -1,5 +0,0 @@
 # DO NOT USE
 This directory contains scripts/data used by the Cirrus-CI
 `test_build-push` task.  It is not intended to be used otherwise
 and may cause harm.
--- a/build-push/bin/main.sh
+++ b/build-push/bin/main.sh
@ -1,175 +0,0 @@
 #!/bin/bash
 # This script is not intended for humans.  It should be run by automation
 # at the branch-level in automation for the skopeo, buildah, and podman
 # repositories.  It's purpose is to produce a multi-arch container image
 # based on the contents of context subdirectory.  At runtime, $PWD is assumed
 # to be the root of the cloned git repository.
 #
 # The first argument to the script, should be the URL of the git repository
 # in question.  Though at this time, this is only used for labeling the
 # resulting image.
 #
 # The second argument to this script is the relative path to the build context
 # subdirectory.  The basename of this subdirectory may indicates the
 # image flavor (i.e. `upstream`, `testing`, or `stable`). Depending
 # on this value, the image may be pushed to multiple container registries
 # under slightly different rules (see the next option).
 #
 # If the basename of the context directory (second argument) does NOT reflect
 # the image flavor, this name may be passed in as a third argument.  Handling
 # of this argument may be repository-specific, so check the actual code below
 # to understand it's behavior.
 set -eo pipefail
 if [[ -r "/etc/automation_environment" ]]; then
    source /etc/automation_environment  # defines AUTOMATION_LIB_PATH
    #shellcheck disable=SC1090,SC2154
    source "$AUTOMATION_LIB_PATH/common_lib.sh"
    #shellcheck source=../lib/autoupdate.sh
    source "$AUTOMATION_LIB_PATH/autoupdate.sh"
 else
    echo "Expecting to find automation common library installed."
    exit 1
 fi
 # Careful: Changing the error message below could break auto-update test.
 if [[ "$#" -lt 2 ]]; then
    #shellcheck disable=SC2145
    die "Must be called with at least two arguments, got '$@'"
 fi
 if [[ -z $(type -P build-push.sh) ]]; then
    die "It does not appear that build-push.sh is installed properly"
 fi
 if ! [[ -d "$PWD/.git" ]]; then
    die "The current directory ($PWD) does not appear to be the root of a git repo."
 fi
 # Assume transitive debugging state for build-push.sh if set
 if [[ "$(automation_version | cut -d '.' -f 1)" -ge 4 ]]; then
    # Valid for version 4.0.0 and above only
    export A_DEBUG
 else
    export DEBUG
 fi
 # Arches to build by default - may be overridden for testing
 ARCHES="${ARCHES:-amd64,ppc64le,s390x,arm64}"
 # First arg (REPO_URL) is the clone URL for repository for informational purposes
 REPO_URL="$1"
 REPO_NAME=$(basename "${REPO_URL%.git}")
 # Second arg (CTX_SUB) is the context subdirectory relative to the clone path
 CTX_SUB="$2"
 # Historically, the basename of second arg set the image flavor(i.e. `upstream`,
 # `testing`, or `stable`).  For cases where this convention doesn't fit,
 # it's possible to pass the flavor-name as the third argument.  Both methods
 # will populate a "FLAVOR" build-arg value.
 if [[ "$#" -lt 3 ]]; then
    FLAVOR_NAME=$(basename "$CTX_SUB")
 elif [[ "$#" -ge 3 ]]; then
    FLAVOR_NAME="$3"  # An empty-value is valid
 else
    die "Expecting a non-empty third argument indicating the FLAVOR build-arg value."
 fi
 _REG="quay.io"
 if [[ "$REPO_NAME" =~ testing ]]; then
    _REG="example.com"
 fi
 REPO_FQIN="$_REG/$REPO_NAME/$FLAVOR_NAME"
 req_env_vars REPO_URL REPO_NAME CTX_SUB FLAVOR_NAME
 # Common library defines SCRIPT_FILENAME
 # shellcheck disable=SC2154
 dbg "$SCRIPT_FILENAME operating constants:
    REPO_URL=$REPO_URL
    REPO_NAME=$REPO_NAME
    CTX_SUB=$CTX_SUB
    FLAVOR_NAME=$FLAVOR_NAME
    REPO_FQIN=$REPO_FQIN
 "
 # Set non-zero to avoid actually executing build-push, simply print
 # the command-line that would have been executed
 DRYRUN=${DRYRUN:-0}
 _DRNOPUSH=""
 if ((DRYRUN)); then
    _DRNOPUSH="--nopush"
    warn "Operating in dry-run mode with $_DRNOPUSH"
 fi
 ### MAIN
 declare -a build_args
 if [[ -n "$FLAVOR_NAME" ]]; then
    build_args=(--build-arg "FLAVOR=$FLAVOR_NAME")
 fi
 head_sha=$(git rev-parse HEAD)
 dbg "HEAD is $head_sha"
 # Labels to add to all images
 # N/B: These won't show up in the manifest-list itself, only it's constituents.
 lblargs="\
    --label=org.opencontainers.image.source=$REPO_URL \
    --label=org.opencontainers.image.revision=$head_sha \
    --label=org.opencontainers.image.created=$(date -u --iso-8601=seconds)"
 dbg "lblargs=$lblargs"
 modcmdarg="tag_version.sh $FLAVOR_NAME"
 # For stable images, the version number of the command is needed for tagging.
 if [[ "$FLAVOR_NAME" == "stable" ]]; then
    # only native arch is needed to extract the version
    dbg "Building local-arch image to extract stable version number"
    podman build -t $REPO_FQIN "${build_args[@]}" ./$CTX_SUB
    case "$REPO_NAME" in
        skopeo) version_cmd="--version" ;;
        buildah) version_cmd="buildah --version" ;;
        podman) version_cmd="podman --version" ;;
        testing) version_cmd="cat FAKE_VERSION" ;;
        *) die "Unknown/unsupported repo '$REPO_NAME'" ;;
    esac
    pvcmd="podman run -i --rm $REPO_FQIN $version_cmd"
    dbg "Extracting version with command: $pvcmd"
    version_output=$($pvcmd)
    dbg "version output:
    $version_output
    "
    img_cmd_version=$(awk -r -e '/^.+ version /{print $3}' <<<"$version_output")
    dbg "parsed version: $img_cmd_version"
    test -n "$img_cmd_version"
    lblargs="$lblargs --label=org.opencontainers.image.version=$img_cmd_version"
    # Prevent temporary build colliding with multi-arch manifest list (built next)
    # but preserve image (by ID) for use as cache.
    dbg "Un-tagging $REPO_FQIN"
    podman untag $REPO_FQIN
    # tag-version.sh expects this arg. when FLAVOR_NAME=stable
    modcmdarg+=" $img_cmd_version"
    # Stable images get pushed to 'containers' namespace as latest & version-tagged
    build-push.sh \
        $_DRNOPUSH \
        --arches=$ARCHES \
        --modcmd="$modcmdarg" \
        $_REG/containers/$REPO_NAME \
        ./$CTX_SUB \
        $lblargs \
        "${build_args[@]}"
 fi
 # All images are pushed to quay.io/<reponame>, both
 # latest and version-tagged (if available).
 build-push.sh \
    $_DRNOPUSH \
    --arches=$ARCHES \
    --modcmd="$modcmdarg" \
    $REPO_FQIN \
    ./$CTX_SUB \
    $lblargs \
    "${build_args[@]}"
--- a/build-push/bin/tag_version.sh
+++ b/build-push/bin/tag_version.sh
@ -1,69 +0,0 @@
 #!/bin/bash
 # This script is not intended for humans.  It should only be referenced
 # as an argument to the build-push.sh `--modcmd` option.  It's purpose
 # is to ensure stable images are re-tagged with a verison-number
 # cooresponding to the included tool's version.
 set -eo pipefail
 if [[ -r "/etc/automation_environment" ]]; then
    source /etc/automation_environment  # defines AUTOMATION_LIB_PATH
    #shellcheck disable=SC1090,SC2154
    source "$AUTOMATION_LIB_PATH/common_lib.sh"
 else
    echo "Unexpected operating environment"
    exit 1
 fi
 # Vars defined by build-push.sh spec. for mod scripts
 req_env_vars SCRIPT_FILENAME SCRIPT_FILEPATH RUNTIME PLATFORMOS FQIN CONTEXT \
             PUSH ARCHES REGSERVER NAMESPACE IMGNAME MODCMD
 if [[ "$#" -ge 1 ]]; then
    FLAVOR_NAME="$1"  # upstream, testing, or stable
 fi
 if [[ "$#" -ge 2 ]]; then
    # Enforce all version-tags start with a 'v'
    VERSION="v${2#v}"  # output of $version_cmd
 fi
 if [[ -z "$FLAVOR_NAME" ]]; then
    # Defined by common_lib.sh
    # shellcheck disable=SC2154
    warn "$SCRIPT_FILENAME passed empty flavor-name argument (optional)."
 elif [[ -z "$VERSION" ]]; then
    warn "$SCRIPT_FILENAME received empty version argument (req. for FLAVOR_NAME=stable)."
 fi
 # shellcheck disable=SC2154
 dbg "Mod-command operating on $FQIN in '$FLAVOR_NAME' flavor"
 if [[ "$FLAVOR_NAME" == "stable" ]]; then
    # Stable images must all be tagged with a version number.
    # Confirm this value is passed in by caller.
    req_env_vars VERSION
    VERSION=v${VERSION#v}
    if egrep -q '^v[0-9]+\.[0-9]+\.[0-9]+'<<<"$VERSION"; then
        msg "Found image command version '$VERSION'"
    else
        die "Encountered unexpected/non-conforming version '$VERSION'"
    fi
    # shellcheck disable=SC2154
    $RUNTIME tag $FQIN:latest $FQIN:$VERSION
    msg "Successfully tagged $FQIN:$VERSION"
    # Tag as x.y to provide a consistent tag even for a future z+1
    xy_ver=$(awk -F '.' '{print $1"."$2}'<<<"$VERSION")
    $RUNTIME tag $FQIN:latest $FQIN:$xy_ver
    msg "Successfully tagged $FQIN:$xy_ver"
    # Tag as x to provide consistent tag even for a future y+1
    x_ver=$(awk -F '.' '{print $1}'<<<"$xy_ver")
    $RUNTIME tag $FQIN:latest $FQIN:$x_ver
    msg "Successfully tagged $FQIN:$x_ver"
 else
    warn "$SCRIPT_FILENAME not version-tagging for '$FLAVOR_NAME' stage of '$FQIN'"
 fi
--- a/build-push/lib/autoupdate.sh
+++ b/build-push/lib/autoupdate.sh
@ -1,36 +0,0 @@
 # This script is not intended for humans.  It should only be sourced by
 # main.sh.  If BUILDPUSHAUTOUPDATED!=0 this it will be a no-op.  Otherwise,
 # it will download the latest version of the build-push scripts and re-exec
 # main.sh.  This allows the scripts to be updated without requiring new VM
 # images to be composed and deployed.
 #
 # WARNING: Changes to this script _do_ require new VM images as auto-updating
 # the auto-update script would be complex and hard to test.
 # Must be exported - .install.sh checks this is set.
 export BUILDPUSHAUTOUPDATED="${BUILDPUSHAUTOUPDATED:-0}"
 if ! ((BUILDPUSHAUTOUPDATED)); then
    msg "Auto-updating build-push operational scripts..."
    #shellcheck disable=SC2154
    GITTMP=$(mktemp -p '' -d "$MKTEMP_FORMAT")
    trap "rm -rf $GITTMP" EXIT
    msg "Obtaining latest version..."
    git clone --quiet --depth=1 \
        https://github.com/containers/automation_images.git \
        "$GITTMP"
    msg "Installing..."
    cd $GITTMP/build-push || exit 1
    bash ./.install.sh
    # Important: Return to directory main.sh was started from
    cd - || exit 1
    rm -rf "$GITTMP"
    #shellcheck disable=SC2145
    msg "Re-executing main.sh $@..."
    export BUILDPUSHAUTOUPDATED=1
    exec main.sh "$@"  # guaranteed on $PATH
 fi
--- a/build-push/test.sh
+++ b/build-push/test.sh
@ -1,200 +0,0 @@
 # DO NOT USE - This script is intended to be called by the Cirrus-CI
 # `test_build-push` task.  It is not intended to be used otherwise
 # and may cause harm.  It's purpose is to confirm the 'main.sh' script
 # behaves in an expected way, given a local test repository as input.
 set -eo pipefail
 SCRIPT_DIRPATH=$(dirname $(realpath "${BASH_SOURCE[0]}"))
 source $SCRIPT_DIRPATH/../lib.sh
 req_env_vars CIRRUS_CI
 # No need to test if image wasn't built
 if TARGET_NAME=build-push skip_on_pr_label; then exit 0; fi
 # Architectures to test with (golang standard names)
 TESTARCHES="amd64 arm64"
 # main.sh is sensitive to this value
 ARCHES=$(tr " " ","<<<"$TESTARCHES")
 export ARCHES
 # Contrived "version" for testing purposes
 FAKE_VER_X=$RANDOM
 FAKE_VER_Y=$RANDOM
 FAKE_VER_Z=$RANDOM
 FAKE_VERSION="$FAKE_VER_X.$FAKE_VER_Y.$FAKE_VER_Z"
 # Contrived source repository for testing
 SRC_TMP=$(mktemp -p '' -d tmp-build-push-test-XXXX)
 # Do not change, main.sh is sensitive to the 'testing' name
 TEST_FQIN=example.com/testing/stable
 # Stable build should result in manifest list tagged this
 TEST_FQIN2=example.com/containers/testing
 # Don't allow main.sh or tag_version.sh to auto-update at runtime
 export BUILDPUSHAUTOUPDATED=1
 trap "rm -rf $SRC_TMP" EXIT
 # main.sh expects $PWD to be a git repository.
 msg "
 ##### Constructing local test repository #####"
 cd $SRC_TMP
 showrun git init -b main testing
 cd testing
 git config --local user.name "Testy McTestface"
 git config --local user.email "test@example.com"
 git config --local advice.detachedHead "false"
 git config --local commit.gpgsign "false"
 # The following paths match the style of sub-dir in the actual
 # skopeo/buildah/podman repositories.  Only the 'stable' flavor
 # is tested here, since it involves the most complex workflow.
 mkdir -vp "contrib/testimage/stable"
 cd "contrib/testimage/stable"
 echo "build-push-test version v$FAKE_VERSION" | tee "FAKE_VERSION"
 cat <<EOF | tee "Containerfile"
 FROM registry.fedoraproject.org/fedora:latest
 ARG FLAVOR
 ADD /FAKE_VERSION /
 RUN echo "FLAVOUR=\$FLAVOR" > /FLAVOUR
 EOF
 # As an additional test, build and check images when pasing
 # the 'stable' flavor name as a command-line arg instead
 # of using the subdirectory dirname (old method).
 cd $SRC_TMP/testing/contrib/testimage
 cp stable/* ./
 cd $SRC_TMP/testing
 # The images will have the repo & commit ID set as labels
 git add --all
 git commit -m 'test repo initial commit'
 TEST_REVISION=$(git rev-parse HEAD)
 # Given the flavor-name as the first argument, verify built image
 # expectations.  For 'stable' image, verify that main.sh will properly
 # version-tagged both FQINs.  For other flavors, verify expected labels
 # on the `latest` tagged FQINs.
 verify_built_images() {
    local _fqin _arch xy_ver x_ver img_ver img_src img_rev _fltr
    local _test_tag expected_flavor _test_fqins
    expected_flavor="$1"
    msg "
 ##### Testing execution of '$expected_flavor' images for arches $TESTARCHES #####"
    podman --version
    req_env_vars TESTARCHES FAKE_VERSION TEST_FQIN TEST_FQIN2
    declare -a _test_fqins
    _test_fqins=("${TEST_FQIN%stable}$expected_flavor")
    if [[ "$expected_flavor" == "stable" ]]; then
        _test_fqins+=("$TEST_FQIN2")
        test_tag="v$FAKE_VERSION"
        xy_ver="v$FAKE_VER_X.$FAKE_VER_Y"
        x_ver="v$FAKE_VER_X"
    else
        test_tag="latest"
        xy_ver="latest"
        x_ver="latest"
    fi
    for _fqin in "${_test_fqins[@]}"; do
        for _arch in $TESTARCHES; do
            msg "Testing container can execute '/bin/true'"
            showrun podman run -i --arch=$_arch --rm "$_fqin:$test_tag" /bin/true
            msg "Testing container FLAVOR build-arg passed correctly"
            showrun podman run -i --arch=$_arch --rm "$_fqin:$test_tag" \
                cat /FLAVOUR | tee /dev/stderr | fgrep -xq "FLAVOUR=$expected_flavor"
            if [[ "$expected_flavor" == "stable" ]]; then
                msg "Testing tag '$xy_ver'"
                if ! showrun podman manifest exists $_fqin:$xy_ver; then
                    die "Failed to find manifest-list tagged '$xy_ver'"
                fi
                msg "Testing tag '$x_ver'"
                if ! showrun podman manifest exists $_fqin:$x_ver; then
                    die "Failed to find manifest-list tagged '$x_ver'"
                fi
            fi
        done
        if [[ "$expected_flavor" == "stable" ]]; then
            msg "Testing image $_fqin:$test_tag version label"
            _fltr='.[].Config.Labels."org.opencontainers.image.version"'
            img_ver=$(podman inspect $_fqin:$test_tag | jq -r -e "$_fltr")
            showrun test "$img_ver" == "v$FAKE_VERSION"
        fi
        msg "Testing image $_fqin:$test_tag source label"
        _fltr='.[].Config.Labels."org.opencontainers.image.source"'
        img_src=$(podman inspect $_fqin:$test_tag | jq -r -e "$_fltr")
        showrun test "$img_src" == "git://testing"
        msg "Testing image $_fqin:$test_tag source revision"
        _fltr='.[].Config.Labels."org.opencontainers.image.revision"'
        img_rev=$(podman inspect $_fqin:$test_tag | jq -r -e "$_fltr")
        showrun test "$img_rev" == "$TEST_REVISION"
    done
 }
 remove_built_images() {
    buildah --version
    for _fqin in $TEST_FQIN $TEST_FQIN2; do
        for tag in latest v$FAKE_VERSION v$FAKE_VER_X.$FAKE_VER_Y v$FAKE_VER_X; do
            # Don't care if this fails
            podman manifest rm $_fqin:$tag || true
        done
    done
 }
 msg "
 ##### Testing build-push subdir-flavor run of '$TEST_FQIN' & '$TEST_FQIN2' #####"
 cd $SRC_TMP/testing
 export DRYRUN=1  # Force main.sh not to push anything
 req_env_vars ARCHES DRYRUN
 # main.sh is sensitive to 'testing' value.
 # Also confirms main.sh is on $PATH
 env A_DEBUG=1 main.sh git://testing contrib/testimage/stable
 verify_built_images stable
 msg "
 ##### Testing build-push flavour-arg run for '$TEST_FQIN' & '$TEST_FQIN2' #####"
 remove_built_images
 env A_DEBUG=1 main.sh git://testing contrib/testimage foobarbaz
 verify_built_images foobarbaz
 # This script verifies it's only/ever running inside CI.  Use a fake
 # main.sh to verify it auto-updates itself w/o actually performing
 # a build.  N/B: This test must be run last, in a throw-away environment,
 # it _WILL_ modify on-disk contents!
 msg "
 ##### Testing auto-update capability #####"
 cd $SRC_TMP
 #shellcheck disable=SC2154
 cat >main.sh<< EOF
 #!/bin/bash
 source /etc/automation_environment  # defines AUTOMATION_LIB_PATH
 source "$AUTOMATION_LIB_PATH/common_lib.sh"
 source "$AUTOMATION_LIB_PATH/autoupdate.sh"
 EOF
 chmod +x main.sh
 # Back to where we were
 cd -
 # Expect the real main.sh to bark one of two error messages
 # and exit non-zero.
 EXP_RX1="Must.be.called.with.at.least.two.arguments"
 EXP_RX2="does.not.appear.to.be.the.root.of.a.git.repo"
 if output=$(env --ignore-environment \
            BUILDPUSHAUTOUPDATED=0 \
            AUTOMATION_LIB_PATH=$AUTOMATION_LIB_PATH \
            $SRC_TMP/main.sh 2>&1); then
    die "Fail.  Expected main.sh to exit non-zero"
 else
    if [[ "$output" =~ $EXP_RX1 ]] || [[ "$output" =~ $EXP_RX2 ]]; then
        echo "PASS"
    else
        die "Fail.  Expecting match to '$EXP_RX1' or '$EXP_RX2', got:
 $output"
    fi
 fi
--- a/cache_images/build-push_packaging.sh
+++ b/cache_images/build-push_packaging.sh
@ -27,8 +27,10 @@ INSTALL_PACKAGES=(\
    git
    jq
    podman
    python3-pip
    qemu-user-static
    skopeo
    unzip
 )
 echo "Installing general build/test dependencies"
@ -37,11 +39,7 @@ bigto $SUDO dnf install -y "${INSTALL_PACKAGES[@]}"
 # It was observed in F33, dnf install doesn't always get you the latest/greatest
 lilto $SUDO dnf update -y
-# Re-install with the 'build-push' component
+# Re-install would append to this, making a mess.
-install_automation_tooling build-push
+$SUDO rm -f /etc/automation_environment
-
+# Re-install the latest version with the 'build-push' component
-# Install main scripts into directory on $PATH
+install_automation_tooling latest build-push
 cd $REPO_DIRPATH/build-push
 set -x
 # Do not auto-update to allow testing inside a PR
 $SUDO env BUILDPUSHAUTOUPDATED=1 bash ./.install.sh
--- a/cache_images/cloud.yml
+++ b/cache_images/cloud.yml
@ -19,6 +19,7 @@ variables:  # Empty value means it must be passed in on command-line
    # See Makefile for definitions
    FEDORA_RELEASE: "{{env `FEDORA_RELEASE`}}"
    PRIOR_FEDORA_RELEASE: "{{env `PRIOR_FEDORA_RELEASE`}}"
    RAWHIDE_RELEASE: "{{env `RAWHIDE_RELEASE`}}"
    DEBIAN_RELEASE: "{{env `DEBIAN_RELEASE`}}"
 builders:
@ -48,6 +49,15 @@ builders:
      # Permit running nested VM's to support specialized testing
      image_licenses: ["projects/vm-options/global/licenses/enable-vmx"]
    - <<: *gce_hosted_image
      name: 'rawhide'
      # The latest fedora base image will be "upgraded" to rawhide
      source_image: 'fedora-b{{user `IMG_SFX`}}'
      labels:
        <<: *gce_labels
        src: 'fedora-b{{user `IMG_SFX` }}'
        release: 'rawhide-{{user `RAWHIDE_RELEASE`}}'
    - <<: *gce_hosted_image
      name: 'fedora'
      labels: &fedora_gce_labels
@ -65,9 +75,6 @@ builders:
      source_image_family: 'fedora-base'
      labels: *fedora_gce_labels
    - <<: *aux_fed_img
      name: 'fedora-podman-py'
    - <<: *aux_fed_img
      name: 'fedora-netavark'
@ -173,23 +180,30 @@ provisioners:
    - type: 'shell'
      inline:
        - 'set -e'
-        - 'mkdir -p /tmp/automation_images'
+        - 'mkdir -p /var/tmp/automation_images'
    - type: 'file'
      source: '{{ pwd }}/'
-      destination: "/tmp/automation_images"
+      destination: "/var/tmp/automation_images"
    - only: ['rawhide']
      type: 'shell'
      expect_disconnect: true  # VM will be rebooted at end of script
      inline:
        - 'set -e'
        - '/bin/bash /var/tmp/automation_images/cache_images/rawhide_setup.sh'
    - except: ['debian']
      type: 'shell'
      inline:
        - 'set -e'
-        - '/bin/bash /tmp/automation_images/cache_images/fedora_setup.sh'
+        - '/bin/bash /var/tmp/automation_images/cache_images/fedora_setup.sh'
    - only: ['debian']
      type: 'shell'
      inline:
        - 'set -e'
-        - '/bin/bash /tmp/automation_images/cache_images/debian_setup.sh'
+        - 'env DEBIAN_FRONTEND=noninteractive /bin/bash /var/tmp/automation_images/cache_images/debian_setup.sh'
 post-processors:
    # This is critical for human-interaction.  Copntents will be used
--- a/cache_images/debian_packaging.sh
+++ b/cache_images/debian_packaging.sh
@ -14,12 +14,9 @@ REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
-echo "Updating/Installing repos and packages for $OS_REL_VER"
+msg "Updating/Installing repos and packages for $OS_REL_VER"
-
+lilto ooe.sh $SUDO apt-get -q -y update
-lilto ooe.sh $SUDO apt-get -qq -y update
+bigto ooe.sh $SUDO apt-get -q -y upgrade
 bigto ooe.sh $SUDO apt-get -qq -y upgrade
 echo "Configuring additional package repositories"
 INSTALL_PACKAGES=(\
    apache2-utils
@ -42,12 +39,12 @@ INSTALL_PACKAGES=(\
    crun
    dnsmasq
    e2fslibs-dev
    emacs-nox
    file
    fuse3
    fuse-overlayfs
    gcc
    gettext
-    git-daemon-run
+    git
    gnupg2
    go-md2man
    golang
@ -62,7 +59,6 @@ INSTALL_PACKAGES=(\
    libdevmapper-dev
    libdevmapper1.02.1
    libfuse-dev
    libfuse2
    libfuse3-dev
    libglib2.0-dev
    libgpgme11-dev
@ -70,6 +66,7 @@ INSTALL_PACKAGES=(\
    libnet1
    libnet1-dev
    libnl-3-dev
    libostree-dev
    libprotobuf-c-dev
    libprotobuf-dev
    libseccomp-dev
@ -84,8 +81,8 @@ INSTALL_PACKAGES=(\
    ncat
    openssl
    parallel
    pkg-config
    passt
    pkg-config
    podman
    protobuf-c-compiler
    protobuf-compiler
@ -96,7 +93,8 @@ INSTALL_PACKAGES=(\
    python3-pip
    python3-protobuf
    python3-psutil
-    python3-pytoml
+    python3-toml
    python3-tomli
    python3-requests
    python3-setuptools
    rsync
@ -105,22 +103,31 @@ INSTALL_PACKAGES=(\
    skopeo
    slirp4netns
    socat
    libsqlite3-0
    libsqlite3-dev
    systemd-container
    sudo
    time
    unzip
    vim
    wget
    xfsprogs
    xz-utils
    zip
    zlib1g-dev
    zstd
 )
-# Necessary to update cache of newly added repos
+# bpftrace is only needed on the host as containers cannot run ebpf
-lilto $SUDO apt-get -q -y update
+# programs anyway and it is very big so we should not bloat the container
 # images unnecessarily.
 if ! ((CONTAINER)); then
    INSTALL_PACKAGES+=( \
        bpftrace
    )
 fi
-echo "Installing general build/testing dependencies"
+msg "Installing general build/testing dependencies"
 bigto $SUDO apt-get -q -y install "${INSTALL_PACKAGES[@]}"
 # The nc installed by default is missing many required options
@ -145,10 +152,9 @@ curl --fail --silent --location \
    $SUDO tee /etc/apt/trusted.gpg.d/docker_com.gpg &> /dev/null
 # Buildah CI does conformance testing vs the most recent Docker version.
-# However, there is no Docker release for SID, so just use latest stable
+# FIXME: As of 7-2023, there is no 'trixie' dist for docker. Fix the next lines once that changes.
-# release for Docker, whatever debian release that cooresponds to.
+#docker_debian_release=$(source /etc/os-release; echo "$VERSION_CODENAME")
-# Ref: https://wiki.debian.org/DebianReleases
+docker_debian_release="bookworm"
 docker_debian_release=bullseye
 echo "deb https://download.docker.com/linux/debian $docker_debian_release stable" | \
    ooe.sh $SUDO tee /etc/apt/sources.list.d/docker.list &> /dev/null
--- a/cache_images/debian_setup.sh
+++ b/cache_images/debian_setup.sh
@ -17,14 +17,44 @@ fi
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
 # Generate en_US.UTF-8 locale as this is required for a podman test (https://github.com/containers/podman/pull/19635).
 $SUDO sed -i '/en_US.UTF-8/s/^#//g' /etc/locale.gen
 $SUDO locale-gen
 # Debian doesn't mount tmpfs on /tmp as default but we want this to speed tests up so
 # they don't have to write to persistent disk.
 # https://github.com/containers/podman/pull/22533
 $SUDO mkdir -p /etc/systemd/system/local-fs.target.wants/
 cat <<EOF | $SUDO tee /etc/systemd/system/tmp.mount
 [Unit]
 Description=Temporary Directory /tmp
 ConditionPathIsSymbolicLink=!/tmp
 DefaultDependencies=no
 Conflicts=umount.target
 Before=local-fs.target umount.target
 After=swap.target
 [Mount]
 What=tmpfs
 Where=/tmp
 Type=tmpfs
 Options=size=75%%,mode=1777
 EOF
 # enable the unit by default
 $SUDO ln -s ../tmp.mount /etc/systemd/system/local-fs.target.wants/tmp.mount
 req_env_vars PACKER_BUILD_NAME
 bash $SCRIPT_DIRPATH/debian_packaging.sh
 # dnsmasq is set to bind 0.0.0.0:53, that will conflict with our dns tests.
 # We don't need a local resolver.
 $SUDO systemctl disable dnsmasq.service
 $SUDO systemctl mask dnsmasq.service
 if ! ((CONTAINER)); then
    warn "Making Debian kernel enable cgroup swap accounting"
-    warn "Forcing CgroupsV1"
+    SEDCMD='s/^GRUB_CMDLINE_LINUX="(.*)"/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1"/'
    SEDCMD='s/^GRUB_CMDLINE_LINUX="(.*)"/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1 systemd.unified_cgroup_hierarchy=0"/'
    ooe.sh $SUDO sed -re "$SEDCMD" -i /etc/default/grub.d/*
    ooe.sh $SUDO sed -re "$SEDCMD" -i /etc/default/grub
    ooe.sh $SUDO update-grub
@ -32,6 +62,10 @@ fi
 nm_ignore_cni
 if ! ((CONTAINER)); then
    initialize_local_cache_registry
 fi
 finalize
 echo "SUCCESS!"
--- a/cache_images/fedora-netavark_packaging.sh
+++ b/cache_images/fedora-netavark_packaging.sh
@ -88,8 +88,9 @@ if [[ $(uname -m) == "aarch64" ]]; then
    $SUDO env PATH=$PATH CARGO_HOME=$CARGO_HOME rustup target add aarch64-unknown-linux-gnu
 fi
-msg "Install mandown to generate man pages"
+msg "Install tool to generate man pages"
-$SUDO env PATH=$PATH CARGO_HOME=$CARGO_HOME cargo install mandown
+$SUDO go install github.com/cpuguy83/go-md2man/v2@latest
 $SUDO install /root/go/bin/go-md2man /usr/local/bin/
 # Downstream users of this image are specifically testing netavark & aardvark-dns
 # code changes.  We want to start with using the RPMs because they deal with any
--- a/cache_images/fedora-podman-py_packaging.sh
+++ b/cache_images/fedora-podman-py_packaging.sh
@ -1,98 +0,0 @@
 #!/bin/bash
 # This script is called from fedora_setup.sh and various Dockerfiles.
 # It's not intended to be used outside of those contexts.  It assumes the lib.sh
 # library has already been sourced, and that all "ground-up" package-related activity
 # needs to be done, including repository setup and initial update.
 set -e
 SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
 SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
 REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
 # shellcheck disable=SC2154
 warn "Enabling updates-testing repository for $PACKER_BUILD_NAME"
 lilto ooe.sh $SUDO dnf install -y 'dnf-command(config-manager)'
 lilto ooe.sh $SUDO dnf config-manager --set-enabled updates-testing
 msg "Updating/Installing repos and packages for $OS_REL_VER"
 bigto ooe.sh $SUDO dnf update -y
 INSTALL_PACKAGES=(\
    bash-completion
    bridge-utils
    buildah
    bzip2
    curl
    findutils
    fuse3
    gcc
    git
    git-daemon
    glib2-devel
    glibc-devel
    hostname
    httpd-tools
    iproute
    iptables
    jq
    libtool
    lsof
    make
    nmap-ncat
    openssl
    openssl-devel
    pkgconfig
    podman
    policycoreutils
    protobuf
    protobuf-devel
    python-pip-wheel
    python-setuptools-wheel
    python-toml
    python-wheel-wheel
    python3-PyYAML
    python3-coverage
    python3-dateutil
    python3-docker
    python3-fixtures
    python3-libselinux
    python3-libsemanage
    python3-libvirt
    python3-pip
    python3-psutil
    python3-pylint
    python3-pytest
    python3-pyxdg
    python3-requests
    python3-requests-mock
    python3-virtualenv
    python3.6
    python3.8
    python3.9
    redhat-rpm-config
    rsync
    sed
    skopeo
    socat
    tar
    time
    tox
    unzip
    vim
    wget
    xz
    zip
    zstd
 )
 echo "Installing general build/test dependencies"
 bigto $SUDO dnf install -y "${INSTALL_PACKAGES[@]}"
 # It was observed in F33, dnf install doesn't always get you the latest/greatest
 lilto $SUDO dnf update -y
--- a/cache_images/fedora_packaging.sh
+++ b/cache_images/fedora_packaging.sh
@ -18,21 +18,17 @@ source "$REPO_DIRPATH/lib.sh"
 # for both VM and container image build workflows.
 req_env_vars PACKER_BUILD_NAME
-# Do not enable updates-testing on the 'prior' Fedora release images
+# Only enable updates-testing on all 'latest' Fedora images (except rawhide)
 # as a matter of general policy.  Historically there have been many
 # problems with non-uniform behavior when both supported Fedora releases
 # receive container-related dependency updates at the same time.  Since
 # the 'prior' release has the shortest support lifetime, keep it's behavior
 # stable by only using released updates.
 # shellcheck disable=SC2154
-if [[ ! "$PACKER_BUILD_NAME" =~ prior ]]; then
+if [[ "$PACKER_BUILD_NAME" == "fedora" ]] && [[ ! "$PACKER_BUILD_NAME" =~ "prior" ]]; then
    warn "Enabling updates-testing repository for $PACKER_BUILD_NAME"
    lilto ooe.sh $SUDO dnf install -y 'dnf-command(config-manager)'
-    lilto ooe.sh $SUDO dnf config-manager --set-enabled updates-testing
+    lilto ooe.sh $SUDO dnf config-manager setopt updates-testing.enabled=1
    # Could be on prior-fedora also, but copr isn't installed by default
    warn "Enabling sbrivio/passt repo. for passt packages"
    $SUDO dnf copr enable -y sbrivio/passt
 else
    warn "NOT enabling updates-testing repository for $PACKER_BUILD_NAME"
 fi
@ -60,7 +56,7 @@ INSTALL_PACKAGES=(\
    curl
    device-mapper-devel
    dnsmasq
-    docker-compose
+    docker-distribution
    e2fsprogs-devel
    emacs-nox
    fakeroot
@ -69,10 +65,12 @@ INSTALL_PACKAGES=(\
    fuse3
    fuse3-devel
    gcc
    gh
    git
    git-daemon
    glib2-devel
    glibc-devel
    glibc-langpack-en
    glibc-static
    gnupg
    go-md2man
@ -85,6 +83,7 @@ INSTALL_PACKAGES=(\
    iproute
    iptables
    jq
    koji
    krb5-workstation
    libassuan
    libassuan-devel
@ -104,7 +103,7 @@ INSTALL_PACKAGES=(\
    libxslt-devel
    lsof
    make
-    mlocate
+    man-db
    msitools
    nfs-utils
    nmap-ncat
@ -114,42 +113,31 @@ INSTALL_PACKAGES=(\
    pandoc
    parallel
    passt
    perl-Clone
    perl-FindBin
    pigz
    pkgconfig
    podman
    podman-remote
    pre-commit
    procps-ng
    protobuf
    protobuf-c
    protobuf-c-devel
    protobuf-devel
-    python-pip-wheel
+    python3-fedora-distro-aliases
-    python-setuptools-wheel
+    python3-koji-cli-plugins
    python-toml
    python-wheel-wheel
    python2
    python3-PyYAML
    python3-coverage
    python3-dateutil
    python3-devel
    python3-docker
    python3-fixtures
    python3-libselinux
    python3-libsemanage
    python3-libvirt
    python3-pip
    python3-psutil
    python3-pylint
    python3-pyxdg
    python3-requests
    python3-requests-mock
    redhat-rpm-config
    rpcbind
    rsync
    runc
    sed
    ShellCheck
    skopeo
    slirp4netns
    socat
    sqlite-libs
    sqlite-devel
    squashfs-tools
    tar
    time
@ -163,44 +151,77 @@ INSTALL_PACKAGES=(\
    zstd
 )
-# Test with CNI in Fedora N-1
+# Rawhide images don't need these packages
-EXARG=""
+if [[ "$PACKER_BUILD_NAME" =~ fedora ]]; then
-if [[ "$PACKER_BUILD_NAME" =~ prior ]]; then
+    INSTALL_PACKAGES+=( \
-    EXARG="--exclude=netavark --exclude=aardvark-dns"
+        python-pip-wheel
        python-setuptools-wheel
        python-toml
        python-wheel-wheel
        python3-PyYAML
        python3-coverage
        python3-dateutil
        python3-devel
        python3-docker
        python3-fixtures
        python3-libselinux
        python3-libsemanage
        python3-libvirt
        python3-pip
        python3-psutil
        python3-pylint
        python3-pyxdg
        python3-requests
        python3-requests-mock
    )
 else # podman-sequoia is only available in Rawhide
    timebomb 20251101 "Also install the package in future Fedora releases, and enable Sequoia support in users of the images."
    INSTALL_PACKAGES+=( \
        podman-sequoia
    )
 fi
 # Workarond: Around the time of this commit, the `criu` package
 # was found to be missing a recommends-dependency on criu-libs.
 # Until a fixed rpm lands in the Fedora repositories, manually
 # include it here.  This workaround should be removed once the
 # package is corrected (likely > 3.17.1-3).
 INSTALL_PACKAGES+=(criu-libs)
 # When installing during a container-build, having this present
 # will seriously screw up future dnf operations in very non-obvious ways.
 # bpftrace is only needed on the host as containers cannot run ebpf
 # programs anyway and it is very big so we should not bloat the container
 # images unnecessarily.
 if ! ((CONTAINER)); then
    INSTALL_PACKAGES+=( \
        bpftrace
        composefs
        container-selinux
        fuse-overlayfs
        libguestfs-tools
        selinux-policy-devel
        policycoreutils
    )
    # Extra packages needed by podman-machine-os
    INSTALL_PACKAGES+=( \
        podman-machine
        osbuild
        osbuild-tools
        osbuild-ostree
        xfsprogs
        e2fsprogs
    )
 fi
 # Download these package files, but don't install them; Any tests
 # wishing to, may install them using their native tools at runtime.
 DOWNLOAD_PACKAGES=(\
    oci-umount
    parallel
    podman-docker
-    podman-plugins
+    python3-devel
    python3-pip
    python3-pytest
    python3-virtualenv
 )
 msg "Installing general build/test dependencies"
-bigto $SUDO dnf install -y $EXARG "${INSTALL_PACKAGES[@]}"
+bigto $SUDO dnf install -y "${INSTALL_PACKAGES[@]}"
 msg "Downloading packages for optional installation at runtime, as needed."
 $SUDO mkdir -p "$PACKAGE_DOWNLOAD_DIR"
@ -214,6 +235,6 @@ $SUDO curl --fail --silent --location -O \
    https://storage.googleapis.com/minikube/releases/latest/minikube-latest.x86_64.rpm
 cd -
-
+# Occasionally following an install, there are more updates available.
-# It was observed in F33, dnf install doesn't always get you the latest/greatest
+# This may be due to activation of suggested/recommended dependency resolution.
 lilto $SUDO dnf update -y
--- a/cache_images/fedora_setup.sh
+++ b/cache_images/fedora_setup.sh
@ -17,6 +17,12 @@ fi
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
 # Make /tmp tmpfs bigger, by default we only get 50%. Bump it to 75% so the tests have more storage.
 # Do not use 100% so we do not run out of memory for the process itself if tests start leaking big
 # files on /tmp.
 $SUDO mkdir -p /etc/systemd/system/tmp.mount.d
 echo -e "[Mount]\nOptions=size=75%%,mode=1777\n" | $SUDO tee /etc/systemd/system/tmp.mount.d/override.conf
 # packer and/or a --build-arg define this envar value uniformly
 # for both VM and container image build workflows.
 req_env_vars PACKER_BUILD_NAME
@ -24,17 +30,10 @@ req_env_vars PACKER_BUILD_NAME
 # shellcheck disable=SC2154
 if [[ "$PACKER_BUILD_NAME" =~ "netavark" ]]; then
    bash $SCRIPT_DIRPATH/fedora-netavark_packaging.sh
 elif [[ "$PACKER_BUILD_NAME" =~ "podman-py" ]]; then
    bash $SCRIPT_DIRPATH/fedora-podman-py_packaging.sh
 elif [[ "$PACKER_BUILD_NAME" =~ "build-push" ]]; then
    bash $SCRIPT_DIRPATH/build-push_packaging.sh
    # Registers qemu emulation for non-native execution
    $SUDO systemctl enable systemd-binfmt
    for arch in amd64 s390x ppc64le arm64; do
        msg "Caching latest $arch fedora image..."
        $SUDO podman pull --quiet --arch=$arch \
            registry.fedoraproject.org/fedora:$OS_RELEASE_VER
    done
 else
    bash $SCRIPT_DIRPATH/fedora_packaging.sh
 fi
@ -48,6 +47,8 @@ if ! ((CONTAINER)); then
    else
        msg "Enabling cgroup management from containers"
        ooe.sh $SUDO setsebool -P container_manage_cgroup true
        initialize_local_cache_registry
    fi
 fi
--- a/cache_images/local-cache-registry
+++ b/cache_images/local-cache-registry
@ -0,0 +1,345 @@
 #! /bin/bash
 #
 # local-cache-registry - set up and manage a local registry with cached images
 #
 # Used in containers CI, to reduce exposure to registry flakes.
 #
 # We start with the docker registry image. Pull it, extract the registry
 # binary and config, tweak the config, and create a systemd unit file that
 # will start the registry at boot.
 #
 # We also populate that registry with a (hardcoded) list of container
 # images used in CI tests. That way a CI VM comes up alreay ready,
 # and CI tests do not need to do remote pulls. The image list is
 # hardcoded right here in this script file, in the automation_images
 # repo. See below for reasons.
 #
 ME=$(basename $0)
 ###############################################################################
 # BEGIN defaults
 # FQIN of registry image. From this image, we extract the registry to run.
 PODMAN_REGISTRY_IMAGE=quay.io/libpod/registry:2.8.2
 # Fixed path to registry setup. This is the directory used by the registry.
 PODMAN_REGISTRY_WORKDIR=/var/cache/local-registry
 # Fixed port on which registry listens. This is hardcoded and must be
 # shared knowledge among all CI repos that use this registry.
 REGISTRY_PORT=60333
 # Podman binary to run
 PODMAN=${PODMAN:-/usr/bin/podman}
 # Temporary directories for podman, so we don't clobber any system files.
 # Wipe them upon script exit.
 PODMAN_TMPROOT=$(mktemp -d --tmpdir $ME.XXXXXXX)
 trap 'status=$?; rm -rf $PODMAN_TMPROOT && exit $status' 0
 # Images to cache. Default prefix is "quay.io/libpod/"
 #
 # It seems evil to hardcode this list as part of the script itself
 # instead of a separate file or resource but there's a good reason:
 # keeping code and data together in one place makes it possible for
 # a podman (and some day other repo?) developer to run a single
 # command, contrib/cirrus/get-local-registry-script, which will
 # fetch this script and allow the dev to run it to start a local
 # registry on their system.
 #
 # As of 2024-07-02 this list includes podman and buildah images
 #
 # FIXME: periodically run this to look for no-longer-needed images:
 #
 #     for i in $(sed -ne '/IMAGELIST=/,/^[^ ]/p' <cache_images/local-cache-registry | sed -ne 's/^  *//p');do grep -q -R $i ../podman/test ../buildah/tests || echo "unused $i";done
 #
 declare -a IMAGELIST=(
    alpine:3.10.2
    alpine:latest
    alpine_healthcheck:latest
    alpine_nginx:latest
    alpine@sha256:634a8f35b5f16dcf4aaa0822adc0b1964bb786fca12f6831de8ddc45e5986a00
    alpine@sha256:f270dcd11e64b85919c3bab66886e59d677cf657528ac0e4805d3c71e458e525
    alpine@sha256:fa93b01658e3a5a1686dc3ae55f170d8de487006fb53a28efcd12ab0710a2e5f
    autoupdatebroken:latest
    badhealthcheck:latest
    busybox:1.30.1
    busybox:glibc
    busybox:latest
    busybox:musl
    cirros:latest
    fedora/python-311:latest
    healthcheck:config-only
    k8s-pause:3.5
    podman_python:latest
    redis:alpine
    registry:2.8.2
    registry:volume_omitted
    systemd-image:20240124
    testartifact:20250206-single
    testartifact:20250206-multi
    testartifact:20250206-multi-no-title
    testartifact:20250206-evil
    testdigest_v2s2
    testdigest_v2s2:20200210
    testimage:00000000
    testimage:00000004
    testimage:20221018
    testimage:20241011
    testimage:multiimage
    testimage@sha256:1385ce282f3a959d0d6baf45636efe686c1e14c3e7240eb31907436f7bc531fa
    testdigest_v2s2:20200210
    testdigest_v2s2@sha256:755f4d90b3716e2bf57060d249e2cd61c9ac089b1233465c5c2cb2d7ee550fdb
    volume-plugin-test-img:20220623
    podman/stable:v4.3.1
    podman/stable:v4.8.0
    skopeo/stable:latest
    ubuntu:latest
 )
 # END   defaults
 ###############################################################################
 # BEGIN help messages
 missing=" argument is missing; see $ME -h for details"
 usage="Usage: $ME [options] [initialize | cache IMAGE...]
 $ME manages a local instance of a container registry.
 When called to initialize a registry, $ME will pull
 this image into a local temporary directory:
   $PODMAN_REGISTRY_IMAGE
 ...then extract the registry binary and config, tweak the config,
 start the registry, and populate it with a list of images needed by tests:
    \$ $ME initialize
 To fetch individual images into the cache:
    \$ $ME cache libpod/testimage:21120101
 Override the default image and/or port with:
  -i IMAGE      registry image to pull (default: $PODMAN_REGISTRY_IMAGE)
  -P PORT       port to bind to (on 127.0.0.1) (default: $REGISTRY_PORT)
 Other options:
  -h            display usage message
 "
 die () {
    echo "$ME: $*" >&2
    exit 1
 }
 # END   help messages
 ###############################################################################
 # BEGIN option processing
 while getopts "i:P:hv" opt; do
    case "$opt" in
        i)         PODMAN_REGISTRY_IMAGE=$OPTARG ;;
        P)         REGISTRY_PORT=$OPTARG  ;;
        h)         echo "$usage"; exit 0;;
        v)         verbose=1 ;;
        \?)        echo "Run '$ME -h' for help" >&2; exit 1;;
    esac
 done
 shift $((OPTIND-1))
 # END   option processing
 ###############################################################################
 # BEGIN helper functions
 function podman() {
    ${PODMAN} --root    ${PODMAN_TMPROOT}/root        \
              --runroot ${PODMAN_TMPROOT}/runroot     \
              --tmpdir  ${PODMAN_TMPROOT}/tmp         \
              "$@"
 }
 ###############
 #  must_pass  #  Run a command quietly; abort with error on failure
 ###############
 function must_pass() {
    local log=${PODMAN_TMPROOT}/log
    "$@" &> $log
    if [ $? -ne 0 ]; then
        echo "$ME: Command failed: $*" >&2
        cat $log                       >&2
        # If we ever get here, it's a given that the registry is not running.
        exit 1
    fi
 }
 ###################
 #  wait_for_port  #  Returns once port is available on localhost
 ###################
 function wait_for_port() {
    local port=$1                      # Numeric port
    local host=127.0.0.1
    local _timeout=5
    # Wait
    while [ $_timeout -gt 0 ]; do
        { exec {unused_fd}<> /dev/tcp/$host/$port; } &>/dev/null && return
        sleep 1
        _timeout=$(( $_timeout - 1 ))
    done
    die "Timed out waiting for port $port"
 }
 #################
 #  cache_image  #  (singular) fetch one remote image
 #################
 function cache_image() {
    local img=$1
    # Almost all our images are under libpod; no need to repeat that part
    if ! expr "$img" : "^\(.*\)/" >/dev/null; then
        img="libpod/$img"
    fi
    # Almost all our images are from quay.io, but "domain.tld" prefix overrides
    registry=$(expr "$img" : "^\([^/.]\+\.[^/]\+\)/" || true)
    if [[ -n "$registry" ]]; then
        img=$(expr "$img" : "[^/]\+/\(.*\)")
    else
        registry=quay.io
    fi
    echo
    echo "...caching: $registry / $img"
    # FIXME: inspect, and only pull if missing?
    for retry in 1 2 3 0;do
        skopeo --registries-conf /dev/null \
               copy --all --dest-tls-verify=false \
               docker://$registry/$img \
               docker://127.0.0.1:${REGISTRY_PORT}/$img \
            && return
        sleep $((retry * 30))
    done
    die "Too many retries; unable to cache $registry/$img"
 }
 ##################
 #  cache_images  #  (plural) fetch all remote images
 ##################
 function cache_images() {
    for img in "${IMAGELIST[@]}"; do
        cache_image "$img"
    done
 }
 # END   helper functions
 ###############################################################################
 # BEGIN action processing
 ###################
 #  do_initialize  #  Start, then cache images
 ###################
 #
 # Intended to be run only from automation_images repo, or by developer
 # on local workstation. This should never be run from podman/buildah/etc
 # because it defeats the entire purpose of the cache -- a dead registry
 # will cause this to fail.
 #
 function do_initialize() {
    # This action can only be run as root
    if [[ "$(id -u)" != "0" ]]; then
        die "this script must be run as root"
    fi
    # For the next few commands, die on any error
    set -e
    mkdir -p ${PODMAN_REGISTRY_WORKDIR}
    # Copy of this script
    if ! [[ $0 =~ ${PODMAN_REGISTRY_WORKDIR} ]]; then
        rm -f ${PODMAN_REGISTRY_WORKDIR}/$ME
        cp $0 ${PODMAN_REGISTRY_WORKDIR}/$ME
    fi
    # Give it three tries, to compensate for flakes
    podman pull ${PODMAN_REGISTRY_IMAGE}      &>/dev/null ||
        podman pull ${PODMAN_REGISTRY_IMAGE}  &>/dev/null ||
        must_pass podman pull ${PODMAN_REGISTRY_IMAGE}
    # Mount the registry image...
    registry_root=$(podman image mount ${PODMAN_REGISTRY_IMAGE})
    # ...copy the registry binary into our own bin...
    cp ${registry_root}/bin/registry /usr/bin/docker-registry
    # ...and copy the config, making a few adjustments to it.
    sed -e "s;/var/lib/registry;${PODMAN_REGISTRY_WORKDIR};" \
        -e "s;:5000;127.0.0.1:${REGISTRY_PORT};" \
        < ${registry_root}/etc/docker/registry/config.yml \
        > /etc/local-registry.yml
    podman image umount -a
    # Create a systemd unit file. Enable it (so it starts at boot)
    # and also start it --now.
    cat > /etc/systemd/system/$ME.service <<EOF
 [Unit]
 Description=Local Cache Registry for CI tests
 [Service]
 ExecStart=/usr/bin/docker-registry serve /etc/local-registry.yml
 Type=exec
 [Install]
 WantedBy=multi-user.target
 EOF
    systemctl daemon-reload
    systemctl enable --now $ME.service
    wait_for_port ${REGISTRY_PORT}
    cache_images
 }
 ##############
 #  do_cache  #  Cache one or more images
 ##############
 function do_cache() {
    if [[ -z "$*" ]]; then
        die "missing args to 'cache'"
    fi
    for img in "$@"; do
        cache_image "$img"
    done
 }
 # END   action processing
 ###############################################################################
 # BEGIN command-line processing
 # First command-line arg must be an action
 action=${1?ACTION$missing}
 shift
 case "$action" in
    init|initialize)  do_initialize ;;
    cache)            do_cache "$@" ;;
    *)      die "Unknown action '$action'; must be init | cache IMAGE" ;;
 esac
 # END   command-line processing
 ###############################################################################
 exit 0
--- a/cache_images/rawhide_setup.sh
+++ b/cache_images/rawhide_setup.sh
@ -0,0 +1,38 @@
 #!/bin/bash
 # This script is called by packer on the rawhide VM, to update and reboot using
 # the rawhide kernel.  It's not intended to be used outside of this context.
 set -e
 SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
 SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
 REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
 # packer and/or a --build-arg define this envar value uniformly
 # for both VM and container image build workflows.
 req_env_vars PACKER_BUILD_NAME
 warn "Upgrading Fedora '$OS_RELEASE_VER' to rawhide, this might break."
 # shellcheck disable=SC2154
 warn "If so, this script may be found in the repo. as '$SCRIPT_DIRPATH/$SCRIPT_FILENAME'."
 # Show what's happening
 set -x
 # Rawhide often has GPG issues, don't bother checking
 $SUDO sed -i -r -e 's/^gpgcheck=.+/gpgcheck=False/' /etc/dnf/dnf.conf
 $SUDO sed -i -r -e 's/^gpgcheck=.+/gpgcheck=0/' /etc/yum.repos.d/*.repo
 # Called as `dnf5` here to confirm "old" dnf has been replaced.
 $SUDO dnf5 -y distro-sync --releasever=rawhide --allowerasing
 $SUDO dnf5 upgrade -y
 # A shared fedora_packaging.sh script is called next that doesn't always support dnf5
 $SUDO ln -s $(type -P dnf5) /usr/local/bin/dnf
 # Packer will try to run 'cache_images/fedora_setup.sh' next, make sure the system
 # is actually running rawhide (and verify it boots).
 $SUDO reboot
--- a/ccia/Containerfile
+++ b/ccia/Containerfile
@ -1,10 +1,14 @@
 ARG BASE_NAME=registry.fedoraproject.org/fedora-minimal
-ARG BASE_TAG=latest
+# FIXME FIXME FIXME! 2023-11-16: revert "38" to "latest"
 # ...38 is because as of this moment, latest is 39, which
 # has python-3.12, which causes something to barf:
 #         aiohttp/_websocket.c:3744:45: error: ‘PyLongObject’ {aka ‘struct _longobject’} has no member named ‘ob_digit’
 # Possible cause: https://github.com/cython/cython/issues/5238
 ARG BASE_TAG=38
 FROM ${BASE_NAME}:${BASE_TAG} as updated_base
-RUN microdnf update -y && \
+RUN microdnf upgrade -y && \
-    microdnf clean all && \
+    microdnf clean all
    rm -rf /var/cache/dnf
 ENV _RUNTIME_DEPS="bash python3"
 ENV _BUILD_DEPS="coreutils curl git python3 python3-pip python3-virtualenv python3-devel gcc g++"
@ -15,17 +19,18 @@ FROM updated_base as builder
 RUN microdnf install -y ${_RUNTIME_DEPS} ${_BUILD_DEPS} && \
    export INSTALL_PREFIX=/usr/share && \
    curl -sL \
-        https://raw.githubusercontent.com/containers/automation/master/bin/install_automation.sh | \
+        https://raw.githubusercontent.com/containers/automation/main/bin/install_automation.sh | \
        bash -s latest cirrus-ci_artifacts
 FROM updated_base as final
-RUN microdnf install -y ${_BUILD_DEPS} && \
+RUN microdnf install -y ${_RUNTIME_DEPS} && \
-    microdnf clean all && \
+    microdnf clean all
    rm -rf /var/cache/dnf
 COPY --from=builder /usr/share/automation /usr/share/automation
 COPY --from=builder /etc/automation_environment /etc/automation_environment
 # Env. is used by test.sh script.
 ENV CCIABIN=/usr/share/automation/bin/cirrus-ci_artifacts
 ENTRYPOINT ["/usr/share/automation/bin/cirrus-ci_artifacts"]
--- a/Image/manifest/cache_images/manifest.json
+++ b/Image/manifest/cache_images/manifest.json
@ -1,17 +0,0 @@
 {
  "builds": [
    {
      "name": "fedora-podman-py",
      "builder_type": "googlecompute",
      "build_time": 1658176090,
      "files": null,
      "artifact_id": "fedora-podman-py-c5419329914142720",
      "packer_run_uuid": "e5b1e6ab-37a5-a695-624d-47bf0060b272",
      "custom_data": {
        "IMG_SFX": "5419329914142720",
        "STAGE": "cache"
      }
    }
  ],
  "last_run_uuid": "e5b1e6ab-37a5-a695-624d-47bf0060b272"
 }
--- a/check-imgsfx.sh
+++ b/check-imgsfx.sh
@ -0,0 +1,36 @@
 #!/bin/bash
 #
 # 2024-01-25 esm
 # 2024-06-28 cevich
 #
 # This script is intended to be used by the `pre-commit` utility, or it may
 # be manually copied (or symlinked) as local `.git/hooks/pre-push` file.
 # It's purpose is to keep track of image-suffix values which have already
 # been pushed, to avoid them being immediately rejected by CI validation.
 # To use it with the `pre-commit` utility, simply add something like this
 # to your `.pre-commit-config.yaml`:
 #
 # ---
 # repos:
 #   - repo: https://github.com/containers/automation_images.git
 #     rev: <tag or commit sha>
 #     hooks:
 #       - id: check-imgsfx
 set -eo pipefail
 # Ensure CWD is the repo root
 cd $(dirname "${BASH_SOURCE[0]}")
 imgsfx=$(<IMG_SFX)
 imgsfx_history=".git/hooks/imgsfx.history"
 if [[ -e $imgsfx_history ]]; then
    if grep -q "$imgsfx" $imgsfx_history; then
        echo "FATAL: $imgsfx has already been used" >&2
        echo "Please rerun 'make IMG_SFX'" >&2
        exit 1
    fi
 fi
 echo $imgsfx >>$imgsfx_history
--- a/ci/Containerfile
+++ b/ci/Containerfile
@ -1,4 +1,4 @@
-# This dockerfile defines the environment for Cirrus-CI when
+# This Containerfile defines the environment for Cirrus-CI when
 # running automated checks and tests. It may also be used
 # for development/debugging or manually building most
 # Makefile targets.
@ -8,17 +8,17 @@ FROM registry.fedoraproject.org/fedora:${FEDORA_RELEASE}
 ARG PACKER_VERSION
 MAINTAINER https://github.com/containers/automation_images/ci
-ENV CIRRUS_WORKING_DIR=/tmp/automation_images \
+ENV CIRRUS_WORKING_DIR=/var/tmp/automation_images \
    PACKER_INSTALL_DIR=/usr/local/bin \
    PACKER_VERSION=$PACKER_VERSION \
    CONTAINER=1
-# When using the dockerfile-as-ci feature of Cirrus-CI, it's unsafe
+# When using the containerfile-as-ci feature of Cirrus-CI, it's unsafe
 # to rely on COPY or ADD instructions.  See documentation for warning.
 RUN test -n "$PACKER_VERSION"
 RUN dnf update -y && \
-    dnf mark remove $(rpm -qa | grep -Ev '(gpg-pubkey)|(dnf)|(sudo)') && \
+    dnf -y mark dependency $(rpm -qa | grep -Ev '(gpg-pubkey)|(dnf)|(sudo)') && \
-    dnf install -y --exclude selinux-policy-targeted \
+    dnf install -y \
        ShellCheck \
        bash-completion \
        coreutils \
@ -38,7 +38,7 @@ RUN dnf update -y && \
        util-linux \
        unzip \
        && \
-    dnf mark install dnf sudo $_ && \
+    dnf -y mark user dnf sudo $_ && \
    dnf autoremove -y && \
    dnf clean all
--- a/ci/make.sh
+++ b/ci/make.sh
@ -35,6 +35,14 @@ if [[ -n "$AWS_INI" ]]; then
    set_aws_filepath
 fi
 id
 # FIXME: ssh-keygen seems to fail to create keys with Permission denied
 # in the base_images make target, I have no idea why but all CI jobs are
 # broken because of this. Let's try without selinux.
 if [[ "$(getenforce)" == "Enforcing" ]]; then
    setenforce 0
 fi
 set -x
 cd "$REPO_DIRPATH"
 export IMG_SFX=$IMG_SFX
--- a/ci/make_container_images.sh
+++ b/ci/make_container_images.sh
@ -44,13 +44,6 @@ SRC_FQIN="$TARGET_NAME:$IMG_SFX"
 make "$TARGET_NAME" IMG_SFX=$IMG_SFX
 # Prevent pushing 'latest' images from PRs, only branches and tags
 # shellcheck disable=SC2154
 if [[ $PUSH_LATEST -eq 1 ]] && [[ -n "$CIRRUS_PR" ]]; then
    echo -e "\nWarning: Refusing to push 'latest' images when testing from a PR.\n"
    PUSH_LATEST=0
 fi
 # Don't leave credential file sticking around anywhere
 trap "podman logout --all" EXIT INT CONT
 set +x  # protect username/password values
@ -64,9 +57,3 @@ set -x  # Easier than echo'ing out status for everything
 # shellcheck disable=SC2154
 podman tag "$SRC_FQIN" "$DEST_FQIN"
 podman push "$DEST_FQIN"
 if ((PUSH_LATEST)); then
    LATEST_FQIN="${DEST_FQIN%:*}:latest"
    podman tag "$SRC_FQIN" "$LATEST_FQIN"
    podman push "$LATEST_FQIN"
 fi
--- a/ci/tag_latest.sh
+++ b/ci/tag_latest.sh
@ -0,0 +1,36 @@
 #!/bin/bash
 set -eo pipefail
 if [[ -z "$CI" ]] || [[ "$CI" != "true" ]] || [[ -z "$IMG_SFX" ]]; then
    echo "This script is intended to be run by CI and nowhere else."
    exit 1
 fi
 # This envar is set by the CI system
 # shellcheck disable=SC2154
 if [[ "$CIRRUS_CHANGE_MESSAGE" =~ .*CI:DOCS.* ]]; then
    echo "This script must never tag anything after a [CI:DOCS] PR merge"
    exit 0
 fi
 # Ensure no secrets leak via debugging var expansion
 set +x
 # This secret envar is set by the CI system
 # shellcheck disable=SC2154
 echo "$REG_PASSWORD" | \
    skopeo login --password-stdin --username "$REG_USERNAME" "$REGPFX"
 declare -a imgnames
 imgnames=( imgts imgobsolete imgprune gcsupld get_ci_vm orphanvms ccia )
 # A [CI:TOOLING] build doesn't produce CI VM images
 if [[ ! "$CIRRUS_CHANGE_MESSAGE" =~ .*CI:TOOLING.* ]]; then
    imgnames+=( skopeo_cidev fedora_podman prior-fedora_podman )
 fi
 for imgname in "${imgnames[@]}"; do
    echo "##### Tagging $imgname -> latest"
    # IMG_SFX is defined by CI system
    # shellcheck disable=SC2154
    skopeo copy "docker://$REGPFX/$imgname:c${IMG_SFX}" "docker://$REGPFX/${imgname}:latest"
 done
--- a/ci/validate.sh
+++ b/ci/validate.sh
@ -13,12 +13,24 @@ REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
-req_env_vars CIRRUS_PR CIRRUS_BASE_SHA CIRRUS_CHANGE_TITLE
+req_env_vars CIRRUS_PR CIRRUS_PR_TITLE CIRRUS_USER_PERMISSION CIRRUS_BASE_BRANCH
 show_env_vars
 # die() will add a reference to this file and line number.
 [[ "$CIRRUS_CI" == "true" ]] || \
  die "This script is only/ever intended to be run by Cirrus-CI."
 # This is imperfect security-wise, but attempt to catch an accidental
 # change in Cirrus-CI Repository settings.  Namely the hard-to-read
 # "slider" that enables non-contributors to run jobs.  We don't want
 # that on this repo, ever. because there are sensitive secrets in use.
 # This variable is set by CI and validated non-empty above
 # shellcheck disable=SC2154
 if [[ "$CIRRUS_USER_PERMISSION" != "write" ]] && [[ "$CIRRUS_USER_PERMISSION" != "admin" ]]; then
  die "CI Execution not supported with permission level '$CIRRUS_USER_PERMISSION'"
 fi
 for target in image_builder/gce.json base_images/cloud.json \
              cache_images/cloud.json win_images/win-server-wsl.json; do
  if ! make $target; then
@ -32,18 +44,28 @@ if [[ -z "$CIRRUS_PR" ]]; then
  exit 0
 fi
 # For Docs-only PRs, no further checks are needed
 # Variable is defined by Cirrus-CI at runtime
 # shellcheck disable=SC2154
-if [[ ! "$CIRRUS_CHANGE_TITLE" =~ CI:DOCS ]] && \
+if [[ "$CIRRUS_PR_TITLE" =~ CI:DOCS ]]; then
-   ! git diff --name-only ${CIRRUS_BASE_SHA}..HEAD | grep -q IMG_SFX; then
+  msg "This looks like a docs-only PR, skipping further validation checks."
  exit 0
 fi
 # Fix "Not a valid object name main" error from Cirrus's
 # incomplete checkout.
 git remote update origin
 # Determine where PR branched off of $CIRRUS_BASE_BRANCH
 # shellcheck disable=SC2154
 base_sha=$(git merge-base origin/${CIRRUS_BASE_BRANCH:-main} HEAD)
 if ! git diff --name-only ${base_sha}..HEAD | grep -q IMG_SFX; then
  die "Every PR that builds images must include an updated IMG_SFX file.
 Simply run 'make IMG_SFX', commit the result, and re-push."
 else
  IMG_SFX="$(<./IMG_SFX)"
  # IMG_SFX was modified vs PR's base-branch, confirm version moved forward
-  # shellcheck disable=SC2154
+  v_prev=$(git show ${base_sha}:IMG_SFX 2>&1 || true)
  v_prev=$(git show ${CIRRUS_BASE_SHA}:IMG_SFX 2>&1 || true)
  # Verify new IMG_SFX value always version-sorts later than previous value.
  # This prevents screwups due to local timezone, bad, or unset clocks, etc.
  new_img_ver=$(awk -F 't' '{print $1"."$2}'<<<"$IMG_SFX" | cut -dz -f1)
--- a/dot_pre-commit-config.yaml.example
+++ b/dot_pre-commit-config.yaml.example
@ -0,0 +1,43 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files
      - id: check-symlinks
      - id: mixed-line-ending
      - id: no-commit-to-branch
        args: [--branch, main]
  - repo: https://github.com/codespell-project/codespell
    rev: v2.3.0
    hooks:
      - id: codespell
        args: [--config, .codespellrc]
  - repo: https://github.com/jumanjihouse/pre-commit-hooks
    rev: 3.0.0
    hooks:
      - id: forbid-binary
        exclude: >
          (?x)^(
            get_ci_vm/good_repo_test/dot_git.tar.gz
          )$
      - id: script-must-have-extension
      - id: shellcheck
        # These come from ci/shellcheck.sh
        args:
            - --color=always
            - --format=tty
            - --shell=bash
            - --external-sources
            - --enable=add-default-case,avoid-nullary-conditions,check-unassigned-uppercase
            - --exclude=SC2046,SC2034,SC2090,SC2064
            - --wiki-link-count=0
            - --severity=warning
  - repo: https://github.com/containers/automation_images.git
    rev: 2e5a2acfe21cc4b13511b453733b8875e592ad9c
    hooks:
      - id: check-imgsfx
--- a/gcpprojects.txt
+++ b/gcpprojects.txt
@ -1,14 +1,13 @@
-# This is a listing of GCP Project IDs which use images produced by
+# This is a listing of Google Cloud Platform Project IDs for
-# this repo.  It's used by the "Orphan VMs" github action to monitor
+# orphan VM monitoring and possibly other automation tasks.
-# for any leftover/lost VMs.
+# Note: CI VM images produced by this repo are all stored within
 # the libpod-218412 project (in addition to some AWS EC2)
 buildah
 conmon-222014
 containers-build-source-image
 dnsname-8675309
 libpod-218412
 netavark-2021
 oci-seccomp-bpf-hook
 podman-py
 skopeo
 storage-240716
 udica-247612
--- a/get_ci_vm/Containerfile
+++ b/get_ci_vm/Containerfile
@ -19,8 +19,7 @@ RUN bash ./get_ci_vm/setup.sh
 # conflicts.
 ADD /get_ci_vm/entrypoint.sh ./get_ci_vm/
-# Add this late to optomize cache effecacy for development workflows
+ENTRYPOINT ["/usr/bin/ssh-agent", "/bin/bash", "/usr/src/automation_images/get_ci_vm/entrypoint.sh"]
 ENTRYPOINT ["/bin/bash", "/usr/src/automation_images/get_ci_vm/entrypoint.sh"]
 WORKDIR "/root"
 ENV HOME="/root" \
    SRCDIR="" \
--- a/get_ci_vm/README.md
+++ b/get_ci_vm/README.md
@ -5,6 +5,36 @@ This directory contains the source for building [the
 This image image is used by many containers-org repos. `hack/get_ci_vm.sh` script.
 It is not intended to be called via any other mechanism.
 In general/high-level terms, the architecture and operation is:
 1. [containers/automation hosts cirrus-ci_env](https://github.com/containers/automation/tree/main/cirrus-ci_env),
   a python mini-implementation of a `.cirrus.yml` parser. It's only job is to extract all required envars,
   given a task name (including from a matrix element).  It's highly dependent on
   [certain YAML formatting requirements](README.md#downstream-repository-cirrusyml-requirements).  If the target
   repo. doesn't follow those standards, nasty/ugly python errors will vomit forth.  Mainly this has to do with
   Cirrus-CI's use of a non-standard YAML parser, allowing things like certain duplicate dictionary keys.
 1. [containers/automation_images hosts get_ci_vm](https://github.com/containers/automation_images/tree/main/get_ci_vm),
   a bundling of the `cirrus-ci_env` python script with an `entrypoint.sh` script inside a container image.
 1. When a user runs `hack/get_ci_vm.sh` inside a target repo, the container image is entered, and `.cirrus.yml`
   is parsed based on the CLI task-name.  A VM is then provisioned based on specific envars (see the "Env. Vars."
   entries in the sections for [APIv1](README.md#env-vars) and [APIv2](README.md#env-vars-1) sections below).
   This is the most complex part of the process.
 1. The remote system will not have **any** of the otherwise automatic Cirrus-CI operations performed (like "clone")
   nor any magic CI variables defined.  Having a VM ready, the container entrypoint script transfers a copy of
   the local repo (including any uncommited changes).
 1. The container entrypoint script then performs **_remote_** execution of the `hack/get_ci_vm.sh` script
   including the magic `--setup` parameter.  Though it varies by repo, typically this will establish everything
   necessary to simulate a CI environment, via a call to the repo's own `setup.sh` or equivalent.  Typically
   The repo's setup scripts will persist any required envars into a `/etc/ci_environment` or similar.  Though
   this isn't universal.
 1. Lastly, the user is dropped into a shell on the VM, inside the repo copy, with all envars defined and
   ready to start running tests.
 _Note_:  If there are any envars found to be missing, they must be defined by updating either the repo normal CI
 setup scripts (preferred), or in the `hack/get_ci_vm.sh` `--setup` section.
 # Building
 Example build (from repository root):
 ```bash
--- a/get_ci_vm/bad_repo_test/hack/get_ci_vm.sh
+++ b/get_ci_vm/bad_repo_test/hack/get_ci_vm.sh
@ -66,9 +66,9 @@ delvm() {
 }
 image_hints() {
-    _BIS=$(egrep -m 1 '_BUILT_IMAGE_SUFFIX:[[:space:]+"[[:print:]]+"' \
+    _BIS=$(grep -E -m 1 '_BUILT_IMAGE_SUFFIX:[[:space:]+"[[:print:]]+"' \
        "$SECCOMPHOOKROOT/.cirrus.yml" | cut -d: -f 2 | tr -d '"[:blank:]')
-    egrep '[[:space:]]+[[:alnum:]].+_CACHE_IMAGE_NAME:[[:space:]+"[[:print:]]+"' \
+    grep -E '[[:space:]]+[[:alnum:]].+_CACHE_IMAGE_NAME:[[:space:]+"[[:print:]]+"' \
        "$SECCOMPHOOKROOT/.cirrus.yml" | cut -d: -f 2 | tr -d '"[:blank:]' | \
        sed -r -e "s/\\\$[{]_BUILT_IMAGE_SUFFIX[}]/$_BIS/" | sort -u
 }
@ -141,7 +141,7 @@ cd $SECCOMPHOOKROOT
 # Attempt to determine if named 'oci-seccomp-bpf-hook' gcloud configuration exists
 showrun $PGCLOUD info > $TMPDIR/gcloud-info
-if egrep -q "Account:.*None" $TMPDIR/gcloud-info
+if grep -E -q "Account:.*None" $TMPDIR/gcloud-info
 then
    echo -e "\n${YEL}WARNING: Can't find gcloud configuration for 'oci-seccomp-bpf-hook', running init.${NOR}"
    echo -e "         ${RED}Please choose '#1: Re-initialize' and 'login' if asked.${NOR}"
@ -151,7 +151,7 @@ then
    # Verify it worked (account name == someone@example.com)
    $PGCLOUD info > $TMPDIR/gcloud-info-after-init
-    if egrep -q "Account:.*None" $TMPDIR/gcloud-info-after-init
+    if grep -E -q "Account:.*None" $TMPDIR/gcloud-info-after-init
    then
        echo -e "${RED}ERROR: Could not initialize 'oci-seccomp-bpf-hook' configuration in gcloud.${NOR}"
        exit 5
--- a/get_ci_vm/entrypoint.sh
+++ b/get_ci_vm/entrypoint.sh
@ -235,7 +235,7 @@ has_valid_aws_credentials() {
    _awsoutput=$($AWSCLI configure list 2>&1 || true)
    dbg "$AWSCLI configure list"
    dbg "$_awsoutput"
-    if egrep -qx 'The config profile.+could not be found'<<<"$_awsoutput"; then
+    if grep -E -qx 'The config profile.+could not be found'<<<"$_awsoutput"; then
        dbg "AWS config/credentials are missing"
        return 1
    elif [[ ! -r "$EC2_SSH_KEY" ]] || [[ ! -r "${EC2_SSH_KEY}.pub" ]]; then
@ -413,6 +413,9 @@ make_setup_tarball() {
    status "Preparing setup tarball for instance."
    req_env_vars DESTDIR _TMPDIR SRCDIR UPSTREAM_REPO
    mkdir -p "${_TMPDIR}$DESTDIR"
    # Mark the volume-mounted source repo as safe system-wide (w/in the container)
    git config --global --add safe.directory "$SRCDIR"
    git config --global --add safe.directory "$SRCDIR/.git"
    # We have no way of knowing what state or configuration the user's
    # local repository is in.  Work from a local clone, so we can
    # specify our own setup and prevent unexpected script breakage.
@ -515,8 +518,8 @@ init_gcevm() {
    DNS_NAME=$INST_NAME  # gcloud compute ssh wrapper will resolve this
    GCLOUD="${GCLOUD:-gcloud} --configuration=$GCLOUD_CFG --project=$GCLOUD_PROJECT"
    _args="--force-key-file-overwrite --strict-host-key-checking=no --zone=$GCLOUD_ZONE"
-    SSH_CMD="$GCLOUD compute ssh $_args root@$DNS_NAME --"
+    SSH_CMD="$GCLOUD compute ssh --ssh-flag=-o=AddKeysToAgent=yes $_args root@$DNS_NAME --"
-    SCP_CMD="$GCLOUD compute scp $_args"
+    SCP_CMD="$GCLOUD compute scp --scp-flag=-o=AddKeysToAgent=yes $_args"
    CREATE_CMD="$GCLOUD compute instances create \
        --zone=$GCLOUD_ZONE --image-project=$GCLOUD_IMGPROJECT \
        --image=$INST_IMAGE --custom-cpu=$GCLOUD_CPUS \
@ -533,9 +536,6 @@ init_gcevm() {
 Can't find valid GCP credentials, attempting to (re)initialize.
 If asked, please choose '#1: Re-initialize', 'login', and a nearby
 GCLOUD_ZONE, otherwise simply follow the prompts.
 Note: If asked to set a SSH-key passphrase, DO NOT SET ONE, it
      will make your life miserable! Set an empty password for the key.
 "
        $GCLOUD init --project=$GCLOUD_PROJECT --console-only --skip-diagnostics
        if ! has_valid_gcp_credentials; then
--- a/get_ci_vm/setup.sh
+++ b/get_ci_vm/setup.sh
@ -2,9 +2,9 @@
 # This script is intended to be executed as part of the container
 # image build process.  Using it under any other context is virtually
-# guarantied to cause you much pain and suffering.
+# guaranteed to cause you much pain and suffering.
-set -eo pipefail
+set -xeo pipefail
 SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
 SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
@ -14,6 +14,7 @@ source "$REPO_DIRPATH/lib.sh"
 declare -a PKGS
 PKGS=( \
    aws-cli
    coreutils
    curl
    gawk
@ -30,9 +31,7 @@ apk upgrade
 apk add --no-cache "${PKGS[@]}"
 rm -rf /var/cache/apk/*
-pip3 install --upgrade pip
+aws --version  # Confirm that aws actually runs
 pip3 install --no-cache-dir awscli
 aws --version  # Confirm it actually runs
 install_automation_tooling cirrus-ci_env
--- a/get_ci_vm/test.sh
+++ b/get_ci_vm/test.sh
@ -78,7 +78,7 @@ testf() {
        echo "# $@" > /dev/stderr
    fi
-    # Using egrep vs file safer than shell builtin test
+    # Using grep -E vs file safer than shell builtin test
    local a_out_f
    local a_exit=0
    a_out_f=$(mktemp -p '' "tmp_${FUNCNAME[0]}_XXXXXXXX")
@ -109,7 +109,7 @@ testf() {
        if ((TEST_DEBUG)); then
            echo "Received $(wc -l $a_out_f | awk '{print $1}') output lines of $(wc -c $a_out_f | awk '{print $1}') bytes total"
        fi
-        if egrep -q "$e_out_re" "${a_out_f}.oneline"; then
+        if grep -E -q "$e_out_re" "${a_out_f}.oneline"; then
            _test_report "Command $1 exited as expected with expected output" "0" "$a_out_f"
        else
            _test_report "Expecting regex '$e_out_re' match to (whitespace-squashed) output" "1" "$a_out_f"
--- a/get_fedora_url.sh
+++ b/get_fedora_url.sh
@ -67,7 +67,7 @@ else
 fi
 # Support both '.CHECKSUM' and '-CHECKSUM' at the end
-filename=$(egrep -i -m 1 -- "$extension$" <<<"$by_arch" || true)
+filename=$(grep -E -i -m 1 -- "$extension$" <<<"$by_arch" || true)
 [[ -n "$filename" ]] || \
    die "No '$extension' targets among $by_arch"
--- a/image_builder/Containerfile
+++ b/image_builder/Containerfile
@ -4,7 +4,7 @@
 # at the root of this repository.  It should be built with
 # the repository root as the context directory.
-ARG CENTOS_STREAM_RELEASE=8
+ARG CENTOS_STREAM_RELEASE=9
 FROM quay.io/centos/centos:stream${CENTOS_STREAM_RELEASE}
 ARG PACKER_VERSION
 MAINTAINER https://github.com/containers/automation_images/image_builder
--- a/image_builder/gce.yml
+++ b/image_builder/gce.yml
@ -45,16 +45,16 @@ provisioners:
    - type: 'shell'
      inline:
        - 'set -e'
-        - 'mkdir -p /tmp/automation_images'
+        - 'mkdir -p /var/tmp/automation_images'
    - type: 'file'
      source: '{{ pwd }}/'
-      destination: '/tmp/automation_images/'
+      destination: '/var/tmp/automation_images/'
    - type: 'shell'
      inline:
        - 'set -e'
-        - '/bin/bash /tmp/automation_images/image_builder/setup.sh'
+        - '/bin/bash /var/tmp/automation_images/image_builder/setup.sh'
 post-processors:
    # Must be double-nested to guarantee execution order
--- a/image_builder/google-cloud-sdk.repo
+++ b/image_builder/google-cloud-sdk.repo
@ -1,16 +1,9 @@
-[google-compute-engine]
+# Copy-pasted from https://cloud.google.com/sdk/docs/install#red-hatfedoracentos
-name=Google Compute Engine
+
-baseurl=https://packages.cloud.google.com/yum/repos/google-compute-engine-el8-x86_64-stable
+[google-cloud-cli]
 name=Google Cloud CLI
 baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64
 enabled=1
 gpgcheck=1
-repo_gpgcheck=1
+repo_gpgcheck=0
-gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
+gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 [google-cloud-sdk]
 name=Google Cloud SDK
 baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-x86_64
 enabled=1
 gpgcheck=1
 repo_gpgcheck=1
 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
--- a/image_builder/install_packages.sh
+++ b/image_builder/install_packages.sh
@ -23,6 +23,19 @@ source "$REPO_DIRPATH/lib.sh"
 dnf update -y
 dnf -y install epel-release
-dnf install -y $(<"$INST_PKGS_FP")
+# Allow erasing pre-installed curl-minimal package
 dnf install -y --allowerasing $(<"$INST_PKGS_FP")
 # As of 2024-04-24 installing the EPEL `awscli` package results in error:
 # nothing provides python3.9dist(docutils) >= 0.10
 # Grab the binary directly from amazon instead
 # https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
 AWSURL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
 cd /tmp
 curl --fail --location -O "${AWSURL}"
 # There's little reason to see every single file extracted
 unzip -q awscli*.zip
 ./aws/install -i /usr/local/share/aws-cli -b /usr/local/bin
 rm -rf awscli*.zip ./aws
 install_automation_tooling
--- a/image_builder/install_packages.txt
+++ b/image_builder/install_packages.txt
@ -1,4 +1,3 @@
 awscli
 buildah
 bash-completion
 curl
@ -6,12 +5,13 @@ findutils
 gawk
 genisoimage
 git
-google-cloud-sdk
+google-cloud-cli
 jq
 libvirt
 libvirt-admin
 libvirt-client
 libvirt-daemon
 libxcrypt-compat
 make
 openssh
 openssl
@ -24,6 +24,7 @@ rng-tools
 rootfiles
 rsync
 sed
 skopeo
 tar
 unzip
 util-linux
--- a/imgobsolete/entrypoint.sh
+++ b/imgobsolete/entrypoint.sh
@ -11,13 +11,13 @@ set -eo pipefail
 # shellcheck source=imgts/lib_entrypoint.sh
 source /usr/local/bin/lib_entrypoint.sh
-req_env_vars GCPJSON GCPNAME GCPPROJECT AWSINI
+req_env_vars GCPJSON GCPNAME GCPPROJECT AWSINI IMG_SFX
 gcloud_init
 # Set this to 1 for testing
 DRY_RUN="${DRY_RUN:-0}"
-OBSOLETE_LIMIT=10
+OBSOLETE_LIMIT=50
 THEFUTURE=$(date --date='+1 hour' +%s)
 TOO_OLD_DAYS='30'
 TOO_OLD_DESC="$TOO_OLD_DAYS days ago"
@ -40,8 +40,8 @@ $GCLOUD compute images list --format="$FORMAT" --filter="$FILTER" | \
        count_image
        reason=""
        created_ymd=$(date --date=$creationTimestamp --iso-8601=date)
-        permanent=$(egrep --only-matching --max-count=1 --ignore-case 'permanent=true' <<< $labels || true)
+        permanent=$(grep -E --only-matching --max-count=1 --ignore-case 'permanent=true' <<< $labels || true)
-        last_used=$(egrep --only-matching --max-count=1 'last-used=[[:digit:]]+' <<< $labels || true)
+        last_used=$(grep -E --only-matching --max-count=1 'last-used=[[:digit:]]+' <<< $labels || true)
        LABELSFX="labels: '$labels'"
@ -54,6 +54,14 @@ $GCLOUD compute images list --format="$FORMAT" --filter="$FILTER" | \
            continue
        fi
        # Any image matching the currently in-use IMG_SFX must always be preserved
        # Value is defined in cirrus.yml
        # shellcheck disable=SC2154
        if [[ "$name" =~ $IMG_SFX ]]; then
            msg "Retaining current (latest) image $name | $labels"
            continue
        fi
        # No label was set
        if [[ -z "$last_used" ]]
        then # image lacks any tracking labels
@ -91,7 +99,7 @@ aws_init
 # The AWS cli returns a huge blob of data we mostly don't need.
 # Use query statement to simplify the results.  N/B: The get_tag_value()
 # function expects to find a "TAGS" item w/ list value.
-ami_query='Images[*].{ID:ImageId,CREATED:CreationDate,STATE:State,TAGS:Tags}'
+ami_query='Images[*].{ID:ImageId,CREATED:CreationDate,STATE:State,TAGS:Tags,DEP:DeprecationTime}'
 all_amis=$($AWS ec2 describe-images --owners self --query "$ami_query")
 nr_amis=$(jq -r -e length<<<"$all_amis")
@ -109,15 +117,16 @@ lltcmd=(\
 req_env_vars all_amis nr_amis
 for (( i=nr_amis ; i ; i-- )); do
-    unset ami ami_id state created created_ymd name name_tag
+    unset ami ami_id state created created_ymd name name_tag dep
    ami=$(jq -r -e ".[$((i-1))]"<<<"$all_amis")
    ami_id=$(jq -r -e ".ID"<<<"$ami")
    state=$(jq -r -e ".STATE"<<<"$ami")
    created=$(jq -r -e ".CREATED"<<<"$ami")
    created_ymd=$(date --date="$created" --iso-8601=date)
    dep=$(jq -r -e ".DEP"<<<"$ami")
    unset tags
-    # The name-tag is easier on human eys if on is set.
+    # The name-tag is easier on human eys if one is set.
    name="$ami_id"
    if name_tag=$(get_tag_value "Name" "$ami"); then
        name="$name_tag"
@ -138,13 +147,23 @@ for (( i=nr_amis ; i ; i-- )); do
    done
    unset automation permanent reason
-    automation=$(egrep --only-matching --max-count=1 \
+    automation=$(grep -E --only-matching --max-count=1 \
                 --ignore-case 'automation=true' <<< $tags || true)
-    permanent=$(egrep --only-matching --max-count=1 \
+    permanent=$(grep -E --only-matching --max-count=1 \
                --ignore-case 'permanent=true' <<< $tags || true)
    if [[ -n "$permanent" ]]; then
        msg "Retaining forever $name | $tags"
        # Permanent AMIs should never ever have a deprecation date set
        $AWS ec2 disable-image-deprecation --image-id "$ami_id" > /dev/null
        continue
    fi
    # Any image matching the currently in-use IMG_SFX
    # must always be preserved.  Values are defined in cirrus.yml
    # shellcheck disable=SC2154
    if [[ "$name" =~ $IMG_SFX ]]; then
        msg "Retaining current (latest) image $name | $tags"
        continue
    fi
@ -173,18 +192,24 @@ for (( i=nr_amis ; i ; i-- )); do
        continue
    else
        msg "Retaining $ami_id | $created_ymd | $state | $tags"
        if [[ "$dep" != "null" ]]; then
            msg "    Removing previously set AMI deprecation timestamp: $dep"
            # Ignore confirmation output.
            $AWS ec2 disable-image-deprecation --image-id "$ami_id" > /dev/null
        fi
    fi
 done
 COUNT=$(<"$IMGCOUNT")
 CANDIDATES=$(wc -l <$TOOBSOLETE)
 msg "########################################################################"
-msg "Obsoleting $OBSOLETE_LIMIT random images of $COUNT examined:"
+msg "Obsoleting $OBSOLETE_LIMIT random image candidates ($CANDIDATES/$COUNT total):"
 # Require a minimum number of images to exist.  Also if there is some
 # horrible scripting accident, this limits the blast-radius.
-if [[ "$COUNT" -lt $OBSOLETE_LIMIT ]]
+if [[ "$CANDIDATES" -lt $OBSOLETE_LIMIT ]]
 then
-    die 0 "Safety-net Insufficient images ($COUNT) to process ($OBSOLETE_LIMIT required)"
+    die 0 "Safety-net Insufficient images ($CANDIDATES) to process ($OBSOLETE_LIMIT required)"
 fi
 # Don't let one bad apple ruin the whole bunch
--- a/imgprune/entrypoint.sh
+++ b/imgprune/entrypoint.sh
@ -11,14 +11,14 @@ set -e
 # shellcheck source=imgts/lib_entrypoint.sh
 source /usr/local/bin/lib_entrypoint.sh
-req_env_vars GCPJSON GCPNAME GCPPROJECT
+req_env_vars GCPJSON GCPNAME GCPPROJECT AWSINI IMG_SFX
 gcloud_init
 # Set this to 1 for testing
 DRY_RUN="${DRY_RUN:-0}"
 # For safety's sake limit nr deletions
-DELETE_LIMIT=10
+DELETE_LIMIT=50
 ABOUTNOW=$(date --iso-8601=date)  # precision is not needed for this use
 # Format Ref: https://cloud.google.com/sdk/gcloud/reference/topic/formats
 # Field list from `gcloud compute images list --limit=1 --format=text`
@ -31,7 +31,7 @@ PROJRE="/v1/projects/$GCPPROJECT/global/"
 FILTER="selfLink~$PROJRE AND deprecated.state=OBSOLETE AND deprecated.deleted<$ABOUTNOW"
 TODELETE=$(mktemp -p '' todelete.XXXXXX)
-msg "Searching for obsolete images using filter:${NOR} $FILTER"
+msg "Searching for obsolete GCP images using filter:${NOR} $FILTER"
 # Ref: https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images#deprecating_an_image
 $GCLOUD compute images list --show-deprecated \
    --format="$FORMAT" --filter="$FILTER" | \
@ -39,32 +39,108 @@ $GCLOUD compute images list --show-deprecated \
    do
        count_image
        reason=""
-        permanent=$(egrep --only-matching --max-count=1 --ignore-case 'permanent=true' <<< $labels || true)
+        permanent=$(grep -E --only-matching --max-count=1 --ignore-case 'permanent=true' <<< $labels || true)
        [[ -z "$permanent" ]] || \
            die 1 "Refusing to delete a deprecated image labeled permanent=true.  Please use gcloud utility to set image active, then research the cause of deprecation."
        [[ "$dep_state" == "OBSOLETE" ]] || \
            die 1 "Unexpected depreciation-state encountered for $name: $dep_state; labels: $labels"
        # Any image matching the currently in-use IMG_SFX must always be preserved.
        # Values are defined in cirrus.yml
        # shellcheck disable=SC2154
        if [[ "$name" =~ $IMG_SFX ]]; then
            msg "    Skipping current (latest) image $name"
            continue
        fi
        reason="Obsolete as of $del_date; labels: $labels"
-        echo "$name $reason" >> $TODELETE
+        echo "GCP $name $reason" >> $TODELETE
    done
 msg "Searching for deprecated EC2 images prior to${NOR} $ABOUTNOW"
 aws_init
 # The AWS cli returns a huge blob of data we mostly don't need.
 # # Use query statement to simplify the results.  N/B: The get_tag_value()
 # # function expects to find a "TAGS" item w/ list value.
 ami_query='Images[*].{ID:ImageId,TAGS:Tags,DEP:DeprecationTime,SNAP:BlockDeviceMappings[0].Ebs.SnapshotId}'
 all_amis=$($AWS ec2 describe-images --owners self --query "$ami_query")
 nr_amis=$(jq -r -e length<<<"$all_amis")
 req_env_vars all_amis nr_amis
 for (( i=nr_amis ; i ; i-- )); do
    count_image
    unset ami ami_id dep snap permanent
    ami=$(jq -r -e ".[$((i-1))]"<<<"$all_amis")
    ami_id=$(jq -r -e ".ID"<<<"$ami")
    dep=$(jq -r -e ".DEP"<<<"$ami")
    if [[ "$dep" == null ]] || [[ -z "$dep" ]]; then continue; fi
    dep_ymd=$(date --date="$dep" --iso-8601=date)
    snap=$(jq -r -e ".SNAP"<<<$ami)
    if permanent=$(get_tag_value "permanent" "$ami") && \
       [[ "$permanent" == "true" ]]
    then
        warn 0 "Found permanent image '$ami_id' with deprecation '$dep_ymd'.  Clearing deprecation date."
        $AWS ec2 disable-image-deprecation --image-id "$ami_id" > /dev/null
        continue
    fi
    unset name
    if ! name=$(get_tag_value "Name" "$ami"); then
        warn 0 "    EC2 AMI ID '$ami_id' is missing a 'Name' tag"
    fi
    # Any image matching the currently in-use IMG_SFX
    # must always be preserved.
    if [[ "$name" =~ $IMG_SFX ]]; then
        warn 0 "    Retaining current (latest) image $name id $ami_id"
        $AWS ec2 disable-image-deprecation --image-id "$ami_id" > /dev/null
        continue
    fi
    if [[ $(echo -e "$ABOUTNOW\n$dep_ymd" | sort | tail -1) == "$ABOUTNOW" ]]; then
      reason="Obsolete as of '$dep_ymd'; snap=$snap"
      echo "EC2 $ami_id $reason" >> $TODELETE
    fi
 done
 COUNT=$(<"$IMGCOUNT")
 CANDIDATES=$(wc -l <$TODELETE)
 msg "########################################################################"
-msg "Deleting up to $DELETE_LIMIT random images of $COUNT examined:"
+msg "Deleting up to $DELETE_LIMIT random image candidates ($CANDIDATES/$COUNT total)::"
 # Require a minimum number of images to exist
-if [[ "$COUNT" -lt $DELETE_LIMIT ]]
+if [[ "$CANDIDATES" -lt $DELETE_LIMIT ]]
 then
-    die 0 "Safety-net Insufficient images ($COUNT) to process deletions ($DELETE_LIMIT required)"
+    die 0 "Safety-net Insufficient images ($CANDIDATES) to process deletions ($DELETE_LIMIT required)"
 fi
 sort --random-sort $TODELETE | tail -$DELETE_LIMIT | \
-    while read -r image_name reason; do
+    while read -r cloud image_name reason; do
-    msg "Deleting $image_name:${NOR} $reason"
+    msg "Deleting $cloud $image_name:${NOR} $reason"
    if ((DRY_RUN)); then
        msg "Dry-run: No changes made"
-    else
+    elif [[ "$cloud" == "GCP" ]]; then
        $GCLOUD compute images delete $image_name
    elif [[ "$cloud" == "EC2" ]]; then
        # Snapshot ID's always start with 'snap-' followed by a hexadecimal string
        snap_id=$(echo "$reason" | sed -r -e 's/.* snap=(snap-[a-f0-9]+).*/\1/')
        [[ -n "$snap_id" ]] || \
            die 1 "Failed to parse EC2 snapshot ID for '$image_name' from string: '$reason'"
        # Because it aims to be as helpful and useful as possible, not all failure conditions
        # result in a non-zero exit >:(
        unset output
        output=$($AWS ec2 deregister-image --image-id "$image_name")
        [[ ! "$output" =~ An\ error\ occurred ]] || \
          die 1 "$output"
        msg " ...deleting snapshot $snap_id:${NOR} (formerly used by $image_name)"
        output=$($AWS ec2 delete-snapshot --snapshot-id "$snap_id")
        [[ ! "$output" =~ An\ error\ occurred ]] || \
          die 1 "$output"
    else
        die 1 "Unknown/Unsupported cloud '$cloud' record encountered in \$TODELETE file"
    fi
 done
--- a/imgts/Containerfile
+++ b/imgts/Containerfile
@ -1,19 +1,18 @@
-ARG CENTOS_STREAM_RELEASE=8
+ARG CENTOS_STREAM_RELEASE=9
 FROM quay.io/centos/centos:stream${CENTOS_STREAM_RELEASE}
 ARG dnfycache="dnf -y --setopt=keepcache=true"
 # Only needed for installing build-time dependencies
 COPY /imgts/google-cloud-sdk.repo /etc/yum.repos.d/google-cloud-sdk.repo
-RUN ${dnfycache} update && \
+RUN dnf -y update && \
-    ${dnfycache} install epel-release && \
+    dnf -y install epel-release && \
-    ${dnfycache} install python3 jq && \
+    dnf -y install python3 jq libxcrypt-compat && \
-    ${dnfycache} --exclude=google-cloud-sdk-366.0.0-1 \
+    dnf -y install google-cloud-sdk && \
-        install google-cloud-sdk
+    dnf clean all
 # https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
 ARG AWSURL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
-RUN ${dnfycache} install unzip glibc groff-base less && \
+RUN dnf -y install unzip glibc groff-base less && \
    dnf clean all && \
    cd /tmp && \
    curl --fail --location -O "${AWSURL}" && \
    unzip awscli*.zip && \
--- a/imgts/entrypoint.sh
+++ b/imgts/entrypoint.sh
@ -181,6 +181,10 @@ if [[ -n "$EC2IMGNAMES" ]]; then
        else
            msg "${DRPREFIX}Updated image $image ($amiid) metadata."
        fi
        # Ensure image wasn't previously marked as deprecated.  Ignore
        # confirmation output.
        $AWS ec2 disable-image-deprecation --image-id "$amiid" > /dev/null
    done
 fi
--- a/imgts/google-cloud-sdk.repo
+++ b/imgts/google-cloud-sdk.repo
@ -1,19 +1,9 @@
-# From https://github.com/GoogleCloudPlatform/compute-image-packages
+# Copy-pasted from https://cloud.google.com/sdk/docs/install#red-hatfedoracentos
 [google-compute-engine]
 name=Google Compute Engine
 baseurl=https://packages.cloud.google.com/yum/repos/google-compute-engine-el8-x86_64-stable
 enabled=1
 gpgcheck=1
 repo_gpgcheck=1
 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
-# From https://cloud.google.com/sdk/docs/install#rpm
+[google-cloud-cli]
-[google-cloud-sdk]
+name=Google Cloud CLI
-name=Google Cloud SDK
+baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64
 baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-x86_64
 enabled=1
 gpgcheck=1
 repo_gpgcheck=0
-gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
+gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
--- a/imgts/lib_entrypoint.sh
+++ b/imgts/lib_entrypoint.sh
@ -5,7 +5,7 @@ set -e
 RED="\e[1;31m"
 YEL="\e[1;33m"
 NOR="\e[0m"
-SENTINEL="__unknown__"  # default set in dockerfile
+SENTINEL="__unknown__"  # default set in Containerfile
 # Disable all input prompts
 # https://cloud.google.com/sdk/docs/scripting-gcloud
 GCLOUD="gcloud --quiet"
@ -55,7 +55,7 @@ gcloud_init() {
    then
        TMPF="$1"
    else
-        TMPF=$(mktemp -p '' .$(uuidgen)_XXXX.json)
+        TMPF=$(mktemp -p '' .XXXXXXXX)
        trap "rm -f $TMPF &> /dev/null" EXIT
        # Required variable must be set by caller
        # shellcheck disable=SC2154
@ -77,7 +77,7 @@ aws_init() {
    then
        TMPF="$1"
    else
-        TMPF=$(mktemp -p '' .$(uuidgen)_XXXX.ini)
+        TMPF=$(mktemp -p '' .XXXXXXXX)
    fi
    # shellcheck disable=SC2154
    echo "$AWSINI" > $TMPF
--- a/import_images/README.md
+++ b/import_images/README.md
@ -1,94 +0,0 @@
 # Semi-manual image imports
 ## Overview
 [Due to a bug in
 packer](https://github.com/hashicorp/packer-plugin-amazon/issues/264) and
 the sheer complexity of EC2 image imports, this process is impractical for
 full automation.  It tends toward nearly always requiring supervision of a
 human:
 * There are multiple failure-points, some are not well reported to
  the user by tools here or by AWS itself.
 * The upload of the image to s3 can be unreliable.  Silently corrupting image
  data.
 * The import-process is managed by a hosted AWS service which can be slow
  and is occasionally unreliable.
 * Failure often results in one or more leftover/incomplete resources
  (s3 objects, EC2 snapshots, and AMIs)
 ## Requirements
 * You're generally familiar with the (manual)
  [EC2 snapshot import process](https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-import-snapshot.html).
 * You are in possession of an AWS EC2 account, with the [IAM policy
  `vmimport`](https://docs.aws.amazon.com/vm-import/latest/userguide/required-permissions.html#vmimport-role) attached.
 * Both "Access Key" and "Secret Access Key" values set in [a credentials
  file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).
 * Podman is installed and functional
 * At least 10gig free space under `/tmp`, more if there are failures / multiple runs.
 * *Network bandwidth sufficient for downloading and uploading many GBs of
  data, potentially multiple times.*
 ## Process
 Unless there is a problem with the current contents or age of the
 imported images, this process does not need to be followed.  The
 normal PR-based build workflow can simply be followed as usual.
 This process is only needed to bring newly updated Fedora images into
 AWS to build CI images from.  For example, due to a new Beta or GA release.
 ***Note:*** Most of the steps below will happen within a container environment.
 Any exceptions are noted in the individual steps below with *[HOST]*
 1. *[HOST]* Edit the `Makefile`, update the Fedora release numbers
   under the section
   `##### Important image release and source details #####`
 1. *[HOST]* Run
   ```bash
   $ make image_builder_debug \
         IMG_SFX=$(date +%s) \
         GAC_FILEPATH=/dev/null \
         AWS_SHARED_CREDENTIALS_FILE=/path/to/.aws/credentials
   ```
 1. Run `make import_images` (or `make --jobs=4 import_images` if you're brave).
 1. The following steps should all occur successfully for each imported image.
   1. Image is downloaded.
   1. Image checksum is downloaded.
   1. Image is verified against the checksum.
   1. Image is converted to `VHDX` format.
   1. The `VHDX` image is uploaded to the `packer-image-import` S3 bucket.
   1. AWS `import-snapshot` process is started (uses AWS vmimport service)
   1. Progress of snapshot import is monitored until completion or failure.
   1. The imported snapshot is converted into an AMI
   1. Essential tags are added to the AMI
   1. Details ascii-table about the new AMI is printed on success.
 1. Assuming all image imports were successful, a final success message will be
   printed by `make` with instructions for updating the `Makefile`.
 1. *[HOST]* Update the `Makefile` as instructed, commit the
   changes and push to a PR.  The automated image building process
   takes over and runs as usual.
 ## Failure responses
 This list is not exhaustive, and only represents common/likely failures.
 Normally there is no need to exit the build container.
 * If image download fails, double-check any error output, run `make clean`
  and retry.
 * If checksum validation fails,
  run `make clean`.
  Retry `make import_images`.
 * If s3 upload fails,
  Confirm service availability,
  retry `make import_images`.
 * If snapshot import fails with a `Disk validation failed` error,
  Retry `make import_images`.
 * If snapshot import fails with non-validation error,
  find snapshot in EC2 and delete it manually.
  Retry `make import_images`.
 * If AMI registration fails, remove any conflicting AMIs *and* snapshots.
  Retry `make import_images`.
 * If import was successful but AMI tagging failed, manually add
  the required tags to AMI: `automation=false` and `Name=<name>-i${IMG_SFX}`.
  Where `<name>` is `fedora-aws` or `fedora-aws-arm64`.
--- a/import_images/handle_image.sh
+++ b/import_images/handle_image.sh
@ -1,45 +0,0 @@
 #!/bin/bash
 # This script is intended to be run by packer, usage under any other
 # environment may behave badly. Its purpose is to download a VM
 # image and a checksum file. Verify the image's checksum matches.
 # If it does, convert the downloaded image into the format indicated
 # by the first argument's `.extension`.
 #
 # The first argument is the file path and name for the output image,
 # the second argument is the image download URL (ending in a filename).
 # The third argument is the download URL for a checksum file containing
 # details necessary to verify vs filename included in image download URL.
 set -eo pipefail
 SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
 SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
 REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
 [[ "$#" -eq 3 ]] || \
    die "Expected to be called with three arguments, not: $#"
 # Packer needs to provide the desired filename as it's unable to parse
 # a filename out of the URL or interpret output from this script.
 dest_dirpath=$(dirname "$1")
 dest_filename=$(basename "$1")
 dest_format=$(cut -d. -f2<<<"$dest_filename")
 src_url="$2"
 src_filename=$(basename "$src_url")
 cs_url="$3"
 req_env_vars dest_dirpath dest_filename dest_format src_url src_filename cs_url
 mkdir -p "$dest_dirpath"
 cd "$dest_dirpath"
 [[ -r "$src_filename" ]] || \
    curl --fail --location -O "$src_url"
 echo "Downloading & verifying checksums in $cs_url"
 curl --fail --location "$cs_url" -o - | \
    sha256sum --ignore-missing --check -
 echo "Converting '$src_filename' to ($dest_format format) '$dest_filename'"
 qemu-img convert "$src_filename" -O "$dest_format" "${dest_filename}"
--- a/import_images/manifest.json.in
+++ b/import_images/manifest.json.in
@ -1,31 +0,0 @@
 {
  "builds": [
    {
      "name": "fedora-aws",
      "builder_type": "hamsterwheel",
      "build_time": 0,
      "files": null,
      "artifact_id": "",
      "packer_run_uuid": null,
      "custom_data": {
        "IMG_SFX": "fedora-aws-i@@@IMG_SFX@@@",
        "STAGE": "import",
        "TASK": "@@@CIRRUS_TASK_ID@@@"
      }
    },
    {
      "name": "fedora-aws-arm64",
      "builder_type": "hamsterwheel",
      "build_time": 0,
      "files": null,
      "artifact_id": "",
      "packer_run_uuid": null,
      "custom_data": {
        "IMG_SFX": "fedora-aws-arm64-i@@@IMG_SFX@@@",
        "STAGE": "import",
        "TASK": "@@@CIRRUS_TASK_ID@@@"
      }
    }
  ],
  "last_run_uuid": "00000000-0000-0000-0000-000000000000"
 }
--- a/import_images/register.json.in
+++ b/import_images/register.json.in
@ -1,18 +0,0 @@
 {
 "Name": "@@@NAME@@@-i@@@IMG_SFX@@@",
 "VirtualizationType": "hvm",
 "Architecture": "@@@ARCH@@@",
 "EnaSupport": true,
 "RootDeviceName": "/dev/sda1",
 "BlockDeviceMappings": [
   {
     "DeviceName": "/dev/sda1",
     "Ebs": {
       "DeleteOnTermination": true,
       "SnapshotId": "@@@SNAPSHOT_ID@@@",
       "VolumeSize": 10,
       "VolumeType": "gp2"
     }
   }
 ]
 }
--- a/import_images/wait_import_task.sh
+++ b/import_images/wait_import_task.sh
@ -1,84 +0,0 @@
 #!/bin/bash
 # This script is intended to be called by the main Makefile
 # to wait for and confirm successful import and conversion
 # of an uploaded image object from S3 into EC2. It expects
 # the path to a file containing the import task ID as the
 # first argument.
 #
 # If the import is successful, the snapshot ID is written
 # to stdout. Otherwise, all output goes to stderr, and
 # the script exits non-zero on failure or timeout. On
 # failure, the file containing the import task ID will
 # be removed.
 set -eo pipefail
 AWS="${AWS:-aws --output json --region us-east-1}"
 # The import/conversion process can take a LONG time, have observed
 # > 10 minutes on occasion.  Normally, takes 2-5 minutes.
 SLEEP_SECONDS=10
 TIMEOUT_SECONDS=720
 TASK_ID_FILE="$1"
 tmpfile=$(mktemp -p '' tmp.$(basename ${BASH_SOURCE[0]}).XXXX)
 die() { echo "ERROR: ${1:-No error message provided}" > /dev/stderr; exit 1; }
 msg() { echo "${1:-No error message provided}" > /dev/stderr; }
 unset snapshot_id
 handle_exit() {
    set +e
    rm -f "$tmpfile" &> /dev/null
    if [[ -n "$snapshot_id" ]]; then
        msg "Success ($task_id): $snapshot_id"
        echo -n "$snapshot_id" > /dev/stdout
        return 0
    fi
    rm -f "$TASK_ID_FILE"
    die "Timeout or other error reported while waiting for snapshot import"
 }
 trap handle_exit EXIT
 [[ -n "$AWS_SHARED_CREDENTIALS_FILE" ]] || \
    die "\$AWS_SHARED_CREDENTIALS_FILE must not be unset/empty."
 [[ -r "$1" ]] || \
    die "Can't read task id from file '$TASK_ID_FILE'"
 task_id=$(<$TASK_ID_FILE)
 msg "Waiting up to $TIMEOUT_SECONDS seconds for '$task_id' import.  Checking progress every $SLEEP_SECONDS seconds."
 for (( i=$TIMEOUT_SECONDS ; i ; i=i-$SLEEP_SECONDS )); do \
    # Sleep first, to give AWS time to start meaningful work.
    sleep ${SLEEP_SECONDS}s
    $AWS ec2 describe-import-snapshot-tasks \
        --import-task-ids $task_id > $tmpfile
    if  ! st_msg=$(jq -r -e '.ImportSnapshotTasks[0].SnapshotTaskDetail.StatusMessage?' $tmpfile) && \
        [[ -n $st_msg ]] && \
        [[ ! "$st_msg" =~ null ]]
    then
        die "Unexpected result: $st_msg"
    elif egrep -iq '(error)|(fail)' <<<"$st_msg"; then
        die "$task_id: $st_msg"
    fi
    msg "$task_id: $st_msg (${i}s remaining)"
    # Why AWS you use StatusMessage && Status? Bad names! WHY!?!?!?!
    if  status=$(jq -r -e '.ImportSnapshotTasks[0].SnapshotTaskDetail.Status?' $tmpfile) && \
        [[ "$status" == "completed" ]] && \
        snapshot_id=$(jq -r -e '.ImportSnapshotTasks[0].SnapshotTaskDetail.SnapshotId?' $tmpfile)
    then
        msg "Import complete to: $snapshot_id"
        break
    else
        unset snapshot_id
    fi
 done
--- a/lib.sh
+++ b/lib.sh
@ -19,26 +19,11 @@ OS_REL_VER="$OS_RELEASE_ID-$OS_RELEASE_VER"
 # This location is checked by automation in other repos, please do not change.
 PACKAGE_DOWNLOAD_DIR=/var/cache/download
-INSTALL_AUTOMATION_VERSION="4.1.2"
+# N/B: This is managed by renovate
-
+INSTALL_AUTOMATION_VERSION="5.0.1"
 PUSH_LATEST="${PUSH_LATEST:-0}"
 # Mask secrets in show_env_vars() from automation library
-SECRET_ENV_RE='(ACCOUNT)|(.+_JSON)|(AWS.+)|(SSH)|(PASSWORD)|(TOKEN)'
+SECRET_ENV_RE='(^PATH$)|(^BASH_FUNC)|(^_.*)|(.*PASSWORD.*)|(.*TOKEN.*)|(.*SECRET.*)|(.*ACCOUNT.*)|(.+_JSON)|(AWS.+)|(.*SSH.*)|(.*GCP.*)'
 # Some platforms set and make this read-only
 [[ -n "$UID" ]] || \
    UID=$(getent passwd $USER | cut -d : -f 3)
 SUDO=""
 if [[ -n "$UID" ]] && [[ "$UID" -ne 0 ]]; then
    SUDO="sudo"
 fi
 if [[ "$OS_RELEASE_ID" == "debian" ]]; then
    export DEBIAN_FRONTEND=noninteractive
    SUDO="$SUDO env DEBIAN_FRONTEND=$DEBIAN_FRONTEND"
 fi
 if [[ -r "/etc/automation_environment" ]]; then
    source /etc/automation_environment
@ -55,13 +40,28 @@ else  # Automation common library not installed yet
    bigto() { die "Automation library not installed; Required for bigto()"; }
 fi
 # Setting noninteractive is critical, apt-get can hang w/o it.
 # N/B: Must be done _after_ potential loading of automation libraries
 export SUDO="env DEBIAN_FRONTEND=noninteractive"
 if [[ "$UID" -ne 0 ]]; then
    export SUDO="sudo env DEBIAN_FRONTEND=noninteractive"
 fi
 install_automation_tooling() {
    local version_arg
    version_arg="$INSTALL_AUTOMATION_VERSION"
    if [[ "$1" == "latest" ]]; then
      version_arg="latest"
      shift
    fi
    # This script supports installing all current and previous versions
    local installer_url="https://raw.githubusercontent.com/containers/automation/master/bin/install_automation.sh"
    curl --silent --show-error --location \
         --url "$installer_url" | \
         $SUDO env INSTALL_PREFIX=/usr/share /bin/bash -s - \
-        "$INSTALL_AUTOMATION_VERSION" "$@"
+        "$version_arg" "$@"
    # This defines AUTOMATION_LIB_PATH
    source /usr/share/automation/environment
    #shellcheck disable=SC1090
@ -168,9 +168,13 @@ skip_on_pr_label() {
 # print a space-separated list of labels when run under Cirrus-CI for a PR
 get_pr_labels() {
-    req_env_vars CIRRUS_CI CIRRUS_PR CIRRUS_REPO_CLONE_TOKEN
+    req_env_vars CIRRUS_CI CIRRUS_REPO_CLONE_TOKEN
    req_env_vars CIRRUS_REPO_OWNER CIRRUS_REPO_NAME
    # Empty for non-PRs
    # shellcheck disable=SC2154
    [[ -n "$CIRRUS_PR" ]] || return 0
    local query h_accept h_content api result fltrpfx
    local filter labels h_auth h_accept h_content
@ -234,7 +238,7 @@ remove_netavark_aardvark_files() {
    do
        # Sub-directories may contain unrelated/valuable stuff
        if [[ -d "$fullpath" ]]; then continue; fi
-        sudo rm -vf "$fullpath"
+        $SUDO rm -vf "$fullpath"
    done
 }
@ -282,6 +286,16 @@ unmanaged-devices=interface-name:*podman*;interface-name:veth*
 EOF
 }
 # Create a local registry, seed it with remote images
 initialize_local_cache_registry() {
    msg "Initializing local cache registry"
    #shellcheck disable=SC2154
    $SUDO ${SCRIPT_DIRPATH}/local-cache-registry initialize
    msg "du -sh /var/cache/local-registry"
    du -sh /var/cache/local-registry
 }
 common_finalize() {
    set -x  # extra detail is no-longer necessary
    cd /
@ -294,7 +308,7 @@ common_finalize() {
    $SUDO rm -rf /var/lib/cloud/instanc*
    $SUDO rm -rf /root/.ssh/*
    $SUDO rm -rf /etc/ssh/*key*
-    $SUDO rm -rf /tmp/*
+    $SUDO rm -rf /tmp/* /var/tmp/automation_images
    $SUDO rm -rf /tmp/.??*
    echo -n "" | $SUDO tee /etc/machine-id
    $SUDO sync
@ -316,7 +330,10 @@ rh_finalize() {
    # Packaging cache is preserved across builds of container images
    $SUDO rm -f /etc/udev/rules.d/*-persistent-*.rules
    $SUDO touch /.unconfigured  # force firstboot to run
-    common_finalize
+
    echo
    echo "# PACKAGE LIST"
    rpm -qa | sort
 }
 # Called during VM Image setup, not intended for general use.
@ -332,7 +349,9 @@ debian_finalize() {
    fi
    set -x
    # Packaging cache is preserved across builds of container images
-    common_finalize
+    # pipe-cat is not a NOP! It prevents using $PAGER and then hanging
    echo "# PACKAGE LIST"
    dpkg -l | cat
 }
 finalize() {
@ -345,4 +364,6 @@ finalize() {
    else
        die "Unknown/Unsupported Distro '$OS_RELEASE_ID'"
    fi
    common_finalize
 }
--- a/orphanvms/_ec2
+++ b/orphanvms/_ec2
@ -40,8 +40,10 @@ fi
 # I don't expect there will ever be more than maybe 0-20 instances at any time.
 for instance_index in $(seq 1 $(jq -e 'length'<<<"$simple_inst_list")); do
    instance=$(jq -e ".[$instance_index - 1]"<<<"$simple_inst_list")
    # aws commands require an instance ID
    instid=$(jq -r ".ID"<<<"$instance")
    # A Name-tag isn't guaranteed, default to stupid, unreadable, generated ID
-    name=$(jq -r ".ID"<<<"$instance")
+    name=$instid
    if name_tag=$(get_tag_value "Name" "$instance"); then
        # This is MUCH more human-friendly and easier to find in the WebUI.
        # If it was an instance leaked by Cirrus-CI, it may even include the
@ -69,6 +71,7 @@ for instance_index in $(seq 1 $(jq -e 'length'<<<"$simple_inst_list")); do
        continue
    fi
    # First part of the status line item to append in the e-mail
    line="* VM $name running $age_days days"
    # It would be nice to list all the tags like we do for GCE VMs,
@ -76,7 +79,39 @@ for instance_index in $(seq 1 $(jq -e 'length'<<<"$simple_inst_list")); do
    # Only print this handy-one (set by get_ci_vm) if it's there.
    if inuseby_tag=$(get_tag_value "in-use-by" "$instance"); then
        dbg "Found instance '$name' tagged in-use-by=$inuseby_tag."
-        line+=" tagged in-use-by=$inuseby_tag"
+        line+="; likely get_ci_vm, in-use-by=$inuseby_tag"
    elif ((DRY_RUN==0)); then # NOT a persistent or a get_ci_vm instance
        # Around Jun/Jul '23 an annoyingly steady stream of EC2 orphans were
        # reported to Cirrus-support.  They've taken actions to resolve,
        # but the failure-modes are many and complex.  Since most of the EC2
        # instances are rather expensive to keep needlessly running, and manual
        # cleanup is annoying, try to terminate them automatically.
        dbg "Attempting to terminate instance '$name'"
        # Operation runs asynchronously, no error reported for already terminated instance.
        # Any stdout/stderr here would make the eventual e-mail unreadable.
        if ! termout=$(aws ec2 terminate-instances --no-paginate --output json --instance-ids "$instid" 2>&1)
        then
            echo "::error::Auto-term. of '$instid' failed, 'aws' output: $termout" > /dev/stderr
            # Catch rare TOCTOU race, instance was running, terminated, and pruned while looping.
            # (terminated instances stick around for a while until purged automatically)
            if [[ "$termout" =~ InvalidInstanceID ]]; then
                line+="; auto-term. failed, instance vanished"
            else  # Something else horrible broke, let the operators know.
                line+="; auto-term. failed, see GHA workflow log"
            fi
        else
            dbg "Successful term. command output: '$termout'"
            # At this point, the script could sit around in a poll-loop, waiting to confirm
            # the `$termout` JSON contains `CurrentState: { Code: 48, Name: terminated }`.
            # However this could take _minutes_, and there may be a LOT of instances left
            # to process.  Do the next best thing: Hope the termination eventually works,
            # but also let the operator know an attempt was made.
            line+="; probably successful auto-termination"
        fi
    else  # no in-use-by tag, DRY_RUN==1
        dbg "DRY_RUN: Would normally have tried to terminate instance '$name' (ID $instid)"
    fi
    echo "$line" >> "$OUTPUT"
--- a/orphanvms/entrypoint.sh
+++ b/orphanvms/entrypoint.sh
@ -18,7 +18,9 @@ req_env_vars GCPJSON GCPNAME GCPPROJECT GCPPROJECTS AWSINI
 NOW=$(date +%s)
 TOO_OLD='3 days ago'  # Detect Friday Orphans on Monday
 EVERYTHING=${EVERYTHING:-0}  # set to '1' for testing
 DRY_RUN=${DRY_RUN:-0}
 if ((EVERYTHING)); then
    DRY_RUN=1
    TOO_OLD="3 seconds ago"
 fi
 # Anything older than this is "too old"
--- a/podman/Containerfile
+++ b/podman/Containerfile
@ -15,6 +15,16 @@ ARG PACKER_BUILD_NAME=
 ENV AI_PATH=/usr/src/automation_images \
    CONTAINER=1
 ARG IMG_SFX=
 ARG CIRRUS_TASK_ID=
 ARG GIT_HEAD=
 # Ref: https://github.com/opencontainers/image-spec/blob/main/annotations.md
 LABEL org.opencontainers.image.url="https://cirrus-ci.com/task/${CIRRUS_TASK_ID}"
 LABEL org.opencontainers.image.documentation="https://github.com/containers/automation_images/blob/${GIT_HEAD}/README.md#container-images-overview-step-2"
 LABEL org.opencontainers.image.source="https://github.com/containers/automation_images/blob/${GIT_HEAD}/podman/Containerfile"
 LABEL org.opencontainers.image.version="${IMG_SFX}"
 LABEL org.opencontainers.image.revision="${GIT_HEAD}"
 # Only add needed files to avoid invalidating build cache
 ADD /lib.sh "$AI_PATH/"
 ADD /podman/* "$AI_PATH/podman/"
--- a/skopeo_cidev/Containerfile
+++ b/skopeo_cidev/Containerfile
@ -12,7 +12,6 @@ RUN dnf -y update && \
    dnf clean all
 ENV REG_REPO="https://github.com/docker/distribution.git" \
    REG_COMMIT="b5ca020cfbe998e5af3457fda087444cf5116496" \
    REG_COMMIT_SCHEMA1="ec87e9b6971d831f0eff752ddb54fb64693e51cd" \
    OSO_REPO="https://github.com/openshift/origin.git" \
    OSO_TAG="v1.5.0-alpha.3"
--- a/skopeo_cidev/setup.sh
+++ b/skopeo_cidev/setup.sh
@ -9,7 +9,6 @@ set -e
 declare -a req_vars
 req_vars=(\
    REG_REPO
    REG_COMMIT
    REG_COMMIT_SCHEMA1
    OSO_REPO
    OSO_TAG
@ -43,12 +42,6 @@ cd "$REG_GOSRC"
 (
    # This is required to be set like this by the build system
    export GOPATH="$PWD/Godeps/_workspace:$GOPATH"
    # This comes in from the Containerfile
    # shellcheck disable=SC2154
    git checkout -q "$REG_COMMIT"
    go build -o /usr/local/bin/registry-v2 \
        github.com/docker/distribution/cmd/registry
    # This comes in from the Containerfile
    # shellcheck disable=SC2154
    git checkout -q "$REG_COMMIT_SCHEMA1"
@ -68,6 +61,10 @@ sed -i -e 's/\[\[ "\${go_version\[2]}" < "go1.5" ]]/false/' ./hack/common.sh
 # 8 characters long.  This can happen if/when systemd-resolved adds 'trust-ad'.
 sed -i  '/== "attempts:"/s/ 8 / 9 /' vendor/github.com/miekg/dns/clientconfig.go
 # Backport https://github.com/ugorji/go/commit/8286c2dc986535d23e3fad8d3e816b9dd1e5aea6
 # Go ≥ 1.22 panics with a base64 encoding using duplicated characters.
 sed -i -e 's,"encoding/base64","encoding/base32", ; s,base64.NewEncoding("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789__"),base32.NewEncoding("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef"),' vendor/github.com/ugorji/go/codec/gen.go
 make build
 make all WHAT=cmd/dockerregistry
 cp -a ./_output/local/bin/linux/*/* /usr/local/bin/
--- a/systemd_banish.sh
+++ b/systemd_banish.sh
@ -7,11 +7,12 @@
 set +e  # Not all of these exist on every platform
-SUDO=""
+# Setting noninteractive is critical, apt-get can hang w/o it.
-[[ "$UID" -eq 0 ]] || \
+if [[ "$UID" -ne 0 ]]; then
-    SUDO="sudo"
+    export SUDO="sudo env DEBIAN_FRONTEND=noninteractive"
 fi
-EVIL_UNITS="cron crond atd apt-daily-upgrade apt-daily fstrim motd-news systemd-tmpfiles-clean update-notifier-download mlocate-updatedb"
+EVIL_UNITS="cron crond atd apt-daily-upgrade apt-daily fstrim motd-news systemd-tmpfiles-clean update-notifier-download mlocate-updatedb plocate-updatedb"
 if [[ "$1" == "--list" ]]
 then
@ -41,3 +42,44 @@ if [[ -d "$EAAD" ]]; then
        echo "Checking/Patching $filename"
        $SUDO sed -i -r -e "s/$PERIODIC_APT_RE/"'\10"\;/' "$EAAD/$filename"; done
 fi
 # Early 2023: https://github.com/containers/podman/issues/16973
 #
 # We see countless instances of "lookup cdn03.quay.io" flakes.
 # Disabling the systemd resolver (Podman #17505) seems to have almost
 # eliminated those -- the exceptions are early-on steps that run
 # before that happens.
 #
 # Opinions differ on the merits of systemd-resolve, but the fact is
 # it breaks our CI testing. Here we disable it for all VMs.
 # shellcheck disable=SC2154
 if ! ((CONTAINER)); then
    nsswitch=/etc/authselect/nsswitch.conf
    if [[ -e $nsswitch ]]; then
        if grep -q -E 'hosts:.*resolve' $nsswitch; then
            echo "Disabling systemd-resolved"
            $SUDO sed -i -e 's/^\(hosts: *\).*/\1files dns myhostname/' $nsswitch
            $SUDO systemctl disable --now systemd-resolved
            $SUDO rm -f /etc/resolv.conf
            # NetworkManager may already be running, or it may not....
            $SUDO systemctl start NetworkManager
            sleep 1
            $SUDO systemctl restart NetworkManager
            # ...and it may create resolv.conf upon start/restart, or it
            # may not. Keep restarting until it does. (Yes, I realize
            # this is cargocult thinking. Don't care. Not worth the effort
            # to diagnose and solve properly.)
            retries=10
            while ! test -e /etc/resolv.conf;do
                retries=$((retries - 1))
                if [[ $retries -eq 0 ]]; then
                    die "Timed out waiting for resolv.conf"
                fi
                $SUDO systemctl restart NetworkManager
                sleep 5
            done
        fi
    fi
 fi
--- a/win_images/enable-rdp-userdata.xml
+++ b/win_images/enable-rdp-userdata.xml
@ -0,0 +1,4 @@
 <powershell>
 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
 Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
 </powershell>
--- a/win_images/win-lib.ps1
+++ b/win_images/win-lib.ps1
@ -0,0 +1,50 @@
 $ErrorActionPreference = "stop"
 Set-ExecutionPolicy Bypass -Scope Process -Force
 function Check-Exit {
  param(
    [parameter(ValueFromRemainingArguments = $true)]
    [string[]] $codes = @(0)
  )
  if ($LASTEXITCODE -eq $null) {
    return
  }
  foreach ($code in $codes) {
    if ($LASTEXITCODE -eq $code) {
      return
    }
  }
  Exit $LASTEXITCODE
 }
 # Retry installation on failure or 5-minute timeout (for all packages)
 function retryInstall {
    param([Parameter(ValueFromRemainingArguments)] [string[]] $pkgs)
    foreach ($pkg in $pkgs) {
        for ($retries = 0; ; $retries++) {
            if ($retries -gt 5) {
                throw "Could not install package $pkg"
            }
            if ($pkg -match '(.[^\@]+)@(.+)') {
                $pkg = @("--version", $Matches.2, $Matches.1)
            }
            # Chocolatey best practices as of 2024-04:
            #   https://docs.chocolatey.org/en-us/choco/commands/#scripting-integration-best-practices-style-guide
            # Some of those are suboptimal, e.g., using "upgrade" to mean "install",
            # hardcoding a specific API URL. We choose to reject those.
            choco install $pkg -y --allow-downgrade --execution-timeout=300
            if ($LASTEXITCODE -eq 0) {
                break
            }
            Write-Host "Error installing, waiting before retry..."
            Start-Sleep -Seconds 6
        }
    }
 }
--- a/win_images/win-server-wsl.yml
+++ b/win_images/win-server-wsl.yml
@ -17,24 +17,29 @@ builders:
      most_recent: true
      owners:
        - amazon
-    # While this image should run on metal, we can build it on smaller/cheaper systems 
+    # While this image should run on metal, we can build it on smaller/cheaper systems
    instance_type: t3.large
    force_deregister: true  # Remove AMI with same name if exists
    force_delete_snapshot: true  # Also remove snapshots of force-removed AMI
    # Note that we do not set shutdown_behavior to terminate, as a clean shutdown is required
    # for windows provisioning to complete successfully.
    communicator: winrm
-    winrm_username: Administrator # AWS provisions Administrator, unlike GCE 
+    winrm_username: Administrator # AWS provisions Administrator, unlike GCE
    winrm_insecure: true
    winrm_use_ssl: true
    winrm_timeout: 25m
    # Script that runs on server start, needed to prep and enable winrm
-    user_data_file: '{{template_dir}}/bootstrap.ps1' 
+    user_data_file: '{{template_dir}}/bootstrap.ps1'
    # Required for network access, must be the 'default' group used by Cirrus-CI
    security_group_id: "sg-042c75677872ef81c"
    ami_name: &ami_name '{{build_name}}-c{{user `IMG_SFX`}}'
    ami_description: 'Built in https://cirrus-ci.com/task/{{user `CIRRUS_TASK_ID`}}'
-
+    launch_block_device_mappings:
      - device_name: '/dev/sda1'
        volume_size: 200
        volume_type: 'gp3'
        iops: 6000
        delete_on_termination: true
    # These are critical and used by security-polciy to enforce instance launch limits.
    tags: &awstags
        # EC2 expects "Name" to be capitalized
@ -53,18 +58,22 @@ builders:
 provisioners:
  - type: powershell
-    script: '{{template_dir}}/win_packaging.ps1'
+    inline:
      - '$ErrorActionPreference = "stop"'
      - 'New-Item -Path "c:\" -Name "temp" -ItemType "directory" -Force'
      - 'New-Item -Path "c:\temp" -Name "automation_images" -ItemType "directory" -Force'
  - type: 'file'
    source: '{{ pwd }}/'
    destination: "c:\\temp\\automation_images\\"
  - type: powershell
    inline:
      - 'c:\temp\automation_images\win_images\win_packaging.ps1'
  # Several installed items require a reboot, do that now in case it would
  # cause a problem with final image preperations.
  - type: windows-restart
  - type: powershell
    inline:
-      # Disable WinRM as a security precuation (cirrus launches an agent from user-data, so we don't need it)
+      - 'c:\temp\automation_images\win_images\win_finalization.ps1'
      - Set-Service winrm -StartupType Disabled
      # Also disable RDP (can be enabled via user-data manually)
      - Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
      - Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
  # Setup Autologon and reset, must be last, due to pw change
  - type: powershell
    script: '{{template_dir}}/auto_logon.ps1'
 post-processors:
@ -75,4 +84,3 @@ post-processors:
      IMG_SFX: '{{ user `IMG_SFX` }}'
      STAGE: cache
      TASK: '{{user `CIRRUS_TASK_ID`}}'
--- a/win_images/win_finalization.ps1
+++ b/win_images/win_finalization.ps1
@ -1,6 +1,13 @@
 $ErrorActionPreference = "stop"
 $username = "Administrator"
 . $PSScriptRoot\win-lib.ps1
 # Disable WinRM as a security precuation (cirrus launches an agent from user-data, so we don't need it)
 Set-Service winrm -StartupType Disabled
 # Also disable RDP (can be enabled via user-data manually)
 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
 Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
 $username = "Administrator"
 # Temporary random password to allow autologon that will be replaced
 # before the instance is put into service.
 $syms = [char[]]([char]'a'..[char]'z'  `
@ -15,8 +22,8 @@ $encPass = ConvertTo-SecureString $password -AsPlainText -Force
 Set-LocalUser -Name $username -Password $encPass
 $winLogon= "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
-Set-ItemProperty $winLogon "AutoAdminLogon" -Value "1" -type String 
+Set-ItemProperty $winLogon "AutoAdminLogon" -Value "1" -type String
-Set-ItemProperty $winLogon "DefaultUsername" -Value $username -type String 
+Set-ItemProperty $winLogon "DefaultUsername" -Value $username -type String
 Set-ItemProperty $winLogon "DefaultPassword" -Value $password -type String
 # Lock the screen immediately, even though it's unattended, just in case
@ -28,6 +35,6 @@ Set-ItemProperty `
 # NOTE: For now, we do not run sysprep, since initialization with reboots
 # are exceptionally slow on metal nodes, which these target to run. This
 # will lead to a duplicate machine id, which is not ideal, but allows
-# instances to start instantly. So, instead of sysprep, trigger a reset so
+# instances to start quickly. So, instead of sysprep, trigger a reset so
-# that the admin password reset, and activation rerun on boot
+# that the admin password reset, and activation rerun on boot.
 & 'C:\Program Files\Amazon\EC2Launch\ec2launch' reset --block
--- a/win_images/win_packaging.ps1
+++ b/win_images/win_packaging.ps1
@ -1,36 +1,36 @@
 function CheckExit {
  param(
    [parameter(ValueFromRemainingArguments = $true)]
    [string[]] $codes = @(0)
  )
  if ($LASTEXITCODE -eq $null) {
    return
  }
  foreach ($code in $codes) {
    if ($LASTEXITCODE -eq $code) {
      return
    }
  }
  Exit $LASTEXITCODE
 }
 . $PSScriptRoot\win-lib.ps1
 # Disables runtime process virus scanning, which is not necessary
 Set-MpPreference -DisableRealtimeMonitoring 1
 $ErrorActionPreference = "stop"
 Set-ExecutionPolicy Bypass -Scope Process -Force
 [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
 iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
-# Install Git, BZ2 archive support, Go, and the MingW (GCC for Win) compiler for CGO support
+# Install basic required tooling.
-# Add pstools to workaorund sess 0 WSL bug
+#   psexec needed to workaround session 0 WSL bug
-choco install -y git mingw archiver psexec; CheckExit
+retryInstall 7zip git archiver psexec golang mingw StrawberryPerl zstandard; Check-Exit
-choco install golang --version 1.19.2 -y; CheckExit
+
 # Update service is required for dotnet
 Set-Service -Name wuauserv -StartupType "Manual"; Check-Exit
 # Install dotnet as that's the best way to install WiX 4+
 # Choco does not support installing anything over WiX 3.14
 Invoke-WebRequest -Uri https://dotnet.microsoft.com/download/dotnet/scripts/v1/dotnet-install.ps1 -OutFile dotnet-install.ps1
 .\dotnet-install.ps1 -InstallDir 'C:\Program Files\dotnet'
 # Configure NuGet sources for dotnet to fetch wix (and other packages) from
 & 'C:\Program Files\dotnet\dotnet.exe' nuget add source https://api.nuget.org/v3/index.json -n nuget.org
 # Install wix
 & 'C:\Program Files\dotnet\dotnet.exe' tool install --global wix
 # Install Hyper-V
 Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
 Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-PowerShell -All -NoRestart
 Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients -All -NoRestart
 # Install WSL, and capture text output which is not normally visible
-$x = wsl --install; CheckExit 0 1 # wsl returns 1 on reboot required
+$x = wsl --install; Check-Exit 0 1 # wsl returns 1 on reboot required
-Write-Output $x
+Write-Host $x
 Exit 0
		`@ -0,0 +1,2 @@`
							`IMGSFX,IMG-SFX->IMG_SFX`
							`Dockerfile->Containerfile`
`@ -1 +1 @@`
	`20230223t153813z-f37f36d12`	`20250812t173301z-f42f41d13`