From 3e7e5b8041683be5abe77f2ac90fbffea452059d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= <tim@siosm.fr>
Date: Tue, 21 Jun 2022 10:30:10 +0000
Subject: [PATCH 1/3] Rework default variant selection

See https://github.com/coreos/coreos-assembler/pull/2934
---
 .gitignore            |  2 ++
 ci/prow-entrypoint.sh | 28 ++++++++++++++--------------
 extensions.yaml       |  1 -
 manifest.yaml         |  1 -
 select_version.sh     | 35 -----------------------------------
 variant_default       |  1 +
 variant_rhcos         |  1 +
 variant_rhel-8.6      |  1 +
 8 files changed, 19 insertions(+), 51 deletions(-)
 delete mode 120000 extensions.yaml
 delete mode 120000 manifest.yaml
 delete mode 100755 select_version.sh
 create mode 120000 variant_default
 create mode 120000 variant_rhcos
 create mode 100644 variant_rhel-8.6

diff --git a/.gitignore b/.gitignore
index b4d89b587..3bf5c6d47 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 /*.repo
 /content_sets.yaml
+/manifest.yaml
+/extensions.yaml
diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh
index d4d114fb7..8f39ad925 100755
--- a/ci/prow-entrypoint.sh
+++ b/ci/prow-entrypoint.sh
@@ -44,17 +44,13 @@ cosa_init() {
     echo "Using $cosa_dir for build"
     cd "$cosa_dir"
 
-    # Setup source tree
-    cosa init --transient "${tmp_src}/os"
-    # Select RHEL os CentOS Stream version
-    # This must be defined for each test job entry point
-    if [[ -z ${RHELVER+x} ]]; then
+    # Require the CI jobs to explicitly setup the variant to avoid mistakes
+    if [[ -z ${OSVER+x} ]]; then
         echo "No RHEL or CentOS Stream version selected to build RHCOS/SCOS"
         exit 1
     fi
-    pushd src/config
-    ./select_version.sh "${RHELVER}"
-    popd
+    # Setup source tree, selecting a variant
+    cosa init --transient "${tmp_src}/os" "${OSVER}"
 }
 
 # Do a cosa build & cosa build-extensions only.
@@ -67,14 +63,18 @@ cosa_build() {
     # to X-Y format
     ocpver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]')
     ocpver_mut=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]' | sed 's|\.|-|')
-    prev_build_url=${REDIRECTOR_URL}/rhcos-${ocpver}/
-    # Fetch the previous build
-    cosa buildfetch --url="${prev_build_url}"
+
+    # Temporary workaround until we publish builds for other versions
+    if [[ "${OSVER}" == "rhel-8.6" ]]; then
+        prev_build_url=${REDIRECTOR_URL}/rhcos-${ocpver}/
+        # Fetch the previous build
+        cosa buildfetch --url="${prev_build_url}"
+    fi
 
     # Fetch the repos corresponding to the release we are building
     # Temporarily double checked until we have uniformity for all RHEL and
     # CentOS versions
-    if [[ "${RHELVER}" == "rhel-8.6" ]]; then
+    if [[ "${OSVER}" == "rhel-8.6" ]]; then
         rhelver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["automatic-version-prefix"]' | cut -f2 -d.)
         curl -L "http://base-${ocpver_mut}-rhel${rhelver}.ocp.svc.cluster.local" -o "src/config/ocp.repo"
     fi
@@ -171,14 +171,14 @@ main () {
             cosa_build
             ;;
         "rhcos-cosa-prow-pr-ci" | "rhcos-86-build-test-qemu")
-            RHELVER="rhel-8.6"
+            OSVER="rhel-8.6"
             setup_user
             cosa_init
             cosa_build
             kola_test_qemu
             ;;
         "rhcos-86-build-test-metal")
-            RHELVER="rhel-8.6"
+            OSVER="rhel-8.6"
             setup_user
             cosa_init
             cosa_build
diff --git a/extensions.yaml b/extensions.yaml
deleted file mode 120000
index 051d254e5..000000000
--- a/extensions.yaml
+++ /dev/null
@@ -1 +0,0 @@
-extensions-rhel-8.6.yaml
\ No newline at end of file
diff --git a/manifest.yaml b/manifest.yaml
deleted file mode 120000
index e3f5abc13..000000000
--- a/manifest.yaml
+++ /dev/null
@@ -1 +0,0 @@
-rhel-8.6.yaml
\ No newline at end of file
diff --git a/select_version.sh b/select_version.sh
deleted file mode 100755
index 75364c762..000000000
--- a/select_version.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/bash
-# Select the version of RHCOS or SCOS that you want to build from this repo
-set -euxo pipefail
-
-# The current default for RHCOS in OCP 4.11 and later is RHEL 8.6
-RHELVER="rhel-8.6"
-
-main() {
-    local osver=""
-    local content_sets_required="false"
-    if [[ "$#" -ne 1 ]]; then
-        osver="$RHELVER"
-    else
-        osver="$1"
-    fi
-
-    case "$osver" in
-        "rhel-8.6")
-            echo "Building RHCOS based on ${osver}"
-            content_sets_required="true"
-            ;;
-        *)
-            echo "Unknown OS version: ${osver}"
-            exit 1
-            ;;
-    esac
-
-    ln -snf "extensions-${osver}.yaml" "extensions.yaml"
-    ln -snf "${osver}.yaml" "manifest.yaml"
-    if [[ "${content_sets_required}" == "true" ]]; then
-        ln -snf "content_sets-${osver}.yaml" "content_sets.yaml"
-    fi
-}
-
-main "${@}"
diff --git a/variant_default b/variant_default
new file mode 120000
index 000000000..e5959cac9
--- /dev/null
+++ b/variant_default
@@ -0,0 +1 @@
+variant_rhel-8.6
\ No newline at end of file
diff --git a/variant_rhcos b/variant_rhcos
new file mode 120000
index 000000000..e5959cac9
--- /dev/null
+++ b/variant_rhcos
@@ -0,0 +1 @@
+variant_rhel-8.6
\ No newline at end of file
diff --git a/variant_rhel-8.6 b/variant_rhel-8.6
new file mode 100644
index 000000000..23c7ea772
--- /dev/null
+++ b/variant_rhel-8.6
@@ -0,0 +1 @@
+rhel-8.6

From 48b6ef47063b8c3a50ae3f18ae35d5181259088c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= <tim@siosm.fr>
Date: Tue, 21 Jun 2022 10:34:14 +0000
Subject: [PATCH 2/3] manifest & ci: Add RHEL 9.0 variant

---
 ci/prow-entrypoint.sh    |  20 ++++-
 extensions-rhel-9.0.yaml |  62 +++++++++++++++
 rhel-9.0.yaml            | 161 +++++++++++++++++++++++++++++++++++++++
 variant_rhel-9.0         |   1 +
 4 files changed, 243 insertions(+), 1 deletion(-)
 create mode 100644 extensions-rhel-9.0.yaml
 create mode 100644 rhel-9.0.yaml
 create mode 100644 variant_rhel-9.0

diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh
index 8f39ad925..c5a6f8b7b 100755
--- a/ci/prow-entrypoint.sh
+++ b/ci/prow-entrypoint.sh
@@ -77,6 +77,10 @@ cosa_build() {
     if [[ "${OSVER}" == "rhel-8.6" ]]; then
         rhelver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["automatic-version-prefix"]' | cut -f2 -d.)
         curl -L "http://base-${ocpver_mut}-rhel${rhelver}.ocp.svc.cluster.local" -o "src/config/ocp.repo"
+    elif [[ "${OSVER}" == "rhel-9.0" ]]; then
+        # Temporary workaround until we have all packages for RHCOS 9
+        curl -L "http://base-${ocpver_mut}-rhel86.ocp.svc.cluster.local" -o "src/config/ocp.repo"
+        curl -L "http://base-${ocpver_mut}-rhel90.ocp.svc.cluster.local" -o "src/config/ocp.repo"
     fi
 
     # Fetch packages
@@ -184,7 +188,21 @@ main () {
             cosa_build
             kola_test_metal
             ;;
-        "rhcos-90-build-test-qemu" | "rhcos-90-build-test-metal" | "scos-9-build-test-qemu" | "scos-9-build-test-metal")
+        "rhcos-90-build-test-qemu")
+            OSVER="rhel-9.0"
+            setup_user
+            cosa_init
+            cosa_build
+            kola_test_qemu
+            ;;
+        "rhcos-90-build-test-metal" )
+            OSVER="rhel-9.0"
+            setup_user
+            cosa_init
+            cosa_build
+            kola_test_metal
+            ;;
+        "scos-9-build-test-qemu" | "scos-9-build-test-metal")
             echo "Disabled tests"
             exit 0
             ;;
diff --git a/extensions-rhel-9.0.yaml b/extensions-rhel-9.0.yaml
new file mode 100644
index 000000000..f3e241d8a
--- /dev/null
+++ b/extensions-rhel-9.0.yaml
@@ -0,0 +1,62 @@
+# RPMs as operating system extensions, distinct from the base ostree commit/image
+# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md
+# and https://github.com/coreos/fedora-coreos-tracker/issues/401
+
+repos:
+  - rhel-9-nfv
+
+extensions:
+  # https://github.com/coreos/fedora-coreos-tracker/issues/326
+  usbguard:
+    packages:
+      - usbguard
+  kerberos:
+    packages:
+      - krb5-workstation
+      - libkadm5
+  # https://github.com/kmods-via-containers/kmods-via-containers/issues/3
+  # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866
+  # These are currently overlaid onto the host so that they can be bind-mounted
+  # into build containers... in the future they should be a `development`
+  # extension: https://github.com/openshift/machine-config-operator/pull/2143.
+  kernel-devel:
+    packages:
+      - kernel-devel
+      - kernel-headers
+    match-base-evr: kernel
+  # These are already in the base, so they're not OS extensions, but they're
+  # useful to have in RPM form to install in kmod build containers.
+  kernel:
+    kind: development
+    packages:
+      - kernel
+      - kernel-core
+      - kernel-modules
+      - kernel-modules-extra
+    match-base-evr: kernel
+  # GRPA-2822
+  # https://github.com/openshift/machine-config-operator/pull/1330
+  # https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md
+  kernel-rt:
+    architectures:
+      - x86_64
+    packages:
+      - kernel-rt-core
+      - kernel-rt-kvm
+      - kernel-rt-modules
+      - kernel-rt-modules-extra
+      - kernel-rt-devel
+  # https://github.com/openshift/machine-config-operator/pull/2456
+  # https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md
+  # GRPA-3123
+  # - kata-containers (RHAOS)
+  sandboxed-containers:
+    architectures:
+      - x86_64
+    modules:
+      enable:
+        - virt:rhel
+    repos:
+      - rhel-9-appstream
+    packages:
+      - kata-containers
diff --git a/rhel-9.0.yaml b/rhel-9.0.yaml
new file mode 100644
index 000000000..43f0b77f4
--- /dev/null
+++ b/rhel-9.0.yaml
@@ -0,0 +1,161 @@
+# Manifest for RHCOS based on RHEL 9.0
+
+rojig:
+  license: MIT
+  name: rhcos
+  summary: OpenShift 4
+
+variables:
+  distro: "rhel"
+  version: "9.0"
+
+# Include manifests common to all RHEL and CentOS Stream versions
+include:
+  - common.yaml
+
+# Starting from here, everything should be specific to RHCOS based on RHEL 9.0
+
+# See README.md
+# and https://github.com/openshift/release/blob/master/core-services/release-controller/README.md#rpm-mirrors
+repos:
+  - rhel-9-baseos
+  - rhel-9-appstream
+  - rhel-9-fast-datapath
+  # Temporarily disabled until available
+  # - rhel-9-server-ose
+  - rhel-8-server-ose
+
+# We include hours/minutes to avoid version number reuse
+automatic-version-prefix: "412.90.<date:%Y%m%d%H%M>"
+# This ensures we're semver-compatible which OpenShift wants
+automatic-version-suffix: "-"
+# Keep this is sync with the version in postprocess
+mutate-os-release: "4.12"
+
+postprocess:
+  - |
+     #!/usr/bin/env bash
+     set -xeo pipefail
+
+     # Tweak /usr/lib/os-release
+     grep -v "OSTREE_VERSION" /etc/os-release > /usr/lib/os-release.rhel
+     OCP_RELEASE="4.12"
+     (
+     . /etc/os-release
+     cat > /usr/lib/os-release <<EOF
+     NAME="${NAME} CoreOS"
+     ID="rhcos"
+     ID_LIKE="rhel fedora"
+     VERSION="${OSTREE_VERSION}"
+     VERSION_ID="${OCP_RELEASE}"
+     VARIANT="CoreOS"
+     VARIANT_ID=coreos
+     PLATFORM_ID="${PLATFORM_ID}"
+     PRETTY_NAME="${NAME} CoreOS ${OSTREE_VERSION} (Plow)"
+     ANSI_COLOR="${ANSI_COLOR}"
+     CPE_NAME="${CPE_NAME%baseos}coreos"
+     HOME_URL="${HOME_URL}"
+     DOCUMENTATION_URL="https://docs.openshift.com/container-platform/${OCP_RELEASE}/"
+     BUG_REPORT_URL="https://bugzilla.redhat.com/"
+     REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
+     REDHAT_BUGZILLA_PRODUCT_VERSION="${OCP_RELEASE}"
+     REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
+     REDHAT_SUPPORT_PRODUCT_VERSION="${OCP_RELEASE}"
+     OPENSHIFT_VERSION="${OCP_RELEASE}"
+     RHEL_VERSION="${VERSION_ID}"
+     OSTREE_VERSION="${OSTREE_VERSION}"
+     EOF
+     )
+     rm -f /etc/os-release
+     ln -s ../usr/lib/os-release /etc/os-release
+
+     # Tweak /etc/system-release, /etc/system-release-cpe & /etc/redhat-release
+     (
+     . /etc/os-release
+     cat > /usr/lib/system-release-cpe <<EOF
+     ${CPE_NAME}
+     EOF
+     cat > /usr/lib/system-release <<EOF
+     ${NAME} release ${VERSION_ID}
+     EOF
+     rm -f /etc/system-release-cpe /etc/system-release /etc/redhat-release
+     ln -s /usr/lib/system-release-cpe /etc/system-release-cpe
+     ln -s /usr/lib/system-release /etc/system-release
+     ln -s /usr/lib/system-release /etc/redhat-release
+     )
+
+     # Tweak /usr/lib/issue
+     cat > /usr/lib/issue <<EOF
+     \S \S{VERSION_ID}
+     EOF
+     rm -f /etc/issue /etc/issue.net
+     ln -s /usr/lib/issue /etc/issue
+     ln -s /usr/lib/issue /etc/issue.net
+
+     # Let's have a non-boring motd, just like CL (although theirs is more subdued
+     # nowadays compared to early versions with ASCII art).  One thing we do here
+     # is add --- as a "separator"; the idea is that any "dynamic" information should
+     # be below that.
+     # See: https://projects.engineering.redhat.com/browse/COREOS-1029
+     . /etc/os-release
+     cat > /etc/motd <<EOF
+     Red Hat Enterprise Linux CoreOS $VERSION
+       Part of OpenShift ${OPENSHIFT_VERSION}, RHCOS is a Kubernetes native operating system
+       managed by the Machine Config Operator (\`clusteroperator/machine-config\`).
+
+     WARNING: Direct SSH access to machines is not recommended; instead,
+     make configuration changes via \`machineconfig\` objects:
+       https://docs.openshift.com/container-platform/${OPENSHIFT_VERSION}/architecture/architecture-rhcos.html
+
+     ---
+     EOF
+  # Collection of workarounds specific to RHEL 9.0 based RHCOS
+  - |
+     #!/usr/bin/env bash
+     set -xeo pipefail
+
+     # FIXME: Force enable dbus-broker to get the dbus.service → dbus-broker.service
+     systemctl enable dbus-broker
+
+     # FIXME: Why is this only broken here?  NM isn't removing the link?
+     sed -i '/etc.resolv/d' /usr/lib/tmpfiles.d/etc.conf
+
+     # crio should stop hardcoding things in their config file!
+     # We are apparently somehow pulling in a conmon override in RHCOS
+     # that contains /usr/libexec/crio/conmon - WHY?
+     # sed -i '/conmon.*=/d' /etc/crio/crio.conf
+     # Oh right but the MCO overrides that too so...
+     mkdir -p /usr/libexec/crio
+     ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
+
+     # Use crun by default
+     sed -i '/\[crio.runtime\]/a default_runtime="crun"' /etc/crio/crio.conf
+     cat >> /etc/crio/crio.conf <<EOF
+     [crio.runtime.runtimes.crun]
+     runtime_path="/usr/bin/crun"
+     EOF
+
+# Packages that are only in RHCOS and not in SCOS or that have special
+# constraints that do not apply to SCOS
+packages:
+ # We include the generic release package and tweak the os-release info in a
+ # post-proces script
+ - redhat-release
+ # SCOS package name does not include a version number
+ - openvswitch2.17
+
+# Packages pinned to specific repos in RHCOS
+repo-packages:
+  # we always want the kernel from BaseOS
+  - repo: rhel-9-baseos
+    packages:
+      - kernel
+  # we want the one shipping in RHEL, not the equivalently versioned one in RHAOS
+  - repo: rhel-9-appstream
+    packages:
+      - nss-altfiles
+  - repo: rhel-9-server-ose
+    packages:
+      # eventually, we want the one from the container-tools module, but we're
+      # not there yet
+      - toolbox
diff --git a/variant_rhel-9.0 b/variant_rhel-9.0
new file mode 100644
index 000000000..b08f637c1
--- /dev/null
+++ b/variant_rhel-9.0
@@ -0,0 +1 @@
+rhel-9.0

From 56da2c6e948c6fc20fcd0af0b3048ffad2f265c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= <tim@siosm.fr>
Date: Tue, 21 Jun 2022 10:34:56 +0000
Subject: [PATCH 3/3] manifest & ci: Add SCOS variant

---
 c9s.yaml                           | 142 +++++++++++++++++++++++++++++
 ci/prow-entrypoint.sh              |  23 ++++-
 extensions-c9s.yaml                |  62 +++++++++++++
 repos/c9s.repo                     |  39 ++++++++
 rpm-gpg/RPM-GPG-KEY-centosofficial |  30 ++++++
 variant_c9s                        |   1 +
 variant_scos                       |   1 +
 7 files changed, 297 insertions(+), 1 deletion(-)
 create mode 100644 c9s.yaml
 create mode 100644 extensions-c9s.yaml
 create mode 100644 repos/c9s.repo
 create mode 100644 rpm-gpg/RPM-GPG-KEY-centosofficial
 create mode 100644 variant_c9s
 create mode 120000 variant_scos

diff --git a/c9s.yaml b/c9s.yaml
new file mode 100644
index 000000000..e6641463f
--- /dev/null
+++ b/c9s.yaml
@@ -0,0 +1,142 @@
+# Manifest for CentOS Stream CoreOS (SCOS)
+
+rojig:
+  license: MIT
+  name: scos
+  summary: OKD 4
+
+variables:
+  distro: "scos"
+  version: "9"
+
+# Include manifests common to all RHEL and CentOS Stream versions
+include:
+  - common.yaml
+
+# Starting from here, everything should be specific to SCOS
+
+# CentOS Stream 9 repos + internal repos for now
+repos:
+  - baseos
+  - appstream
+  - openvswitch
+  # Temporarily inlcude internal repo for cri-o, oc & hyperkube
+  - rhel-8-server-ose
+
+# We include hours/minutes to avoid version number reuse
+automatic-version-prefix: "412.91.<date:%Y%m%d%H%M>"
+# This ensures we're semver-compatible which OpenShift wants
+automatic-version-suffix: "-"
+# Keep this is sync with the version in postprocess
+mutate-os-release: "4.12"
+
+postprocess:
+  - |
+     #!/usr/bin/env bash
+     set -xeo pipefail
+
+     # Tweak /usr/lib/os-release
+     grep -v "OSTREE_VERSION" /etc/os-release > /usr/lib/os-release.stream
+     OCP_RELEASE="4.12"
+     (
+     . /etc/os-release
+     cat > /usr/lib/os-release <<EOF
+     NAME="${NAME} CoreOS"
+     ID="scos"
+     ID_LIKE="rhel fedora"
+     VERSION="${OSTREE_VERSION}"
+     VERSION_ID="${OCP_RELEASE}"
+     VARIANT="CoreOS"
+     VARIANT_ID=coreos
+     PLATFORM_ID="${PLATFORM_ID}"
+     PRETTY_NAME="${NAME} CoreOS ${OSTREE_VERSION}"
+     ANSI_COLOR="${ANSI_COLOR}"
+     CPE_NAME="${CPE_NAME}::coreos"
+     HOME_URL="${HOME_URL}"
+     DOCUMENTATION_URL="https://docs.okd.io/latest/welcome/index.html"
+     BUG_REPORT_URL="https://bugzilla.redhat.com/"
+     REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
+     REDHAT_BUGZILLA_PRODUCT_VERSION="${OCP_RELEASE}"
+     REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
+     REDHAT_SUPPORT_PRODUCT_VERSION="${OCP_RELEASE}"
+     OPENSHIFT_VERSION="${OCP_RELEASE}"
+     OSTREE_VERSION="${OSTREE_VERSION}"
+     EOF
+     )
+     rm -f /etc/os-release
+     ln -s ../usr/lib/os-release /etc/os-release
+
+     # Tweak /etc/system-release, /etc/system-release-cpe & /etc/redhat-release
+     (
+     . /etc/os-release
+     cat > /usr/lib/system-release-cpe <<EOF
+     ${CPE_NAME}
+     EOF
+     cat > /usr/lib/system-release <<EOF
+     ${NAME} release ${VERSION_ID}
+     EOF
+     rm -f /etc/system-release-cpe /etc/system-release /etc/redhat-release
+     ln -s /usr/lib/system-release-cpe /etc/system-release-cpe
+     ln -s /usr/lib/system-release /etc/system-release
+     ln -s /usr/lib/system-release /etc/redhat-release
+     )
+
+     # Tweak /usr/lib/issue
+     cat > /usr/lib/issue <<EOF
+     \S \S{VERSION_ID}
+     EOF
+     rm -f /etc/issue /etc/issue.net
+     ln -s /usr/lib/issue /etc/issue
+     ln -s /usr/lib/issue /etc/issue.net
+
+     # Let's have a non-boring motd, just like CL (although theirs is more subdued
+     # nowadays compared to early versions with ASCII art).  One thing we do here
+     # is add --- as a "separator"; the idea is that any "dynamic" information should
+     # be below that.
+     # See: https://projects.engineering.redhat.com/browse/COREOS-1029
+     . /etc/os-release
+     cat > /etc/motd <<EOF
+     CentOS Stream CoreOS $VERSION
+       Part of OKD ${OPENSHIFT_VERSION}, SCOS is a Kubernetes native operating system
+       managed by the Machine Config Operator (\`clusteroperator/machine-config\`).
+
+     WARNING: Direct SSH access to machines is not recommended; instead,
+     make configuration changes via \`machineconfig\` objects:
+       https://docs.openshift.com/container-platform/${OPENSHIFT_VERSION}/architecture/architecture-rhcos.html
+
+     ---
+     EOF
+  # Collection of workarounds specific to SCOS
+  - |
+     #!/usr/bin/env bash
+     set -xeo pipefail
+
+     # FIXME: Force enable dbus-broker to get the dbus.service → dbus-broker.service
+     systemctl enable dbus-broker
+
+     # FIXME: Why is this only broken here?  NM isn't removing the link?
+     sed -i '/etc.resolv/d' /usr/lib/tmpfiles.d/etc.conf
+
+     # crio should stop hardcoding things in their config file!
+     # We are apparently somehow pulling in a conmon override in RHCOS
+     # that contains /usr/libexec/crio/conmon - WHY?
+     # sed -i '/conmon.*=/d' /etc/crio/crio.conf
+     # Oh right but the MCO overrides that too so...
+     mkdir -p /usr/libexec/crio
+     ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
+
+     # Use crun by default
+     sed -i '/\[crio.runtime\]/a default_runtime="crun"' /etc/crio/crio.conf
+     cat >> /etc/crio/crio.conf <<EOF
+     [crio.runtime.runtimes.crun]
+     runtime_path="/usr/bin/crun"
+     EOF
+
+# Packages that are only in SCOS and not in RHCOS or that have special
+# constraints that do not apply to RHCOS
+packages:
+ # We include the generic release package and tweak the os-release info in a
+ # post-proces script
+ - centos-release
+ # RHCOS package name includes a version number
+ - openvswitch2.16
diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh
index c5a6f8b7b..373845455 100755
--- a/ci/prow-entrypoint.sh
+++ b/ci/prow-entrypoint.sh
@@ -81,6 +81,13 @@ cosa_build() {
         # Temporary workaround until we have all packages for RHCOS 9
         curl -L "http://base-${ocpver_mut}-rhel86.ocp.svc.cluster.local" -o "src/config/ocp.repo"
         curl -L "http://base-${ocpver_mut}-rhel90.ocp.svc.cluster.local" -o "src/config/ocp.repo"
+    elif [[ "${OSVER}" == "c9s" ]]; then
+        sed "s|file:///tmp|file://${PWD}/src/config/rpm-gpg|" "src/config/repos/c9s.repo" > "src/config/c9s.repo"
+        # Temporary workaround until we have all packages for SCOS
+        curl -L "http://base-${ocpver_mut}-rhel86.ocp.svc.cluster.local" -o "src/config/tmp.repo"
+        awk '/rhel-8-server-ose/,/^$/' "src/config/tmp.repo" > "src/config/ocp.repo"
+        echo "includepkgs=cri-o,cri-tools,openshift-clients,openshift-hyperkube" >> "src/config/ocp.repo"
+        rm "src/config/tmp.repo"
     fi
 
     # Fetch packages
@@ -202,7 +209,21 @@ main () {
             cosa_build
             kola_test_metal
             ;;
-        "scos-9-build-test-qemu" | "scos-9-build-test-metal")
+        "scos-9-build-test-qemu")
+            OSVER="c9s"
+            setup_user
+            cosa_init
+            cosa_build
+            kola_test_qemu
+            ;;
+        "scos-9-build-test-metal" )
+            OSVER="c9s"
+            setup_user
+            cosa_init
+            cosa_build
+            kola_test_metal
+            ;;
+        "explicitely-disabled-test")
             echo "Disabled tests"
             exit 0
             ;;
diff --git a/extensions-c9s.yaml b/extensions-c9s.yaml
new file mode 100644
index 000000000..bc841d11c
--- /dev/null
+++ b/extensions-c9s.yaml
@@ -0,0 +1,62 @@
+# RPMs as operating system extensions, distinct from the base ostree commit/image
+# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md
+# and https://github.com/coreos/fedora-coreos-tracker/issues/401
+
+repos:
+  - nfv
+
+extensions:
+  # https://github.com/coreos/fedora-coreos-tracker/issues/326
+  usbguard:
+    packages:
+      - usbguard
+  kerberos:
+    packages:
+      - krb5-workstation
+      - libkadm5
+  # https://github.com/kmods-via-containers/kmods-via-containers/issues/3
+  # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866
+  # These are currently overlaid onto the host so that they can be bind-mounted
+  # into build containers... in the future they should be a `development`
+  # extension: https://github.com/openshift/machine-config-operator/pull/2143.
+  kernel-devel:
+    packages:
+      - kernel-devel
+      - kernel-headers
+    match-base-evr: kernel
+  # These are already in the base, so they're not OS extensions, but they're
+  # useful to have in RPM form to install in kmod build containers.
+  kernel:
+    kind: development
+    packages:
+      - kernel
+      - kernel-core
+      - kernel-modules
+      - kernel-modules-extra
+    match-base-evr: kernel
+  # GRPA-2822
+  # https://github.com/openshift/machine-config-operator/pull/1330
+  # https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md
+  kernel-rt:
+    architectures:
+      - x86_64
+    packages:
+      - kernel-rt-core
+      - kernel-rt-kvm
+      - kernel-rt-modules
+      - kernel-rt-modules-extra
+      - kernel-rt-devel
+  # https://github.com/openshift/machine-config-operator/pull/2456
+  # https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md
+  # GRPA-3123
+  # - kata-containers (RHAOS)
+  sandboxed-containers:
+    architectures:
+      - x86_64
+    modules:
+      enable:
+        - virt:rhel
+    repos:
+      - appstream
+    packages:
+      - kata-containers
diff --git a/repos/c9s.repo b/repos/c9s.repo
new file mode 100644
index 000000000..0433a5ce4
--- /dev/null
+++ b/repos/c9s.repo
@@ -0,0 +1,39 @@
+[baseos]
+name=CentOS Stream 9 - BaseOS
+baseurl=http://mirror.stream.centos.org/9-stream/BaseOS/$basearch/os
+gpgcheck=1
+repo_gpgcheck=0
+enabled=1
+gpgkey=file:///tmp/RPM-GPG-KEY-centosofficial
+
+[appstream]
+name=CentOS Stream 9 - AppStream
+baseurl=http://mirror.stream.centos.org/9-stream/AppStream/$basearch/os
+gpgcheck=1
+repo_gpgcheck=0
+enabled=1
+gpgkey=file:///tmp/RPM-GPG-KEY-centosofficial
+
+[nfv]
+name=CentOS Stream 9 - NFV
+baseurl=http://mirror.stream.centos.org/9-stream/NFV/$basearch/os
+gpgcheck=1
+repo_gpgcheck=0
+enabled=1
+gpgkey=file:///tmp/RPM-GPG-KEY-centosofficial
+
+[rt]
+name=CentOS Stream 9 - RT
+baseurl=http://mirror.stream.centos.org/9-stream/RT/$basearch/os
+gpgcheck=1
+repo_gpgcheck=0
+enabled=1
+gpgkey=file:///tmp/RPM-GPG-KEY-centosofficial
+
+[openvswitch]
+name=CentOS Stream 9 OpenvSwitch
+baseurl=http://mirror.stream.centos.org/SIGs/9-stream/nfv/x86_64/openvswitch-2/
+gpgcheck=0
+repo_gpgcheck=0
+enabled=1
+# gpgkey=file:///tmp/RPM-GPG-KEY-centosofficial
diff --git a/rpm-gpg/RPM-GPG-KEY-centosofficial b/rpm-gpg/RPM-GPG-KEY-centosofficial
new file mode 100644
index 000000000..30235a864
--- /dev/null
+++ b/rpm-gpg/RPM-GPG-KEY-centosofficial
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBFzMWxkBEADHrskpBgN9OphmhRkc7P/YrsAGSvvl7kfu+e9KAaU6f5MeAVyn
+rIoM43syyGkgFyWgjZM8/rur7EMPY2yt+2q/1ZfLVCRn9856JqTIq0XRpDUe4nKQ
+8BlA7wDVZoSDxUZkSuTIyExbDf0cpw89Tcf62Mxmi8jh74vRlPy1PgjWL5494b3X
+5fxDidH4bqPZyxTBqPrUFuo+EfUVEqiGF94Ppq6ZUvrBGOVo1V1+Ifm9CGEK597c
+aevcGc1RFlgxIgN84UpuDjPR9/zSndwJ7XsXYvZ6HXcKGagRKsfYDWGPkA5cOL/e
+f+yObOnC43yPUvpggQ4KaNJ6+SMTZOKikM8yciyBwLqwrjo8FlJgkv8Vfag/2UR7
+JINbyqHHoLUhQ2m6HXSwK4YjtwidF9EUkaBZWrrskYR3IRZLXlWqeOi/+ezYOW0m
+vufrkcvsh+TKlVVnuwmEPjJ8mwUSpsLdfPJo1DHsd8FS03SCKPaXFdD7ePfEjiYk
+nHpQaKE01aWVSLUiygn7F7rYemGqV9Vt7tBw5pz0vqSC72a5E3zFzIIuHx6aANry
+Gat3aqU3qtBXOrA/dPkX9cWE+UR5wo/A2UdKJZLlGhM2WRJ3ltmGT48V9CeS6N9Y
+m4CKdzvg7EWjlTlFrd/8WJ2KoqOE9leDPeXRPncubJfJ6LLIHyG09h9kKQARAQAB
+tDpDZW50T1MgKENlbnRPUyBPZmZpY2lhbCBTaWduaW5nIEtleSkgPHNlY3VyaXR5
+QGNlbnRvcy5vcmc+iQI3BBMBAgAhBQJczFsZAhsDBgsJCAcDAgYVCAIJCgsDFgIB
+Ah4BAheAAAoJEAW1VbOEg8ZdjOsP/2ygSxH9jqffOU9SKyJDlraL2gIutqZ3B8pl
+Gy/Qnb9QD1EJVb4ZxOEhcY2W9VJfIpnf3yBuAto7zvKe/G1nxH4Bt6WTJQCkUjcs
+N3qPWsx1VslsAEz7bXGiHym6Ay4xF28bQ9XYIokIQXd0T2rD3/lNGxNtORZ2bKjD
+vOzYzvh2idUIY1DgGWJ11gtHFIA9CvHcW+SMPEhkcKZJAO51ayFBqTSSpiorVwTq
+a0cB+cgmCQOI4/MY+kIvzoexfG7xhkUqe0wxmph9RQQxlTbNQDCdaxSgwbF2T+gw
+byaDvkS4xtR6Soj7BKjKAmcnf5fn4C5Or0KLUqMzBtDMbfQQihn62iZJN6ZZ/4dg
+q4HTqyVpyuzMXsFpJ9L/FqH2DJ4exGGpBv00ba/Zauy7GsqOc5PnNBsYaHCply0X
+407DRx51t9YwYI/ttValuehq9+gRJpOTTKp6AjZn/a5Yt3h6jDgpNfM/EyLFIY9z
+V6CXqQQ/8JRvaik/JsGCf+eeLZOw4koIjZGEAg04iuyNTjhx0e/QHEVcYAqNLhXG
+rCTTbCn3NSUO9qxEXC+K/1m1kaXoCGA0UWlVGZ1JSifbbMx0yxq/brpEZPUYm+32
+o8XfbocBWljFUJ+6aljTvZ3LQLKTSPW7TFO+GXycAOmCGhlXh2tlc6iTc41PACqy
+yy+mHmSv
+=kkH7
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/variant_c9s b/variant_c9s
new file mode 100644
index 000000000..e3f4602a5
--- /dev/null
+++ b/variant_c9s
@@ -0,0 +1 @@
+c9s
diff --git a/variant_scos b/variant_scos
new file mode 120000
index 000000000..5dc410b05
--- /dev/null
+++ b/variant_scos
@@ -0,0 +1 @@
+variant_c9s
\ No newline at end of file