
packages: add minios package #944

Draft: sky1122 wants to merge 1 commit into bottlerocket-os:develop from sky1122:mini

Conversation

sky1122 (Contributor) commented Jun 12, 2026

Description of changes:
Add a minimal release package that combines first-party binaries and system configuration into a single package. Includes containerd support, SELinux, filesystem setup, D-Bus (whippet), ghostdog, corndog, certdog, and core systemd configuration. Removes apiserver, settings pipeline, in-place updates, networking, FIPS, TPM, and host containers.

In some systemd config and rules there are a few things I didn't delete because I'm not sure, but I'm happy to hear any feedback.

Testing done:
Tested with aws-dev; the variant definition is below.

```toml
[package]
name = "aws-dev"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[package.metadata.build-variant.image-features]
uefi-secure-boot = false
xfs-data-partition = false
in-place-updates = false
host-containers = false
erofs-root-partition = true
external-kmod-development = false

[package.metadata.build-variant]
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    # Only reserve if there are at least 2GB
    "crashkernel=2G-:256M",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]
included-packages = [
    # core
    "minios",
    "kernel-6.18",
    "containerd-2.1",
    "systemd-257",
    "nftables",
    # boot (needed for EC2/UEFI)
    "grub",
    "shim",
    # docker
    "docker-cli-29",
    "docker-engine-29",
    "docker-init",
    # tools
    "iputils",
    "strace",
    "login",
]

[lib]
path = "../variants.rs"

[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }
```
Docker Hello World

```
bash-5.3# docker run --rm hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/
```
systemctl status

```
● localhost
    State: running
    Units: 306 loaded (incl. loaded aliases)
     Jobs: 0 queued
   Failed: 0 units
    Since: Thu 2026-06-11 22:09:53 UTC; 17h ago
  systemd: 257.9
  Tainted: unmerged-bin
   CGroup: /
           ├─init.scope
           │ └─1 /sbin/init systemd.log_target=journal-or-kmsg systemd.log_color=0 systemd.show_status=true
           ├─runtime.slice
           │ └─containerd.service
           │   └─1448 /usr/bin/containerd
           └─system.slice
             ├─docker.service
             │ └─1491 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
             ├─system-getty.slice
             │ └─getty@tty1.service
             │   └─1387 /sbin/agetty -o "-- \\u" --noreset --noclear - linux
             ├─system-serial\x2dgetty.slice
             │ └─serial-getty@ttyS0.service
             │   ├─1391 bash --login
             │   ├─1865 systemctl status
             │   └─1866 "(pager)"
             ├─systemd-journald.service
             │ └─620 /x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/systemd-journald
             ├─systemd-logind.service
             │ └─1452 /x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/systemd-logind
             ├─systemd-udevd.service
             │ └─udev
             │   └─1142 /x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/systemd-udevd
             └─whippet.service
               ├─ 663 /usr/bin/whippet
               └─1199 /usr/bin/dbus-broker --log 12 --controller 11 --machine-id ec2ec341e7c528f94e76371addb0fd66 --max-bytes 536870912 --max-fds 4096 --max-matches 16384
```
overlay mount status

```
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,seclabel,size=7960812k,nr_inodes=1048576)
/dev/nvme1n1p1 on /local type ext4 (rw,nosuid,nodev,noatime,seclabel,mb_optimize_scan=0)
/dev/nvme1n1p1 on /opt type ext4 (rw,nosuid,nodev,noatime,seclabel,mb_optimize_scan=0)
/dev/nvme1n1p1 on /var type ext4 (rw,nosuid,nodev,noatime,seclabel,mb_optimize_scan=0)
/dev/nvme1n1p1 on /mnt type ext4 (rw,nosuid,nodev,noatime,seclabel,mb_optimize_scan=0)
/dev/dm-0 on /local/opt type erofs (ro,nosuid,nodev,noexec,relatime,seclabel,user_xattr,acl,cache_strategy=readaround)
/dev/dm-0 on /local/mnt type erofs (ro,nosuid,nodev,noexec,relatime,seclabel,user_xattr,acl,cache_strategy=readaround)
/dev/dm-0 on /local/var type erofs (ro,nosuid,nodev,noexec,relatime,seclabel,user_xattr,acl,cache_strategy=readaround)
overlay on /x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/modules type overlay (rw,nosuid,nodev,noexec,noatime,context=system_u:object_r:state_t:s0,lowerdir=/lib/modules,upperdir=/var/lib/kernel-modules/.overlay/upper,workdir=/var/lib/kernel-modules/.overlay/work,uuid=on)
/dev/dm-0 on /var/lib/kernel-devel/.overlay/lower type erofs (ro,relatime,seclabel,user_xattr,acl,cache_strategy=readaround)
overlay on /x86_64-bottlerocket-linux-gnu/sys-root/usr/src/kernels type overlay (rw,nosuid,nodev,noatime,context=system_u:object_r:state_t:s0,lowerdir=/var/lib/kernel-devel/.overlay/lower,upperdir=/var/lib/kernel-devel/.overlay/upper,workdir=/var/lib/kernel-devel/.overlay/work,uuid=on)
```
partition

```
drwxr-xr-x.  2 root root 200 Jun 11 22:09 .
drwxr-xr-x. 10 root root 200 Jun 11 22:09 ..
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 BIOS-BOOT -> ../../nvme0n1p1
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 BOTTLEROCKET-BOOT-A -> ../../nvme0n1p3
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 BOTTLEROCKET-DATA -> ../../nvme1n1p1
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 BOTTLEROCKET-HASH-A -> ../../nvme0n1p5
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 BOTTLEROCKET-PRIVATE -> ../../nvme0n1p7
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 BOTTLEROCKET-RESERVED-A -> ../../nvme0n1p6
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 BOTTLEROCKET-ROOT-A -> ../../nvme0n1p4
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 EFI-SYSTEM -> ../../nvme0n1p2
total 0
drwxr-xr-x.  2 root root 220 Jun 11 22:09 .
drwxr-xr-x. 10 root root 200 Jun 11 22:09 ..
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 nvme-ebs-05f77411-0c7d-4c2b-a84b-76f5b76d7dea -> ../../nvme0n1p1
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 nvme-ebs-213dc301-da4d-40e0-b879-e2e414515131 -> ../../nvme0n1p7
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 nvme-ebs-5b94e8df-28b8-485c-9d19-362263b5944c -> ../../nvme1n1p1
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 nvme-ebs-69040874-417d-4e26-a764-7885f22007ea -> ../../nvme0n1p8
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 nvme-ebs-6ee86304-4c75-4065-b574-bb8cfaf0c1c9 -> ../../nvme0n1p2
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 nvme-ebs-807d592c-7b55-4683-bdf6-680d3ae905b2 -> ../../nvme0n1p4
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 nvme-ebs-8bfc7120-34c6-41cc-ba68-f0e767f6e756 -> ../../nvme0n1p5
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 nvme-ebs-8ca36dbe-7cc0-4790-bb18-aeb3d6640d9b -> ../../nvme0n1p3
lrwxrwxrwx.  1 root root  15 Jun 11 22:09 nvme-ebs-dc47b8fc-f503-4d09-abf8-a7585b911ceb -> ../../nvme0n1p6
```
What's in the private partition

```
bash-5.3# mkdir -p /tmp/private-check
bash-5.3# mount /dev/disk/by-partlabel/BOTTLEROCKET-PRIVATE /tmp/private-check
bash-5.3# ls -la /tmp/private-check/
total 24
drwxr-xr-x. 3 root root  4096 Jun 11 22:08 .
drwxrwxrwt. 4 root root    80 Jun 12 17:06 ..
-rw-r--r--. 1 root root   148 Jun 11 22:08 bootconfig.data
drwx------  2 root root 16384 Jun 11 22:08 lost+found
bash-5.3# cat /tmp/private-check/bootconfig.data
kernel.SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1
kernel.SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST=25
kernel.module_blacklist = i8042
Ǫ'#BOOTCONFIG
```
**Terms of contribution:**

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
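The private-partition dump above shows a kernel bootconfig blob: XBC key/value text followed by a size, a checksum and the `#BOOTCONFIG` trailer. As an added example that is not code from this PR or from Bottlerocket, the Python below builds such a blob from a constructed copy of the three keys shown and verifies the trailer before trusting the contents; the NUL terminator plus 4-byte NUL padding is an assumption about the bootconfig tool's layout, chosen because it reproduces the 148-byte file size listed above.

```python
import struct
BOOTCONFIG_MAGIC = b"#BOOTCONFIG\n"  # 12-byte trailer magic of the kernel bootconfig format
FOOTER_FMT = "<II"  # u32 data size, u32 checksum, little-endian, placed just before the magic

def checksum(data: bytes) -> int:
    """Kernel bootconfig checksum: a plain u32 sum of every data byte."""
    return sum(data) & 0xFFFFFFFF

def build_bootconfig(text: str) -> bytes:
    """Lay out XBC text as the bootconfig tool does (assumed): text, NUL terminator,
    NUL padding to a 4-byte boundary, then size, checksum and magic."""
    data = text.encode() + b"\0"
    data += b"\0" * (-len(data) % 4)
    return data + struct.pack(FOOTER_FMT, len(data), checksum(data)) + BOOTCONFIG_MAGIC

def parse_bootconfig(blob: bytes) -> dict:
    """Verify magic, size and checksum, then return key/value pairs; ValueError if damaged."""
    if not blob.endswith(BOOTCONFIG_MAGIC):
        raise ValueError("missing #BOOTCONFIG magic")
    body = blob[:-len(BOOTCONFIG_MAGIC)]
    if len(body) < 8:
        raise ValueError("blob too short for the size/checksum footer")
    size, csum = struct.unpack(FOOTER_FMT, body[-8:])
    data = body[:-8]
    if size != len(data):
        raise ValueError(f"size field {size} != data length {len(data)}")
    if csum != checksum(data):
        raise ValueError("checksum mismatch: data or footer was altered")
    entries = {}
    for line in data.rstrip(b"\0").decode().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def is_intact(blob: bytes) -> bool:
    try:
        parse_bootconfig(blob)
        return True
    except ValueError:
        return False

SAMPLE_TEXT = (  # constructed: the three keys shown in the bootconfig.data dump above
    "kernel.SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1\n"
    "kernel.SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST=25\n"
    "kernel.module_blacklist = i8042\n"
)
SAMPLE_BLOB = build_bootconfig(SAMPLE_TEXT)  # 148 bytes, the size ls -la reported above
TAMPERED_BLOB = bytes([SAMPLE_BLOB[0] ^ 1]) + SAMPLE_BLOB[1:]  # one flipped bit in the data
```

Running `parse_bootconfig` over the real `bootconfig.data` read from the mounted private partition would apply the same checks to the on-disk file.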

@sky1122 sky1122 requested a review from vigh-m June 12, 2026 16:55

Contributor

Not sure if we need this since we're not concerned with network initialisation in minios

Contributor Author

I'm still keeping this since this is the one that sets the fixed name for the network interface between kernel space and user space, just in case, and we could remove it later if not needed.

Comment thread packages/minios/ebs-volumes.rules Outdated

Contributor

These rules, packages/minios/ephemeral-ebs-storage.rules, and packages/minios/ephemeral-storage.rules can be dropped or at least modified since we don't expect to set up EBS volumes with the nested hypervisor.

Comment thread packages/minios/logdog.common.conf Outdated

Contributor

I don't expect needing to run logdog from inside the nested hypervisor.

Comment thread packages/minios/minios.spec Outdated
```spec
%description
%{summary}.

%package -n %{_cross_os}minios-corndog
```

Contributor

%package corndog will append %{_cross_os}minios- to the package name. Same for certdog and ghostdog

Comment thread packages/minios/minios.spec Outdated
```spec
%description -n %{_cross_os}minios-brush
%{summary}.

%package -n %{_cross_os}minios-whippet
```

Contributor

Missing Requires for whippet

Comment thread packages/minios/minios.spec Outdated
```spec
%package -n %{_cross_os}minios-brush
```

Contributor

Same as whippet

Comment thread packages/minios/minios.spec Outdated
Comment on lines +205 to +211
```spec
%cargo_build --manifest-path %{_builddir}/sources/Cargo.toml \
-p ghostdog \
-p corndog \
-p certdog \
-p brush \
-p whippet \
%{nil}
```

Contributor

Instead of rebuilding these sources, can we depend on os-{ghostdog,corndog,etc}?
That way we don't have to build these packages twice

Contributor Author

Great idea. I was debating because that will introduce some dead config/template but I think that should be fine.

Contributor

Nit: There's a lot of extra newlines in this file

Comment thread packages/minios/minios.spec Outdated
Comment on lines +97 to +101
```spec
# bootconfig snippets.

# TPM2-related services.

# TPM2-related drop-ins.
```

Contributor

These comments can be dropped

Contributor

We don't need to include kernel-devel for nested hypervisor

Comment thread packages/minios/minios.spec Outdated
```spec
# Other drop-ins.
Source93: release-tmpfiles.conf
Source95: release-systemd-networkd.conf
```

Contributor

Declared but not present or installed

Comment thread packages/minios/minios.spec Outdated
Comment on lines +77 to +78
```spec
Source1101: systemd-resolved-service-env.conf
Source1102: systemd-networkd-service-env.conf
```

Contributor

Same. Sources are declared but not present in the package files or installed.

sky1122 (Contributor Author) commented Jun 15, 2026

Force pushed to address feedback. A con of reducing the double compilation is that it will inevitably pull in some dead configuration files.

Add a minimal release package that combines first-party binaries and
system configuration into a single package. Includes containerd support,
SELinux, filesystem setup, D-Bus (whippet), ghostdog, corndog, certdog,
and core systemd configuration. Removes apiserver, settings pipeline,
in-place updates, networking, FIPS, TPM, and host containers.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
sky1122 (Contributor Author) commented Jun 15, 2026

Force pushed to fix the changes I forgot to add in the previous push.
