diff --git a/Containerfile.openshift b/Containerfile.openshift
new file mode 100644
index 00000000..186f7af2
--- /dev/null
+++ b/Containerfile.openshift
@@ -0,0 +1,33 @@
+# This builds the final OCP node image on top of the base RHCOS image. The
+# latter may be RHEL or CentOS Stream-based. This is currently only buildable
+# using podman/buildah as it uses some mounting options only available there.
+#
+# To build this, you will want to pass `--security-opt=label=disable` to avoid
+# having to relabel the context directory. Any repos found in `/run/yum.repos.d`
+# will be imported into `/etc/yum.repos.d/` and then removed in the same step (so
+# as to not end up in the final image).
+#
+# Use `--from` to override the base RHCOS image. E.g.:
+#
+# podman build --from quay.io/openshift-release-dev/ocp-v4.0-art-dev:rhel-coreos-base-9.4 ...
+#
+# Or to use a locally built OCI archive:
+#
+# podman build --from oci-archive:builds/latest/x86_64/scos-9-20240416.dev.0-ostree.x86_64.ociarchive ...
+
+# If consuming from repos hosted within the RH network, you'll want to mount in
+# certs too:
+#
+# podman build -v /etc/pki/ca-trust:/etc/pki-ca-trust:ro ...
+#
+# Example invocation:
+#
+# podman build --from oci-archive:$(ls builds/latest/x86_64/*.ociarchive) \
+#   -v rhel-9.4.repo:/run/yum.repos.d/rhel-9.4.repo:ro \
+#   -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro \
+#   --security-opt label=disable -t localhost/openshift-node-c9s \
+#   -f src/config/Containerfile.openshift
+
+FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:rhel-coreos-base-c9s
+RUN --mount=type=bind,target=/run/src /run/src/scripts/apply-manifest /run/src/packages-openshift.yaml && \
+  ostree container commit
diff --git a/manifest-c9s.yaml b/manifest-c9s.yaml
index c74cc648..df12d1c2 100644
--- a/manifest-c9s.yaml
+++ b/manifest-c9s.yaml
@@ -1,9 +1,9 @@
-# Manifest for CentOS Stream CoreOS (SCOS)
+# Manifest for CentOS Stream 9 CoreOS Base
 
 rojig:
   license: MIT
   name: scos
-  summary: OKD 4
+  summary: CentOS Stream 9 CoreOS
 
 variables:
   osversion: "c9s"
@@ -12,13 +12,6 @@ variables:
 # common to RHEL 9 & C9S variants
 include:
   - common.yaml
-  - packages-openshift.yaml
-  # Order *after* packages-openshift.yaml because we want to affect
-  # postprocess scripts in it. Confusingly, rpm-ostree include semantics
-  # means that postprocess scripts in latter includes happen before earlier
-  # ones and it's probably too risky to change that now. See also comment in
-  # scos-os-release.yaml
-  - scos-os-release.yaml
 
 # Starting from here, everything should be specific to SCOS
 
@@ -26,42 +19,29 @@ include:
 repos:
   - baseos
   - appstream
-  # CentOS Extras Common repo for SIG RPM GPG keys
-  - extras-common
-  # CentOS NFV SIG repo for openvswitch
-  - sig-nfv
-  # CentOS Cloud SIG repo for cri-o, cri-tools and conmon-rs
-  - sig-cloud-okd
-  # Include RHCOS 9 repo for oc, hyperkube
-  - rhel-9.2-server-ose-4.16
 
-# We include hours/minutes to avoid version number reuse
-automatic-version-prefix: "416.9.<date:%Y%m%d%H%M>"
-# This ensures we're semver-compatible which OpenShift wants
-automatic-version-suffix: "-"
-# Keep this is sync with the version in postprocess
-mutate-os-release: "4.16"
+# Match the format of c9s compose IDs. This field will be driven in the pipeline
+# anyway to match exactly the same compose ID we're composing with so the value
+# here is purely for developer builds.
+automatic-version-prefix: "9-<date:%Y%m%d>.dev"
+
+mutate-os-release: "9"
+
+# Mark the OS as of the CoreOS variant.
+# XXX: should be part of a centos-release subpackage instead
+postprocess:
+  - |
+     #!/usr/bin/bash
+     set -euo pipefail
+     cat >> /usr/lib/os-release <<EOF
+     VARIANT=CoreOS
+     VARIANT_ID=coreos
+     EOF
+
+     # And put "CoreOS" in NAME and PRETTY_NAME
+     sed -i -e 's/^NAME="\(.*\)"/NAME="\1 CoreOS"/' /usr/lib/os-release
+     . /usr/lib/os-release
+     sed -i -e "s/^PRETTY_NAME=.*/PRETTY_NAME=\"$NAME $VERSION\"/" /usr/lib/os-release
 
-# Packages that are only in SCOS and not in RHCOS or that have special
-# constraints that do not apply to RHCOS
 packages:
- # We include the generic release package and tweak the os-release info in a
- # post-proces script
  - centos-stream-release
- # RPM GPG keys for CentOS SIG repos
- - centos-release-cloud-common
- - centos-release-nfv-common
- - centos-release-virt-common
-
-# Packages pinned to specific repos in SCOS 9
-repo-packages:
-  # We always want the kernel from BaseOS
-  - repo: baseos
-    packages:
-      - kernel
-  - repo: appstream
-    packages:
-      # We want the one shipping in C9S, not the equivalently versioned one in RHAOS
-      - nss-altfiles
-      # Use the new containers/toolbox
-      - toolbox
diff --git a/scos-os-release.yaml b/scos-os-release.yaml
deleted file mode 100644
index bef5a03a..00000000
--- a/scos-os-release.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-# This manifest modifies `/etc/os-release` to contain SCOS information. It
-# should no longer be necessary in the future when the base SCOS image is pure
-# CentOS. For now, we split it out so that it can be executed before the bits in
-# `packages-openshift.yaml` which rely on some of the fields set here to update
-# `/etc/motd`.
-
-postprocess:
-  - |
-     #!/usr/bin/env bash
-     set -xeo pipefail
-
-     # Tweak /usr/lib/os-release
-     grep -v "OSTREE_VERSION" /etc/os-release > /usr/lib/os-release.stream
-     OCP_RELEASE="4.16"
-     (
-     . /etc/os-release
-     cat > /usr/lib/os-release <<EOF
-     NAME="${NAME} CoreOS"
-     ID="scos"
-     ID_LIKE="rhel fedora"
-     VERSION="${OSTREE_VERSION}"
-     VERSION_ID="${OCP_RELEASE}"
-     VARIANT="CoreOS"
-     VARIANT_ID=coreos
-     PLATFORM_ID="${PLATFORM_ID}"
-     PRETTY_NAME="${NAME} CoreOS ${OSTREE_VERSION}"
-     ANSI_COLOR="${ANSI_COLOR}"
-     CPE_NAME="${CPE_NAME}::coreos"
-     HOME_URL="${HOME_URL}"
-     DOCUMENTATION_URL="https://docs.okd.io/latest/welcome/index.html"
-     BUG_REPORT_URL="https://access.redhat.com/labs/rhir/"
-     REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
-     REDHAT_BUGZILLA_PRODUCT_VERSION="${OCP_RELEASE}"
-     REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
-     REDHAT_SUPPORT_PRODUCT_VERSION="${OCP_RELEASE}"
-     OSTREE_VERSION="${OSTREE_VERSION}"
-     EOF
-     )
-     rm -f /etc/os-release
-     ln -s ../usr/lib/os-release /etc/os-release
-
-     # Tweak /etc/system-release, /etc/system-release-cpe & /etc/redhat-release
-     (
-     . /etc/os-release
-     cat > /usr/lib/system-release-cpe <<EOF
-     ${CPE_NAME}
-     EOF
-     cat > /usr/lib/system-release <<EOF
-     ${NAME} release ${VERSION_ID}
-     EOF
-     rm -f /etc/system-release-cpe /etc/system-release /etc/redhat-release
-     ln -s /usr/lib/system-release-cpe /etc/system-release-cpe
-     ln -s /usr/lib/system-release /etc/system-release
-     ln -s /usr/lib/system-release /etc/redhat-release
-     )
-
-     # Tweak /usr/lib/issue
-     cat > /usr/lib/issue <<EOF
-     \S \S{VERSION_ID}
-     EOF
-     rm -f /etc/issue /etc/issue.net
-     ln -s /usr/lib/issue /etc/issue
-     ln -s /usr/lib/issue /etc/issue.net
diff --git a/scripts/apply-manifest b/scripts/apply-manifest
new file mode 100755
index 00000000..993e91c1
--- /dev/null
+++ b/scripts/apply-manifest
@@ -0,0 +1,75 @@
+#!/usr/bin/python3 -u
+
+# This is a hacky temporary script to apply an rpm-ostree manifest as part of a
+# derived container build. It's only required because we're in this transitional
+# state where some streams use the old way, and others use layering. Once all
+# streams use layering, we should stop using manifests for tha layered bits. (An
+# obvious question here is whether we should keep extending the `rpm-ostree ex
+# rebuild` stuff to keep using manifests even in a layered build. Though likely
+# similar functionality will live in dnf instead.)
+
+# Note this only supports the subset of the manifest spec actually used in
+# `packages-openshift.yaml`.
+
+import os
+import shutil
+import subprocess
+import sys
+import yaml
+
+
+def runcmd(args):
+    print("Running:", ' '.join(args))
+    subprocess.check_call(args)
+
+
+manifest_file = sys.argv[1]
+manifest_dir = os.path.dirname(manifest_file)
+
+with open(manifest_file) as f:
+    manifest = yaml.safe_load(f)
+
+if len(manifest.get('packages', [])):
+
+    packages = []
+    for pkg in manifest['packages']:
+        packages += pkg.split()
+    rpmostree_install = ['rpm-ostree', 'install', '-y'] + packages
+
+    # XXX: temporary hack for cri-o, which wants to create dirs under /opt
+    # https://github.com/CentOS/centos-bootc/issues/393
+    if 'cri-o' in packages:
+        os.makedirs("/var/opt", exist_ok=True)
+
+    # inject mounted-in repo files
+    extra_repos_dir = '/run/yum.repos.d'
+    copied_repo_files = []
+    if os.path.isdir(extra_repos_dir):
+        for file in os.listdir(extra_repos_dir):
+            src_path = os.path.join(extra_repos_dir, file)
+            if not os.path.isfile(src_path):
+                continue
+            if not file.endswith(".repo"):
+                continue
+            dest_path = os.path.join('/etc/yum.repos.d', file)
+            if os.path.exists(dest_path):
+                raise Exception(f"Repo file {dest_path} already exists")
+            print(f"Copying repo file {file} to /etc/yum.repos.d/")
+            shutil.copy(src_path, dest_path)
+            copied_repo_files += [dest_path]
+
+    runcmd(rpmostree_install)
+
+    # delete the repo files we injected
+    for repo in copied_repo_files:
+        os.unlink(repo)
+
+
+if len(manifest.get('postprocess', [])):
+    for i, script in enumerate(manifest['postprocess']):
+        name = f"/tmp/postprocess-script-{i}"
+        with open(name, 'w') as f:
+            f.write(script)
+        os.chmod(name, 0o755)
+        runcmd([name])
+        os.unlink(name)
diff --git a/tests/kola/version/rhel-major-version b/tests/kola/version/rhel-major-version
index d3b56ee3..f0e00c9b 100755
--- a/tests/kola/version/rhel-major-version
+++ b/tests/kola/version/rhel-major-version
@@ -10,6 +10,9 @@ set -xeuo pipefail
 
 variant="$(source /etc/os-release; echo "${ID}")"
 case "${variant}" in
+    "centos")
+        osver="$(source /etc/os-release; echo "${VERSION_ID}")"
+        ;;
     "scos")
         osver="$(source /usr/lib/os-release.stream; echo "${VERSION}")"
         ;;
diff --git a/tests/kola/version/rhel-matches-rhcos-build b/tests/kola/version/rhel-matches-rhcos-build
index 2fb4b14e..8476b6bd 100755
--- a/tests/kola/version/rhel-matches-rhcos-build
+++ b/tests/kola/version/rhel-matches-rhcos-build
@@ -12,6 +12,11 @@ set -xeuo pipefail
 ocp_version="$(source /etc/os-release; echo "${VERSION}")"
 variant="$(source /etc/os-release; echo "${ID}")"
 case "${variant}" in
+    "centos")
+        # We skip this in the base SCOS case; our package set is pure CentOS and
+        # the version string matches the compose ID, so this test is invalid.
+        exit 0
+        ;;
     "scos")
         # on SCOS, this is just "9"
         osver="$(source /usr/lib/os-release.stream; echo "${VERSION_ID}")"
diff --git a/versionary b/versionary
new file mode 100755
index 00000000..e87ffeaf
--- /dev/null
+++ b/versionary
@@ -0,0 +1,134 @@
+#!/usr/bin/python3 -u
+
+# This script requires the yum repos used by our compose to be direct output
+# from pungi composes.
+
+import configparser
+import dnf
+import json
+import os
+import re
+import requests
+import subprocess
+import sys
+import yaml
+
+from urllib.parse import urlparse, urlunparse
+
+
+def main():
+    manifest_path = get_manifest_path()
+    manifest = get_flattened_manifest(manifest_path)
+    base = get_dnf_base('src/config')
+    repoids = manifest['repos']
+
+    # get base compose URL, verifying at the same time that all the repos point
+    # into the same pungi compose
+    compose_url = None
+    for id in repoids:
+        repo_compose_url = get_compose_url(base.repos[id])
+        if compose_url is None:
+            compose_url = repo_compose_url
+        else:
+            if compose_url != repo_compose_url:
+                raise Exception(f"inconsistent compose URLs detected: {compose_url} vs {repo_compose_url}")
+
+    config = configparser.ConfigParser()
+    config.read_string(requests.get(compose_url + '/.composeinfo').text)
+
+    composeid = config['product']['name'].removeprefix(config['product']['short'] + '-')
+    eprint(f"composeid: {composeid}")
+
+    next_iteration = get_next_iteration(composeid)
+
+    # XXX: we should verify before leaving that the cached rpmmd repos we have
+    # are from the compose we found to rule out race conditions between `cosa
+    # fetch` and `requests.get()` above (e.g. compare the sha256 of repomd.xml)
+
+    print(f"{composeid}.{next_iteration}")
+
+
+def get_compose_url(repo):
+    assert len(repo.baseurl) == 1
+    url = urlparse(repo.baseurl[0])
+    path = url.path.rstrip('/')
+    components = path.split('/')
+    assert components[-1] == 'os'
+    # go up three levels since the structure is e.g. .../compose/<variant>/
+    # <arch>/os and we want to get to .../compose
+    return urlunparse(url._replace(path='/'.join(components[:-3])))
+
+
+def get_dnf_base(basedir):
+    base = dnf.Base()
+    base.conf.reposdir = basedir
+    base.read_all_repos()
+    return base
+
+
+def setup_repos(base, treefile):
+    for repo in base.repos.values():
+        repo.disable()
+
+    eprint("Enabled repos:")
+    for repo in treefile['repos']:
+        base.repos[repo].enable()
+        eprint(f"- {repo}")
+
+
+def get_next_iteration(composeid):
+    try:
+        with open('builds/builds.json') as f:
+            builds = json.load(f)
+    except FileNotFoundError:
+        builds = {'builds': []}
+
+    if len(builds['builds']) == 0:
+        eprint("n: 0 (no previous builds)")
+        return 0
+
+    last_buildid = builds['builds'][0]['id']
+    last_version = parse_version(last_buildid)
+    if not last_version:
+        eprint(f"n: 0 (previous version {last_buildid} does not match scheme)")
+        return 0
+
+    last_composeid, last_iteration = last_version
+
+    if composeid != last_composeid:
+        eprint(f"n: 0 (previous version {last_buildid} compose ID does not match)")
+        return 0
+
+    n = last_iteration + 1
+    eprint(f"n: {n} (incremented from previous version {last_buildid})")
+    return n
+
+
+def parse_version(version):
+    m = re.match(r'^([0-9]+-[0-9]{8}\.[0-9]+)\.([0-9]+)$', version)
+    if m is None:
+        return None
+    composeid, iteration = m.groups()
+    return tuple((composeid, int(iteration)))
+
+
+def get_manifest_path():
+    if os.path.exists('src/config.json'):
+        config_json = json.load(open('src/config.json'))
+        variant = config_json['coreos-assembler.config-variant']
+        return f'src/config/manifest-{variant}.yaml'
+    return 'src/config/manifest.yaml'
+
+
+def get_flattened_manifest(fn):
+    return yaml.safe_load(
+        subprocess.check_output(['rpm-ostree', 'compose', 'tree',
+                                 '--print-only', fn]))
+
+
+def eprint(*args):
+    print(*args, file=sys.stderr)
+
+
+if __name__ == "__main__":
+    sys.exit(main())