manifests: move OCP-related postprocessing to packages-openshift.yaml

As prep for openshift#799, let's better split the postprocessing steps that are
related to OCP from those that have tighter binding to RHEL proper.

This should have almost no functional effect. One visible difference is
in the `/etc/motd` we write which before hardcoded e.g. RHCOS and CentOS
Stream in the prose text, but is now a little more generic.

common.yaml

@@ -67,33 +67,6 @@ postprocess:
     # We're not using resolved yet
     rm -f /usr/lib/systemd/system/systemd-resolved.service
 
-  # manually modify SELinux booleans that are needed for OCP use cases
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    semanage boolean --modify --on container_use_cephfs      # RHBZ#1694045
-    semanage boolean --modify --on virt_use_samba            # RHBZ#1754825
-
-  # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
-  # https://bugzilla.redhat.com/show_bug.cgi?id=1796537
-  - |
-    #!/usr/bin/bash
-    mkdir -p /usr/share/containers/oci/hooks.d
-
-  # This is part of e.g. fedora-repos in Fedora; we now want to include it by default
-  # so that the MCO can use it by default and not trip over SELinux issues trying
-  # to create it.
-  - |
-    #!/usr/bin/bash
-    mkdir -p /etc/yum.repos.d
-
-  # These enable librhsm which enables host subscriptions to work in containers
-  # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
-  - |
-    #!/usr/bin/bash
-    ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
-    ln -sr /run/secrets/rhsm /etc/rhsm-host
-
   # This updates the PAM configuration to reference all of the SSSD modules.
   # Removes the `authselect` binary afterwards since `authselect` does not play well with `nss-altfiles`
   # (https://github.com/pbrezina/authselect/issues/48).
@@ -151,17 +124,6 @@ postprocess:
     # FIXME: Why is this only broken here?  NM isn't removing the link?
     sed -i '/etc.resolv/d' /usr/lib/tmpfiles.d/etc.conf
 
-  - |
-    #!/usr/bin/env bash
-    set -xeo pipefail
-    # crio should stop hardcoding things in their config file!
-    # We are apparently somehow pulling in a conmon override in RHCOS
-    # that contains /usr/libexec/crio/conmon - WHY?
-    # sed -i '/conmon.*=/d' /etc/crio/crio.conf
-    # Oh right but the MCO overrides that too so...
-    mkdir -p /usr/libexec/crio
-    ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
-
   - |
     #!/usr/bin/env bash
     set -xeuo pipefail
@@ -181,17 +143,6 @@ postprocess:
     # generating it.
     ln -sr /usr/share/zoneinfo/UTC /etc/localtime
 
-  - |
-    #!/usr/bin/env bash
-    set -xeo pipefail
-    # Add the hugetlbfs group to the openvswitch user if the openvswitch-hugetlbfs.conf
-    # sysusers fragment exists. The usermod used to happen in the RPM scriptlets but
-    # that stopped working in the sysusers conversion. We should be able to drop this
-    # when a bug gets fixed in systemd: https://github.com/openshift/os/issues/1274#issuecomment-1605507390
-    if [ -f /usr/lib/sysusers.d/openvswitch-hugetlbfs.conf ]; then
-        usermod -a -G hugetlbfs openvswitch
-    fi
-
 remove-files:
   # We don't ship man(1) or info(1)
   - usr/share/info

manifest-c9s.yaml

@@ -95,31 +95,6 @@ postprocess:
      ln -s /usr/lib/issue /etc/issue
      ln -s /usr/lib/issue /etc/issue.net
 
-     # Let's have a non-boring motd, just like CL (although theirs is more subdued
-     # nowadays compared to early versions with ASCII art).  One thing we do here
-     # is add --- as a "separator"; the idea is that any "dynamic" information should
-     # be below that.
-     # See: https://projects.engineering.redhat.com/browse/COREOS-1029
-     . /etc/os-release
-     cat > /etc/motd <<EOF
-     CentOS Stream CoreOS $VERSION
-       Part of OKD ${OPENSHIFT_VERSION}, SCOS is a Kubernetes native operating system
-       managed by the Machine Config Operator (\`clusteroperator/machine-config\`).
-
-     WARNING: Direct SSH access to machines is not recommended; instead,
-     make configuration changes via \`machineconfig\` objects:
-       https://docs.openshift.com/container-platform/${OPENSHIFT_VERSION}/architecture/architecture-rhcos.html
-
-     ---
-     EOF
-  - |
-     #!/usr/bin/env bash
-     set -xeo pipefail
-     # We need to work in disconnected environments by default, and default-enabled
-     # repos will be attempted to be fetched by rpm-ostree when doing node-local
-     # kernel overrides today for e.g. kernel-rt.
-     for x in /etc/yum.repos.d/*.repo; do sed -i -e s,enabled=1,enabled=0, $x; done
-
 # Packages that are only in SCOS and not in RHCOS or that have special
 # constraints that do not apply to RHCOS
 packages:

manifest-rhel-9.4.yaml

@@ -91,31 +91,6 @@ postprocess:
      ln -s /usr/lib/issue /etc/issue
      ln -s /usr/lib/issue /etc/issue.net
 
-     # Let's have a non-boring motd, just like CL (although theirs is more subdued
-     # nowadays compared to early versions with ASCII art).  One thing we do here
-     # is add --- as a "separator"; the idea is that any "dynamic" information should
-     # be below that.
-     # See: https://projects.engineering.redhat.com/browse/COREOS-1029
-     . /etc/os-release
-     cat > /etc/motd <<EOF
-     Red Hat Enterprise Linux CoreOS $VERSION
-       Part of OpenShift ${OPENSHIFT_VERSION}, RHCOS is a Kubernetes native operating system
-       managed by the Machine Config Operator (\`clusteroperator/machine-config\`).
-
-     WARNING: Direct SSH access to machines is not recommended; instead,
-     make configuration changes via \`machineconfig\` objects:
-       https://docs.openshift.com/container-platform/${OPENSHIFT_VERSION}/architecture/architecture-rhcos.html
-
-     ---
-     EOF
-  - |
-     #!/usr/bin/env bash
-     set -xeo pipefail
-     # We need to work in disconnected environments by default, and default-enabled
-     # repos will be attempted to be fetched by rpm-ostree when doing node-local
-     # kernel overrides today for e.g. kernel-rt.
-     for x in /etc/yum.repos.d/*.repo; do sed -i -e s,enabled=1,enabled=0, $x; done
-
 # Packages that are only in RHCOS and not in SCOS or that have special
 # constraints that do not apply to SCOS
 packages:

packages-openshift.yaml

@@ -8,3 +8,85 @@ packages:
   # and depend on one or more of the above.
   - NetworkManager-ovs
   - ose-aws-ecr-image-credential-provider
+
+postprocess:
+  # This is part of e.g. fedora-repos in Fedora; we now want to include it by default
+  # so that the MCO can use it by default and not trip over SELinux issues trying
+  # to create it.
+  - |
+    #!/usr/bin/bash
+    set -euo pipefail
+    mkdir -p /etc/yum.repos.d
+
+    # If there *are* repos built-in (e.g. c9s), disable them.
+    # We need to work in disconnected environments by default, and default-enabled
+    # repos will be attempted to be fetched by rpm-ostree when doing node-local
+    # kernel overrides today for e.g. kernel-rt.
+    for x in /etc/yum.repos.d/*.repo; do sed -i -e s,enabled=1,enabled=0, $x; done
+
+  - |
+    #!/usr/bin/bash
+    set -euo pipefail
+    # Let's have a non-boring motd, just like CL (although theirs is more subdued
+    # nowadays compared to early versions with ASCII art).  One thing we do here
+    # is add --- as a "separator"; the idea is that any "dynamic" information should
+    # be below that.
+    # See: https://projects.engineering.redhat.com/browse/COREOS-1029
+    . /etc/os-release
+    if ! grep -q CoreOS <<< "$NAME"; then
+      NAME="${NAME} CoreOS"
+    fi
+    cat > /etc/motd <<EOF
+    $NAME $VERSION
+      Part of OpenShift ${OPENSHIFT_VERSION}, this is a Kubernetes native operating system
+      managed by the Machine Config Operator (\`clusteroperator/machine-config\`).
+
+    WARNING: Direct SSH access to machines is not recommended; instead,
+    make configuration changes via \`machineconfig\` objects:
+      https://docs.openshift.com/container-platform/${OPENSHIFT_VERSION}/architecture/architecture-rhcos.html
+
+    ---
+    EOF
+
+  # These enable librhsm which enables host subscriptions to work in containers
+  # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
+  - |
+    #!/usr/bin/bash
+    set -euo pipefail
+    ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
+    ln -sr /run/secrets/rhsm /etc/rhsm-host
+
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    # manually modify SELinux booleans that are needed for OCP use cases
+    semanage boolean --modify --on container_use_cephfs      # RHBZ#1694045
+    semanage boolean --modify --on virt_use_samba            # RHBZ#1754825
+
+  # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1796537
+  - |
+    #!/usr/bin/bash
+    mkdir -p /usr/share/containers/oci/hooks.d
+
+  - |
+    #!/usr/bin/env bash
+    set -xeo pipefail
+    # Add the hugetlbfs group to the openvswitch user if the openvswitch-hugetlbfs.conf
+    # sysusers fragment exists. The usermod used to happen in the RPM scriptlets but
+    # that stopped working in the sysusers conversion. We should be able to drop this
+    # when a bug gets fixed in systemd: https://github.com/openshift/os/issues/1274#issuecomment-1605507390
+    if [ -f /usr/lib/sysusers.d/openvswitch-hugetlbfs.conf ]; then
+        usermod -a -G hugetlbfs openvswitch
+    fi
+
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    # crio should stop hardcoding things in their config file!
+    # We are apparently somehow pulling in a conmon override in RHCOS
+    # that contains /usr/libexec/crio/conmon - WHY?
+    # sed -i '/conmon.*=/d' /etc/crio/crio.conf
+    # Oh right but the MCO overrides that too so...
+    mkdir -p /usr/libexec/crio
+    ln -sr /usr/bin/conmon /usr/libexec/crio/conmon