diff --git a/c9s/c9s.repo b/c9s/c9s.repo
new file mode 100644
index 00000000..33f501fe
--- /dev/null
+++ b/c9s/c9s.repo
@@ -0,0 +1,27 @@
+[baseos]
+name=CentOS Stream 9 BaseOS
+baseurl=http://mirror.stream.centos.org/9-stream/BaseOS/$basearch/os
+# FIXME
+gpgcheck=0
+enabled=1
+
+[appstream]
+name=CentOS Stream 9 AppStream
+baseurl=http://mirror.stream.centos.org/9-stream/AppStream/$basearch/os
+# FIXME
+gpgcheck=0
+enabled=1
+
+[nfv]
+name=CentOS Stream 9 NFV
+baseurl=http://mirror.stream.centos.org/9-stream/NFV/$basearch/os
+# FIXME
+gpgcheck=0
+enabled=1
+
+[rt]
+name=CentOS Stream 9 RT
+baseurl=http://mirror.stream.centos.org/9-stream/RT/$basearch/os
+# FIXME
+gpgcheck=0
+enabled=1
diff --git a/c9s/copr-walters-coreos-centos-stuff.repo b/c9s/copr-walters-coreos-centos-stuff.repo
new file mode 100644
index 00000000..797e081c
--- /dev/null
+++ b/c9s/copr-walters-coreos-centos-stuff.repo
@@ -0,0 +1,10 @@
+[walters-coreos-centos-stuff]
+name=Copr repo for coreos-centos-stuff owned by walters
+baseurl=https://download.copr.fedorainfracloud.org/results/walters/coreos-centos-stuff/fedora-34-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/walters/coreos-centos-stuff/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
diff --git a/c9s/extensions.yaml b/c9s/extensions.yaml
new file mode 100644
index 00000000..bc841d11
--- /dev/null
+++ b/c9s/extensions.yaml
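Review bot: All four sections of c9s/c9s.repo (`baseos`, `appstream`, `nfv`, `rt`) pair a plain `http://` baseurl with `gpgcheck=0`, so nothing authenticates the RPMs that are composed into the OS image and the transport gives no integrity either. The `# FIXME` marks the problem but does not say what is missing or who will fix it. I would set `gpgcheck=1`, add a `gpgkey=file://<path-to-centos-stream-signing-key>` line (placeholder; the key should come from the build environment or be committed next to this file), and switch the URLs to `https://` if the mirror serves it. The `nfv` and `appstream` ids are also referenced from c9s/extensions.yaml, so the extension RPMs inherit the same gap.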
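Review bot: The `gpgkey=` URL in c9s/copr-walters-coreos-centos-stuff.repo is fetched at build time from the same host that serves the packages, and `repo_gpgcheck=0` leaves the metadata unsigned, so the package signature check adds little beyond the TLS connection to that host. For a repo that feeds an OS image I would commit the public key to this repository and reference it by file path, so that a key change becomes a reviewed change. The baseurl also points at a `fedora-34-$basearch` chroot of a personal Copr project while the manifest targets CentOS Stream 9; if that is a deliberate stopgap, a comment naming the packages taken from it and the condition for dropping it would help.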
@@ -0,0 +1,62 @@
+# RPMs as operating system extensions, distinct from the base ostree commit/image
+# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md
+# and https://github.com/coreos/fedora-coreos-tracker/issues/401
+
+repos:
+ - nfv
+
+extensions:
+ # https://github.com/coreos/fedora-coreos-tracker/issues/326
+ usbguard:
+ packages:
+ - usbguard
+ kerberos:
+ packages:
+ - krb5-workstation
+ - libkadm5
+ # https://github.com/kmods-via-containers/kmods-via-containers/issues/3
+ # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866
+ # These are currently overlaid onto the host so that they can be bind-mounted
+ # into build containers... in the future they should be a `development`
+ # extension: https://github.com/openshift/machine-config-operator/pull/2143.
+ kernel-devel:
+ packages:
+ - kernel-devel
+ - kernel-headers
+ match-base-evr: kernel
+ # These are already in the base, so they're not OS extensions, but they're
+ # useful to have in RPM form to install in kmod build containers.
+ kernel:
+ kind: development
+ packages:
+ - kernel
+ - kernel-core
+ - kernel-modules
+ - kernel-modules-extra
+ match-base-evr: kernel
+ # GRPA-2822
+ # https://github.com/openshift/machine-config-operator/pull/1330
+ # https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md
+ kernel-rt:
+ architectures:
+ - x86_64
+ packages:
+ - kernel-rt-core
+ - kernel-rt-kvm
+ - kernel-rt-modules
+ - kernel-rt-modules-extra
+ - kernel-rt-devel
+ # https://github.com/openshift/machine-config-operator/pull/2456
+ # https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md
+ # GRPA-3123
+ # - kata-containers (RHAOS)
+ sandboxed-containers:
+ architectures:
+ - x86_64
+ modules:
+ enable:
+ - virt:rhel
+ repos:
+ - appstream
+ packages:
+ - kata-containers
diff --git a/c9s/fedora-coreos-config b/c9s/fedora-coreos-config
new file mode 120000
index 00000000..3ce9ade1
--- /dev/null
+++ b/c9s/fedora-coreos-config
@@ -0,0 +1 @@
+../fedora-coreos-config
\ No newline at end of file
diff --git a/c9s/image.yaml b/c9s/image.yaml
new file mode 120000
index 00000000..73c5b031
--- /dev/null
+++ b/c9s/image.yaml
@@ -0,0 +1 @@
+../image.yaml
\ No newline at end of file
diff --git a/c9s/live b/c9s/live
new file mode 120000
index 00000000..6fd56fbe
--- /dev/null
+++ b/c9s/live
@@ -0,0 +1 @@
+../live
\ No newline at end of file
diff --git a/c9s/manifest.yaml b/c9s/manifest.yaml
new file mode 100644
index 00000000..92375537
--- /dev/null
+++ b/c9s/manifest.yaml
@@ -0,0 +1,142 @@ +# Manifest for CentOS Stream CoreOS (SCOS) + +rojig: + license: MIT + name: scos + summary: OKD 4 + +variables: + distro: "scos" + version: "9" + +# Include manifests common to all RHEL and CentOS Stream versions +include: + - ../common.yaml + +# Starting from here, everything should be specific to SCOS + +# CentOS Stream 9 repos + internal repos for now +repos: + - baseos + - appstream + # Temporarily inlcude internal repos and coprs + - rhel-8-server-ose + - walters-coreos-centos-stuff + +# We include hours/minutes to avoid version number reuse +automatic-version-prefix: "412.91." +# This ensures we're semver-compatible which OpenShift wants +automatic-version-suffix: "-" +# Keep this is sync with the version in postprocess +mutate-os-release: "4.12" + +postprocess: + - | + #!/usr/bin/env bash + set -xeo pipefail + + # Tweak /usr/lib/os-release + grep -v "OSTREE_VERSION" /etc/os-release > /usr/lib/os-release.stream + OCP_RELEASE="4.12" + ( + . /etc/os-release + cat > /usr/lib/os-release < /usr/lib/system-release-cpe < /usr/lib/system-release < /usr/lib/issue < /etc/motd <> /etc/crio/crio.conf <`), which would allow it to mutate the build context. This is due to -# https://github.com/containers/buildah/pull/3548 not being present. -# For now, this necessitates passing this image into the cosa-build image -# build below to extract the OCI archive and inject it into the -# ImageStream. However, once the OpenShift CI system is upgraded to use -# OpenShift 4.11, we can create the RHCOS image in a single shot via this -# stage. -FROM build-test-qemu-img:latest -ENV COSA_DIR=/tmp/cosa -ENV COSA_SKIP_OVERLAY=1 -RUN mkdir -p "${COSA_DIR}" && \ - COSA_NO_KVM=1 /src/ci/prow-entrypoint.sh build && \ - rm -rf "${COSA_DIR}/cache" -# We need to make sure that root can read / write to the COSA_DIR so that -# when this container is actually run, we have permissions to read and -# write to the COSA_DIR to allow the Kola tests to run. 
-# Note: In Docker BuildKit, this would double the image size because this -# would create an additional layer. However, since OpenShift Image Builds -# use Buildah, this is eliminated because it squashes these layers -# together. -USER root -RUN chgrp -Rf root "${COSA_DIR}" && \ - chmod -Rf g+w "${COSA_DIR}" -USER builder -WORKDIR /tmp/cosa diff --git a/ci/Dockerfile.cosa-oci-archive b/ci/Dockerfile.cosa-oci-archive deleted file mode 100644 index 3e3ccd8a..00000000 --- a/ci/Dockerfile.cosa-oci-archive +++ /dev/null @@ -1,10 +0,0 @@ -# We need the OCI archive to be somewhere with a predictable place with a constant -# path. However, the Kola tests expect the OCI archive to have the build -# number included in the filename. With that in mind, this image build will -# extract the RHCOS OCI archive from the cosa-build archive and place it in -# a constant path for extraction by the machine-os-oci-content image build. -FROM cosa-build:latest AS base -RUN /src/ci/simplify-ociarchive-path.sh - -FROM scratch -COPY --from=base /tmp/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive /tmp/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive diff --git a/ci/Dockerfile.layering-test b/ci/Dockerfile.layering-test deleted file mode 100644 index f761106b..00000000 --- a/ci/Dockerfile.layering-test +++ /dev/null @@ -1,6 +0,0 @@ -# Create a slimmer Fedora-based image for the layering test binary. This is -# intended to make the startup of the OS layering test faster since we -# won't have to pull the larger build-test-qemu-img. -FROM build-test-qemu-img:latest AS base -FROM registry.ci.openshift.org/coreos/fedora:35 AS final -COPY --from=base /usr/local/bin/layering_test /usr/local/bin/layering_test diff --git a/ci/Dockerfile.machine-os-oci-content b/ci/Dockerfile.machine-os-oci-content deleted file mode 100644 index ddd831e6..00000000 --- a/ci/Dockerfile.machine-os-oci-content +++ /dev/null 
@@ -1,12 +0,0 @@ -# This extracts the OCI archive from the cosa-build image build, injects it -# into the build context, and then uses that OCI archive as this image. -# This makes use of the following: -# - OpenShift Image Builds allows one to pass in a path from another container -# image. It places this under /tmp/build/inputs/. See: -# https://github.com/openshift/builder/blob/37525a77fa07e26c420962dee47193d672ef0b35/pkg/build/builder/common.go#L72 -# - Buildah allows one to use oci-archive as a transport. See: -# https://www.redhat.com/sysadmin/7-transports-features -# - Utilizing the above features in concert with one another and using an -# absolute path to refer to the OCI archive in the build context allows us -# to "import" the OCI archive into the CI ImageStream. -FROM oci-archive:/tmp/build/inputs/magic/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive diff --git a/ci/build-test-qemu.sh b/ci/build-test-qemu.sh deleted file mode 100755 index bf82cc8b..00000000 --- a/ci/build-test-qemu.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -true diff --git a/ci/build-test.sh b/ci/build-test.sh deleted file mode 100755 index bf82cc8b..00000000 --- a/ci/build-test.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -true diff --git a/ci/prow-build-test-qemu.sh b/ci/prow-build-test-qemu.sh deleted file mode 100755 index bf82cc8b..00000000 --- a/ci/prow-build-test-qemu.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -true diff --git a/ci/prow-build.sh b/ci/prow-build.sh deleted file mode 100755 index bf82cc8b..00000000 --- a/ci/prow-build.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -true diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh index c81d0752..2083c305 100755 --- a/ci/prow-entrypoint.sh +++ b/ci/prow-entrypoint.sh 
@@ -6,6 +6,9 @@ set -xeuo pipefail # Global variables REDIRECTOR_URL="https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/" +# Default version of RHEL used to build RHCOS +RHELVER="rhel-8.6" + # This function is used to update the /etc/passwd file within the COSA container # at test-time. The need for this comes from the fact that OpenShift will run a # container with a randomized user ID by default to enhance security. Because @@ -28,6 +31,8 @@ setup_user() { whoami } +# Setup a new build directory with COSA init, selecting the version of RHEL or +# CentOS Stream that we want as a basis for RHCOS/SCOS. cosa_init() { # Always create a writable copy of the source repo tmp_src="$(mktemp -d)" 
@@ -39,54 +44,61 @@ cosa_init() { cd "$cosa_dir" # Setup source tree - cosa init --transient "${tmp_src}/os" + cosa init --transient "${tmp_src}/os" "${RHELVER}" } -# Do a cosa build & cosa build-extensions only +# Do a cosa build & cosa build-extensions only. # This is called both as part of the build phase and test phase in Prow thus we # can not do any kola testing in this function. +# We do not build the QEMU image here as we don't need it in the pure container +# test case. cosa_build() { # Grab the raw value of `mutate-os-release` and use sed to convert the value # to X-Y format ocpver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]') ocpver_mut=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]' | sed 's|\.|-|') - prev_build_url=${REDIRECTOR_URL}/rhcos-${ocpver}/ - # Fetch the previous build - cosa buildfetch --url="${prev_build_url}" + + # Currently disabled for SCOS as we don't have any previous builds + if [[ "${RHELVER}" != "c9s" ]]; then + # Fetch the previous build + cosa buildfetch --url="${REDIRECTOR_URL}/rhcos-${ocpver}/" + fi # Fetch the repos corresponding to the release we are building - rhelver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["automatic-version-prefix"]' | cut -f2 -d.) - id - whoami - ls -alh "src/config/" - curl -L "http://base-${ocpver_mut}-rhel${rhelver}.ocp.svc.cluster.local" -o "src/config/ocp.repo" + if [[ "${RHELVER}" == "rhel-8.6" ]]; then + rhelver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["automatic-version-prefix"]' | cut -f2 -d.) 
+ curl -L "http://base-${ocpver_mut}-rhel${rhelver}.ocp.svc.cluster.local" -o "src/config/ocp.repo" + elif [[ "${RHELVER}" == "rhel-9.0" ]]; then + # Temporary workaround until we have all packages for RHCOS 9 + curl -L "http://base-${ocpver_mut}-rhel86.ocp.svc.cluster.local" -o "src/config/ocp86.repo" + curl -L "http://base-${ocpver_mut}-rhel90.ocp.svc.cluster.local" -o "src/config/ocp90.repo" + elif [[ "${RHELVER}" == "c9s" ]]; then + # Temporary workarounds until we have all packages for SCOS + curl -L "http://base-${ocpver_mut}-rhel86.ocp.svc.cluster.local" -o "src/config/ocp86.repo" + fi - # Build RHCOS & extensions + # Fetch packages cosa fetch - cosa build + # Only build the ostree image by default + cosa build ostree + # Build extensions cosa buildextend-extensions } -# Make sure the image is at least booting before runnning expensive tests -kola_test_basic() { - cosa kola run basic -} - -kola_test_basic_scenarios() { +# Build QEMU image and run all kola tests +kola_test_qemu() { + cosa buildextend-qemu cosa kola --basic-qemu-scenarios -} - -kola_test_upgrade() { kola run-upgrade -b rhcos -v --find-parent-image --qemu-image-dir tmp/ --output-dir tmp/kola-upgrade -} - -kola_test_run() { cosa kola run --parallel 2 } +# Build metal, metal4k & live images and run kola tests kola_test_metal() { # Build metal + installer now so we can test them - cosa buildextend-metal && cosa buildextend-metal4k && cosa buildextend-live + cosa buildextend-metal + cosa buildextend-metal4k + cosa buildextend-live # Compress the metal and metal4k images now so we're testing # installs with the image format we ship 
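Review bot: The `curl -L` calls added in cosa_build save whatever the server returns into `src/config/*.repo`; without `--fail` an HTTP error body is written as a repo file and the script carries on, because curl still exits 0 under `set -e`. I would use `curl --fail -L ...` on each of them. The `if/elif` chain on `${RHELVER}` also has no `else`, so an unexpected value fetches no repo file and the compose continues with whatever is already in `src/config`; an `else echo "Unknown RHELVER: ${RHELVER}"; exit 1` branch would make that a hard error. These repo definitions are fetched over plain `http://` from a cluster-local service, which is presumably acceptable inside the CI cluster but deserves a comment saying so. The hunk ends inside kola_test_metal, whose body continues outside it.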
@@ -154,34 +166,52 @@ main () { cosa_init cosa_build ;; - "build-test-qemu-kola-basic") + "rhcos-86-build-test-qemu") + RHELVER="rhel-8.6" setup_user cosa_init cosa_build - kola_test_basic - kola_test_basic_scenarios + kola_test_qemu ;; - "build-test-qemu-kola-all") + "rhcos-86-build-test-metal") + RHELVER="rhel-8.6" setup_user cosa_init cosa_build - kola_test_basic - kola_test_run + kola_test_metal ;; - "build-test-qemu-kola-upgrade") + "rhcos-90-build-test-qemu") + RHELVER="rhel-9.0" setup_user cosa_init cosa_build - kola_test_basic - kola_test_upgrade + kola_test_qemu ;; - "build-test-qemu-kola-metal") + "rhcos-90-build-test-metal") + RHELVER="rhel-9.0" setup_user cosa_init cosa_build - kola_test_basic kola_test_metal ;; + "scos-9-build-test-qemu") + RHELVER="c9s" + setup_user + cosa_init + cosa_build + kola_test_qemu + ;; + "scos-9-build-test-metal") + RHELVER="c9s" + setup_user + cosa_init + cosa_build + kola_test_metal + ;; + "disabled-test") + echo "Disabled tests" + exit 0 + ;; *) echo "Unknown test name" exit 1 diff --git a/ci/set-openshift-user.sh b/ci/set-openshift-user.sh deleted file mode 100755 index bf82cc8b..00000000 --- a/ci/set-openshift-user.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -true diff --git a/ci/test-qemu-firmware-uefi.sh b/ci/test-qemu-firmware-uefi.sh deleted file mode 100755 index 121d870d..00000000 --- a/ci/test-qemu-firmware-uefi.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash -set -xeuo -/src/ci/prow-entrypoint.sh "build-test-qemu-kola-basic" diff --git a/ci/test-qemu-kola-upgrade.sh b/ci/test-qemu-kola-upgrade.sh deleted file mode 100755 index 8e087b5a..00000000 --- a/ci/test-qemu-kola-upgrade.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash -set -xeuo -/src/ci/prow-entrypoint.sh "build-test-qemu-kola-upgrade" diff --git a/ci/test-qemu-kola.sh b/ci/test-qemu-kola.sh deleted file mode 100755 index 4d0df394..00000000 --- a/ci/test-qemu-kola.sh +++ /dev/null 
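Review bot: The new `"disabled-test"` arm in main prints `Disabled tests` and exits 0, so any job wired to it reports success without building or testing anything, and nothing in the hunk says which jobs use it or why. I would document it above the arm, for example `# Placeholder for CI jobs that are switched off; always succeeds without running anything` (wording to be confirmed by the author), and make the echoed message name the reason. Separately, the six build-test arms repeat `setup_user`, `cosa_init`, `cosa_build` and differ only in the `RHELVER` value and the final kola function, so a small helper taking those two values would keep one arm from drifting from the others. main starts outside the hunk.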
@@ -1,3 +0,0 @@ -#!/bin/bash -set -xeuo -/src/ci/prow-entrypoint.sh "build-test-qemu-kola-all" diff --git a/ci/test-qemu-metal.sh b/ci/test-qemu-metal.sh deleted file mode 100755 index 8060b9a3..00000000 --- a/ci/test-qemu-metal.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash -set -xeuo -/src/ci/prow-entrypoint.sh "build-test-qemu-kola-metal" diff --git a/ci/test-qemu-nvme.sh b/ci/test-qemu-nvme.sh deleted file mode 100755 index 2e06e213..00000000 --- a/ci/test-qemu-nvme.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash -set -xeuo -true diff --git a/ci/validate.sh b/ci/validate.sh deleted file mode 100755 index fdd4042c..00000000 --- a/ci/validate.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash -set -xeuo -./ci/prow-entrypoint.sh "validate" diff --git a/common.yaml b/common.yaml new file mode 100644 index 00000000..ca7ebaa1 --- /dev/null +++ b/common.yaml 
@@ -0,0 +1,244 @@ +# We inherit from Fedora CoreOS' base configuration +include: + - fedora-coreos-config/manifests/ignition-and-ostree.yaml + - fedora-coreos-config/manifests/file-transfer.yaml + - fedora-coreos-config/manifests/networking-tools.yaml + - fedora-coreos-config/manifests/system-configuration.yaml + - fedora-coreos-config/manifests/user-experience.yaml + - fedora-coreos-config/manifests/shared-workarounds.yaml + # RHCOS owned packages + - rhcos-packages.yaml + +# Layers common to all versions of RHCOS and SCOS +ostree-layers: + - overlay/01fcos + - overlay/02fcos-nouveau + - overlay/05rhcos + - overlay/06gcp-routes + - overlay/15rhcos-tuned-bits + - overlay/20platform-chrony + - overlay/21dhcp-chrony + +arch-include: + x86_64: + - fedora-coreos-config/manifests/grub2-removals.yaml + - fedora-coreos-config/manifests/bootupd.yaml + ppc64le: fedora-coreos-config/manifests/grub2-removals.yaml + aarch64: + - fedora-coreos-config/manifests/grub2-removals.yaml + - fedora-coreos-config/manifests/bootupd.yaml + +documentation: false +initramfs-args: + - "--no-hostonly" + - "--omit-drivers" + - "nouveau" + - "--omit" + # we don't need root-on-NFS + # see upstream: https://github.com/coreos/fedora-coreos-config/pull/60 + - "nfs" + - "--add" + - "iscsi" + - "ignition" + - "--add" + - "ifcfg" + - "--add" + - "fips" + # The current default in RHEL8 is network-legacy + ## XXX: This does not work for now: https://github.com/dracutdevs/dracut/issues/798 + ## XXX: Temporarily use overlay.d/05rhcos/usr/lib/dracut/modules.d/29rhcos-need-network-manager/module-setup.sh + #- "--add" + #- "network-manager" + - "--omit" + - "network-legacy" + +postprocess: + - | + #!/usr/bin/env bash + set -xeo pipefail + + # Disable PasswordAuthentication in SSH + sed -i "s|^PasswordAuthentication yes$|PasswordAuthentication no|g" /etc/ssh/sshd_config + # Disable root login because don't do that. 
+ sed -i "s|^PermitRootLogin yes$|PermitRootLogin no|g" /etc/ssh/sshd_config + # Enable ClientAliveInterval and set to 180 per https://bugzilla.redhat.com/show_bug.cgi?id=1701050 + sed -i "s|^#ClientAliveInterval 0$|ClientAliveInterval 180|g" /etc/ssh/sshd_config + + # TEMPORARY: Create /etc/vmware-tools/tools.conf to ensure RHCOS shows up properly in VMWare + # See https://jira.coreos.com/browse/RHCOS-258 + if [ "$(uname -m)" == "x86_64" ]; then + cat > /etc/vmware-tools/tools.conf <<'EOF' + [guestosinfo] + short-name = rhel8-64 + EOF + fi + + # TEMPORARY: Fix file permission for cpictl until fix is backported to RHEL 8.6 + # See https://bugzilla.redhat.com/show_bug.cgi?id=2024102 + if [ "$(uname -m)" == "s390x" ]; then + [ "$(stat -c '%a' /usr/lib/s390-tools/cpictl)" == "755" ] && echo "Permission for /usr/lib/s390-tools/cpictl is fixed, remove temporary hack" + chmod 755 /usr/lib/s390-tools/cpictl + fi + + # Nuke network.service from orbit + # https://github.com/openshift/os/issues/117 + rm -rf /etc/rc.d/init.d/network /etc/rc.d/rc*.d/*network + + # We're not using resolved yet + rm -f /usr/lib/systemd/system/systemd-resolved.service + - | + #!/usr/bin/env bash + set -xeuo pipefail + # manually modify SELinux booleans that are needed for OCP use cases + semanage boolean --modify --on container_use_cephfs # RHBZ#1694045 + semanage boolean --modify --on virt_use_samba # RHBZ#1754825 + + # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812 + # https://bugzilla.redhat.com/show_bug.cgi?id=1796537 + - | + #!/usr/bin/bash + mkdir -p /usr/share/containers/oci/hooks.d + + # This is part of e.g. fedora-repos in Fedora; we now want to include it by default + # so that the MCO can use it by default and not trip over SELinux issues trying + # to create it. + - | + #!/usr/bin/bash + mkdir -p /etc/yum.repos.d + + # This updates the PAM configuration to reference all of the SSSD modules. 
+ # Removes the `authselect` binary afterwards since `authselect` does not play well with `nss-altfiles` + # (https://github.com/pbrezina/authselect/issues/48). + # https://bugzilla.redhat.com/show_bug.cgi?id=1774154 + # NOTE: This is a temporary hack which should be updated after switching to systemd-sysusers + - | + #!/usr/bin/env bash + set -xeuo pipefail + # use `authselect test` since `authselect select` wants to copy to `/var` too + authselect test sssd --nsswitch | tail -n +2 > /etc/nsswitch.conf + for pam_file in system-auth password-auth smartcard-auth fingerprint-auth postlogin; do + authselect test sssd --${pam_file} | tail -n +2 > /etc/pam.d/${pam_file} + done + rm -f $(which authselect) + +etc-group-members: + - wheel + - sudo + - systemd-journal + - adm +ignore-removed-users: + - root +ignore-removed-groups: + - root +check-passwd: + type: "file" + filename: "passwd" +check-groups: + type: "file" + filename: "group" + +exclude-packages: + # https://bugzilla.redhat.com/show_bug.cgi?id=1798278 + - subscription-manager + # And this one shouldn't come in + - dnf + # https://github.com/coreos/rpm-ostree/pull/1789/files/a0cd999a8acd5b40ec1024a794a642916fbc8ff8#diff-fc2076dc46933204a7a798f544ce3734 + # People need to use `rpm-ostree kargs` instead. + - grubby + # udisks2 is a fwupd recommends only need for encrypted swap checks + - udisks2 + # dhcp-client is recommended by chrony for handling NTP servers given out via + # DHCP, but we have a NM dispatcher script that is doing that + # See: https://bugzilla.redhat.com/show_bug.cgi?id=1930468 + # See: https://bugzilla.redhat.com/show_bug.cgi?id=1800901 + - dhcp-client + +# Try to maintain this list ordering by "in RHEL, then not in RHEL". +# To verify, disable all repos except the ootpa ones and then comment +# out the bottom and run `coreos-assembler build`. +# A lof of packages are inherited by the manifests included at the top. 
+packages: + # Contains SCTP (https://bugzilla.redhat.com/show_bug.cgi?id=1718049) + # and it's not really going to be worth playing the "where's my kernel module" + # game long term. If we ship it we support it, etc. + - kernel-modules-extra + # Audit + - audit + # Containers + - containernetworking-plugins + # Pinned due to cosa on Fedora not honoring RHEL 8 modules as expected + - container-selinux + - cri-o cri-tools + # Networking + - nfs-utils + - dnsmasq + - NetworkManager-ovs + # Extra runtime + - sssd + # Common tools used by scripts and admins interactively + - rsync tmux + - nmap-ncat strace + # Editors + - nano + # Red Hat CA certs + - subscription-manager-rhsm-certificates + # Used on the bootstrap node + - systemd-journal-remote + # Extras + - systemd-journal-gateway + - clevis clevis-luks clevis-dracut + - tpm2-tools + # Used to update PAM configuration to work with SSSD + # https://bugzilla.redhat.com/show_bug.cgi?id=1774154 + - authselect + # https://bugzilla.redhat.com/show_bug.cgi?id=1900759 + - qemu-guest-agent + # BELOW HERE ARE PACKAGES NOT IN RHEL + # OpenShift OKD + #- origin-node origin-hyperkube origin-clients + # OpenShift + - openshift-hyperkube openshift-clients + # Gluster - Used for Openshift e2e gluster testcases + # Reverts https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/367 and add it for all arches + - glusterfs-fuse + # Needed for kernel-devel extension: https://bugzilla.redhat.com/show_bug.cgi?id=1885408 + # x86_64 and s390x have these packages installed as dependencies of other packages, ppc64le does not + # FIXME: once the below BZs have been resolved to remove perl dependencies, this can be done in the extensions script + # https://bugzilla.redhat.com/show_bug.cgi?id=1877905 + # https://bugzilla.redhat.com/show_bug.cgi?id=1886201 + - perl-interpreter + # https://github.com/coreos/fedora-coreos-tracker/issues/404 + # https://bugzilla.redhat.com/show_bug.cgi?id=1925698 + # 
https://github.com/openshift/machine-config-operator/pull/2421 + - conntrack-tools + # Upstream PR https://github.com/coreos/fedora-coreos-config/pull/786 + - WALinuxAgent-udev + +packages-x86_64: + # Temporary add of open-vm-tools. Should be removed when containerized + - open-vm-tools + - irqbalance + # Until we sort out 4.2 -> 4.3 upgrades, we need to carry this. + # See also https://github.com/ostreedev/ostree/pull/1929 + - ostree-grub2 + # rdma-core cleanly covers some key bare metal use cases + - rdma-core + +packages-ppc64le: + - irqbalance + - librtas + - powerpc-utils-core + - ppc64-diag-rtas + - rdma-core + +remove-from-packages: + - - filesystem + - "/usr/share/backgrounds" + # https://bugzilla.redhat.com/show_bug.cgi?id=1762509 + # https://bugzilla.redhat.com/show_bug.cgi?id=1727058 + - - initscripts + - "/" + # Remove the systemd unit; we only want the binary to be used + # by MCD or kubelet. See above. + - - conntrack-tools + - /usr/lib/systemd/system diff --git a/extensions.yaml b/extensions.yaml deleted file mode 100644 index d989e3b0..00000000 --- a/extensions.yaml +++ /dev/null 
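Review bot: The SSH hardening in the first `postprocess` script of common.yaml relies on exact-match `sed` patterns (`^PasswordAuthentication yes$`, `^PermitRootLogin yes$`), which silently do nothing when the shipped `sshd_config` has the directive commented out, spelled differently, or moved to a drop-in. This file is now shared by the RHEL 8.6, RHEL 9.0 and CentOS Stream 9 variants, and the hunk cannot show what each of those ships, so the build can succeed with password or root login still enabled. I would follow the `sed` lines with checks that fail the compose, `grep -q '^PasswordAuthentication no$' /etc/ssh/sshd_config` and `grep -q '^PermitRootLogin no$' /etc/ssh/sshd_config`, which the script's `set -e` turns into a build error. The same script hard-codes `short-name = rhel8-64` for VMware, which looks stale for the 9-based variants and is worth a comment or a per-variant value.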
@@ -1,62 +0,0 @@ -# RPMs as operating system extensions, distinct from the base ostree commit/image -# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md -# and https://github.com/coreos/fedora-coreos-tracker/issues/401 - -repos: - - rhel-8-nfv - -extensions: - # https://github.com/coreos/fedora-coreos-tracker/issues/326 - usbguard: - packages: - - usbguard - kerberos: - packages: - - krb5-workstation - - libkadm5 - # https://github.com/kmods-via-containers/kmods-via-containers/issues/3 - # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866 - # These are currently overlaid onto the host so that they can be bind-mounted - # into build containers... in the future they should be a `development` - # extension: https://github.com/openshift/machine-config-operator/pull/2143. - kernel-devel: - packages: - - kernel-devel - - kernel-headers - match-base-evr: kernel - # These are already in the base, so they're not OS extensions, but they're - # useful to have in RPM form to install in kmod build containers. - kernel: - kind: development - packages: - - kernel - - kernel-core - - kernel-modules - - kernel-modules-extra - match-base-evr: kernel - # GRPA-2822 - # https://github.com/openshift/machine-config-operator/pull/1330 - # https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md - kernel-rt: - architectures: - - x86_64 - packages: - - kernel-rt-core - - kernel-rt-kvm - - kernel-rt-modules - - kernel-rt-modules-extra - - kernel-rt-devel - # https://github.com/openshift/machine-config-operator/pull/2456 - # https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md - # GRPA-3123 - # - kata-containers (RHAOS) - sandboxed-containers: - architectures: - - x86_64 - modules: - enable: - - virt:rhel - repos: - - rhel-8-appstream - packages: - - kata-containers 
diff --git a/extensions.yaml b/extensions.yaml new file mode 120000 index 00000000..df0dd1aa --- /dev/null +++ b/extensions.yaml @@ -0,0 +1 @@ +rhel-8.6/extensions.yaml \ No newline at end of file diff --git a/manifest.yaml b/manifest.yaml index fa78aa8e..63836df4 100644 --- a/manifest.yaml +++ b/manifest.yaml 
@@ -1,410 +1,3 @@ -rojig: - license: MIT - name: rhcos - summary: OpenShift 4 - -# We inherit from Fedora CoreOS' base configuration +# Default RHEL version used to build RHCOS include: - - fedora-coreos-config/manifests/ignition-and-ostree.yaml - - fedora-coreos-config/manifests/file-transfer.yaml - - fedora-coreos-config/manifests/networking-tools.yaml - - fedora-coreos-config/manifests/system-configuration.yaml - - fedora-coreos-config/manifests/user-experience.yaml - - fedora-coreos-config/manifests/shared-workarounds.yaml - # RHCOS owned packages - - rhcos-packages.yaml - -ostree-layers: - - overlay/01fcos - - overlay/02fcos-nouveau - - overlay/05rhcos - - overlay/06gcp-routes - - overlay/15rhcos-logrotate - - overlay/15rhcos-tuned-bits - - overlay/20platform-chrony - - overlay/21dhcp-chrony - - overlay/25rhcos-azure-udev - -arch-include: - x86_64: - - fedora-coreos-config/manifests/grub2-removals.yaml - - fedora-coreos-config/manifests/bootupd.yaml - ppc64le: fedora-coreos-config/manifests/grub2-removals.yaml - aarch64: - - fedora-coreos-config/manifests/grub2-removals.yaml - - fedora-coreos-config/manifests/bootupd.yaml - -# See README.md -# and https://github.com/openshift/release/blob/master/core-services/release-controller/README.md#rpm-mirrors -repos: - - rhel-8-baseos - - rhel-8-appstream - - rhel-8-fast-datapath - - rhel-8-server-ose - -# https://bugzilla.redhat.com/show_bug.cgi?id=1938928 -rpmdb: bdb - -# We include hours/minutes to avoid version number reuse -automatic-version-prefix: "411.86." 
-# This ensures we're semver-compatible which OpenShift wants -automatic-version-suffix: "-" -# Keep this is sync with the version in postprocess -mutate-os-release: "4.11" - -documentation: false -initramfs-args: - - "--no-hostonly" - - "--omit-drivers" - - "nouveau" - - "--omit" - # we don't need root-on-NFS - # see upstream: https://github.com/coreos/fedora-coreos-config/pull/60 - - "nfs" - - "--add" - - "iscsi" - - "ignition" - - "--add" - - "ifcfg" - - "--add" - - "fips" - # The current default in RHEL8 is network-legacy - ## XXX: This does not work for now: https://github.com/dracutdevs/dracut/issues/798 - ## XXX: Temporarily use overlay.d/05rhcos/usr/lib/dracut/modules.d/29rhcos-need-network-manager/module-setup.sh - #- "--add" - #- "network-manager" - - "--omit" - - "network-legacy" - -postprocess: - - | - #!/usr/bin/env bash - set -xeo pipefail - - # Disable PasswordAuthentication in SSH - sed -i "s|^PasswordAuthentication yes$|PasswordAuthentication no|g" /etc/ssh/sshd_config - # Disable root login because don't do that. 
- sed -i "s|^PermitRootLogin yes$|PermitRootLogin no|g" /etc/ssh/sshd_config - # Enable ClientAliveInterval and set to 180 per https://bugzilla.redhat.com/show_bug.cgi?id=1701050 - sed -i "s|^#ClientAliveInterval 0$|ClientAliveInterval 180|g" /etc/ssh/sshd_config - - # TEMPORARY: Create /etc/vmware-tools/tools.conf to ensure RHCOS shows up properly in VMWare - # See https://jira.coreos.com/browse/RHCOS-258 - if [ "$(uname -m)" == "x86_64" ]; then - cat > /etc/vmware-tools/tools.conf <<'EOF' - [guestosinfo] - short-name = rhel8-64 - EOF - fi - - # TEMPORARY: Fix file permission for cpictl until fix is backported to RHEL 8.6 - # See https://bugzilla.redhat.com/show_bug.cgi?id=2024102 - if [ "$(uname -m)" == "s390x" ]; then - [ "$(stat -c '%a' /usr/lib/s390-tools/cpictl)" == "755" ] && echo "Permission for /usr/lib/s390-tools/cpictl is fixed, remove temporary hack" - chmod 755 /usr/lib/s390-tools/cpictl - fi - - # Nuke network.service from orbit - # https://github.com/openshift/os/issues/117 - rm -rf /etc/rc.d/init.d/network /etc/rc.d/rc*.d/*network - - # We're not using resolved yet - rm -f /usr/lib/systemd/system/systemd-resolved.service - - # Enable tmp-on-tmpfs by default because we don't want to have things - # leak across reboots, it increases alignment with FCOS, and also fixes - # the Live ISO. First, verify that RHEL is still disabling. - grep -q '# RHEL-only: Disable /tmp on tmpfs' /usr/lib/systemd/system/basic.target - echo '# RHCOS-only: we follow the Fedora/upstream default' >> /usr/lib/systemd/system/basic.target - echo 'Wants=tmp.mount' >> /usr/lib/systemd/system/basic.target - - | - #!/usr/bin/env bash - set -xeo pipefail - - # Ensure that /etc/issue.d exists for console-login-helper-messages - # This can be removed once we rebase to RHEL 9 - install -d -m 0755 /etc/issue.d - - | - #!/usr/bin/env bash - set -xeo pipefail - - # Tweak /usr/lib/os-release - grep -v "OSTREE_VERSION" /etc/os-release > /usr/lib/os-release.rhel - OCP_RELEASE="4.11" - ( - . 
/etc/os-release - cat > /usr/lib/os-release < /usr/lib/system-release-cpe < /usr/lib/system-release < /usr/lib/issue < /etc/motd < /etc/nsswitch.conf - for pam_file in system-auth password-auth smartcard-auth fingerprint-auth postlogin; do - authselect test sssd --${pam_file} | tail -n +2 > /etc/pam.d/${pam_file} - done - rm -f $(which authselect) - - # Stop shipping a baked initiator name in the image; this should be generated - # at runtime. We have a service which does this - # (coreos-generate-iscsi-initiatorname.service) until it's done properly - # upstream (see https://bugzilla.redhat.com/show_bug.cgi?id=1493296). - - | - #!/usr/bin/env bash - set -xeuo pipefail - - # NB: we don't use -f here so we break when this is no longer needed - rm -v /etc/iscsi/initiatorname.iscsi - -etc-group-members: - - wheel - - sudo - - systemd-journal - - adm -ignore-removed-users: - - root -ignore-removed-groups: - - root -check-passwd: - type: "file" - filename: "passwd" -check-groups: - type: "file" - filename: "group" - -exclude-packages: - # https://bugzilla.redhat.com/show_bug.cgi?id=1798278 - - subscription-manager - # And this one shouldn't come in - - dnf - # https://github.com/coreos/rpm-ostree/pull/1789/files/a0cd999a8acd5b40ec1024a794a642916fbc8ff8#diff-fc2076dc46933204a7a798f544ce3734 - # People need to use `rpm-ostree kargs` instead. - - grubby - # udisks2 is a fwupd recommends only need for encrypted swap checks - - udisks2 - # dhcp-client is recommended by chrony for handling NTP servers given out via - # DHCP, but we have a NM dispatcher script that is doing that - # See: https://bugzilla.redhat.com/show_bug.cgi?id=1930468 - # See: https://bugzilla.redhat.com/show_bug.cgi?id=1800901 - - dhcp-client - -# Try to maintain this list ordering by "in RHEL, then not in RHEL". -# To verify, disable all repos except the ootpa ones and then comment -# out the bottom and run `coreos-assembler build`. -# A lof of packages are inherited by the manifests included at the top. 
-packages: - # We include the generic release package and tweak the os-release info in a - # post-proces script - - redhat-release - # Contains SCTP (https://bugzilla.redhat.com/show_bug.cgi?id=1718049) - # and it's not really going to be worth playing the "where's my kernel module" - # game long term. If we ship it we support it, etc. - - kernel-modules-extra - # Audit - - audit - # Containers - - containernetworking-plugins - # Pinned due to cosa on Fedora not honoring RHEL 8 modules as expected - - container-selinux - - cri-o cri-tools - # Networking - - nfs-utils - - openvswitch2.17 - - dnsmasq - - NetworkManager-ovs - # Extra runtime - - sssd - # Common tools used by scripts and admins interactively - - rsync tmux - - nmap-ncat strace - # Editors - - nano - # Red Hat CA certs - - subscription-manager-rhsm-certificates - # Used on the bootstrap node - - systemd-journal-remote - # Extras - - systemd-journal-gateway - # RHEL7 compatibility - - compat-openssl10 - # Make sure we pull in at least clevis 15; it drops the rd.neednet=1 hardcode - # and has a few other patches we need. 
- # https://bugzilla.redhat.com/show_bug.cgi?id=1853651 - - "'clevis >= 15-1.el8' 'clevis-luks >= 15-1.el8' 'clevis-dracut >= 15-1.el8'" - - cryptsetup-reencrypt tpm2-tools - # Used to update PAM configuration to work with SSSD - # https://bugzilla.redhat.com/show_bug.cgi?id=1774154 - - authselect - # https://bugzilla.redhat.com/show_bug.cgi?id=1900759 - - qemu-guest-agent - # BELOW HERE ARE PACKAGES NOT IN RHEL - # OpenShift OKD - #- origin-node origin-hyperkube origin-clients - # OpenShift - - openshift-hyperkube openshift-clients - # Gluster - Used for Openshift e2e gluster testcases - # Reverts https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/367 and add it for all arches - - glusterfs-fuse - # Needed for kernel-devel extension: https://bugzilla.redhat.com/show_bug.cgi?id=1885408 - # x86_64 and s390x have these packages installed as dependencies of other packages, ppc64le does not - # FIXME: once the below BZs have been resolved to remove perl dependencies, this can be done in the extensions script - # https://bugzilla.redhat.com/show_bug.cgi?id=1877905 - # https://bugzilla.redhat.com/show_bug.cgi?id=1886201 - - perl-interpreter - # https://github.com/coreos/fedora-coreos-tracker/issues/404 - # https://bugzilla.redhat.com/show_bug.cgi?id=1925698 - # https://github.com/openshift/machine-config-operator/pull/2421 - - conntrack-tools - # Upstream PR https://github.com/coreos/fedora-coreos-config/pull/786 - - WALinuxAgent-udev - -repo-packages: - # we always want the kernel from BaseOS - - repo: rhel-8-baseos - packages: - - kernel - # we want the one shipping in RHEL, not the equivalently versioned one in RHAOS - - repo: rhel-8-appstream - packages: - - nss-altfiles - - repo: rhel-8-server-ose - packages: - # Starting with 4.11, we are working with the Containers team to build - # certain container-tools RPMs in the RHAOS branches for RHCOS + RHEL - # worker nodes. 
- - conmon - - container-selinux - - containernetworking-plugins - - containers-common - - criu - - crun - - fuse-overlayfs - - podman - - runc - - skopeo - - slirp4netns - - toolbox - -modules: - enable: - # qemu-guest-agent - - virt:rhel - -packages-x86_64: - # Temporary add of open-vm-tools. Should be removed when containerized - - open-vm-tools - - irqbalance - # Until we sort out 4.2 -> 4.3 upgrades, we need to carry this. - # See also https://github.com/ostreedev/ostree/pull/1929 - - ostree-grub2 - # rdma-core cleanly covers some key bare metal use cases - - rdma-core - - -packages-ppc64le: - - irqbalance - - librtas - - powerpc-utils-core - - ppc64-diag-rtas - - rdma-core - - -remove-from-packages: - - - filesystem - - "/usr/share/backgrounds" - # https://bugzilla.redhat.com/show_bug.cgi?id=1762509 - # https://bugzilla.redhat.com/show_bug.cgi?id=1727058 - - - initscripts - - "/" - # Remove the systemd unit; we only want the binary to be used - # by MCD or kubelet. See above. - - - conntrack-tools - - /usr/lib/systemd/system + - rhel-8.6/manifest.yaml diff --git a/rhel-8.6/extensions.yaml b/rhel-8.6/extensions.yaml new file mode 100644 index 00000000..d989e3b0 --- /dev/null +++ b/rhel-8.6/extensions.yaml 
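Review bot: Nothing readable in the new rhel-8.6/manifest.yaml or rhel-9.0/manifest.yaml re-applies the sshd hardening that this hunk deletes from the top-level manifest (the `sed` edits that set `PasswordAuthentication no` and `PermitRootLogin no`), so it presumably has to arrive through `../common.yaml`, which this view does not show. Those `sed` substitutions succeed silently when the pattern is absent, so the relocated script should assert the result with `grep -q '^PasswordAuthentication no$' /etc/ssh/sshd_config` and `grep -q '^PermitRootLogin no$' /etc/ssh/sshd_config`. The deleted script already uses that idiom for the tmp-on-tmpfs check in `basic.target`. This matters most for the RHEL 9 variant, where the stock sshd_config may not contain the exact lines the patterns expect, and an image could then ship with the distribution defaults without any build error.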
@@ -0,0 +1,62 @@
+# RPMs as operating system extensions, distinct from the base ostree commit/image
+# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md
+# and https://github.com/coreos/fedora-coreos-tracker/issues/401
+
+repos:
+ - rhel-8-nfv
+
+extensions:
+ # https://github.com/coreos/fedora-coreos-tracker/issues/326
+ usbguard:
+ packages:
+ - usbguard
+ kerberos:
+ packages:
+ - krb5-workstation
+ - libkadm5
+ # https://github.com/kmods-via-containers/kmods-via-containers/issues/3
+ # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866
+ # These are currently overlaid onto the host so that they can be bind-mounted
+ # into build containers... in the future they should be a `development`
+ # extension: https://github.com/openshift/machine-config-operator/pull/2143.
+ kernel-devel:
+ packages:
+ - kernel-devel
+ - kernel-headers
+ match-base-evr: kernel
+ # These are already in the base, so they're not OS extensions, but they're
+ # useful to have in RPM form to install in kmod build containers.
+ kernel:
+ kind: development
+ packages:
+ - kernel
+ - kernel-core
+ - kernel-modules
+ - kernel-modules-extra
+ match-base-evr: kernel
+ # GRPA-2822
+ # https://github.com/openshift/machine-config-operator/pull/1330
+ # https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md
+ kernel-rt:
+ architectures:
+ - x86_64
+ packages:
+ - kernel-rt-core
+ - kernel-rt-kvm
+ - kernel-rt-modules
+ - kernel-rt-modules-extra
+ - kernel-rt-devel
+ # https://github.com/openshift/machine-config-operator/pull/2456
+ # https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md
+ # GRPA-3123
+ # - kata-containers (RHAOS)
+ sandboxed-containers:
+ architectures:
+ - x86_64
+ modules:
+ enable:
+ - virt:rhel
+ repos:
+ - rhel-8-appstream
+ packages:
+ - kata-containers
diff --git a/rhel-8.6/fedora-coreos-config b/rhel-8.6/fedora-coreos-config
new file mode 120000
index 00000000..3ce9ade1
--- /dev/null
+++ b/rhel-8.6/fedora-coreos-config
@@ -0,0 +1 @@
+../fedora-coreos-config
\ No newline at end of file
diff --git a/rhel-8.6/image.yaml b/rhel-8.6/image.yaml
new file mode 120000
index 00000000..73c5b031
--- /dev/null
+++ b/rhel-8.6/image.yaml
@@ -0,0 +1 @@
+../image.yaml
\ No newline at end of file
diff --git a/rhel-8.6/live b/rhel-8.6/live
new file mode 120000
index 00000000..6fd56fbe
--- /dev/null
+++ b/rhel-8.6/live
@@ -0,0 +1 @@
+../live
\ No newline at end of file
diff --git a/rhel-8.6/manifest.yaml b/rhel-8.6/manifest.yaml
new file mode 100644
index 00000000..bcae242f
--- /dev/null
+++ b/rhel-8.6/manifest.yaml
@@ -0,0 +1,187 @@ +# Manifest for RHCOS based on RHEL 8.6 + +rojig: + license: MIT + name: rhcos + summary: OpenShift 4 + +variables: + distro: "rhel" + version: "8.6" + +# Include manifests common to all RHEL and CentOS Stream versions +include: + - ../common.yaml + +# Starting from here, everything should be specific to RHCOS based on RHEL 8.6 + +ostree-layers: + # Temporary logrotate service and timer units + - overlay/15rhcos-logrotate + - overlay/25rhcos-azure-udev + +# See README.md +# and https://github.com/openshift/release/blob/master/core-services/release-controller/README.md#rpm-mirrors +repos: + - rhel-8-baseos + - rhel-8-appstream + - rhel-8-fast-datapath + - rhel-8-server-ose + +# https://bugzilla.redhat.com/show_bug.cgi?id=1938928 +rpmdb: bdb + +# We include hours/minutes to avoid version number reuse +automatic-version-prefix: "412.86." +# This ensures we're semver-compatible which OpenShift wants +automatic-version-suffix: "-" +# Keep this is sync with the version in postprocess +mutate-os-release: "4.12" + +postprocess: + - | + #!/usr/bin/env bash + set -xeo pipefail + + # Tweak /usr/lib/os-release + grep -v "OSTREE_VERSION" /etc/os-release > /usr/lib/os-release.rhel + OCP_RELEASE="4.12" + ( + . /etc/os-release + cat > /usr/lib/os-release < /usr/lib/system-release-cpe < /usr/lib/system-release < /usr/lib/issue < /etc/motd <> /usr/lib/systemd/system/basic.target + echo 'Wants=tmp.mount' >> /usr/lib/systemd/system/basic.target + # Stop shipping a baked initiator name in the image; this should be generated + # at runtime. We have a service which does this + # (coreos-generate-iscsi-initiatorname.service) until it's done properly + # upstream (see https://bugzilla.redhat.com/show_bug.cgi?id=1493296). 
+ - | + #!/usr/bin/env bash + set -xeuo pipefail + + # NB: we don't use -f here so we break when this is no longer needed + rm -v /etc/iscsi/initiatorname.iscsi + +# Packages that are only in RHCOS and not in SCOS or that have special +# constraints that do not apply to SCOS +packages: + # We include the generic release package and tweak the os-release info in a + # post-proces script + - redhat-release + # RHEL7 compatibility + - compat-openssl10 + # SCOS package name does not include a version number + - openvswitch2.17 + +# Packages pinned to specific repos in RHCOS +repo-packages: + # we always want the kernel from BaseOS + - repo: rhel-8-baseos + packages: + - kernel + # we want the one shipping in RHEL, not the equivalently versioned one in RHAOS + - repo: rhel-8-appstream + packages: + - nss-altfiles + - repo: rhel-8-server-ose + packages: + # Starting with 4.11, we are working with the Containers team to build + # certain container-tools RPMs in the RHAOS branches for RHCOS + RHEL + # worker nodes. + - conmon + - container-selinux + - containernetworking-plugins + - containers-common + - criu + - crun + - fuse-overlayfs + - podman + - runc + - skopeo + - slirp4netns + - toolbox + +modules: + enable: + # qemu-guest-agent + - virt:rhel diff --git a/rhel-8.6/overlay.d b/rhel-8.6/overlay.d new file mode 120000 index 00000000..ac61c882 --- /dev/null +++ b/rhel-8.6/overlay.d @@ -0,0 +1 @@ +../overlay.d/ \ No newline at end of file diff --git a/rhel-9.0/extensions.yaml b/rhel-9.0/extensions.yaml new file mode 100644 index 00000000..f3e241d8 --- /dev/null +++ b/rhel-9.0/extensions.yaml 
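Review bot: The os-release postprocess script in this new manifest starts with `set -xeo pipefail`, while the iscsi script at the end of the same list uses `set -xeuo pipefail`; the first one should use `set -xeuo pipefail` as well. That script sets `OCP_RELEASE`, sources /etc/os-release and then appears to generate os-release, the CPE file and the login banners from shell variables, so without `-u` a missing or misspelled variable would be written out as an empty string rather than failing the build. The heredoc bodies are not readable in this view, so any field that is optional by design would need an explicit default of the form `${NAME:-}` (constructed example). The same `set -xeo pipefail` header opens the corresponding script in rhel-9.0/manifest.yaml.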
@@ -0,0 +1,62 @@
+# RPMs as operating system extensions, distinct from the base ostree commit/image
+# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md
+# and https://github.com/coreos/fedora-coreos-tracker/issues/401
+
+repos:
+ - rhel-9-nfv
+
+extensions:
+ # https://github.com/coreos/fedora-coreos-tracker/issues/326
+ usbguard:
+ packages:
+ - usbguard
+ kerberos:
+ packages:
+ - krb5-workstation
+ - libkadm5
+ # https://github.com/kmods-via-containers/kmods-via-containers/issues/3
+ # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866
+ # These are currently overlaid onto the host so that they can be bind-mounted
+ # into build containers... in the future they should be a `development`
+ # extension: https://github.com/openshift/machine-config-operator/pull/2143.
+ kernel-devel:
+ packages:
+ - kernel-devel
+ - kernel-headers
+ match-base-evr: kernel
+ # These are already in the base, so they're not OS extensions, but they're
+ # useful to have in RPM form to install in kmod build containers.
+ kernel:
+ kind: development
+ packages:
+ - kernel
+ - kernel-core
+ - kernel-modules
+ - kernel-modules-extra
+ match-base-evr: kernel
+ # GRPA-2822
+ # https://github.com/openshift/machine-config-operator/pull/1330
+ # https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md
+ kernel-rt:
+ architectures:
+ - x86_64
+ packages:
+ - kernel-rt-core
+ - kernel-rt-kvm
+ - kernel-rt-modules
+ - kernel-rt-modules-extra
+ - kernel-rt-devel
+ # https://github.com/openshift/machine-config-operator/pull/2456
+ # https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md
+ # GRPA-3123
+ # - kata-containers (RHAOS)
+ sandboxed-containers:
+ architectures:
+ - x86_64
+ modules:
+ enable:
+ - virt:rhel
+ repos:
+ - rhel-9-appstream
+ packages:
+ - kata-containers
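Review bot: The `sandboxed-containers` extension in this RHEL 9 file still enables the module stream `virt:rhel`, carried over unchanged from the RHEL 8.6 file; only the repo names were switched to `rhel-9-nfv` and `rhel-9-appstream`. RHEL 9 is not expected to ship its virtualization packages through that module stream, so the entry should be checked against the rhel-9-appstream metadata and dropped if the stream is absent, since it would otherwise be dead configuration or a build failure. Separately, the extensions.yaml copies for c9s, rhel-8.6 and rhel-9.0 differ only in repo names, so a header comment such as `# Keep the package lists in sync with ../rhel-8.6/extensions.yaml and ../c9s/extensions.yaml` would make drift between them easier to catch in review.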
diff --git a/rhel-9.0/fedora-coreos-config b/rhel-9.0/fedora-coreos-config
new file mode 120000
index 00000000..3ce9ade1
--- /dev/null
+++ b/rhel-9.0/fedora-coreos-config
@@ -0,0 +1 @@
+../fedora-coreos-config
\ No newline at end of file
diff --git a/rhel-9.0/image.yaml b/rhel-9.0/image.yaml
new file mode 120000
index 00000000..73c5b031
--- /dev/null
+++ b/rhel-9.0/image.yaml
@@ -0,0 +1 @@
+../image.yaml
\ No newline at end of file
diff --git a/rhel-9.0/live b/rhel-9.0/live
new file mode 120000
index 00000000..6fd56fbe
--- /dev/null
+++ b/rhel-9.0/live
@@ -0,0 +1 @@
+../live
\ No newline at end of file
diff --git a/rhel-9.0/manifest.yaml b/rhel-9.0/manifest.yaml
new file mode 100644
index 00000000..d5a9cf7e
--- /dev/null
+++ b/rhel-9.0/manifest.yaml
@@ -0,0 +1,161 @@ +# Manifest for RHCOS based on RHEL 9.0 + +rojig: + license: MIT + name: rhcos + summary: OpenShift 4 + +variables: + distro: "rhel" + version: "9.0" + +# Include manifests common to all RHEL and CentOS Stream versions +include: + - ../common.yaml + +# Starting from here, everything should be specific to RHCOS based on RHEL 9.0 + +# See README.md +# and https://github.com/openshift/release/blob/master/core-services/release-controller/README.md#rpm-mirrors +repos: + - rhel-9-baseos + - rhel-9-appstream + - rhel-9-fast-datapath + - rhel-9-server-ose + # Temporary for openvswitch-selinux-extra-policy + - rhel-8-fast-datapath + +# We include hours/minutes to avoid version number reuse +automatic-version-prefix: "412.90." +# This ensures we're semver-compatible which OpenShift wants +automatic-version-suffix: "-" +# Keep this is sync with the version in postprocess +mutate-os-release: "4.12" + +postprocess: + - | + #!/usr/bin/env bash + set -xeo pipefail + + # Tweak /usr/lib/os-release + grep -v "OSTREE_VERSION" /etc/os-release > /usr/lib/os-release.rhel + OCP_RELEASE="4.12" + ( + . /etc/os-release + cat > /usr/lib/os-release < /usr/lib/system-release-cpe < /usr/lib/system-release < /usr/lib/issue < /etc/motd <> /etc/crio/crio.conf <