diff --git a/manifests/group b/manifests/group
index 3ce8c35..2fd197c 100644
--- a/manifests/group
+++ b/manifests/group
@@ -16,35 +16,29 @@ sudo:x:16:
 dialout:x:18:
 floppy:x:19:
 games:x:20:
-tape:x:30:
+tape:x:33:
 video:x:39:
 ftp:x:50:
 lock:x:54:
 audio:x:63:
 nobody:x:99:
 users:x:100:
-utmp:x:22:
-utempter:x:35:
 ssh_keys:x:999:
 systemd-journal:x:190:
-dbus:x:81:
 polkitd:x:998:
 etcd:x:997:
 dip:x:40:
 cgred:x:996:
-tss:x:59:
 avahi-autoipd:x:170:
-rpc:x:32:
 sssd:x:993:
 dockerroot:x:986:
 rpcuser:x:29:
 nfsnobody:x:65534:
 kube:x:994:
-sshd:x:74:
 chrony:x:992:
 tcpdump:x:72:
 ceph:x:167:
-input:x:995:
+input:x:104:
 systemd-timesync:x:991:
 systemd-network:x:990:
 systemd-resolve:x:989:
diff --git a/manifests/grub2-removals.yaml b/manifests/grub2-removals.yaml
new file mode 100644
index 0000000..d87ec01
--- /dev/null
+++ b/manifests/grub2-removals.yaml
@@ -0,0 +1,9 @@
+remove-from-packages:
+ # The grub bits are mainly designed for desktops, and IMO haven't seen
+ # enough testing in concert with ostree. At some point we'll flesh out
+ # the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
+ - [grub2-tools, /etc/grub.d/08_fallback_counting,
+ /etc/grub.d/10_reset_boot_success,
+ /etc/grub.d/12_menu_auto_hide,
+ /usr/lib/systemd/.*]
+
diff --git a/manifests/passwd b/manifests/passwd
index b05ebdb..8b00e55 100644
--- a/manifests/passwd
+++ b/manifests/passwd
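Review bot: The removed `-dbus:x:81:`, `-rpc:x:32:` and `-sshd:x:74:` lines drop the gid pins for accounts that the passwd manifest in this same change still carries with those numbers as primary group (`dbus:x:81:81`, `rpc:x:32:32`, `sshd:x:74:74`), so check-groups no longer asserts the group half of the privilege-separated sshd and system-bus identities while check-passwd still asserts the user half. If the intent is that these groups are now owned by the packages' own scriptlets or sysusers, say so in the commit message or list them under `ignore-removed-groups` (that key is cut off at the end of this diff); otherwise the three lines should stay. The renumberings `-input:x:995:` → `+input:x:104:` and `tape` 30 → 33 change static gids of an already-composed tree, and anything persisted under /var with the old numbers would presumably stop resolving to these names after an upgrade, which is worth noting in the commit message since this file has no comment syntax.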
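Review bot: The last pattern `/usr/lib/systemd/.*` strips everything grub2-tools installs under /usr/lib/systemd, not only the boot-success units that the three grub.d scripts listed before it presumably depend on, and the comment above the list does not mention this blanket removal. Suggest adding to that comment: `# /usr/lib/systemd/.* also drops every grub2-tools systemd unit; the boot-success counting units go together with the 08/10 scripts above`. Since rpm-ostree treats these entries as regular expressions (the trailing `.*` relies on that), the unescaped `.` in `/etc/grub.d/08_fallback_counting` and its siblings matches any character; harmless here, but `\.` would make the intent exact.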
@@ -6,28 +6,35 @@ lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 halt:x:7:0:halt:/sbin:/sbin/halt
-mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
-operator:x:11:0:operator:/root:/sbin/nologin
-games:x:12:100:games:/usr/games:/sbin/nologin
-ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
-nobody:x:99:99:Nobody:/:/sbin/nologin
-dbus:x:81:81:System message bus:/:/sbin/nologin
-polkitd:x:999:998:User for polkitd:/:/sbin/nologin
-etcd:x:998:997:etcd user:/var/lib/etcd:/sbin/nologin
-tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
-avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
-rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
-sssd:x:995:993:User for sssd:/:/sbin/nologin
-dockerroot:x:997:986:Docker User:/var/lib/docker:/sbin/nologin
-rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
-nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
-kube:x:996:994:Kubernetes user:/:/sbin/nologin
-sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
-chrony:x:994:992::/var/lib/chrony:/sbin/nologin
-tcpdump:x:72:72::/:/sbin/nologin
-ceph:x:167:167:Ceph daemons:/var/lib/ceph:/sbin/nologin
-systemd-timesync:x:993:991:systemd Time Synchronization:/:/sbin/nologin
-systemd-network:x:991:990:systemd Network Management:/:/sbin/nologin
-systemd-resolve:x:990:989:systemd Resolver:/:/sbin/nologin
-systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/sbin/nologin
-cockpit-ws:x:988:987:User for cockpit-ws:/:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
+bin:x:1:1:bin:/bin:/usr/sbin/nologin
+ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
+chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
+cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
+dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
+dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
+etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
+games:x:12:100:games:/usr/games:/usr/sbin/nologin
+halt:x:7:0:halt:/sbin:/sbin/halt
+kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
+nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
+operator:x:11:0:operator:/root:/usr/sbin/nologin
+polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
+root:x:0:0:Super User:/root:/bin/bash
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
+systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
+systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
+systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
+tcpdump:x:72:72::/:/usr/sbin/nologin
diff --git a/manifests/rocky-ostree-base.yaml b/manifests/rocky-ostree-base.yaml
index 65848f1..6bbde24 100644
--- a/manifests/rocky-ostree-base.yaml
+++ b/manifests/rocky-ostree-base.yaml
@@ -8,11 +8,15 @@ ostree-layers:
 - overlay/08nouveau
 - overlay/09misc
 - overlay/20platform-chrony
+ - overlay/15fcos
 conditional-include:
 - if: releasever <= 8
 include: fallback-hostname.yaml
+ - if: basearch != "s390x"
+ # And remove some cruft from grub2
+ include: grub2-removals.yaml
 packages:
 - rpm
@@ -29,6 +33,7 @@ packages:
 - polkit
 - coreos-installer
+ ignore-removed-users:
 - root
 ignore-removed-groups:
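Review bot: The new side re-adds `+sync:x:5:0:…`, `+shutdown:x:6:0:…`, `+halt:x:7:0:…` and `+lp:x:4:7:…` even though the unchanged context lines ` sync`, ` shutdown`, ` halt` and the hunk trailer `lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin` show those accounts already present above the hunk, so the resulting file has at least four duplicated names, and for `lp` two conflicting lines (`/sbin/nologin` versus `/usr/sbin/nologin`); the same is likely true of `+root`, `+bin`, `+daemon` and `+adm` if lines 1–4 of the old file hold them, which this hunk does not show. Since rpm-ostree uses this file as the reference for uid/gid pinning, a duplicated entry is at best resolved by first-match and at worst rejected by the check, so either drop the pre-hunk lines or do not re-add them here, leaving exactly one line per account. The `nobody` line is pinned at 99/99 but now carries the GECOS `Kernel Overflow User`, which the EL8 setup package uses for uid 65534 (with no `nfsnobody`); confirm which layout the target `releasever` actually ships before keeping both `nobody:x:99:99` and `nfsnobody:x:65534:65534`.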
@@ -38,6 +43,7 @@ etc-group-members:
 - sudo
 - systemd-journal
 - adm
+ - docker
 check-passwd: