diff --git a/Containerfile b/Containerfile
index 2d44588b..246c88d0 100644
--- a/Containerfile
+++ b/Containerfile
@@ -4,7 +4,9 @@ ARG IMAGE_FROM=overridden
 FROM ${IMAGE_FROM} as build
 ARG OPENSHIFT_CI=0
-RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo /run/src/build-node-image.sh
+ARG OPENSHIFT_VERSION=overridden
+ARG YUM_REPO_NAMES=overridden
+RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/run/src/secret.repo /run/src/build-node-image.sh
 FROM build as metadata
 ARG IMAGE_NAME
diff --git a/build-args-10.2-5.0.conf b/build-args-10.2-5.0.conf
index a7fa9856..fd63e6c6 100644
--- a/build-args-10.2-5.0.conf
+++ b/build-args-10.2-5.0.conf
@@ -1,3 +1,9 @@
+OPENSHIFT_VERSION=5.0
 IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:10.2
+
+# Used by the generate-labels script
 IMAGE_NAME=openshift/ose-rhel-coreos-10
 IMAGE_CPE=cpe:/a:redhat:openshift:5.0::el10
+
+# The names of the yum repos to use for the node image build.
+YUM_REPO_NAMES=rhel-10.2-baseos,rhel-10.2-appstream,rhel-10.2-early-kernel,rhel-10.2-fast-datapath,rhel-10.2-server-ose-5.0
diff --git a/build-args-9.8-5.0.conf b/build-args-9.8-5.0.conf
index 5ba98ffd..b2525478 100644
--- a/build-args-9.8-5.0.conf
+++ b/build-args-9.8-5.0.conf
@@ -1,3 +1,9 @@
+OPENSHIFT_VERSION=5.0
 IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:9.8
+
+# Used by the generate-labels script
 IMAGE_NAME=openshift/ose-rhel-coreos-9
 IMAGE_CPE=cpe:/a:redhat:openshift:5.0::el9
+
+# The names of the yum repos to use for the node image build.
+YUM_REPO_NAMES=rhel-9.8-baseos,rhel-9.8-appstream,rhel-9.8-early-kernel,rhel-9.8-fast-datapath,rhel-9.8-server-ose-5.0
diff --git a/build-args-c10s-5.0.conf b/build-args-c10s-5.0.conf
index 1ae66b2b..aab3c247 100644
--- a/build-args-c10s-5.0.conf
+++ b/build-args-c10s-5.0.conf
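Review bot: Moving the yumrepos secret mount from `/etc/yum.repos.d/secret.repo` to `/run/src/secret.repo` puts it in the path of the script's `cat /run/src/*.repo >> /etc/yum.repos.d/git.repo`, so the secret's contents are copied onto the build container's filesystem instead of staying on the mount. That copy stays out of the image only because build-node-image.sh deletes git.repo at its end inside this same RUN; a run that exits 0 without reaching that line would commit it into the layer. A comment on the RUN line recording this coupling, e.g. `# secret.repo is copied into /etc/yum.repos.d/git.repo by the script, which must remove it before the layer is committed`, would keep the next edit to either file from silently breaking it.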
@@ -1,2 +1,12 @@
+OPENSHIFT_VERSION=5.0
 IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10
-# SCOS/OKD: no labels.json or OCI labels for name/cpe
+
+# SCOS/OKD: no labels.json or OCI labels for name/cpe (so don't define them)
+# IMAGE_NAME=
+# IMAGE_CPE=
+
+# The names of the yum repos to use for the node image build.
+# XXX: use of the rhel-*server-ose-* ART repo shouldn't happen for OKD; see related XXX
+# in build-node-image.sh. Also we must put the ART repo last for the modification
+# in the script to work.
+YUM_REPO_NAMES=c10s-baseos,c10s-appstream,c10s-sig-nfv,c10s-sig-cloud-okd,rhel-10.2-server-ose-5.0
diff --git a/build-node-image.sh b/build-node-image.sh
index d732e7ec..4b2c26f7 100755
--- a/build-node-image.sh
+++ b/build-node-image.sh
@@ -14,7 +14,8 @@ if [ "${OPENSHIFT_CI}" != 0 ]; then
 /run/src/ci/get-ocp-repo.sh /etc/yum.repos.d/ocp.repo
 fi
-# add all the repos from the src repo into `/etc/yum.repos.d` so dnf sees them
+# add all the repos from the src repo (including mounted in secret.repo)
+# into `/etc/yum.repos.d` so dnf sees them
 cat /run/src/*.repo >> /etc/yum.repos.d/git.repo
 source /etc/os-release
@@ -22,23 +23,118 @@ source /etc/os-release
 # XXX: For SCOS, only allow certain packages to come from ART; everything else
 # should come from CentOS. We should eventually sever this.
 if [ $ID = centos ]; then
- # this says: "if the line starts with [.*], turn off printing. if the line starts with [our-repo], turn it on."
- awk "/\[.*\]/{p=0} /\[rhel-10.2-server-ose-5.0\]/{p=1} p" /etc/yum.repos.d/*.repo > /etc/yum.repos.d/okd.repo.tmp
- sed -i -e 's,\[rhel-10.2-server-ose-5.0\],\[rhel-10.2-server-ose-5.0-okd\],' /etc/yum.repos.d/okd.repo.tmp
- echo 'includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*,ose-crio-* ' >> /etc/yum.repos.d/okd.repo.tmp
- mv /etc/yum.repos.d/okd.repo{.tmp,}
+ OPENSHIFT_ART_REPO_NAME=${YUM_REPO_NAMES/*,/} # ART repo == the last repo in the list
+ dnf config-manager --save \
+ --setopt="${OPENSHIFT_ART_REPO_NAME}.includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*,ose-crio-*"
 fi
 # XXX: patch cri-o spec to use tmpfiles
 # https://github.com/CentOS/centos-bootc/issues/393
 mkdir -p /var/opt
-# this is where all the real work happens
-rpm-ostree experimental compose treefile-apply \
- --var "osversion=${ID}-${VERSION_ID}" /run/src/packages-openshift.yaml
+# Version lock to the specific packages installed on the system already
+dnf --disablerepo=* versionlock add '*'
-# cleanup any repo files we injected
-rm -f /etc/yum.repos.d/{ocp,git,okd}.repo
+# Install the OCP packages. Limit to appropriate repos for this stream.
+dnf --repo="${YUM_REPO_NAMES}" install -y \
+ cri-o cri-tools conmon-rs \
+ openshift-clients openshift-kubelet \
+ openvswitch3.5 \
+ NetworkManager-ovs \
+ ose-aws-ecr-image-credential-provider \
+ ose-azure-acr-image-credential-provider \
+ ose-gcp-gcr-image-credential-provider \
+ ose-crio-credential-provider
+
+# clear the versionlock and clean up any dnf caches / yum repo files we created.
+# note `redhat.repo` gets created when you run dnf (via subscription-manager plugin), +# so we'll clean that up too. +dnf --disablerepo=* versionlock clear +dnf clean all +rm -vf /etc/yum.repos.d/{ocp,git,redhat}.repo + + +# --- postprocess steps --- +# These were previously in the `postprocess` section of packages-openshift.yaml. + +# Disable any built-in repos. We need to work in disconnected environments by +# default, and default-enabled repos will be attempted to be fetched by +# rpm-ostree when doing node-local kernel overrides today for e.g. kernel-rt. +for x in $(find /etc/yum.repos.d/ -name '*.repo'); do + sed -i -e 's/enabled\s*=\s*1/enabled=0/g' "$x" +done + +# Enable librhsm which enables host subscriptions to work in containers +# https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30 +ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host +ln -sr /run/secrets/rhsm /etc/rhsm-host + +# Manually modify SELinux booleans that are needed for OCP use cases +semanage boolean --modify --on container_use_cephfs # RHBZ#1694045 +semanage boolean --modify --on virt_use_samba # RHBZ#1754825 + +# https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812 +# https://bugzilla.redhat.com/show_bug.cgi?id=1796537 +mkdir -p /usr/share/containers/oci/hooks.d + +# crio conmon symlink +mkdir -p /usr/libexec/crio +ln -sr /usr/bin/conmon /usr/libexec/crio/conmon + +# Inject OpenShift-specific release fields +cat >> /usr/lib/os-release < /etc/motd < /usr/lib/tmpfiles.d/openshift.conf << EOF +L /opt/cni - - - - ../../usr/lib/opt/cni +d /var/lib/cni 0755 root root - - +d /var/lib/cni/bin 0755 root root - - +d /var/lib/containers 0755 root root - - +d /var/lib/openvswitch 0755 root root - - +d /var/lib/openvswitch/pki 0755 root root - - +d /var/log/openvswitch 0750 openvswitch hugetlbfs - - +d /var/lib/unbound 0755 unbound unbound - - +EOF +fi + +# --- end postprocess steps --- find /usr -name 
'*.pyc.bak' -exec sh -c 'mv $1 ${1%.bak}' _ {} \;
 ostree container commit
diff --git a/packages-openshift.yaml b/packages-openshift.yaml
deleted file mode 100644
index 8b86b5e6..00000000
--- a/packages-openshift.yaml
+++ /dev/null
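Review bot: `--disablerepo=*` is an unquoted glob on both new versionlock lines (`versionlock add` and `versionlock clear`); it only stays literal because nothing in the working directory matches it, so write `--disablerepo='*'` as the `'*'` argument beside it already does. The repo-disabling loop `for x in $(find /etc/yum.repos.d/ -name '*.repo')` word-splits the find output; `for x in /etc/yum.repos.d/*.repo; do [ -e "$x" ] || continue; sed -i -e 's/enabled\s*=\s*1/enabled=0/g' "$x"; done` avoids that and spawns no find. `OPENSHIFT_ART_REPO_NAME=${YUM_REPO_NAMES/*,/}` relies on longest-match replacement to reach the last comma; `${YUM_REPO_NAMES##*,}` states that intent directly, and because the Containerfile defaults the ARG to the sentinel `overridden`, a guard such as `[ "${YUM_REPO_NAMES:-overridden}" != overridden ] || { echo 'YUM_REPO_NAMES not set' >&2; exit 1; }` before the first dnf call would fail the build early rather than inside dnf. The heredoc region after `cat >> /usr/lib/os-release` is garbled in this rendering and was not reviewed.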
@@ -1,173 +0,0 @@ -metadata: - # This should match the /etc/os-release manipulation we do below when - # injecting `OPENSHIFT_VERSION`. It's used by CI to determine the repos to - # inject when building the layered image. - ocp_version: "5.0" - -conditional-include: - - if: - - osversion != "rhel-9.8" - - osversion != "rhel-10.2" - - osversion != "centos-10" - include: - repos: [ENOEXIST] # We want an error in this case - - if: osversion == "rhel-9.8" - include: - repos: - - rhel-9.8-baseos - - rhel-9.8-appstream - - rhel-9.8-early-kernel - - rhel-9.8-fast-datapath - - rhel-9.8-server-ose-5.0 - - if: osversion == "rhel-10.2" - include: - repos: - - rhel-10.2-baseos - - rhel-10.2-appstream - - rhel-10.2-early-kernel - - rhel-10.2-fast-datapath - - rhel-10.2-server-ose-5.0 - - if: osversion == "centos-10" - include: - repos: - - c10s-baseos - - c10s-appstream - - c10s-sig-nfv - - c10s-sig-cloud-okd - # XXX: this shouldn't be here; see related XXX in build-node-image.sh - - rhel-10.2-server-ose-5.0-okd - -packages: - # The packages below are required by OpenShift/OKD - # but are not present in CentOS Stream and RHEL. - - cri-o cri-tools conmon-rs - - openshift-clients openshift-kubelet - - openvswitch3.5 - # The packages below are present in CentOS Stream/RHEL, - # and depend on one or more of the above. - - NetworkManager-ovs - - ose-aws-ecr-image-credential-provider - - ose-azure-acr-image-credential-provider - - ose-gcp-gcr-image-credential-provider - - ose-crio-credential-provider - -postprocess: - # This is part of e.g. fedora-repos in Fedora; we now want to include it by default - # so that the MCO can use it by default and not trip over SELinux issues trying - # to create it. - - | - #!/usr/bin/bash - set -euo pipefail - mkdir -p /etc/yum.repos.d - - # If there *are* repos built-in (e.g. c9s), disable them. 
- # We need to work in disconnected environments by default, and default-enabled - # repos will be attempted to be fetched by rpm-ostree when doing node-local - # kernel overrides today for e.g. kernel-rt. - for x in $(find /etc/yum.repos.d/ -name '*.repo'); do - # ignore repo files that are mountpoints since they're likely secrets - if ! mountpoint "$x"; then - sed -i -e 's/enabled\s*=\s*1/enabled=0/g' $x - fi - done - - # These enable librhsm which enables host subscriptions to work in containers - # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30 - - | - #!/usr/bin/bash - set -euo pipefail - ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host - ln -sr /run/secrets/rhsm /etc/rhsm-host - - - | - #!/usr/bin/env bash - set -xeuo pipefail - # manually modify SELinux booleans that are needed for OCP use cases - semanage boolean --modify --on container_use_cephfs # RHBZ#1694045 - semanage boolean --modify --on virt_use_samba # RHBZ#1754825 - - # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812 - # https://bugzilla.redhat.com/show_bug.cgi?id=1796537 - - | - #!/usr/bin/bash - mkdir -p /usr/share/containers/oci/hooks.d - - - | - #!/usr/bin/env bash - set -xeuo pipefail - # crio should stop hardcoding things in their config file! - # We are apparently somehow pulling in a conmon override in RHCOS - # that contains /usr/libexec/crio/conmon - WHY? - # sed -i '/conmon.*=/d' /etc/crio/crio.conf - # Oh right but the MCO overrides that too so... 
- mkdir -p /usr/libexec/crio - ln -sr /usr/bin/conmon /usr/libexec/crio/conmon - - # Inject OpenShift-specific release fields - - | - #!/usr/bin/env bash - set -xeuo pipefail - cat >> /usr/lib/os-release < /etc/motd < /usr/lib/tmpfiles.d/openshift.conf << EOF - L /opt/cni - - - - ../../usr/lib/opt/cni - d /var/lib/cni 0755 root root - - - d /var/lib/cni/bin 0755 root root - - - d /var/lib/containers 0755 root root - - - d /var/lib/openvswitch 0755 root root - - - d /var/lib/openvswitch/pki 0755 root root - - - d /var/log/openvswitch 0750 openvswitch hugetlbfs - - - d /var/lib/unbound 0755 unbound unbound - - - EOF - fi