If the `prepare-root.conf` file contains:
```
[etc]
transient=yes
```
Then during prepare-root, an overlayfs is mounted as /etc, with the
upper dir being in /run. If composefs is used, the lower dir is
`usr/etc` from the composefs image, or it is the deployed
`$deploydir/usr/etc`.
Note that for this to work with selinux, the commit must have been
built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise
the lowerdir (/usr/etc) will have the wrong selinux contexts for the
final location of the mount (/etc).
We also set the transient-etc key in the ostree-booted file, pointing it
to the directory that is used for the overlayfs.
There is some additional work happening in ostree-remount, mostly
related to selinux (as this needs to happen post selinux policy
load):
* Recent versions of selinux-policy have issues with the overlayfs
mount being kernel_t, and that is not allowed to manage files as
needed. This is fixed in
fedora-selinux/selinux-policy#1893
* Any /etc files created in the initramfs will not be labeled,
because the selinux policy has not been loaded. In addition, the
upper dir is on a tmpfs, and any manually set xattr-based selinux
labels on those are reset during policy load. To work around this
ostree-remount will relabel all files on /etc that have
corresponding files in overlayfs upper dir.
* During early boot, systemd mounts /run/machine-id on top of
/etc/machine-id (as /etc is readonly). Later during boot, when etc
is readwrite, systemd-machine-id-commit.service will remove the
mount and update the real file under it with the right content. To
ensure that this keeps working, we need to ensure that when we
relabel /etc/machine-id we relabel the real (covered) file, not the
temporary bind-mount.
* ostree-remount no longer needs to remount /etc read-only in the
transient-etc case.
Signed-off-by: Alexander Larsson <[email protected]>
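The flow the commit message describes, as an added shell example that is not ostree's own code: read `prepare-root.conf` for `[etc] transient=yes`, print the overlayfs mount prepare-root would perform (dry run, nothing is mounted), and list the `/etc` paths that have a counterpart in the upper dir, which is the set ostree-remount must relabel after policy load. The upper/work directory names under `/run`, the `/sysroot/ostree/deploy/.../usr/etc` deploy path and the sample files are assumptions and constructed data; only the config format comes from the commit message.

```shell
#!/bin/sh
# Added example, not ostree's own code. Directory names under /run and the
# deploy path below are assumptions; the [etc] transient=yes config format
# is the one described in the commit message.

# Succeed (exit 0) if prepare-root.conf enables a transient /etc:
# a "transient" key with value yes/true/1 inside the [etc] section.
etc_is_transient() {
    awk -F= '
        /^[ \t]*#/ { next }                           # skip comments
        /^[ \t]*\[/ {                                 # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        section == "etc" {
            k = $1; gsub(/[ \t]/, "", k)
            v = $2; gsub(/[ \t]/, "", v)
            if (k == "transient" && (v == "yes" || v == "true" || v == "1")) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Print the overlay mount prepare-root would perform (dry run only).
# $1: lower dir (usr/etc from the composefs image, or $deploydir/usr/etc)
# $2: runtime dir holding the upper dir (normally /run, a tmpfs)
transient_etc_mount_cmd() {
    lower=$1; run=$2
    upper="$run/ostree/transient-etc/upper"   # assumed location in /run
    work="$run/ostree/transient-etc/work"     # overlayfs requires a workdir on the same fs as upper
    echo "mount -t overlay overlay -o lowerdir=$lower,upperdir=$upper,workdir=$work /etc"
}

# List the /etc paths whose content lives in the upper dir: files created
# before policy load that ostree-remount has to relabel. /etc/machine-id
# would appear here too; the caller must relabel the covered file, not the
# /run/machine-id bind mount sitting on top of it.
transient_etc_relabel_list() {
    (cd "$1" && find . -type f) | sed 's|^\./|/etc/|' | sort
}

# Constructed sample: one config that enables transient /etc, one that does
# not, and an upper dir with two files "created in the initramfs".
demo=$(mktemp -d)
mkdir -p "$demo/upper/ssh"
printf '[etc]\ntransient=yes\n' > "$demo/prepare-root.conf"
printf '[etc]\ntransient=no\n'  > "$demo/prepare-root-off.conf"
: > "$demo/upper/hostname"
: > "$demo/upper/ssh/sshd_config"

if etc_is_transient "$demo/prepare-root.conf"; then
    # deploy path is a constructed placeholder
    transient_etc_mount_cmd /sysroot/ostree/deploy/example/deploy/DEPLOY_CHECKSUM.0/usr/etc /run
    transient_etc_relabel_list "$demo/upper"
fi
```

Run as root on a real system the printed `mount` line would create the overlay; here it is only echoed so the script can be run anywhere. The relabel list is computed from the upper dir rather than from `/etc` itself because only files the overlay has copied up or created can carry stale or missing labels; everything else still resolves to the lower dir, whose labels are correct only if the commit was built with `OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC`.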