osbuild/systemd-unit-create: fix DefaultDependencies option

[achilleas-k]

The original purpose of this PR was to make the DefaultDependencies option an optional property that defaults to 'true'. The original PR also had a small fix for the mountpoint creation service. While working on updating the previous PR, I found that the mountpoint creation service for ostree-based images needed more work, including additions to the osbuild stage that creates it.

Replaces #608.

Changes to the systemd unit:

• The unit must run after the ostree-remount.service.
• The unit must run before the .mount units for each mountpoint (needs new option in systemd stage).
• The chattr +i / command in ExecStartPost isn't run because RemainAfterExit is enabled, so the service doesn't "stop". RemainAfterExit should be disabled.
• Instead of checking for composefs by grepping a binary, perhaps it's more reliable to check for the symptom, the thing we want to toggle, with lsattr -ld / | grep -q Immutable.

The last item was abandoned because we don't have a clean way of toggling the immutable flag back on without communicating info from the Pre command to the Post command.

This PR also updates the mountpoint policy for ostree-based systems to disallow paths that are top-level symlinks on a booted system.

Requires osbuild/osbuild#1782

[achilleas-k]

This needs more work. The systemd service needs fixing both in the things it runs and its ordering.

[achilleas-k]

The systemd unit in its current form doesn't do what we want. We need to be very specific about unit ordering for the mkdir unit to work. See the top comment for a check list of changes.

There's a simple (ish) way to experiment with the problem this service is trying to solve.

1. Start an ostree container from CI (no need to build one):

podman run -d --rm -p42000:8080 registry.gitlab.com/redhat/services/products/image-builder/ci/images/rhel_9.4-x86_64-edge_container-empty:build-9018cfd56ba5f3b94ed50834e0ad64813704ed0be353abaeff95b18f5aa0b453

2. Write this config.json (with your own ssh key and/or password):

{
  "name": "ostree-filesystem-customizations-42000",
  "blueprint": {
    "customizations": {
      "user": [
        {
          "name": "root",
          "key": "<SSHKEY>",
          "password": "<PASSWORD>"
        }
      ],
      "filesystem": [
        {
          "mountpoint": "/data",
          "minsize": 2147483648
        },
        {
          "mountpoint": "/data/secondary",
          "minsize": 2147483648
        },
        {
          "mountpoint": "/stuff",
          "minsize": 2147483648
        },
        {
          "mountpoint": "/var/mydata",
          "minsize": 1073741824
        }
      ]
    }
  },
  "options": {
    "ostree": {
      "ref": "rhel/9/x86_64/edge",
      "url": "http://127.0.0.1:42000/repo"
    }
  }
}

3. Build an edge-raw image:

go build -o bin/build ./cmd/build && sudo ./bin/build --distro rhel-9.4 --image edge-raw --config ./config.json --output whatever

4. Boot the image, ssh in, and break it

systemctl disable osbuild-ostree-mountpoints.service
chattr -i /
rmdir /stuff
chattr +i /
reboot

With the service disabled, the mount should fail on boot.

If the service looks like this though, everything should work (you can just plop it down in /etc/systemd/system/mountpoints.service and enable it):

[Unit]
Description=Ensure custom filesystem mountpoints exist
DefaultDependencies=False
After=ostree-remount.service
Before=stuff.mount
Before=data.mount
Before=var-mydata.mount

[Service]
Type=oneshot
RemainAfterExit=False
ExecStartPre=chattr -i /
ExecStartPre=ls -l /
ExecStopPost=chattr +i /
ExecStart=mkdir -pv /stuff /data /data/secondary /var/mydata

[Install]
WantedBy=sysinit.target

[mvo5]

Thank you! This is very nice! Some quick drive-by feedback, I wanted to go full-review but only managed the first few lines and then got distracted. Feel free to ignore, it's mostly rambling.

[mvo5]

Thank you!