composefs: Remove /etc/.updated on deployment initialization and finalization

ostree explicitly unlinks /etc/.updated (and /var/.updated) when
finalizing a new deployment so that systemd ConditionNeedsUpdate=|/etc
services like systemd-sysusers and systemd-tmpfiles always run on the
first boot of that deployment.

The native composefs path was missing this step.  initialize_state()
copies /etc from the container image with 'cp -a', which preserves any
/etc/.updated stamp from the build environment.  composefs_backend_finalize()
merges /etc into the staged deployment directory but similarly never removes
the stamp.

The consequence is that systemd sees /etc/.updated already present and
concludes /etc needs no update, causing sysusers (and tmpfiles) to be
skipped entirely on the first boot of an upgraded deployment.

Assisted-by: OpenCode (Claude Sonnet 4.6)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/lib/src/bootc_composefs/finalize.rs

@@ -118,6 +118,13 @@ pub(crate) async fn composefs_backend_finalize(
     let diff = compute_diff(&pristine_files, &current_files, &new_files)?;
     merge(&current_etc, &current_files, &new_etc, &new_files, &diff)?;
 
+    // Remove /etc/.updated from the new deployment so that ConditionNeedsUpdate=|/etc
+    // services (systemd-sysusers, systemd-tmpfiles) run on the first boot, mirroring
+    // what ostree does in sysroot_finalize_deployment.
+    new_etc
+        .remove_file_optional(".updated")
+        .context("Removing /etc/.updated from staged deployment")?;
+
     // Unmount EROFS
     drop(erofs_tmp_mnt);
 

crates/lib/src/bootc_composefs/state.rs

@@ -132,16 +132,27 @@ pub(crate) fn initialize_state(
             .run_capture_stderr()?;
     }
 
-    let cp_ret = Command::new("cp")
+    Command::new("cp")
         .args([
             "-a",
             "--remove-destination",
             &format!("{}/etc/.", tempdir.dir.path().as_str()?),
             &format!("{state_path}/etc/."),
         ])
-        .run_capture_stderr();
+        .run_capture_stderr()?;
+
+    // Remove /etc/.updated so that ConditionNeedsUpdate=|/etc services
+    // (e.g. systemd-sysusers, systemd-tmpfiles) run on the first boot of
+    // this deployment, mirroring what ostree does in sysroot_finalize_deployment.
+    // Without this, systemd sees /etc/.updated from the container image and
+    // concludes /etc is already up-to-date, causing sysusers to be skipped.
+    let state_etc = Dir::open_ambient_dir(format!("{state_path}/etc"), ambient_authority())
+        .context("Opening state etc dir")?;
+    state_etc
+        .remove_file_optional(".updated")
+        .context("Removing /etc/.updated")?;
 
-    cp_ret
+    Ok(())
 }
 
 /// Adds or updates the provided key/value pairs in the .origin file of the deployment pointed to