Support systemd-confext

[joelcapitao]

I recently moved my RaspberryPi 4 to FCOS. It was an enjoyable experience.
I managed to confine all my configuration (sysctl, rootless quadlets, etc) into a systemd-confext, which makes /etc to remain read-only.
Everything works fine except for two units:

Failed Units: 2
  console-login-helper-messages-gensnippet-ssh-keys.service
  coreos-ignition-write-issues.service

Those are not hard blockers.

These services attempt to write to /etc/issues.d to report issues, but since /etc is RO, they fail.
After some archaeology, I found out coreos/console-login-helper-messages#91 has already partially migrated the logic to write issues to/run/issue.d. However /etc/issues.d was kept to maintain compatibility with the default agetty configuration c.f: https://github.com/coreos/console-login-helper-messages/blob/70344cce1758730245cb46ca4d5bcdb56ff2f20e/usr/lib/console-login-helper-messages/issue.defs#L15-L17

Since then, the getty systemd service has been updated to source both locations:

$ systemctl cat getty@tty1.service | grep ExecStart=
ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}

Therefore, I believe we can now finalize the migration to /run/issue.d.

[jbtrystram]

Since then, the getty systemd service has been updated to source both locations:

$ systemctl cat getty@tty1.service | grep ExecStart=
ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}

Therefore, I believe we can now finalize the migration to /run/issue.d.

Let's check on RHEL 9 if that's also true and update if we can

[jbtrystram]

I am turning this issue into a tracker for the support of systemd-confext in fedora CoreOS.

This have been a side quest for me for a little while, so here is the current state of progress on this :

• We need to move some generated issues to /run because /etc is no longer writeable with a confext enabled : overlay/core: write ignition issues to /run fedora-coreos-config#4046
• CLHM need to do the same thing. This is done upstream but blocked by selinux poilcy right now, so not released yet:
  • Networkmanager: Allow NM to manage files under /run fedora-selinux/selinux-policy#3169
• There is also a pending PR for this in CLHM because i made a mistake at my previous attempt at this : Revert "remove tmpfile cleanup for issue files in /run" console-login-helper-messages#134

Finally, I opened a PR to add back-compat symlink in RHCOS because these changes will not work there : coreos/rhel-coreos-config#215