tier-0: enable kernel-install cliwrap

[jlebon]

Until the native kernel-install is OSTree and container aware[1], we need to have a custom kernel-install for kernel replacements to work in a derived build.

This will make it so that users don't have to first install the wrappers themselves in their Containerfiles[2].

The caveat with this is that if anywhere in the derivation, systemd is updated, the update will retake ownership of /usr/bin/kernel-install, which means that a further kernel replacement down the derivation chain would hit issues. We can document that. This still seems worth the UX improvement in the common case.

[jlebon]

Came out of discussions in coreos/fedora-coreos-config#2887.

[cgwalters]

I think this makes sense, but it would also mean we can't do #314

[jlebon]

But note we basically need this cliwrap today for kernel replacements to work. This PR is just moving it from Containerfile-time to compose-time to make the UX a little less awkward. IOW, if we want kernel replacements to keep working, then we have to gate #314 on coreos/rpm-ostree#4726.

[jlebon]

IOW, if we want kernel replacements to keep working, then we have to gate #314 on coreos/rpm-ostree#4726.

Well, that's not quite true. You could probably still technically replace the kernel in a base image without rpm-ostree by doing e.g.

RUN dnf install -y rpm-ostree && rpm-ostree cliwrap install-to-root /
RUN dnf install -y kernel.rpm
RUN dnf remove -y rpm-ostree

Though it would leak the wrappers into the image.

Anyway, this is all just trying to make the short-term better. Cool to just stick with the status quo until we have the proper fix. Mostly did it to match the proposal in coreos/fedora-coreos-config#2887.

[shi2wei3]

I failed to install a new kernel on bootc image with dnf install -y kernel.rpm, does the only way to install a new kernel is through rpm-ostree override replace?

STEP 3/5: COPY kernel /kernel
--> Using cache e350b8b4c6f90537e928f2b12a3d761a13adf27f06195f78decbdc08ea141160
--> e350b8b4c6f9
STEP 4/5: RUN rpm-ostree cliwrap install-to-root /
Successfully enabled cliwrap for /
--> edda3320a3a4
STEP 5/5: RUN dnf install -y /kernel/kernel-*
Note: This system is image (rpm-ostree) based.
...
...
...
Resolving dependencies...done
error: Could not depsolve transaction; 4 problems detected:
 Problem 1: cannot install both kernel-core-5.14.0-443.el9.x86_64 from @commandline and kernel-core-5.14.0-427.13.1.el9_4.x86_64 from @System
  - conflicting requests
 Problem 2: cannot install both kernel-modules-core-5.14.0-443.el9.x86_64 from @commandline and kernel-modules-core-5.14.0-427.13.1.el9_4.x86_64 from @System
  - conflicting requests
 Problem 3: cannot install both kernel-modules-5.14.0-443.el9.x86_64 from @commandline and kernel-modules-5.14.0-427.13.1.el9_4.x86_64 from @System
  - conflicting requests
 Problem 4: cannot install both kernel-5.14.0-443.el9.x86_64 from @commandline and kernel-5.14.0-427.13.1.el9_4.x86_64 from @System
  - conflicting requests
Error: building at STEP "RUN dnf install -y /kernel/kernel-*": while running runtime: exit status 1