Defer reading prepare-root config when using `--source-imageref`
What is the purpose of this file and why does bootc need it?
It looks like it uses it to know whether to turn on fs-verity on the repo: https://github.com/bootc-dev/bootc/blob/5ed53c30f00f16b6330c8238a4966123d79f2f84/lib/src/install.rs#L684
But yeah, I think the main gap here is that one would expect that with --source-imgref, the prepare-root.conf to check comes from the target image and not the host environment. The problem of course is that at that point, the container image hasn't been pulled yet (because the filesystem we're pulling it into is still being initialized!).
So... one seemingly obvious fix here is to delay turning on fs-verity until after we deploy the container image? I think the main downside of that is that it's much more expensive because you now have a lot more objects to iterate over. It's the same amount of I/O (I think) total, but when done upfront it's amortized over the whole ostree import operation. And obviously, we could do this only in the --source-imgref case.
Originally posted by @jlebon in https://github.com/bootc-dev/bootc/discussions/1400#discussioncomment-13767156
A workaround for now is to just create the file; this won't correctly handle the fsverity enabled case, but I don't think that's critical.
I have created the empty file, but the end result is that I am then facing the next error, an SELinux one:
`Loading SELinux policy: SELinux enabled, but no policy found in root.`
I was wondering if this is not the result of the prepare-root.conf configuration missing or some other broken dependency on the Anaconda side, which is present in the container environment.
That's a different issue, I filed https://github.com/bootc-dev/bootc/issues/1438