Seed /var behaviour and separate /var filesystems

[jlebon]

In https://github.com/ostreedev/ostree/pull/3166, we changed semantics to have /var be valid in an OSTree commit, which is then copied into the stateroot /var at deployment time.

However, if anyone is doing separate /var filesystems (or really, any subpath of /var which has seed content in the OSTree), the new /var will not hold that seed content.

It sounds like it would be more correct to make the /var seeding happen on first boot instead of at deployment time.

[cgwalters]

For things doing an install, they can ensure that /var is set up as the final mounted filesystem at installation time - this is how Anaconda works today.

However, if anyone is doing separate /var filesystems

Which gets to the point of how they're doing that separate /var - if it's done via a systemd .mount unit or /etc/fstab (especially in combination with e.g. x-systemd.makefs) then indeed they'd hit what you're talking about.

I'm OK doing this on firstboot, though I am a bit wary of latency (especially on systems without reflinks).

From an implementation perspective...I think we'd need to run very early, Before=systemd-tmpfiles.service too? And I think only execute ConditionDirectoryNotEmpty=!/var (i.e. ConditionDirectoryEmpty=/var).