buildah: [OSTree] Cannot build rootfs with Containerfile due to dangling files /etc/{hostname,hosts,resolv.conf}
Issue Description
One of the requirements for building an OSTree image is moving /etc to /usr/etc (see: https://ostree.readthedocs.io/en/stable/manual/adapting-existing/). However, this isn't possible in a single-stage build with a Containerfile, as seen here:
RUN mv /etc /usr/
RUN ls -l /etc
-rw-r--r-- 1 0 0 13 Sep 16 08:54 hostname
-rw-r--r-- 1 0 0 128 Sep 16 08:54 hosts
-rw-r--r-- 1 0 0 24 Sep 16 08:54 resolv.conf
These dangling files prevent $ ostree commit from deploying:
Deploying tree: Initializing deployment: Preparing /etc: Tree contains both /etc and /usr/etc
Furthermore they can’t be removed:
RUN rm -rf /etc
rm: cannot remove '/etc/hosts': Device or resource busy
rm: cannot remove '/etc/hostname': Device or resource busy
rm: cannot remove '/etc/resolv.conf': Device or resource busy
Disabling the network doesn't work around this either:
RUN --network=none mv /etc /usr/
Currently the only working workaround is to export rootfs/ and then modify it outside of the Containerfile, but ideally this shouldn't be needed, so that everything stays in one place (the Containerfile).
Steps to reproduce the issue
- Create a Containerfile with any distro as base, e.g.:
FROM fedora:latest
RUN rm -rf /etc
$ podman build -f Containerfile
Describe the results you received
Dangling files exist in /etc/{hostname,hosts,resolv.conf} after moving /etc to /usr/etc
Describe the results you expected
It should be possible to move contents of /etc to /usr/etc to comply with OSTree image requirements
podman info output
host:
  arch: amd64
  buildahVersion: 1.31.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.8-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: 00e08f4a9ca5420de733bf542b930ad58e1a7e7d'
  cpuUtilization:
    idlePercent: 99.89
    systemPercent: 0.08
    userPercent: 0.03
  cpus: 32
  databaseBackend: boltdb
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2026
  hostname: ostree
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.5.3-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 30800125952
  memTotal: 33651613696
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: /usr/lib/podman/netavark is owned by netavark 1.7.0-1
    path: /usr/lib/podman/netavark
    version: netavark 1.7.0
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.9-1
    path: /usr/bin/crun
    version: |-
      crun version 1.9
      commit: a538ac4ea1ff319bcfe2bf81cb5c6f687e2dc9d3
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.2-1
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 0h 22m 21.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 22
    paused: 0
    running: 0
    stopped: 22
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 20957446144
  graphRootUsed: 9738891264
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 71
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.6.2
  Built: 1693343961
  BuiltTime: Tue Aug 29 23:19:21 2023
  GitCommit: 5db42e86862ef42c59304c38aa583732fd80f178-dirty
  GoVersion: go1.21.0
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.2
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
Yes
Additional environment details
N/A
Additional information
N/A
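The report describes two separate conditions: the ostree deploy check that rejects a tree containing both /etc and /usr/etc, and the three files in /etc that survive `mv` and `rm -rf` because buildah bind-mounts hostname, hosts and resolv.conf into the build container, so they are mount points rather than ordinary files. As an added example (not code from the issue or from the buildah project), the POSIX shell functions below inspect an exported rootfs directory for the first condition and, for the second, list which entries under its /etc are mount points in the current mount namespace by reading /proc/self/mountinfo. The function names and the constructed rootfs in the demo are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the buildah issue or the project.

# check_etc_layout ROOTFS: ostree refuses to deploy a tree that carries both
# ROOTFS/etc and ROOTFS/usr/etc. Returns 0 when the layout is deployable.
check_etc_layout() {
    rootfs=$1
    if [ -d "$rootfs/etc" ] && [ -d "$rootfs/usr/etc" ]; then
        echo "Tree contains both /etc and /usr/etc" >&2
        return 1
    fi
    return 0
}

# list_etc_mountpoints ROOTFS: print entries under ROOTFS/etc that are mount
# points in this mount namespace (field 5 of /proc/self/mountinfo). Inside a
# RUN step these are the bind-mounted hostname/hosts/resolv.conf files that
# "rm -rf /etc" reports as "Device or resource busy". Prints nothing when
# /proc is unavailable (e.g. an exported rootfs inspected on another host).
list_etc_mountpoints() {
    rootfs=$1
    [ -r /proc/self/mountinfo ] || return 0
    awk -v prefix="$rootfs/etc/" 'index($5, prefix) == 1 { print $5 }' /proc/self/mountinfo
}

# leftover_etc_entries ROOTFS: count the entries still present directly under
# ROOTFS/etc (the "dangling files" from the report). Prints 0 when /etc is
# absent or empty.
leftover_etc_entries() {
    rootfs=$1
    [ -d "$rootfs/etc" ] || { echo 0; return 0; }
    find "$rootfs/etc" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# Demo on a constructed rootfs that mirrors the report: /etc has been moved to
# /usr/etc, but hostname, hosts and resolv.conf are still present in /etc.
demo_rootfs=$(mktemp -d)
mkdir -p "$demo_rootfs/etc" "$demo_rootfs/usr/etc"
for f in hostname hosts resolv.conf; do : > "$demo_rootfs/etc/$f"; done

if check_etc_layout "$demo_rootfs"; then
    echo "layout ok"
else
    echo "leftover entries in /etc: $(leftover_etc_entries "$demo_rootfs")"
    echo "mount points blocking removal (none in this plain directory):"
    list_etc_mountpoints "$demo_rootfs"
fi

# Outside the build container there are no bind mounts, so finishing the move
# succeeds and the ostree check passes.
rm -rf "$demo_rootfs/etc"
if check_etc_layout "$demo_rootfs"; then echo "layout ok after cleanup"; fi
rm -rf "$demo_rootfs"
```

Run it against the directory produced by exporting the build container's rootfs (the workaround the report already uses); a non-empty `list_etc_mountpoints` output when run inside a `RUN` step is the signature of the bind mounts that make `rm -rf /etc` fail there.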
About this issue
- State: closed
- Created 9 months ago
- Comments: 16 (9 by maintainers)
Commits related to this issue
- Add --no-hostname option to buildah containers Fixes: https://github.com/containers/buildah/issues/5093 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> — committed to rhatdan/buildah by rhatdan 8 months ago
- Add --no-hostname option to buildah containers Fixes: https://github.com/containers/buildah/issues/5093 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> — committed to rhatdan/buildah by rhatdan 8 months ago
Yes, I have no problem with adding an opt-in flag to make it work consistently. I have no idea how the flag parsing for single RUN instructions works, but adding it as a top-level option to podman build should be easy enough.
@Luap99 does it make sense to modify /etc/hostname with network=none is done?