buildextend-metal: Make sysroot-ro an opt-in image.yaml parameter

See
coreos/fedora-coreos-tracker#343 (comment)
Basically we need to make raw `ostree` operations work and not
just `ostree admin`.

src/cmd-buildextend-metal

@@ -181,6 +181,11 @@ fi
 
 disk_args=()
 
+sysroot_ro="$(python3 -c 'import sys, yaml; v=yaml.safe_load(sys.stdin).get("sysroot-ro", False); print("1" if v else "")' < "$configdir/image.yaml")"
+if [ -n "${sysroot_ro}" ]; then
+    disk_args+=("--sysroot-ro")
+fi
+
 set -x
 # Extract the target kernel config, which may inform how we build disks.
 target_moduledir=$(ostree --repo="${ostree_repo}" ls "${commit}" /usr/lib/modules | grep -o '/usr/lib/modules/.*')

src/create_disk.sh

@@ -29,6 +29,7 @@ Options:
     --save-var-subdirs: "yes" to workaround selabel issue for RHCOS
     --rootfs-size: Create the root filesystem with specified size
     --boot-verity: Provide this to enable ext4 fs-verity for /boot
+    --sysroot-ro: Enable read-only /sysroot
     --rootfs: xfs|ext4verity|luks
 
 You probably don't want to run this script by hand. This script is
@@ -38,6 +39,7 @@ EOC
 
 rootfs_size="0"
 boot_verity=0
+sysroot_ro=0
 rootfs_type="xfs"
 extrakargs=""
 
@@ -58,6 +60,7 @@ do
         --save-var-subdirs) save_var_subdirs="${1}"; shift;;
         --rootfs-size)      rootfs_size="${1}"; shift;;
         --boot-verity)      boot_verity=1;;
+        --sysroot-ro)       sysroot_ro=1;;
         --rootfs)           rootfs_type="${1}" shift;;
          *) echo "${flag} is not understood."; usage; exit 10;;
          --) break;
@@ -396,7 +399,9 @@ esac
 ostree config --repo $rootfs/ostree/repo set sysroot.bootloader "${bootloader_backend}"
 # Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA
 # https://github.com/ostreedev/ostree/issues/1265
-ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
+if [ "${sysroot_ro}" = 1 ]; then
+    ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
+fi
 
 touch $rootfs/boot/ignition.firstboot