overlay/mounts: Mount /boot and /boot/efi ro,nodev,nosuid

[cgwalters]

Ironically ostree has had support for a ro boot for a long time,
and only more recently did we land the sysroot readonly.

But we never actually went and made /boot ro for FCOS, so let's
do it now.

This was actually motivated by someone wanting to "security harden" RHCOS
running through a checklist saying certain mounts should be nodev.
Let's add nosuid while we're here.

[dustymabe]

should this go in a separate file?

[dustymabe]

i.e. a different test and maybe add some text about why we have this test

[cgwalters]

But then we end up booting a whole other VM for it.

[cgwalters]

(What we really want are nondestructive tests and teach kola to reuse existing VMs for them)

[dustymabe]

yeah ok that's a good reason to keep it in the same file. Can we add some text at the top about an RFE for nondestructive tests (open issue somewhere?) and then we can break these out once that is in place,

It would still be nice to have a comment at the top of this particular test you are adding about
# in coreos-boot-mount-generator we mount boot readonly, verify it is readonly.

[dustymabe]

If we mount boot read only we probably need to delete at least:

fedora-coreos-config/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-copy-firstboot-network/coreos-copy-firstboot-network.sh

Lines 60 to 63 in 49de0c7

	# If we make it to the realroot (successfully ran ignition) then
	# clean up the files in the firstboot network dir
	echo "R ${realroot_firstboot_network_dir} - - - - -" > \
	/run/tmpfiles.d/15-coreos-firstboot-network.conf

[cgwalters]

If we mount boot read only we probably need to delete at least:

Hmm; and have the files leak? We already have ignition-firstboot-complete.service which is remounting writable (privately/temporarily) too from the real root. Maybe we should coalesce the "clean up stuff from /boot" there.

[dustymabe]

Maybe we should coalesce the "clean up stuff from /boot" there.

SGTM

[cgwalters]

Closing in favor of #659