feat(container): add finalize-rootfs subcommand for building base images

Add bootc container finalize-rootfs and bootc container post-chroot-cleanup
subcommands that transform a dnf --installroot rootfs into a bootc-compatible
layout without requiring rpm-ostree.

Transforms: toplevel symlinks, /var->tmpfiles.d, rpmdb relocation, config
injection (prepare-root.conf, dracut.conf.d, kernel install.conf).

Validated end-to-end: Fedora 42 image boots to login in 41s, bootc status
works, reboot succeeds, 12/12 lint checks pass.

Signed-off-by: Andrew Dunn <andrew@dunn.dev>

Author: andrewdunndev

crates/lib/src/cli.rs

@@ -463,6 +463,35 @@ pub(crate) enum ContainerOpts {
         /// Path to the container filesystem root
         target: Utf8PathBuf,
     },
+    /// Transform a dnf --installroot rootfs into a bootc-compatible layout.
+    ///
+    /// Applies the filesystem transforms needed to make a plain rootfs
+    /// deployable by bootc: toplevel symlinks, /var->tmpfiles.d conversion,
+    /// rpmdb relocation, config injection (prepare-root.conf, dracut.conf.d,
+    /// kernel install.conf, etc.).
+    ///
+    /// After running this, run dracut and systemctl preset-all in a chroot,
+    /// then use post-chroot-cleanup to finalize.
+    FinalizeRootfs {
+        /// Path to the rootfs directory (from dnf --installroot)
+        rootfs: Utf8PathBuf,
+
+        /// Check mode: report what would change without modifying
+        #[clap(long)]
+        check: bool,
+    },
+    /// Clean up artifacts left by chroot operations after finalize-rootfs.
+    ///
+    /// Run this AFTER dracut, systemctl preset-all, and bootupd metadata
+    /// generation, and BEFORE building the OCI image.
+    PostChrootCleanup {
+        /// Path to the rootfs directory
+        rootfs: Utf8PathBuf,
+
+        /// Check mode: report what would change without modifying
+        #[clap(long)]
+        check: bool,
+    },
 }
 
 #[derive(Debug, Clone, ValueEnum, PartialEq, Eq)]
@@ -1712,6 +1741,12 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 )
                 .await
             }
+            ContainerOpts::FinalizeRootfs { rootfs, check } => {
+                crate::finalize_rootfs::finalize_rootfs(&rootfs, check)
+            }
+            ContainerOpts::PostChrootCleanup { rootfs, check } => {
+                crate::finalize_rootfs::post_chroot_cleanup(&rootfs, check)
+            }
         },
         Opt::Completion { shell } => {
             use clap_complete::aot::generate;