flatcar-postinst: Ensure /etc/extensions is mergable

In Beta 3760.1.0 the /etc/extensions/ folder gets created by "mkdir -p"
because it does not exist in the lowerdir /usr/share/flatcar/etc/. This
causes the opaque marker to be set by overlayfs. The update to Alpha
thus does not merge the new /usr/share/flatcar/etc/extensions/ folder
with its docker/containerd sysext symlinks. We should have had
/etc/extensions/ in the lowerdir in Beta but didn't.

Ensure that the created folders are mergable by removing the overlayfs
marker. This is needed for existing installations and folders we expect
to exist in the lowerdir but were missing so far.

flatcar-postinst

@@ -217,6 +217,19 @@ for NAME in $(grep -h -o '^[^#]*' /etc/flatcar/enabled-sysext.conf /usr/share/fl
     mv  "/var/lib/update_engine/flatcar-${NAME}.raw" "/etc/flatcar/sysext/flatcar-${NAME}-${NEXT_VERSION}.raw"
 done
 
+# A mkdir -p /etc/extensions was done for the OEM sysext symlink when the /etc overlay
+# was already set up but we didn't ship /etc/extensions in the lowerdir. Since overlayfs
+# creates any folders that don't exist in the lowerdir as opaque it means that when
+# they appear later in the lowerdir through an update, the lowerdir folder is ignored.
+# That happened in the update from, e.g., 3760.1.0 to 3794.0.0 to where /etc/extensions
+# wasn't present in /usr/share/flatcar/etc/.
+# To fix this, remove any opaque markers for this directory. Other common folders which
+# we introduce later in the lowerdir could also be handled that way, e.g., /etc/cni/.
+mkdir -p /etc/extensions
+if mountpoint -q /etc; then
+  unshare -m sh -c "umount /etc && attr -R -r overlay.opaque /etc/extensions || true"
+fi
+
 # Keep old nodes on cgroup v1
 if [[ "${BUILD_ID}" != "dev-"* ]]; then
     if [ "${VERSION_ID%%.*}" -lt 2956 ]; then