Use systemd-nspawn instead of docker for image

Using systemd-nspawn gives us more flexibility in what hardware the
agent can see. With this setup, the network is not virtualized, and the
/dev inside the container looks nearly identical to the one in the host.

Also added RestartSec=30s to the unit file because without this, systemd
will respawn the agent every 100ms if it dies (say, because DHCP hasn't
completed yet). Since it retries a max of 5 times per 60s, unless the restart value is
set higher it will be marked 'failed' forever and not retry. Adding this prevents that.

Change-Id: Ic64ab4b0824595683e5428464512594dd90eed83

imagebuild/coreos/coreos-oem-inject.py

@@ -8,7 +8,7 @@ import tempfile
 import shutil
 from plumbum import local, cmd
 
-COREOS_VERSION="197.0.0"
+COREOS_VERSION="250.0.0"
 
 COREOS_ARCH="amd64-generic"
 COREOS_BASE_URL="http://storage.core-os.net/coreos/{}/{}".format(COREOS_ARCH, COREOS_VERSION)

imagebuild/coreos/oem/run.sh

@@ -20,13 +20,8 @@ fi
 
 chown -R core:core /home/core/.ssh/
 
-# We have to wait until docker is started to proceed
-# In a perfect world I'd use inotifywait, but that doesn't exist on coreos
-while [ ! -e /var/run/docker.sock ]; do
-  sleep 1;
-done
-
-docker import - oemdocker:latest < container.tar.gz
+mkdir -p /media/state/ironic-python-agent
+tar -x -C /media/state/ironic-python-agent -f container.tar.gz
 
 systemctl enable --runtime /usr/share/oem/system/*
 systemctl start ironic-python-agent.service

imagebuild/coreos/oem/system/ironic-python-agent.service

@@ -1,6 +1,7 @@
 [Service]
-ExecStart=/usr/bin/docker run -p 9999:9999 -privileged=true -v=/sys:/mnt/sys oemdocker /usr/local/bin/ironic-python-agent
+ExecStart=/usr/bin/systemd-nspawn -D /media/state/ironic-python-agent --share-system --capability=all --machine=ironic_python_agent --bind=/dev:/dev --bind=/dev/pts:/dev/pts --bind=/usr/share/oem:/mnt --user=root --keep-unit /usr/local/bin/ironic-python-agent
 Restart=always
+RestartSec=30s
 
 [Install]
 WantedBy=oem.target