manifest: lock the root password for OSTreeDeployment

internal/manifest/commit_deployment.go

@@ -156,6 +156,17 @@ func (p *OSTreeDeployment) serialize() osbuild.Pipeline {
 	fstabStage.MountOSTree(p.osName, p.osTreeRef, 0)
 	pipeline.AddStage(fstabStage)
 
+	userOptions := &osbuild.UsersStageOptions{
+		Users: map[string]osbuild.UsersStageOptionsUser{
+			"root": {
+				Password: common.StringToPtr("!locked"), // this is treated as crypted and locks/disables the password
+			},
+		},
+	}
+	userStage := osbuild.NewUsersStage(userOptions)
+	userStage.MountOSTree(p.osName, p.osTreeRef, 0)
+	pipeline.AddStage(userStage)
+
 	if p.Keyboard != "" {
 		options := &osbuild.KeymapStageOptions{
 			Keymap: p.Keyboard,

test/data/manifests/fedora_35-aarch64-fedora_iot_raw_image-boot.json

@@ -1904,6 +1904,29 @@
               }
             ]
           },
+          {
+            "type": "org.osbuild.users",
+            "options": {
+              "users": {
+                "root": {
+                  "password": "!locked"
+                }
+              }
+            },
+            "mounts": [
+              {
+                "name": "ostree-test/fedora/iot",
+                "type": "org.osbuild.ostree.deployment",
+                "options": {
+                  "deployment": {
+                    "osname": "fedora-iot",
+                    "ref": "test/fedora/iot",
+                    "serial": 0
+                  }
+                }
+              }
+            ]
+          },
           {
             "type": "org.osbuild.keymap",
             "options": {

test/data/manifests/fedora_35-x86_64-fedora_iot_raw_image-boot.json

@@ -1928,6 +1928,29 @@
               }
             ]
           },
+          {
+            "type": "org.osbuild.users",
+            "options": {
+              "users": {
+                "root": {
+                  "password": "!locked"
+                }
+              }
+            },
+            "mounts": [
+              {
+                "name": "ostree-test/fedora/iot",
+                "type": "org.osbuild.ostree.deployment",
+                "options": {
+                  "deployment": {
+                    "osname": "fedora-iot",
+                    "ref": "test/fedora/iot",
+                    "serial": 0
+                  }
+                }
+              }
+            ]
+          },
           {
             "type": "org.osbuild.keymap",
             "options": {

test/data/manifests/fedora_36-aarch64-fedora_iot_raw_image-boot.json

@@ -2152,6 +2152,29 @@
               }
             ]
           },
+          {
+            "type": "org.osbuild.users",
+            "options": {
+              "users": {
+                "root": {
+                  "password": "!locked"
+                }
+              }
+            },
+            "mounts": [
+              {
+                "name": "ostree-test/fedora/iot",
+                "type": "org.osbuild.ostree.deployment",
+                "options": {
+                  "deployment": {
+                    "osname": "fedora-iot",
+                    "ref": "test/fedora/iot",
+                    "serial": 0
+                  }
+                }
+              }
+            ]
+          },
           {
             "type": "org.osbuild.keymap",
             "options": {

test/data/manifests/fedora_36-x86_64-fedora_iot_raw_image-boot.json

@@ -2176,6 +2176,29 @@
               }
             ]
           },
+          {
+            "type": "org.osbuild.users",
+            "options": {
+              "users": {
+                "root": {
+                  "password": "!locked"
+                }
+              }
+            },
+            "mounts": [
+              {
+                "name": "ostree-test/fedora/iot",
+                "type": "org.osbuild.ostree.deployment",
+                "options": {
+                  "deployment": {
+                    "osname": "fedora-iot",
+                    "ref": "test/fedora/iot",
+                    "serial": 0
+                  }
+                }
+              }
+            ]
+          },
           {
             "type": "org.osbuild.keymap",
             "options": {

test/data/manifests/fedora_37-aarch64-fedora_iot_raw_image-boot.json

@@ -2160,6 +2160,29 @@
               }
             ]
           },
+          {
+            "type": "org.osbuild.users",
+            "options": {
+              "users": {
+                "root": {
+                  "password": "!locked"
+                }
+              }
+            },
+            "mounts": [
+              {
+                "name": "ostree-test/fedora/iot",
+                "type": "org.osbuild.ostree.deployment",
+                "options": {
+                  "deployment": {
+                    "osname": "fedora-iot",
+                    "ref": "test/fedora/iot",
+                    "serial": 0
+                  }
+                }
+              }
+            ]
+          },
           {
             "type": "org.osbuild.keymap",
             "options": {

test/data/manifests/fedora_37-x86_64-fedora_iot_raw_image-boot.json

@@ -2184,6 +2184,29 @@
               }
             ]
           },
+          {
+            "type": "org.osbuild.users",
+            "options": {
+              "users": {
+                "root": {
+                  "password": "!locked"
+                }
+              }
+            },
+            "mounts": [
+              {
+                "name": "ostree-test/fedora/iot",
+                "type": "org.osbuild.ostree.deployment",
+                "options": {
+                  "deployment": {
+                    "osname": "fedora-iot",
+                    "ref": "test/fedora/iot",
+                    "serial": 0
+                  }
+                }
+              }
+            ]
+          },
           {
             "type": "org.osbuild.keymap",
             "options": {