install: Make some "lints" default fatal

[cgwalters]

TL;DR change bootc install to run bootc container lint --fatal-only before we start an install at all.

---

Our base image has an empty /var, and things like RPMs/debs that for legacy reasons write to /var/run will create it as a directory which will just break a lot of things, but often not totally fatally.

• https://issues.redhat.com/browse/RHEL-25756 (originally Fix for /var content (ostreedev PR #569) doesn't seem to be in the latest centos-bootc-dev base image CentOS/centos-bootc#140 )
• https://gitlab.com/fedora/bootc/base-images/-/issues/28 (e.g. Fedora's audit package has /var/run)

We added a lint against this in RUN bootc container lint but not many people know to use that yet.

Almost all of what we have as lints today should be fatal at install time by default. The only exception is usr/etc needs to be a soft, not hard error for compat today.

(Also we should warn client side too! But install time would help a lot for now)

[cgwalters]

Specifically related to /var/run, it'd also just paper over this entirely if we encouraged shipping that by default in the image, which is quite tempting to do.

But larger picture, we should also try to just convert all packages and other tools to stop using var/run.

[hanthor]

Oh I think the presence of multiple kernel/kmod versions isn't fatal in bootc lint but is fatal in bootc-image-builder

Nevermind I can't find the exact scenario in which something passes link but fails bootc update or bootc-image-builder. I will update when I find it

[cgwalters]

We definitely check for multiple kernels in bootc container lint already.