sysext: add built-in Incus sysext image

[tormath1]

In this PR, we add Incus support as opt-out built-in sysext.

Note for reviewers:

• Most of this PR is adding new packages into portage-stable
• One commit must be upstreamed: app-containers/incus: fix cross-compilation issue (app-containers/incus: fix cross-compilation issue gentoo/gentoo#42095)
• With this sysext, we're adding new groups and users - I tried to leverage userdb to dynamically load and unload those groups when we load and unload the sysext image (note: it seems a soft reboot might still be necessary)
• I have one concern for the static-libs useflag enabled for sys-libs/libcap as it seems we don't use this flag for the generic image but for the SDK - that said, the CI output does not show any change regarding the libcap.
• documentation: incus: initial documentation flatcar-website#423

How to use

(This is optional to use ZFS)

---
variant: flatcar
version: 1.1.0
storage:
  files:
    - path: /etc/flatcar/enabled-sysext.conf
      contents:
        inline: |
          incus
          zfs
  links:
    - path: /etc/extensions/docker-flatcar.raw
      target: /dev/null
      overwrite: true
    - path: /etc/extensions/containerd-flatcar.raw
      target: /dev/null
      overwrite: true

Once on the instance, you can use a preseed or follow the interactive incus admin init:

core@localhost ~ $ systemctl status incus
● incus.service - Incus - main daemon
     Loaded: loaded (/usr/lib/systemd/system/incus.service; indirect; preset: disabled)
     Active: active (running) since Thu 2025-05-15 07:54:30 UTC; 40s ago
...
core@localhost ~ $ incus admin init
core@localhost ~ $ incus launch images:ubuntu/22.04 ubuntu-01
Launching ubuntu-01
core@localhost ~ $ incus list
+-----------+---------+----------------------+------+-----------+-----------+
|   NAME    |  STATE  |         IPV4         | IPV6 |   TYPE    | SNAPSHOTS |
+-----------+---------+----------------------+------+-----------+-----------+
| ubuntu-01 | RUNNING | 10.126.29.162 (eth0) |      | CONTAINER | 0         |
+-----------+---------+----------------------+------+-----------+-----------+
core@localhost ~ $ incus exec ubuntu-01 cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
core@localhost ~ $ incus storage list
+---------+--------+-------------+---------+---------+
|  NAME   | DRIVER | DESCRIPTION | USED BY |  STATE  |
+---------+--------+-------------+---------+---------+
| default | zfs    |             | 3       | CREATED |
+---------+--------+-------------+---------+---------+
core@localhost ~ $ zpool list
NAME      SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
default  4.50G   264M  4.24G        -         -     1%     5%  1.00x    ONLINE  -

• CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/5981/cldsv/
• Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
• Add new packages to .github/workflows/portage-stable-packages-list
• rebase on Build ZFS sysext with each release #1742
• review downstream patch (tc-is-cross-compiler) + wait for Go1.21 upgrade (app-containers/incus: fix cross compilation issue gentoo/gentoo#36323)
• Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.
• Inspect USE flags

Closes: flatcar/Flatcar#1319

[github-actions]

Build action triggered: https://github.com/flatcar/scripts/actions/runs/9052482849

[krnowak]

This looks like a fix candidate for upstream, no?