As it turns out, KCL literally *compiles* a program from the KCL
sources. The program it creates needs to link with its runtime library,
`libkclvm_cli_cdylib.so`. The `kcl` command extracts this library,
along with a helper utility `kclvm_cli`, which performs the actual
compilation and linking. In a container, `/root/go` is probably mounted
read-only, so we need to extract these files ahead of time and put them
in another location, so the `kcl` command does not have to do it each
time it runs.

When `tmpl` substitutes the path of the generated file for `%s` in hook
commands, it uses the full path including the `destdir` prefix. Since
we're running `tmpl` inside a container, but `systemd-sysusers` outside
it (via `nsenter -t 1`), that path is not correct. Thus, we need to
explicitly pass the path as `systemd-sysusers` will see it.