[teleport-update] needrestart and systemd drop-in

[sclevine]

This PR sets the default needrestart configuration to disabled for the Teleport systemd service. This PR only affects Teleport when it is installed via the teleport-update command, and does not change the behavior of the teleport deb/rpm package.

needrestart is a Debian service that restarts services when their underlying libraries change. Networking services like Teleport are not always safe to restart during package upgrades, because they may disrupt connections. If needed, users may still opt-in to enable restarts for Teleport via dpkg (including interactive prompting). Internal link with more details.

This PR also adds a systemd drop-in that teleport-update can use to provide env vars to teleport. This will let teleport read agent group identifiers in the future. It's included here because the logic is very similar to the needrestart feature, and both features drove out some minor refactoring.

ubuntu@legendary-mite:~$ cat /etc/systemd/system/teleport.service.d/teleport-update.conf 
# teleport-update
# DO NOT EDIT THIS FILE
[Service]
Environment=TELEPORT_UPDATE_CONFIG_FILE=/opt/teleport/default/update.yaml

ubuntu@legendary-mite:~$ cat /etc/needrestart/conf.d/teleport-update.conf 
$nrconf{override_rc}{qr(^teleport\.service)} = 0;

---

The teleport-update binary will be used to enable, disable, and trigger automatic Teleport agent updates. The new auto-updates system manages a local installation of the cluster-specified version of Teleport stored in /opt/teleport.

RFD: #47126
Goal (internal): https://github.com/gravitational/cloud/issues/10289

[sclevine]

Reviews appreciated when anyone has an opportunity 🙂

[sclevine]

@codingllama @greedy52 @hugoShaka looking for another review when you have a chance 🙂

[hugoShaka]

We had an interesting discussion about what to do with needrestart and ended up with this solution. Could you summarize it in a comment somewhere in setup.go so we have a written trace about this decision and why we chose to opt-out instead of teaching needrestat to do soft reloads?

[sclevine]

summarize it in a comment somewhere in setup.go

👍 Great idea, will do.