during offline updates we run in a minimal system with few services started
and we do actually not want to start any additional services. because of
the minimal nature this may also result in services timing out as they
won't be able to bind network interfaces or for any other reason really.
to that end prevent any services from even attempting to start by
installing a policy-rc.d. this will prevent offline updates from getting
stuck for 90 or so seconds until a service may decide to fail starting.
system-update.target wants a special helper which binds our policy-rc.d
into place, default.target may clean up an empty policy-rc.d if
should the user have a policy-rc.d we'll not destroy it, and thanks
to the bind mount our override will not persist across the reboot out of
system-update.target. the ultimate target is an ephemeral policy-rc.d.