Freeipa-client OCI install vs layered package install


I am attempting to build my own custom silverblue image and I have found that when I install the freeipa-client package in the image like:

RUN setsebool -P -N use_nfs_home_dirs=1 && \
    rpm-ostree override remove nano-default-editor && \
    rpm-ostree install freeipa-client clevis clevis-dracut clevis-udisks2 nmap-ncat openssh-askpass rclone tor \
    vim vim-default-editor xorg-x11-drv-amdgpu vulkan-tools mesa-vulkan-drivers && \
    ostree container commit

After rebasing to my newly built image and rebooting when trying to setup the freeipa client it errors like:

[root@mine ~]# ipa-client-install --mkhomedir
This program will set up IPA client.
Version 4.10.1

DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: freeipa.example
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: 
Client hostname: mine.example
DNS Domain: freeipa.example
IPA Server: master.freeipa.example
BaseDN: dc=freeipa,dc=example

Continue to configure the system with these values? [no]: yes
[Errno 2] No such file or directory: '/var/lib/ipa-client/sysrestore/sysrestore.state'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

However if I layer the package in a normal install using an rpm-ostree install freeipa-client then reboot, I am able to successfully setup the freeia-client.

How can I incorporate the freeipa-client into my custom silverblue image?

It looks as if when using layering in an OCI container the directory /var/lib/ipa-client/sysrestore/ is not present and this is causing the ipa-client-install --mkhomedir to fail.

Perhaps this is a bug with the ostree native container layering?