Ensure salt-minion never starts by setting invoke-rc.d policy using

the /usr/sbin/policy-rc.d script and returning 101, per
https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt,
but only for the window while we're installing Salt.

This is a much more fool-proof method than what I was attempting
before. I hunted for how to do this before and clearly failed at my
Google-fu.

Fixes #5621

cluster/gce/configure-vm.sh

@@ -128,6 +128,19 @@ install-salt() {
   )
   URL_BASE="https://storage.googleapis.com/kubernetes-release/salt"
 
+  # Based on
+  # https://major.io/2014/06/26/install-debian-packages-without-starting-daemons/
+  # We do this to prevent Salt from starting the salt-minion
+  # daemon. The other packages don't have relevant daemons. (If you
+  # add a package that needs a daemon started, add it to a different
+  # list.)
+  cat > /usr/sbin/policy-rc.d <<EOF
+#!/bin/sh
+echo "Salt shall not start." >&2
+exit 101
+EOF
+  chmod 0755 /usr/sbin/policy-rc.d
+
   for tar in "${TARS[@]}"; do
     download-or-bust "${URL_BASE}/${tar}"
     dpkg -i "${tar}" || true
@@ -135,19 +148,19 @@ install-salt() {
 
   # This will install any of the unmet dependencies from above.
   apt-get install -f -y
+
+  rm /usr/sbin/policy-rc.d
 }
 
-# Ensure salt-minion *isn't* running
+# Ensure salt-minion never runs
 stop-salt-minion() {
   # This ensures it on next reboot
   echo manual > /etc/init/salt-minion.override
 
-  service salt-minion stop
-  while service salt-minion status >/dev/null; do
-    service salt-minion stop # No, really.
-    echo "Waiting for salt-minion to shut down"
-    sleep 1
-  done
+  if service salt-minion status >/dev/null; then
+    echo "salt-minion started in defiance of runlevel policy, aborting startup." >&2
+    return 1
+  fi
 }
 
 # Mounts a persistent disk (formatting if needed) to store the persistent data