diff --git a/dracut/50flatcar-network/afterburn-network-kargs.service b/dracut/50flatcar-network/afterburn-network-kargs.service
index 595e831..a382e59 100644
--- a/dracut/50flatcar-network/afterburn-network-kargs.service
+++ b/dracut/50flatcar-network/afterburn-network-kargs.service
@@ -11,7 +11,7 @@ PartOf=systemd-networkd.service
 ConditionKernelCommandLine=|coreos.oem.id=vmware
 ConditionKernelCommandLine=|flatcar.oem.id=vmware
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 # Flatcar: Load coreos-metadata binary
 Requires=sysusr-usr.mount
diff --git a/dracut/51diskless-generator/diskless-generator b/dracut/51diskless-generator/diskless-generator
index 7410702..d45bf8c 100755
--- a/dracut/51diskless-generator/diskless-generator
+++ b/dracut/51diskless-generator/diskless-generator
@@ -29,8 +29,6 @@ add_requires() {
     ln -sf "../${name}" "${requires_dir}/${name}"
 }
 
-# set to 1 to enable copying /oem from the initrd
-copy_oem=0
 # check both the new mount.usr and our old usr kernel options
 usr=$(cmdline_arg mount.usr "$(cmdline_arg usr)")
 root=$(cmdline_arg root)
@@ -39,7 +37,6 @@ rootflags=$(cmdline_arg rootflags)
 
 # If usr= was not specified and a squashfs is bundled in the initrd use it.
 if [[ -z "${usr}" && -f /usr.squashfs ]]; then
-    copy_oem=1
     add_requires sysroot-usr.mount
     cat >"${UNIT_DIR}/sysroot-usr.mount" <<EOF
 # Automatically generated by diskless-generator
@@ -57,6 +54,26 @@ What=/usr.squashfs
 Where=/sysroot/usr
 Type=squashfs
 EOF
+else
+    # When /usr is provided by the initrd, then OEM is a tmpfs. This is already
+    # mounted by minimal-init, so we don't need a unit in that case.
+    cat >"${UNIT_DIR}/oem.mount" <<EOF
+# Automatically generated by diskless-generator
+
+[Unit]
+# The default dependencies will mount this after local-fs-pre.target, but we
+# need to mount it before.
+DefaultDependencies=no
+# Add these lines that are normally added by default.
+Before=umount.target
+Conflicts=umount.target
+
+[Mount]
+What=/dev/disk/by-label/OEM
+Where=/oem
+Type=btrfs,ext4
+Options=nodev
+EOF
 fi
 
 # When root= and rootfstype= are unspecified mount it as a tmpfs
@@ -108,34 +125,3 @@ RemainAfterExit=yes
 ExecStart=/usr/lib/systemd/diskless-btrfs
 EOF
 fi
-
-# When /usr is provided by the initrd then OEM may be also, but as tmpfs.
-# The contents of /oem are copied into place by 99setup-root
-if [[ "${copy_oem}" -eq 1 ]]; then
-    add_requires sysroot-oem.mount
-    cat >"${UNIT_DIR}/sysroot-oem.mount" <<EOF
-# Automatically generated by diskless-generator
-
-[Unit]
-# This runs early for initrd-setup-root to populate it.
-# Ignition can mount something else on /oem still
-# if the user wants so.
-Before=initrd-root-fs.target
-
-[Mount]
-What=tmpfs
-Where=/sysroot/oem
-Type=tmpfs
-Options=size=0,mode=755
-EOF
-else
-    cat >"${UNIT_DIR}/sysroot-oem.mount" <<EOF
-# Automatically generated by diskless-generator
-# (Ignition's OEM mounting can also (de)activate the unit)
-[Mount]
-What=/dev/disk/by-label/OEM
-Where=/sysroot/oem
-Type=auto
-Options=nodev
-EOF
-fi
diff --git a/dracut/51diskless-generator/module-setup.sh b/dracut/51diskless-generator/module-setup.sh
index cbb8527..85820ba 100755
--- a/dracut/51diskless-generator/module-setup.sh
+++ b/dracut/51diskless-generator/module-setup.sh
@@ -12,4 +12,6 @@ install() {
     inst_simple "$moddir/diskless-btrfs" "$systemdutildir/diskless-btrfs"
     inst_simple "$moddir/diskless-generator" \
         "$systemdutildir/system-generators/diskless-generator"
+    inst_simple "$moddir/sysroot-oem.mount" \
+        "$systemdsystemunitdir/sysroot-oem.mount"
 }
diff --git a/dracut/51diskless-generator/sysroot-oem.mount b/dracut/51diskless-generator/sysroot-oem.mount
new file mode 100644
index 0000000..abe7b40
--- /dev/null
+++ b/dracut/51diskless-generator/sysroot-oem.mount
@@ -0,0 +1,8 @@
+[Unit]
+After=ignition-mount.service
+
+[Mount]
+What=/oem
+Where=/sysroot/oem
+Type=none
+Options=bind
diff --git a/dracut/53disk-uuid/disk-uuid.service b/dracut/53disk-uuid/disk-uuid.service
index aa14518..019d7c3 100644
--- a/dracut/53disk-uuid/disk-uuid.service
+++ b/dracut/53disk-uuid/disk-uuid.service
@@ -10,7 +10,7 @@ After=systemd-udevd.service dev-disk-by\x2dpartlabel-USR\x2dA.device
 
 # Run before services that use device nodes, preventing them from racing
 # with udev activity generated by sgdisk
-Before=ignition-setup.service ignition-disks.service verity-setup.service
+Before=ignition-disks.service verity-setup.service
 
 [Service]
 Type=oneshot
diff --git a/dracut/53ignition/flatcar-metadata-hostname.service b/dracut/53ignition/flatcar-metadata-hostname.service
index 0975e29..be75de1 100644
--- a/dracut/53ignition/flatcar-metadata-hostname.service
+++ b/dracut/53ignition/flatcar-metadata-hostname.service
@@ -40,7 +40,7 @@ ConditionKernelCommandLine=|flatcar.oem.id=proxmoxve
 ConditionKernelCommandLine=|flatcar.oem.id=scaleway
 
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 [Service]
 Type=oneshot
diff --git a/dracut/53ignition/ignition-complete.target b/dracut/53ignition/ignition-complete.target
index 686761e..84b0bdc 100644
--- a/dracut/53ignition/ignition-complete.target
+++ b/dracut/53ignition/ignition-complete.target
@@ -9,10 +9,10 @@ Documentation=https://github.com/coreos/ignition
 ConditionPathExists=/etc/initrd-release
 Before=initrd.target
 
-# Run the generic rootfs setup helpers
-Requires=initrd-setup-root.service initrd-setup-root-after-ignition.service
-After=initrd-setup-root.service initrd-setup-root-after-ignition.service
-
 # Make sure we stop all the units before switching root
 Conflicts=initrd-switch-root.target umount.target
 Conflicts=dracut-emergency.service emergency.service emergency.target
+
+# Run the generic rootfs setup helpers
+Requires=initrd-setup-root.service initrd-setup-root-after-ignition.service
+After=initrd-setup-root.service initrd-setup-root-after-ignition.service
diff --git a/dracut/53ignition/ignition-disks.service b/dracut/53ignition/ignition-disks.service
index 4e2b783..d3cea85 100644
--- a/dracut/53ignition/ignition-disks.service
+++ b/dracut/53ignition/ignition-disks.service
@@ -5,12 +5,6 @@ ConditionPathExists=/etc/initrd-release
 DefaultDependencies=false
 Before=ignition-complete.target
 
-# Flatcar:
-Requires=local-fs-pre.target
-Before=local-fs-pre.target
-Requires=ignition-setup.service
-After=ignition-setup.service
-
 # Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files.
 After=ignition-fetch.service
 Before=ignition-mount.service
@@ -28,14 +22,23 @@ Before=initrd-root-device.target
 Before=sysroot.mount
 
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 # This stage requires udevd to detect disk partitioning changes.
 Requires=systemd-udevd.service
 After=systemd-udevd.service
 
+# Flatcar:
+Requires=local-fs-pre.target
+Before=local-fs-pre.target
+Requires=ignition-setup-pre.service
+After=ignition-setup-pre.service
+RequiresMountsFor=/sysusr/usr/
+
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=/run/ignition.env
+# Flatcar: Unmount any disk-based OEM partition in case the Ignition config wants to wipe it.
+ExecStartPre=sh -c 'findmnt -t tmpfs /oem >/dev/null || systemctl stop oem.mount'
 ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=disks
diff --git a/dracut/53ignition/ignition-fetch-offline.service b/dracut/53ignition/ignition-fetch-offline.service
index 3a4b010..0c5beea 100644
--- a/dracut/53ignition/ignition-fetch-offline.service
+++ b/dracut/53ignition/ignition-fetch-offline.service
@@ -9,22 +9,22 @@ Documentation=https://github.com/coreos/ignition
 ConditionPathExists=/etc/initrd-release
 DefaultDependencies=false
 Before=ignition-complete.target
-# Flatcar:
-#After=basic.target
-Wants=sockets.target paths.target slices.target
-After=sockets.target paths.target slices.target
-
-# Flatcar:
-Requires=local-fs-pre.target
-Before=local-fs-pre.target
-Requires=ignition-setup.service
-After=ignition-setup.service
+#After=basic.target # Flatcar
 
 # Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files.
 Before=ignition-fetch.service
 
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
+
+# Flatcar:
+Wants=sockets.target paths.target slices.target
+After=sockets.target paths.target slices.target
+Requires=local-fs-pre.target
+Before=local-fs-pre.target
+Requires=ignition-setup-pre.service
+After=ignition-setup-pre.service
+RequiresMountsFor=/sysusr/usr/ /oem/
 
 [Service]
 Type=oneshot
diff --git a/dracut/53ignition/ignition-fetch.service b/dracut/53ignition/ignition-fetch.service
index 8adf32b..72b8349 100644
--- a/dracut/53ignition/ignition-fetch.service
+++ b/dracut/53ignition/ignition-fetch.service
@@ -4,8 +4,7 @@ Documentation=https://github.com/coreos/ignition
 ConditionPathExists=/etc/initrd-release
 DefaultDependencies=false
 Before=ignition-complete.target
-# Flatcar:
-#After=basic.target
+#After=basic.target # Flatcar
 ConditionPathExists=/run/ignition/neednet
 # Don't run if the `fetch-offline` stage successfully fetched a config
 ConditionPathExists=!/run/ignition.json
@@ -17,19 +16,19 @@ After=ignition-fetch-offline.service
 Before=ignition-disks.service
 
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 # If we run, we definitely need network, so make sure we run after.
 After=network.target
+
 # Flatcar:
-Wants=systemd-networkd.service
-After=systemd-networkd.service
-Wants=systemd-resolved.service
-After=systemd-resolved.service
+Wants=systemd-networkd.service systemd-resolved.service
+After=systemd-networkd.service systemd-resolved.service
 Requires=local-fs-pre.target
 Before=local-fs-pre.target
-Requires=ignition-setup.service
-After=ignition-setup.service
+Requires=ignition-setup-pre.service
+After=ignition-setup-pre.service
+RequiresMountsFor=/sysusr/usr/ /oem/
 
 [Service]
 Type=oneshot
diff --git a/dracut/53ignition/ignition-files.service b/dracut/53ignition/ignition-files.service
index b0c11b6..e511666 100644
--- a/dracut/53ignition/ignition-files.service
+++ b/dracut/53ignition/ignition-files.service
@@ -5,20 +5,8 @@ ConditionPathExists=/etc/initrd-release
 DefaultDependencies=false
 Before=ignition-complete.target
 
-# Flatcar:
-Requires=initrd-root-fs.target
-After=initrd-root-fs.target
-Requires=ignition-setup.service ignition-disks.service
-After=ignition-setup.service ignition-disks.service
-# setup the root filesystem before we try do things like create users on it.
-Requires=initrd-setup-root.service
-After=initrd-setup-root.service
-# Already mount the OEM partition here so that it works to write files
-# without having to declare it as initrd mount in Ignition
-RequiresMountsFor=/sysroot/usr/ /sysroot/oem/
-
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 # Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files.
 After=ignition-mount.service
@@ -26,10 +14,20 @@ After=ignition-mount.service
 # Run before initrd-parse-etc so that we can drop files it then picks up.
 Before=initrd-parse-etc.service
 
+# Flatcar:
+# setup the root filesystem before we try do things like create users on it.
+Requires=initrd-setup-root.service
+After=initrd-setup-root.service
+# Already mount the OEM partition here so that it works to write files
+# without having to declare it as initrd mount in Ignition
+RequiresMountsFor=/sysroot/usr/
+
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=/run/ignition.env
-# Flatcar: Make sure that the OEM mount point is there even if it shortly was away
+# Flatcar: Start the /sysroot/oem bind mount and its underlying /oem mount.
+# Don't use RequiresMountsFor for this because /oem may get unmounted earlier in
+# the same systemd transaction, preventing this unit from starting.
 ExecStartPre=-systemctl start sysroot-oem.mount
 ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=files --log-to-stdout
diff --git a/dracut/53ignition/ignition-generator b/dracut/53ignition/ignition-generator
index 9de35ed..7c613cc 100755
--- a/dracut/53ignition/ignition-generator
+++ b/dracut/53ignition/ignition-generator
@@ -82,22 +82,16 @@ else
     add_requires ignition-subsequent.target initrd.target
 fi
 
-# Write ignition-setup.service customized for PXE/ISO or regular boot
-pxe=
-nopxe=
-usr=$(cmdline_arg mount.usr "$(cmdline_arg usr)")
-if [[ -z "${usr}" && -f /usr.squashfs ]]; then
-    # PXE-booted system, with or without persistent root
-    # (see 10diskless-generator)
-    pxe=1
-else
-    nopxe=1
+# Do disk-based steps for non-PXE/ISO boot.
+if is-live-image; then
+    add_requires disk-uuid.service initrd.target
     if $(cmdline_bool flatcar.first_boot 0) || $(cmdline_bool coreos.first_boot 0); then
         add_requires ignition-diskful.target ignition-complete.target
     else
         add_requires ignition-diskful-subsequent.target ignition-subsequent.target
     fi
 fi
+
 cat > ${UNIT_DIR}/ignition-setup-pre.service <<EOF
 [Unit]
 Description=Ignition env setup
@@ -107,7 +101,7 @@ Requires=local-fs-pre.target
 Before=local-fs-pre.target
 
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 [Service]
 Type=oneshot
@@ -115,38 +109,6 @@ RemainAfterExit=yes
 ExecStart=/usr/sbin/ignition-setup-pre
 EOF
 
-cat > ${UNIT_DIR}/ignition-setup.service <<EOF
-[Unit]
-Description=Ignition (setup)
-DefaultDependencies=false
-
-# Flatcar: Load Ignition binary
-Requires=sysusr-usr.mount ignition-setup-pre.service
-After=sysusr-usr.mount ignition-setup-pre.service
-
-Requires=local-fs-pre.target
-Before=local-fs-pre.target
-
-# pull in OEM device if it should exist
-${nopxe:+Requires=dev-disk-by\x2dlabel-OEM.device
-After=dev-disk-by\x2dlabel-OEM.device}
-
-OnFailure=emergency.target
-OnFailureJobMode=isolate
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-MountFlags=slave
-ExecStart=/usr/sbin/ignition-setup ${nopxe:+normal} ${pxe:+pxe}
-EOF
-
-# Call the disk UUID randomizer whenever we're not PXE booting
-# The unit will check if it needs to act or not.
-if [ "${nopxe}" = 1 ]; then
-    add_requires "disk-uuid.service" initrd.target
-fi
-
 if [[ $(cmdline_arg flatcar.oem.id) == "digitalocean" ]] || [[ $(cmdline_arg coreos.oem.id) == "digitalocean" ]] || [[ $(cmdline_arg flatcar.oem.id) == "proxmoxve" ]]; then
     add_requires flatcar-afterburn-network.service initrd.target
 fi
diff --git a/dracut/53ignition/ignition-kargs-helper b/dracut/53ignition/ignition-kargs-helper
old mode 100644
new mode 100755
index 48f420f..01ae0f6
--- a/dracut/53ignition/ignition-kargs-helper
+++ b/dracut/53ignition/ignition-kargs-helper
@@ -4,19 +4,14 @@
 
 set -euxo pipefail
 
-# Handle PXE boots gracefully by not mounting any disk and instead error out early
-if [ "${OEM_ID}" = "pxe" ]; then
+# Bail out early when PXE booting. OEM is a tmpfs in this case, so a new
+# grub.cfg would be lost on reboot.
+if [[ ${OEM_ID} == pxe ]]; then
   echo "error: can't set kargs for PXE boots" >&2
   exit 1
 fi
 
-# Mount the OEM partition. Note that we mount but we don't unmount it because we
-# are run in a systemd unit with MountFlags=slave so it is unmounted for us.
-oemmnt=/mnt/oem_partition
-mkdir -p ${oemmnt}
-oemdev=/dev/disk/by-label/OEM
-mount -o rw ${oemdev} ${oemmnt}
-grubcfg="${oemmnt}/grub.cfg"
+grubcfg="/oem/grub.cfg"
 
 # Ensure that it exists before we read from it (needed for the generic Flatcar image), "touch" does not exist in initramfs
 true >> $grubcfg
diff --git a/dracut/53ignition/ignition-kargs.service b/dracut/53ignition/ignition-kargs.service
index fb15ec4..ebedeb9 100644
--- a/dracut/53ignition/ignition-kargs.service
+++ b/dracut/53ignition/ignition-kargs.service
@@ -8,14 +8,16 @@ Before=ignition-complete.target
 # Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files.
 After=ignition-fetch.service
 Before=ignition-disks.service
+
+OnFailure=emergency.target
+OnFailureJobMode=replace-irreversibly
+
 # Flatcar:
 Requires=local-fs-pre.target
 Before=local-fs-pre.target
-Requires=ignition-setup.service
-After=ignition-setup.service
-
-OnFailure=emergency.target
-OnFailureJobMode=isolate
+Requires=ignition-setup-pre.service
+After=ignition-setup-pre.service
+RequiresMountsFor=/sysusr/usr/ /oem/
 
 [Service]
 Type=oneshot
diff --git a/dracut/53ignition/ignition-mount.service b/dracut/53ignition/ignition-mount.service
index 5476dba..86a3410 100644
--- a/dracut/53ignition/ignition-mount.service
+++ b/dracut/53ignition/ignition-mount.service
@@ -22,7 +22,7 @@ Before=initrd-switch-root.target
 After=network.target
 
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 # Make sure the final /sysroot is ready first, since we're mounting under there
 Requires=initrd-root-fs.target
@@ -34,14 +34,15 @@ After=ignition-remount-sysroot.service
 # Flatcar:
 Requires=initrd-setup-root.service
 After=initrd-setup-root.service
-Requires=ignition-setup.service
-After=ignition-setup.service
+Requires=ignition-setup-pre.service
+After=ignition-setup-pre.service
+RequiresMountsFor=/sysusr/usr/
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=/run/ignition.env
-# Flatcar: Unmount any OEM mount in case the Ignition config has one defined
-ExecStartPre=/bin/bash -c 'if ! mount | grep -m 1 /sysroot/oem | grep tmpfs; then umount /sysroot/oem || true; fi'
+# Flatcar: Unmount any disk-based OEM partition in case the Ignition config wants to mount it.
+ExecStartPre=sh -c 'findmnt -t tmpfs /oem >/dev/null || systemctl stop oem.mount'
 ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=mount --log-to-stdout
 ExecStop=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=umount --log-to-stdout
diff --git a/dracut/53ignition/ignition-remount-sysroot.service b/dracut/53ignition/ignition-remount-sysroot.service
index f004d20..47759ac 100644
--- a/dracut/53ignition/ignition-remount-sysroot.service
+++ b/dracut/53ignition/ignition-remount-sysroot.service
@@ -9,7 +9,7 @@ DefaultDependencies=no
 Before=ignition-diskful.target
 
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 After=sysroot.mount
 ConditionPathIsReadWrite=!/sysroot
diff --git a/dracut/53ignition/ignition-setup.sh b/dracut/53ignition/ignition-setup.sh
deleted file mode 100755
index 93abb2e..0000000
--- a/dracut/53ignition/ignition-setup.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/bash
-# Set up /usr/lib/ignition, copying contents from /oem.
-
-set -e
-
-# remount read write for Ignition required steps
-mount -o remount,rw /usr
-# we run with MountFlags=slave, so the rw remount is not propagated outside the
-# unit - no need to remount ro or umount the OEM partition
-
-case "$1" in
-normal)
-    src=/mnt/oem
-    mkdir -p "${src}"
-    mount /dev/disk/by-label/OEM "${src}"
-    # Workaround, "chmod" is not available
-    cp -a /bin/cat /bin/is-live-image
-    printf '#!/bin/sh\nexit 1\n' > /bin/is-live-image
-    ;;
-pxe)
-    # OEM directory in the initramfs itself.
-    src=/oem
-    # Workaround, "chmod" is not available
-    cp -a /bin/cat /bin/is-live-image
-    printf '#!/bin/sh\nexit 0\n' > /bin/is-live-image
-    ;;
-*)
-    echo "Usage: $0 {normal|pxe}" >&2
-    exit 1
-esac
-
-dst=/usr/lib/ignition
-mkdir -p "${dst}/base.d"
-
-if [[ -e "${src}/base/base.ign" ]]; then
-        cp "${src}/base/base.ign" "${dst}/base.d/"
-fi
-if [[ -e "${src}/config.ign" ]]; then
-    cp "${src}/config.ign" "${dst}/user.ign"
-fi
diff --git a/dracut/53ignition/is-live-image.sh b/dracut/53ignition/is-live-image.sh
new file mode 100755
index 0000000..d7b8b64
--- /dev/null
+++ b/dracut/53ignition/is-live-image.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+re='\b(mount\.)?usr=\S'
+[[ $(< /proc/cmdline) =~ ${re} || ! -f /usr.squashfs ]]
diff --git a/dracut/53ignition/module-setup.sh b/dracut/53ignition/module-setup.sh
index 1c3e0d7..61f818a 100755
--- a/dracut/53ignition/module-setup.sh
+++ b/dracut/53ignition/module-setup.sh
@@ -72,10 +72,6 @@ install() {
     inst_script "$moddir/ignition-kargs-helper" \
         "/usr/sbin/ignition-kargs-helper"
 
-    # Flatcar: add ignition-setup
-    inst_script "$moddir/ignition-setup.sh" \
-        "/usr/sbin/ignition-setup"
-
     # Flatcar: add ignition-setup-pre
     inst_script "$moddir/ignition-setup-pre.sh" \
         "/usr/sbin/ignition-setup-pre"
@@ -92,6 +88,10 @@ install() {
     inst_script "$moddir/retry-umount.sh" \
         "/usr/sbin/retry-umount"
 
+    # Ignition calls is-live-image.
+    inst_script "$moddir/is-live-image.sh" \
+        /bin/is-live-image
+
     inst_simple "$moddir/ignition-generator" \
         "$systemdutildir/system-generators/ignition-generator"
 
@@ -169,6 +169,12 @@ EOF
     # Ensure /sysusr/usr is mounted before decrypting root.
     inst_simple "$moddir/sysusr-usr-revdeps.conf" \
         "$systemdsystemunitdir/systemd-cryptsetup@rootencrypted.service.d/sysusr-usr.conf"
+
+    # Ignition reads user.ign and base.d/* in /usr/lib/ignition by default, but
+    # our initrd is not writeable. Create symlinks pointing to /oem in advance.
+    mkdir -m0755 -p "${initdir}"/usr/lib/ignition
+    ln -snf /oem/config.ign "${initdir}"/usr/lib/ignition/user.ign
+    ln -snf /oem/base/ "${initdir}"/usr/lib/ignition/base.d
 }
 
 # See: https://github.com/coreos/ignition/commit/d304850c3d3696822bc05e0833ee4b27df9d7a38
diff --git a/dracut/55ca-certs/module-setup.sh b/dracut/55ca-certs/module-setup.sh
old mode 100644
new mode 100755
diff --git a/dracut/99dracut-root/parse-stub.sh b/dracut/99dracut-root/parse-stub.sh
old mode 100644
new mode 100755
diff --git a/dracut/99flatcar-debloat/module-setup.sh b/dracut/99flatcar-debloat/module-setup.sh
old mode 100644
new mode 100755
diff --git a/dracut/99setup-root/initrd-setup-root b/dracut/99setup-root/initrd-setup-root
index 1d68418..d028b33 100755
--- a/dracut/99setup-root/initrd-setup-root
+++ b/dracut/99setup-root/initrd-setup-root
@@ -174,8 +174,3 @@ SYSTEMD_IN_INITRD=0 systemd-confext --root=/sysroot status | grep flatcar-defaul
 # to have default files but then we need to reload for any user confexts
 # to be applied and we can later rely on the confext/sysext .services
 # for that while the above call is specific to Flatcar/Ignition.
-
-# PXE initrds may provide OEM.
-if [ -d /oem ] && mountpoint --quiet /sysroot/oem; then
-    cp -Ra /oem/. /sysroot/oem
-fi
diff --git a/dracut/99setup-root/initrd-setup-root-after-ignition.service b/dracut/99setup-root/initrd-setup-root-after-ignition.service
index 69039c0..59f4d59 100644
--- a/dracut/99setup-root/initrd-setup-root-after-ignition.service
+++ b/dracut/99setup-root/initrd-setup-root-after-ignition.service
@@ -1,15 +1,19 @@
 [Unit]
 Description=Root filesystem completion
 DefaultDependencies=no
-RequiresMountsFor=/sysroot/usr/ /sysroot/oem/
+RequiresMountsFor=/sysroot/usr/
 After=initrd-root-fs.target ignition-files.service initrd-setup-root.service
 Before=initrd-parse-etc.service
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
+# Flatcar: Start the /sysroot/oem bind mount and its underlying /oem mount.
+# Don't use RequiresMountsFor for this because /oem may get unmounted earlier in
+# the same systemd transaction, preventing this unit from starting.
+ExecStartPre=-systemctl start sysroot-oem.mount
 ExecStart=/sbin/initrd-setup-root-after-ignition
 
 [Install]
diff --git a/dracut/99setup-root/initrd-setup-root.service b/dracut/99setup-root/initrd-setup-root.service
index 374d112..a464e2f 100644
--- a/dracut/99setup-root/initrd-setup-root.service
+++ b/dracut/99setup-root/initrd-setup-root.service
@@ -5,7 +5,7 @@ RequiresMountsFor=/sysroot/usr/
 After=initrd-root-fs.target
 Before=initrd-parse-etc.service
 OnFailure=emergency.target
-OnFailureJobMode=isolate
+OnFailureJobMode=replace-irreversibly
 
 [Service]
 Type=oneshot
diff --git a/dracut/99switch-root/module-setup.sh b/dracut/99switch-root/module-setup.sh
old mode 100644
new mode 100755
diff --git a/minimal-init b/minimal-init
index 9a0652b..1145a2d 100755
--- a/minimal-init
+++ b/minimal-init
@@ -190,8 +190,10 @@ mount -t overlay -o rw,lowerdir=/underlay,upperdir=/work/realinit,workdir=/work/
 mkdir -p /realinit/sysusr/usr
 mount -o move /sysusr/usr /realinit/sysusr/usr
 if [ "${usr}" = /usr.squashfs ]; then
-  # Move either /oem (preferred) or /usr/share/oem (legacy) into the new root.
-  mv /oem /realinit || mv /usr/share/oem /realinit || true
+  mkdir -p /realinit/oem
+  mount -t tmpfs -o size=0,mode=755,nodev tmpfs /realinit/oem
+  # Copy /oem (preferred) or /usr/share/oem (legacy) into the new root.
+  cp -a /oem/. /realinit/oem || cp -a /usr/share/oem/. /realinit/oem || true
   mv /usr.squashfs /realinit
 fi
 debug_sh 4/4: before switch_root to /realinit