Dear Gordon,

Why would you need to move the rpmdb? Users probably aren't
installing rpm packages in containers at run time (particularly if
/usr is read-only); installation typically happens when building the
container image, at which point /usr isn't read-only.

I do actually install RPM packages inside containers, but in my case
I'm using containers more as short-lived virtual machines for testing
than as a deployment mechanism. That said, I don't think that this
nullifies your point, as I'm not using a read-only /usr inside these
containers.

Best wishes,
Sebastian