Add Podman v5 breaking changes checks

Podman 5 will come with breaking changes affecting upgradability. CGroups v1 environments will be required to switch to CGroups v2 and CNI plugin environemnts will need to switch to netavark. Updated the existing cgroups-version check and added the check for CNI networking
coreos · Feb 14, 2024 · 9026b5b · 9026b5b
1 parent 6f073a2
commit 9026b5b
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 9 deletions.
diff --git a/manifests/fedora-coreos.yaml b/manifests/fedora-coreos.yaml
@@ -36,6 +36,7 @@ conditional-include:
 
 ostree-layers:
   - overlay/15fcos
+  - overlay/14container
 
 automatic-version-prefix: "${releasever}.<date:%Y%m%d>.dev"
 mutate-os-release: "${releasever}"

diff --git a/overlay.d/14container/usr/lib/systemd/system-preset/14-fcos.preset b/overlay.d/14container/usr/lib/systemd/system-preset/14-fcos.preset
@@ -0,0 +1 @@
+enable coreos-cni-networking-check.service
diff --git a/overlay.d/14container/usr/lib/systemd/system/coreos-cni-networking-check.service b/overlay.d/14container/usr/lib/systemd/system/coreos-cni-networking-check.service
@@ -0,0 +1,11 @@
+# This service checks if the system nodes are still using
+# CNI networking. If so, they will be warned to move
+# their nodes to netavark respectively.
+[Unit]
+Description=Check if nodes are still using CNI networking
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-cni-networking-check
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
diff --git a/overlay.d/14container/usr/libexec/coreos-cni-networking-check b/overlay.d/14container/usr/libexec/coreos-cni-networking-check
@@ -0,0 +1,30 @@
+#!/usr/bin/bash
+# Podman is dropping support for CNI networking.
+# Podman 5 changes: https://fedoraproject.org/wiki/Changes/Podman5
+# This script checks if the system nodes are still using CNI
+# networking. If so, they will warned to move their nodes to netavark.
+
+# Change the output color to yellow
+warn=$(echo -e '\033[0;33m')
+# No color
+nc=$(echo -e '\033[0m')
+
+# Podman supports two network backends Netavark and CNI.
+# Netavark is the default network backend and was added in
+# Podman version 4.0. CNI is deprecated and is removed
+# in Podman version 5.0, in preference of Netavark.
+podmanBackend=$(podman info --format "{{.Host.NetworkBackend}}")
+
+if [[ $podmanBackend != "netavark" ]]; then
+ motd_path=/run/motd.d/35_cni_warning.motd
+
+ cat << EOF > "${motd_path}"
+${warn}
+###########################################################################
+WARNING: This system is using CNI networking. CNI is deprecated and will be
+removed in the upcoming Podman v5.0, in preference of netavark. To switch
+from CNI networking to netavark, you must run 'podman system reset --force'
+command. This will delete all of your images, containers, and custom networks.
+${nc}
+EOF
+fi
diff --git a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
@@ -1,5 +1,5 @@
 enable coreos-check-ssh-keys.service
 # Check if cgroupsv1 is still being used
-enable coreos-check-cgroups.service
+enable coreos-check-cgroups-version.service
 # https://fedoraproject.org/wiki/Changes/EnableFwupdRefreshByDefault
 enable fwupd-refresh.timer
diff --git a/...stemd/system/coreos-check-cgroups.service → ...stem/coreos-check-cgroups-version.service b/...stemd/system/coreos-check-cgroups.service → ...stem/coreos-check-cgroups-version.service
@@ -5,7 +5,7 @@ Description=Check if cgroupsv1 Is Still Being Used
 ConditionControlGroupController=v1
 [Service]
 Type=oneshot
-ExecStart=/usr/libexec/coreos-check-cgroups
+ExecStart=/usr/libexec/coreos-check-cgroups-version
 RemainAfterExit=yes
 [Install]
 WantedBy=multi-user.target
diff --git a/...d/15fcos/usr/libexec/coreos-check-cgroups → .../usr/libexec/coreos-check-cgroups-version b/...d/15fcos/usr/libexec/coreos-check-cgroups → .../usr/libexec/coreos-check-cgroups-version
@@ -11,15 +11,14 @@ motd_path=/run/motd.d/30_cgroupsv1_warning.motd
 
 cat << EOF > "${motd_path}"
 ${warn}
-############################################################################
-WARNING: This system is using cgroups v1. For increased reliability
-it is strongly recommended to migrate this system and your workloads
-to use cgroups v2. For instructions on how to adjust kernel arguments
-to use cgroups v2, see:
+##########################################################################
+WARNING: This system is using cgroups v1. Podman has dropped support for
+cgroups v1. Move your nodes to cgroups v2 if not already. For instructions
+on how to adjust kernel arguments to use cgroups v2, see:
 https://docs.fedoraproject.org/en-US/fedora-coreos/kernel-args/
 
 To disable this warning, use:
-sudo systemctl disable coreos-check-cgroups.service
-############################################################################
+sudo systemctl disable coreos-check-cgroups-version.service
+###########################################################################
 ${nc}
 EOF