From 9026b5b3e7443bd520dd6645a54ee1dc2d6a8ff4 Mon Sep 17 00:00:00 2001 From: gursewak1997 Date: Tue, 23 Jan 2024 16:57:20 -0800 Subject: [PATCH] Add Podman v5 breaking changes checks Podman 5 will come with breaking changes affecting upgradability. CGroups v1 environments will be required to switch to CGroups v2 and CNI plugin environemnts will need to switch to netavark. Updated the existing cgroups-version check and added the check for CNI networking --- manifests/fedora-coreos.yaml | 1 + .../lib/systemd/system-preset/14-fcos.preset | 1 + .../coreos-cni-networking-check.service | 11 +++++++ .../usr/libexec/coreos-cni-networking-check | 30 +++++++++++++++++++ .../lib/systemd/system-preset/45-fcos.preset | 2 +- ...e => coreos-check-cgroups-version.service} | 2 +- ...k-cgroups => coreos-check-cgroups-version} | 13 ++++---- 7 files changed, 51 insertions(+), 9 deletions(-) create mode 100644 overlay.d/14container/usr/lib/systemd/system-preset/14-fcos.preset create mode 100644 overlay.d/14container/usr/lib/systemd/system/coreos-cni-networking-check.service create mode 100755 overlay.d/14container/usr/libexec/coreos-cni-networking-check rename overlay.d/15fcos/usr/lib/systemd/system/{coreos-check-cgroups.service => coreos-check-cgroups-version.service} (83%) rename overlay.d/15fcos/usr/libexec/{coreos-check-cgroups => coreos-check-cgroups-version} (63%) diff --git a/manifests/fedora-coreos.yaml b/manifests/fedora-coreos.yaml index edd8679cb9..c40a8c2af0 100644 --- a/manifests/fedora-coreos.yaml +++ b/manifests/fedora-coreos.yaml @@ -36,6 +36,7 @@ conditional-include: ostree-layers: - overlay/15fcos + - overlay/14container automatic-version-prefix: "${releasever}..dev" mutate-os-release: "${releasever}" diff --git a/overlay.d/14container/usr/lib/systemd/system-preset/14-fcos.preset b/overlay.d/14container/usr/lib/systemd/system-preset/14-fcos.preset new file mode 100644 index 0000000000..28f419bc04 --- /dev/null 
+++ b/overlay.d/14container/usr/lib/systemd/system-preset/14-fcos.preset
@@ -0,0 +1 @@
+enable coreos-cni-networking-check.service
diff --git a/overlay.d/14container/usr/lib/systemd/system/coreos-cni-networking-check.service b/overlay.d/14container/usr/lib/systemd/system/coreos-cni-networking-check.service
new file mode 100644
index 0000000000..2b243e8cc1
--- /dev/null
+++ b/overlay.d/14container/usr/lib/systemd/system/coreos-cni-networking-check.service
@@ -0,0 +1,11 @@
+# This service checks if the system nodes are still using
+# CNI networking. If so, they will be warned to move
+# their nodes to netavark respectively.
+[Unit]
+Description=Check if nodes are still using CNI networking
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-cni-networking-check
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
diff --git a/overlay.d/14container/usr/libexec/coreos-cni-networking-check b/overlay.d/14container/usr/libexec/coreos-cni-networking-check
new file mode 100755
index 0000000000..cb62266605
--- /dev/null
+++ b/overlay.d/14container/usr/libexec/coreos-cni-networking-check
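Review bot: Nothing gates coreos-cni-networking-check.service, so it starts `podman info` as root on every boot of every node, whereas the sibling cgroups unit in this patch is skipped by `ConditionControlGroupController=v1` when it does not apply. The header comment should also state the scope of the check: the unit sets no `User=`, so presumably only the rootful Podman configuration is inspected and rootless stores are not covered. A wording such as `# Only the system (root) Podman configuration is checked; per-user stores are not inspected.` would do, with the stray "respectively" dropped from the third comment line.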
@@ -0,0 +1,30 @@
+#!/usr/bin/bash
+# Podman is dropping support for CNI networking.
+# Podman 5 changes: https://fedoraproject.org/wiki/Changes/Podman5
+# This script checks if the system nodes are still using CNI
+# networking. If so, they will warned to move their nodes to netavark.
+
+# Change the output color to yellow
+warn=$(echo -e '\033[0;33m')
+# No color
+nc=$(echo -e '\033[0m')
+
+# Podman supports two network backends Netavark and CNI.
+# Netavark is the default network backend and was added in
+# Podman version 4.0. CNI is deprecated and is removed
+# in Podman version 5.0, in preference of Netavark.
+podmanBackend=$(podman info --format "{{.Host.NetworkBackend}}")
+
+if [[ $podmanBackend != "netavark" ]]; then
+ motd_path=/run/motd.d/35_cni_warning.motd
+
+ cat << EOF > "${motd_path}"
+${warn}
+###########################################################################
+WARNING: This system is using CNI networking. CNI is deprecated and will be
+removed in the upcoming Podman v5.0, in preference of netavark. To switch
+from CNI networking to netavark, you must run 'podman system reset --force'
+command. This will delete all of your images, containers, and custom networks.
+${nc}
+EOF
+fi
diff --git a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
index 12ca639f39..27780787c9 100644
--- a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
+++ b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
@@ -1,5 +1,5 @@
 enable coreos-check-ssh-keys.service
 # Check if cgroupsv1 is still being used
-enable coreos-check-cgroups.service
+enable coreos-check-cgroups-version.service
 # https://fedoraproject.org/wiki/Changes/EnableFwupdRefreshByDefault
 enable fwupd-refresh.timer
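Review bot: In coreos-cni-networking-check, a failed `podman info` is reported as CNI, because the command's exit status is never checked and the test `[[ $podmanBackend != "netavark" ]]` is also true for an empty string. The MOTD then advises `podman system reset --force`, which the message itself says deletes all images, containers and custom networks, so a false positive is costly for the operator who follows it. Match the deprecated backend explicitly with `if [[ $podmanBackend == "cni" ]]; then`, and make the query fail loudly with `podmanBackend=$(podman info --format "{{.Host.NetworkBackend}}") || exit 1`, so the unit shows as failed instead of writing the warning. Unlike the cgroups warning, the message gives no way to silence it; a closing line such as `sudo systemctl disable coreos-cni-networking-check.service` would match.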
diff --git a/overlay.d/15fcos/usr/lib/systemd/system/coreos-check-cgroups.service b/overlay.d/15fcos/usr/lib/systemd/system/coreos-check-cgroups-version.service
similarity index 83%
rename from overlay.d/15fcos/usr/lib/systemd/system/coreos-check-cgroups.service
rename to overlay.d/15fcos/usr/lib/systemd/system/coreos-check-cgroups-version.service
index 08055efe73..2aff8f6cdb 100644
--- a/overlay.d/15fcos/usr/lib/systemd/system/coreos-check-cgroups.service
+++ b/overlay.d/15fcos/usr/lib/systemd/system/coreos-check-cgroups-version.service
@@ -5,7 +5,7 @@ Description=Check if cgroupsv1 Is Still Being Used
 ConditionControlGroupController=v1
 [Service]
 Type=oneshot
-ExecStart=/usr/libexec/coreos-check-cgroups
+ExecStart=/usr/libexec/coreos-check-cgroups-version
 RemainAfterExit=yes
 [Install]
 WantedBy=multi-user.target
diff --git a/overlay.d/15fcos/usr/libexec/coreos-check-cgroups b/overlay.d/15fcos/usr/libexec/coreos-check-cgroups-version
similarity index 63%
rename from overlay.d/15fcos/usr/libexec/coreos-check-cgroups
rename to overlay.d/15fcos/usr/libexec/coreos-check-cgroups-version
index 39a68b7178..533f99d8bb 100755
--- a/overlay.d/15fcos/usr/libexec/coreos-check-cgroups
+++ b/overlay.d/15fcos/usr/libexec/coreos-check-cgroups-version
@@ -11,15 +11,14 @@ motd_path=/run/motd.d/30_cgroupsv1_warning.motd cat << EOF > "${motd_path}" ${warn} -############################################################################ -WARNING: This system is using cgroups v1. For increased reliability -it is strongly recommended to migrate this system and your workloads -to use cgroups v2. For instructions on how to adjust kernel arguments -to use cgroups v2, see: +########################################################################## +WARNING: This system is using cgroups v1. Podman has dropped support for +cgroups v1. Move your nodes to cgroups v2 if not already. For instructions +on how to adjust kernel arguments to use cgroups v2, see: https://docs.fedoraproject.org/en-US/fedora-coreos/kernel-args/ To disable this warning, use: -sudo systemctl disable coreos-check-cgroups.service -############################################################################ +sudo systemctl disable coreos-check-cgroups-version.service +########################################################################### ${nc} EOF
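Review bot: The new warning says Podman "has dropped" cgroups v1 support, while the commit message and the CNI warning added in the same patch both describe Podman 5 as upcoming; the two MOTD texts should use the same tense and name the version, for example `WARNING: This system is using cgroups v1. Support for cgroups v1 will be removed in the upcoming Podman v5.0.` The phrase "if not already" is redundant, since the unit that runs this script is gated by `ConditionControlGroupController=v1`. The new top and bottom `#` border lines also appear to differ in length by one character. The first ten lines of the script are outside this hunk.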