From 7317aaa5807672d8af65771dbf90cd7c1d8e44d1 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Thu, 8 Jul 2021 13:33:24 -0400
Subject: [PATCH] 15fcos: remember when Ignition ran and print on console

Some users sometimes may not realize that they're using a pre-booted
version of a CoreOS image. This makes things confusing because they then
don't understand why the Ignition config wasn't applied.

There's no way to consistently detect this, but at least we can print an
informational message about (1) when Ignition ran, and (2) how many
boots ago that was.

This enhances the Ignition issue we already write for whether a
user config was provided rather than creating a separate one.

Related: bugzilla.redhat.com/show_bug.cgi?id=1977949
Related: https://github.com/coreos/ignition/issues/1214
---
 .../coreos-ignition-firstboot-complete        | 30 +++++++++
 .../coreos-check-ignition-config.service      | 14 +++--
 .../usr/libexec/coreos-check-ignition-config  | 62 ++++++++++++-------
 3 files changed, 78 insertions(+), 28 deletions(-)

diff --git a/overlay.d/05core/usr/libexec/coreos-ignition-firstboot-complete b/overlay.d/05core/usr/libexec/coreos-ignition-firstboot-complete
index 3973d11e04..8de601e3ae 100755
--- a/overlay.d/05core/usr/libexec/coreos-ignition-firstboot-complete
+++ b/overlay.d/05core/usr/libexec/coreos-ignition-firstboot-complete
@@ -1,6 +1,14 @@
 #!/bin/bash
 set -euo pipefail
 
+# We put this in /run and it's then moved by
+# coreos-check-ignition-config.service into /var/lib/coreos. The reason is that
+# I don't want to use RequiresMountsFor=/var/lib on this service to keep it less
+# fallible. Once we move this service to the initramfs, then we can directly
+# write there since /var mounts are in place and we can safely trigger
+# emergency.target if we fail.
+IGNITION_INFO=/run/ignition.info.json
+
 mount -o remount,rw /boot
 
 if [[ $(uname -m) = s390x ]]; then
@@ -16,3 +24,25 @@ rm -rf /boot/ignition
 # this file. Fail if we are unable to remove it, rather than risking rerunning
 # Ignition at next boot.
 rm /boot/ignition.firstboot
+
+# See https://github.com/coreos/ignition/pull/958 for the MESSAGE_ID source.
+nusercfgs=$(journalctl -o json-pretty MESSAGE_ID=57124006b5c94805b77ce473e92a8aeb \
+                | jq -s '.[] | select(.IGNITION_CONFIG_TYPE == "user")'| wc -l)
+if [ "${nusercfgs}" -gt 0 ]; then
+    usercfg=true
+else
+    usercfg=false
+fi
+
+mkdir -p "$(dirname "${IGNITION_INFO}")"
+
+# This is hardly sooper seekret stuff, but let's be conservative in light of
+# https://github.com/coreos/fedora-coreos-tracker/issues/889.
+touch "${IGNITION_INFO}"
+chmod 600 "${IGNITION_INFO}"
+cat >> "${IGNITION_INFO}" <<EOF
+{
+    "date": "$(date --utc)",
+    "usercfg": ${usercfg}
+}
+EOF
diff --git a/overlay.d/15fcos/usr/lib/systemd/system/coreos-check-ignition-config.service b/overlay.d/15fcos/usr/lib/systemd/system/coreos-check-ignition-config.service
index 1a91853d6b..525cdf8d30 100644
--- a/overlay.d/15fcos/usr/lib/systemd/system/coreos-check-ignition-config.service
+++ b/overlay.d/15fcos/usr/lib/systemd/system/coreos-check-ignition-config.service
@@ -2,15 +2,17 @@
 # no Ignition config is provided.
 [Unit]
 Description=Check if Ignition config is provided
-# Only perform checks on the first (Ignition) boot as they are
-# mostly useful only on that boot. This ensures systems started
-# before Ignition/Afterburn started logging structured data don't
-# get misleading messages. Also handles the case where the journal
-# gets rotated and no longer has the structured log messages.
-ConditionKernelCommandLine=ignition.firstboot
+After=coreos-ignition-firstboot-complete.service
+Before=systemd-user-sessions.service
+RequiresMountsFor=/var/lib/coreos
+ConditionPathExists=|/var/lib/coreos/ignition.info.json
+# See coreos-ignition-firstboot-complete
+ConditionPathExists=|/run/ignition.info.json
+
 [Service]
 Type=oneshot
 ExecStart=/usr/libexec/coreos-check-ignition-config
 RemainAfterExit=yes
+
 [Install]
 WantedBy=multi-user.target
diff --git a/overlay.d/15fcos/usr/libexec/coreos-check-ignition-config b/overlay.d/15fcos/usr/libexec/coreos-check-ignition-config
index 93093bdba0..ba5e29fc1c 100755
--- a/overlay.d/15fcos/usr/libexec/coreos-check-ignition-config
+++ b/overlay.d/15fcos/usr/libexec/coreos-check-ignition-config
@@ -1,26 +1,44 @@
 #!/usr/bin/bash
-# The logic for the message_id is handled in 
-# https://github.com/coreos/ignition/pull/958
-# In this script, we need to capture the journald 
-# log with the particular message_id and query using 
-#`jq` utility to check if a user config is provided.
-
-# Change the output color to yellow
-warn='\033[0;33m'
-# No color
-nc='\033[0m'
-
-# See https://github.com/coreos/ignition/pull/958 for the MESSAGE_ID source.
-# It will track the journal messages related to an Ignition config provided 
-# by the user.
-output=$(journalctl -o json-pretty MESSAGE_ID=57124006b5c94805b77ce473e92a8aeb | jq -s '.[] | select(.IGNITION_CONFIG_TYPE == "user")'| wc -l)
-
-if [[ $output -gt  0 ]];then
-    echo "Ignition: user-provided config was applied" > /etc/issue.d/30_ignition_config_info.issue
+set -euo pipefail
+
+is_firstboot=0
+
+IGNITION_INFO=/var/lib/coreos/ignition.info.json
+
+IGNITION_FIRSTBOOT_INFO=/run/ignition.info.json
+if [ -e "${IGNITION_FIRSTBOOT_INFO}" ]; then
+    is_firstboot=1
+    mkdir -p "$(dirname "${IGNITION_INFO}")"
+    mv "${IGNITION_FIRSTBOOT_INFO}" "${IGNITION_INFO}"
+fi
+
+WARN='\033[0;33m' # yellow
+RESET='\033[0m' # reset
+
+mkdir -p /run/issue.d
+touch /run/issue.d/coreos-ignition-provisioning.issue
+
+d=$(jq -r .date "${IGNITION_INFO}")
+if jq -e .usercfg "${IGNITION_INFO}" &>/dev/null; then
+    usercfg="with Ignition config"
+    prefix=""
+    suffix=""
+else
+    usercfg="without Ignition config"
+    prefix="$WARN"
+    suffix="$RESET"
+fi
+
+if [ "${is_firstboot}" == 1 ]; then
+    echo -e "${prefix}Ignition: ran on ${d} (this boot) ${usercfg}${suffix}" \
+        > /run/issue.d/coreos-ignition-provisioning.issue
 else
-    echo -e "${warn}Ignition: no config provided by user${nc}" > /etc/issue.d/30_ignition_config_info.issue
+    nreboots=$(($(journalctl --list-boots | wc -l) - 1))
+    [ "${nreboots}" -eq 1 ] && boot=boot || boot=boots
+    echo -e "${prefix}Ignition: ran on ${d} (at least $nreboots $boot ago) ${usercfg}${suffix}" \
+        > /run/issue.d/coreos-ignition-provisioning.issue
 fi
 
-# Ask all running agetty instances to reload and update their
-# displayed prompts in case this script was run before agetty.
-/usr/sbin/agetty --reload
+# Our makeshift way of getting /run/issue.d semantics. See:
+# https://github.com/coreos/console-login-helper-messages/blob/e06fc88ae8fbcc3a422bc8c686f70c15aebb9d9a/usr/lib/console-login-helper-messages/issue.defs#L8-L17
+ln -sf /run/issue.d/coreos-ignition-provisioning.issue /etc/issue.d/