overlay.d/15fcos: add a migration script to move to OCI images

To simplify testing for coreos/fedora-coreos-tracker#1823
ship a script to fake the ostree origin to appear like it's on an
OCI deployement.

Just ship the migration script for now, without the systemd unit, to
allow testing.

overlay.d/15fcos/usr/libexec/coreos-oci-rebase

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# This is a migration script to move FCOS to OCI transport
+#
+# Users that have disabled Zincati or use a non default ostree remote
+# won't be migrated, but a MOTD will be displayed.
+# This should be shipped as a barrier-release.
+#
+# see https://fedoraproject.org/wiki/Changes/CoreOSOstree2OCIUpdates
+# and https://github.com/coreos/fedora-coreos-tracker/issues/1823
+
+
+# Maybe the machine is already on an OCI deployment
+booted_imgref=$(rpm-ostree status --json --booted | jq -r '.deployments[0]."container-image-reference"')
+
+if [ "$booted_imgref" != "null" ]; then
+    echo "The booted deployement is already an OCI container."
+    exit 0
+fi
+
+# check if the origin was changed
+origin=$(rpm-ostree status --json --booted | jq -r '.deployments[0].origin' | cut -d ':' -f 1)
+origin_url=$(ostree remote show-url "$origin")
+if [ "$origin_url" != "https://ostree.fedoraproject.org" ]; then
+    write_motd 
+    exit 0 
+fi
+
+# If Zincati is disabled, do nothing
+if ! systemctl is-enabled --quiet zincati; then 
+ write_motd
+ exit 0
+fi
+
+# Proceed with the migration by faking the origin file,
+# so at the next update, Zincati will pull the OCI image
+
+# get the currently booted ostree checksum
+checksum=$(rpm-ostree status --booted --json | jq -r '.deployments[0].checksum')
+# fetch the SHA checksum of the matching OCI image for the booted deployment
+version=$(rpm-ostree status --booted --json | jq -r '.deployments[0].version')
+stream=$(rpm-ostree status --booted --json | jq -r '.deployments[0]."base-commit-meta"."fedora-coreos.stream"')
+arch=$(arch)
+cincinnati_url="https://raw-updates.coreos.fedoraproject.org/v1/graph?basearch=$arch&stream=$stream&oci=true"
+imgref=$(curl "$cincinnati_url" -s | jq --arg VERSION "$version" -r '.nodes[]  | select(.version==$VERSION) | .payload')
+
+
+# Empty the current origin
+tmpfile=$(mktemp)
+sed -e '/^refspec=/d' \
+    -e '/^baserefspec=/d' /ostree/deploy/fedora-coreos/deploy/"$checksum".0.origin > "$tmpfile"
+
+{
+    echo "container-image-reference=ostree-remote-image:fedora:registry:$imgref"
+    echo "custom-url=ostree-remote-image:fedora:registry:$imgref"
+    echo "custom-description=Fedora CoreOS testing stream" 
+} >> "$tmpfile"
+
+mount -o remount,rw /sysroot
+
+# Replace the origin with our crafted one
+cp "$tmpfile" /ostree/deploy/fedora-coreos/deploy/"$checksum".0.origin
+
+
+# Restart Zincati
+systemctl restart zincati
+
+write_motd () {
+
+# Change the output color to yellow
+warn=$(echo -e '\033[0;33m')
+# No color
+nc=$(echo -e '\033[0m')
+
+motd_path=/run/motd.d/40-fcos-oci-rebase.motd
+
+cat << EOF > "${motd_path}"
+${warn}
+##########################################################################
+WARNING: Fedora CoreOS will be distributed through OCI images, to better
+align with the bootable containers initiative.
+The OSTree repository is expected to be retired after the Fedora 43 
+release.
+
+The migration service detected this system either have automatic updates
+disabled or is using a non-default ostree origin URL.
+
+The following command will rebase your system to the latest $stream release:
+sudo rpm-ostree rebase <insert image>
+
+See more details at <link to documentation page>
+
+To disable this warning, use:
+sudo systemctl disable coreos-oci-migration.service
+##########################################################################
+${nc}
+EOF
+
+}