OCPBUGS-83830: Apply password only if changes exist #5889

Merged: openshift-merge-bot[bot] merged 2 commits into openshift:main from pablintino:ocpbugs-83830 on May 8, 2026

@pablintino pablintino commented Apr 28, 2026

Closes: #OCPBUGS-83830

- What I did

This bugfix ensures that the MCD only runs usermod if the password hash has actually changed and not in every update. This aligns the behavior we currently have for SSH passwords.

- How to verify it

TBD

- Description for the changelog

This bugfix ensures that the MCD only runs usermod if the password hash has actually changed and not in every update.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed password and SSH key update handling to properly rollback changes when updates fail, ensuring system state is restored on error.
    • Avoids reapplying unchanged password hashes by detecting existing shadow entries, reducing unnecessary system calls and preventing redundant password updates.

This change fixes the issue in SSH keys and user passwords that made the
rollback useless as it tried to apply the new configuration instead of
the previous one.

Signed-off-by: Pablo Rodriguez Nava <git@amail.pablintino.eu>
@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 28, 2026
@openshift-ci-robot
Contributor

@pablintino: This pull request references Jira Issue OCPBUGS-83830, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 28, 2026

coderabbitai Bot commented Apr 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e7b08b2d-b43d-49a6-88b2-2e47c5684575

📥 Commits

Reviewing files that changed from the base of the PR and between fdfe7de and 867a618.

📒 Files selected for processing (1)
  • pkg/daemon/update.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/daemon/update.go

Walkthrough

The update flow restricts password-hash changes to the diff.passwd path, fixes rollback defers for SSH keys and password hashes to revert new→old, and adds logic to read current shadow hashes to avoid redundant usermod -p calls.

Changes

Cohort / File(s) | Summary
Password/SSH rollback & password-hash logic (pkg/daemon/update.go) | Moved SetPasswordHash(...) into the if diff.passwd block; corrected rollback defers to call updateSSHKeys(oldUsers, newUsers) and SetPasswordHash(oldUsers, newUsers) (revert direction); added getUserPasswordHash usage so SetPasswordHash reads current shadow hashes and skips usermod -p when the hash already matches (including "*").

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality | ❓ Inconclusive | Unable to locate Ginkgo test files associated with this PR's production code changes to pkg/daemon/update.go. | Provide paths to test files included in this PR, or clarify if no test changes are included and this check should not apply.

✅ Passed checks (10 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly summarizes the main change: applying password only when changes exist, which is the primary bugfix objective of the PR.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | The custom check for stable and deterministic Ginkgo test names is not applicable to this pull request. The PR only modifies pkg/daemon/update.go (a production code file, not a test file) and does not add, modify, or create any test files. The repository uses standard Go testing (testing.T) for unit tests in update_test.go, not Ginkgo, so there are no Ginkgo test declarations (It(), Describe(), Context(), etc.) to evaluate. Since the PR introduces no Ginkgo tests, there are no dynamic test names to flag.
Microshift Test Compatibility | ✅ Passed | PR modifies only daemon runtime code with no new e2e tests introduced; MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR modifies only pkg/daemon/update.go with internal daemon logic changes. No new Ginkgo e2e tests are added.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR only modifies internal daemon logic in pkg/daemon/update.go with no changes to Kubernetes manifests, deployment definitions, or scheduling constraints.
Ote Binary Stdout Contract | ✅ Passed | The PR modifies password hash handling by adding getUserPasswordHash() with CombinedOutput() and updating SetPasswordHash() to use only klog.Info() for logging. These functions execute during normal daemon operation after flag.Set("logtostderr", "true") is initialized in start.go, ensuring all klog output is properly redirected to stderr and does not corrupt the OTE JSON contract.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR modifies only production daemon code in pkg/daemon/update.go with no new Ginkgo e2e tests added.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/daemon/update.go`:
- Around line 1252-1255: The passwd-section diff currently triggers
SetPasswordHash even when only SSH keys changed; add a targeted comparison that
detects real password-hash intent changes and use that to guard SetPasswordHash
and the related passwd-handling block (the code that currently checks
diff.passwd). Implement a helper like passwordHashChanged(newUsers, oldUsers)
that normalizes nil/empty to a placeholder and compares per-user password hashes
(and detects removed users with a non-placeholder old hash), then replace the
diff.passwd condition with a call to this helper before invoking
dn.SetPasswordHash (and likewise for the block at the other occurrence around
the SetPasswordHash usage) so usermod -p runs only when hashes actually changed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fbb6ae67-6748-4e2a-86f0-63abfdbe9764

📥 Commits

Reviewing files that changed from the base of the PR and between e0916a2 and fdfe7de.

📒 Files selected for processing (1)
  • pkg/daemon/update.go

Comment thread pkg/daemon/update.go
@pablintino
Contributor Author

/test unit

This bugfix ensures that the MCD only runs `usermod` if the password
hash has actually changed and not in every update. This aligns the
behavior we currently have for SSH passwords.

Signed-off-by: Pablo Rodriguez Nava <git@amail.pablintino.eu>
@pablintino
Contributor Author

/test unit

Contributor

@yuqi-zhang yuqi-zhang left a comment

/lgtm

Left some thoughts inline but logically should be sound

Comment thread pkg/daemon/update.go
defer func() {
if retErr != nil {
if err := dn.updateSSHKeys(newIgnConfig.Passwd.Users, oldIgnConfig.Passwd.Users); err != nil {
if err := dn.updateSSHKeys(oldIgnConfig.Passwd.Users, newIgnConfig.Passwd.Users); err != nil {
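Review bot: In the deferred rollback, the only thing that separates "apply" from "revert" is the argument order of dn.updateSSHKeys, and nothing in these lines makes that order checkable. Consider a unit test that forces retErr to be non-nil and asserts the resulting keys match oldIgnConfig.Passwd.Users, plus a one-line comment on the call naming which parameter is the target state.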
Contributor

Good thing this almost never fails since we probably never had a functional rollback

Contributor Author

Agree on that.

Comment thread pkg/daemon/update.go
}

// Check if hash update is needed. Skip if not.
currentHash, err := getUserPasswordHash(u.Name)
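Review bot: The comment above getUserPasswordHash(u.Name) says the update is skipped when not needed, but it does not say what happens when the lookup itself returns an error. State in the comment whether a failed read aborts the update or falls through to usermod, since the two choices differ in whether an unreadable shadow entry blocks a password change.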
Contributor

So the vast majority of users would never have this set. I guess with our current logic, we'd always just be doing a usermod with an empty password hash and this is triggering the policy described in the bug?

I'm wondering if we just exit out of this function if passwordhash is unset. I guess we'd have to have special logic if the user deletes a password entry, so probably fine to keep it as is since most users wouldn't be hitting this with your conditional changes above. (just thinking if we can bypass the on-disk check)

Contributor Author

Yeah, I thought about it, but I took the "Ansible" approach: "I'd do my best to make your state match the machine state". With an early exit or check, the user would be able to modify the node shadow and we would never try to patch it to match the MC, which I'd say is the source of truth.
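
The reconcile-to-desired-state behaviour discussed in this thread, as an added example that is not the MCO's own code: a constructed in-memory `Node` stands in for the shadow database, and the names `Node`, `Converge`, `Update`, `desired` and `lockedHash` are hypothetical. It shows the skip-when-equal check, the repair of an out-of-band shadow edit, and a rollback whose target is the old config.

```go
package main

import "fmt"

// User is a hypothetical stand-in for one Ignition passwd user entry.
type User struct {
	Name         string
	PasswordHash *string // nil means no password is configured
}

// lockedHash is the shadow placeholder treated as "no password" (assumption
// taken from the walkthrough's mention of "*").
const lockedHash = "*"

// Node is a constructed in-memory stand-in for a node's shadow database.
// UsermodCalls counts how often the `usermod -p` stand-in actually ran.
type Node struct {
	Shadow       map[string]string
	UsermodCalls int
}

func (n *Node) usermod(name, hash string) {
	n.Shadow[name] = hash
	n.UsermodCalls++
}

// desired normalizes a nil or empty hash to the locked placeholder.
func desired(u User) string {
	if u.PasswordHash == nil || *u.PasswordHash == "" {
		return lockedHash
	}
	return *u.PasswordHash
}

// Converge makes the on-disk hashes match target and skips users that
// already match, so an unchanged config causes no write at all.
func (n *Node) Converge(target []User) error {
	for _, u := range target {
		have, ok := n.Shadow[u.Name]
		if !ok {
			return fmt.Errorf("user %q has no shadow entry", u.Name)
		}
		if want := desired(u); have != want {
			n.usermod(u.Name, want)
		}
	}
	return nil
}

// Update applies newUsers, then runs laterStep (any later part of the update).
// If laterStep fails, the deferred rollback converges back to oldUsers.
func (n *Node) Update(oldUsers, newUsers []User, laterStep func() error) (retErr error) {
	if err := n.Converge(newUsers); err != nil {
		return err
	}
	defer func() {
		if retErr != nil {
			// Rollback target is the OLD config; passing newUsers here would
			// re-apply the change that is being undone.
			if err := n.Converge(oldUsers); err != nil {
				retErr = fmt.Errorf("%w (rollback also failed: %v)", retErr, err)
			}
		}
	}()
	return laterStep()
}

// hash returns a pointer to a constructed sample hash string.
func hash(s string) *string { return &s }

func main() {
	n := &Node{Shadow: map[string]string{"core": lockedHash}}
	oldUsers := []User{{Name: "core"}}
	newUsers := []User{{Name: "core", PasswordHash: hash("$6$constructed$A")}}
	ok := func() error { return nil }

	_ = n.Update(oldUsers, newUsers, ok) // first apply: one write
	_ = n.Update(newUsers, newUsers, ok) // unchanged config: no write
	fmt.Println("usermod calls:", n.UsermodCalls, "shadow:", n.Shadow["core"])
}
```

Because `Converge` compares against the on-disk value rather than the previous config, a manual edit of the shadow entry is corrected on the next pass even when the MachineConfig did not change.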

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 30, 2026
@openshift-merge-bot
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

@openshift-ci
Contributor

openshift-ci Bot commented Apr 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pablintino, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [pablintino,yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pablintino
Contributor Author

/retest-required

@ptalgulk01
Contributor

ptalgulk01 commented May 4, 2026

Pre-merge verification:

Environment setup
OCP version: 4.23.0-0-2026-05-04-045145-test-ci-ln-y0mfg0k-latest
Platform: AWS

Steps:

  • Applied below MC:
cat <<EOF | oc apply -f -
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 99-worker-core-password-test
  labels:
    machineconfiguration.openshift.io/role: worker
spec:
  config:
    ignition:
      version: 3.2.0
    passwd:
      users:
      - name: core
        passwordHash: "\$6\$rounds=4096\$saltsalt\$hashhash2"
EOF
machineconfig.machineconfiguration.openshift.io/99-worker-core-password-test created
  • Check the MCD logs and verify the logs have been triggered
$ oc logs machine-config-daemon-m5hrp | grep -i pass
Defaulted container "machine-config-daemon" out of: machine-config-daemon, kube-rbac-proxy
I0504 09:24:54.865427    2595 update.go:3050] "Starting update from rendered-worker-737dab4eec887af16a8ddbaeb4c5f2c9 to rendered-worker-6777d90e72fda93e143ed864ed564d2e: &{osUpdate:false kargs:false fips:false passwd:false files:true units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"
I0504 12:18:35.475096    2595 update.go:3050] "Starting update from rendered-worker-6777d90e72fda93e143ed864ed564d2e to rendered-worker-9f5f45a95e1cfd12963390242321d1e2: &{osUpdate:false kargs:false fips:false passwd:true files:false units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"
I0504 12:18:36.373371    2595 update.go:2495] Password has been configured
  • Update/change the passwordHash in MC
$ oc logs machine-config-daemon-m5hrp | grep -i pass
Defaulted container "machine-config-daemon" out of: machine-config-daemon, kube-rbac-proxy
I0504 09:24:54.865427    2595 update.go:3050] "Starting update from rendered-worker-737dab4eec887af16a8ddbaeb4c5f2c9 to rendered-worker-6777d90e72fda93e143ed864ed564d2e: &{osUpdate:false kargs:false fips:false passwd:false files:true units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"
I0504 12:18:35.475096    2595 update.go:3050] "Starting update from rendered-worker-6777d90e72fda93e143ed864ed564d2e to rendered-worker-9f5f45a95e1cfd12963390242321d1e2: &{osUpdate:false kargs:false fips:false passwd:true files:false units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"
I0504 12:18:36.373371    2595 update.go:2495] Password has been configured
I0504 12:33:16.327508    2595 update.go:3050] "Starting update from rendered-worker-9f5f45a95e1cfd12963390242321d1e2 to rendered-worker-8fa8dc0847e6def22b9195de217fbb7d: &{osUpdate:false kargs:false fips:false passwd:true files:false units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"
I0504 12:33:17.157884    2595 update.go:2495] Password has been configured
  • Added the ssh into MC and verify no logs are triggered for this
sshAuthorizedKeys:
             - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnewkey123... test-ssh-key
oc logs machine-config-daemon-m5hrp | grep -i pass
Defaulted container "machine-config-daemon" out of: machine-config-daemon, kube-rbac-proxy
I0504 09:24:54.865427    2595 update.go:3050] "Starting update from rendered-worker-737dab4eec887af16a8ddbaeb4c5f2c9 to rendered-worker-6777d90e72fda93e143ed864ed564d2e: &{osUpdate:false kargs:false fips:false passwd:false files:true units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"
I0504 12:18:35.475096    2595 update.go:3050] "Starting update from rendered-worker-6777d90e72fda93e143ed864ed564d2e to rendered-worker-9f5f45a95e1cfd12963390242321d1e2: &{osUpdate:false kargs:false fips:false passwd:true files:false units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"
I0504 12:18:36.373371    2595 update.go:2495] Password has been configured
I0504 12:33:16.327508    2595 update.go:3050] "Starting update from rendered-worker-9f5f45a95e1cfd12963390242321d1e2 to rendered-worker-8fa8dc0847e6def22b9195de217fbb7d: &{osUpdate:false kargs:false fips:false passwd:true files:false units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"
I0504 12:33:17.157884    2595 update.go:2495] Password has been configured
I0504 13:11:26.418025    2595 update.go:3050] "Starting update from rendered-worker-8fa8dc0847e6def22b9195de217fbb7d to rendered-worker-9f5f45a95e1cfd12963390242321d1e2: &{osUpdate:false kargs:false fips:false passwd:true files:false units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"
I0504 13:11:27.218298    2595 update.go:2495] Password has been configured
I0504 13:15:08.095333    2595 update.go:3050] "Starting update from rendered-worker-9f5f45a95e1cfd12963390242321d1e2 to rendered-worker-33078feceb88417cbaf25d4c6f200810: &{osUpdate:false kargs:false fips:false passwd:true files:false units:false kernelType:false extensions:false oclEnabled:false revertFromOCL:false}"

On a cluster without the fix, the logs were triggered for ssh.

/label qe-approved
/verified by @ptalgulk01

@openshift-ci openshift-ci Bot added the qe-approved Signifies that QE has signed off on this PR label May 4, 2026
@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 4, 2026
@openshift-ci-robot
Contributor

@ptalgulk01: This PR has been marked as verified by @ptalgulk01.

@pablintino
Contributor Author

/jira refresh
/cherry-pick release-4.22

@openshift-cherrypick-robot

@pablintino: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 7, 2026
@openshift-ci-robot
Contributor

@pablintino: This pull request references Jira Issue OCPBUGS-83830, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

@openshift-merge-bot
Contributor

/retest-required

Remaining retests: 0 against base HEAD f9d91f6 and 2 for PR HEAD 867a618 in total

@pablintino
Contributor Author

/retest-required

@openshift-ci
Contributor

openshift-ci Bot commented May 8, 2026

@pablintino: all tests passed!

@openshift-merge-bot openshift-merge-bot Bot merged commit 3320406 into openshift:main May 8, 2026
17 checks passed
@openshift-ci-robot
Contributor

@pablintino: Jira Issue Verification Checks: Jira Issue OCPBUGS-83830
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-83830 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

@openshift-cherrypick-robot

@pablintino: new pull request created: #6023

@openshift-merge-robot
Contributor

Fix included in release 5.0.0-0.nightly-2026-05-09-013211
