NO-JIRA: daemon: expand os image presence check

[dustymabe]

- What I did

In #5868 [1] we started running bootupd from the OS update container, which means the container image gets pulled down and is already present. Let's expand the GetPodmanImageInfoByReference check here to run it unconditionally, not just if isPisConfigured.

This should prevent us pulling the OS image into container storage and then having rpm-ostree separately pull it (directly into ostree storage). If podmanImageInfo isn't nil then we'll rebase directly from containers-storage: transport.

[1] #5868

- How to verify it

Look at the logs and verify the rebase is coming from containers-storage:.

- Description for the changelog

Tell rpm-ostree rebase to use the image from containers-storage if the image is already present, which will be true if we previously updated the bootloader.

Summary by CodeRabbit

• Bug Fixes
  • OS updates now always check for and reuse locally cached images when present, reducing redundant downloads and speeding updates.
  • Local image lookup errors are surfaced earlier in the update flow, improving visibility of issues during updates.
  • Update status accurately reflects registry/pull state and retry/backoff behavior when remote pulls occur.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Walkthrough

updateLayeredOS in pkg/daemon/update.go now always queries Podman for the target OS image (GetPodmanImageInfoByReference(newURL)) and returns on lookup errors; the prior PIS-gated conditional and isPinnedImageSetConfigured helper were removed. The function still rebases from local container storage when the image is present, otherwise it proceeds with the remote rebase and status updates.

Changes

Local vs Remote Rebase Flow

Layer / File(s)	Summary
Podman lookup (control change) pkg/daemon/update.go	updateLayeredOS now unconditionally calls dn.podmanInterface.GetPodmanImageInfoByReference(newURL) and immediately returns on lookup error; removed PIS-config gating.
Local rebase path pkg/daemon/update.go	If podmanImageInfo != nil, code pivots to RebaseLayeredFromContainerStorage (unchanged aside from unconditional lookup).
Remote rebase & status pkg/daemon/update.go	If local image absent, code updates MachineConfigNodeImagePulledFromRegistry status conditions and proceeds with remote RebaseLayered(newURL) including retry/backoff handling.
Removed helper pkg/daemon/update.go	Deleted func (dn *Daemon) isPinnedImageSetConfigured() (bool, error) which previously gated the local-image lookup.

Sequence Diagram

sequenceDiagram
    participant Daemon
    participant Podman
    participant Registry
    participant Status

    Daemon->>Podman: GetPodmanImageInfoByReference(newURL)
    alt Podman lookup error
        Podman-->>Daemon: error
        Daemon->>Status: return early (propagate error)
    else Image present
        Podman-->>Daemon: podmanImageInfo
        Daemon->>Daemon: RebaseLayeredFromContainerStorage(image)
        Daemon->>Status: update status (local rebase)
    else Image absent
        Podman-->>Daemon: nil
        Daemon->>Registry: RebaseLayered(newURL) (pull)
        Registry-->>Daemon: image data / errors (with retries)
        Daemon->>Status: update MachineConfigNodeImagePulledFromRegistry conditions
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Topology-Aware Scheduling Compatibility	⚠️ Warning	Machine Config Controller deployment uses nodeSelector targeting control-plane nodes. This breaks on HyperShift where no control-plane nodes exist in-cluster.	Replace nodeSelector with tolerations or add topology-aware scheduling that handles HyperShift's External control plane topology.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Check not applicable. PR only modifies pkg/daemon/update.go with no test files added/changed. No Ginkgo tests in modified files.
Test Structure And Quality	✅ Passed	Not applicable. PR only modifies update.go. No test files changed. Existing tests use standard Go testing, not Ginkgo.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The commit only modifies pkg/daemon/update.go (daemon code logic), not test files. The MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. Changes are limited to pkg/daemon/update.go (daemon code). The SNO test compatibility check is not applicable.
Ote Binary Stdout Contract	✅ Passed	PR changes only pkg/daemon/update.go, which is daemon library code. OTE Binary Stdout Contract applies only to OTE process-level code (main, init, TestMain, suite setup), not daemon library functions.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added. PR modifies daemon business logic (update.go) and contains only standard Go unit tests (update_test.go). Check not applicable.
Title check	✅ Passed	The title 'daemon: expand os image presence check' accurately describes the main change: making GetPodmanImageInfoByReference run unconditionally rather than only when PIS is configured, thereby expanding when the OS image presence check occurs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dustymabe]

/hold

I want to look at the logs from the CI run

[dustymabe]

/test ci/prow/e2e-aws-ovn

[dustymabe]

/test e2e-aws-ovn

[dustymabe]

/test unit

[yuqi-zhang]

Hmm, so we added the PIS check in https://github.com/openshift/machine-config-operator/pull/5333/changes . Looking at the bug, we did it because the local pull can get cleaned up unless PIS configured crio not to delete the image.

The code around it seems to have changed a bit, but curious if that's still a problem

[dustymabe]

Definitely would like more eyes on the code here, but IIUC the existing code only checks if the image is present if PIS was configured. i.e. it assumes the only reason the image would already be present is if PIS was configured.

The change here basically revolves arount the fact that the image could be present for multiple reasons so let's always check if it's present first and proceed accordingly if it is.

[yuqi-zhang]

Right, I want to say that we only wanted to rebase from the local image if PIS is configured, and not for any other case explicitly, even if it does incur an extra cost.

@pablintino does that sound right?

[pablintino]

@yuqi-zhang @dustymabe I think this change is safe to perform now given we did #5345. The check to see if PIS was enabled was introduced as a really short term fix for customers that faced the original bug that basically caused clusters with the image already in local storage to fail if a really tied pull policy was in place. As most users didn't have PIS enabled this if condition made all cluster go through the pull path instead of the local storage one. Now that we always manipulate the policies to make sure local storage is usable I don't think we will hace issues.
Apart from that, totally agree with the idea of this change to avoid the extra pull.

[dustymabe]

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[dustymabe]

/test e2e-gcp-op-ocl-part2

[pablintino]

isPinnedImageSetConfigured can now be removed as it's dead code.

[dustymabe]

done

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/daemon/update.go`:
- Around line 2781-2788: Remove the orphaned comment fragment "// the local
image" that interrupts the comment block before the call to
dn.podmanInterface.GetPodmanImageInfoByReference(newURL); update the surrounding
comment to be a single coherent sentence (or remove the fragment entirely) so
the comment reads cleanly: e.g., keep the explanation about checking whether the
new container image is already present and delete the stray fragment.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2d715bbe-d36a-426d-b41e-6507b98dd4e9

📥 Commits

Reviewing files that changed from the base of the PR and between f9d91f6 and b95edf8.

📒 Files selected for processing (1)

• pkg/daemon/update.go

[yuqi-zhang]

/lgtm

Do you want to backport this @dustymabe ? I can create a bug for that. This will currently merge into 5.0 only

[dustymabe]

/lgtm

Do you want to backport this @dustymabe ? I can create a bug for that. This will currently merge into 5.0 only

I think it should go anywhere the bootupd code landed. almost to be considered like a fixup for that code. wish we didn't have to do a bunch of paperwork for that.

[yuqi-zhang]

I think it should go anywhere the bootupd code landed. almost to be considered like a fixup for that code. wish we didn't have to do a bunch of paperwork for that.

I think given the context that:

1. we're running it conditionally (only if the bootloader needs updating, so at most 1 time per cluster)
2. we want to remove the bootupd code in the MCO in favour of doing it properly in RHCOS, once that's available
3. the bootupd code only got backported to 4.22

I'm fine with having this generally only for main (5.0) and onwards, and consider it less of a fix but more of a operation improvement, unless you think there's a specific risk in double-pulls in 4.22 that we should get this in for

[dustymabe]

ok, sounds good

[yuqi-zhang]

Given its minor scope, adding no-Jira

/lgtm

From my end

[dustymabe]

/unhold

[yuqi-zhang]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-ocl-part1
/test e2e-gcp-op-ocl-part2
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dustymabe, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@dustymabe: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-op-part1	46930d4	link	true	/test e2e-gcp-op-part1

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.