daemon: ensure pinned image updates are a reload action

Signed-off-by: Sam Batschelet <[email protected]>
openshift · Jan 24, 2024 · 35cfd63 · 35cfd63
1 parent 37c3dad
commit 35cfd63
Showing 1 changed file with 16 additions and 9 deletions.
diff --git a/pkg/daemon/update.go b/pkg/daemon/update.go
@@ -60,6 +60,8 @@ const (
 	// GPGNoRebootPath is the path MCO expects will contain GPG key updates. MCO will attempt to only reload crio for
 	// changes to this path. Note that other files added to the parent directory will not be handled specially
 	GPGNoRebootPath = "/etc/machine-config-daemon/no-reboot/containers-gpg.pub"
+	// pinnedImagePathRegex is the regex MCO expects will contain pinned image updates.
+	pinnedImagePathRegex = `crio\.conf\.d\/[0-9]{2}-pinned-images$`
 )
 
 func getNodeRef(node *corev1.Node) *corev1.ObjectReference {
@@ -408,35 +410,40 @@ func (dn *CoreOSDaemon) applyOSChanges(mcDiff machineConfigDiff, oldConfig, newC
 	return nil
 }
 
-func calculatePostConfigChangeActionFromFileDiffs(diffFileSet []string) (actions []string) {
+func calculatePostConfigChangeActionFromFileDiffs(diffFileSet []string) ([]string, error) {
 	filesPostConfigChangeActionNone := []string{
 		caBundleFilePath,
 		imageRegistryAuthFile,
 		"/var/lib/kubelet/config.json",
 	}
-	filesPostConfigChangeActionReloadCrio := []string{
+	regexPostConfigActionReloadCrio := []string{
 		constants.ContainerRegistryConfPath,
 		GPGNoRebootPath,
 		"/etc/containers/policy.json",
+		pinnedImagePathRegex,
 	}
 	filesPostConfigChangeActionRestartCrio := []string{
 		"/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt",
 	}
 
-	actions = []string{postConfigChangeActionNone}
+	actions := []string{postConfigChangeActionNone}
 	for _, path := range diffFileSet {
-		if ctrlcommon.InSlice(path, filesPostConfigChangeActionNone) {
-			continue
-		} else if ctrlcommon.InSlice(path, filesPostConfigChangeActionReloadCrio) {
+		actionReloadCrio, err := ctrlcommon.InSliceRegex(path, regexPostConfigActionReloadCrio)
+		if err != nil {
+			return nil, err
+		}
+		if actionReloadCrio {
 			actions = []string{postConfigChangeActionReloadCrio}
+		} else if ctrlcommon.InSlice(path, filesPostConfigChangeActionNone) {
+			continue
 		} else if ctrlcommon.InSlice(path, filesPostConfigChangeActionRestartCrio) {
 			actions = []string{postConfigChangeActionRestartCrio}
 		} else {
 			actions = []string{postConfigChangeActionReboot}
-			return
+			return actions, nil
 		}
 	}
-	return
+	return actions, nil
 }
 
 func calculatePostConfigChangeAction(diff *machineConfigDiff, diffFileSet []string) ([]string, error) {
@@ -457,7 +464,7 @@ func calculatePostConfigChangeAction(diff *machineConfigDiff, diffFileSet []stri
 	}
 
 	// We don't actually have to consider ssh keys changes, which is the only section of passwd that is allowed to change
-	return calculatePostConfigChangeActionFromFileDiffs(diffFileSet), nil
+	return calculatePostConfigChangeActionFromFileDiffs(diffFileSet)
 }
 
 // This is another update function implementation for the special case of