OCPBUGS-84332: Fix ssh and password rollbacks #5884

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from pablintino:ocpbugs-84332 on Apr 30, 2026

@pablintino commented Apr 27, 2026

Closes: #OCPBUGS-84332

- What I did

This change fixes the issue in SSH keys and user passwords that made the rollback useless as it tried to apply the new configuration instead of the previous one.

- How to verify it

TBD

- Description for the changelog

This change fixes the issue in SSH keys and user passwords that made the rollback useless as it tried to apply the new configuration instead of the previous one.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed an issue where failed daemon updates did not properly roll back SSH key and password configurations to their previous state. Update failures will now correctly restore the original configuration.

This change fixes the issue in SSH keys and user passwords that made the
rollback useless as it tried to apply the new configuration instead of
the previous one.

Signed-off-by: Pablo Rodriguez Nava <git@amail.pablintino.eu>
@openshift-ci-robot added labels on Apr 27, 2026: jira/severity-low (Referenced Jira bug's severity is low for the branch this PR is targeting.), jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type.), jira/invalid-bug (Indicates that a referenced Jira bug is invalid for the branch this PR is targeting.)
@openshift-ci-robot

@pablintino: This pull request references Jira Issue OCPBUGS-84332, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

@openshift-merge-bot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai

coderabbitai Bot commented Apr 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7a4c5ec5-c844-4a83-8250-82c54f297b09

📥 Commits

Reviewing files that changed from the base of the PR and between e0916a2 and 3d98512.

📒 Files selected for processing (1)
  • pkg/daemon/update.go

Walkthrough

A bug fix in the Daemon.update method corrects the rollback logic to properly revert SSH key and password hash updates when an error occurs. The argument order to updateSSHKeys and SetPasswordHash functions was reversed from (newUsers, oldUsers) to (oldUsers, newUsers) to correctly restore previous state.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Rollback Logic Correction (pkg/daemon/update.go) | Swapped argument order in defer-time calls to updateSSHKeys and SetPasswordHash to properly revert from new configuration back to old configuration on error. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Test Structure And Quality | ❓ Inconclusive | Unable to verify: no git repository context or actual code changes provided in input. | Please provide actual git diff output or source code changes to verify. |

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and clearly describes the main change: fixing SSH and password rollback logic in the daemon update process. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The pull request does not modify any Ginkgo test files; changes are limited to production code in pkg/daemon/update.go fixing SSH key and password rollback behavior. |
| Microshift Test Compatibility | ✅ Passed | The PR only modifies pkg/daemon/update.go to fix rollback logic for SSH keys and password hashes by correcting defer statement argument order. No new Ginkgo e2e tests are added. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR modifies only pkg/daemon/update.go, a source file with no new Ginkgo e2e tests. The SNO Test Compatibility check applies only to new e2e tests, making it not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only daemon-level rollback logic in pkg/daemon/update.go without introducing any scheduling constraints, deployment manifests, or topology-aware assumptions that could break on SNO, Two-Node, or HyperShift clusters. |
| Ote Binary Stdout Contract | ✅ Passed | The PR modifies argument order in daemon update logic with no impact on process-level stdout contract. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR only modifies daemon update logic in pkg/daemon/update.go to fix SSH and password rollback behavior. No new Ginkgo e2e tests are added. |

Comment @coderabbitai help to get the list of available commands and usage tips.
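
The argument-order bug described in the walkthrough above, as an added Go example that is not the project's code: `applyUsers`, `node`, `update` and `credentialsAfterFailedUpdate` are hypothetical stand-ins for the daemon's functions, and the sample credentials are constructed. With the swapped order, the deferred rollback re-applies the v2 password hash and SSH key after the update has failed, so the node keeps credentials its reported configuration no longer describes.

```go
package main

import (
	"errors"
	"fmt"
)

// user is a simplified stand-in for one entry of an Ignition passwd.users list.
type user struct {
	Name         string
	PasswordHash string
	SSHKeys      []string
}

// node models the credential state a daemon manages on a host (hypothetical).
type node struct {
	shadow         map[string]string   // user name -> password hash
	authorizedKeys map[string][]string // user name -> authorized SSH keys
}

// applyUsers replaces whatever previous had written with target's credentials.
// Assumed convention for this example: the state to apply is the first list.
func applyUsers(n *node, target, previous []user) {
	for _, u := range previous {
		delete(n.shadow, u.Name)
		delete(n.authorizedKeys, u.Name)
	}
	for _, u := range target {
		n.shadow[u.Name] = u.PasswordHash
		n.authorizedKeys[u.Name] = append([]string(nil), u.SSHKeys...)
	}
}

var errOSUpdate = errors.New("simulated OS image update failure")

// update applies newUsers and then hits a later step that fails. The deferred
// function is the rollback; swappedArgs reproduces the argument order that the
// walkthrough describes as the bug.
func update(n *node, oldUsers, newUsers []user, swappedArgs bool) (retErr error) {
	applyUsers(n, newUsers, oldUsers)
	defer func() {
		if retErr == nil {
			return // update succeeded, nothing to undo
		}
		if swappedArgs {
			applyUsers(n, newUsers, oldUsers) // re-applies the new credentials
		} else {
			applyUsers(n, oldUsers, newUsers) // restores the previous credentials
		}
	}()
	return errOSUpdate
}

// credentialsAfterFailedUpdate starts from v1 credentials, attempts a failing
// update to v2, and returns what is left on the node for user "core".
func credentialsAfterFailedUpdate(swappedArgs bool) (string, []string, error) {
	oldUsers := []user{{Name: "core", PasswordHash: "hash-v1", SSHKeys: []string{"ssh-key testv1@mco"}}}
	newUsers := []user{{Name: "core", PasswordHash: "hash-v2", SSHKeys: []string{"ssh-key testv2@mco"}}}
	n := &node{shadow: map[string]string{}, authorizedKeys: map[string][]string{}}
	applyUsers(n, oldUsers, nil) // node starts on the old configuration
	err := update(n, oldUsers, newUsers, swappedArgs)
	return n.shadow["core"], n.authorizedKeys["core"], err
}

func main() {
	for _, swapped := range []bool{true, false} {
		hash, keys, err := credentialsAfterFailedUpdate(swapped)
		fmt.Printf("swappedArgs=%v err=%q hash=%s keys=%v\n", swapped, err, hash, keys)
	}
}
```
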

@openshift-ci (bot) added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) on Apr 27, 2026
@umohnani8

/lgtm

@openshift-ci (bot) added the lgtm label (Indicates that a PR is ready to be merged.) on Apr 28, 2026
@openshift-merge-bot

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

@openshift-ci

openshift-ci Bot commented Apr 28, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pablintino, umohnani8

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [pablintino,umohnani8]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@isabella-janssen

/jira refresh

@openshift-ci-robot added the jira/valid-bug label (Indicates that a referenced Jira bug is valid for the branch this PR is targeting.) and removed the jira/invalid-bug label (Indicates that a referenced Jira bug is invalid for the branch this PR is targeting.) on Apr 28, 2026
@openshift-ci-robot

@isabella-janssen: This pull request references Jira Issue OCPBUGS-84332, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

@HarshwardhanPatil07 left a comment

Pre-merge Verification: PASSED
Cluster version: 4.22.0-0-2026-04-29-050426-test-ci-ln-5rzgwi2-latest

Steps Performed:

  1. Apply the first MC
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ cat <<'EOF' | oc apply -f -
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: mc-tc-88821-rollback
spec:
  config:
    ignition:
      version: 3.5.0
    passwd:
      users:
        - name: core
          passwordHash: $6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSv1
          sshAuthorizedKeys:
            - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDtest1234567890 testv1@mco
    storage:
      files:
        - contents:
            source: data:,mco-test-content-v1%0A
          mode: 0644
          overwrite: true
          path: /etc/mco-test-file.conf
    systemd:
      units:
        - contents: |
            [Unit]
            Description=MCO test unit
            [Service]
            Type=oneshot
            ExecStart=/bin/true
            Environment="MCO_TEST_UNIT=v1"
            [Install]
            WantedBy=multi-user.target
          enabled: true
          name: mco-test.service
          dropins:
            - contents: |
                [Service]
                Environment="MCO_TEST=v1"
              name: 99-mco-test.conf
        - name: wait-for-ipsec-connect.service
        - contents: |
            [Unit]
            Description=Snapshot all tracked files on change
            [Service]
            Type=forking
            ExecStart=/bin/bash -c '\
              ( dir=/tmp/drift-snapshots/$(date +%%Y%%m%%d-%%H%%M%%S.%%N); \
              mkdir -p $dir; \
              for f in \
                /etc/mco-test-file.conf \
                /etc/mco-test-new-file.conf \
                /etc/systemd/system/mco-test.service \
                /etc/systemd/system/mco-test-new.service \
                /etc/systemd/system/wait-for-ipsec-connect.service.d/99-mco-test.conf \
                /etc/systemd/system/wait-for-ipsec-connect.service.d/99-mco-test-new.conf \
                /home/core/.ssh/authorized_keys.d/ignition \
                /etc/shadow; \
              do \
                name=$(echo $f | sed "s|/|_|g"); \
                if [ -f "$f" ]; then \
                  cp "$f" "$dir/$name"; \
                else \
                  echo "ABSENT" > "$dir/$name"; \
                fi; \
              done ) &'
          name: mco-drift-snapshot.service
        - contents: |
            [Unit]
            Description=Watch existing tracked files for changes
            [Path]
            PathChanged=/etc/mco-test-file.conf
            PathChanged=/etc/systemd/system/mco-test.service
            PathChanged=/etc/systemd/system/wait-for-ipsec-connect.service.d/99-mco-test.conf
            PathChanged=/home/core/.ssh/authorized_keys.d/ignition
            PathChanged=/etc/shadow
            [Install]
            WantedBy=multi-user.target
          enabled: true
          name: mco-drift-snapshot.path
        - contents: |
            [Unit]
            Description=Watch for new files being created
            [Path]
            PathExists=/etc/mco-test-new-file.conf
            PathExists=/etc/systemd/system/mco-test-new.service
            PathExists=/etc/systemd/system/wait-for-ipsec-connect.service.d/99-mco-test-new.conf
            [Install]
            WantedBy=multi-user.target
          enabled: true
          name: mco-drift-snapshot-new.path
        - contents: |
            [Unit]
            Description=Snapshot when new files appear then watch for removal
            [Service]
            Type=oneshot
            ExecStart=/bin/bash -c '\
              /usr/bin/systemctl start mco-drift-snapshot.service; \
              /usr/bin/systemctl start mco-drift-snapshot-removal.path'
          name: mco-drift-snapshot-new.service
        - contents: |
            [Unit]
            Description=Watch for new files being removed
            [Path]
            PathChanged=/etc/mco-test-new-file.conf
            PathChanged=/etc/systemd/system/mco-test-new.service
            PathChanged=/etc/systemd/system/wait-for-ipsec-connect.service.d/99-mco-test-new.conf
            [Install]
            WantedBy=multi-user.target
          enabled: true
          name: mco-drift-snapshot-removal.path
        - contents: |
            [Unit]
            Description=Snapshot when new files are removed
            [Service]
            Type=oneshot
            ExecStart=/usr/bin/systemctl start mco-drift-snapshot.service
          name: mco-drift-snapshot-removal.service
EOF
machineconfig.machineconfiguration.openshift.io/mc-tc-88821-rollback created

  2. Wait for mcp to get updated
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-ea2b91bd318f4982d593dcec2c5a17f8   True      False      False      3              3                   3                     0                      81m
worker   rendered-worker-ab6a569937433aac6f603675126fa01b   True      False      False      3              3                   3                     0                      81m

harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ oc get mc mc-tc-88821-rollback 
NAME                   GENERATEDBYCONTROLLER   IGNITIONVERSION   AGE
mc-tc-88821-rollback                           3.5.0             20m

  3. Apply the second MC
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ cat <<'EOF' | oc apply -f -
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: mc-tc-88821-rollback-v2
spec:
  config:
    ignition:
      version: 3.5.0
    passwd:
      users:
        - name: core
          passwordHash: $6$rounds=5000$saltsalt$zyxwvutsrqponmlkjihgfedcba9876543210ZYXWVUTSRQPONMLKJIv2
          sshAuthorizedKeys:
            - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmodified9876543210 testv2@mco
    storage:
      files:
        - contents:
            source: data:,mco-test-content-v2%0A
          mode: 0644
          overwrite: true
          path: /etc/mco-test-file.conf
        - contents:
            source: data:,mco-test-new-file-v2%0A
          mode: 0644
          overwrite: true
          path: /etc/mco-test-new-file.conf
    systemd:
      units:
        - contents: |
            [Unit]
            Description=MCO test unit
            [Service]
            Type=oneshot
            ExecStart=/bin/true
            Environment="MCO_TEST_UNIT=v2"
            [Install]
            WantedBy=multi-user.target
          enabled: true
          name: mco-test.service
        - contents: |
            [Unit]
            Description=MCO test new unit
            [Service]
            Type=oneshot
            ExecStart=/bin/true
            Environment="MCO_TEST_NEW_UNIT=v2"
            [Install]
            WantedBy=multi-user.target
          enabled: true
          name: mco-test-new.service
        - dropins:
            - contents: |
                [Service]
                Environment="MCO_TEST=v2"
              name: 99-mco-test.conf
            - contents: |
                [Service]
                Environment="MCO_TEST_NEW_DROPIN=v2"
              name: 99-mco-test-new.conf
          name: wait-for-ipsec-connect.service
  extensions: []
  kernelArguments: []
  osImageURL: quay.io/openshifttest/tc88821fakeimage:latest
EOF
machineconfig.machineconfiguration.openshift.io/mc-tc-88821-rollback-v2 created

  4. Wait for mcp to degrade
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-ea2b91bd318f4982d593dcec2c5a17f8   True      False      False      3              3                   3                     0                      117m
worker   rendered-worker-ab6a569937433aac6f603675126fa01b   False     True       True       3              0                   0                     1                      117m

harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ oc get mcp worker -o jsonpath='{.status.conditions[?(@.type=="Degraded")].message}' | fold -s
Node ip-10-0-16-3.us-east-2.compute.internal is reporting: "Node 
ip-10-0-16-3.us-east-2.compute.internal upgrade failure. Failed to update OS to 
quay.io/openshifttest/tc88821fakeimage:latest after retries: timed out waiting 
for the condition", Node ip-10-0-16-3.us-east-2.compute.internal is reporting: 
"Failed to update OS to quay.io/openshifttest/tc88821fakeimage:latest after 
retries: timed out waiting for the condition"
  5. Check all rollback snapshots
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ NODE=$(oc get nodes -l node-role.kubernetes.io/worker -o jsonpath='{.items[0].metadata.name}')

harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ echo "=== /etc/mco-test-file.conf ==="
oc debug -q node/$NODE -- chroot /host bash -c 'for d in $(ls -d /tmp/drift-snapshots/* 2>/dev/null | sort); do echo "$(basename $d): $(cat $d/_etc_mco-test-file.conf 2>/dev/null)"; done' 2>/dev/null
=== /etc/mco-test-file.conf ===
---
20260429-070555.563971269: mco-test-content-v2
20260429-070555.632212375: mco-test-content-v2
20260429-070556.311659463: mco-test-content-v2
20260429-070717.501814852: mco-test-content-v1
20260429-070718.182021502: mco-test-content-v1
20260429-070718.472947360: mco-test-content-v1
20260429-070719.565260763: mco-test-content-v2
20260429-070719.622025046: mco-test-content-v2
20260429-070720.273521457: mco-test-content-v2
---
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ echo ""
echo "=== mco-test.service ==="
oc debug -q node/$NODE -- chroot /host bash -c 'for d in $(ls -d /tmp/drift-snapshots/* 2>/dev/null | sort); do echo "$(basename $d): $(grep MCO_TEST_UNIT $d/_etc_systemd_system_mco-test.service 2>/dev/null || cat $d/_etc_systemd_system_mco-test.service 2>/dev/null)"; done' 2>/dev/null

=== mco-test.service ===
---
20260429-070432.343292042: Environment="MCO_TEST_UNIT=v2"
20260429-070553.913947099: Environment="MCO_TEST_UNIT=v1"
20260429-070554.533559300: Environment="MCO_TEST_UNIT=v1"
20260429-070555.563971269: Environment="MCO_TEST_UNIT=v1"
20260429-070555.632212375: Environment="MCO_TEST_UNIT=v1"
20260429-070556.311659463: Environment="MCO_TEST_UNIT=v2"

---
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ echo ""
echo "=== 99-mco-test.conf dropin ==="
oc debug -q node/$NODE -- chroot /host bash -c 'for d in $(ls -d /tmp/drift-snapshots/* 2>/dev/null | sort); do echo "$(basename $d): $(grep MCO_TEST $d/_etc_systemd_system_wait-for-ipsec-connect.service.d_99-mco-test.conf 2>/dev/null || cat $d/_etc_systemd_system_wait-for-ipsec-connect.service.d_99-mco-test.conf 2>/dev/null)"; done' 2>/dev/null

=== 99-mco-test.conf dropin ===
---
20260429-070305.944383893: Environment="MCO_TEST=v2"
20260429-070306.277951834: ABSENT
20260429-070306.587866784: ABSENT
20260429-070307.635692857: ABSENT
20260429-070307.701316420: Environment="MCO_TEST=v2"

---
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ echo ""
echo "=== /etc/mco-test-new-file.conf (new in v2) ==="
oc debug -q node/$NODE -- chroot /host bash -c 'for d in $(ls -d /tmp/drift-snapshots/* 2>/dev/null | sort); do echo "$(basename $d): $(cat $d/_etc_mco-test-new-file.conf 2>/dev/null)"; done' 2>/dev/null

=== /etc/mco-test-new-file.conf (new in v2) ===
---
20260429-070141.917470975: mco-test-new-file-v2
20260429-070142.277812836: ABSENT
20260429-070142.571690444: ABSENT
20260429-070143.674182930: mco-test-new-file-v2

---
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ echo ""
echo "=== mco-test-new.service (new in v2) ==="
oc debug -q node/$NODE -- chroot /host bash -c 'for d in $(ls -d /tmp/drift-snapshots/* 2>/dev/null | sort); do echo "$(basename $d): $(grep MCO_TEST_NEW_UNIT $d/_etc_systemd_system_mco-test-new.service 2>/dev/null || cat $d/_etc_systemd_system_mco-test-new.service 2>/dev/null)"; done' 2>/dev/null

=== mco-test-new.service (new in v2) ===
---
20260429-070142.277812836: Environment="MCO_TEST_NEW_UNIT=v2"
20260429-070142.571690444: ABSENT
20260429-070143.674182930: ABSENT
20260429-070143.749306372: Environment="MCO_TEST_NEW_UNIT=v2"

---
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ echo ""
echo "=== 99-mco-test-new.conf dropin (new in v2) ==="
oc debug -q node/$NODE -- chroot /host bash -c 'for d in $(ls -d /tmp/drift-snapshots/* 2>/dev/null | sort); do echo "$(basename $d): $(grep MCO_TEST_NEW_DROPIN $d/_etc_systemd_system_wait-for-ipsec-connect.service.d_99-mco-test-new.conf 2>/dev/null || cat $d/_etc_systemd_system_wait-for-ipsec-connect.service.d_99-mco-test-new.conf 2>/dev/null)"; done' 2>/dev/null

=== 99-mco-test-new.conf dropin (new in v2) ===
---
20260429-070141.917470975: Environment="MCO_TEST_NEW_DROPIN=v2"
20260429-070142.277812836: ABSENT
20260429-070142.571690444: ABSENT
20260429-070143.674182930: ABSENT
20260429-070143.749306372: Environment="MCO_TEST_NEW_DROPIN=v2"

---
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ echo ""
echo "=== authorized_keys (ssh) ==="
oc debug -q node/$NODE -- chroot /host bash -c 'for d in $(ls -d /tmp/drift-snapshots/* 2>/dev/null | sort); do echo "$(basename $d): $(grep -o "test[^ ]*@mco[^ ]*" $d/_home_core_.ssh_authorized_keys.d_ignition 2>/dev/null)"; done' 2>/dev/null

=== authorized_keys (ssh) ===
---
20260429-070012.229867354: testv1@mco
testv2@mco
20260429-070012.273334900: testv1@mco
testv2@mco
20260429-070141.917470975: testv1@mco
20260429-070142.277812836: testv1@mco

---
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ echo ""
echo "=== shadow (core password) ==="
oc debug -q node/$NODE -- chroot /host bash -c 'for d in $(ls -d /tmp/drift-snapshots/* 2>/dev/null | sort); do echo "$(basename $d): $(grep core $d/_etc_shadow 2>/dev/null | cut -d: -f2 | grep -o "..$")"; done' 2>/dev/null

=== shadow (core password) ===
---
20260429-070012.229867354: v2
20260429-070012.273334900: v2
20260429-070141.917470975: v1
20260429-070142.277812836: v1
20260429-070142.571690444: v1

---
  6. Cleanup
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ oc delete mc mc-tc-88821-rollback-v2
machineconfig.machineconfiguration.openshift.io "mc-tc-88821-rollback-v2" deleted
harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ oc patch node "$NODE" -p "{\"metadata\":{\"annotations\":{\"machineconfiguration.openshift.io/desiredConfig\":\"$(oc get node "$NODE" -o jsonpath='{.metadata.annotations.machineconfiguration\.openshift\.io/currentConfig}')\"}}}"
node/ip-10-0-16-3.us-east-2.compute.internal patched

harshpat@harshpat-thinkpadp1gen4i:~/Downloads$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-ea2b91bd318f4982d593dcec2c5a17f8   True      False      False      3              3                   3                     0                      136m
worker   rendered-worker-ab6a569937433aac6f603675126fa01b   True      False      False      3              3                   3                     0                      136m

@HarshwardhanPatil07

/verified by @HarshwardhanPatil07 here

@openshift-ci-robot added the verified label (Signifies that the PR passed pre-merge verification criteria) on Apr 29, 2026
@openshift-ci-robot

@HarshwardhanPatil07: This PR has been marked as verified by @HarshwardhanPatil07 [here](https://github.com/openshift/machine-config-operator/pull/5884#pullrequestreview-4195046563).


@HarshwardhanPatil07

/test e2e-gcp-op-single-node

@HarshwardhanPatil07

/test e2e-hypershift

@HarshwardhanPatil07

/test e2e-aws-ovn-upgrade

@openshift-merge-bot

/retest-required

Remaining retests: 0 against base HEAD 89245a0 and 2 for PR HEAD 3d98512 in total

@openshift-merge-bot

/retest-required

Remaining retests: 0 against base HEAD 19bf44b and 1 for PR HEAD 3d98512 in total

@openshift-merge-bot

/retest-required

Remaining retests: 0 against base HEAD b9964db and 0 for PR HEAD 3d98512 in total

@openshift-merge-bot

/hold

Revision 3d98512 was retested 3 times: holding

@openshift-ci (bot) added the do-not-merge/hold label (Indicates that a PR should not merge because someone has issued a /hold command.) on Apr 30, 2026
@isabella-janssen

/test e2e-aws-ovn-upgrade

@isabella-janssen

/unhold

@openshift-ci (bot) removed the do-not-merge/hold label (Indicates that a PR should not merge because someone has issued a /hold command.) on Apr 30, 2026
@openshift-merge-bot

/retest-required

Remaining retests: 0 against base HEAD 384e6fa and 2 for PR HEAD 3d98512 in total

@openshift-ci

openshift-ci Bot commented Apr 30, 2026

@pablintino: all tests passed!


@openshift-merge-bot (bot) merged commit eb2611c into openshift:main on Apr 30, 2026 (17 checks passed)
@openshift-ci-robot

@pablintino: Jira Issue Verification Checks: Jira Issue OCPBUGS-84332
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-84332 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓


@pablintino

/cherry-pick release-4.22

@openshift-cherrypick-robot

@pablintino: new pull request created: #5906


@openshift-merge-robot

Fix included in release 5.0.0-0.nightly-2026-05-01-010944

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • jira/severity-low: Referenced Jira bug's severity is low for the branch this PR is targeting.
  • jira/valid-bug: Indicates that a referenced Jira bug is valid for the branch this PR is targeting.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • lgtm: Indicates that a PR is ready to be merged.
  • verified: Signifies that the PR passed pre-merge verification criteria
