OCPBUGS-83830: Apply password only if changes exist

[pablintino]

Closes: #OCPBUGS-83830

- What I did

This bugfix ensures that the MCD only runs usermod if the password hash has actually changed and not in every update. This aligns the behavior we currently have for SSH passwords.

- How to verify it

TBD

- Description for the changelog

This bugfix ensures that the MCD only runs usermod if the password hash has actually changed and not in every update.

Summary by CodeRabbit

• Bug Fixes
  • Fixed password and SSH key update handling to properly rollback changes when updates fail, ensuring system state is restored on error.
  • Avoids reapplying unchanged password hashes by detecting existing shadow entries, reducing unnecessary system calls and preventing redundant password updates.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@pablintino: This pull request references Jira Issue OCPBUGS-83830, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Closes: #OCPBUGS-83830

- What I did

This bugfix ensures that the MCD only runs usermod if the password hash has actually changed and not in every update. This aligns the behavior we currently have for SSH passwords.

- How to verify it

TBD

- Description for the changelog

This bugfix ensures that the MCD only runs usermod if the password hash has actually changed and not in every update.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e7b08b2d-b43d-49a6-88b2-2e47c5684575

📥 Commits

Reviewing files that changed from the base of the PR and between fdfe7de and 867a618.

📒 Files selected for processing (1)

• pkg/daemon/update.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/daemon/update.go

---

Walkthrough

The update flow restricts password-hash changes to the diff.passwd path, fixes rollback defers for SSH keys and password hashes to revert new→old, and adds logic to read current shadow hashes to avoid redundant usermod -p calls.

Changes

Cohort / File(s)	Summary
Password/SSH rollback & password-hash logic pkg/daemon/update.go	Moved SetPasswordHash(...) into the if diff.passwd block; corrected rollback defers to call updateSSHKeys(oldUsers, newUsers) and SetPasswordHash(oldUsers, newUsers) (revert direction); added getUserPasswordHash usage so SetPasswordHash reads current shadow hashes and skips usermod -p when the hash already matches (including "*").

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Unable to locate Ginkgo test files associated with this PR's production code changes to pkg/daemon/update.go.	Provide paths to test files included in this PR, or clarify if no test changes are included and this check should not apply.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: applying password only when changes exist, which is the primary bugfix objective of the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic Ginkgo test names is not applicable to this pull request. The PR only modifies pkg/daemon/update.go (a production code file, not a test file) and does not add, modify, or create any test files. The repository uses standard Go testing (testing.T) for unit tests in update_test.go, not Ginkgo, so there are no Ginkgo test declarations (It(), Describe(), Context(), etc.) to evaluate. Since the PR introduces no Ginkgo tests, there are no dynamic test names to flag.
Microshift Test Compatibility	✅ Passed	PR modifies only daemon runtime code with no new e2e tests introduced; MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only pkg/daemon/update.go with internal daemon logic changes. No new Ginkgo e2e tests are added.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies internal daemon logic in pkg/daemon/update.go with no changes to Kubernetes manifests, deployment definitions, or scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	The PR modifies password hash handling by adding getUserPasswordHash() with CombinedOutput() and updating SetPasswordHash() to use only klog.Info() for logging. These functions execute during normal daemon operation after flag.Set("logtostderr", "true") is initialized in start.go, ensuring all klog output is properly redirected to stderr and does not corrupt the OTE JSON contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only production daemon code in pkg/daemon/update.go with no new Ginkgo e2e tests added.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/daemon/update.go`:
- Around line 1252-1255: The passwd-section diff currently triggers
SetPasswordHash even when only SSH keys changed; add a targeted comparison that
detects real password-hash intent changes and use that to guard SetPasswordHash
and the related passwd-handling block (the code that currently checks
diff.passwd). Implement a helper like passwordHashChanged(newUsers, oldUsers)
that normalizes nil/empty to a placeholder and compares per-user password hashes
(and detects removed users with a non-placeholder old hash), then replace the
diff.passwd condition with a call to this helper before invoking
dn.SetPasswordHash (and likewise for the block at the other occurrence around
the SetPasswordHash usage) so usermod -p runs only when hashes actually changed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fbb6ae67-6748-4e2a-86f0-63abfdbe9764

📥 Commits

Reviewing files that changed from the base of the PR and between e0916a2 and fdfe7de.

📒 Files selected for processing (1)

• pkg/daemon/update.go

[pablintino]

/test unit

[pablintino]

/test unit

[yuqi-zhang]

/lgtm

Left some thoughts inline but logically should be sound

[yuqi-zhang]

Good thing this almost never fails since we probably never had a functional rollback

[pablintino]

Agree on that.

[yuqi-zhang]

So the vast majority of users would never have this set. I guess with our current logic, we'd always just be doing a usermod with an empty password hash and this is triggering the policy described in the bug?

I'm wondering if we just exit out of this function if passwordhash is unset. I guess we'd have to have special logic if the user deletes a password entry, so probably fine to keep it as is since most users wouldn't be hitting this with your conditional changes above.(just thinking if we can bypass the ondisk check)

[pablintino]

Yeah, I thought about it, but I took the "Ansible" approach. "I'd do my best to make your state match the machine state". With an early exit or check, the user would be able to modify the node shadow and we won't never try to patch it to match the MC, that I'd say it's the sourth of true.

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pablintino, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pablintino,yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@pablintino: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-upgrade	867a618	link	true	/test e2e-aws-ovn-upgrade
ci/prow/e2e-gcp-op-part1	867a618	link	true	/test e2e-gcp-op-part1

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.