OCPBUGS-84842: Bootloader update attempt should be conditional

[djoshy]

- What I did
Follow-up fix to #5868; this adds a simple shim version check so the bootloader update routine isn't invoked on every node update.

- How to verify it
Bootloader updates should continue to work, but they should not be attempted for shims > 15.8-3.el9_2, i.e. any cluster installed past 4.15.23 or 4.16.0. All bootimages used after those releases have the minimum version that contains the Secure Boot signing keys. This should be verified on amd64 and aarch64 clusters.

Summary by CodeRabbit

Release Notes

• New Features

  • Added Secure Boot shim version validation to ensure minimum version compatibility (15.8-3.el9_2) before bootloader updates.

• Bug Fixes

  • Improved architecture detection for bootloader operations.
  • Bootloader updates now respect shim safety status; gracefully proceeds if validation fails.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-84842, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

- What I did
Follow-up fix to #5868; this adds a simple shim version check so the update routine isn't used on every node update.

- How to verify it
Bootloader updates should continue to work, but they should not be attempted for shims > 15.8-3.el9_2, i.e. any cluster installed past 4.15.23 or 4.16.0. All bootimages used after those releases have the minimum version that contains the Secure Boot signing keys. This should be verified on amd64 and aarch64 clusters.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 066de46e-c9ec-4e60-beba-a26b7da87d05

📥 Commits

Reviewing files that changed from the base of the PR and between c8e84a8 and 63717bc.

📒 Files selected for processing (5)

• pkg/controller/build/buildrequest/buildrequestopts.go
• pkg/controller/common/constants.go
• pkg/daemon/bootupd.go
• pkg/daemon/bootupd_test.go
• pkg/daemon/update.go

✅ Files skipped from review due to trivial changes (3)

• pkg/controller/common/constants.go
• pkg/controller/build/buildrequest/buildrequestopts.go
• pkg/daemon/bootupd_test.go

---

Walkthrough

This change introduces Secure Boot shim safety detection for bootloader updates and standardizes architecture constant usage across the codebase. It adds shim RPM version comparison logic to verify minimum versions before running bootloader updates, and centralizes Go architecture identifiers into shared constants.

Changes

Cohort / File(s)	Summary
Architecture Constants pkg/controller/common/constants.go	Adds GoArchAMD64 and GoArchARM64 constants for standardized Go GOARCH values.
Shim Safety Detection pkg/daemon/bootupd.go	Implements shim RPM version querying and comparison logic to detect Secure Boot shim safety. Uses shared architecture constants instead of hardcoded strings. Adds helpers to check installed shim version against minimum threshold (15.8-3.el9_2). Version check fails open (logs and returns false) on lookup errors.
Shim Safety Tests pkg/daemon/bootupd_test.go	Adds unit tests for shimVersionAtLeast (exact match, newer/older versions, malformed inputs) and compareNumericSegments (numeric segment comparison semantics).
Architecture Constant Usage pkg/daemon/update.go, pkg/controller/build/buildrequest/buildrequestopts.go	Replaces hardcoded "arm64" string literals with ctrlcommon.GoArchARM64 constant reference. Updates updateLayeredOS control flow to run bootupd only when shimIsSafe() returns false.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 55.56% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: making bootloader updates conditional based on shim version checks, which is the primary objective of this PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The pull request adds standard Go unit tests in TestShimVersionAtLeast and TestCompareNumericSegments with static, descriptive function names and dynamic values only in test data.
Test Structure And Quality	✅ Passed	The PR contains standard Go unit tests using *testing.T pattern, not Ginkgo tests, so the Ginkgo-specific check is not applicable.
Microshift Test Compatibility	✅ Passed	This pull request does not add any Ginkgo e2e tests. The changes to pkg/daemon/bootupd_test.go add only standard Go unit tests using the testing package, not Ginkgo-based e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This pull request does not add any Ginkgo e2e tests. The new tests added to bootupd_test.go are standard Go unit tests that verify internal utility functions for disk partition detection and shim version comparison logic. These unit tests do not involve cluster topology assumptions, multi-node scheduling, or any e2e test patterns, so the SNO compatibility check is not applicable to this PR.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request contains only Go source code changes to daemon and controller packages for bootloader updates, architecture detection, and shim version checking with no Kubernetes deployment manifests, pod scheduling constraints, or topology-aware configurations.
Ote Binary Stdout Contract	✅ Passed	PR introduces no stdout writes in process-level code; all new logging uses logSystem() utility from regular daemon methods invoked at runtime during node updates, maintaining the OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only standard Go unit tests, not Ginkgo e2e tests. No IPv4 assumptions or external connectivity requirements detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: djoshy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [djoshy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-84842, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

- What I did
Follow-up fix to #5868; this adds a simple shim version check so the bootloader update routine isn't invoked on every node update.

- How to verify it
Bootloader updates should continue to work, but they should not be attempted for shims > 15.8-3.el9_2, i.e. any cluster installed past 4.15.23 or 4.16.0. All bootimages used after those releases have the minimum version that contains the Secure Boot signing keys. This should be verified on amd64 and aarch64 clusters.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[djoshy]

I asked claude to simplify this - the original comparison it generated was far too complex. Would really like an RHCOS engineer to let me know if I'm missing something though 😄

[coderabbitai]

🧹 Nitpick comments (1)

pkg/daemon/bootupd.go (1)

243-251: 💤 Low value

Minor: Consider using null-delimited find output for robustness.

The find | xargs sha256sum pattern could fail with filenames containing spaces, though EFI files typically have standard names. Since this is logging-only and doesn't affect the update, it's acceptable.

If you want more robustness for logging:

-	beforeSums, _ := runGetOut("sh", "-c", "find /boot/efi -type f | xargs sha256sum")
+	beforeSums, _ := runGetOut("sh", "-c", "find /boot/efi -type f -print0 | xargs -0 sha256sum")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/daemon/bootupd.go` around lines 243 - 251, The logging of SHA256 sums
uses runGetOut to execute a shell pipeline ("find /boot/efi -type f | xargs
sha256sum") which can break on filenames with whitespace; update the commands
that produce beforeSums and afterSums (the runGetOut invocations) to use a
null-delimited find output combined with a null-aware xargs invocation so
filenames with spaces are handled robustly, leaving runCmdSync and logSystem
calls unchanged; adjust both the beforeSums and afterSums invocations to the
null-delimited variant to keep them symmetric and robust.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/daemon/bootupd.go`:
- Around line 243-251: The logging of SHA256 sums uses runGetOut to execute a
shell pipeline ("find /boot/efi -type f | xargs sha256sum") which can break on
filenames with whitespace; update the commands that produce beforeSums and
afterSums (the runGetOut invocations) to use a null-delimited find output
combined with a null-aware xargs invocation so filenames with spaces are handled
robustly, leaving runCmdSync and logSystem calls unchanged; adjust both the
beforeSums and afterSums invocations to the null-delimited variant to keep them
symmetric and robust.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 250c0400-01f2-4bb9-900f-ff5500552a89

📥 Commits

Reviewing files that changed from the base of the PR and between eb2611c and c8e84a8.

📒 Files selected for processing (4)

• .snyk
• pkg/daemon/bootupd.go
• pkg/daemon/bootupd_test.go
• pkg/daemon/update.go

[openshift-ci]

@djoshy: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-op-ocl-part1	63717bc	link	true	/test e2e-gcp-op-ocl-part1

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.