openshift · cheesesashimi · Mar 20, 2026 · patrickdillon · Mar 23, 2026 · cheesesashimi
diff --git a/data/data/bootstrap/files/usr/local/bin/node-image-pull.sh.template b/data/data/bootstrap/files/usr/local/bin/node-image-pull.sh.template
@@ -4,13 +4,39 @@ set -euo pipefail
 # shellcheck source=release-image.sh.template
 . /usr/local/bin/release-image.sh
 
-# yuck... this is a good argument for renaming the node image to just `node` in both OCP and OKD
-coreos_img={{.StreamTag}}
-until COREOS_IMAGE=$(image_for ${coreos_img}); do
-    echo 'Failed to query release image; retrying...'
+# Get the Machine Config Operator image from the release payload
+until MCO_IMAGE=$(image_for 'machine-config-operator'); do
+    echo 'Failed to query MCO image from release; retrying...'
     sleep 10
 done
 
+# Create temporary directory for binary extraction
+TEMP_DIR=$(mktemp -d)
+echo "Extracting machine-config-osimagestream binary to ${TEMP_DIR}"
+
+# Extract the machine-config-osimagestream binary from the MCO image. This avoids having to munge podman args, paths, env vars, etc.
+podman create --name mco-osimagestream "${MCO_IMAGE}"
+podman cp mco-osimagestream:/usr/bin/machine-config-osimagestream "${TEMP_DIR}/machine-config-osimagestream"
+podman rm mco-osimagestream
 bootkube_podman_run() { 
     # we run all commands in the host-network to prevent IP conflicts with 
     # end-user infrastructure. 
     podman run --quiet --net=host --rm --log-driver=k8s-file "${@}" 
 } 
 bootkube_podman_run() { 
     # we run all commands in the host-network to prevent IP conflicts with 
     # end-user infrastructure. 
     podman run --quiet --net=host --rm --log-driver=k8s-file "${@}" 
 } 
+
+# Execute the binary to get the CoreOS image pullspec
+# Note: Proxy environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY) are
+# automatically inherited from the environment if set via /etc/profile.d/proxy.sh
+until COREOS_IMAGE=$("${TEMP_DIR}/machine-config-osimagestream" \
+    get os-image-pullspec \
+    --release-image "${RELEASE_IMAGE_DIGEST}" \
+    --authfile /root/.docker/config.json \
+    --per-host-certs /etc/containers/certs.d \
+    --osimagestream-name '{{ .OSImageStream }}' \
+    --trust-bundle /etc/pki/ca-trust/source/anchors \
+    --registry-config /etc/containers/registries.conf); do
+    echo 'Failed to query for OS image pullspec; retrying...'
+    sleep 10
+done
+
+# Clean up temporary directory
+rm -rf "${TEMP_DIR}"
+
 # need to use rpm-ostree here since `bootc status` doesn't work in the live ISO currently
 # https://github.com/containers/bootc/issues/1043
 booted_version=$(rpm-ostree status --json | jq -r .deployments[0].version)

diff --git a/pkg/asset/ignition/bootstrap/common.go b/pkg/asset/ignition/bootstrap/common.go
@@ -39,9 +39,9 @@ import (
 	"github.com/openshift/installer/pkg/asset/machines"
 	"github.com/openshift/installer/pkg/asset/manifests"
 	"github.com/openshift/installer/pkg/asset/releaseimage"
-	"github.com/openshift/installer/pkg/asset/rhcos"
+	rhcosAsset "github.com/openshift/installer/pkg/asset/rhcos"
 	"github.com/openshift/installer/pkg/asset/tls"
-	rhcosutils "github.com/openshift/installer/pkg/rhcos"
+	"github.com/openshift/installer/pkg/rhcos"
 	"github.com/openshift/installer/pkg/types"
 	awstypes "github.com/openshift/installer/pkg/types/aws"
 	aztypes "github.com/openshift/installer/pkg/types/azure"
@@ -99,7 +99,7 @@ type bootstrapTemplateData struct {
 	FeatureSet            configv1.FeatureSet
 	Invoker               string
 	ClusterDomain         string
-	StreamTag             string
+	OSImageStream         types.OSImageStream
 }
 
 // platformTemplateData is the data to use to replace values in bootstrap
@@ -176,7 +176,7 @@ func (a *Common) Dependencies() []asset.Asset {
 		&tls.ServiceAccountKeyPair{},
 		&tls.IronicTLSCert{},
 		&releaseimage.Image{},
-		new(rhcos.Image),
+		new(rhcosAsset.Image),
 	}
 }
 
@@ -286,7 +286,7 @@ func (a *Common) getTemplateData(dependencies asset.Parents, bootstrapInPlace bo
 	installConfig := &installconfig.InstallConfig{}
 	proxy := &manifests.Proxy{}
 	releaseImage := &releaseimage.Image{}
-	rhcosImage := new(rhcos.Image)
+	rhcosImage := new(rhcosAsset.Image)
 	bootstrapSSHKeyPair := &tls.BootstrapSSHKeyPair{}
 	ironicCreds := &baremetal.IronicCreds{}
 	dependencies.Get(installConfig, proxy, releaseImage, rhcosImage, bootstrapSSHKeyPair, ironicCreds)
@@ -380,6 +380,11 @@ func (a *Common) getTemplateData(dependencies asset.Parents, bootstrapInPlace bo
 
 	openshiftInstallInvoker := os.Getenv("OPENSHIFT_INSTALL_INVOKER")
 
+	osImageStream := installConfig.Config.OSImageStream
+	if osImageStream == "" {
+		osImageStream = rhcos.DefaultOSImageStream
+	}
+
 	return &bootstrapTemplateData{
 		AdditionalTrustBundle: installConfig.Config.AdditionalTrustBundle,
 		FIPS:                  installConfig.Config.FIPS,
@@ -403,7 +408,7 @@ func (a *Common) getTemplateData(dependencies asset.Parents, bootstrapInPlace bo
 		FeatureSet:            installConfig.Config.FeatureSet,
 		Invoker:               openshiftInstallInvoker,
 		ClusterDomain:         installConfig.Config.ClusterDomain(),
-		StreamTag:             rhcosutils.GetPayloadImageStreamTag(installConfig.Config.OSImageStream),
+		OSImageStream:         osImageStream,
 	}
 }
 

diff --git a/pkg/rhcos/stream_scos.go b/pkg/rhcos/stream_scos.go
@@ -5,7 +5,7 @@ package rhcos
 import "github.com/openshift/installer/pkg/types"
 
 // DefaultOSImageStream Not used in SCOS
-const DefaultOSImageStream types.OSImageStream = ""
+const DefaultOSImageStream types.OSImageStream = "centos-10"
 
 func getStreamFileName(_ types.OSImageStream) string {
 	return "coreos/scos.json"