Description
Discussed in #2011
Originally posted by csssuf February 18, 2026
As I've been working with logically-bound images, I've encountered a couple of challenges around reliability. These can more or less be summed up by saying that errors pulling LBIs are not really handled, which makes it tough to rely on bootc switch/upgrade when LBIs are involved.
The two main challenges are:
- If an LBI cannot be pulled, there is no clean way to retry it.
- If any LBIs fail to be pulled, the new deployment is still staged for next boot.
These two issues combine to make updates with any LBI changes nearly impossible to apply atomically - we expect LBIs to be available immediately on boot, but we cannot retry them if the initial fetch fails. Right now, we're working around this by using physically-embedded images, but this is painful for other reasons (we lose the layering from the embedded images, so updates are huge, and loading images into c/storage is fallible at boot-time).
I'm not sure what the best option here is - off the top of my head, it seems safest to unstage a deployment (if this is possible) if we can't fetch its LBIs; that way, we're back in the state we started in and it's up to the caller to retry the bootc operation that failed.