Skip to content

fix(core): pin supervisor image tag to gateway version for all drivers#2070

Open
benoitf wants to merge 1 commit into
NVIDIA:mainfrom
benoitf:2068-pin-supervisor-image/fb
Open

fix(core): pin supervisor image tag to gateway version for all drivers#2070
benoitf wants to merge 1 commit into
NVIDIA:mainfrom
benoitf:2068-pin-supervisor-image/fb

Conversation

@benoitf

@benoitf benoitf commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

Extract the Docker driver's compile-time supervisor image tag resolution into openshell-core so all three compute drivers (Docker, Podman, Kubernetes) pin the supervisor image to the gateway version instead of defaulting to :latest.

Related Issue

Closes #2068

Changes

  • Add resolve_supervisor_image_tag() and default_supervisor_image() to openshell-core::config with the same priority chain the Docker driver already used: OPENSHELL_IMAGE_TAG > IMAGE_TAG > CARGO_PKG_VERSION (falls back to dev for 0.0.0)
  • Add DEFAULT_SUPERVISOR_IMAGE_REPO constant (repo without tag) to openshell-core
  • Deprecate DEFAULT_SUPERVISOR_IMAGE (the :latest constant)
  • Update Podman driver to use default_supervisor_image() in config default and make the CLI --supervisor-image arg optional with version-pinned fallback
  • Update Kubernetes driver to use default_supervisor_image() in config default and CLI fallback
  • Refactor Docker driver to delegate to the shared resolver, removing its local copy
  • Update Podman container tests that asserted :latest to use the dynamic default

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@copy-pr-bot

copy-pr-bot Bot commented Jun 30, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch TaylorMutch added the test:e2e Requires end-to-end coverage label Jun 30, 2026
@TaylorMutch

Copy link
Copy Markdown
Collaborator

/ok to test cb62ca9

@github-actions

Copy link
Copy Markdown

Label test:e2e applied, but pull-request/2070 is at {"messa while the PR head is cb62ca9. A maintainer needs to comment /ok to test cb62ca9f1715aa52108571d81a17411a07765aeb to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

Comment thread crates/openshell-core/src/config.rs Outdated
pub const DEFAULT_SERVICE_ROUTING_DOMAIN: &str = "openshell.localhost";

/// Default OCI image for the openshell-sandbox supervisor binary.
#[deprecated(note = "Use `default_supervisor_image()` which pins the tag to the gateway version")]

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a deprecation notice? We're still alpha - If we do this all in one PR, what would be needed to accomplish that and remove this deprecated value?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@TaylorMutch removed the notice (and the variable)

I also updated the documentation part

@benoitf benoitf force-pushed the 2068-pin-supervisor-image/fb branch 2 times, most recently from e3723ae to 0582804 Compare July 1, 2026 09:32
The Podman and Kubernetes drivers defaulted the supervisor image to
`:latest` via DEFAULT_SUPERVISOR_IMAGE, while the Docker driver already
resolved a version-pinned tag. Extract the tag resolution logic into
openshell-core so all three drivers use the same
OPENSHELL_IMAGE_TAG > IMAGE_TAG > CARGO_PKG_VERSION priority chain.

Closes NVIDIA#2068

Signed-off-by: Florent Benoit <fbenoit@redhat.com>
@benoitf benoitf force-pushed the 2068-pin-supervisor-image/fb branch from 0582804 to aa8af37 Compare July 1, 2026 09:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

test:e2e Requires end-to-end coverage

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Podman and Kubernetes drivers default supervisor image to :latest instead of pinning to gateway version

2 participants