What were you trying to do that didn't work?

We use RHEL image mode. We build on os image with oci container images embedded into it (MicroShift runtime container images).

Then install that image and start it, and dynamically add additional containers at runtime.

This results in a container runtime with two oci image stores on the system: the static images, part of the os image, and the dynamic part.  During dynamic container deployment, some layers are re-used and the image layer stack points to the static base layer.

Then we upgrade the os image. The upgrade also includes new versions of the oci container images.

When the new version comes up, some of the containers that have been dynamically added fail to start. 

We tracked this down to the dynamically containers having some layers, which are also part of the static images. Hence, those layeres are referenced initially. But with the upgrade, those layers are replaced by newer version, so the the reference is then dead. Re-pulling the containers resolves the issue, but that is an ugly workaround. It happens esp. if the dynamic containers are based on 

We would love to avoid the issue in the first place, e.g. by having the two local image stores configured as "non-shareable", to avoid images in the dynamic part referencing from the static part. 

What is the impact of this issue to you?

Solution fails to start and needs manual intervention / workarounds, which is a huge issue for edge deployments. 

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

always

Steps to reproduce

see above, we will provide a re-producer with bootc and podman only if required.

Expected results

After upgrade, dynamic solution containers should come up 

Actual results

dynamic solution containers fail to start due to missing layers.