# DOCFIX-064 -- phase-08 runbook change-list (DRAFT, 2026-07-01)

RESERVED number: DOCFIX-064 (per changelog next-free note). This is the accumulated
phase-08 operator-runbook (single-consumer acceptance) sweep. Written as a change-LIST with
exact anchors + evidence so the edit is mechanical when phase-08 is finalized. NOT yet applied
to runbooks/phase-08-workload-cluster-acceptance.md.

Scope note: these are fixes to the OPERATOR single-consumer acceptance path (capi-test-1 in
capi-mgmt scope). The multi-tenant tenant->cluster flow is a SEPARATE deliverable
(tenant-onboarding-v2-DRAFT.md). Some items overlap (image --public, image-by-UUID, template
ownership scope) because both paths hit them.

--------------------------------------------------------------------------------
## Items
--------------------------------------------------------------------------------

1. IMAGE SEED MUST create the image `--public`  [Step 8.0, image create]
   Evidence: a shared/owner-only kube image causes magnum cluster/template create to fail with
   `Cluster type (vm, Unset, kubernetes) not supported` -- a non-owner (or the driver acting in
   another project) cannot read `os_distro`, so type-derivation returns Unset. Fix: the seed
   `openstack image create ... --public` (and re-verify visibility=public post-create).

2. SEED HARDENING  [Step 8.0]
   - curl with retry + connect/max timeout (fail loud on partial/hung download).
   - sha512 verify against the published manifest is a hard GATE (already present -- keep).
   - poll image to `active` as a hard-gate loop (not a fixed sleep).
   - POST-active property re-verify: kube_version, os_distro, visibility=public, disk_format.

3. IMAGE-ABSENT PRESENCE GUARD  [Step 8.0]
   Explicitly branch "image present -> verify props" vs "absent -> seed", so a re-run does not
   double-seed and a present-but-wrong-visibility image is caught (ties to item 1).

4. IMAGE BY UUID, not name  [Step 8.0 template create; 8.1]
   Evidence: a double-quoted image NAME resolved to the literal `'name'` (no image) -> Unset
   type -> 400. Passing the resolved UUID removes the quoting/resolution surface. Gate the UUID
   with `grep -qE '^[0-9a-f-]{36}$'` before use.
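   Worked shell for items 1-4 (added example, not runbook text): the UUID gate, the post-active property re-verify, the poll-to-active loop and the present/absent branch. Assumes `openstack`, `jq`, `curl` and `sha512sum` on the jumphost, that `openstack image show -f json` exposes `os_distro`/`kube_version` under `.properties`, and placeholder env vars `OS_DISTRO`/`KUBE_VERSION` set from the published manifest.

```shell
# Added example for items 1-4 (not runbook text). Assumes openstack, jq, curl and
# sha512sum on the jumphost, that `openstack image show -f json` exposes os_distro
# and kube_version under .properties, and placeholder env vars OS_DISTRO/KUBE_VERSION.
set -eu
# Item 4: gate the UUID before --image; stricter than the runbook's '^[0-9a-f-]{36}$'.
is_uuid() {
  printf '%s' "$1" | grep -qE '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}
# Items 1-3, pure check: each required key=value must appear in the captured lines.
check_image_props() {
  actual=$1; shift
  for kv in "$@"; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1 == k { print $2; exit }')
    [ "$got" = "$want" ] && continue
    echo "image property mismatch: $key='$got' (want '$want')" >&2; return 1
  done
}
# Flatten the post-active re-verify fields to key=value lines.
image_fields() {
  openstack image show "$1" -f json | jq -r '"status=\(.status)", "visibility=\(.visibility)",
    "disk_format=\(.disk_format)", "os_distro=\(.properties.os_distro)",
    "kube_version=\(.properties.kube_version)"'
}
# Item 2: poll to active as a hard gate; fail loud on a terminal state or timeout.
wait_active() {
  img=$1; tries=${2:-90}
  while [ "$tries" -gt 0 ]; do
    case "$(openstack image show "$img" -f value -c status)" in
      active) return 0 ;;
      killed|deleted) echo "image $img entered a terminal state" >&2; return 1 ;;
    esac
    sleep 10; tries=$((tries - 1))
  done
  echo "image $img not active before timeout" >&2; return 1
}
# Item 3: present -> verify props; absent -> seed --public (item 1), sha512 as a hard gate.
seed_or_verify() {   # $1=image name $2=download url $3=expected sha512
  f="$HOME/$1.qcow2"
  if ! id=$(openstack image show "$1" -f value -c id 2>/dev/null); then
    curl --fail --retry 5 --retry-connrefused --connect-timeout 20 --max-time 1800 -o "$f" "$2"
    echo "$3  $f" | sha512sum -c - >/dev/null
    id=$(openstack image create "$1" --public --disk-format qcow2 --file "$f" \
      --property os_distro="$OS_DISTRO" --property kube_version="$KUBE_VERSION" -f value -c id)
  fi
  is_uuid "$id" && wait_active "$id" && check_image_props "$(image_fields "$id")" \
    status=active visibility=public disk_format=qcow2 os_distro="$OS_DISTRO" kube_version="$KUBE_VERSION" \
    || return 1
  echo "$id"
}
```

   `seed_or_verify` prints the gated UUID, which is what Step 8.0's `coe cluster template create --image` should consume instead of the name.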

5. TEMPLATE CREATE -- OWNER PROJECT SCOPE  [Step 8.0]
   Evidence: `coe cluster template create/show` and `cluster create --cluster-template <name>`
   resolve the template within the CALLER'S project (templates are visible by ownership).
   A private template created in capi-mgmt is NOT selectable by name from admin scope (create
   404s while `template list` still shows it). Fix: run the template create AND the cluster
   create in the SAME project scope that owns the template (capi-mgmt for the operator path).
   Add the capi-mgmt scope preamble (resolve `capi-mgmt` --domain capi dynamically; export
   OS_PROJECT_ID) before both.

6. FLAVOR-FLOOR PRE-CHECK  [Step 8.0 template create]
   Magnum requires master/node flavors >= 2 vcpu and >= 2048 MB. Pre-check the chosen flavors
   against the floor and fail loud, rather than surfacing an opaque driver error later.

7. OCTAVIA PREREQ -- CAPTURE REAL EXIT  [Prerequisites / Step 8.0]
   The octavia-healthy probe must capture the actual command result and test it, NOT
   `... | head || echo` (which masks failure -- head succeeds on empty input). Same
   capture-and-test-result discipline applied across the onboarding v2 blocks.

8. 8.1 PRE-CHECKS -- D-039 role + keypair  [Step 8.1]
   Before cluster create, assert (a) the trustor holds member + load-balancer_member (+ reader)
   on the cluster project (D-039 -- else CAPO 403s at the Octavia LB step), and (b) the keypair
   exists in the creating scope. Fail loud pre-create.
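   Worked shell for items 6-8 (added example, not runbook text): the flavor-floor check, the Octavia probe with its real exit captured, and the D-039 role + keypair assertions, wired into one pre-create gate. Assumes `openstack` on the jumphost; flavor, trustor, project and keypair names are operator-supplied placeholders, and the pure checks take captured values so they run without a cloud.

```shell
# Added example for items 6-8 (not runbook text). Assumes `openstack` on the jumphost;
# flavor, trustor, project and keypair names are operator-supplied placeholders. Pure
# checks take captured values so they run without a cloud.
set -eu
# Item 6: Magnum floor is >= 2 vcpu and >= 2048 MB for master and node flavors.
flavor_meets_floor() {   # $1=vcpus $2=ram_mb
  [ "$1" -ge 2 ] && [ "$2" -ge 2048 ]
}
check_flavor() {
  vcpus=$(openstack flavor show "$1" -f value -c vcpus)
  ram=$(openstack flavor show "$1" -f value -c ram)
  flavor_meets_floor "$vcpus" "$ram" \
    || { echo "flavor $1: $vcpus vcpu / $ram MB is below the Magnum floor" >&2; return 1; }
}
# Item 7: capture the probe's real exit; `... | head || echo` masks failure.
octavia_healthy() {
  out=$(openstack loadbalancer list -f value -c id 2>&1) \
    || { echo "octavia probe failed: $out" >&2; return 1; }
}
# Item 8(a), pure check: $1 = captured role names (one per line), rest = required roles.
has_required_roles() {
  held=$1; shift
  for r in "$@"; do
    printf '%s\n' "$held" | grep -qxF "$r" || { echo "trustor lacks role: $r" >&2; return 1; }
  done
}
# D-039 set on the cluster project; drop `reader` if this cloud's D-039 list omits it.
check_trustor_roles() {   # $1=trustor user $2=cluster project
  has_required_roles "$(openstack role assignment list --user "$1" --project "$2" --names -f value -c Role)" \
    member load-balancer_member reader
}
# Item 8(b): keypair must exist in the creating scope.
check_keypair() {
  openstack keypair show "$1" >/dev/null 2>&1 \
    || { echo "keypair $1 absent in the creating scope" >&2; return 1; }
}
# Run every gate before `coe cluster create`; a failure stops here, not at an opaque driver error.
precreate_gates() {   # $1=master flavor $2=node flavor $3=trustor $4=project $5=keypair
  check_flavor "$1" && check_flavor "$2" && octavia_healthy \
    && check_trustor_roles "$3" "$4" && check_keypair "$5"
}
```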

9. POLICYD ZIP PATH UNDER $HOME (snap confinement)  [appendix-C section C.3]
   Evidence: `juju attach-resource ... /tmp/overrides.zip` failed "no such file or directory"
   though the shell saw the file -- the confined juju snap cannot read /tmp. Build the zip under
   $HOME. Also: `zip` is absent on the jumphost -- build via python3 zipfile (arcname=top-level).
   Fix appendix-C C.3 to use a $HOME path and the python3 zipfile method (currently shows
   `zip -j /tmp/overrides.zip`).
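   Worked shell for item 9 (added example, not appendix-C text): build the policyd override zip under `$HOME` with python3 `zipfile` (no `zip` on the jumphost), entries at top level as `zip -j` would have placed them, and refuse any path outside `$HOME` before it reaches `juju attach-resource`. File names are placeholders; python3 is assumed present on the jumphost.

```shell
# Added example for item 9 (not appendix-C text). Assumes python3 on the jumphost;
# override file names are placeholders.
set -eu
# Build the zip with python3 zipfile; arcname=basename gives top-level entries (zip -j layout).
build_overrides_zip() {   # $1=output zip (under $HOME), rest = override files
  out=$1; shift
  python3 - "$out" "$@" <<'PY'
import os, sys, zipfile
out, files = sys.argv[1], sys.argv[2:]
with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
    for f in files:
        z.write(f, arcname=os.path.basename(f))   # top-level entry, no directory prefix
PY
}
# Gate before `juju attach-resource`: the confined juju snap cannot read /tmp, so the
# path must live under $HOME, and every entry must sit at the top level of the archive.
check_overrides_zip() {
  case "$1" in
    "$HOME"/*) ;;
    *) echo "override zip must live under \$HOME for the confined juju snap, not $1" >&2; return 1 ;;
  esac
  python3 - "$1" <<'PY'
import sys, zipfile
with zipfile.ZipFile(sys.argv[1]) as z:
    names = z.namelist()
nested = [n for n in names if "/" in n]
if not names or nested:
    sys.exit("zip layout wrong (expected top-level entries only): %r" % (nested or names))
PY
}
```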

--------------------------------------------------------------------------------
## Cross-doc corrections (already staged in this package)
--------------------------------------------------------------------------------
- appendix-C: manager domain-enumeration is own-domain-only on this cloud (2.5d finding);
  the cloud-wide names-only leak does NOT manifest. (Applied in appendix-C-identity-rbac.md here.)
- appendix-D: cluster-create trust model; D.7 status updated (Stages 1-4 validated, Stage 6
  create_trust outstanding). Needs committing (was packaged, not yet in repo).

--------------------------------------------------------------------------------
## Sequencing
--------------------------------------------------------------------------------
Apply items 1-8 to phase-08 and item 9 to appendix-C only AFTER Stage 6 (create_trust) is
resolved -- if the multi-tenant trust step surfaces a further phase-08-relevant fix (e.g. a
CONF.trust.roles pin), fold it into the same DOCFIX-064 sweep rather than reopening.
