So we'd like to move the nodes in our kube cluster to docker 17.03 so we can implement some pod security policies that 1.12 doesn't support and 18.03 is problematic because it's not certified by kubernetes.

I see that 17.03 seems to be referenced with some stability in the manifests returned from: https://tectonic-torcx.release.core-os.net/manifests/$COREOS_RELEASE_BOARD/$COREOS_RELEASE_VERSION/torcx_manifest.json

However that 17.03 tarball isn't packaged with the release so we need to prefetch it (for the release version) pre torcx and stick it into /usr/share/torcx/store ... no problem we could do that with ignition we know what ami we are requesting. However we currently use the default locksmith/update engine which means that 17.03 tarball's contents could drift as we move from version to version.

I'm not a huge systemd guy, but the docs say that all generators are run in parallel, so if I wrote a binary to snag the proper tarball and put it into place is there a way to delay the torcx run until after that happens?

I can't be the first person to run into this? Is the solution to pin the version of coreos, deliver the proper tarball via ignition and manage the upgrades through the upgrade operator (and have it upgrade the tarball before it reboots the node?)...