diff --git a/modules/images-configuration-file.adoc b/modules/images-configuration-file.adoc index 5778dd148a4b..832fa1d3009a 100644 --- a/modules/images-configuration-file.adoc +++ b/modules/images-configuration-file.adoc @@ -9,8 +9,9 @@ You can configure image registry settings by editing the `image.config.openshift.io/cluster` resource. The Machine Config Operator (MCO) watches the -`image.config.openshift.io/cluster` for any changes to registries -and reboots the nodes when it detects changes. +`image.config.openshift.io/cluster` resource for any changes to the registries. +When the MCO detects a change, it drains the nodes, applies the change, +and uncordons the nodes. .Procedure diff --git a/modules/images-configuration-insecure.adoc b/modules/images-configuration-insecure.adoc index 16686aa38318..5d6ac325b5e2 100644 --- a/modules/images-configuration-insecure.adoc +++ b/modules/images-configuration-insecure.adoc 
@@ -57,9 +57,13 @@ status: registries are allowed. Either `blockedRegistries` or `allowedRegistries` can be set, but not both. <3> Specify registries that should be permitted for image pull and push actions. All other registries are denied. Either `blockedRegistries` or `allowedRegistries` can be set, but not both. + -The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` -for any changes to registries and reboots the nodes when it detects changes. -Changes to the registries appear in the `/host/etc/containers/registries.conf` file on each node. +The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource +for any changes to registries. When the MCO detects a change, it drains the nodes, applies the change, reloads the `crio` systemd service on the host, and uncordons the nodes. Changes to the registries appear in the `/etc/containers/registries.conf` file on each node. ++ +[NOTE] +==== +As of {product-title} 4.7, changes to the registries no longer trigger a reboot. +==== + [source,terminal] ---- diff --git a/modules/images-configuration-parameters.adoc b/modules/images-configuration-parameters.adoc index 3efc21696d4a..1cf5d51903e5 100644 --- a/modules/images-configuration-parameters.adoc +++ b/modules/images-configuration-parameters.adoc @@ -65,7 +65,7 @@ registries are allowed. `allowedRegistries`: Allowlisted for image pull and push actions. All other registries are blocked. -Only one of `blockedRegistries` or `allowedRegistries` may be set +Only one of `blockedRegistries` or `allowedRegistries` can be set. |=== diff --git a/modules/images-update-global-pull-secret.adoc b/modules/images-update-global-pull-secret.adoc index 4797e5869337..d4a390093547 100644 --- a/modules/images-update-global-pull-secret.adoc +++ b/modules/images-update-global-pull-secret.adoc 
@@ -12,9 +12,11 @@ You can update the global pull secret for your cluster. Cluster resources must adjust to the new pull secret, which can temporarily limit the usability of the cluster. ==== -[WARNING] +Updating the global pull secret causes the Machine Config Operator to drain the nodes, apply the change, and uncordon the nodes. + +[NOTE] ==== -Updating the global pull secret will cause node reboots while the Machine Config Operator (MCO) syncs the changes. +As of {product-title} 4.7, changes to the global pull secret no longer trigger a reboot. ==== .Prerequisites diff --git a/modules/machine-config-overview.adoc b/modules/machine-config-overview.adoc index d6cba9d15bcd..fe8bd6b5bac5 100644 --- a/modules/machine-config-overview.adoc +++ b/modules/machine-config-overview.adoc @@ -11,7 +11,7 @@ CRI-O and Kubelet, the kernel, Network Manager and other system features. It also offers a MachineConfig CRD that can write configuration files onto the host (see -link:https://github.com/openshift/machine-config-operator#machine-config-operator[machine-config-operator]) +link:https://github.com/openshift/machine-config-operator#machine-config-operator[machine-config-operator]). Understanding what MCO does and how it interacts with other components is critical to making advanced, system-level changes to an {product-title} cluster. Here are some things you should know about MCO, diff --git a/modules/nodes-pods-secrets-creating.adoc b/modules/nodes-pods-secrets-creating.adoc index 4bf2a2aeb2f9..226d8dcfd20b 100644 --- a/modules/nodes-pods-secrets-creating.adoc +++ b/modules/nodes-pods-secrets-creating.adoc 
@@ -25,7 +25,7 @@ a pod in three ways: Volume type secrets write data into the container as a file using the volume mechanism. Image pull secrets use service accounts for the automatic injection of -the secret into all pods in a namespaces. +the secret into all pods in a namespace. When a template contains a secret definition, the only way for the template to use the provided secret is to ensure that the secret volume sources are diff --git a/modules/troubleshooting-disabling-autoreboot-mco.adoc b/modules/troubleshooting-disabling-autoreboot-mco.adoc index fe464ef5a1e5..3fe240b69765 100644 --- a/modules/troubleshooting-disabling-autoreboot-mco.adoc +++ b/modules/troubleshooting-disabling-autoreboot-mco.adoc 
@@ -3,9 +3,20 @@ // * support/troubleshooting/troubleshooting-operator-issues.adoc [id="troubleshooting-disabling-autoreboot-mco_{context}"] -= Disabling Machine Config Operator from automatically rebooting += Disabling Machine Config Operator from automatically rebooting -When configuration changes are made by the Machine Config Operator, {op-system-first} must reboot for the changes to take effect. Whether the configuration change is automatic, such as when a `kube-apiserver-to-kubelet-signer` CA is rotated, or manual, such as when a registry or SSH key is updated, an {op-system} node reboots automatically unless it is paused. +When configuration changes are made by the Machine Config Operator (MCO), {op-system-first} must reboot for the changes to take effect. Whether the configuration change is automatic, such as when a `kube-apiserver-to-kubelet-signer` certificate authority (CA) is rotated, or manual, an {op-system} node reboots automatically unless it is paused. + +[NOTE] +==== +The following modifications do not trigger a node reboot: + +* changes to the SSH key in the `spec.config.ignition.passwd.users.sshAuthorizedKeys` parameter of a machine config +* changes to the global pull secret or pull secret in the `openshift-config` namespace +* changes to the `/etc/containers/registries.conf` file, such as adding or editing an `ImageContentSourcePolicy` object + +When the MCO detects any of these changes, it drains the corresponding nodes, applies the changes, and uncordons the nodes. +==== To avoid unwanted disruptions, you can modify the machine config pool to prevent automatic rebooting after the Operator makes changes to the machine config. diff --git a/modules/understanding-machine-config-operator.adoc b/modules/understanding-machine-config-operator.adoc index 7cb257974da9..60b9e84dbbdd 100644 --- a/modules/understanding-machine-config-operator.adoc +++ b/modules/understanding-machine-config-operator.adoc 
@@ -41,8 +41,16 @@ When you perform node management operations, you create or modify a [IMPORTANT] ==== -When changes are made to a machine configuration, the Machine Config Operator automatically reboots all corresponding nodes in order for the changes to take effect. +When changes are made to a machine configuration, the Machine Config Operator (MCO) automatically reboots all corresponding nodes in order for the changes to take effect. To prevent the nodes from automatically rebooting after machine configuration changes, before making the changes, you must pause the autoreboot process by setting the `spec.paused` field to `true` in the corresponding machine config pool. When paused, machine configuration changes are not applied until you set the `spec.paused` field to `false` and the nodes have rebooted into the new configuration. + +The following modifications do not trigger a node reboot: + +* changes to the SSH key in the `spec.config.ignition.passwd.users.sshAuthorizedKeys` parameter of a machine config +* changes to the global pull secret or pull secret in the `openshift-config` namespace +* changes to the `/etc/containers/registries.conf` file, such as adding or editing an `ImageContentSourcePolicy` object + +When the MCO detects any of these changes, it drains the corresponding nodes, applies the changes, and uncordons the nodes. ====
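Review bot: In modules/images-configuration-file.adoc, the reworded paragraph has no version qualifier, while the same behaviour change in images-configuration-insecure.adoc gets a note reading "As of {product-title} 4.7, changes to the registries no longer trigger a reboot." A reader who knows the old "reboots the nodes" wording gets no signal here that the behaviour changed. Add the same [NOTE] to this module, or move it into a snippet that both modules include.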
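Review bot: In modules/images-configuration-insecure.adoc, the new sentence changes the path from `/host/etc/containers/registries.conf` to `/etc/containers/registries.conf`, but the `[source,terminal]` block that follows is untouched context. If that command is run from a debug pod, where the host filesystem is mounted under /host, the prose and the command now disagree. Please check the block and either keep the /host prefix or say that the path is as seen on the node itself. This is also the only module in the patch that says the MCO "reloads the `crio` systemd service"; the others list only drain, apply, and uncordon, so choose one description and use it in every module.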
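Review bot: In modules/images-update-global-pull-secret.adoc, the sentence that says the update "causes the Machine Config Operator to drain the nodes" is now unmarked prose between two admonition blocks, where the removed text was a [WARNING]. A drain still evicts running pods, so the disruption signal should not be weaker than before. Suggest putting the drain sentence inside an admonition, or merging it into the preceding block that already says the update "can temporarily limit the usability of the cluster". Also introduce the abbreviation as "Machine Config Operator (MCO)" on first use here, as the other modules in this patch do.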
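Review bot: In modules/troubleshooting-disabling-autoreboot-mco.adoc, the opening paragraph still states without qualification that {op-system-first} "must reboot for the changes to take effect" and that a node "reboots automatically unless it is paused", and the [NOTE] directly below lists changes for which that no longer holds. Qualify the opening sentence so the paragraph and the note do not contradict each other. The note should also say whether pausing the machine config pool defers these drain-only changes, because the next paragraph presents pausing as the way "to avoid unwanted disruptions" and a drain is still a disruption. The three-item list is repeated verbatim in understanding-machine-config-operator.adoc; a shared snippet would keep the two copies in sync.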
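Review bot: In modules/understanding-machine-config-operator.adoc, the exceptions list is appended inside the [IMPORTANT] block whose first sentence still reads "automatically reboots all corresponding nodes", so the block states a rule and then its exceptions with nothing connecting them. Reword the first sentence or the list lead-in so the exceptions are tied to it. The block also gives no version for the behaviour change, while the pull-secret and registries modules use "As of {product-title} 4.7"; carry that qualifier here as well so all modules agree on when reboots stopped for these changes.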