Merge pull request #28090 from mburke5678/mco-avoid-reboots

mburke5678 · web-flow · commit a8e4c4eaed28 · 2020-12-18T17:04:33.000-05:00
Avoid reboots in select cases
diff --git a/modules/images-configuration-file.adoc b/modules/images-configuration-file.adoc
@@ -9,8 +9,9 @@
 You can configure image registry settings by editing the
 `image.config.openshift.io/cluster` resource. The
 Machine Config Operator (MCO) watches the
-`image.config.openshift.io/cluster` for any changes to registries
-and reboots the nodes when it detects changes.
+`image.config.openshift.io/cluster` resource for any changes to the registries.
+When the MCO detects a change, it drains the nodes, applies the change, 
+and uncordons the nodes.
 
 .Procedure
 
diff --git a/modules/images-configuration-insecure.adoc b/modules/images-configuration-insecure.adoc
@@ -57,9 +57,13 @@ status:
 registries are allowed. Either `blockedRegistries` or `allowedRegistries` can be set, but not both.
 <3> Specify registries that should be permitted for image pull and push actions. All other registries are denied. Either `blockedRegistries` or `allowedRegistries` can be set, but not both.
 +
-The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster`
-for any changes to registries and reboots the nodes when it detects changes.
-Changes to the registries appear in the `/host/etc/containers/registries.conf` file on each node.
+The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource
+for any changes to registries. When the MCO detects a change, it drains the nodes, applies the change, reloads the `crio` systemd service on the host, and uncordons the nodes. Changes to the registries appear in the `/etc/containers/registries.conf` file on each node.
++
+[NOTE]
+====
+As of {product-title} 4.7, changes to the registries no longer trigger a reboot.
+====
 +
 [source,terminal]
 ----
diff --git a/modules/images-configuration-parameters.adoc b/modules/images-configuration-parameters.adoc
@@ -65,7 +65,7 @@ registries are allowed.
 `allowedRegistries`: Allowlisted for image pull and push actions. All other
 registries are blocked.
 
-Only one of `blockedRegistries` or `allowedRegistries` may be set
+Only one of `blockedRegistries` or `allowedRegistries` can be set.
 
 |===
 
diff --git a/modules/images-update-global-pull-secret.adoc b/modules/images-update-global-pull-secret.adoc
@@ -12,9 +12,11 @@ You can update the global pull secret for your cluster.
 Cluster resources must adjust to the new pull secret, which can temporarily limit the usability of the cluster.
 ====
 
-[WARNING]
+Updating the global pull secret causes the Machine Config Operator to drain the nodes, apply the change, and uncordon the nodes. 
+
+[NOTE]
 ====
-Updating the global pull secret will cause node reboots while the Machine Config Operator (MCO) syncs the changes.
+As of {product-title} 4.7, changes to the global pull secret no longer trigger a reboot.
 ====
 
 .Prerequisites
diff --git a/modules/machine-config-overview.adoc b/modules/machine-config-overview.adoc
@@ -11,7 +11,7 @@ CRI-O and Kubelet, the kernel, Network Manager and other
 system features.
 It also offers a MachineConfig CRD that can write configuration files
 onto the host (see
-link:https://github.com/openshift/machine-config-operator#machine-config-operator[machine-config-operator])
+link:https://github.com/openshift/machine-config-operator#machine-config-operator[machine-config-operator]).
 Understanding what MCO does and how it interacts with other components
 is critical to making advanced, system-level changes to an
 {product-title} cluster. Here are some things you should know about MCO,
diff --git a/modules/nodes-pods-secrets-creating.adoc b/modules/nodes-pods-secrets-creating.adoc
@@ -25,7 +25,7 @@ a pod in three ways:
 
 Volume type secrets write data into the container as a file using the volume
 mechanism. Image pull secrets use service accounts for the automatic injection of
-the secret into all pods in a namespaces.
+the secret into all pods in a namespace.
 
 When a template contains a secret definition, the only way for the template to
 use the provided secret is to ensure that the secret volume sources are
diff --git a/modules/troubleshooting-disabling-autoreboot-mco.adoc b/modules/troubleshooting-disabling-autoreboot-mco.adoc
@@ -3,9 +3,20 @@
 // * support/troubleshooting/troubleshooting-operator-issues.adoc
 
 [id="troubleshooting-disabling-autoreboot-mco_{context}"]
-= Disabling Machine Config Operator from automatically rebooting
+= Disabling Machine Config Operator from automatically rebooting	
 
-When configuration changes are made by the Machine Config Operator, {op-system-first} must reboot for the changes to take effect. Whether the configuration change is automatic, such as when a `kube-apiserver-to-kubelet-signer` CA is rotated, or manual, such as when a registry or SSH key is updated, an {op-system} node reboots automatically unless it is paused.
+When configuration changes are made by the Machine Config Operator (MCO), {op-system-first} must reboot for the changes to take effect. Whether the configuration change is automatic, such as when a `kube-apiserver-to-kubelet-signer` certificate authority (CA) is rotated, or manual, an {op-system} node reboots automatically unless it is paused.
+
+[NOTE]
+====
+The following modifications do not trigger a node reboot:
+
+* changes to the SSH key in the `spec.config.ignition.passwd.users.sshAuthorizedKeys` parameter of a machine config
+* changes to the global pull secret or pull secret in the `openshift-config` namespace
+* changes to the `/etc/containers/registries.conf` file, such as adding or editing an `ImageContentSourcePolicy` object
+
+When the MCO detects any of these changes, it drains the corresponding nodes, applies the changes, and uncordons the nodes. 
+====
 
 To avoid unwanted disruptions, you can modify the machine config pool to prevent automatic rebooting after the Operator makes changes to the machine config.
 
diff --git a/modules/understanding-machine-config-operator.adoc b/modules/understanding-machine-config-operator.adoc
@@ -41,8 +41,16 @@ When you perform node management operations, you create or modify a
 
 [IMPORTANT]
 ====
-When changes are made to a machine configuration, the Machine Config Operator automatically reboots all corresponding nodes in order for the changes to take effect.
+When changes are made to a machine configuration, the Machine Config Operator (MCO) automatically reboots all corresponding nodes in order for the changes to take effect.
 
 To prevent the nodes from automatically rebooting after machine configuration changes, before making the changes, you must pause the autoreboot process by setting the `spec.paused` field to `true` in the corresponding machine config pool. When paused, machine configuration changes are not applied until you set the `spec.paused` field to `false` and the nodes have rebooted into the new configuration.
+
+The following modifications do not trigger a node reboot:
+
+* changes to the SSH key in the `spec.config.ignition.passwd.users.sshAuthorizedKeys` parameter of a machine config
+* changes to the global pull secret or pull secret in the `openshift-config` namespace
+* changes to the `/etc/containers/registries.conf` file, such as adding or editing an `ImageContentSourcePolicy` object
+
+When the MCO detects any of these changes, it drains the corresponding nodes, applies the changes, and uncordons the nodes. 
 ====
 
