Updating the operating system (OS) on a host, by either upgrading across major releases or updating the system software for a minor release, can impact the OKD software running on those machines. In particular, these updates can affect the iptables rules or ovs flows that OKD requires to operate.

Updating the operating system on a host

To safely upgrade the OS on a host:

  1. Drain the node in preparation for maintenance:

    $ oc adm drain <node_name> --force --delete-local-data --ignore-daemonsets

  2. To protect sensitive packages that do not need to be updated, apply the exclude rules to the host:

    # atomic-openshift-docker-excluder exclude
    # atomic-openshift-excluder exclude

  3. Update the host packages and reboot the host. A reboot ensures that the host is running the newest versions and means that the docker and OKD processes have been restarted, which forces them to check that all of the rules in other services are correct.

    # yum update
    # reboot

    However, instead of rebooting a node host, you can restart the services that are affected or preserve the iptables state. Both processes are described in the OKD iptables topic. The ovs flow rules do not need to be saved, but restarting the OKD node software fixes the flow rules.

  4. Configure the host to be schedulable again:

    $ oc adm uncordon <node_name>
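
Because an OS update can change the iptables rules, it helps to confirm that none were lost before running the uncordon step. The script below is an added example, not part of the OKD documentation: it compares an `iptables-save` snapshot taken before `yum update` with one taken after the reboot and prints any rule that disappeared. The file names, function names and sample rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list rules that an iptables-save snapshot taken before the
# update contains but a snapshot taken after the update does not.

# Reduce iptables-save output to "<table> <rule>" lines, dropping what changes
# on every run: timestamp comments, COMMIT markers and packet/byte counters.
normalize_rules() {
    awk '
        /^#/ || /^COMMIT/ { next }
        /^\*/ { table = substr($0, 2); next }
        /^:/  { sub(/ \[[0-9]+:[0-9]+\]$/, "") }   # chain policy counters
        /^\[/ { sub(/^\[[0-9]+:[0-9]+\] /, "") }   # per-rule counters (-c)
        NF    { print table " " $0 }
    ' "$1" | LC_ALL=C sort -u
}

# missing_rules BEFORE AFTER: print the rules present only in BEFORE.
missing_rules() {
    tmp=$(mktemp -d) || return 2
    normalize_rules "$1" > "$tmp/before"
    normalize_rules "$2" > "$tmp/after"
    LC_ALL=C comm -23 "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

# Constructed sample snapshots (not captured from a real node).
write_samples() {
    cat > "$1/before.rules" <<'EOF'
# Generated by iptables-save on Mon Jan  1 10:00:00 2018
*filter
:INPUT ACCEPT [120:9000]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -j OS_FIREWALL_ALLOW
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 4789 -j ACCEPT
COMMIT
EOF
    cat > "$1/after.rules" <<'EOF'
# Generated by iptables-save on Mon Jan  1 10:30:00 2018
*filter
:INPUT ACCEPT [3:180]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -j OS_FIREWALL_ALLOW
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
COMMIT
EOF
}
if [ "$#" -eq 2 ]; then missing_rules "$1" "$2"; fi
```

On a node, capture the snapshots with `iptables-save > before.rules` before step 3 and `iptables-save > after.rules` after the reboot, then run the script with both files as arguments; empty output means every earlier rule is still present.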