Upgrades are not able to add new keystone users/services/endpoints
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
StarlingX |
Fix Released
|
Medium
|
Andy |
Bug Description
Brief Description
-----------------
When we upgrade to a new release of StarlingX, we often introduce new services which require new keystone users/services/
Severity
--------
Critical: No way to add new keystone users/services/
Steps to Reproduce
------------------
See above
Expected Behavior
------------------
See above
Actual Behavior
----------------
See above
Reproducibility
---------------
Reproducible
System Configuration
-------
All configurations
Branch/Pull Time/Commit
-------
All StarlingX releases to date are impacted.
Last Pass
---------
This was possible prior to the initial StarlingX open source release.
Timestamp/Logs
--------------
N/A
Test Activity
-------------
Developer Testing
Workaround
----------
None
CVE References
tags: | added: stx.update |
tags: | added: stx.5.0 |
Changed in starlingx: | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in starlingx: | |
assignee: | nobody → Andy (andy.wrs) |
Changed in starlingx: | |
status: | Triaged → In Progress |
When upgrade.pp is applied during controller-1 upgrade, keystone::upgrade is run and fail. In latest puppet.log on controller-1 we can see:
8053 2020-11- 17T10:04: 33.272 ^[[0;36mDebug: 2020-11-17 10:04:33 +0000 Exec[upgrade token issue]( provider= posix): Executing 'openstack --os-username admin --os-password Li69nux* --os-auth-url http:// 127.0.0. 1:5000/ v3 --os-project-name admin --os-user- domain- name Default --os-project- domain- name Default --os-interfacei nternal --os-identity- api-version 3 token issue -c id -f value > /etc/keystone/ upgrade_ token'^ [[0m 17T10:04: 33.274 ^[[0;36mDebug: 2020-11-17 10:04:33 +0000 Executing: 'openstack --os-username admin --os-password Li69nux* --os-auth-url http:// 127.0.0. 1:5000/ v3 --os-project-name admin --os-user- domain- name Default --os-project- domain- name Default --os-interface internal --os-identity- api-version 3 token issue -c id -f value > /etc/keystone/ upgrade_ token'^ [[0m 17T10:04: 35.650 ^[[mNotice: 2020-11-17 10:04:35 +0000 /Stage[ main]/Keystone/ Exec[upgrade token issue]/returns: The request you have made requires authentication. (HTTP 401) (Request-ID: req-e4834fcc- 953c-489b- b7f1-e80738e12f ef)^[[0m 17T10:04: 35.653 ^[[1;31mError: 2020-11-17 10:04:35 +0000 openstack --os-username admin --os-password Li69nux* --os-auth-url http:// 127.0.0. 1:5000/ v3 --os-project-name admin --os-user- domain- name Default --os-project- domain- name Default --os-interface internal --os-identity- api-version 3 token issue -c id -f value > /etc/keystone/ upgrade_ token returned 1 instead of one of [0]
8054 2020-11-
8055 2020-11-
8056 2020-11-
When checking keystone database, it is found that the DB is empty, there are not users, projects etc.
The cause of this is that: python2. 7/site- packages/ controllerconfi g/upgrades/ management. py:
In /usr/lib64/
44 if sysinv_ constants. SERVICE_ TYPE_IDENTITY not in shared_services: ====> identity is no longer a shared service in DC DATABASE_ SKIP_TABLES. update( {'keystone' : ('token',)})
45 UPGRADE_DATABASES += ('keystone',)
46 UPGRADE_
The checking prevents identity db to be backed up. So data-migration doesn't migrate any data into keystone DB running on controller-1.
This issue is being tracked by: https:/ /bugs.launchpad .net/starlingx/ +bug/1904675