Upgrading OpenStack to 2023.1 Antelope

Note

The steps described in this guide are required:

  • if you were already using Fleio with an OpenStack release before the OpenStack 2023.1 Antelope release and you upgraded OpenStack to Antelope,

  • or you are connecting a non-empty OpenStack 2023.1 Antelope to Fleio. By non-empty we mean that the OpenStack cloud already has projects that you want to assign to Fleio services/clients.

If you are connecting an empty OpenStack 2023.1 Antelope to Fleio, you do not need to apply the steps in this guide.

OpenStack 2023.1 (Antelope) has made some changes to OpenStack roles and Fleio requires the admin user to have both member and _member_ roles in each OpenStack project that is associated and used with a Fleio service (assuming admin is the OpenStack administrator user configured in Fleio settings).

Also since OpenStack 2023.1 (Antelope) any regular OpenStack API user should also have the member role on the projects

For an OpenStack project created by the client sign-up automation feature, Fleio automatically adds two roles. The following steps are needed in the following scenarios:

  • You initially installed an OpenStack release before the OpenStack 2023.1 Antelope release and you used Fleio with this installation. You later upgraded OpenStack to 2023.1 (Antelope). You probably have OpenStack projects assigned to Fleio services. These services may no longer work correctly since the OpenStack projects are missing one of the two OpenStack roles.

  • You have a non-empty OpenStack 2023.1 (Antelope) installation and you connect it to Fleio for the first time. A pre-existing OpenStack project may not work correctly in Fleio after you assign the project to a Fleio service.

Note

Running the following scripts may take quite a lot of time. Depending on how many OpenStack projects you have, it may take hours or even days.

Add admin user roles on projects

To list and correct projects for which the admin user is missing member role respectively _member_ role load the OpenStack environment variables (so that you can successfully run the openstack command), and then run the following scripts:

Add the following code to a new script file, e.g. nano list_missing_roles.sh:

#!/bin/bash

# The script shows OpenStack projects that are missing "member" role, and "_member_" role respectively

projects="$(openstack project list -f value -c ID -c Name)"
missing_member=""
missing__member_=""

while IFS="" read -r line || [ -n "$line" ]; do
    project_name="$(echo $line |  cut -d' ' -f2-)"

    if [ "$project_name" = "admin" ]; then
        continue
    fi

    project_id="$(echo $line | cut -d' ' -f1)"

    roles="$(openstack role assignment list --user admin --project $project_id --names -c Role -f value)"
    # replace new lines with spaces
    roles="${roles//$'\n'/ }"
    if [[ ! " $roles " =~ .*\ member\ .* ]]; then
        missing_member="$missing_member $project_id"
    fi
    if [[ ! " $roles " =~ .*\ _member_\ .* ]]; then
        missing__member_="$missing__member_ $project_id"
    fi
done <<<$(echo "$projects")

if [ "$missing_member" = "" ]; then
    echo 'admin user has "member" role in all projects'
else
    echo 'The following projects are missing the "member" role'
    echo "$missing_member"
    echo
fi

if [ "$missing__member_" = "" ]; then
    echo 'admin user has "_member_" role in all projects'
else
    echo 'The following projects are missing the "_member_" role'
    echo "$missing__member_"
fi

Run bash list_missing_roles.sh. If this shows any OpenStack project missing member or _member_ role for the admin user, create the following script to add these roles.

Add the following code to a new script file, e.g. nano add_missing_roles.sh:

#!/bin/bash

# The script adds "member" add "_member_" role for the "admin" user to all OpenStack projects

projects="$(openstack project list -f value -c ID -c Name)"
missing_member=""
missing__member_=""

while IFS="" read -r line || [ -n "$line" ]; do
    project_name="$(echo $line |  cut -d' ' -f2-)"

    if [ "$project_name" = "admin" ]; then
        continue
    fi

    project_id="$(echo $line | cut -d' ' -f1)"

    roles="$(openstack role assignment list --user admin --project $project_id --names -c Role -f value)"
    # replace new lines with spaces
    roles="${roles//$'\n'/ }"
    if [[ ! " $roles " =~ .*\ member\ .* ]]; then
        missing_member="$missing_member $project_id"
        openstack role add --user admin --project $project_id member
    fi
    if [[ ! " $roles " =~ .*\ _member_\ .* ]]; then
        missing__member_="$missing_member $project_id"
        openstack role add --user admin --project $project_id _member_
    fi
done <<<$(echo "$projects")

if [ "$missing_member" = "" ]; then
    echo 'admin user has "member" role in all projects'
else
    echo 'The "member" role has been added for "admin" user in the following projects:'
    echo "$missing_member"
    echo
fi

if [ "$missing__member_" = "" ]; then
    echo 'admin user has "_member_" role in all projects'
else
    echo 'The "_member_" role has been added for "admin" user in the following projects:'
    echo "$missing__member_"
fi

To add member and _member_ role to all OpenStack projects, run bash add_missing_roles.sh.

To confirm that admin has the two roles in all projects, run bash list_missing_roles.sh again.

Add member role for regular users

To list and correct regular API users roles on projects load the OpenStack environment variables (so that you can successfully run the openstack command), and then run the following scripts:

Add the following code to a new script file, e.g. nano list_missing_user_roles.sh:

#!/bin/bash

# The script check if regular user have "member" role on their default project

users="$(openstack user list -f value -c ID -c Name)"
user_count=$(echo "$users" | wc -l)
missing_member=""

echo "Checking $user_count users ..."

while IFS="" read -r line || [ -n "$line" ]; do
    user_name="$(echo $line |  cut -d' ' -f2-)"

        if [ "$user_name" = "admin" ] || [ "$user_name" = "keystone" ] || [ "$user_name" = "cinder" ] || [ "$user_name" = "gnocchi" ] || [ "$user_name" = "neutron" ] || [ "$user_name" = "heat" ] || [ "$user_nam>
        continue
    fi

    project_id=$(openstack user show "$user_name" -f value -c default_project_id 2>/dev/null)

    if [[ -n $project_id ]]; then
        echo "Checking user $user_name"
        roles="$(openstack role assignment list --user "$user_name" --names -c Role -f value)"
        # replace new lines with spaces
        roles="${roles//$'\n'/ }"
        if [[ ! " $roles " =~ .*\ member\ .* ]]; then
            missing_member="$missing_member $user_name "
        fi
    else
        echo "Skipping user $user_name with no default project"
    fi
done <<<$(echo "$users")

if [ "$missing_member" = "" ]; then
    echo 'all users have "member" role'
else
    echo 'The following users are missing "member" role:'
    echo "$missing_member"
    echo
fi

Run bash list_missing_user_roles.sh. If this shows any OpenStack user missing member role on their default projects.

Add the following code to a new script file, e.g. nano add_missing_user_roles.sh:

#!/bin/bash

# The script adds "member" role for regular users on their default project

users="$(openstack user list -f value -c ID -c Name)"
user_count=$(echo "$users" | wc -l)
missing_member=""

echo "Checking $user_count users ..."

while IFS="" read -r line || [ -n "$line" ]; do
    user_name="$(echo $line |  cut -d' ' -f2-)"

        if [ "$user_name" = "admin" ] || [ "$user_name" = "keystone" ] || [ "$user_name" = "cinder" ] || [ "$user_name" = "gnocchi" ] || [ "$user_name" = "neutron" ] || [ "$user_name" = "heat" ] || [ "$user_nam>
        continue
    fi

    project_id=$(openstack user show "$user_name" -f value -c default_project_id 2>/dev/null)

    if [[ -n $project_id ]]; then
        echo "Processing user $user_name"
        roles="$(openstack role assignment list --user "$user_name" --names -c Role -f value)"
        # replace new lines with spaces
        roles="${roles//$'\n'/ }"
        if [[ ! " $roles " =~ .*\ member\ .* ]]; then
            echo "Adding member role for user $user_name on project $project_id"
            missing_member="$missing_member $user_name "
            openstack role add --user "$user_name" --project "$project_id" member
        else
           echo "User $user_name already has member role on project $project_id"
        fi
    else
        echo "Skipping user $user_name with no default project"
    fi
done <<<$(echo "$users")

if [ "$missing_member" = "" ]; then
    echo 'all users have "member" role'
else
    echo 'The "member" role has been added for in the following users:'
    echo "$missing_member"
    echo
fi

To add member role for regular users on their default projects run bash add_missing_user_roles.sh.

To confirm regular users have member role on their default project, run bash list_missing_user_roles.sh again.