Upgrading OpenStack to 2023.1 Antelope¶
Note
The steps described in this guide are required:
if you were already using Fleio with an OpenStack release before the OpenStack 2023.1 Antelope release and you upgraded OpenStack to Antelope,
or you are connecting a non-empty OpenStack 2023.1 Antelope to Fleio. By non-empty we mean that the OpenStack cloud already has projects that you want to assign to Fleio services/clients.
If you are connecting an empty OpenStack 2023.1 Antelope to Fleio, you do not need to apply the steps in this guide.
OpenStack 2023.1 (Antelope) has made some changes to OpenStack roles and Fleio requires the admin
user to have
both member
and _member_
roles in each OpenStack project that is associated and used with a Fleio service
(assuming admin
is the OpenStack administrator user configured in Fleio settings).
Also since OpenStack 2023.1 (Antelope) any regular OpenStack API user should also have the member role on the projects
For an OpenStack project created by the client sign-up automation feature, Fleio automatically adds two roles. The following steps are needed in the following scenarios:
You initially installed an OpenStack release before the OpenStack 2023.1 Antelope release and you used Fleio with this installation. You later upgraded OpenStack to 2023.1 (Antelope). You probably have OpenStack projects assigned to Fleio services. These services may no longer work correctly since the OpenStack projects are missing one of the two OpenStack roles.
You have a non-empty OpenStack 2023.1 (Antelope) installation and you connect it to Fleio for the first time. A pre-existing OpenStack project may not work correctly in Fleio after you assign the project to a Fleio service.
Note
Running the following scripts may take quite a lot of time. Depending on how many OpenStack projects you have, it may take hours or even days.
Add admin user roles on projects¶
To list and correct projects for which the admin
user is missing member
role respectively _member_
role
load the OpenStack environment variables (so that you can successfully run the openstack
command), and then run
the following scripts:
Add the following code to a new script file, e.g. nano list_missing_roles.sh
:
#!/bin/bash
# The script shows OpenStack projects that are missing "member" role, and "_member_" role respectively
projects="$(openstack project list -f value -c ID -c Name)"
missing_member=""
missing__member_=""
while IFS="" read -r line || [ -n "$line" ]; do
project_name="$(echo $line | cut -d' ' -f2-)"
if [ "$project_name" = "admin" ]; then
continue
fi
project_id="$(echo $line | cut -d' ' -f1)"
roles="$(openstack role assignment list --user admin --project $project_id --names -c Role -f value)"
# replace new lines with spaces
roles="${roles//$'\n'/ }"
if [[ ! " $roles " =~ .*\ member\ .* ]]; then
missing_member="$missing_member $project_id"
fi
if [[ ! " $roles " =~ .*\ _member_\ .* ]]; then
missing__member_="$missing__member_ $project_id"
fi
done <<<$(echo "$projects")
if [ "$missing_member" = "" ]; then
echo 'admin user has "member" role in all projects'
else
echo 'The following projects are missing the "member" role'
echo "$missing_member"
echo
fi
if [ "$missing__member_" = "" ]; then
echo 'admin user has "_member_" role in all projects'
else
echo 'The following projects are missing the "_member_" role'
echo "$missing__member_"
fi
Run bash list_missing_roles.sh
. If this shows any OpenStack project missing member
or _member_
role for the
admin
user, create the following script to add these roles.
Add the following code to a new script file, e.g. nano add_missing_roles.sh
:
#!/bin/bash
# The script adds "member" add "_member_" role for the "admin" user to all OpenStack projects
projects="$(openstack project list -f value -c ID -c Name)"
missing_member=""
missing__member_=""
while IFS="" read -r line || [ -n "$line" ]; do
project_name="$(echo $line | cut -d' ' -f2-)"
if [ "$project_name" = "admin" ]; then
continue
fi
project_id="$(echo $line | cut -d' ' -f1)"
roles="$(openstack role assignment list --user admin --project $project_id --names -c Role -f value)"
# replace new lines with spaces
roles="${roles//$'\n'/ }"
if [[ ! " $roles " =~ .*\ member\ .* ]]; then
missing_member="$missing_member $project_id"
openstack role add --user admin --project $project_id member
fi
if [[ ! " $roles " =~ .*\ _member_\ .* ]]; then
missing__member_="$missing_member $project_id"
openstack role add --user admin --project $project_id _member_
fi
done <<<$(echo "$projects")
if [ "$missing_member" = "" ]; then
echo 'admin user has "member" role in all projects'
else
echo 'The "member" role has been added for "admin" user in the following projects:'
echo "$missing_member"
echo
fi
if [ "$missing__member_" = "" ]; then
echo 'admin user has "_member_" role in all projects'
else
echo 'The "_member_" role has been added for "admin" user in the following projects:'
echo "$missing__member_"
fi
To add member
and _member_
role to all OpenStack projects, run bash add_missing_roles.sh
.
To confirm that admin
has the two roles in all projects, run bash list_missing_roles.sh
again.
Add member role for regular users¶
To list and correct regular API users roles on projects load the OpenStack environment variables (so that you can successfully run the openstack command), and then run the following scripts:
Add the following code to a new script file, e.g. nano list_missing_user_roles.sh
:
#!/bin/bash
# The script check if regular user have "member" role on their default project
users="$(openstack user list -f value -c ID -c Name)"
user_count=$(echo "$users" | wc -l)
missing_member=""
echo "Checking $user_count users ..."
while IFS="" read -r line || [ -n "$line" ]; do
user_name="$(echo $line | cut -d' ' -f2-)"
if [ "$user_name" = "admin" ] || [ "$user_name" = "keystone" ] || [ "$user_name" = "cinder" ] || [ "$user_name" = "gnocchi" ] || [ "$user_name" = "neutron" ] || [ "$user_name" = "heat" ] || [ "$user_nam>
continue
fi
project_id=$(openstack user show "$user_name" -f value -c default_project_id 2>/dev/null)
if [[ -n $project_id ]]; then
echo "Checking user $user_name"
roles="$(openstack role assignment list --user "$user_name" --names -c Role -f value)"
# replace new lines with spaces
roles="${roles//$'\n'/ }"
if [[ ! " $roles " =~ .*\ member\ .* ]]; then
missing_member="$missing_member $user_name "
fi
else
echo "Skipping user $user_name with no default project"
fi
done <<<$(echo "$users")
if [ "$missing_member" = "" ]; then
echo 'all users have "member" role'
else
echo 'The following users are missing "member" role:'
echo "$missing_member"
echo
fi
Run bash list_missing_user_roles.sh
. If this shows any OpenStack user missing member
role on their default
projects.
Add the following code to a new script file, e.g. nano add_missing_user_roles.sh
:
#!/bin/bash
# The script adds "member" role for regular users on their default project
users="$(openstack user list -f value -c ID -c Name)"
user_count=$(echo "$users" | wc -l)
missing_member=""
echo "Checking $user_count users ..."
while IFS="" read -r line || [ -n "$line" ]; do
user_name="$(echo $line | cut -d' ' -f2-)"
if [ "$user_name" = "admin" ] || [ "$user_name" = "keystone" ] || [ "$user_name" = "cinder" ] || [ "$user_name" = "gnocchi" ] || [ "$user_name" = "neutron" ] || [ "$user_name" = "heat" ] || [ "$user_nam>
continue
fi
project_id=$(openstack user show "$user_name" -f value -c default_project_id 2>/dev/null)
if [[ -n $project_id ]]; then
echo "Processing user $user_name"
roles="$(openstack role assignment list --user "$user_name" --names -c Role -f value)"
# replace new lines with spaces
roles="${roles//$'\n'/ }"
if [[ ! " $roles " =~ .*\ member\ .* ]]; then
echo "Adding member role for user $user_name on project $project_id"
missing_member="$missing_member $user_name "
openstack role add --user "$user_name" --project "$project_id" member
else
echo "User $user_name already has member role on project $project_id"
fi
else
echo "Skipping user $user_name with no default project"
fi
done <<<$(echo "$users")
if [ "$missing_member" = "" ]; then
echo 'all users have "member" role'
else
echo 'The "member" role has been added for in the following users:'
echo "$missing_member"
echo
fi
To add member
role for regular users on their default projects run bash add_missing_user_roles.sh
.
To confirm regular users have member
role on their default project, run bash list_missing_user_roles.sh
again.