Bug 1952574

Summary: [OSP13->OSP16.1] Leapp upgrade failed with TLSEverywhere
Product: Red Hat OpenStack
Reporter: Stephane Vigan <svigan>
Component: openstack-tripleo-heat-templates
Assignee: Jose Luis Franco <jfrancoa>
Status: CLOSED ERRATA
QA Contact: Jason Grosso <jgrosso>
Severity: medium
Docs Contact:
Priority: high
Version: 16.1 (Train)
CC: amcleod, gregraka, jfrancoa, jpretori, lbezdick, mburns
Target Milestone: z7
Keywords: Triaged
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20210616103304.29a02c1.el8ost
Doc Type: Bug Fix
Doc Text:
Before this update, if your environment was deployed with a TLS-Everywhere architecture and it used the deprecated `authconfig` utility to configure authentication on your system, you had to configure your RHEL 8 system with the `authselect` utility. Without performing this action, the `leapp` process failed with the inhibitor named `Missing required answers in the answer file`. The workaround was to add `sudo leapp answer --section authselect_check.confirm=True --add` in the `LeappInitCommand` in the upgrades environment file. With this update, the configuration entry is no longer needed, and the upgrade now completes without intervention.
Story Points: ---
Clone Of:
: 1978228
Environment:
Last Closed: 2021-12-09 20:19:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1978228

Description Stephane Vigan 2021-04-22 15:00:15 UTC
Description of problem:

When upgrading controller nodes in a TLS Everywhere deployment, the leapp upgrade failed with this error:

Risk Factor: high (inhibitor)
Title: Missing required answers in the answer file
Summary: One or more sections in answerfile are missing user choices: authselect_check.confirm
For more information consult https://leapp.readthedocs.io/en/latest/dialogs.html
Remediation: [hint] Please register user choices with leapp answer cli command or by manually editing the answerfile.
[command] leapp answer --section authselect_check.confirm=True

Version-Release number of selected component (if applicable):

leapp-deps-0.12.0-1.el7_9.noarch
leapp-0.12.0-1.el7_9.noarch
python2-leapp-0.12.0-1.el7_9.noarch
leapp-repository-0.13.0-2.el7_9.noarch
leapp-repository-deps-0.13.0-2.el7_9.noarch

Seems we need to add authselect_check.confirm=False to leapp answer file

Comment 1 Jose Luis Franco 2021-04-22 16:02:49 UTC
We encountered this issue during the TLS-everywhere internal testing and we worked around it by running the suggested command: leapp answer --section authselect_check.confirm; however, we failed to document/cover it.

Basically, leapp wants an answer on whether we want to migrate to authselect or leave the system using authconfig. It is something specific to this job (as our FFU jobs do not use TLS-everywhere). According to the leapp folks, if this option is set to True, it will configure PAM and nsswitch.conf with authselect. If set to False, it will leave authconfig.

The simplest way to solve this issue is:

 * For the Undercloud leapp-upgrade:
Run the command "leapp answer --section authselect_check.confirm=True" before triggering the leapp upgrade command (right after step 7): https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html-single/framework_for_upgrades_13_to_16.1/index#performing-a-leapp-upgrade-on-the-undercloud

 * For the Overcloud node leapp-upgrade:
Make use of the LeappInitCommand Heat parameter to pass the command to run. Add the following Heat parameter in the templates/upgrades-environment.yaml, set the parameter to True if wanting to migrate from authconfig to authselect, otherwise leave it as False:
parameter_defaults:
  # ... (other parameters)
  LeappInitCommand: |
    sudo leapp answer --section authselect_check.confirm=True --add
 
We will move this into docs, as it's a limitation from Leapp: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/upgrading_from_rhel_7_to_rhel_8/index#known-issues_troubleshooting

And we need the user to choose if migrating to authselect or not.
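
Added example (not part of the comment above, and not TripleO or leapp code): a pre-flight check that lists the required leapp answers still unanswered, so the `Missing required answers in the answer file` inhibitor is caught before the upgrade is triggered. It assumes an INI-style answerfile in which unanswered questions stay commented out; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: list required leapp answers that
# are still unanswered, so the inhibitor is caught before the upgrade runs.
# Assumption: the answerfile (commonly /var/log/leapp/answerfile) is INI-style,
# with "[section]" headers and "key = value" lines; unanswered questions stay
# commented out. Function names and the sample file are constructed.

# answer_value FILE SECTION KEY: print the answer; exit status 1 if unanswered
answer_value() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == want); next }
        in_sec && /^[ \t]*[^#; \t]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key && v != "") { print v; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# missing_answers FILE SECTION.KEY...: print each required answer not yet set
missing_answers() {
    file=$1; shift
    for item in "$@"; do
        answer_value "$file" "${item%%.*}" "${item#*.}" >/dev/null ||
            printf '%s\n' "$item"
    done
}

# Constructed sample: one question answered, one left as leapp generates it.
sample_answerfile() {
    cat <<'EOF'
[remove_pam_pkcs11_module_check]
confirm = True

[authselect_check]
# Unanswered question. Uncomment the following line with your answer
# confirm =
EOF
}

# Demo run on the sample; on a node, pass the real answerfile path instead.
demo=$(mktemp)
sample_answerfile > "$demo"
missing_answers "$demo" remove_pam_pkcs11_module_check.confirm \
    authselect_check.confirm    # prints: authselect_check.confirm
rm -f "$demo"
```

The check only reports what is missing; whether each answer should be True or False remains the operator's decision, since it determines how PAM and nsswitch.conf are configured after the upgrade.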

Comment 19 Lukas Bezdicka 2021-08-16 12:00:20 UTC
16.2:
https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/upgrades/view/ffu/job/DFG-upgrades-ffu-16.2-from-13-latest_cdn-3cont_3db_3msg_2net_3hci-ipv6-ovs_dvr/92/

core_puddle: 2021-07-15.2
core_puddle: RHOS-16.2-RHEL-8-20210811.n.1


http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/rcj/DFG-upgrades-ffu-16.2-from-13-latest_cdn-3cont_3db_3msg_2net_3hci-ipv6-ovs_dvr/92/undercloud-0/home/stack/overcloud_system_upgrade-controller-0,database-0,messaging-0,networker-0.log.gz


2021-08-15 01:35:47 | 2021-08-15 01:17:29.967307 | 52540052-55b3-3efb-36a5-00000000024f |       TASK | set leapp required answers
2021-08-15 01:35:47 | 2021-08-15 01:17:30.945108 | 52540052-55b3-3efb-36a5-00000000024f |    CHANGED | set leapp required answers | networker-0
2021-08-15 01:35:47 | 2021-08-15 01:17:30.946330 | 52540052-55b3-3efb-36a5-00000000024f |     TIMING | set leapp required answers | networker-0 | 0:03:29.971046 | 0.98s

16.1:
https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/upgrades/view/ffu/job/DFG-upgrades-ffu-16.1-from-13-latest_cdn-3cont_3hci-ipv4-ovs_dvr/194/

core_puddle: 2021-07-15.2
core_puddle: RHOS-16.1-RHEL-8-20210804.n.0

2021-08-13 00:28:46 | TASK [set leapp required answers] **********************************************
2021-08-13 00:28:46 | Friday 13 August 2021  00:10:34 +0000 (0:00:00.707)       0:06:21.909 ********* 
2021-08-13 00:28:46 | changed: [controller-0] => {"changed": true, "cmd": "# PAM module pam_pkcs11 is no longer available in RHEL-8 since it was replaced by SSSD\nleapp answer --section remove_pam_pkcs11_module_check.confirm=True --add\n# Required for TLS-Everywhere, switch from authconfig to authselect\nleapp answer --section authselect_check.confirm=True --add\n", "delta": "0:00:00.741660", "end": "2021-08-13 00:10:35.103686", "rc": 0, "start": "2021-08-13 00:10:34.362026", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

Comment 27 Jesse Pretorius 2021-11-24 09:33:56 UTC
Perfect, thank you Alex.

Comment 39 errata-xmlrpc 2021-12-09 20:19:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.7 (Train) bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3762