Created attachment 1262401
Description of problem:
OSP10 -> OSP11 upgrade fails on environment with radosgw deployed on a custom role:
Error: Execution of '/usr/bin/openstack role create --format shell member' returned 1: Conflict occurred attempting to store role - Duplicate entry found with name member. (HTTP 409) (Request-ID: req-7a0ec0ae-bcb2-4574-bcaf-c8921f55ca5f)
Error: /Stage[main]/Ceph::Rgw::Keystone::Auth/Keystone_role[member]/ensure: change from absent to present failed: Execution of '/usr/bin/openstack role create --format shell member' returned 1: Conflict occurred attempting to store role - Duplicate entry found with name member. (HTTP 409) (Request-ID: req-7a0ec0ae-bcb2-4574-bcaf-c8921f55ca5f)
Warning: /Stage[main]/Ceph::Rgw::Keystone::Auth/Keystone_user_role[swift@service]: Skipping because of failed dependencies
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Deploy OSP10 with radosgw service enabled on a custom role running systemd managed services
2. Run upgrade OSP10->OSP11 procedure on top of it
Upgrade fails during major-upgrade-composable-steps.yaml
Attaching the os-collect-config log.
I was able to reproduce this issue on an environment where the radosgw service is running on monolithic controllers (3 controllers, 2 computes and 3 ceph osd nodes).
Which set of documentation are you using for your upgrade?
(In reply to Keith Schincke from comment #2)
> Which set of documentation are you using for your upgrade?
The upgrade procedure:
I have found where the error is occurring.
ceph::rgw::keystone::auth has a call to create the needed roles (1). The keystone provider checks for the role existing (2) before attempting to add (3). OpenStack 10/Newton adds a role named "Member". OpenStack 11/Ocata adds a role named 'member'. The check does not match ("Member" is not the same as "member"), but the add fails in keystone because "Member" already exists.
I am working with the stream people to get a fix.
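The mismatch described in the comment above, as an added Ruby sketch that is not part of this bug report and is not puppet-keystone or puppet-ceph code. RoleStore, exists_exact?, exists_casefold? and ensure_role are hypothetical names, and the store's case-insensitive uniqueness is an assumption modelled on the HTTP 409 shown in the description.

```ruby
# Added illustration; not puppet-keystone or puppet-ceph code.
# RoleStore is a constructed stand-in for the keystone backend in this report:
# it rejects a new role whose name differs from an existing one only by case.
class Conflict < StandardError; end

class RoleStore
  attr_reader :names

  def initialize(names)
    @names = names.dup
  end

  def create(name)
    raise Conflict, "Duplicate entry found with name #{name} (HTTP 409)" if @names.any? { |n| n.casecmp?(name) }
    @names << name
  end
end

# Existence check as described in the comment: exact, case-sensitive match.
def exists_exact?(store, name)
  store.names.include?(name)
end

# Existence check that compares names the same way the store enforces uniqueness.
def exists_casefold?(store, name)
  store.names.any? { |n| n.casecmp?(name) }
end

# Idempotent "ensure present": returns :present, :created or :conflict.
def ensure_role(store, name, check)
  return :present if send(check, store, name)
  store.create(name)
  :created
rescue Conflict
  :conflict
end

# Constructed role lists: one left behind by OSP10 ("Member"), one without it.
def demo
  upgraded = RoleStore.new(%w[admin Member])
  fresh    = RoleStore.new(%w[admin])
  {
    exact_on_upgraded:    ensure_role(upgraded, 'member', :exists_exact?),
    casefold_on_upgraded: ensure_role(upgraded, 'member', :exists_casefold?),
    exact_on_fresh:       ensure_role(fresh, 'member', :exists_exact?),
    roles_after_upgrade:  upgraded.names
  }
end
```

The exact-match check only conflicts on the upgraded role list, which is why the failure appears during the OSP10 -> OSP11 upgrade and not on a fresh deployment.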
verified on openstack-tripleo-heat-templates-6.0.0-7.el7ost.noarch
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.