Description of problem: When upgrading controller nodes in a TLS Everywhere deployment, leapp upgrade failed with error : Risk Factor: high (inhibitor) Title: Missing required answers in the answer file Summary: One or more sections in answerfile are missing user choices: authselect_check.confirm For more information consult https://leapp.readthedocs.io/en/latest/dialogs.html Remediation: [hint] Please register user choices with leapp answer cli command or by manually editing the answerfile. [command] leapp answer --section authselect_check.confirm=True Version-Release number of selected component (if applicable): eapp-deps-0.12.0-1.el7_9.noarch leapp-0.12.0-1.el7_9.noarch python2-leapp-0.12.0-1.el7_9.noarch leapp-repository-0.13.0-2.el7_9.noarch leapp-repository-deps-0.13.0-2.el7_9.noarch Seems we need to add authselect_check.confirm=False to leapp answer file
We encountered this issue during the TLS-everywhere internal testing and we workarounded it by running the suggested command: leapp answer --section authselect_check.confirm ,however we missed to document it/cover it. Basically, leapp wants an answer if we want to migrate to authselect or leave the system using authconfig. It is something specific from this job (as our FFU jobs do not use TLS-everywhere). According to leapp folks, if setting this option to True then it will configure PAM and nsswitch.conf with authselect. If set to False, then it will leave authconfig. The simplest way to solve this issue is: * For the Undercloud leapp-upgrade: Run the command "leapp answer --section authselect_check.confirm=True" before triggering the leapp upgrade command (right after step 7): https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html-single/framework_for_upgrades_13_to_16.1/index#performing-a-leapp-upgrade-on-the-undercloud * For the Overcloud node leapp-upgrade: Make use of the LeappInitCommand Heat parameter to pass the command to run. Add the following Heat parameter in the templates/upgrades-environment.yaml, set the parameter to True if wanting to migrate from authconfig to authselect, otherwise leave it as False: parameter_defaults: ... LeappInitCommand: | sudo leapp answer --section authselect_check.confirm=True --add We will move this into docs, as it's a limitation from Leapp: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/upgrading_from_rhel_7_to_rhel_8/index#known-issues_troubleshooting And we need the user to choose if migrating to authselect or not.
16.2: https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/upgrades/view/ffu/job/DFG-upgrades-ffu-16.2-from-13-latest_cdn-3cont_3db_3msg_2net_3hci-ipv6-ovs_dvr/92/ core_puddle: 2021-07-15.2 core_puddle: RHOS-16.2-RHEL-8-20210811.n.1 http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/rcj/DFG-upgrades-ffu-16.2-from-13-latest_cdn-3cont_3db_3msg_2net_3hci-ipv6-ovs_dvr/92/undercloud-0/home/stack/overcloud_system_upgrade-controller-0,database-0,messaging-0,networker-0.log.gz 2021-08-15 01:35:47 | 2021-08-15 01:17:29.967307 | 52540052-55b3-3efb-36a5-00000000024f | TASK | set leapp required answers 2021-08-15 01:35:47 | 2021-08-15 01:17:30.945108 | 52540052-55b3-3efb-36a5-00000000024f | CHANGED | set leapp required answers | networker-0 2021-08-15 01:35:47 | 2021-08-15 01:17:30.946330 | 52540052-55b3-3efb-36a5-00000000024f | TIMING | set leapp required answers | networker-0 | 0:03:29.971046 | 0.98s 16.1: https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/upgrades/view/ffu/job/DFG-upgrades-ffu-16.1-from-13-latest_cdn-3cont_3hci-ipv4-ovs_dvr/194/ core_puddle: 2021-07-15.2 core_puddle: RHOS-16.1-RHEL-8-20210804.n.0 2021-08-13 00:28:46 | TASK [set leapp required answers] ********************************************** 2021-08-13 00:28:46 | Friday 13 August 2021 00:10:34 +0000 (0:00:00.707) 0:06:21.909 ********* 2021-08-13 00:28:46 | changed: [controller-0] => {"changed": true, "cmd": "# PAM module pam_pkcs11 is no longer available in RHEL-8 since it was replaced by SSSD\nleapp answer --section remove_pam_pkcs11_module_check.confirm=True --add\n# Required for TLS-Everywhere, switch from authconfig to authselect\nleapp answer --section authselect_check.confirm=True --add\n", "delta": "0:00:00.741660", "end": "2021-08-13 00:10:35.103686", "rc": 0, "start": "2021-08-13 00:10:34.362026", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
Ack, merged and published for 13 -> 16.1 FFU guide: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html-single/framework_for_upgrades_13_to_16.1/index#performing-a-leapp-upgrade-on-the-undercloud Patch is already merged and published for 13 -> 16.2 FFU guide: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html-single/framework_for_upgrades_13_to_16.2/index#performing-a-leapp-upgrade-on-the-undercloud
Perfect, thank you Alex.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 16.1.7 (Train) bug fix and enhancement advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3762