We had an operator come to us with an interesting issue regarding rolling upgrades from Mitaka to Newton. The conversation was logged in #openstack-keystone. This notepad is my attempt to recreate the issue and document whatever I find.
I documented most of the installation process while testing the migration for encrypted credentials. I'm going to essentially use the same steps to install keystone. The steps after setup are specific to creating test data for credentials. Here we are going to document the upgrade process separately since it doesn't have to be specific to credentials.
Once we have Mitaka up and running - we can go ahead and populate it with some data:
openstack project create accounting
openstack project create marketing
openstack project create sales
openstack project create engineering
openstack user create --project accounting --password password --enable bob
openstack user create --project accounting --password password --enable susan
openstack user create --project marketing --password password --enable jeff
openstack user create --project marketing --password password --enable jerry
openstack user create --project marketing --password password --enable jim
openstack user create --project marketing --password password --enable jane
openstack user create --project sales --password password --enable tom
openstack user create --project engineering --password password --enable jill
openstack user create --project engineering --password password --enable jack
openstack user create --project engineering --password password --enable george
openstack user create --project engineering --password password --enable sarah
openstack role create member
openstack role add --user bob --project accounting member
openstack role add --user susan --project accounting member
openstack role add --user jeff --project marketing member
openstack role add --user jerry --project marketing member
openstack role add --user jim --project marketing member
openstack role add --user jane --project marketing member
openstack role add --user tom --project sales member
openstack role add --user jill --project engineering member
openstack role add --user jack --project engineering member
openstack role add --user george --project engineering member
openstack role add --user sarah --project engineering member
I'm going to follow the steps as they are in keystone's documentation.
sudo mysqldump keystone > keystone-backup-1477326267.sql
Since I'm using an eventlet process for testing (keystone-wsgi-admin
), this just consists of stopping that process.
(mitaka) ubuntu@upgrade-1:~$ ps aux | grep keystone
ubuntu 51020 0.0 0.0 12944 1088 pts/1 S+ 16:40 0:00 grep --color=auto keystone
git clone -b stable/newton https://github.com/openstack/keystone keystone-newton
Lets create a new virtualenv for our Newton source:
virtualenv newton
source newton/bin/activate
pip install -e keystone-newton/
pip install python-memcached osprofiler mysql-python
(newton) ubuntu@upgrade-1:~$ keystone-manage doctor
Option "verbose" from group "DEFAULT" is deprecated for removal. Its value may be silently ignored in the future.
Checking for caching disabled...
Checking for caching enabled without a backend...
Checking for keys in credential fernet key repository...
Checking for unique key repositories...
Checking for usability of credential fernet key repository...
Checking for database connection is not SQLite...
Checking for comma in SAML private key file path...
Checking for comma in SAML public certificate path...
Checking for LDAP group members are ids disabled...
Checking for LDAP user enabled emulation dn ignored...
Checking for LDAP user enabled emulation use group config ignored...
Checking for invalid password regular expression...
Checking for minimum password age should be less than password expires days...
Checking for password regular expression description not set...
Checking for unreasonable max token size...
Checking for keys in Fernet key repository...
Checking for usability of Fernet key repository...
(newton) ubuntu@upgrade-1:~$ keystone-manage db_sync --expand
2016-10-24 16:43:35.031 51249 INFO migrate.versioning.api [-] 97 -> 98...
2016-10-24 16:43:35.037 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.037 51249 INFO migrate.versioning.api [-] 98 -> 99...
2016-10-24 16:43:35.042 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.042 51249 INFO migrate.versioning.api [-] 99 -> 100...
2016-10-24 16:43:35.047 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.047 51249 INFO migrate.versioning.api [-] 100 -> 101...
2016-10-24 16:43:35.055 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.055 51249 INFO migrate.versioning.api [-] 101 -> 102...
2016-10-24 16:43:35.068 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.068 51249 INFO migrate.versioning.api [-] 102 -> 103...
2016-10-24 16:43:35.092 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.093 51249 INFO migrate.versioning.api [-] 103 -> 104...
2016-10-24 16:43:35.100 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.100 51249 INFO migrate.versioning.api [-] 104 -> 105...
2016-10-24 16:43:35.170 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.170 51249 INFO migrate.versioning.api [-] 105 -> 106...
2016-10-24 16:43:35.208 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.208 51249 INFO migrate.versioning.api [-] 106 -> 107...
2016-10-24 16:43:35.264 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.265 51249 INFO migrate.versioning.api [-] 107 -> 108...
2016-10-24 16:43:35.352 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.353 51249 INFO migrate.versioning.api [-] 108 -> 109...
2016-10-24 16:43:35.396 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.423 51249 INFO migrate.versioning.api [-] 0 -> 1...
2016-10-24 16:43:35.428 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.428 51249 INFO migrate.versioning.api [-] 1 -> 2...
2016-10-24 16:43:35.433 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.434 51249 INFO migrate.versioning.api [-] 2 -> 3...
2016-10-24 16:43:35.490 51249 INFO migrate.versioning.api [-] done
2016-10-24 16:43:35.490 51249 INFO migrate.versioning.api [-] 3 -> 4...
2016-10-24 16:43:35.495 51249 INFO migrate.versioning.api [-] done
I'm going to make sure I can still get a token from upgrade-2:
(osc) ubuntu@upgrade-2:~$ openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-10-24T17:44:59+0000 |
| id | b6cf77d762f64466b8b3bc0eccb62a24 |
| project_id | 5ec043fb4c6a4077b258bc300ec8feb9 |
| user_id | fa1003125a1c4f089654ba6881b2eeda |
+------------+----------------------------------+
(newton) ubuntu@upgrade-1:~$ keystone-manage db_sync --migrate
2016-10-24 16:45:29.417 51379 INFO migrate.versioning.api [-] 0 -> 1...
2016-10-24 16:45:29.423 51379 INFO migrate.versioning.api [-] done
2016-10-24 16:45:29.423 51379 INFO migrate.versioning.api [-] 1 -> 2...
2016-10-24 16:45:29.429 51379 INFO migrate.versioning.api [-] done
2016-10-24 16:45:29.429 51379 INFO migrate.versioning.api [-] 2 -> 3...
2016-10-24 16:45:29.440 51379 INFO migrate.versioning.api [-] done
2016-10-24 16:45:29.440 51379 INFO migrate.versioning.api [-] 3 -> 4...
2016-10-24 16:45:29.446 51379 INFO migrate.versioning.api [-] done
The migration seems to be fine - let's get another token from upgrade-2:
(osc) ubuntu@upgrade-2:~$ openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-10-24T17:46:23+0000 |
| id | 1013d1d3ca294a9eab0670b7d7003247 |
| project_id | 5ec043fb4c6a4077b258bc300ec8feb9 |
| user_id | fa1003125a1c4f089654ba6881b2eeda |
+------------+----------------------------------+
At this point I should be able to safely start the keystone-wsgi-admin
process on upgrade-1. We can verify keystone is running by grabbing a token from upgrade-1.
(osc) ubuntu@upgrade-1:~$ openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-10-24T17:48:30+0000 |
| id | aec62a358e564e52b1db913d772add21 |
| project_id | 5ec043fb4c6a4077b258bc300ec8feb9 |
| user_id | fa1003125a1c4f089654ba6881b2eeda |
+------------+----------------------------------+
I did the same virtualenv steps for Newton, already documented in step 3:
git clone -b stable/newton https://github.com/openstack/keystone keystone-newton
Lets create a new virtualenv for our Newton source:
virtualenv newton
source newton/bin/activate
pip install -e keystone-newton/
pip install python-memcached osprofiler mysql-python
keystone-wsgi-admin -p 35357
Just double checking that I can still get a token from upgrade-2 after Newton code is running:
(osc) ubuntu@upgrade-2:~$ openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-10-24T17:49:00+0000 |
| id | c1cc3560c37447a896afab69e5aef00a |
| project_id | 5ec043fb4c6a4077b258bc300ec8feb9 |
| user_id | fa1003125a1c4f089654ba6881b2eeda |
+------------+----------------------------------+
(newton) ubuntu@upgrade-1:~$ keystone-manage db_sync --contract
2016-10-24 16:50:46.563 51789 INFO migrate.versioning.api [-] 0 -> 1...
2016-10-24 16:50:46.570 51789 INFO migrate.versioning.api [-] done
2016-10-24 16:50:46.570 51789 INFO migrate.versioning.api [-] 1 -> 2...
2016-10-24 16:50:46.651 51789 INFO migrate.versioning.api [-] done
2016-10-24 16:50:46.651 51789 INFO migrate.versioning.api [-] 2 -> 3...
2016-10-24 16:50:46.709 51789 INFO migrate.versioning.api [-] done
2016-10-24 16:50:46.709 51789 INFO migrate.versioning.api [-] 3 -> 4...
2016-10-24 16:50:46.818 51789 INFO migrate.versioning.api [-] done
At this point there are no Mitaka nodes running and the database has been upgraded to Newton's schema. I can verify information on both nodes.
Information from upgrade-1
(osc) ubuntu@upgrade-1:~$ openstack user list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 0ef34fc7e35444c6a328bdb302da1287 | jill |
| 1db6450319c240de870f3b47832c0fb8 | jane |
| 23ed3d0d478142dfa05c06c98d9437b7 | jeff |
| 26771559a7e04c64a64de8c6e9d5612e | jack |
| 37329ad64ae146e8bcc2555fcb744ed1 | susan |
| 4db2489ad11e426f9fd5da9492eb484b | tom |
| 5f0a2ee52cda4c7cbe97626e8919fc1d | sarah |
| 65755898e12f42cba58a94160ea49ac6 | jerry |
| 904aa66ae6dc4f959d655eb2df36f54b | bob |
| a45bf02a17694282be21611cc9d2d2ce | george |
| b53b8ccdf1174a20884e73e482bdbea7 | jim |
| fa1003125a1c4f089654ba6881b2eeda | admin |
+----------------------------------+--------+
(osc) ubuntu@upgrade-1:~$ openstack project list
+----------------------------------+-------------+
| ID | Name |
+----------------------------------+-------------+
| 52be18361d504e4bac727fdad7c0972b | sales |
| 5ec043fb4c6a4077b258bc300ec8feb9 | admin |
| 630714b2a6404bc6bf88518054a4a418 | accounting |
| a51dd026cb4f45d6a716e1afbff4242c | marketing |
| f409f94f48bd46bdb7265d51e5bea386 | engineering |
+----------------------------------+-------------+
(osc) ubuntu@upgrade-1:~$ openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| c85c300f3bfb4ecab094a15e48a23918 | 0ef34fc7e35444c6a328bdb302da1287 | | f409f94f48bd46bdb7265d51e5bea386 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 1db6450319c240de870f3b47832c0fb8 | | a51dd026cb4f45d6a716e1afbff4242c | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 23ed3d0d478142dfa05c06c98d9437b7 | | a51dd026cb4f45d6a716e1afbff4242c | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 26771559a7e04c64a64de8c6e9d5612e | | f409f94f48bd46bdb7265d51e5bea386 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 37329ad64ae146e8bcc2555fcb744ed1 | | 630714b2a6404bc6bf88518054a4a418 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 4db2489ad11e426f9fd5da9492eb484b | | 52be18361d504e4bac727fdad7c0972b | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 5f0a2ee52cda4c7cbe97626e8919fc1d | | f409f94f48bd46bdb7265d51e5bea386 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 65755898e12f42cba58a94160ea49ac6 | | a51dd026cb4f45d6a716e1afbff4242c | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 904aa66ae6dc4f959d655eb2df36f54b | | 630714b2a6404bc6bf88518054a4a418 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | a45bf02a17694282be21611cc9d2d2ce | | f409f94f48bd46bdb7265d51e5bea386 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | b53b8ccdf1174a20884e73e482bdbea7 | | a51dd026cb4f45d6a716e1afbff4242c | | False |
| b9c158cf7f9f4b9f82ffbb15c3fbb6c8 | fa1003125a1c4f089654ba6881b2eeda | | 5ec043fb4c6a4077b258bc300ec8feb9 | | False |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
(osc) ubuntu@upgrade-1:~$ openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-10-24T17:54:38+0000 |
| id | 25fd2bdcb71a4be09c58f545f1d5ab11 |
| project_id | 5ec043fb4c6a4077b258bc300ec8feb9 |
| user_id | fa1003125a1c4f089654ba6881b2eeda |
+------------+----------------------------------+
Information from upgrade-2
(osc) ubuntu@upgrade-2:~$ openstack user list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 0ef34fc7e35444c6a328bdb302da1287 | jill |
| 1db6450319c240de870f3b47832c0fb8 | jane |
| 23ed3d0d478142dfa05c06c98d9437b7 | jeff |
| 26771559a7e04c64a64de8c6e9d5612e | jack |
| 37329ad64ae146e8bcc2555fcb744ed1 | susan |
| 4db2489ad11e426f9fd5da9492eb484b | tom |
| 5f0a2ee52cda4c7cbe97626e8919fc1d | sarah |
| 65755898e12f42cba58a94160ea49ac6 | jerry |
| 904aa66ae6dc4f959d655eb2df36f54b | bob |
| a45bf02a17694282be21611cc9d2d2ce | george |
| b53b8ccdf1174a20884e73e482bdbea7 | jim |
| fa1003125a1c4f089654ba6881b2eeda | admin |
+----------------------------------+--------+
(osc) ubuntu@upgrade-2:~$ openstack project list
+----------------------------------+-------------+
| ID | Name |
+----------------------------------+-------------+
| 52be18361d504e4bac727fdad7c0972b | sales |
| 5ec043fb4c6a4077b258bc300ec8feb9 | admin |
| 630714b2a6404bc6bf88518054a4a418 | accounting |
| a51dd026cb4f45d6a716e1afbff4242c | marketing |
| f409f94f48bd46bdb7265d51e5bea386 | engineering |
+----------------------------------+-------------+
(osc) ubuntu@upgrade-2:~$ openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| c85c300f3bfb4ecab094a15e48a23918 | 0ef34fc7e35444c6a328bdb302da1287 | | f409f94f48bd46bdb7265d51e5bea386 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 1db6450319c240de870f3b47832c0fb8 | | a51dd026cb4f45d6a716e1afbff4242c | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 23ed3d0d478142dfa05c06c98d9437b7 | | a51dd026cb4f45d6a716e1afbff4242c | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 26771559a7e04c64a64de8c6e9d5612e | | f409f94f48bd46bdb7265d51e5bea386 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 37329ad64ae146e8bcc2555fcb744ed1 | | 630714b2a6404bc6bf88518054a4a418 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 4db2489ad11e426f9fd5da9492eb484b | | 52be18361d504e4bac727fdad7c0972b | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 5f0a2ee52cda4c7cbe97626e8919fc1d | | f409f94f48bd46bdb7265d51e5bea386 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 65755898e12f42cba58a94160ea49ac6 | | a51dd026cb4f45d6a716e1afbff4242c | | False |
| c85c300f3bfb4ecab094a15e48a23918 | 904aa66ae6dc4f959d655eb2df36f54b | | 630714b2a6404bc6bf88518054a4a418 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | a45bf02a17694282be21611cc9d2d2ce | | f409f94f48bd46bdb7265d51e5bea386 | | False |
| c85c300f3bfb4ecab094a15e48a23918 | b53b8ccdf1174a20884e73e482bdbea7 | | a51dd026cb4f45d6a716e1afbff4242c | | False |
| b9c158cf7f9f4b9f82ffbb15c3fbb6c8 | fa1003125a1c4f089654ba6881b2eeda | | 5ec043fb4c6a4077b258bc300ec8feb9 | | False |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
(osc) ubuntu@upgrade-2:~$ openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-10-24T17:54:41+0000 |
| id | 11a0f0f98c1d48039a31a1d0f346bd5d |
| project_id | 5ec043fb4c6a4077b258bc300ec8feb9 |
| user_id | fa1003125a1c4f089654ba6881b2eeda |
+------------+----------------------------------+