Credential Encryption breaks deployments without Fernet
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Lance Bragstad |
tripleo | Fix Released | Critical | Unassigned |
Bug Description
A recent change to encrypt credentials broke RDO/Tripleo deployments:
2016-09-02 17:16:55.074 17619 ERROR keystone.
Changed in tripleo:
  importance: Undecided → Critical
  milestone: none → newton-rc1
  status: New → Confirmed
Changed in keystone:
  milestone: none → newton-rc1
Changed in keystone:
  importance: Undecided → High
Changed in tripleo:
  status: Confirmed → Fix Released
I'm adding TripleO because we need to automate the process of upgrade regarding: http://docs.openstack.org/releasenotes/keystone/unreleased.html#upgrade-notes
"Keystone now supports encrypted credentials at rest. In order to upgrade successfully to Newton, deployers must encrypt all credentials currently stored before contracting the database. Deployers must run keystone-manage credential_setup in order to use the credential API within Newton, or finish the upgrade from Mitaka to Newton. This will result in a service outage for the credential API where credentials will be read-only for the duration of the upgrade process. Once the database is contracted credentials will be writeable again. Database contraction phases only apply to rolling upgrades."
So I'm going to try to make it transparent in puppet-keystone but for sure TripleO will have to run the command in the upgrade scripts.
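As an added illustration (not code from this bug report, nor from keystone, tripleo or puppet-keystone), the fragment below models the ordering the quoted upgrade note imposes: the credential key repository must exist and the stored credentials must be encrypted before the database is contracted, otherwise keystone is left with credential encryption switched on and no Fernet keys to use, which is the situation the bug title describes. It assumes keystone's default `[credential] key_repository` path `/etc/keystone/credential-keys`, that the expand and migrate phases of a rolling upgrade have already been run, and that `keystone-manage credential_setup --keystone-user/--keystone-group`, `credential_migrate` and `db_sync --contract` behave as in Newton; check them against `keystone-manage --help` on the release actually being deployed. Only the precondition check `credential_keys_ready` runs without keystone installed; `DRY_RUN=1` (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example; not part of the bug report or of keystone/tripleo.
# Ordering required by the Newton credential-encryption upgrade note:
# keys present and credentials encrypted BEFORE the schema is contracted.

# Assumed default of keystone's [credential] key_repository option.
KEY_REPO="${KEY_REPO:-/etc/keystone/credential-keys}"
# DRY_RUN=1 prints the keystone-manage calls; set to 0 on a real controller.
DRY_RUN="${DRY_RUN:-1}"

# credential_keys_ready DIR
# Returns 0 when DIR looks like a usable credential key repository:
#  - it contains at least one integer-named key file (credential_setup
#    writes keys named 0 and 1),
#  - it contains nothing that is not an integer-named key file,
#  - no key file is readable by group or others.
# This is the guard an upgrade script should apply before contracting.
credential_keys_ready() {
    dir="$1"
    [ -d "$dir" ] || return 1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            *[!0-9]*) return 1 ;;          # stray non-key file in the repository
        esac
        # octal mode, e.g. 600; GNU stat first, BSD stat as fallback
        perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$perms" in
            ?00) ;;                        # owner-only (400/600/700) is acceptable
            *) return 1 ;;                 # key material readable by others
        esac
        found=1
    done
    [ "$found" -eq 1 ]
}

# run CMD...: execute, or only print under DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# The upgrade steps in the order the release note requires. Assumes
# db_sync --expand and --migrate have already been applied.
upgrade_credentials_then_contract() {
    # 1. create the credential key repository (no-op if keys already exist)
    run keystone-manage credential_setup \
        --keystone-user keystone --keystone-group keystone
    # 2. encrypt the plaintext credential rows that predate the upgrade
    run keystone-manage credential_migrate
    # 3. refuse to contract unless the key repository is actually usable
    if [ "$DRY_RUN" != 1 ] && ! credential_keys_ready "$KEY_REPO"; then
        echo "credential key repository $KEY_REPO is not ready; not contracting" >&2
        return 1
    fi
    run keystone-manage db_sync --contract
}

# Invoke as: sh upgrade.sh --run   (DRY_RUN=0 to really execute the commands)
if [ "${1-}" = "--run" ]; then
    upgrade_credentials_then_contract
fi
```

The check deliberately fails closed on any unexpected file or loose permission rather than only on an empty directory: a repository that is present but unreadable by the keystone user, or readable by everyone, is as much of a deployment problem as one that is missing.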