mgr/cephadm: fix 'auth get-or-create' call#40071
Conversation
c3d3ef1 to
7c6d722
Compare
|
Is this specifically to fix upgrades from a version < 15.2.1 to a version > 15.2.1 where this is a temporary issue while the mgr daemons have already been upgraded but the mon daemons have not been upgraded yet? I'm guessing we can't just leave it in a state like this where we call 'auth get-or-create' without caps then add them in after with 'auth caps' if 'auth caps' doesn't work because then any newly created daemons wouldn't have their caps set. |
Right. And I think the first question is how and why did the mgr caps change to cause this problem. Reproducing again to get a closer look... |
1- Pass caps to 'auth get-or-create' 2- Only try 'auth caps' if the get-or-create failed Note that the 'auth caps' step can fail if upgrading from 15.2.0 since 'profile mgr' didn't include 'auth caps' until 15.2.1. We're not addressing that for now... Fixes: 7c0d532 Signed-off-by: Sage Weil <sage@newdream.net>
|
jenkins test make check |
adk3798
left a comment
There was a problem hiding this comment.
LGTM, do we still want a log message when the 'auth caps' call fails like you had originally?
If we're upgrading from 15.2.0, we may fail to update caps. Instead of failing the upgrade hard, warn to the log and continue. This is less than ideal, but the caps will get corrected the next time the daemon is redeployed on the next upgrade, and most likely the previous caps will continue to work (given they were presumably working before the upgrade). Signed-off-by: Sage Weil <sage@newdream.net>
|
@adk3798 added another patch that adds the warning and allows the upgrade to proceed (instead of failing hard, which breaks our rados/cephadm/upgrade tests that start from 15.2.0) |
If get-or-create caps doesn't work, we do 'auth caps' to update caps,
but this can also fail if the mons are running 15.2.0 (the 'mgr' profile
was updated to allow 'auth caps' in 15.2.1, see 467a27a).
Signed-off-by: Sage Weil sage@newdream.net