
Cannot create magnum cluster
Closed, ResolvedPublic

Description

Cluster failing to build:

| status_reason        | Failed to create trustee or trust for Cluster: e850f43f-59eb-48de-a65d-022397d96baf                                       |

Perhaps related to https://docs.openstack.org/magnum/latest/admin/troubleshooting-guide.html#trustee-for-cluster

To recreate:

source novaenv.sh
export OS_PROJECT_ID=paws
openstack coe cluster create test-remove --cluster-template paws-k8s22 --master-count 1 --node-count 3

Seeing the same with the 1.23 template

Event Timeline

This is related to the role refactor, but I'm not sure how. When it comes time to create the keystone trust, keystone says that it can't find the 'member' role. Of course it can find it in all other contexts.

I think the issue with 'not found' is that it was trying to delegate a role from novaadmin to the service user which novaadmin didn't have in the first place. Now that novaadmin does have those roles it gets further, but not as far as I'd like.

If I remove the [trust] roles=reader,member setting from the config then all the roles of novaadmin get delegated (including 'admin') and that seems to complete the cluster. I don't love delegating adminship though...
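A precheck in the spirit of the comment above, added here as an example and not part of this task or of Magnum itself: it compares the roles that the magnum.conf [trust] roles setting will delegate with the roles the delegating user actually holds on the project, so the mismatch is caught before cluster creation fails with "Failed to create trustee or trust". The role assignment output is a constructed sample standing in for the openstack CLI.

```shell
#!/bin/sh
# Added example, not from the task or Magnum. Magnum can only delegate roles the
# trustor already holds on the project, so every role listed in [trust] roles
# must appear in the trustor's assignments before "openstack coe cluster create".

# Constructed sample standing in for the output of:
#   openstack role assignment list --user novaadmin --project paws --names -f value -c Role
# Here the user holds reader and admin but not member, the situation in this task.
SAMPLE_ASSIGNED_ROLES='reader
admin'

# missing_trust_roles TRUST_ROLES ASSIGNED_ROLES
#   TRUST_ROLES:    comma-separated value of [trust] roles, e.g. "reader,member"
#   ASSIGNED_ROLES: newline-separated role names the trustor holds on the project
# Prints each required role that is not assigned, one per line.
# Returns 0 when nothing is missing, 1 otherwise.
missing_trust_roles() {
    trust_roles=$1
    assigned=$2
    rc=0
    for role in $(printf '%s' "$trust_roles" | tr ',' ' '); do
        # -x matches whole lines only, so "reader" does not satisfy "reader_ext"
        if ! printf '%s\n' "$assigned" | grep -qx "$role"; then
            printf '%s\n' "$role"
            rc=1
        fi
    done
    return $rc
}

# trust_precheck TRUST_ROLES ASSIGNED_ROLES: human-readable summary of the check.
trust_precheck() {
    if missing=$(missing_trust_roles "$1" "$2"); then
        echo "ok: trustor holds all of [trust] roles=$1"
    else
        echo "trust creation would fail, missing: $(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
}

# Demo: the failing assignment from this task, then one with member added.
trust_precheck "reader,member" "$SAMPLE_ASSIGNED_ROLES" || :
trust_precheck "reader,member" "$SAMPLE_ASSIGNED_ROLES
member" || :
```

Removing [trust] roles entirely makes Magnum delegate every role the trustor holds, including admin, which is why restricting the list and fixing the trustor's assignments is the safer of the two workarounds.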

Andrew claimed this task.

Works for me, now! I left the config as is but made sure that novaadmin has reader + member everywhere. I'm pretty sure that for a normal non-novaadmin user this bug wouldn't have appeared in the first place since every other user has those roles.

I'm seeing the same problem in codfw1dev when I try to create a cluster with terraform. Probably I haven't set up the application credential correctly, though I would need help identifying how to set it up correctly. I can create a VM, so the cred has some access.

This seems like the appropriate ticket to reopen, though I can open another ticket if preferred.

I've mirrored the role changes I made on this task in codfw1dev so this can be retested. Is terraform creating the cluster as 'novaadmin' or as a human user?

This is resolved by using a credential with the "Unrestricted (dangerous)" checkbox selected. Thank you @taavi for the solution