diff --git a/doc/source/operations/upgrading.rst b/doc/source/operations/upgrading.rst index bb7096fe2..c5215a4df 100644 --- a/doc/source/operations/upgrading.rst +++ b/doc/source/operations/upgrading.rst @@ -68,6 +68,14 @@ Some things to watch out for: will not be granted those roles. This may include the ``reader`` role, which is referenced in some of the new secure RBAC policies. See `Keystone bug 2030061 `_. +* If you have overwritten ``[auth] tempest_roles`` in your Tempest config, such + as to add the ``creator`` role for Barbican, you will need to also add the + ``member role``. eg: + + .. code-block:: ini + + [auth] + tempest_roles = creator,member OVN enabled by default ---------------------- @@ -107,6 +115,29 @@ Known issues * The OVN sync repair tool removes metadata ports, breaking OVN load balancers. See `LP#2038091 `__. +* When you try to generate config before the 2023.1 upgrade (i.e. using 2023.1 + Kolla-Ansible but still running Zed kolla-toolbox), it will fail on Octavia. + This patch is needed to fix this: + https://review.opendev.org/c/openstack/kolla-ansible/+/905500 + +* If you run ``kayobe overcloud service upgrade`` twice, it will cause shard + allocation to be disabled in OpenSearch. See `LP#2049512 + `__ for details. + + You can check if this is affecting your system with the following command. If + ``transient.cluster.routing.allocation.enable=none`` is present, shard + allocation is disabled. + + .. code-block:: console + + curl http://:9200/_cluster/settings + + For now, the easiest way to fix this is to turn allocation back on: + + .. code-block:: console + + curl -X PUT http://:9200/_cluster/settings -H 'Content-Type:application/json' -d '{"transient":{"cluster":{"routing":{"allocation":{"enable":"all"}}}}}' + Security baseline =================