Set Keystone ignore_lockout_failure_attempts for user sysinv

Rehoming can fail when 'sysinv' is locked out due to differing controller passwords on systems originally installed on STX 5 and later upgraded. A STX 6 change enabled ignore-lockout only for fresh installs, leaving upgraded systems exposed. This commit adds an idempotent platform-upgrade step that ensures the Keystone 'sysinv' user has ignore-lockout-failure-attempts. The steps: - runs on active controllers - updates in place, inserts if missing - is safe to re-run - not changed in case of rollback This prevents auth lockouts that break rehome workflows. Test Plan PASS: AIO-SX e2e upgrade stx-10 to stx-11 - On a stx-10 set ignore-lockout flag to false. - Perform platform upgrade. - Verify flag set as true after activation. Closes-bug: 2121906 Change-Id: Ief6c787f83e4ef74f40daeb7c0a533bd02d46799 Signed-off-by: Eduardo Almeida <Eduardo.AlmeidadosSantos@windriver.com>
2025-09-03 11:15:08 -03:00
parent 849c0826d2
commit b797fb7016
1 changed files with 73 additions and 0 deletions
--- a/software/upgrade-scripts/31-set-ignore-lockout-failure-attempts.py
+++ b/software/upgrade-scripts/31-set-ignore-lockout-failure-attempts.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python
+# Copyright (c) 2025 Wind River Systems
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Set Keystone "ignore_lockout_failure_attempts"
+# for user "sysinv" during upgrade-activate.
+
+import logging
+import subprocess
+import sys
+
+from software.utilities.utils import configure_logging
+
+LOG = logging.getLogger("main_logger")
+
+USER = "sysinv"
+FLAG = "ignore_lockout_failure_attempts"
+FLAG_PARAM = "--ignore-lockout-failure-attempts"
+COMMAND_TIMEOUT = 20
+
+
+def set_flag():
+    LOG.info(f"Setting up Keystone flag {FLAG}")
+
+    subprocess.run(
+        ["openstack", "user", "set", USER, FLAG_PARAM],
+        capture_output=True,
+        text=True,
+        check=True,
+        timeout=COMMAND_TIMEOUT
+    )
+
+    LOG.info(f"User option {FLAG} is set.")
+
+
+def main():
+    argv = sys.argv
+
+    if len(argv) > 5:
+        print(f"Invalid option {argv[5]}.")
+        return 1
+
+    from_release = argv[1] if len(argv) > 1 else None
+    to_release = argv[2] if len(argv) > 2 else None
+    action = argv[3] if len(argv) > 3 else None
+    # Not used by this script.
+    # postgres_port = argv[4] if len(argv) > 4 else None
+
+    configure_logging()
+
+    if action != "activate":
+        LOG.info(f"Nothing to do for action '{action}'.")
+        return 0
+
+    LOG.info("%s invoked with from_release %s to_release %s and action %s",
+             sys.argv[0], from_release, to_release, action)
+
+    try:
+        set_flag()
+    except subprocess.CalledProcessError as e:
+        LOG.error("Fail to set Keystone flag %s: %s",
+                  FLAG, e.stderr.strip())
+        return 1
+    except Exception as e:
+        LOG.error("Unexpected error: %s", e)
+        return 1
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())