OpenStack Compute (nova)

The periodic task to clean up expired console_auth tokens is invalid

Bug #1816399 reported by jiangyuhao
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Medium
Takashi Natsume

Bug Description

Description
===========
In compute node, the periodic task to clean up expired console_auth tokens is invalid, can't remove expired console auth tokens for this host.

Steps to reproduce
==================
1.In controller node, config nova-novncproxy using database to store novnc auth tokens.
enable_consoleauth=false

2.In compute node, config vnc server address and token_ttl.
server_proxyclient_address=10.43.203.225
token_ttl=60

3.Restart nova-compute and nova-novncproxy.

4.Using nova command to get novncproxy_base_url and token.

Expected result
===============
The periodic task can remove expired console auth tokens in database.

Actual result
=============

This periodic task is invalid.

Environment
===========
1. Exact version of OpenStack you are running. See the following
master

2. Which hypervisor did you use?
Libvirt + KVM

3. Which networking type did you use?
Neutron with OpenVSwitch

Logs & Configs
==============
1. In console_auth_tokens table, host's value is CONF.vnc.server_proxyclient_address.

    def get_vnc_console(self, context, instance):
        def get_vnc_port_for_instance(instance_name):
            guest = self._host.get_guest(instance)

            xml = guest.get_xml_desc()
            xml_dom = etree.fromstring(xml)

            graphic = xml_dom.find("./devices/graphics[@type='vnc']")
            if graphic is not None:
                return graphic.get('port')
            # NOTE(rmk): We had VNC consoles enabled but the instance in
            # question is not actually listening for connections.
            raise exception.ConsoleTypeUnavailable(console_type='vnc')

        port = get_vnc_port_for_instance(instance.name)
        host = CONF.vnc.server_proxyclient_address

        return ctype.ConsoleVNC(host=host, port=port)

2. In periodic task, the host's value is hostname.

    @periodic_task.periodic_task(spacing=CONF.instance_delete_interval)
    def _cleanup_expired_console_auth_tokens(self, context):
        """Remove expired console auth tokens for this host.

        Console authorization tokens and their connection data are stored
        in the database when a user asks for a console connection to an
        instance. After a time they expire. We periodically remove any expired
        tokens from the database.
        """
        # If the database backend isn't in use, don't bother looking for
        # expired tokens. The database backend is not supported for cells v1.
        if not CONF.cells.enable:
            objects.ConsoleAuthToken.\
                clean_expired_console_auths_for_host(context, self.host)

Tags: console
Takashi Natsume (natsume-takashi)
tags: added: console
Takashi Natsume (natsume-takashi)
Changed in nova:
assignee: nobody → Takashi NATSUME (natsume-takashi)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/637716

melanie witt (melwitt)
tags: added: stein-rc-potential
Revision history for this message
Matt Riedemann (mriedem) wrote :

I've dropped the stein-rc-potential tag since this is a latent bug since at least Rocky and not a new regression in Stein.

tags: removed: stein-rc-potential
melanie witt (melwitt)
Changed in nova:
importance: Undecided → Medium
Revision history for this message
melanie witt (melwitt) wrote :

I just realized that the fix for this cannot be backported because it involves a versioned object bump.

no longer affects: nova/rocky
no longer affects: nova/stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/637716
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=57112a7174945cdcd9f395d20fd6a242cecf5072
Submitter: Zuul
Branch: master

commit 57112a7174945cdcd9f395d20fd6a242cecf5072
Author: Takashi NATSUME <email address hidden>
Date: Fri May 3 22:19:17 2019 +0900

    Fix cleaning up console tokens

    The periodic task to clean up expired console_auth tokens
    does not work properly because there are cases that 'host'
    in the 'console_auth_tokens' table is different from
    hosts where nova-compute processes run.

    So make the periodic task to clear all expired console tokens
    regardless of hosts where nova-compute processes run.

    Change-Id: I61cee4245e612b4bef1ffaacc634a8302cf836e9
    Closes-Bug: #1816399

Changed in nova:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 20.0.0.0rc1

This issue was fixed in the openstack/nova 20.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.