release notes erroneously say that nova-consoleauth doesn't have to run in Rocky

Bug #1788470 reported by melanie witt on 2018-08-22
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Medium
melanie witt
Rocky
Medium
melanie witt

Bug Description

The release notes for Rocky currently say that the nova-consoleauth service can be turned off in Rocky, if the option [workarounds]/enable_consoleauth = False, but that's not true because console token authorizations are stored in *both* the nova-consoleauth service and the database in the Rocky code.

We will remove the use of the nova-consoleauth service in Stein.

This bug is for fixing the docs.

Matt Riedemann (mriedem) on 2018-08-22
Changed in nova:
status: New → Confirmed
melanie witt (melwitt) on 2018-08-23
description: updated

Fix proposed to branch: master
Review: https://review.openstack.org/595455

Changed in nova:
status: Confirmed → In Progress
melanie witt (melwitt) on 2018-08-23
summary: - release notes and docs erroneously say that nova-consoleauth doesn't
- have to run in Rocky
+ release notes erroneously say that nova-consoleauth doesn't have to run
+ in Rocky
description: updated

Reviewed: https://review.openstack.org/595455
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4f01f4ff88de571218a36ba7c4e998296a7b52a4
Submitter: Zuul
Branch: master

commit 4f01f4ff88de571218a36ba7c4e998296a7b52a4
Author: melanie witt <email address hidden>
Date: Thu Aug 23 04:53:18 2018 +0000

    Correct the release notes related to nova-consoleauth

    The release notes said it was okay not to run the nova-consoleauth
    service in Rocky, but that's not true because the Rocky code is storing
    new console authorization tokens in both the database backend and the
    existing nova-consoleauth backend. The use of nova-consoleauth will be
    discontinued in Stein (for non-cells v1). We can't remove
    nova-consoleauth until we remove cells v1.

    Closes-Bug: #1788470

    Change-Id: Ibbdc7c50c312da2acc59dfe64de95a519f87f123

Changed in nova:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/595890
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=212a2c5fee389b413b69050d93a06831326b9192
Submitter: Zuul
Branch: stable/rocky

commit 212a2c5fee389b413b69050d93a06831326b9192
Author: melanie witt <email address hidden>
Date: Thu Aug 23 04:53:18 2018 +0000

    Correct the release notes related to nova-consoleauth

    The release notes said it was okay not to run the nova-consoleauth
    service in Rocky, but that's not true because the Rocky code is storing
    new console authorization tokens in both the database backend and the
    existing nova-consoleauth backend. The use of nova-consoleauth will be
    discontinued in Stein (for non-cells v1). We can't remove
    nova-consoleauth until we remove cells v1.

    Closes-Bug: #1788470

    Change-Id: Ibbdc7c50c312da2acc59dfe64de95a519f87f123
    (cherry picked from commit 4f01f4ff88de571218a36ba7c4e998296a7b52a4)

This issue was fixed in the openstack/nova 18.0.0.0rc3 release candidate.

Reviewed: https://review.openstack.org/607068
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b49209cc29f5ccd529b8074b68be074c5a2f742f
Submitter: Zuul
Branch: master

commit b49209cc29f5ccd529b8074b68be074c5a2f742f
Author: melanie witt <email address hidden>
Date: Mon Oct 1 23:47:28 2018 +0000

    Use nova-consoleauth only if workaround enabled

    In Rocky, we deprecated the nova-consoleauth service but there were
    unconditional calls to nova-consoleauth in the compute/api, which
    made it impossible to avoid running the nova-consoleauth service.

    This adds conditional checks to call nova-consoleauth only if the
    [workarounds]enable_consoleauth configuration option is True. The
    option defaults to False because the default console token auth TTL
    is 10 minutes and only operators who have configured much longer TTL
    or otherwise wish to avoid resetting all consoles at upgrade time
    need to use the option.

    This also updates the /os-console-auth-tokens/{console_token} API to
    use nova-consoleauth only if the [workarounds] option is enabled. This
    had to be done in the same change because the conditional checks in
    the compute/api code caused the /os-console-auth-tokens API functional
    tests to fail to find token authorizations in nova-consoleauth.

    Closes-Bug: #1788470
    Closes-Bug: #1795982

    Change-Id: Iff6020f1a10afc476864f979faf251ef5a1a6184

Change abandoned by melanie witt (<email address hidden>) on branch: master
Review: https://review.openstack.org/605250
Reason: Instead of un-deprecating, we fixed the code to actually make nova-consoleauth optional:

https://review.openstack.org/607068

Change abandoned by melanie witt (<email address hidden>) on branch: stable/rocky
Review: https://review.openstack.org/607037
Reason: Instead of un-deprecating, we fixed the code to actually make nova-consoleauth optional:

https://review.openstack.org/607068

Reviewed: https://review.openstack.org/610673
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3c69c1fdef4c868fb7b3775285d44d4c54358af4
Submitter: Zuul
Branch: stable/rocky

commit 3c69c1fdef4c868fb7b3775285d44d4c54358af4
Author: melanie witt <email address hidden>
Date: Mon Oct 1 23:47:28 2018 +0000

    Use nova-consoleauth only if workaround enabled

    In Rocky, we deprecated the nova-consoleauth service but there were
    unconditional calls to nova-consoleauth in the compute/api, which
    made it impossible to avoid running the nova-consoleauth service.

    This adds conditional checks to call nova-consoleauth only if the
    [workarounds]enable_consoleauth configuration option is True. The
    option defaults to False because the default console token auth TTL
    is 10 minutes and only operators who have configured much longer TTL
    or otherwise wish to avoid resetting all consoles at upgrade time
    need to use the option.

    This also updates the /os-console-auth-tokens/{console_token} API to
    use nova-consoleauth only if the [workarounds] option is enabled. This
    had to be done in the same change because the conditional checks in
    the compute/api code caused the /os-console-auth-tokens API functional
    tests to fail to find token authorizations in nova-consoleauth.

    Closes-Bug: #1788470
    Closes-Bug: #1795982

    Change-Id: Iff6020f1a10afc476864f979faf251ef5a1a6184
    (cherry picked from commit b49209cc29f5ccd529b8074b68be074c5a2f742f)

Artur Ruta (artur-ruta) wrote :

Just to let you know...when installing openstack on top of Ubuntu 18.10 it's no longer necessary (nor allowed) to add the cloud-archive:rocky (it's only supported for bionic)
Openstack install proceeds with no issues using the repositories included in the opsys...until we stunble on the issue of the need for nova-console-auth
When using the cloud-archive it was easy to bypass the issue just installing the nova-console-auth but on 18.10 using the repositories included with the opsys this package is not available and therefore there's no clear workarround until de fix for not needing nova-console-auth is released.
I guess the number of people stumbling on this will grow as they try ubuntu 18.10
Best regards.

This issue was fixed in the openstack/nova 18.0.3 release.

This issue was fixed in the openstack/nova 19.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers