[openstack-ansible][wallaby deployment getting failed] error:- Service user token configuration is required for all Nova

Dmitriy Rabotyagov noonedeadpunk at gmail.com
Sun Jul 23 04:41:41 UTC 2023


Hey Danish,

This failure is related to the security vulnerability [1].
There are several things to mention in this regard:
1. Cinder has not backported the fix to Wallaby, due to its complexity, so
the vulnerability is still not fully covered there.
2. Nova has backported the fix, which is raising the error you see.
3. In OpenStack-Ansible we also have not backported the work that is required
to support service tokens to Wallaby, as a huge amount of changes is
required for this fix, while the vulnerability is not fixed in the
services themselves.
4. There is a huge ongoing discussion in the Technical Committee on what to do
with releases in Extended Maintenance and whether we should End Of Life them or
not, which was raised by this vulnerability.

Keeping all that in mind, you still should be able to deploy
OpenStack-Ansible. And there are several ways of doing that.

1. Deploy a vulnerable version of the services. So I would try using 23.4.3
instead of stable/wallaby or 23.4.4 or wallaby-em.
You can also override the nova SHA to install an unpatched version by providing
`nova_git_install_branch: a9e81626c5e9dac897759c5f66c7ae1b4efa3c6d` to
user-variables.
2. Apply manual config overrides for the nova and cinder services to comply
with the new requirements for this vulnerability. So you need something like this:

nova_nova_conf_overrides:
  keystone_authtoken:
    service_token_roles_required: True
    service_token_roles: admin
  service_user:
    send_service_user_token: True
    region_name: "{{ nova_service_region }}"
    auth_type: password
    username: "{{ nova_service_user_name }}"
    password: "{{ nova_service_password }}"
    project_name: "{{ nova_service_project_name }}"
    user_domain_id: "{{ nova_service_user_domain_id }}"
    project_domain_id: "{{ nova_service_project_domain_id }}"
    auth_url: "{{ keystone_service_adminurl }}"
    insecure: "{{ keystone_service_adminuri_insecure | bool }}"


[1] https://security.openstack.org/ossa/OSSA-2023-003.html


On Sun, Jul 23, 2023, 01:25 Danish Khan <danish52.jmi at gmail.com> wrote:

> Dear Team,
>
> I am trying to deploy openstack-ansible wallaby but it is getting
> failed with error:
>
> service user token configuration is required for all Nova services.
> For more details see the following:
>
> https://docs.openstack.org/latest/nova/admin/configuration/service-user-token.html
>
> But the mentioned webpage is not available.
>
> This is fixed in yoga but wallaby is still failing.
>
> I tried to copy few variables from Yoga but that is working for me.
>
> Can someone please help me on this? Where do I need to make some changes
> to deploy openstack-ansible wallaby?
>
> Thanks in advance :)
>
> Regards,
> Danish
>
>
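
Added example, not part of the original message or of OpenStack-Ansible: a small check that a rendered nova.conf carries the options listed in the nova_nova_conf_overrides block above. The function name, the sample config and the choice to treat every listed option except `insecure` as required are assumptions.

```python
import configparser

# Options from the nova_nova_conf_overrides block in the message above.
# `insecure` is deployment specific and is not checked here.
REQUIRED = {
    "keystone_authtoken": ["service_token_roles_required", "service_token_roles"],
    "service_user": ["send_service_user_token", "region_name", "auth_type",
                     "username", "password", "project_name", "user_domain_id",
                     "project_domain_id", "auth_url"],
}
MUST_BE_TRUE = [("keystone_authtoken", "service_token_roles_required"),
                ("service_user", "send_service_user_token")]

def audit_nova_conf(text):
    """Return a list of findings; an empty list means nothing is missing."""
    # default_section is renamed so [DEFAULT] values are not inherited by
    # other sections; interpolation is off because passwords may contain '%'.
    cp = configparser.ConfigParser(default_section="__unused__",
                                   interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section, options in REQUIRED.items():
        if not cp.has_section(section):
            findings.append(f"[{section}] section missing")
            continue
        for opt in options:
            if not cp.get(section, opt, fallback="").strip():
                findings.append(f"[{section}] {opt} missing or empty")
    for section, opt in MUST_BE_TRUE:
        value = cp.get(section, opt, fallback="").strip().lower()
        if value and value not in ("true", "1", "yes", "on"):
            findings.append(f"[{section}] {opt} = {value!r}, expected True")
    return findings

# Constructed sample: a rendered nova.conf fragment without the overrides applied.
SAMPLE_UNPATCHED = """
[DEFAULT]
debug = False
[keystone_authtoken]
service_token_roles = admin
[service_user]
send_service_user_token = False
auth_type = password
"""

if __name__ == "__main__":
    for finding in audit_nova_conf(SAMPLE_UNPATCHED):
        print(finding)
```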