Hello~ I have an OpenStack Rocky platform. My nova.cfg is configured with "[consoleauth] token_ttl=360000 [workarounds] enable_consoleauth=true". I get the console URL and access my VM console on the web. The console URL becomes invalid after one or two minutes, not 360000s. How can I resolve this? Looking forward to hearing from you. Ankele!
On 11/19/20 01:35, Ankele zhang wrote:
Hello~ I have an OpenStack Rocky platform. My nova.cfg is configured with "[consoleauth] token_ttl=360000 [workarounds] enable_consoleauth=true". I get the console URL and access my VM console on the web. The console URL becomes invalid after one or two minutes, not 360000s. How can I resolve this? Looking forward to hearing from you.
Hi Ankele,
I'm sure you have already read this but for reference, this is the blurb in the release notes around the console proxy changes [1]. Note that the [workarounds]enable_consoleauth option has been removed in the Train release, so to avoid interruptions in consoles during an upgrade to Train, you must ensure your deployment has fully migrated to the new per-cell console proxy model in Rocky or Stein.
In Rocky, console token auths are stored in the cell database(s) (new way) and if [workarounds]enable_consoleauth=true on the nova-api nodes, they are additionally stored in the nova-consoleauth service (old way). Then, on the console proxy side, if [workarounds]enable_consoleauth=true on the nova-novncproxy nodes, the proxy will first try to validate the token in the nova-consoleauth service (old way) and if that's not successful, it will fall back to contacting the cell database to validate the token (new way). In order for it to succeed at validating the token in the cell database, the nova-novncproxy needs to be deployed per cell and have access to the cell database [database]connection.
If you need to use nova-consoleauth to transition to the database-backend model, you must set [workarounds]enable_consoleauth=true on both the nova-novncproxy nodes (for token validation) and the nova-api nodes (for token auth storage in the old way). The [consoleauth]token_ttl option needs to be set to the value you desire on both the nova-consoleauth nodes (old way) and nova-compute nodes (new way).
So, I suspect the issue is you need to set the aforementioned config options on nodes where you don't yet have them set.
To transition to the new way without console interruption, you will need to (1) deploy nova-novncproxy services to each of your cells and make sure they have [database]connection set to the corresponding cell database, (2) wait until all token auths generated before Rocky are expired, (3) set [workarounds]enable_consoleauth=false on nova-novncproxy and nova-api nodes, (4) remove the nova-consoleauth service from your deployment.
Hope this helps, -melanie
[1] https://docs.openstack.org/releasenotes/nova/rocky.html#relnotes-18-0-0-stab...
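Added example (not part of the original thread, and not Nova code): a small Python check of the per-role settings the reply above lists for Rocky, run over the text of each node's nova.conf. The node names and sample configs are constructed, and the role-to-option map is an assumption taken from the reply.

```python
import configparser

# Which node roles must carry each option in Rocky, per the reply above.
REQUIRED = {
    ("workarounds", "enable_consoleauth"): {"nova-api", "nova-novncproxy"},
    ("consoleauth", "token_ttl"): {"nova-consoleauth", "nova-compute"},
    ("database", "connection"): {"nova-novncproxy"},
}

def audit(nodes, want_ttl, want_consoleauth=True):
    """nodes maps name -> (role, nova.conf text); returns sorted findings."""
    findings = []
    for name, (role, text) in nodes.items():
        # interpolation=None: connection URLs may contain a literal '%'
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read_string(text)
        for (section, key), roles in REQUIRED.items():
            if role not in roles:
                continue
            where = f"{name} ({role}): [{section}]{key}"
            value = cfg.get(section, key, fallback=None)
            if value is None:
                findings.append(f"{where} is not set")
            elif key == "token_ttl" and int(value) != want_ttl:
                findings.append(f"{where} is {value}, expected {want_ttl}")
            elif (key == "enable_consoleauth"
                  and cfg.getboolean(section, key) != want_consoleauth):
                findings.append(f"{where} is {value}, expected {want_consoleauth}")
    return sorted(findings)

# Constructed sample: four nodes, two of them missing a setting.
SAMPLE = {
    "ctl1-api": ("nova-api",
                 "[workarounds]\nenable_consoleauth = true\n"
                 "[consoleauth]\ntoken_ttl = 360000\n"),
    "ctl1-consoleauth": ("nova-consoleauth", "[consoleauth]\ntoken_ttl = 360000\n"),
    "cell1-proxy": ("nova-novncproxy", "[workarounds]\nenable_consoleauth = true\n"),
    "cmp1": ("nova-compute", "[DEFAULT]\ndebug = false\n"),
}

if __name__ == "__main__":
    for line in audit(SAMPLE, want_ttl=360000):
        print(line)
```

Calling audit with want_consoleauth=False checks the same nodes against step (3) of the transition.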
Thank you very much, Melanie! I should read the Nova installation documentation carefully.
melanie witt <melwittt@gmail.com> wrote on Fri, Nov 20, 2020 at 5:25 AM:
On 11/19/20 01:35, Ankele zhang wrote:
Hello~ I have an OpenStack Rocky platform. My nova.cfg is configured with "[consoleauth] token_ttl=360000 [workarounds] enable_consoleauth=true". I get the console URL and access my VM console on the web. The console URL becomes invalid after one or two minutes, not 360000s. How can I resolve this? Looking forward to hearing from you.
Hi Ankele,
I'm sure you have already read this but for reference, this is the blurb in the release notes around the console proxy changes [1]. Note that the [workarounds]enable_consoleauth option has been removed in the Train release, so to avoid interruptions in consoles during an upgrade to Train, you must ensure your deployment has fully migrated to the new per-cell console proxy model in Rocky or Stein.
In Rocky, console token auths are stored in the cell database(s) (new way) and if [workarounds]enable_consoleauth=true on the nova-api nodes, they are additionally stored in the nova-consoleauth service (old way). Then, on the console proxy side, if [workarounds]enable_consoleauth=true on the nova-novncproxy nodes, the proxy will first try to validate the token in the nova-consoleauth service (old way) and if that's not successful, it will fall back to contacting the cell database to validate the token (new way). In order for it to succeed at validating the token in the cell database, the nova-novncproxy needs to be deployed per cell and have access to the cell database [database]connection.
If you need to use nova-consoleauth to transition to the database-backend model, you must set [workarounds]enable_consoleauth=true on both the nova-novncproxy nodes (for token validation) and the nova-api nodes (for token auth storage in the old way). The [consoleauth]token_ttl option needs to be set to the value you desire on both the nova-consoleauth nodes (old way) and nova-compute nodes (new way).
So, I suspect the issue is you need to set the aforementioned config options on nodes where you don't yet have them set.
To transition to the new way without console interruption, you will need to (1) deploy nova-novncproxy services to each of your cells and make sure they have [database]connection set to the corresponding cell database, (2) wait until all token auths generated before Rocky are expired, (3) set [workarounds]enable_consoleauth=false on nova-novncproxy and nova-api nodes, (4) remove the nova-consoleauth service from your deployment.
Hope this helps, -melanie
[1] https://docs.openstack.org/releasenotes/nova/rocky.html#relnotes-18-0-0-stab...