[openstack-ansible][wallaby deployment getting failed] error:- Service user token configuration is required for all Nova
Dear Team,
I am trying to deploy openstack-ansible wallaby but it is getting failed with error:
service user token configuration is required for all Nova services. For more details see the following: https://docs.openstack.org/latest/nova/admin/configuration/service-user-toke...
But the mentioned webpage is not available.
This is fixed in yoga but wallay is still failing.
I tried to copy few variables from Yoga but that is working for me.
Can someone please help me on this ? where I need to make some changes to deploy openstack-ansible wallaby?
Thanks in advance :)
Regards, Danish
Hey Danish,
This failure is related to the security vulnerability [1]. There are several things to mention with this regards: 1. Cinder has not backported fix to Wallaby, due to its complexity, so vulnerability is still not fully covered there. 2. Nova has backported the fix, which is raising the error you see 3. In OpenStack-Ansible we also have not backported work that is required to support service tokens to Wallaby, as there was huge amount of changes that are required for this to fix, while vulnerability is not fixed in services themselves. 4. There is huge ongoing discussion in Technical Commetee on what to do with releases in Extended Maintenance and if we should End Of Life them or not due, which was raised by this vulnerability.
Keeping all that in mind, you still should be able to deploy OpenStack-Ansible. And there are several ways of doing that.
1. Deploy vulnerable version of services. So I would try using 23.4.3 instead of stable/wallaby or 23.4.4 or wallaby-em. You can also override nova SHA to install not patched version by providing `nova_git_install_branch: a9e81626c5e9dac897759c5f66c7ae1b4efa3c6d` to user-variables 2. Apply manual config overrides for nova and cinder services to comply with new requirements for this vulnerability. So you need smth like that:
nova_nova_conf_overrides: keystone_authtoken: service_token_roles_required: True service_token_roles: admin service_user: send_service_user_token: True region_name: "{{ nova_service_region }}" auth_type: password username: "{{ nova_service_user_name }}" password: "{{ nova_service_password }}" project_name: "{{ nova_service_project_name }}" user_domain_id: "{{ nova_service_user_domain_id }}" project_domain_id: "{{ nova_service_project_domain_id }}" auth_url: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure | bool }}"
[1] https://security.openstack.org/ossa/OSSA-2023-003.html
On Sun, Jul 23, 2023, 01:25 Danish Khan danish52.jmi@gmail.com wrote:
Dear Team,
I am trying to deploy openstack-ansible wallaby but it is getting failed with error:
service user token configuration is required for all Nova services. For more details see the following:
https://docs.openstack.org/latest/nova/admin/configuration/service-user-toke...
But the mentioned webpage is not available.
This is fixed in yoga but wallay is still failing.
I tried to copy few variables from Yoga but that is working for me.
Can someone please help me on this ? where I need to make some changes to deploy openstack-ansible wallaby?
Thanks in advance :)
Regards, Danish
participants (2)
-
Danish Khan
-
Dmitriy Rabotyagov