nova novnc timeout

melanie witt melwittt at
Thu Nov 19 21:25:36 UTC 2020

On 11/19/20 01:35, Ankele zhang wrote:
> Hello~
>      I have a OpenStack Rocky platform. My nova.cfg has configured 
> "[consoleauth] token_ttl=360000 [workarounds] enable_consoleauth=true", 
> I get the console url and access my VM console in web. the console url 
> invalid after two or one minutes not 360000s.
>      How can I resolve this?
>      Look forward to hearing from you.

Hi Ankele,

I'm sure you have already read this but for reference, this is the blurb 
in the release notes around the console proxy changes [1]. Note that the 
[workarounds]enable_consoleauth option has been removed in the Train 
release, so to avoid interruptions in consoles during an upgrade to 
Train, you must ensure your deployment has fully migrated to the new 
per-cell console proxy model in Rocky or Stein.

In Rocky, console token auths are stored in the cell database(s) (new 
way) and if [workarounds]enable_consoleauth=true on the nova-api nodes, 
they are additionally stored in the nova-consoleauth service (old way). 
Then, on the console proxy side, if [workarounds]enable_consoleauth=true 
on the nova-novncproxy nodes, the proxy will first try to validate the 
token in the nova-consoleauth service (old way) and if that's not 
successful, it will fall back to contacting the cell database to 
validate the token (new way). In order for it to succeed at validating 
the token in the cell database, the nova-novncproxy needs to be deployed 
per cell and have access to the cell database [database]connection.

If you need to use nova-consoleauth to transition to the 
database-backend model, you must set 
[workarounds]enable_consoleauth=true on both the nova-novncproxy nodes 
(for token validation) and the nova-api nodes (for token auth storage in 
the old way). The [consoleauth]token_ttl option needs to be set to the 
value you desire on both the nova-consoleauth nodes (old way) and 
nova-compute nodes (new way).

So, I suspect the issue is you need to set the aforementioned config 
options on nodes where you don't yet have them set.

To transition to the new way without console interruption, you will need 
to (1) deploy nova-novncproxy services to each of your cells and make 
sure they have [database]connection set to the corresponding cell 
database, (2) wait until all token auths generated before Rocky are 
expired, (3) set [workarounds]enable_consoleauth=false on 
nova-novncproxy and nova-api nodes, (4) remove the nova-consoleauth 
service from your deployment.

Hope this helps,


More information about the openstack-discuss mailing list