From 212a2c5fee389b413b69050d93a06831326b9192 Mon Sep 17 00:00:00 2001 From: melanie witt Date: Thu, 23 Aug 2018 04:53:18 +0000 Subject: Correct the release notes related to nova-consoleauth The release notes said it was okay not to run the nova-consoleauth service in Rocky, but that's not true because the Rocky code is storing new console authorization tokens in both the database backend and the existing nova-consoleauth backend. The use of nova-consoleauth will be discontinued in Stein (for non-cells v1). We can't remove nova-consoleauth until we remove cells v1. Closes-Bug: #1788470 Change-Id: Ibbdc7c50c312da2acc59dfe64de95a519f87f123 (cherry picked from commit 4f01f4ff88de571218a36ba7c4e998296a7b52a4) --- nova/conf/workarounds.py | 14 +++++++----- ...eprecate-nova-consoleauth-ed6ccbc324a0fb10.yaml | 12 ++++++++--- ...rounds-enable-consoleauth-71d68c3879dc2c8a.yaml | 25 +++++++++++----------- 3 files changed, 31 insertions(+), 20 deletions(-) diff --git a/nova/conf/workarounds.py b/nova/conf/workarounds.py index 62cc1ab4be..0bdc918f7a 100644 --- a/nova/conf/workarounds.py +++ b/nova/conf/workarounds.py @@ -166,11 +166,15 @@ Operators that have much longer token TTL configured or otherwise wish to avoid immediately resetting all existing consoles can enable this flag to continue using the ``nova-consoleauth`` service in addition to the database backend. Once all of the old ``nova-consoleauth`` supported console tokens have expired, -this flag should be disabled and it will be no longer necessary to run the -``nova-consoleauth`` service. For example, if a deployment has configured a -token TTL of one hour, the operator may disable the flag and stop running the -``nova-consoleauth`` service one hour after deploying the new code during an -upgrade. +this flag should be disabled. For example, if a deployment has configured a +token TTL of one hour, the operator may disable the flag, one hour after +deploying the new code during an upgrade. + +.. note:: Cells v1 was not converted to use the database backend for + console token authorizations. Cells v1 console token authorizations will + continue to be supported by the ``nova-consoleauth`` service and use of + the ``[workarounds]/enable_consoleauth`` option does not apply to + Cells v1 users. Related options: diff --git a/releasenotes/notes/deprecate-nova-consoleauth-ed6ccbc324a0fb10.yaml b/releasenotes/notes/deprecate-nova-consoleauth-ed6ccbc324a0fb10.yaml index 803d2db380..d9bb747230 100644 --- a/releasenotes/notes/deprecate-nova-consoleauth-ed6ccbc324a0fb10.yaml +++ b/releasenotes/notes/deprecate-nova-consoleauth-ed6ccbc324a0fb10.yaml @@ -1,6 +1,12 @@ --- deprecations: - | - The ``nova-consoleauth`` service is deprecated as console token - authorization storage has moved from the ``nova-consoleauth`` service - backend to the database backend. + The ``nova-consoleauth`` service has been deprecated. Console token + authorization storage is moving from the ``nova-consoleauth`` service + backend to the database backend, with storage happening in both, in Rocky. + In Stein, only the database backend will be used for console token + authorization storage. + + .. note:: Cells v1 was not converted to use the database backend for + console token authorizations. Cells v1 console token authorizations will + continue to be supported by the ``nova-consoleauth`` service. diff --git a/releasenotes/notes/workarounds-enable-consoleauth-71d68c3879dc2c8a.yaml b/releasenotes/notes/workarounds-enable-consoleauth-71d68c3879dc2c8a.yaml index a6f21497ec..166dc744f8 100644 --- a/releasenotes/notes/workarounds-enable-consoleauth-71d68c3879dc2c8a.yaml +++ b/releasenotes/notes/workarounds-enable-consoleauth-71d68c3879dc2c8a.yaml @@ -2,11 +2,11 @@ upgrade: - | The ``nova-consoleauth`` service has been deprecated and new consoles will - have their token authorizations stored in cell databases instead of in the - ``nova-consoleauth`` service backend. With this, console proxies are - required to be deployed per cell. All existing consoles will be reset. For - most operators, this should be a minimal disruption as the default TTL of a - console token is 10 minutes. + have their token authorizations stored in cell databases, in addition to + the ``nova-consoleauth`` service backend, in Rocky. With this, console + proxies are required to be deployed per cell. All existing consoles will be + reset. For most operators, this should be a minimal disruption as the + default TTL of a console token is 10 minutes. Operators that have configured a much longer token TTL or otherwise wish to avoid immediately resetting all existing consoles can use the new @@ -14,11 +14,12 @@ upgrade: the ``nova-consoleauth`` service for locating existing console authorizations. The option defaults to False. Once all of the existing consoles have naturally expired, operators may unset the configuration - option and discontinue running the consoleauth service. For example, if - a deployment has configured a token TTL of one hour, the operator may - disable the ``[workarounds]/enable_consoleauth`` option and stop running - the ``nova-consoleauth`` service one hour after deploying the new code. + option. For example, if a deployment has configured a token TTL of one + hour, the operator may disable the ``[workarounds]/enable_consoleauth`` + option, one hour after deploying the new code. - Operators who do not need to use the ``[workarounds]/enable_consoleauth`` - configuration option may discontinue running the consoleauth service - immediately. + .. note:: Cells v1 was not converted to use the database backend for + console token authorizations. Cells v1 console token authorizations will + continue to be supported by the ``nova-consoleauth`` service and use of + the ``[workarounds]/enable_consoleauth`` option does not apply to + Cells v1 users. -- cgit v1.2.1