  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-26189

rhoso - edpm_users role should disable password expiration for service accounts


    • Bug
    • Resolution: Unresolved
    • Major
    • edpm-ansible
    • rhos-ops-day1day2-edpm
    • EDPM Sprint 20
    • Moderate

      ### Summary

      On hardened systems where PASS_MAX_DAYS is defined in /etc/login.defs, system users created by the edpm_users role (such as nova) may eventually expire.

      ### Problem

      When the nova account expires, operations that rely on SSH—such as cold live migrations—fail because the expired account cannot authenticate.
      ~~~~
      sudo chage -l nova
      [sudo] password for ccs-user:
      Last password change : Jan 22, 2026
      Password expires : Jan 22, 2027
      Password inactive : Feb 21, 2027
      Account expires : never
      Minimum number of days between password change : 7
      Maximum number of days between password change : 365
      Number of days of warning before password expires : 7
      ~~~~

      ### Proposed Solution

      Update the edpm_users role (https://github.com/openstack-k8s-operators/edpm-ansible/blob/43c8ae13d85939e9a3f9cddbe838cbe4616199f7/roles/edpm_users/tasks/create_users_and_groups.yml#L40C7-L40C27) to ensure that the system users it creates have non-expiring passwords, preventing unexpected account expiration on systems enforcing PASS_MAX_DAYS.
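
An added example, not part of the original report or of edpm-ansible: a Python audit that reads shadow(5)-format lines and flags service accounts whose password aging will expire them, reproducing the dates in the chage output above. The sample lines, the `svc-example` account, the 90-day horizon and the treatment of maximum ages of 10000 days or more as "never" are assumptions.

```python
"""Audit shadow(5) entries for service accounts that password aging will expire."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NEVER_THRESHOLD = 10000  # assumption: max ages this large (e.g. 99999) mean "never"

# Constructed sample in shadow(5) format, not real data. The nova line mirrors
# the chage output in the report: last change Jan 22, 2026 (day 20475), min 7,
# max 365, warn 7, inactive 30. svc-example (hypothetical) has aging disabled.
SAMPLE_SHADOW = """\
nova:!!:20475:7:365:7:30::
svc-example:!!:20475:0:-1:7:::
"""


def _num(field):
    """shadow(5) numeric fields may be empty; return None in that case."""
    return int(field) if field.strip() else None


def password_aging(line):
    """Return (user, expires, inactive) dates; None where aging does not apply."""
    f = line.rstrip("\n").split(":")
    user, last_change, max_days, inactive_days = f[0], _num(f[2]), _num(f[4]), _num(f[6])
    if last_change is None or max_days is None or max_days < 0 or max_days >= NEVER_THRESHOLD:
        return user, None, None
    expires = EPOCH + timedelta(days=last_change + max_days)
    inactive = None
    if inactive_days is not None and inactive_days >= 0:
        inactive = expires + timedelta(days=inactive_days)
    return user, expires, inactive


def accounts_at_risk(shadow_text, service_users, today, horizon_days=90):
    """List service accounts whose password expires within horizon_days of today."""
    findings = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, expires, inactive = password_aging(line)
        if user in service_users and expires is not None:
            if expires - today <= timedelta(days=horizon_days):
                findings.append((user, expires, inactive))
    return findings


if __name__ == "__main__":
    for user, expires, inactive in accounts_at_risk(SAMPLE_SHADOW, {"nova", "svc-example"}, date(2026, 12, 1)):
        print(f"{user}: password expires {expires}, inactive after {inactive}")
```

Per chage(8), a maximum of -1 removes the password validity check, which is why the second sample line is not reported. On a real host, feed the function the contents of /etc/shadow and the names of the users the role creates.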

              jslagle@redhat.com James Slagle
              rhn-engineering-gkadam Ganesh Kadam
              rhos-dfg-df