Nova not detaching volumes during instance deletions

Question

I ran a fresh installation of OpenStack 2023.1 (Antelope) on 10 Ubuntu 22.04 LTS servers.

I have a controller and 9 computing nodes.

On the controller node, I have installed:

- nova (3:27.1.0-0ubuntu1.2\~cloud0)
- neutron (2:22.0.2-0ubuntu1\~cloud0)
- glance (2:26.0.0-0ubuntu1.2\~cloud0)
- keystone (2:23.0.1-0ubuntu1\~cloud0)
- placement (1:9.0.0-0ubuntu1~cloud0)
- cinder (2:22.1.1-0ubuntu1.3~cloud0)
- horizon (4:23.2.0-0ubuntu1~cloud0)

Everything works, but I only have one problem related to deleting volumes.

When I delete an instance, the volume remains "In Use" and "Attached to" an instance that no longer exists.

If I make the volume available, detach and delete the volume via cinder commands, everything works.

When I remove the instance from Nova, in the /var/log/apache2/cinder_error.log logs I read something about a Bug #2004555\x1b[00:

2024-07-22 15:39:59.078701 2024-07-22 15:39:59.078 1708 ERROR cinder.volume.api [req-4885e5c9-66ea-4aab-aec1-9f39c8b7bd32 req-1b2453d9-ea43-4650-b7f9-c1512a92ec5e 66539d0050564dbd99bee47c4aca412f 173f06b4888d40fca241261a6477f7c4 - - default default] Detected user call to delete in-use attachment. Call must come from the nova service and nova must be configured to send the service token. **Bug #2004555\x1b[00m**
2024-07-22 15:39:59.080976 2024-07-22 15:39:59.079 1708 ERROR cinder.api.middleware.fault [req-4885e5c9-66ea-4aab-aec1-9f39c8b7bd32 req-1b2453d9-ea43-4650-b7f9-c1512a92ec5e 66539d0050564dbd99bee47c4aca412f 173f06b4888d40fca241261a6477f7c4 - - default default] Caught error: <class 'cinder.exception.ConflictNovaUsingAttachment'> Detach volume from instance 2438d612-c648-4450-aa2f-3b13533ff101 using the Compute API: cinder.exception.ConflictNovaUsingAttachment: Detach volume from instance 2438d612-c648-4450-aa2f-3b13533ff101 using the Compute API
 .....
2024-07-22 15:39:59.081473 2024-07-22 15:39:59.079 1708 ERROR cinder.api.middleware.fault   File "/usr/lib/python3/dist-packages/cinder/volume/api.py", line 2616, in attachment_deletion_allowed
2024-07-22 15:39:59.081481 2024-07-22 15:39:59.079 1708 ERROR cinder.api.middleware.fault     raise exception.ConflictNovaUsingAttachment(instance_id=server_id)
2024-07-22 15:39:59.081489 2024-07-22 15:39:59.079 1708 ERROR cinder.api.middleware.fault **cinder.exception.ConflictNovaUsingAttachment: Detach volume from instance 2438d612-c648-4450-aa2f-3b13533ff101 using the Compute API**
2024-07-22 15:39:59.081498 2024-07-22 15:39:59.079 1708 ERROR cinder.api.middleware.fault \x1b[00m
2024-07-22 15:39:59.082033 2024-07-22 15:39:59.081 1708 INFO cinder.api.middleware.fault [req-4885e5c9-66ea-4aab-aec1-9f39c8b7bd32 req-1b2453d9-ea43-4650-b7f9-c1512a92ec5e 66539d0050564dbd99bee47c4aca412f 173f06b4888d40fca241261a6477f7c4 - - default default] http://ta-mgmt00:8776/v3/173f06b4888d40fca241261a6477f7c4/attachments/6b2f573d-a784-4376-a25b-41069a49d02a returned with HTTP 409\x1b[00m

I already tried to configure in both nova.conf and cinder.conf the [service_user] but without success.

nova.conf:

[service_user]
send_service_user_token = true
auth_url = http://ta-mgmt00:5000
auth_strategy = keystone
auth_type = password
project_domain_name = Default
project_name = service
user_domain_name = Default
username = nova
password = NOVA_PASSWORD
...
[keystone_authtoken]
www_authenticate_uri = http://ta-mgmt00:5000/
auth_url = http://ta-mgmt00:5000/
memcached_servers = ta-mgmt00:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = NOVA_PASSWORD
service_token_roles_required = true
service_token_roles = service

on cinder.conf:

[service_user]
send_service_user_token = true
auth_url = http://ta-mgmt00:5000
auth_strategy = keystone
auth_type = password
project_domain_name = Default
project_name = service
user_domain_name = Default
username = cinder
password = CINDER_PASSWORD
...
[keystone_authtoken]
www_authenticate_uri = http://ta-mgmt00:5000
auth_url = http://ta-mgmt00:5000
memcached_servers = ta-mgmt00:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = cinder
password = CINDER_PASSWORD
service_token_roles = service
service_token_roles_required = true

Cinder is configured to write to a Synology NAS, but the integration works as volumes are created and if removed via CLI they are successfully deleted.