[openstack-dev] [kolla][keyston] better way to rotate and distribution keystone fernet keys in container env
zhang.lei.fly at gmail.com
Mon Mar 6 04:28:17 UTC 2017
Kolla have support keystone fernet keys. But there are still some
topics worth to talk.
The key issue is key distribution. Kolla's solution is like
* there is a task run frequently by cronjob to check whether
the key should be rotate. This is controlled by
* When key rotate is required, the task in cron job will generate a
new key by using `keystone-manage fernet-rotate` and distribute all
keys in /etc/keystone/fernet-keys folder to other by using
one issue is: there is no global lock in rotate and distribute steps.
above command is ran on all controllers. it may cause issues if
all controllers run this at the same time.
Since we are using Ansible as deployment tools. there is not daemon
agent at all to keep rotate and distribution atomic. Is there any
easier way to implement a global lock?
1. configure cron job with different time on each controller
2. implement a global lock? ( no idea how )
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev