[openstack-dev] [kolla][keystone] better way to rotate and distribution keystone fernet keys in container env

Jeffrey Zhang zhang.lei.fly at gmail.com
Mon Mar 6 05:52:01 UTC 2017

fix subject typo

On Mon, Mar 6, 2017 at 12:28 PM, Jeffrey Zhang <zhang.lei.fly at gmail.com>

> Kolla has support for Keystone fernet keys, but there are still some
> topics worth talking about.
> The key issue is key distribution. Kolla's solution is like this:
> * There is a task run frequently by a cron job to check whether
>   the key should be rotated. This is controlled by the
>   `fernet_token_expiry` variable.
> * When key rotation is required, the task in the cron job generates a
>   new key using `keystone-manage fernet-rotate` and distributes all
>   keys in the /etc/keystone/fernet-keys folder to the other controllers using
>   `rsync --delete`.
> One issue is: there is no global lock around the rotate and distribute steps.
> The above command is run on all controllers. It may cause issues if
> all controllers run this at the same time.
> Since we are using Ansible as the deployment tool, there is no daemon
> agent at all to keep rotation and distribution atomic. Is there any
> easier way to implement a global lock?
> Possible solutions:
> 1. Configure the cron job with a different time on each controller.
> 2. Implement a global lock? (no idea how)
> [0] https://docs.openstack.org/admin-guide/identity-fernet-token-faq.html
> --
> Regards,
> Jeffrey Zhang
> Blog: http://xcodest.me

Jeffrey Zhang
Blog: http://xcodest.me
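As an added illustration of the rotate-and-distribute task described in the message above (example code written for this page, not Kolla's own task and not something the poster proposed), the script below avoids the "every controller rotates at once" race without a true distributed lock: a local flock stops overlapping runs on one host, and a deterministic leader (the controller whose name sorts first in the inventory) is the only one that ever runs `keystone-manage fernet-rotate`; the others just receive keys over `rsync --delete`. The controller list in `CONTROLLERS`, passwordless ssh/rsync between controllers, GNU `stat`, util-linux `flock`, and the definition of "rotation is due" (primary key file older than `FERNET_TOKEN_EXPIRY` seconds) are all assumptions of this example, not facts from the original post.

```shell
#!/bin/sh
# Added example, not Kolla's own code. One way to keep the fernet
# rotate-and-distribute cron task from running on every controller at once:
#   - a local flock so two runs on the same host cannot overlap, and
#   - a deterministic "leader" (first controller name in sorted order) so only
#     one controller ever runs `keystone-manage fernet-rotate`; the rest only
#     receive keys over rsync.
# Assumptions (hypothetical, not from the original post): the controller list
# in CONTROLLERS, passwordless ssh/rsync between controllers, GNU stat,
# util-linux flock, and "rotation is due" meaning the primary key file is
# older than FERNET_TOKEN_EXPIRY seconds.
set -eu

KEY_DIR="${KEY_DIR:-/etc/keystone/fernet-keys}"
FERNET_TOKEN_EXPIRY="${FERNET_TOKEN_EXPIRY:-86400}"      # seconds
LOCK_FILE="${LOCK_FILE:-/var/lock/fernet-rotate.lock}"
CONTROLLERS="${CONTROLLERS:-controller1 controller2 controller3}"  # hypothetical inventory

# Keystone names keys 0, 1, 2, ...: 0 is the staged key, the highest number
# is the primary key that signs new tokens.
primary_key() {
    ls "$1" | grep -E '^[0-9]+$' | sort -n | tail -n 1
}

# Exit 0 when the primary key in $1 is at least $2 seconds old, or when the
# directory holds no keys yet. $3 overrides "now" so the check is testable.
needs_rotation() {
    dir=$1; expiry=$2; now=${3:-$(date +%s)}
    primary=$(primary_key "$dir")
    [ -n "$primary" ] || return 0
    mtime=$(stat -c %Y "$dir/$primary")
    [ $((now - mtime)) -ge "$expiry" ]
}

# Exit 0 when $1 is the lexicographically first of the remaining arguments.
is_leader() {
    me=$1; shift
    first=$(printf '%s\n' "$@" | sort | head -n 1)
    [ "$me" = "$first" ]
}

rotate_and_distribute() {
    keystone-manage fernet-rotate --keystone-user keystone --keystone-group keystone
    for host in $CONTROLLERS; do
        [ "$host" = "$(hostname)" ] && continue
        # --delete removes keys that were rotated out on the leader.
        rsync -a --delete "$KEY_DIR/" "$host:$KEY_DIR/"
    done
}

main() {
    # Local lock: a second cron firing on this host exits immediately.
    exec 9>"$LOCK_FILE"
    flock -n 9 || exit 0
    is_leader "$(hostname)" $CONTROLLERS || exit 0
    needs_rotation "$KEY_DIR" "$FERNET_TOKEN_EXPIRY" || exit 0
    rotate_and_distribute
}

# Cron entry on every controller, e.g.:
#   */5 * * * * /usr/local/bin/fernet-rotate.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

This does not make rotate plus rsync atomic; it only guarantees a single writer. If the leader dies between the rotate and the rsync, the next run simply rsyncs the already-rotated directory, and the non-leaders keep validating tokens with their current key set until then. That tolerance is exactly what Keystone's staged key (file `0`) is for: it is distributed one rotation before it becomes the primary key, so a controller that is briefly behind can still validate tokens signed by the new primary.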