[openstack-dev] [kolla][keystone] better way to rotate and distribution keystone fernet keys in container env

Jeffrey Zhang zhang.lei.fly at gmail.com
Tue Mar 7 00:56:17 UTC 2017

On Tue, Mar 7, 2017 at 2:09 AM, Matt Fischer <matt at mattfischer.com> wrote:

> I don't think it would cause an issue if every controller rotated all at
> once. The issues are more along the lines of rotating to key C when there
> are tokens out there that are encrypted with keys A and B. In other words
> over-rotation. As long as your keys are properly staged, do the rotation
> all at once or space them out, should not make any difference.

The issue is "at once".
It takes some time to rotate and distribute the keys. There is one case:
controller A and controller B generate new, different keys. Then they copy
the key to the other by using rsync.

A: 0 1 2 3
B: 0' 1' 2 3

When distributing, the 0/0' and 1/1' may be overridden (rsync holds the deleted
file handle and copies it to the other one). It will lead to

A: 0' 1' 2 3
B: 0 1 2 3

next rotation, it may become

A: 0' 1' 2' 3
B: 0 1 2 3

after distribution, it becomes

A: 0 1 2 3
B: 0' 1' 2' 3

Next rotation and distribution, the issue happens.

This is a small probability, but it is still possible.

Jeffrey Zhang
Blog: http://xcodest.me