<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">Kolla has support for keystone fernet keys. But there are still some</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">topics worth talking about.</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">The key issue is key distribution. Kolla's solution is like</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">* there is a task run frequently by cronjob to check whether </div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"> the key should be rotated. This is controlled by the </div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"> `fernet_token_expiry` variable</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">* When key rotation is required, the task in the cron job will generate a</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"> new key by using `keystone-manage fernet-rotate` and distribute all</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"> keys in the /etc/keystone/fernet-keys folder to the others by using </div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"> `rsync --delete`</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">One issue is: there is no global lock in the rotate and distribute steps.</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">The above command is run on all controllers. It may cause issues if</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">all controllers run this at the same time.</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">Since we are using Ansible as the deployment tool, there is no daemon </div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">agent at all to keep rotation and distribution atomic. Is there any</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">easier way to implement a global lock?</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">Possible solutions:</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">1. configure the cron job with a different time on each controller</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">2. implement a global lock? ( no idea how )</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small">[0] <a href="https://docs.openstack.org/admin-guide/identity-fernet-token-faq.html">https://docs.openstack.org/admin-guide/identity-fernet-token-faq.html</a></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Regards,</font></span></div><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Jeffrey Zhang</font></span></div><div><span style="font-family:monospace,monospace;font-size:12.8px">Blog: </span><a href="http://xcodest.me/" style="font-family:monospace,monospace;font-size:12.8px" target="_blank">http://xcodest.me</a><font face="monospace, monospace"><br></font></div></div></div></div></div></div></div></div></div>
</div>
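To illustrate the race the message describes, here is an added simulation (not Kolla's or keystone's code) that models a fernet key directory the way the linked FAQ describes it: file 0 is the staged key, the highest index is the primary, and a rotation promotes 0, mints a fresh staged key and prunes the oldest keys. When two controllers rotate the same starting set independently, they mint different staged keys, so after `rsync --delete` the key sets no longer agree; the `divergent` check is the kind of consistency test a deployer could run across controllers. Key material is generated locally and the `max_active_keys` value of 3 is an assumed setting.

```python
"""Model of keystone fernet key rotation to show why concurrent rotation
on several controllers yields divergent /etc/keystone/fernet-keys sets."""
import base64
import os


def new_key():
    # A fernet key is 32 random bytes, url-safe base64 encoded; keystone
    # stores one such key per file named by its index.
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def rotate(keys, max_active_keys=3):
    """keys: {index: key}. Index 0 is the staged key, the highest index is
    the primary. Promote 0 to the next index, write a fresh staged key to 0,
    then drop the lowest non-zero indexes beyond max_active_keys (assumed
    to mirror keystone-manage fernet_rotate; a model, not its source)."""
    keys = dict(keys)
    keys[max(keys) + 1] = keys.pop(0)
    keys[0] = new_key()
    while len(keys) > max_active_keys:
        del keys[min(i for i in keys if i != 0)]
    return keys


def divergent(hosts):
    """hosts: {hostname: {index: key}}. True if any two controllers hold a
    different set of (index, key) pairs, i.e. tokens signed on one host may
    fail to validate on another."""
    return len({frozenset(k.items()) for k in hosts.values()}) > 1


def simulate(concurrent):
    """Constructed scenario: two controllers start from identical keys."""
    base = {0: new_key(), 1: new_key(), 2: new_key()}
    if concurrent:
        # Both cron jobs fire at once: each rotates its own copy and mints
        # its own staged key 0, so the directories no longer match.
        ctl1, ctl2 = rotate(base), rotate(base)
    else:
        # A single rotator runs, then rsync copies its result to the peer.
        ctl1 = rotate(base)
        ctl2 = dict(ctl1)
    return divergent({"ctl1": ctl1, "ctl2": ctl2})
```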