I suggest using a pacemaker multistate clone resource to rotate and rsync fernet tokens from local directories across cluster nodes. The resource prototype is described here: https://etherpad.openstack.org/p/fernet_tokens_pacemaker

Pros: Pacemaker will take care of the CAP/split-brain stuff for us; we just design the rotate and rsync logic. Also, no shared FS/DB is involved, only the Corosync CIB - to store a few internal resource-state-related params, not tokens.

Cons: Keystone nodes hosting fernet tokens directories must be members of the pacemaker cluster. Also, a custom OCF script should be created to implement this.

__
Regards,
Bogdan Dobrelya.
IRC: bogdando

Matt Fischer also discusses key rotation here: http://www.mattfischer.com/blog/?p=648
And here: http://www.mattfischer.com/blog/?p=665

On Mon, Jul 27, 2015 at 2:30 PM, Dolph Mathews <dolph.mathews at gmail.com> wrote: …