[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

Lance Bragstad lbragstad at gmail.com
Tue Aug 4 13:06:21 UTC 2015


On Tue, Aug 4, 2015 at 1:37 AM, Boris Bobrov <bbobrov at mirantis.com> wrote:

> On Monday 03 August 2015 21:05:00 David Stanek wrote:
>
> > On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov <bbobrov at mirantis.com> wrote:
> >
> > > On Sat, Aug 1, 2015 at 3:41 PM, Clint Byrum <clint at fewbar.com> wrote:
> > >
> > > > This too is overly complex and will cause failures. If you replace key 0,
> > > > you will stop validating tokens that were encrypted with the old key 0.
> > >
> > > No. Key 0 is replaced after rotation.
> > >
> > > Also, come on, does http://paste.openstack.org/show/406674/ look overly
> > > complex? (it should be launched from Fuel master node).
> >
> > I'm reading this on a small phone, so I may have it wrong, but the script
> > appears to be broken.
> >
> > It will ssh to node-1 and rotate. In the simplest case this takes key 0 and
> > moves it to the next highest key number. Then a new key 0 is generated.
> >
> > Later there is a loop that will again ssh into node-1 and run the rotation
> > script. If there is a limit set on the number of keys and you are at that
> > limit a key will be deleted. This extra rotation on node-1 means that it's
> > possible that it has a different set of keys than are on node-2 and node-3.
>
> You are absolutely right. Node-1 should be excluded from the loop.
>
> ping also lacks "-c 1".
>
> I am sure that other issues can be found.
>
> In my excuse I want to say that I never ran the script and wrote it just
> to show how simple it should be. Thanks for the review though!
>
> I also hope that no one is going to use a script from a mailing list.
>
> > What's the issue with just a simple rsync of the directory?
>
> None I think. I just want to reuse the interface provided by
> keystone-manage.
>

You wanted to use the interface from keystone-manage to handle the actual
promotion of the staged key, right? This is why there were two
fernet_rotate commands issued?


> --
> Best regards,
> Boris
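The rotation semantics David describes above (key 0 promoted to the next highest number, a fresh key 0 generated, the oldest key purged once the max_active_keys limit is hit) and the resulting node-1 versus node-2/node-3 divergence, as an added example that is not code from the thread or from keystone; the key values and the max_active_keys value of 3 are constructed for illustration, and a real repository holds random Fernet keys in files named 0, 1, 2, ...:

```python
# Added example, not code from the thread or from keystone: a small model of
# what `keystone-manage fernet_rotate` does to a key repository, replaying the
# failure described above (node-1 rotated twice, node-2/node-3 only receiving
# the first rsync). Key material here is constructed labels; a real repository
# holds random Fernet keys in files named 0, 1, 2, ...

def rotate(keys, max_active_keys, new_staged_key):
    """Return the repository after one rotation.

    keys maps index -> key material. Index 0 is the staged key, the highest
    index is the primary key (used to encrypt new tokens), all others are
    secondary keys kept only to validate older tokens.
    """
    keys = dict(keys)
    current_primary = max(keys)
    # 1. The staged key is promoted: it becomes the new primary key.
    keys[current_primary + 1] = keys.pop(0)
    # 2. A fresh staged key takes index 0 (it becomes primary next rotation).
    keys[0] = new_staged_key
    # 3. Purge the oldest secondary keys until max_active_keys is respected.
    while len(keys) > max_active_keys:
        oldest = min(i for i in keys if i != 0)
        del keys[oldest]
    return keys


def simulate_thread_scenario(max_active_keys=3):
    """node-1 rotates, the directory is rsync'd to node-2, then the loop in
    the script rotates node-1 a second time. Returns (node1, node2)."""
    initial = {0: b"staged-a", 1: b"primary-1"}  # constructed sample keys
    node1 = rotate(initial, max_active_keys, b"staged-b")
    node2 = dict(node1)  # rsync copies the repository verbatim
    node1 = rotate(node1, max_active_keys, b"staged-c")  # the extra rotation
    return node1, node2


def keys_missing_on(node, other):
    """Key material present on `other` but not on `node`: tokens encrypted
    with these keys still validate on `other` and are rejected by `node`."""
    return set(other.values()) - set(node.values())


if __name__ == "__main__":
    node1, node2 = simulate_thread_scenario()
    print("node-1:", node1)
    print("node-2:", node2)
    print("rejected on node-1 only:", keys_missing_on(node1, node2))
```

After the extra rotation node-1 has purged the old primary key that node-2 and node-3 still hold, so tokens issued before the first rotation validate on two nodes and fail on the third.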