[openstack-dev] [kolla][keystone] better way to rotate and distribution keystone fernet keys in container env

Matt Fischer matt at mattfischer.com
Mon Mar 6 18:09:15 UTC 2017

I don't think it would cause an issue if every controller rotated all at
once. The issues are more along the lines of rotating to key C when there
are tokens out there that are encrypted with keys A and B. In other words
over-rotation. As long as your keys are properly staged, whether you do the
rotation all at once or space it out should not make any difference.

On Sun, Mar 5, 2017 at 10:52 PM, Jeffrey Zhang <zhang.lei.fly at gmail.com>

> fix subject typo
> On Mon, Mar 6, 2017 at 12:28 PM, Jeffrey Zhang <zhang.lei.fly at gmail.com>
> wrote:
>> Kolla has support for keystone fernet keys, but there are still some
>> topics worth talking about.
>> The key issue is key distribution. Kolla's solution is like:
>> * there is a task run frequently by a cron job to check whether
>>   the key should be rotated. This is controlled by the
>>   `fernet_token_expiry` variable
>> * when key rotation is required, the task in the cron job will generate a
>>   new key by using `keystone-manage fernet-rotate` and distribute all
>>   keys in the /etc/keystone/fernet-keys folder to the others by using
>>   `rsync --delete`
>> One issue is: there is no global lock around the rotate and distribute steps.
>> The above command is run on all controllers. It may cause issues if
>> all controllers run this at the same time.
>> Since we are using Ansible as the deployment tool, there is no daemon
>> agent at all to keep rotation and distribution atomic. Is there any
>> easier way to implement a global lock?
>> Possible solutions:
>> 1. configure the cron job with a different time on each controller
>> 2. implement a global lock? (no idea how)
>> [0] https://docs.openstack.org/admin-guide/identity-fernet-token-faq.html
>> --
>> Regards,
>> Jeffrey Zhang
>> Blog: http://xcodest.me
> --
> Regards,
> Jeffrey Zhang
> Blog: http://xcodest.me
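To make the over-rotation point concrete, here is an added example (not Kolla's or keystone's own code) that models keystone's fernet key ring (key 0 staged, highest number primary, the rest secondaries), applies the fernet-rotate rule, and counts how many rotations a token issued under the current primary survives for a given `max_active_keys` (keystone's option name; the value 3 here is an assumption). Fernet encryption is replaced by an HMAC tag so it runs on the standard library alone.

```python
import hashlib
import hmac
import os

MAX_ACTIVE_KEYS = 3  # assumption for the example; keystone's default differs


def new_key_ring():
    """Initial state after fernet_setup: a staged key (0) and a primary (1)."""
    return {0: os.urandom(32), 1: os.urandom(32)}


def rotate(ring, max_active=MAX_ACTIVE_KEYS):
    """One fernet-rotate: the staged key becomes the new primary, a fresh
    staged key is written, and the oldest secondaries beyond max_active
    are purged. Tokens under a purged key can no longer be validated."""
    primary = max(ring)
    ring[primary + 1] = ring.pop(0)
    ring[0] = os.urandom(32)
    while len(ring) > max_active:
        del ring[min(k for k in ring if k != 0)]  # purge oldest secondary
    return ring


def issue_token(ring, payload: bytes) -> str:
    """Tokens are always produced with the primary key (highest id)."""
    key_id = max(ring)
    tag = hmac.new(ring[key_id], payload, hashlib.sha256).hexdigest()
    return f"{key_id}:{payload.decode()}:{tag}"  # payload must not contain ':'


def validate_token(ring, token: str) -> bool:
    """Validation succeeds only while the issuing key is still in the ring."""
    key_id, payload, tag = token.split(":", 2)
    key = ring.get(int(key_id))
    if key is None:
        return False  # key was rotated out: the over-rotation failure
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def rotations_until_invalid(max_active=MAX_ACTIVE_KEYS) -> int:
    """How many rotations a freshly issued token survives with this ring size.
    Rotating more often than this within a token's lifetime breaks tokens."""
    ring = new_key_ring()
    token = issue_token(ring, b"user-a")
    rotations = 0
    while validate_token(ring, token):
        rotate(ring, max_active)
        rotations += 1
    return rotations
```

The result is `max_active_keys - 1` rotations, which is why the rotation interval must be sized against `fernet_token_expiry` rather than against how many controllers happen to run the cron job.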