[openstack-dev] [kolla][keystone] better way to rotate and distribution keystone fernet keys in container env

Jeffrey Zhang zhang.lei.fly at gmail.com
Tue Mar 7 00:45:32 UTC 2017


On Mon, Mar 6, 2017 at 6:05 PM, Paul Bourke <paul.bourke at oracle.com> wrote:

> Two initial ideas:
>
> We could create a specific ansible task to rotate the keys, and document
> that the operator should set up a cron job on the deployment node to run
> this periodically.
>
> We could also look at making use of VRRP (keepalived). Potentially the
> cron job could run on every controller, but only take action if it
> identifies it's the one with the VIP.
>
> The second seems preferable to me as it requires no additional effort on
> the part of the operator. Maybe there are problems with this, though, that
> I'm not thinking of.
>
> -Paul
>

Thanks Paul,

The second seems better. We can implement a file lock to ensure only one
rotate-and-distribute process is running at the same time.




-- 
Regards,
Jeffrey Zhang
Blog: http://xcodest.me
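
The approach discussed in this thread (a cron job on every controller that acts only on the node holding the VIP, guarded by a file lock), as an added example that is not part of the original messages or of Kolla's code. The VIP, lock path, peer hosts, the rsync-over-SSH distribution and the helper names are assumptions; `keystone-manage fernet_rotate` is Keystone's own rotation command.

```python
import fcntl
import os
import subprocess

VIP = "192.0.2.10"                          # assumption: constructed VIP address
LOCK_PATH = "/var/lock/fernet-rotate.lock"  # assumption: hypothetical lock file
PEERS = ["controller2", "controller3"]      # assumption: hypothetical peer hosts
KEY_DIR = "/etc/keystone/fernet-keys/"      # keystone's default key repository

def holds_vip(ip_output, vip):
    """True if vip is a local address in `ip -o -4 addr show` output."""
    for line in ip_output.splitlines():
        fields = line.split()  # e.g. "2: eth0    inet 192.0.2.10/32 scope global eth0"
        if len(fields) > 3 and fields[2] == "inet" and fields[3].split("/")[0] == vip:
            return True
    return False

def try_lock(path):
    """Return a locked fd, or None if another run already holds the lock."""
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return fd
    except BlockingIOError:
        os.close(fd)
        return None

def rotate_and_distribute():
    # Rotate on this node, then push the whole key repository to the peers.
    subprocess.run(["keystone-manage", "fernet_rotate", "--keystone-user",
                    "keystone", "--keystone-group", "keystone"], check=True)
    for host in PEERS:
        subprocess.run(["rsync", "-a", "--delete", KEY_DIR,
                        f"{host}:{KEY_DIR}"], check=True)

def run_once(ip_output, vip=VIP, lock_path=LOCK_PATH, action=rotate_and_distribute):
    if not holds_vip(ip_output, vip):
        return "skipped: not VIP holder"
    fd = try_lock(lock_path)
    if fd is None:
        return "skipped: already running"
    try:
        action()
        return "rotated"
    finally:
        os.close(fd)  # closing the descriptor releases the lock

if __name__ == "__main__":
    print(run_once(subprocess.check_output(["ip", "-o", "-4", "addr", "show"], text=True)))
```

The lock only serializes runs on one host; it is the VIP check that keeps the other controllers from rotating, so a VIP failover in the middle of a run is the case to watch for.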