[Openstack-operators] [openstack-dev][openstack-operators]flush expired tokens and moves deleted instance

Fischer, Matt matthew.fischer at twcable.com
Tue Jan 27 17:13:35 UTC 2015

Our keystone database is clustered across regions, so we have this job running on node1 in each site on alternating hours. I don’t think you’d want a bunch of cron jobs firing off all at once to clean up tokens on multiple clustered nodes. That’s one reason I know not to put this in the code.

Are there other reasons that an operator might like to keep old tokens? Auditing?

From: Tim Bell <Tim.Bell at cern.ch>
Date: Sunday, January 25, 2015 at 11:10 PM
To: Mike Smith <mismith at overstock.com>, Daniel Comnea <comnea.dani at gmail.com>
Cc: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>, "openstack-operators at lists.openstack.org" <openstack-operators at lists.openstack.org>
Subject: Re: [Openstack-operators] [openstack-dev][openstack-operators]flush expired tokens and moves deleted instance

This is often mentioned as one of those items which catches every OpenStack cloud operator at some time. It’s not clear to me that there could not be a scheduled job built into the system with a default frequency (configurable, ideally).

If we are all configuring this as a cron job, is there a reason that it could not be built into the code?


From: Mike Smith [mailto:mismith at overstock.com]
Sent: 24 January 2015 18:08
To: Daniel Comnea
Cc: OpenStack Development Mailing List (not for usage questions); openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] [openstack-dev][openstack-operators]flush expired tokens and moves deleted instance

It is still mentioned in the Juno installation docs:

By default, the Identity service stores expired tokens in the database indefinitely. The accumulation of expired tokens considerably increases the database size and might degrade service performance, particularly in environments with limited resources.

We recommend that you use cron to configure a periodic task that purges expired tokens:

# (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
  echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
  >> /var/spool/cron/keystone

Mike Smith
Principal Engineer, Website Systems

On Jan 24, 2015, at 10:03 AM, Daniel Comnea <comnea.dani at gmail.com> wrote:

Hi all,

I just bumped into Sebastien's blog where he suggested a cron job should run in production to tidy up expired tokens - see blog [1].
Could you please remind me if this is still required in Icehouse/Juno? (I kind of remember I've seen some work being done in this direction but I can't find the emails.)


[1] http://www.sebastien-han.fr/blog/2014/08/18/a-must-have-cron-job-on-your-openstack-cloud/