[Openstack-operators] [openstack-operators] Fernet key rotation
Fox, Kevin M
Kevin.Fox at pnnl.gov
Wed Mar 16 21:56:04 UTC 2016
You can just rotate without restarting services.
We're rotating currently only once a day.
We rotate on one machine, then rsync the data to the others in a cron job. Has been working well for a couple of months now.
Thanks,
Kevin
________________________________________
From: Ajay Kalambur (akalambu) [akalambu at cisco.com]
Sent: Wednesday, March 16, 2016 2:44 PM
To: OpenStack Operators
Subject: [Openstack-operators] [openstack-operators] Fernet key rotation
Hi,
In a multi-node HA deployment for production, does key rotate need a keystone process reboot, or should we just run the fernet rotate on one node and distribute it without restarting any process?
I presume keystone can handle the rotation without a restart?
I also assume this key rotation can happen without a maintenance window.
What do folks typically do in production, and how often do you rotate keys?
Ajay
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
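
Added example, not part of the thread and not keystone's own code: a small Python model of the rotate-on-one-node-then-rsync procedure described in the reply, showing which tokens validate on which node before the copy lands. The staged (index 0), primary (highest index) and secondary key layout follows keystone's documented key repository; the HMAC stand-in for Fernet, the function names and max_active_keys=3 are assumptions of the example.

```python
import hashlib, hmac, os

def rotate(repo, max_active_keys=3):
    """Model of one rotation on a key repository {index: key}: staged key 0
    becomes the primary (highest index), a fresh key is staged as 0, and the
    oldest secondary keys are pruned down to max_active_keys."""
    repo = dict(repo)
    repo[max(repo) + 1] = repo.pop(0)
    repo[0] = os.urandom(32)
    while len(repo) > max_active_keys:
        del repo[min(i for i in repo if i != 0)]
    return repo

def _tag(key, payload):
    # Assumption: HMAC-SHA256 stands in for Fernet encryption in this model.
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue(repo, payload):
    """Tokens are always issued with the primary key (highest index)."""
    return payload, _tag(repo[max(repo)], payload)

def validate(repo, token):
    """A token is accepted if any key in the repository verifies it."""
    payload, tag = token
    return any(hmac.compare_digest(tag, _tag(k, payload)) for k in repo.values())

def sync_window():
    """Return what validates where while node B is still waiting for the rsync."""
    node_b = {0: os.urandom(32), 1: os.urandom(32)}  # constructed initial repo
    once = rotate(node_b)    # node A after one rotation, B not yet synced
    twice = rotate(once)     # node A rotated again before any sync
    return {
        # A's new primary is the key B already holds as staged key 0.
        "A_token_on_B": validate(node_b, issue(once, b"user-1")),
        # B's primary is kept on A as a secondary key.
        "B_token_on_A": validate(once, issue(node_b, b"user-2")),
        # A's primary is now a key that was never copied to B.
        "A_token_on_B_after_two_rotations": validate(node_b, issue(twice, b"user-3")),
        # B's old primary has been pruned on A (max_active_keys=3).
        "B_token_on_A_after_two_rotations": validate(twice, issue(node_b, b"user-4")),
    }

if __name__ == "__main__":
    for check, ok in sync_window().items():
        print(f"{check}: {ok}")
```

The last two checks are the failure mode to schedule around: if the rotating node rotates a second time before the cron rsync has completed, it issues tokens under a key the other nodes never received and has already pruned the key they are still issuing with.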