[Openstack] [kolla][keystone] better way to rotate and distribution keystone fernet keys in container env
Jeffrey Zhang
zhang.lei.fly at gmail.com
Mon Mar 6 05:52:01 UTC 2017
fix subject typo
On Mon, Mar 6, 2017 at 12:28 PM, Jeffrey Zhang <zhang.lei.fly at gmail.com>
wrote:
> Kolla has support for keystone fernet keys. But there are still some
> topics worth talking about.
>
> The key issue is key distribution. Kolla's solution is like
>
> * there is a task run frequently by cronjob to check whether
> the key should be rotated. This is controlled by the
> `fernet_token_expiry` variable
> * When key rotation is required, the task in the cron job will generate a
> new key by using `keystone-manage fernet-rotate` and distribute all
> keys in the /etc/keystone/fernet-keys folder to the others by using
> `rsync --delete`
>
> One issue is: there is no global lock in the rotate and distribute steps.
> The above command is run on all controllers. It may cause issues if
> all controllers run this at the same time.
>
> Since we are using Ansible as the deployment tool, there is no daemon
> agent at all to keep rotation and distribution atomic. Is there any
> easier way to implement a global lock?
>
> Possible solutions:
> 1. configure the cron job with a different time on each controller
> 2. implement a global lock? (no idea how)
>
> [0] https://docs.openstack.org/admin-guide/identity-fernet-token-faq.html
>
> --
> Regards,
> Jeffrey Zhang
> Blog: http://xcodest.me
>
--
Regards,
Jeffrey Zhang
Blog: http://xcodest.me
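As an added illustration (not code from the thread, Kolla or keystone), this Python model of the check/rotate/`rsync --delete` procedure described in the quoted message shows what the missing global lock costs: each extra rotation purges an older key, so tokens issued a moment earlier stop validating before they expire. The key-repository semantics are a simplified model of `keystone-manage fernet-rotate`, the key material is a placeholder, and the interleaving in which each controller rotates the keys it just received is an assumption.

```python
import secrets


def new_key() -> str:
    """Stand-in for a fernet key file (real ones come from keystone-manage)."""
    return secrets.token_urlsafe(32)


class KeyRepo:
    """One controller's /etc/keystone/fernet-keys: index 0 is the staging key,
    the highest index is the primary that signs new tokens, and every key
    present can still validate older tokens."""

    def __init__(self, max_active_keys: int = 3):
        self.max_active_keys = max_active_keys
        self.keys = {0: new_key(), 1: new_key()}  # state after fernet_setup

    def primary(self) -> int:
        return max(self.keys)

    def rotate(self) -> None:
        """Simplified `keystone-manage fernet-rotate`: promote staging to
        primary, write a fresh staging key, then purge the oldest keys
        (never 0) until max_active_keys remain."""
        self.keys[self.primary() + 1] = self.keys.pop(0)
        self.keys[0] = new_key()
        while len(self.keys) > self.max_active_keys:
            del self.keys[min(k for k in self.keys if k != 0)]

    def sync_from(self, other: "KeyRepo") -> None:
        """Model of `rsync --delete`: the whole directory is replaced."""
        self.keys = dict(other.keys)


def rotation_round(controllers: int, uncoordinated: bool):
    """One cron round over `controllers` nodes that start with identical keys.
    Coordinated: a single node rotates and pushes to the rest.
    Uncoordinated (assumed interleaving): every node's cron fires in turn,
    each rotating whatever it currently holds and pushing it to the others.
    Returns (pre-rotation primary still present?, sorted final indices)."""
    repos = [KeyRepo() for _ in range(controllers)]
    for r in repos[1:]:
        r.sync_from(repos[0])
    token_key = repos[0].primary()  # tokens issued just before the round
    for node in repos if uncoordinated else repos[:1]:
        node.rotate()
        for other in repos:
            if other is not node:
                other.sync_from(node)
    return token_key in repos[0].keys, sorted(repos[0].keys)
```

With the default of three active keys, the round in which all three controllers rotate ends with indices 0, 3 and 4, so tokens signed with key 1 fail validation even though they are still within `fernet_token_expiry`.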