I don't think it would cause an issue if every controller rotated all at once. The issues are more along the lines of rotating to key C when there are tokens out there that are encrypted with keys A and B. In other words, over-rotation. As long as your keys are properly staged, doing the rotation all at once or spacing it out should not make any difference.
On Sun, Mar 5, 2017 at 10:52 PM, Jeffrey Zhang <zhang.lei....@gmail.com> wrote:
> fix subject typo
>
> On Mon, Mar 6, 2017 at 12:28 PM, Jeffrey Zhang <zhang.lei....@gmail.com> wrote:
>
>> Kolla has support for keystone fernet keys. But there are still some
>> topics worth talking about.
>>
>> The key issue is key distribution. Kolla's solution is like:
>>
>> * there is a task run frequently by cronjob to check whether
>>   the key should be rotated. This is controlled by the
>>   `fernet_token_expiry` variable
>> * When key rotation is required, the task in the cron job will generate a
>>   new key by using `keystone-manage fernet-rotate` and distribute all
>>   keys in the /etc/keystone/fernet-keys folder to the others by using
>>   `rsync --delete`
>>
>> One issue is: there is no global lock in the rotate and distribute steps.
>> The above command is run on all controllers. It may cause issues if
>> all controllers run this at the same time.
>>
>> Since we are using Ansible as the deployment tool, there is no daemon
>> agent at all to keep rotation and distribution atomic. Is there any
>> easier way to implement a global lock?
>>
>> Possible solutions:
>> 1. configure the cron job with a different time on each controller
>> 2. implement a global lock? (no idea how)
>>
>> [0] https://docs.openstack.org/admin-guide/identity-fernet-token-faq.html
>>
>> --
>> Regards,
>> Jeffrey Zhang
>> Blog: http://xcodest.me
>
> --
> Regards,
> Jeffrey Zhang
> Blog: http://xcodest.me
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
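To make the over-rotation point concrete, here is an added simulation (not Kolla's or keystone's code) of a fernet key repository: index 0 is the staged key, the highest index is the primary, everything else is a secondary key kept only for validation. Tokens are modelled as HMAC-tagged JSON instead of real Fernet ciphertext, and `max_active_keys` and the `FernetKeyRing` class are the example's own names. It shows two things: a token issued today survives exactly `max_active_keys - 1` rotations before its key is pruned, and two controllers that start from the same staged key set and rotate at the same moment still agree on the new primary key, so tokens issued on one validate on the other.

```python
import base64
import hashlib
import hmac
import json
import os


class FernetKeyRing:
    """Toy model of a keystone fernet key repository (/etc/keystone/fernet-keys).

    Keys live in a dict {index: key_bytes}: index 0 is the staged key, the
    highest index is the primary key that issues tokens, and all other
    indexes are secondary keys kept only so older tokens still validate.
    Tokens here are HMAC-tagged JSON rather than real Fernet ciphertext;
    the rotation and validation rules are what this example is about.
    """

    def __init__(self, max_active_keys=3, keys=None):
        self.max_active_keys = max_active_keys
        # Like an initial setup: one staged key (0) and one primary key (1).
        self.keys = dict(keys) if keys else {0: os.urandom(32), 1: os.urandom(32)}

    @property
    def primary_index(self):
        return max(self.keys)

    def rotate(self):
        """Promote the staged key to primary, create a fresh staged key, and
        prune the oldest secondary keys until only max_active_keys remain."""
        self.keys[self.primary_index + 1] = self.keys.pop(0)
        self.keys[0] = os.urandom(32)
        while len(self.keys) > self.max_active_keys:
            oldest = min(i for i in self.keys if i != 0)
            del self.keys[oldest]

    def issue_token(self, payload):
        """Tag the payload with the primary key only."""
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self.keys[self.primary_index], body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def validate_token(self, token):
        """Try every active key, as a multi-key Fernet validator does. None means
        no key matches: the issuing key has been rotated out (over-rotation)."""
        raw = base64.urlsafe_b64decode(token)
        body, tag = raw[:-32], raw[-32:]
        for key in self.keys.values():
            if hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
                return json.loads(body)
        return None


def rotations_until_invalid(max_active_keys):
    """Count how many rotations a token survives before its key is pruned."""
    ring = FernetKeyRing(max_active_keys)
    token = ring.issue_token({"user": "alice"})  # constructed sample payload
    rotations = 0
    while ring.validate_token(token) is not None:
        ring.rotate()
        rotations += 1
    return rotations


def simultaneous_rotation_is_safe():
    """Two controllers holding an identical, properly staged key set each run
    the rotation independently. Both promote the same staged key, so a token
    issued on one after the rotation still validates on the other; only the
    freshly generated staged keys differ, which the distribution step must
    reconcile before the next rotation."""
    shared = {0: os.urandom(32), 1: os.urandom(32)}  # constructed shared key set
    ctrl_a = FernetKeyRing(max_active_keys=3, keys=shared)
    ctrl_b = FernetKeyRing(max_active_keys=3, keys=shared)
    ctrl_a.rotate()
    ctrl_b.rotate()
    token = ctrl_a.issue_token({"user": "bob"})  # constructed sample payload
    same_primary = ctrl_a.keys[ctrl_a.primary_index] == ctrl_b.keys[ctrl_b.primary_index]
    staged_differ = ctrl_a.keys[0] != ctrl_b.keys[0]
    return same_primary and staged_differ and ctrl_b.validate_token(token) is not None


if __name__ == "__main__":
    for n in (3, 4, 6):
        print(f"max_active_keys={n}: token survives {rotations_until_invalid(n)} rotations")
    print("simultaneous rotation with staged keys safe:", simultaneous_rotation_is_safe())
```

The thing to check in a real deployment is therefore the ratio between token lifetime and rotation interval against the number of active keys: if more than `max_active_keys - 1` rotations can happen within one token lifetime, valid tokens will start failing. The second function also shows why the rsync step in the thread still matters even though simultaneous rotation is harmless: after an unsynchronised rotation the staged keys diverge, and a second rotation before distribution would promote different primaries on different controllers.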