[Openstack-operators] [openstack-operators] Fernet key rotation
Hi

In a multi node HA deployment for production, does key rotate need a keystone process reboot, or should we just run the fernet rotate on one node and distribute it without restarting any process?
I presume keystone can handle the rotation without a restart?

I also assume this key rotation can happen without a maintenance window.

What do folks typically do in production, and how often do you rotate keys?

Ajay

Re: [Openstack-operators] [openstack-operators] Fernet key rotation
Fernet key rotation is easy.

1) You don't need a maintenance window
2) You can do one node at a time even with a long delay between
3) You don't need to restart anything

We rotate approximately weekly.

On Wed, Mar 16, 2016 at 3:44 PM, Ajay Kalambur (akalambu) <akala...@cisco.com> wrote:

> Hi
> In a multi node HA deployment for production does key rotate need a
> keystone process reboot or should we just run the fernet rotate on one node
> and distribute it without restarting any process
> I presume keystone can handle the rotation without a restart?
>
> I also assume this key rotation can happen without a maintenance window
>
> What do folks typically do in production and how often do you rotate keys
>
> Ajay

Re: [Openstack-operators] [openstack-operators] Fernet key rotation
You can just rotate without restarting services. We're rotating currently only once a day. We rotate on one machine, then rsync the data to the others in a cron job. Has been working well for a couple of months now.

Thanks,
Kevin

From: Ajay Kalambur (akalambu) [akala...@cisco.com]
Sent: Wednesday, March 16, 2016 2:44 PM
To: OpenStack Operators
Subject: [Openstack-operators] [openstack-operators] Fernet key rotation

Hi
In a multi node HA deployment for production does key rotate need a keystone process reboot or should we just run the fernet rotate on one node and distribute it without restarting any process
I presume keystone can handle the rotation without a restart?

I also assume this key rotation can happen without a maintenance window

What do folks typically do in production and how often do you rotate keys

Ajay
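
Added example, not part of the thread and not Keystone's own code: a simplified model of why rotating on one node and copying the keys to the others afterwards, as both replies describe, keeps tokens valid across the cluster. It assumes Keystone's documented key repository layout (index 0 is the staged key, the highest index is the primary) and three active keys, uses HMAC-SHA256 as a stand-in for Fernet, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Simplified model of a Keystone Fernet key repository (assumption: index 0 is
# the staged key and the highest index is the primary, as Keystone documents).
# HMAC-SHA256 stands in for real Fernet encryption; names are hypothetical.


def rotate(repo, max_active_keys=3):
    """Promote the staged key to primary, stage a new key, prune old ones."""
    rotated = dict(repo)
    rotated[max(rotated) + 1] = rotated.pop(0)  # staged -> new primary
    rotated[0] = os.urandom(32)                 # new staged key
    while len(rotated) > max_active_keys:
        del rotated[min(k for k in rotated if k != 0)]  # oldest secondary
    return rotated


def tag_for(key, payload):
    """Authentication tag for a payload under one key."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue(repo, payload):
    """Issue a token with the primary (highest-index) key."""
    return payload, tag_for(repo[max(repo)], payload)


def validate(repo, token):
    """Accept the token if any key in the repository verifies it."""
    payload, tag = token
    return any(hmac.compare_digest(tag_for(k, payload), tag) for k in repo.values())


def lag_demo():
    """Return (valid one rotation behind, valid two rotations behind)."""
    node_a = {0: os.urandom(32), 1: os.urandom(32)}  # staged key 0, primary 1
    node_b = dict(node_a)            # node B starts in sync with node A
    node_a = rotate(node_a)          # A rotates; B has not been synced yet
    one_behind = validate(node_b, issue(node_a, b"constructed-token"))
    node_a = rotate(node_a)          # A rotates again, still no sync to B
    two_behind = validate(node_b, issue(node_a, b"constructed-token"))
    return one_behind, two_behind


if __name__ == "__main__":
    print(lag_demo())
```

In this model a node that is one rotation behind still validates new tokens, because the new primary was already present there as the staged key. After a second rotation without a sync it no longer does, so the copy to the other nodes has to complete between rotations.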