kolla-ansible

Comment 16 for bug 1809469

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-06-20: Fix merged to kolla-ansible (stable/stein)

#16

Reviewed: https://review.opendev.org/666090
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=8e627c1eef5e7ef047cd3860d162a0e2a800e5ab
Submitter: Zuul
Branch: stable/stein

commit 8e627c1eef5e7ef047cd3860d162a0e2a800e5ab
Author: Mark Goddard <email address hidden>
Date: Thu May 16 17:26:45 2019 +0100

Fix keystone fernet key rotation scheduling

    Right now every controller rotates fernet keys. This is nice because
    should any controller die, we know the remaining ones will rotate the
    keys. However, we are currently over-rotating the keys.

When we over rotate keys, we get logs like this:

This is not a recognized Fernet token <token> TokenNotFound

    Most clients can recover and get a new token, but some clients (like
    Nova passing tokens to other services) can't do that because it doesn't
    have the password to regenerate a new token.

With three controllers, in crontab in keystone-fernet we see the once a day
correctly staggered across the three controllers:

    ssh ctrl1 sudo cat /etc/kolla/keystone-fernet/crontab
    0 0 * * * /usr/bin/fernet-rotate.sh
    ssh ctrl2 sudo cat /etc/kolla/keystone-fernet/crontab
    0 8 * * * /usr/bin/fernet-rotate.sh
    ssh ctrl3 sudo cat /etc/kolla/keystone-fernet/crontab
    0 16 * * * /usr/bin/fernet-rotate.sh

Currently with three controllers we have this keystone config:

    [token]
    expiration = 86400 (although, keystone default is one hour)
    allow_expired_window = 172800 (this is the keystone default)

[fernet_tokens]
max_active_keys = 4

Currently, kolla-ansible configures key rotation according to the following:

rotation_interval = token_expiration / num_hosts

This means we rotate keys more quickly the more hosts we have, which doesn't
make much sense.

Keystone docs state:

max_active_keys =
((token_expiration + allow_expired_window) / rotation_interval) + 2

For details see:
https://docs.openstack.org/keystone/stein/admin/fernet-token-faq.html

    Rotation is based on pushing out a staging key, so should any server
    start using that key, other servers will consider that valid. Then each
    server in turn starts using the staging key, each in term demoting the
    existing primary key to a secondary key. Eventually you prune the
    secondary keys when there is no token in the wild that would need to be
    decrypted using that key. So this all makes sense.

    This change adds new variables for fernet_token_allow_expired_window and
    fernet_key_rotation_interval, so that we can correctly calculate the
    correct number of active keys. We now set the default rotation interval
    so as to minimise the number of active keys to 3 - one primary, one
    secondary, one buffer.

This change also fixes the fernet cron job generator, which was broken
in the following cases:

    * requesting an interval of more than 1 day resulted in no jobs
    * requesting an interval of more than 60 minutes, unless an exact
      multiple of 60 minutes, resulted in no jobs

It should now be possible to request any interval up to a week divided
by the number of hosts.

    Change-Id: I10c82dc5f83653beb60ddb86d558c5602153341a
    Closes-Bug: #1809469
    (cherry picked from commit 6c1442c385450004dd253f3f464fe4336194be99)

Reviewed:  https://review.opendev.org/666090
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=8e627c1eef5e7ef047cd3860d162a0e2a800e5ab
Submitter: Zuul
Branch:    stable/stein

commit 8e627c1eef5e7ef047cd3860d162a0e2a800e5ab
Author: Mark Goddard <mark@stackhpc.com>
Date:   Thu May 16 17:26:45 2019 +0100

Fix keystone fernet key rotation scheduling
    
    Right now every controller rotates fernet keys. This is nice because
    should any controller die, we know the remaining ones will rotate the
    keys. However, we are currently over-rotating the keys.
    
    When we over rotate keys, we get logs like this:
    
     This is not a recognized Fernet token <token> TokenNotFound
    
    Most clients can recover and get a new token, but some clients (like
    Nova passing tokens to other services) can't do that because it doesn't
    have the password to regenerate a new token.
    
    With three controllers, in crontab in keystone-fernet we see the once a day
    correctly staggered across the three controllers:
    
    ssh ctrl1 sudo cat /etc/kolla/keystone-fernet/crontab
    0 0 * * * /usr/bin/fernet-rotate.sh
    ssh ctrl2 sudo cat /etc/kolla/keystone-fernet/crontab
    0 8 * * * /usr/bin/fernet-rotate.sh
    ssh ctrl3 sudo cat /etc/kolla/keystone-fernet/crontab
    0 16 * * * /usr/bin/fernet-rotate.sh
    
    Currently with three controllers we have this keystone config:
    
    [token]
    expiration = 86400 (although, keystone default is one hour)
    allow_expired_window = 172800 (this is the keystone default)
    
    [fernet_tokens]
    max_active_keys = 4
    
    Currently, kolla-ansible configures key rotation according to the following:
    
       rotation_interval = token_expiration / num_hosts
    
    This means we rotate keys more quickly the more hosts we have, which doesn't
    make much sense.
    
    Keystone docs state:
    
       max_active_keys =
         ((token_expiration + allow_expired_window) / rotation_interval) + 2
    
    For details see:
    https://docs.openstack.org/keystone/stein/admin/fernet-token-faq.html
    
    Rotation is based on pushing out a staging key, so should any server
    start using that key, other servers will consider that valid. Then each
    server in turn starts using the staging key, each in term demoting the
    existing primary key to a secondary key. Eventually you prune the
    secondary keys when there is no token in the wild that would need to be
    decrypted using that key. So this all makes sense.
    
    This change adds new variables for fernet_token_allow_expired_window and
    fernet_key_rotation_interval, so that we can correctly calculate the
    correct number of active keys. We now set the default rotation interval
    so as to minimise the number of active keys to 3 - one primary, one
    secondary, one buffer.
    
    This change also fixes the fernet cron job generator, which was broken
    in the following cases:
    
    * requesting an interval of more than 1 day resulted in no jobs
    * requesting an interval of more than 60 minutes, unless an exact
      multiple of 60 minutes, resulted in no jobs
    
    It should now be possible to request any interval up to a week divided
    by the number of hosts.
    
    Change-Id: I10c82dc5f83653beb60ddb86d558c5602153341a
    Closes-Bug: #1809469
    (cherry picked from commit 6c1442c385450004dd253f3f464fe4336194be99)