On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov <bbob...@mirantis.com> wrote:
> On Sat, Aug 1, 2015 at 3:41 PM, Clint Byrum <cl...@fewbar.com> wrote:
>
> > > This too is overly complex and will cause failures. If you replace key 0,
> > > you will stop validating tokens that were encrypted with the old key 0.
> >
> > No. Key 0 is replaced after rotation.
> >
> > Also, come on, does http://paste.openstack.org/show/406674/ look overly
> > complex? (it should be launched from Fuel master node).

I'm reading this on a small phone, so I may have it wrong, but the script appears to be broken. It will ssh to node-1 and rotate. In the simplest case this takes key 0 and moves it to the next highest key number. Then a new key 0 is generated. Later there is a loop that will again ssh into node-1 and run the rotation script. If there is a limit set on the number of keys and you are at that limit, a key will be deleted. This extra rotation on node-1 means that it's possible that it has a different set of keys than are on node-2 and node-3.

What's the issue with just a simple rsync of the directory?

--
David
blog: http://www.traceback.org
twitter: http://twitter.com/dstanek
www: http://dstanek.com
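The key-set drift described in the message above can be reproduced with a small model. This is an added example, not code from the thread or from the pasted script. The rotation step follows the description in the message; the oldest-first deletion at the key limit, the in-memory dictionaries standing in for each node's key directory, and the copy step standing in for an rsync are assumptions.

```python
import hashlib
import os


def rotate(repo, max_active_keys):
    """One rotation as described in the message above.

    repo maps key index -> key bytes. Key 0 moves to the next highest
    index, a new key 0 is generated, and keys over the limit are deleted.
    Assumption: the lowest-numbered non-zero keys are deleted first.
    """
    rotated = dict(repo)
    rotated[max(rotated) + 1] = rotated[0]
    rotated[0] = os.urandom(32)
    while len(rotated) > max_active_keys:
        del rotated[min(i for i in rotated if i != 0)]
    return rotated


def digests(repo):
    """SHA-256 digests of the keys, so sets can be compared without exposing keys."""
    return {hashlib.sha256(key).hexdigest() for key in repo.values()}


def drift(nodes):
    """For each node, digests of keys held by some other node but missing here."""
    everything = set().union(*(digests(repo) for repo in nodes.values()))
    return {name: everything - digests(repo) for name, repo in nodes.items()}


def simulate(max_active_keys=3, extra_rotation=True):
    """Constructed scenario: rotate once, copy to all nodes, then
    optionally rotate node-1 a second time."""
    start = {i: os.urandom(32) for i in range(max_active_keys)}
    rotated = rotate(start, max_active_keys)
    nodes = {name: dict(rotated) for name in ("node-1", "node-2", "node-3")}
    if extra_rotation:
        nodes["node-1"] = rotate(nodes["node-1"], max_active_keys)
    return nodes


if __name__ == "__main__":
    for label, extra in (("copy only", False), ("extra rotation on node-1", True)):
        report = drift(simulate(extra_rotation=extra))
        print(label, {name: len(missing) for name, missing in report.items()})
```

Comparing digests rather than raw key files lets the same check run from a monitoring host without moving key material off the nodes.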