On Monday 03 August 2015 21:05:00 David Stanek wrote:
> On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov <bbob...@mirantis.com> wrote:
> > On Sat, Aug 1, 2015 at 3:41 PM, Clint Byrum <cl...@fewbar.com> wrote:
> > > This too is overly complex and will cause failures. If you replace key
> > > 0, you will stop validating tokens that were encrypted with the old
> > > key 0.
> >
> > No. Key 0 is replaced after rotation.
> >
> > Also, come on, does http://paste.openstack.org/show/406674/ look overly
> > complex? (it should be launched from Fuel master node).
>
> I'm reading this on a small phone, so I may have it wrong, but the script
> appears to be broken.
>
> It will ssh to node-1 and rotate. In the simplest case this takes key 0 and
> moves it to the next highest key number. Then a new key 0 is generated.
>
> Later there is a loop that will again ssh into node-1 and run the rotation
> script. If there is a limit set on the number of keys and you are at that
> limit a key will be deleted. This extra rotation on node-1 means that it's
> possible that it has a different set of keys than are on node-2 and node-3.

You are absolutely right. Node-1 should be excluded from the loop. ping also
lacks "-c 1". I am sure that other issues can be found. In my excuse I want
to say that I never ran the script and wrote it just to show how simple it
should be. Thanks for the review though!

I also hope that no one is going to use a script from a mailing list.

> What's the issue with just a simple rsync of the directory?

None I think. I just want to reuse the interface provided by keystone-manage.

--
Best regards,
Boris
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
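The divergence David Stanek describes in the thread above, modelled as an added example. This is not the script behind the paste link (it is not reproduced on this page) and not Keystone code. Assumptions: a key repository is a dict of index to key bytes, node-1's repository is copied to its peers after the first rotation, and the key deleted at the limit is the oldest non-staged one.

```python
import hashlib
import os

def rotate(repo, max_active_keys):
    """One rotation as described in the thread, on a {index: key_bytes} repo."""
    new = dict(repo)
    new[max(new) + 1] = new.pop(0)      # key 0 moves to the next highest index
    new[0] = os.urandom(32)             # a new key 0 is generated
    while len(new) > max_active_keys:   # at the limit: a key is deleted
        del new[min(i for i in new if i != 0)]  # assumption: oldest non-staged key
    return new

def fingerprints(repo):
    """Short SHA-256 digests, so raw key material is never printed or compared."""
    return {hashlib.sha256(k).hexdigest()[:12] for k in repo.values()}

def missing_keys(repos):
    """For each node, fingerprints held by some other node but absent locally."""
    union = set().union(*(fingerprints(r) for r in repos.values()))
    return {node: union - fingerprints(r) for node, r in repos.items()}

def simulate(extra_rotation_on_node1, max_active_keys=3):
    # Constructed starting state: one repository already at the key limit.
    shared = {i: os.urandom(32) for i in range(max_active_keys)}
    node1 = rotate(shared, max_active_keys)
    # Assumption: peers receive a copy of node-1's repository after it rotates.
    repos = {"node-1": node1, "node-2": dict(node1), "node-3": dict(node1)}
    if extra_rotation_on_node1:
        # The loop that includes node-1 rotates it a second time.
        repos["node-1"] = rotate(repos["node-1"], max_active_keys)
    return missing_keys(repos)

if __name__ == "__main__":
    for buggy in (False, True):
        print("extra rotation on node-1:", buggy)
        for node, missing in sorted(simulate(buggy).items()):
            print(f"  {node}: missing {len(missing)} key(s) held elsewhere")
```

With the extra rotation, node-1 has deleted a key its peers still hold and holds a new key 0 they never received, so a fingerprint comparison like missing_keys() is a cheap post-rotation consistency check.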