From e6806ff32d696c9e51f06230f72fce983d65fe74 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Fri, 14 Apr 2017 10:53:01 -0700 Subject: [PATCH] Add kerberos maintenance docs This adds docs on how to perform maintenance on the kerberos service without a service outage. Change-Id: Ie98bcfa952825d5102c21bbf1efda499307fb88a --- doc/source/kerberos.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/doc/source/kerberos.rst b/doc/source/kerberos.rst index 8fb550eb38..7a16ba3fc9 100644 --- a/doc/source/kerberos.rst +++ b/doc/source/kerberos.rst @@ -97,3 +97,25 @@ should be capitalized. Then save the principal's keytab:: kadmin: ktadd -k /path/to/$NAME.keytab service/$NAME@OPENSTACK.ORG + +No Service Outage Server Maintenance +------------------------------------ + +Should you need perform maintenance on the kerberos server that requires +taking kerberos processes offline you can do this by performing your +updates on a single server at a time. + +`kdc01.openstack.org` is our primary server and `kdc02.openstack.org` +is the hot standby. Perform your maintenance on `kdc02.openstack.org` +first. Then once that is done we can prepare for taking down the +primary. On `kdc01.openstack.org` run:: + + root@kdc01:~# /usr/local/bin/run-kprop.sh + +You should see:: + + Database propagation to kdc02.openstack.org: SUCCEEDED + +Once this is done the standby server is ready and we can take kdc01 +offline. When kdc01 is back online rerun `run-kprop.sh` to ensure +everything is working again.
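Review bot: The new "No Service Outage Server Maintenance" section only documents the success path of the propagation step: after "You should see::" it should say that kdc01 must not be taken offline unless the output is "Database propagation to kdc02.openstack.org: SUCCEEDED", and what to check when it is not. The closing paragraph could also state how to confirm that the rerun of run-kprop.sh worked once kdc01 is back (the same SUCCEEDED line), and whether kadmin operations such as the ktadd step documented just above have to wait while the primary is down. Two smaller points in the added text: "Should you need perform maintenance" is missing "to", and the hostnames and run-kprop.sh are wrapped in single backticks, which reStructuredText treats as interpreted text rather than an inline literal; double backticks would render them as literals.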