diff --git a/ansible/roles/keystone/templates/keystone-startup.sh.j2 b/ansible/roles/keystone/templates/keystone-startup.sh.j2
index 2304df1ab2..2ea21744cd 100644
--- a/ansible/roles/keystone/templates/keystone-startup.sh.j2
+++ b/ansible/roles/keystone/templates/keystone-startup.sh.j2
@@ -4,32 +4,21 @@
 set -o errexit
 set -o pipefail
 
-TOKEN_DIR="/etc/keystone/fernet-keys"
+FERNET_KEY_DIR="/etc/keystone/fernet-keys"
 
-# Ensure tokens are populated, check for 0 (staging) key
+# Ensure Fernet keys are populated, check for 0 (staging) key
 n=0
-while [ ! -f "${TOKEN_DIR}/0" ]; do
+while [ ! -f "${FERNET_KEY_DIR}/0" ]; do
 if [ $n -lt 36 ]; then
 n=$(( n + 1 ))
- echo "ERROR: Fernet tokens have not been populated, rechecking in 5 seconds"
- echo "DEBUG: ${TOKEN_DIR} contents:"
- ls -l ${TOKEN_DIR}
+ echo "ERROR: Fernet keys have not been populated, rechecking in 5 seconds"
+ echo "DEBUG: ${FERNET_KEY_DIR} contents:"
+ ls -l ${FERNET_KEY_DIR}
 sleep 5
 else
- echo "CRITICAL: Waited for 10 minutes - failing"
+ echo "CRITICAL: Waited for 3 minutes - failing"
 exit 1
 fi
 done
 
-# Ensure tokens are not stale
-# Get primary token (file with highest number)
-TOKEN_PRIMARY=$(ls -1 ${TOKEN_DIR} | sort -hr | head -n 1)
-# Check it's age in seconds
-TOKEN_AGE=$(($(date +%s) - $(date +%s -r "${TOKEN_DIR}/${TOKEN_PRIMARY}")))
-# Compare if it's older than fernet_key_rotation_interval and fail if it's stale
-if [ "${TOKEN_AGE}" -gt "{{ fernet_key_rotation_interval }}" ]; then
- echo "ERROR: Primary token ${TOKEN_PRIMARY} is stale."
- exit 1
-fi
-
 exec /usr/sbin/{{ keystone_cmd }} $@
diff --git a/releasenotes/notes/fix-keystone-startup-66c5aa11a464a562.yaml b/releasenotes/notes/fix-keystone-startup-66c5aa11a464a562.yaml
new file mode 100644
index 0000000000..37c425331a
--- /dev/null
+++ b/releasenotes/notes/fix-keystone-startup-66c5aa11a464a562.yaml
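Review bot: In keystone-startup.sh.j2, once the staleness block before the `exec` is removed, nothing visible in this script reports a primary Fernet key older than `{{ fernet_key_rotation_interval }}`, so a rotation job that has silently stopped would go unnoticed at startup. Exiting on a stale key was the bug, but the age check itself is a useful detection signal; consider keeping it as a non-fatal `WARNING:` line before the `exec`, as sketched below, unless key age is already monitored elsewhere. Separately, `ls -l ${FERNET_KEY_DIR}` in the retry loop is unquoted and runs under `set -o errexit`, so a missing directory would end the script on the first pass instead of retrying; `ls -l "${FERNET_KEY_DIR}" || true` avoids that.

```shell
# … unchanged: wait loop for ${FERNET_KEY_DIR}/0 …

# Report an overdue rotation, but never block startup on it
FERNET_KEY_PRIMARY=$(ls -1 "${FERNET_KEY_DIR}" | sort -n | tail -n 1)
FERNET_KEY_MTIME=$(date +%s -r "${FERNET_KEY_DIR}/${FERNET_KEY_PRIMARY}" || echo "")
if [ -n "${FERNET_KEY_MTIME}" ] && \
   [ $(( $(date +%s) - FERNET_KEY_MTIME )) -gt "{{ fernet_key_rotation_interval }}" ]; then
    echo "WARNING: Primary Fernet key ${FERNET_KEY_PRIMARY} is older than the rotation interval"
fi

exec /usr/sbin/{{ keystone_cmd }} $@
```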
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fixes an issue with Keystone startup when Fernet key rotation does not
+ occur within the configured interval. This may happen due to one of the
+ Keystone hosts being down at the scheduled time of rotation, or due to
+ uneven intervals between cron jobs. `LP#1895723
+ `__