Merge "Fix keystone-startup.sh - remove Fernet key age check"

Zuul 2020-10-23 21:03:59 +00:00 committed by Gerrit Code Review
commit b77b4eb829
2 changed files with 15 additions and 18 deletions


@ -4,32 +4,21 @@
set -o errexit set -o errexit
set -o pipefail set -o pipefail
TOKEN_DIR="/etc/keystone/fernet-keys" FERNET_KEY_DIR="/etc/keystone/fernet-keys"
# Ensure tokens are populated, check for 0 (staging) key # Ensure Fernet keys are populated, check for 0 (staging) key
n=0 n=0
while [ ! -f "${TOKEN_DIR}/0" ]; do while [ ! -f "${FERNET_KEY_DIR}/0" ]; do
if [ $n -lt 36 ]; then if [ $n -lt 36 ]; then
n=$(( n + 1 )) n=$(( n + 1 ))
echo "ERROR: Fernet tokens have not been populated, rechecking in 5 seconds" echo "ERROR: Fernet keys have not been populated, rechecking in 5 seconds"
echo "DEBUG: ${TOKEN_DIR} contents:" echo "DEBUG: ${FERNET_KEY_DIR} contents:"
ls -l ${TOKEN_DIR} ls -l ${FERNET_KEY_DIR}
sleep 5 sleep 5
else else
echo "CRITICAL: Waited for 10 minutes - failing" echo "CRITICAL: Waited for 3 minutes - failing"
exit 1 exit 1
fi fi
done done
# Ensure tokens are not stale
# Get primary token (file with highest number)
TOKEN_PRIMARY=$(ls -1 ${TOKEN_DIR} | sort -hr | head -n 1)
# Check it's age in seconds
TOKEN_AGE=$(($(date +%s) - $(date +%s -r "${TOKEN_DIR}/${TOKEN_PRIMARY}")))
# Compare if it's older than fernet_key_rotation_interval and fail if it's stale
if [ "${TOKEN_AGE}" -gt "{{ fernet_key_rotation_interval }}" ]; then
echo "ERROR: Primary token ${TOKEN_PRIMARY} is stale."
exit 1
fi
exec /usr/sbin/{{ keystone_cmd }} $@ exec /usr/sbin/{{ keystone_cmd }} $@
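Review bot: The diagnostic `ls -l ${FERNET_KEY_DIR}` inside the retry loop runs under `set -o errexit`, so if the directory itself does not exist yet the script would presumably exit on the first pass instead of rechecking for the 3 minutes the loop intends; `ls -l "${FERNET_KEY_DIR}" || true` keeps the listing best-effort. The final line still passes `$@` unquoted, which re-splits any argument containing whitespace; `exec /usr/sbin/{{ keystone_cmd }} "$@"` is the safe form. With the age check removed, nothing in this script reports a primary key older than the rotation interval, so a host that missed rotation now starts silently; a non-fatal warning line would keep that visible to operators without blocking startup.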


@ -0,0 +1,8 @@
---
fixes:
- |
Fixes an issue with Keystone startup when Fernet key rotation does not
occur within the configured interval. This may happen due to one of the
Keystone hosts being down at the scheduled time of rotation, or due to
uneven intervals between cron jobs. `LP#1895723
<https://bugs.launchpad.net/kolla-ansible/+bug/1895723>`__