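#!/bin/bash
#
# Wrapper script to rotate keystone fernet keys on active controller only
#
# Flow: run only where the postgres service is enabled-active (sm-query).
# If a 100.101 alarm exists for this host in the fm alarm table, the rotation
# is pinned to the most idle core on All-in-one systems, otherwise it is
# deferred by one hour (re-invoking this script in the background), at most
# MAX_DELAY_COUNT consecutive times, before it is run unconditionally.
#
# State file: KEYSTONE_KEYS_ROTATE_INFO holds a single "delay_count=N" line.
# It is parsed as data rather than sourced, so its content is never executed.

readonly KEYSTONE_KEYS_ROTATE_INFO="/var/run/keystone-keys-rotate.info"
# Kept as an array so it can be executed directly, without eval or sh -c.
readonly KEYSTONE_KEYS_ROTATE_CMD=(
  /usr/bin/nice -n 2 /usr/bin/keystone-manage fernet_rotate
  --keystone-user keystone --keystone-group keystone
)
readonly MAX_DELAY_COUNT=3
readonly DELAY_SECONDS=3600

#######################################
# Determine whether we're running on the same controller as the service.
# Returns: 0 if sm-query reports postgres as enabled-active here, 1 otherwise
#          (an sm-query failure yields empty output and therefore 1).
#######################################
is_active_pgserver() {
  local service=postgres
  local state
  state=$(/usr/bin/sm-query service "$service" | grep enabled-active)
  [[ -n "$state" ]]
}

#######################################
# Read delay_count from the state file.
# Arguments: $1 - state file path
# Outputs:   the count on stdout; a missing file or a non-numeric value is
#            reported as 0 so the arithmetic below never sees garbage.
#######################################
read_delay_count() {
  local value
  value=$(sed -n 's/^delay_count=//p' "$1" 2>/dev/null | head -n 1)
  [[ "$value" =~ ^[0-9]+$ ]] || value=0
  printf '%s\n' "$value"
}

#######################################
# Store a new delay_count in the state file (in-place edit of the existing
# "delay_count=" line, same as before).
# Arguments: $1 - state file path, $2 - new integer count
#######################################
set_delay_count() {
  sed -i "/delay_count/s/=.*/=$2/" "$1"
}

#######################################
# Check the fm alarm table for a 100.101 alarm raised against this host.
# Returns: 0 if a row mentions both the alarm id and HOSTNAME, non-zero
#          otherwise (a psql failure produces no rows and counts as "no alarm").
#######################################
has_host_alarm() {
  # Two fixed-string greps replace the former PCRE lookahead so that neither
  # the alarm id nor HOSTNAME is interpreted as a regular expression.
  sudo -u postgres psql -d fm -c "SELECT alarm_id, entity_instance_id from alarm;" \
    | grep -F -- "100.101" \
    | grep -q -F -- "${HOSTNAME}"
}

#######################################
# Entry point: decide whether to rotate now, pin to an idle core, or defer.
# Globals:   KEYSTONE_KEYS_ROTATE_INFO, KEYSTONE_KEYS_ROTATE_CMD,
#            MAX_DELAY_COUNT, DELAY_SECONDS, HOSTNAME; system_type from
#            /etc/platform/platform.conf; get_most_idle_core from
#            /etc/init.d/task_affinity_functions.sh
# Returns:   always 0 (callers such as cron/timers should not see failures)
#######################################
main() {
  is_active_pgserver || return 0

  if [[ ! -f "$KEYSTONE_KEYS_ROTATE_INFO" ]]; then
    printf 'delay_count=0\n' > "$KEYSTONE_KEYS_ROTATE_INFO"
  fi
  local delay_count
  delay_count=$(read_delay_count "$KEYSTONE_KEYS_ROTATE_INFO")

  if has_host_alarm; then
    # shellcheck source=/dev/null
    source /etc/platform/platform.conf
    if [[ "${system_type:-}" == "All-in-one" ]]; then
      # shellcheck source=/dev/null
      source /etc/init.d/task_affinity_functions.sh
      local idle_core
      idle_core=$(get_most_idle_core)
      # A non-numeric result (helper failed) falls through to the deferral
      # path, matching the old "-ne" test which also failed in that case.
      if [[ "$idle_core" =~ ^[0-9]+$ ]] && (( idle_core != 0 )); then
        taskset -c "$idle_core" "${KEYSTONE_KEYS_ROTATE_CMD[@]}"
        set_delay_count "$KEYSTONE_KEYS_ROTATE_INFO" 0
        return 0
      fi
    fi

    if (( delay_count < MAX_DELAY_COUNT )); then
      set_delay_count "$KEYSTONE_KEYS_ROTATE_INFO" "$((delay_count + 1))"
      # Re-run this wrapper after the delay; the background job outlives us.
      (sleep "$DELAY_SECONDS"; /usr/bin/keystone-fernet-keys-rotate-active) &
      return 0
    fi
  fi

  "${KEYSTONE_KEYS_ROTATE_CMD[@]}"
  set_delay_count "$KEYSTONE_KEYS_ROTATE_INFO" 0
  return 0
}

main "$@"
exit 0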