By default, the latest MCP deployments use rsync for fernet and credential keys rotation. Though, if your MCP version is 2018.8.0 or earlier, GlusterFS is used as a default rotation driver and credential keys rotation driver. This section provides an instruction on how to configure your MCP OpenStack deployment to use rsync with SSH instead of GlusterFS.
To migrate from GlusterFS to rsync:
Log in to the Salt Master node.
On the system level, verify that the following class is included in
keystone/server/cluster.yml
:
- system.keystone.server.fernet_rotation.cluster
Note
The default configuration for the
system.keystone.server.fernet_rotation.cluster
class is defined in
keystone/server/fernet_rotation/cluster.yml
. It includes the default
list of nodes to synchronize fernet and credential keys that are
sync_node01
and sync_node02
. If there are more nodes to
synchronize fernet and credential keys, expand this list as required.
Verify that the crontab job is disabled in the keystone/client/core.yml
and keystone/client/single.yml
system-level files:
linux:
system:
job:
keystone_job_rotate:
command: '/usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone >> /var/log/key_rotation_log 2>> /var/log/key_rotation_log'
enabled: false
user: root
minute: 0
Apply the Salt orchestration state to configure all required prerequisites like creating an SSH public key, uploading it to mine and secondary control nodes:
salt-run state.orchestrate keystone.orchestrate.deploy
Apply the keystone.server state to put the Keystone rotation
script and run it in the sync
mode hence fernet and credential keys
will be synchronized with the Keystone secondary nodes:
salt -C 'I@keystone:server:role:primary' state.apply keystone.server
salt -C 'I@keystone:server' state.apply keystone.server
Apply the linux.system state to add crontab jobs for the Keystone user:
salt -C 'I@keystone:server' state.apply linux.system
On all OpenStack Controller nodes:
Copy the current credential and fernet keys to temporary directories:
mkdir /tmp/keystone_credential /tmp/keystone_fernet
cp /var/lib/keystone/credential-keys/* /tmp/keystone_credential
cp /var/lib/keystone/fernet-keys/* /tmp/keystone_fernet
Unmount the related GlusterFS mount points:
umount /var/lib/keystone/credential-keys
umount /var/lib/keystone/fernet-keys
Copy the keys from the temporary directories to
var/lib/keystone/credential-keys/
and
/var/lib/keystone/fernet-keys/
:
mkdir -p /var/lib/keystone/credential-keys/ /var/lib/keystone/fernet-keys/
cp /tmp/keystone_credential/* /var/lib/keystone/credential-keys/
cp /tmp/keystone_fernet/* /var/lib/keystone/fernet-keys/
chown -R keystone:keystone /var/lib/keystone/credential-keys/*
chown -R keystone:keystone /var/lib/keystone/fernet-keys/*
On a KVM node, stop and delete the keystone-credential-keys
and
keystone-keys
volumes:
Stop the volumes:
gluster volume stop keystone-credential-keys
gluster volume stop keystone-keys
Delete the GlusterFS volumes:
gluster volume delete keystone-credential-keys
gluster volume delete keystone-keys
On the cluster level model, remove the following GlusterFS classes
included in the openstack/control.yml
file by default:
- system.glusterfs.server.volume.keystone
- system.glusterfs.client.volume.keystone