token flush cronjob not being enabled on leader unit

Bug #1816807 reported by Andrea Ieri
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Keystone Charm | Fix Released | Medium | James Page |

Bug Description

I have seen in a few xenial-queens clouds that the token flush cronjob is completely disabled:

jujumanage@MAAS:~$ juju run --application keystone -- 'is-leader; cat /etc/cron.d/keystone-token-flush'
- Stdout: |
    False
    # Purge expired tokens from the keystone database hourly, per OpenStack installation guide.
    # Current unit is not the leader unit. Token flush will be managed by the leader unit.
  UnitId: keystone/0
- Stdout: |
    False
    # Purge expired tokens from the keystone database hourly, per OpenStack installation guide.
    # Current unit is not the leader unit. Token flush will be managed by the leader unit.
  UnitId: keystone/1
- Stdout: |
    True
    # Purge expired tokens from the keystone database hourly, per OpenStack installation guide.
    # Current unit is not the leader unit. Token flush will be managed by the leader unit.
  UnitId: keystone/2

The above happens with charm versions 289, 290, and 291.

The cronjob does, however, work fine in a xenial-ocata cloud using the 18.05 series, so the bug has probably been introduced somewhere between 18.05 and 18.11.

Alvaro Uria (aluria)
tags: added: canonical-bootstack
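
The condition in the bug description above can be checked mechanically. This is an added example, not part of the original report or the charm's code: it parses `juju run` output in the shape shown above and flags a leader unit whose cron file has no job line, or a non-leader that has one. The job line in `JOB` and the names `CRON_JOB`, `parse_units`, `audit` and `sample` are assumptions made for the illustration.

```python
import re

# A cron.d job line: five schedule fields (or @hourly etc.), a user, a command.
CRON_JOB = re.compile(r"^(?:@\w+\s+|(?:[\w*/,-]+\s+){5})\S+\s+\S+")

def parse_units(text):
    """Map unit id -> stdout lines from `juju run` output shaped as in the report."""
    units, lines = {}, []
    for raw in text.splitlines():
        if raw.startswith("- Stdout:"):
            lines = []
        elif raw.startswith("  UnitId:"):
            units[raw.split(":", 1)[1].strip()] = lines
        elif raw.strip():
            lines.append(raw.strip())
    return units

def audit(text):
    """Return (unit, problem) pairs; an empty list means exactly one unit flushes."""
    findings, leaders = [], 0
    for unit, out in sorted(parse_units(text).items()):
        is_leader = bool(out) and out[0] == "True"
        has_job = any(CRON_JOB.match(line) for line in out[1:])
        leaders += is_leader
        if is_leader and not has_job:
            findings.append((unit, "leader has no token flush job"))
        elif has_job and not is_leader:
            findings.append((unit, "non-leader has a token flush job"))
    if leaders != 1:
        findings.append(("*", f"expected one leader, saw {leaders}"))
    return findings

# Constructed samples. HEADER is the comment pair shown in the report; JOB is a
# stand-in cron line (assumption: the charm's real entry is not on the page).
HEADER = ("    # Purge expired tokens from the keystone database hourly, per OpenStack installation guide.\n"
          "    # Current unit is not the leader unit. Token flush will be managed by the leader unit.\n")
JOB = "    0 * * * * keystone /usr/bin/keystone-manage token_flush\n"

def sample(leader_body):
    """Three units as in the report: keystone/2 is leader with the given cron body."""
    blocks = [("keystone/0", "False", HEADER), ("keystone/1", "False", HEADER),
              ("keystone/2", "True", leader_body)]
    return "".join(f"- Stdout: |\n    {flag}\n{body}  UnitId: {uid}\n"
                   for uid, flag, body in blocks)

BROKEN = sample(HEADER)                       # the state reported in the bug
HEALTHY = sample(HEADER.split("\n")[0] + "\n" + JOB)
```

`audit(BROKEN)` reports `keystone/2`, and `audit(HEALTHY)` returns an empty list; pass it the captured output of the `juju run` command from the report to check a live deployment.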
Andrea Ieri (aieri) wrote :

It happens on xenial-pike with keystone v285 as well.

Andrea Ieri (aieri) wrote :

Subscribed field-medium, as this affects a lot of clouds we manage, and we had observed in the past pretty substantial slowdowns when the flush was not enabled.

Andrea Ieri (aieri) wrote :

Since the question will probably come up: token-provider is not set in the clouds affected by this bug.
If I understand correctly, that should yield uuid tokens, causing token_flush to be set to True in the context (for the leader unit).

James Page (james-page) wrote :

The check in the context looks to see if fernet is enabled and if the unit is the elected leader (using the old style is_elected_leader function).

I think this is wrong - it should be relying on is_leader and juju for this.

Changed in charm-keystone:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → James Page (james-page)
milestone: none → 19.04
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/638431

James Page (james-page) wrote :

Confirmed - the fernet token support has a broken check.

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.openstack.org/638431
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=1a07a7e65731ee2585818f998638ad71d91662a0
Submitter: Zuul
Branch: master

commit 1a07a7e65731ee2585818f998638ad71d91662a0
Author: James Page <email address hidden>
Date: Thu Feb 21 14:58:58 2019 +0000

    Fix issue with crontab enablement

    The token flush and token rotate crontabs are re-written when the
    leader unit changes inline with Juju leadership management.

    Align contexts used to generate crontabs with Juju leadership
    status, rather than corosync/pacemaker.

    Correct use of OpenStackCompareReleases to ensure that releases
    between ocata and queens don't automatically enable fernet
    token behaviour.

    Change-Id: I6db8d006ceac7b61e69f547682c5a49d876cfec6
    Closes-Bug: 1816807

Changed in charm-keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (stable/18.11)

Fix proposed to branch: stable/18.11
Review: https://review.openstack.org/638609

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (stable/18.11)

Reviewed: https://review.openstack.org/638609
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=f8c4a81803454b7a4dc8c6b6881ffac925f3e9cb
Submitter: Zuul
Branch: stable/18.11

commit f8c4a81803454b7a4dc8c6b6881ffac925f3e9cb
Author: James Page <email address hidden>
Date: Thu Feb 21 14:58:58 2019 +0000

    Fix issue with crontab enablement

    The token flush and token rotate crontabs are re-written when the
    leader unit changes inline with Juju leadership management.

    Align contexts used to generate crontabs with Juju leadership
    status, rather than corosync/pacemaker.

    Correct use of OpenStackCompareReleases to ensure that releases
    between ocata and queens don't automatically enable fernet
    token behaviour.

    Change-Id: I6db8d006ceac7b61e69f547682c5a49d876cfec6
    Closes-Bug: 1816807
    (cherry picked from commit 1a07a7e65731ee2585818f998638ad71d91662a0)

David Ames (thedac)
Changed in charm-keystone:
status: Fix Committed → Fix Released