Keystone is restarting due to stale primary key
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |
kolla-ansible | Fix Released | High | Mark Goddard | |
Train | Fix Released | High | Radosław Piliszek | |
Ussuri | Fix Released | High | Radosław Piliszek | |
Victoria | Fix Released | High | Mark Goddard | |
Bug Description
After restart of keystone's container, it keeps restarting. I found only this error in docker logs keystone:
Running command: '/usr/bin/
+ exec /usr/bin/
+ set -o errexit
+ set -o pipefail
+ TOKEN_DIR=
+ n=0
+ '[' '!' -f /etc/keystone/
++ ls -1 /etc/keystone/
++ sort -hr
++ head -n 1
+ TOKEN_PRIMARY=5
++ date +%s
++ date +%s -r /etc/keystone/
+ TOKEN_AGE=589164
+ '[' 589164 -gt 86400 ']'
+ echo 'ERROR: Primary token 5 is stale.'
+ exit 1
The workaround is to change the expiration from 86400 to 864000 in /etc/kolla/
# Compare if it's older than fernet_token_expiry and run key rotation if needed
if [ "${TOKEN_AGE}" -gt "864000" ]; then
    echo "ERROR: Primary token ${TOKEN_PRIMARY} is stale."
    exit 1
fi
Regarding the comment in the code, it should also run rotation of the primary key. But this part is missing; it only throws an exception as mentioned. Or I would like to ask why the primary key wasn't rotated automatically when it was needed.
I am using a 2-week-old deployment of Ussuri, deployed by kolla-ansible on CentOS8.
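The staleness check from the trace above, written as an added example (not kolla-ansible's code and not its released fix) that reports the state of the primary Fernet key through a return code instead of `exit 1`, so a caller can decide to rotate rather than crash-loop the container. The function names and the key directory layout (numeric file names, highest number is the primary key) are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify the primary Fernet key as fresh, stale or missing.
# Assumption: keys are files with purely numeric names; highest = primary.

# Modification time in epoch seconds (GNU stat, with a BSD stat fallback).
key_mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Print the primary key name. Unlike `ls | sort -hr | head -n 1`, this
# ignores stray non-numeric files in the directory.
primary_key() {
    local dir=$1 f name best=""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in ''|*[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$name" -gt "$best" ]; then best=$name; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# check_primary DIR MAX_AGE_SECONDS
# Prints "fresh <key> <age>", "stale <key> <age>" or "missing".
# Returns 0 (fresh), 1 (stale: caller should rotate), 2 (no key found).
check_primary() {
    local dir=$1 max_age=$2 key age
    key=$(primary_key "$dir") || { echo "missing"; return 2; }
    age=$(( $(date +%s) - $(key_mtime "$dir/$key") ))
    if [ "$age" -gt "$max_age" ]; then
        echo "stale $key $age"
        return 1
    fi
    echo "fresh $key $age"
    return 0
}

# Stand-alone use: ./check.sh <key-dir> <max-age-seconds>
if [ "$#" -eq 2 ]; then
    check_primary "$1" "$2"
fi
```

A return code of 1 is the point where a wrapper would trigger rotation (for example with `keystone-manage fernet_rotate`) and log the event, rather than terminating the service start-up.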
Changed in kolla-ansible:
status: New → In Progress
I believe it was fixed already but let Michał see.