Bug 1473713
Summary: | Token flush does not complete when expired tokens becomes large enough | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Harry Rybacki <hrybacki> |
Component: | openstack-keystone | Assignee: | John Dennis <jdennis> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Prasanth Anbalagan <panbalag> |
Severity: | high | Docs Contact: | |
Priority: | urgent | ||
Version: | 10.0 (Newton) | CC: | akrzos, cshastri, dhill, dshevrin, jdennis, jjoyce, josorior, jraju, jschluet, kbasil, lmiccini, mlopes, nchandek, nkinder, panbalag, rcritten, rlondhe, rmascena, slinaber, srevivo, tvignaud, vcojot |
Target Milestone: | z2 | Keywords: | Reopened, Triaged, ZStream |
Target Release: | 11.0 (Ocata) | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Fixed In Version: | openstack-keystone-11.0.3-1.el7ost | Doc Type: | If docs needed, set a value |
Clone Of: | 1404324 | Environment: | |
Last Closed: | 2018-04-17 12:07:11 UTC | Type: | Bug |
Bug Depends On: | 1404324, 1476762 | ||
Bug Blocks: | 1451122, 1467120, 1469457, 1470221, 1470226, 1470227, 1470230 |
Comment 4
Prasanth Anbalagan
2017-08-30 17:54:35 UTC
Verified as follows - token database gets flushed as expected. Note that the parameter "allow_expired_window" needs to be configured in /etc/keystone/keystone.conf (starting from OSP11 onwards) in order for the hourly cron job to flush tokens.

```
*********** LOGS ***********
[heat-admin@controller-0 ~]$ sudo crontab -u keystone -l
# HEADER: This file was autogenerated at 2017-08-31 13:54:59 +0000 by puppet.
# HEADER: While it can still be managed manually, it is definitely not recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
# Puppet Name: keystone-manage token_flush
PATH=/bin:/usr/bin:/usr/sbin
SHELL=/bin/sh
1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1
# Puppet Name: cinder-manage db purge
PATH=/bin:/usr/bin:/usr/sbin
SHELL=/bin/sh
1 0 * * * cinder-manage db purge 0 >>/var/log/cinder/cinder-rowsflush.log 2>&1

***********************************
Thu Aug 31 15:50:56 UTC 2017
***********************************
[heat-admin@controller-0 ~]$ date
Thu Aug 31 15:50:56 UTC 2017
[heat-admin@controller-0 ~]$ sudo mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8806
Server version: 5.5.42-MariaDB-wsrep MariaDB Server, wsrep_25.11.r4026

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use keystone; select count(*) from token;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
+----------+
| count(*) |
+----------+
|    10408 |
+----------+
1 row in set (0.01 sec)

[heat-admin@controller-0 ~]$ date
Thu Aug 31 19:04:59 UTC 2017
[heat-admin@controller-0 ~]$
MariaDB [keystone]> use keystone; select count(*) from token;
Database changed
+----------+
| count(*) |
+----------+
|       10 |
+----------+
1 row in set (0.00 sec)
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2719

Hi Rohit,

So, we made the backport (and not a workaround) for that issue in OSP10 and we verified that the patch had, in fact, made it into the respective build. So, can you give us more details on how this issue is still happening? Do you know if they properly followed the steps described by the QE here: https://bugzilla.redhat.com/show_bug.cgi?id=1473713#c7

Hi Rohit,

Did you have time to take a look at my previous response about that?

Hi Rohit,

Sorry to be asking you about that again, but do you have any updates from the Cu about this BZ?

Hi Rohit,

So, based on our previous comments and also on the lack of response from the Customer, I'm closing this bug as CURRENTRELEASE since, from our point of view, it was already fixed in this release. If the Customer believes that the issue still exists, feel free to reopen it.
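The QA verification comment above names two preconditions for the hourly flush: "allow_expired_window" set in keystone.conf and an active token_flush cron entry. The script below checks both; it is an added example, not part of the bug report or of any Red Hat tooling. It assumes the option lives in the `[token]` section, as in upstream Keystone; the function names are hypothetical, and the sample files and the value 172800 are constructed for illustration.

```shell
#!/bin/sh
# ini_get FILE SECTION KEY: print KEY's value from [SECTION]; status 1 if unset.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }   # commented-out defaults do not count as set
        /^[ \t]*\[.*\][ \t]*$/ { gsub(/[ \t]/, ""); cur = $0; next }
        cur == want && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val; exit !found }' "$1"
}

# flush_schedule: read crontab text on stdin and print the five schedule fields
# of the first active keystone-manage token_flush entry; status 1 if none.
flush_schedule() {
    awk '/^[ \t]*#/ { next }
         /keystone-manage[ \t]+token_flush/ { print $1, $2, $3, $4, $5; found = 1; exit }
         END { exit !found }'
}

# check_token_flush CONF CRONTAB_DUMP: status 0 only if both preconditions hold.
check_token_flush() {
    rc=0
    if window=$(ini_get "$1" token allow_expired_window); then
        echo "OK   [token] allow_expired_window = $window"
    else
        echo "FAIL [token] allow_expired_window is not set in $1"; rc=1
    fi
    if sched=$(flush_schedule < "$2"); then
        echo "OK   token_flush cron schedule: $sched"
    else
        echo "FAIL no active keystone-manage token_flush cron entry"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (the cron line is the one shown in the log above).
SAMPLE=$(mktemp -d)
printf '%s\n' '[DEFAULT]' 'debug = false' '[token]' 'expiration = 3600' \
    'allow_expired_window = 172800' > "$SAMPLE/good.conf"
printf '%s\n' '[token]' '#allow_expired_window = 172800' > "$SAMPLE/unset.conf"
printf '%s\n' '# Puppet Name: keystone-manage token_flush' 'PATH=/bin:/usr/bin:/usr/sbin' \
    '1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1' \
    > "$SAMPLE/cron.txt"

check_token_flush "$SAMPLE/good.conf" "$SAMPLE/cron.txt"
check_token_flush "$SAMPLE/unset.conf" "$SAMPLE/cron.txt" || true
```

On a controller, the inputs would be /etc/keystone/keystone.conf and a saved copy of `sudo crontab -u keystone -l`.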