Bug 1127236 - Staypuft does not create the cron job to flush the keystone tokens
Summary: Staypuft does not create the cron job to flush the keystone tokens
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-foreman-installer
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z2
: Installer
Assignee: Jason Guiditta
QA Contact: Udi
: 1148098 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2014-08-06 12:47 UTC by Udi
Modified: 2014-11-04 17:01 UTC (History)
8 users (show)

Fixed In Version: openstack-foreman-installer-2.0.28-1.el6ost
Doc Type: Bug Fix
Doc Text:
Prior to this update, the Identity Service (keystone) did not automatically flush tokens. Instead, the expectation was that token flushing would be manually performed using the 'keystone-manage' command. If this action was not taken, the Identity Service would build up a large number of tokens, which used up space and potentially slowed performance. With this update, a cron job is setup to flush tokens, and consequently, they do not accumulate and potentially affect Identity Service performance.
Clone Of:
Last Closed: 2014-11-04 17:01:41 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1800 0 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Installer Bug Fix Advisory 2014-11-04 22:00:19 UTC

Description Udi 2014-08-06 12:47:26 UTC
Description of problem:
The cron job to flush the expired keystone tokens is not configure when installing with staypuft.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install accordint to the instructions here: http://etherpad.corp.redhat.com/Create-staypuft-test-setup
2. On the controller machine, run the command: "crontab -u keystone -l"

Actual results:
cron table is empty

Expected results:
You should see a job that runs every minute:
*/1 * * * * /usr/bin/keystone-manage token_flush >/dev/null 2>&1

Comment 3 Jason Guiditta 2014-08-08 14:45:54 UTC
We could add such a thing like packstack does, but it sounds like a bandaid to me.  Why is this needed?  Are we (and packstack) misconfiguring keystone, or does keystone have a bug?  If we solve this in one of those 2 places, which is where it belongs in my opinion, then this cron task is not needed.  Flushing tokens every minutes sounds like madness to me. Adam, any thoughts on why this is needed and a better way to handle it?

Comment 4 Jason Guiditta 2014-09-30 18:57:05 UTC
*** Bug 1148098 has been marked as a duplicate of this bug. ***

Comment 5 Nathan Kinder 2014-09-30 19:14:43 UTC
The keystone process itself does not flush tokens (ever).  Token flushing is performed by keystone-manage, which has to be explicitly run.  It was handled this way since Keystone didn't have workers, and handling requests would be blocked when performing a large flush of expired tokens.  This is why we set up a cron job.

Every minute seems frequent, but it keeps the amount of tokens that need to be flushed for any given flush event quite low.  There might be a better way to do this in the future, but this is how Keystone works right now.

Comment 6 Jason Guiditta 2014-10-01 18:06:25 UTC
Patch posted:

Comment 9 Udi 2014-10-23 10:59:29 UTC

Comment 11 errata-xmlrpc 2014-11-04 17:01:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.