Deploy Fernet on the Overcloud


Red Hat OpenStack Platform 16.1

Deploy Fernet on the Red Hat OpenStack Platform overcloud

Abstract

Deploy Fernet on the Red Hat OpenStack Platform overcloud.

Preface

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Providing feedback on Red Hat documentation

We appreciate your input on our documentation. Tell us how we can make it better.

Using the Direct Documentation Feedback (DDF) function

Use the Add Feedback DDF function for direct comments on specific sentences, paragraphs, or code blocks.

  1. View the documentation in the Multi-page HTML format.
  2. Ensure that you see the Feedback button in the upper right corner of the document.
  3. Highlight the part of text that you want to comment on.
  4. Click Add Feedback.
  5. Complete the Add Feedback field with your comments.
  6. Optional: Add your email address so that the documentation team can contact you for clarification on your issue.
  7. Click Submit.

Chapter 1. Using Fernet keys for encryption in the overcloud

Fernet is the default token provider and replaces the uuid provider. You can review your Fernet deployment and rotate the Fernet keys.

1.1. Reviewing the Fernet deployment

Review your configuration to confirm that Fernet tokens are working correctly.

Procedure

  1. Retrieve the IP address of the controller node:

    [stack@director ~]$ source ~/stackrc
    [stack@director ~]$ openstack server list
    --------------------------------------------------------------------------------------------+
    | ID                                   | Name                    | Status | Networks            |
    --------------------------------------------------------------------------------------------+
    | 756fbd73-e47b-46e6-959c-e24d7fb71328 | overcloud-controller-0  | ACTIVE | ctlplane=192.0.2.16 |
    | 62b869df-1203-4d58-8e45-fac6cd4cfbee | overcloud-novacompute-0 | ACTIVE | ctlplane=192.0.2.8  |
    --------------------------------------------------------------------------------------------+
  2. SSH into the Controller node:

    [stack@director ~]$ ssh heat-admin@192.0.2.16
  3. Retrieve the values of the token driver and provider settings:

    [heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf token driver
    sql
    [heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf token provider
    fernet
  4. Test the Fernet provider:

    [heat-admin@overcloud-controller-0 ~]$ exit
    [stack@director ~]$ source ~/overcloudrc
    [stack@director ~]$ openstack token issue
    -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field | Value |
    -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires | 2016-09-20 05:26:17+00:00 |
    | id | gAAAAABX4LppE8vaiFZ992eah2i3edpO1aDFxlKZq6a_RJzxUx56QVKORrmW0-oZK3-Xuu2wcnpYq_eek2SGLz250eLpZOzxKBR0GsoMfxJU8mEFF8NzfLNcbuS-iz7SV-N1re3XEywSDG90JcgwjQfXW-8jtCm-n3LL5IaZexAYIw059T_-cd8 |
    | project_id | 26156621d0d54fc39bf3adb98e63b63d |
    | user_id | 397daf32cadd490a8f3ac23a626ac06c |
    -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

    The result includes the long Fernet token.

1.2. Fernet key rotation cycles

When you decide the length of the Fernet key rotation cycle, follow the security posture of your organization. If your organization has no guidance, a monthly rotation cycle is good security practice.

Fernet uses three types of keys, which are stored in /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys. The highest-numbered directory contains the primary key, which generates new tokens and decrypts existing tokens.

Fernet key rotation uses the following process:

  1. The primary key becomes the secondary key.
  2. The system issues a new primary key. The outgoing primary key is no longer valid.

You can use secondary keys to decrypt tokens that were associated with previous primary keys, but you cannot use them to issue new tokens.
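The staged/primary/secondary scheme and the max_active_keys pruning described above, as an added stand-alone simulation (not Red Hat or Keystone code) that runs against a constructed temporary key directory instead of a real overcloud; the default of 5 active keys and the initial "0  1  2" layout are taken from this document:

```python
import base64
import os
import tempfile

def new_key():
    # A Fernet key is 32 random bytes, url-safe base64 encoded (stdlib only).
    return base64.urlsafe_b64encode(os.urandom(32)).decode()

def key_numbers(repo):
    # Only files with purely numeric names are keys; anything else is ignored.
    return sorted(int(name) for name in os.listdir(repo) if name.isdigit())

def classify(repo):
    """Map key numbers to roles: 0 is staged, the highest is primary, the rest secondary."""
    nums = key_numbers(repo)
    primary = max(nums)
    return {
        "staged": 0 if 0 in nums else None,
        "primary": primary,
        "secondary": [n for n in nums if n not in (0, primary)],
    }

def rotate(repo, max_active_keys=5):
    """Promote staged key 0 to primary, stage a fresh 0, prune the oldest secondaries."""
    nums = key_numbers(repo)
    if 0 not in nums:
        raise RuntimeError("no staged key (0) in repository; refusing to rotate")
    new_primary = max(nums) + 1
    os.rename(os.path.join(repo, "0"), os.path.join(repo, str(new_primary)))
    with open(os.path.join(repo, "0"), "w") as fh:
        fh.write(new_key())
    # Purge the lowest-numbered secondary keys until the repository holds at most
    # max_active_keys files. The staged key (0) and the primary are never purged.
    nums = key_numbers(repo)
    purgeable = [n for n in nums if n not in (0, new_primary)]
    for n in purgeable[:max(len(nums) - max_active_keys, 0)]:
        os.remove(os.path.join(repo, str(n)))
    return classify(repo)

def seed_repo(numbers=(0, 1, 2)):
    """Constructed repository matching the '0  1  2' listing in the procedure."""
    repo = tempfile.mkdtemp(prefix="fernet-keys-")
    for n in numbers:
        with open(os.path.join(repo, str(n)), "w") as fh:
            fh.write(new_key())
    return repo
```

Calling rotate() on a seeded repository yields the "0  1  2  3" layout shown in the verification step; a fourth rotation is the first one that prunes a key, because only then would the count exceed 5.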

1.3. Rotating the Fernet keys by using the Workflow service

By default, director manages the overcloud Fernet keys. This setting is managed in an environment file using ManageKeystoneFernetKeys. As a result, the Fernet keys are stored in the Workflow service (mistral), in the KeystoneFernetKeys section. This approach means that you can rotate the Fernet keys with the Workflow service and the keys persist after stack updates.

Procedure

  1. Review the existing Fernet keys:

    1. Identify the Fernet key location. Log in to a Controller node as the heat-admin user and use the crudini command to query the Fernet keys:

      [stack@<undercloud_host> ~]$ ssh heat-admin@overcloud-controller-0
      [heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf fernet_tokens key_repository
      /etc/keystone/fernet-keys
      Note

      The /etc/keystone/ directory refers to the container file system path.

    2. Inspect the current Fernet key directories:

      [heat-admin@overcloud-controller-0 ~]$ sudo ls /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys
      0  1  2
      • 0 - Contains the staged key, which becomes the next primary key and is always numbered 0.
      • 1 - Contains the secondary key.
      • 2 - Contains the primary key. This number increments each time that the keys rotate. The highest number always serves as the primary key.

        Note
        • The maximum number of keys is set with max_active_keys property. The default is 5 keys.
        • The keys propagate across all Controller nodes.
  2. Rotate the Fernet keys by using the workflow command:

    [stack@director ~]$ source ~/stackrc
    [stack@director ~]$ openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "overcloud"}'
    --------------------------------------------------------------+
    | Field             | Value                                     |
    --------------------------------------------------------------+
    | ID                | 58c9c664-b966-4f82-b368-af5ed8de5b47      |
    | Workflow ID       | 78f0990a-3d34-4bf2-a127-10c149bb275c      |
    | Workflow name     | tripleo.fernet_keys.v1.rotate_fernet_keys |
    | Description       |                                           |
    | Task Execution ID | <none>                                    |
    | State             | RUNNING                                   |
    | State info        | None                                      |
    | Created at        | 2017-12-20 11:13:50                       |
    | Updated at        | 2017-12-20 11:13:50                       |
    --------------------------------------------------------------+

Verification

  1. Use the execution ID to confirm that the workflow completed successfully:

    [stack@director ~]$ openstack workflow execution show 58c9c664-b966-4f82-b368-af5ed8de5b47
    --------------------------------------------------------------+
    | Field             | Value                                     |
    --------------------------------------------------------------+
    | ID                | 58c9c664-b966-4f82-b368-af5ed8de5b47      |
    | Workflow ID       | 78f0990a-3d34-4bf2-a127-10c149bb275c      |
    | Workflow name     | tripleo.fernet_keys.v1.rotate_fernet_keys |
    | Description       |                                           |
    | Task Execution ID | <none>                                    |
    | State             | SUCCESS                                   |
    | State info        | None                                      |
    | Created at        | 2017-12-20 11:13:50                       |
    | Updated at        | 2017-12-20 11:15:00                       |
    --------------------------------------------------------------+
  2. On the Controller node, review the number of Fernet keys and compare it with the previous result:

    [heat-admin@overcloud-controller-0 ~]$ sudo ls /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys
    0  1  2  3
    • 0 - Contains the staged key and is always numbered 0. This key becomes the primary key during the next rotation.
    • 1 and 2 - Contain the secondary keys.
    • 3 - Contains the primary key. This number increments each time the keys rotate. The highest number always serves as the primary key.

      Note
      • The maximum number of keys is set with the max_active_keys property. The default is 5 keys.
      • The keys propagate across all Controller nodes.