Change keystone token flush to run hourly

In a recent commit [1] the keystone token flush cron job was changed to run twice a day. However, this change was not enough for big deployments. After getting some customer feedback and looking at what other projects are doing [2] [3] [4]. It seems that running this job hourly is the way to go. [1] Ia0b0fb422318712f4b0f4d023cbb3a61d40bb85d [2] https://www.ibm.com/support/knowledgecenter/en/SSB27U_6.4.0/com.ibm.zvm.v640.hcpo4/exptoken.htm [3] https://review.openstack.org/#/c/88670/8 [4] https://github.com/openstack/charm-keystone/blob/master/templates/keystone-token-flush Conflicts: manifests/cron/token_flush.pp spec/acceptance/keystone_federation_identity_provider_spec.rb spec/acceptance/keystone_federation_shibboleth_spec.rb spec/acceptance/keystone_wsgi_apache_spec.rb spec/classes/keystone_cron_token_flush_spec.rb (cherry picked from commit f694b5551f) Change-Id: I6ec7ec8111bd93e5638cfe96189e36f0e0691d65 Related-Bug: #1649616 (cherry picked from commit 90ffc7f600)
2017-04-18 13:13:27 +03:00 · 2017-04-18 13:13:27 +03:00 · c1bda5f81e
parent 85f1c54b30
commit c1bda5f81e
6 changed files with 14 additions and 7 deletions
--- a/manifests/cron/token_flush.pp
+++ b/manifests/cron/token_flush.pp
@ -29,7 +29,7 @@
 #    (optional) Defaults to '1'.
 #
 #  [*hour*]
-#    (optional) Defaults to '0'.
+#    (optional) Defaults to *.
 #
 #  [*monthday*]
 #    (optional) Defaults to '*'.
@ -56,7 +56,7 @@
 class keystone::cron::token_flush (
  $ensure      = present,
  $minute      = 1,
-  $hour        = 0,
+  $hour        = '*',
  $monthday    = '*',
  $month       = '*',
  $weekday     = '*',
--- a/releasenotes/notes/hourly-token-flush-175800b7f614f26e.yaml
+++ b/releasenotes/notes/hourly-token-flush-175800b7f614f26e.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - The token flush cron job has been modified to run every hour instead of
+    once a day. This is because this was causing issues with larger
+    deployments, as the operation would take too long and sometimes even fail
+    because of the transaction being so large. Note that this only affects
+    people using the UUID token provider.
--- a/spec/acceptance/keystone_federation_identity_provider_spec.rb
+++ b/spec/acceptance/keystone_federation_identity_provider_spec.rb
@ -88,7 +88,7 @@ describe 'keystone server running with Apache/WSGI as Identity Provider' do
    end

    describe cron do
-      it { is_expected.to have_entry('1 0 * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
+      it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
    end

    shared_examples_for 'keystone user/tenant/service/role/endpoint resources using v2 API' do |auth_creds|
--- a/spec/acceptance/keystone_federation_shibboleth_spec.rb
+++ b/spec/acceptance/keystone_federation_shibboleth_spec.rb
@ -86,7 +86,7 @@ describe 'keystone server running with Apache/WSGI as Service Provider with Shib
    end

    describe cron do
-      it { is_expected.to have_entry('1 0 * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
+      it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
    end

    shared_examples_for 'keystone user/tenant/service/role/endpoint resources using v2 API' do |auth_creds|
--- a/spec/acceptance/keystone_wsgi_apache_spec.rb
+++ b/spec/acceptance/keystone_wsgi_apache_spec.rb
@ -82,7 +82,7 @@ describe 'keystone server running with Apache/WSGI with resources' do
    end

    describe cron do
-      it { is_expected.to have_entry('1 0 * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
+      it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
    end

    shared_examples_for 'keystone user/tenant/service/role/endpoint resources using v2 API' do |auth_creds|
--- a/spec/classes/keystone_cron_token_flush_spec.rb
+++ b/spec/classes/keystone_cron_token_flush_spec.rb
@ -9,7 +9,7 @@ describe 'keystone::cron::token_flush' do
  let :params do
    { :ensure      => 'present',
      :minute      => 1,
-      :hour        => 0,
+      :hour        => '*',
      :monthday    => '*',
      :month       => '*',
      :weekday     => '*',
@ -71,7 +71,7 @@ describe 'keystone::cron::token_flush' do
        :environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
        :user        => 'keystonecustom',
        :minute      => 1,
-        :hour        => 0,
+        :hour        => '*',
        :monthday    => '*',
        :month       => '*',
        :weekday     => '*',