Run token flush cron job hourly by default

Running this job once a day has proven problematic for large deployments as seen in the bug report. Setting it to run hourly would be an improvement to the current situation, as the flushes wouldn't need to process as much data. Note that this only affects people using UUID as the token provider. Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a Related-Bug: #1649616 (cherry picked from commit 65e643aca2)
2017-07-12 13:25:30 +00:00 · 2017-07-12 13:25:30 +00:00 · 6299a169b4
parent 3633d16daa
commit 6299a169b4
2 changed files with 61 additions and 0 deletions
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@ -98,6 +98,51 @@ parameters:
    default:
      tag: openstack.keystone
      path: /var/log/keystone/keystone.log
+  KeystoneCronTokenFlushEnsure:
+    type: string
+    description: >
+        Cron to purge expired tokens - Ensure
+    default: "present"
+  KeystoneCronTokenFlushMinute:
+    type: comma_delimited_list
+    description: >
+        Cron to purge expired tokens - Minute
+    default: '1'
+  KeystoneCronTokenFlushHour:
+    type: comma_delimited_list
+    description: >
+        Cron to purge expired tokens - Hour
+    default: '*'
+  KeystoneCronTokenFlushMonthday:
+    type: comma_delimited_list
+    description: >
+        Cron to purge expired tokens - Month Day
+    default: '*'
+  KeystoneCronTokenFlushMonth:
+    type: comma_delimited_list
+    description: >
+        Cron to purge expired tokens - Month
+    default: '*'
+  KeystoneCronTokenFlushWeekday:
+    type: comma_delimited_list
+    description: >
+        Cron to purge expired tokens - Week Day
+    default: '*'
+  KeystoneCronTokenFlushMaxDelay:
+    type: string
+    description: >
+        Cron to purge expired tokens - Max Delay
+    default: '0'
+  KeystoneCronTokenFlushDestination:
+    type: string
+    description: >
+        Cron to purge expired tokens - Log destination
+    default: '/var/log/keystone/keystone-tokenflush.log'
+  KeystoneCronTokenFlushUser:
+    type: string
+    description: >
+        Cron to purge expired tokens - User
+    default: "keystone"

 resources:

@ -202,6 +247,15 @@ outputs:
            keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+            keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
+            keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
+            keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
+            keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
+            keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
+            keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
+            keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
+            keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
+            keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
      step_config: |
        include ::tripleo::profile::base::keystone
      service_config_settings:
--- a/releasenotes/notes/token-flush-twice-a-day-d4b00a2953a6b383.yaml
+++ b/releasenotes/notes/token-flush-twice-a-day-d4b00a2953a6b383.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - The token flush cron job has been modified to run hourly instead of once
+    a day. This is because this was causing issues with larger deployments, as
+    the operation would take too long and sometimes even fail because of the
+    transaction being so large. Note that this only affects people using the
+    UUID token provider.