From 5d47236c891dafd786552a91520dd0bc95d5d4a2 Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Wed, 20 Feb 2019 21:43:35 -0600 Subject: [PATCH] Correct fernet token sync race condition The fernet token rotation is subject to a race condition when using aggressive rotation in a high volume, high traffic, high capacity cloud. This change addresses the potential race condition by converting our fernet token sync method from rsync to scp and by sorting the fernet keys in reverse version ordering. This will ensure that the key with the highest index is always synchronized first and will ensure that the underlying file structure of a given target node always remains intact during a sync operation. Related-Bug: 1816927 Change-Id: I9087d953f7dabe04a2ad19af6121dae71544e5b2 Signed-off-by: Kevin Carter (cherry picked from commit 28a0c5abbf654ff8b625edc0c12af50a3def2429)
---
 templates/keystone-fernet-rotate.sh.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/templates/keystone-fernet-rotate.sh.j2 b/templates/keystone-fernet-rotate.sh.j2
index 121b383a..403b280d 100644
--- a/templates/keystone-fernet-rotate.sh.j2
+++ b/templates/keystone-fernet-rotate.sh.j2
@@ -31,6 +31,11 @@ function autorotate {
 {% if inventory_hostname != host %}
 # Fernet sync job to "{{ host }}"
+ scp -o UserKnownHostsFile=/dev/null \
+ -o StrictHostKeyChecking=no \
+ $(ls -dtr {{ keystone_fernet_tokens_key_repository }}/* | sort -Vr) \
+ {{ keystone_system_user_name }}@{{ hostvars[host]['ansible_host'] }}:{{ keystone_fernet_tokens_key_repository }}/
+
 rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
 -avz \
 --delete \