Cleanup keystone tokens
Every once in a while you really want to clean up the token table of the Keystone database. A couple of weeks ago, while backing up my cloud controller, I noticed that the backup of the Keystone database took longer than the other databases. After that, I checked the size of the (compressed) dump: 60MB. Hmmm, but there is almost nothing in the Keystone database: users, tenants... wait... could it be TOKENS?!
The token validity is managed via the following options in keystone.conf:
[token]
driver = keystone.token.backends.sql.Token
# Amount of time a token should remain valid (in seconds)
expiration = 86400
One option could be to use a different backend to store the tokens:
- The keystone.token.backends.memcache, Memcached storage backend
- The keystone.token.backends.kvs, Key Value storage backend
I would prefer another backend to store the tokens in order to make the database dump shorter and smaller. I'm not quite sure if memcache is a good candidate though. It could make things harder for several reasons:
- Does the token remain forever in memcache?
- Cache consistency if a server crashes
- It makes the setup more complex: try to achieve a replicated memcache
See this launchpad discussion for more details.
Every nova/glance/cinder command asks Keystone for a new token when it runs, and with the SQL backend each of those tokens becomes a row in the token table that nothing removes once it has expired.
I personally ended up with the following (COUNT(*) avoids pulling every row through the client just to count them):
$ sudo mysql -uroot -p -e 'SELECT COUNT(*) FROM token;' keystone
The setup has been running for 2 months now and there are already 1970938 tokens, and I don't run a public cloud. I can't imagine the nightmare with a public cloud...
Little bash script:
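Here is an example of such a cleanup script, added to this write-up and not the script from the original post. It assumes the `token` table of the keystone.token.backends.sql driver, whose `expires` column holds a UTC DATETIME, and that mysql can log in with whatever you put in MYSQL_OPTS (or a ~/.my.cnf). It deletes in batches with a LIMIT clause so every transaction stays short instead of locking the whole table for minutes; the 2-day retention is the default, overridable through RETENTION_DAYS.

```shell
#!/bin/sh
# keystone-token-cleanup: batched removal of expired Keystone tokens.
# Added example for this post, not the original script. Assumptions:
#  - the SQL token backend's `token` table has an `expires` DATETIME
#    column written in UTC (so we compare against UTC_TIMESTAMP());
#  - mysql authenticates with MYSQL_OPTS (e.g. "-uroot -pSECRET") or a
#    ~/.my.cnf [client] section, in which case MYSQL_OPTS can stay empty.
set -u

RETENTION_DAYS="${RETENTION_DAYS:-2}"   # keep tokens that expired less than 2 days ago
BATCH_SIZE="${BATCH_SIZE:-10000}"       # rows per DELETE; small batches keep locks short
MYSQL_CMD="${MYSQL_CMD:-mysql}"         # client used to talk to the database
MYSQL_OPTS="${MYSQL_OPTS:-}"            # credentials/host options, word-split on purpose
DB_NAME="${DB_NAME:-keystone}"

# SQL for one batch: drop at most $2 tokens that expired more than $1 days ago.
cleanup_sql() {
    printf 'DELETE FROM token WHERE expires < DATE_SUB(UTC_TIMESTAMP(), INTERVAL %d DAY) LIMIT %d;' "$1" "$2"
}

# SQL counting the tokens that are past the retention window.
count_sql() {
    printf 'SELECT COUNT(*) FROM token WHERE expires < DATE_SUB(UTC_TIMESTAMP(), INTERVAL %d DAY);' "$1"
}

# Run one batch and print how many rows it removed. ROW_COUNT() reports the
# rows affected by the previous statement of the same session; -N -s drop the
# column header and table borders so only the number is printed.
delete_batch() {
    "$MYSQL_CMD" $MYSQL_OPTS -N -s \
        -e "$(cleanup_sql "$RETENTION_DAYS" "$BATCH_SIZE") SELECT ROW_COUNT();" "$DB_NAME"
}

# Repeat batches until one removes nothing. Progress goes to stderr, the total
# to stdout, so a cron job can mail or log it. Any output that is not a number
# (a mysql error, for instance) aborts instead of being read as "done".
run_cleanup() {
    total=0
    while :; do
        deleted=$(delete_batch) || return 1
        case "$deleted" in
            ''|*[!0-9]*) echo "unexpected output from $MYSQL_CMD: '$deleted'" >&2; return 1 ;;
        esac
        [ "$deleted" -gt 0 ] || break
        total=$((total + deleted))
        echo "deleted $deleted expired tokens (total $total)" >&2
    done
    echo "$total"
}

case "${1:-}" in
    count) "$MYSQL_CMD" $MYSQL_OPTS -N -s -e "$(count_sql "$RETENTION_DAYS")" "$DB_NAME" ;;
    run)   run_cleanup ;;
    *)     echo "usage: $0 count|run   (RETENTION_DAYS, BATCH_SIZE, MYSQL_OPTS override the defaults)" >&2 ;;
esac
```

`keystone-token-cleanup count` shows how many rows are eligible, `keystone-token-cleanup run` drains them batch by batch and prints the total removed. Newer Keystone releases ship `keystone-manage token_flush`, which does the same job against the SQL backend.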
If during the process you end up with this error:
ERROR 1205 (HY000) at line 1: Lock wait timeout exceeded; try restarting transaction
your DELETE waited longer than innodb_lock_wait_timeout (50 seconds by default) for locks held by another transaction; on a live controller Keystone is writing to that table constantly. Simply increase innodb_lock_wait_timeout (SET GLOBAL only applies to sessions opened afterwards, which is fine for a command run through mysql -e):
mysql> show variables like 'innodb_lock_wait_timeout';
mysql> SET GLOBAL innodb_lock_wait_timeout = 120;
Then re-run your command. Keep in mind that a longer timeout only lets one huge DELETE wait, and then hold its own locks, for longer; deleting in batches with a LIMIT clause keeps every transaction short and stops the cleanup from blocking Keystone's writes in the first place.
Note: I voluntarily left a retention of 2 days in the command since I work with days and not with hours. It's not always day by day, thus some tokens could overlap and still be valid. So 2 days are fine.
II. Bonus
II.1. Retrieve a token with curl
If you want to retrieve a token via curl:
$ curl -s -H "Content-Type: application/json" \
    -d '{"auth": {"passwordCredentials": {"username": "admin", "password": "admin"}, "tenantName": "admin"}}' \
    http://127.0.0.1:5000/v2.0/tokens \
  | python -c 'import json, sys; print(json.load(sys.stdin)["access"]["token"]["id"])'
The token id is parsed out of the JSON answer rather than grepped for, because the response also contains other "id" fields (the tenant's, the user's, the service catalog's). Keep in mind that a password given on the command line ends up in your shell history and is visible to other users through ps; put the JSON body in a file readable only by you and pass it with -d @auth.json instead.
II.2. Cron task for the cleanup script
Script to execute periodically:
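A cron entry plus a small wrapper, as an added example for this section (not the original post's script). The wrapper runs whatever cleanup command CLEANUP_CMD points to (by default /usr/local/sbin/keystone-token-cleanup run, an assumed install path, not one from the post), refuses to start while a previous run is still going, since a run that drains millions of rows can outlast the cron interval, and appends the outcome to a log file.

```shell
#!/bin/sh
# Cron wrapper for the token cleanup. Added example, not from the original
# post. Assumed paths: the cleanup script at /usr/local/sbin/keystone-token-cleanup,
# a lock directory under /var/lock and a log file under /var/log.
set -u

CLEANUP_CMD="${CLEANUP_CMD:-/usr/local/sbin/keystone-token-cleanup run}"
LOCK_DIR="${LOCK_DIR:-/var/lock/keystone-token-cleanup}"
LOG_FILE="${LOG_FILE:-/var/log/keystone-token-cleanup.log}"

stamp() { date -u '+%Y-%m-%dT%H:%M:%SZ'; }

# mkdir is atomic, so it works as a lock without flock(1): a second wrapper
# started while the first is still deleting sees the directory and backs off
# instead of stacking up DELETE statements on the same table.
acquire_lock() { mkdir "$LOCK_DIR" 2>/dev/null; }
release_lock() { rmdir "$LOCK_DIR" 2>/dev/null; }

# Run the cleanup once, logging start, end and the number of rows removed.
# Returns 2 when another run holds the lock, otherwise the cleanup's status.
# The trap releases the lock even if cron kills us mid-run.
cleanup_once() {
    if ! acquire_lock; then
        echo "$(stamp) skipped: previous run still active" >> "$LOG_FILE"
        return 2
    fi
    trap 'release_lock' EXIT INT TERM
    echo "$(stamp) start" >> "$LOG_FILE"
    total=$($CLEANUP_CMD 2>>"$LOG_FILE")
    status=$?
    echo "$(stamp) end status=$status deleted=${total:-?}" >> "$LOG_FILE"
    release_lock
    trap - EXIT INT TERM
    return "$status"
}

# Crontab line (e.g. in /etc/cron.d/keystone-token-cleanup), every night at 03:00:
# 0 3 * * * root /usr/local/sbin/keystone-token-cleanup-cron cron
case "${1:-}" in
    cron) cleanup_once ;;
    *)    echo "usage: $0 cron   (CLEANUP_CMD, LOCK_DIR, LOG_FILE override the defaults)" >&2 ;;
esac
```

Cron mails anything printed on stderr, so the wrapper sends progress there only through the cleanup command's own stderr, which lands in the log; a non-zero exit status is the signal to look at that log.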
II.3. Use memcached to store Keystone tokens
Install memcached:
$ sudo apt-get install memcached -y
Put the following option in your keystone.conf:
[token]
driver = keystone.token.backends.memcache.Token
Then restart the Keystone service:
$ sudo service keystone restart
Check that memcached is listening and that Keystone has opened a connection to it:
$ sudo lsof -i :11211
Retrieve the cache object count (type stats items at the telnet prompt, quit to leave):
$ telnet 127.0.0.1 11211
stats items
You should see the STAT items:10:number line growing and growing (the slab id, 10 here, depends on the size of the stored tokens, so yours may differ).
Simply run the script aaaaaannnd it’s gone!