On 10/07/18 14:37, Konstantin Shalygin wrote:
>> If I
>> want to rotate the keys for that I can simply do that ceph cluster side,
>> but then I also need to do that on the client side (in my case virtual
>> machine hypervisors). During this window (which might be tiny with
>> decent tooling, but still non-zero) my clients can't do new connections
>> to the ceph cluster, which I assume will cause issues.
>
> It depends on the orchestrator. For example, oVirt maintains cephx keys
> by ovirt-engine. So, if key is changed we need to update key in oVirt,
> after this - every new client will use new key = zero downtime. Simple
> k,v storage.

I think you are missing the part where if you update a key in ceph, in
the space between that and when you update it in ovirt-engine any new
connections to ceph by any ovirt nodes will fail (as the key they have
ovirt side no longer matches what you have in ovirt-engine and all the
ovirt nodes). That's the problem (unless I am misunderstanding what you
are saying).

>
> Don't know how it looks in pure OpenStack, but oVirt hosts do not need
> ceph.conf, keys always pushed by ovirt-engine.
>
>
>
> k

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com