Make AES key never hit disk on the master #19323
In the past we've been doing coordination of the aes key using dropfiles etc. Not only is this significantly more costly (at least 1 stat per reqserver request), it also means that the symmetric key we use to pub/req messages has been on disk. This re-works the aes key to be a multiprocessing.Array() (char array) which is shared amongst the processes. Now the dropfile is just a request for the master to rotate the key, and this means that *all* key rotation on the master will generate the appropriate event (instead of just ones who passed in sock_dir to dropfile()).
Go Go Jenkins!
Looks like this may break the pillar
Go Go Jenkins!
We should probably not put "aes" in the global opts dict, but rather as a class attribute of auth/crypticle or something
@thatch45 And that it did ;) It appears that the aes key is passed in the opts all over creation-- and multiprocessing.Array is not deepcopy-able (which the git external pillar does). This should fix the issue for now, but as part of my cleanup I plan on moving the AES key out of the opts dict altogether.
Go Go Jenkins!
I agree, this is great stuff, thanks!
That test failure seems unrelated ;)
Make AES key never hit disk on the master
W00t! tests ran!
Very exciting. From my local testing, this compared to just the stat (not the reading of the aes key off disk) will be at least an order of magnitude faster! Very exciting
This is seriously awesome.
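The approach discussed in this thread, as an added example that is not code from the PR or from Salt: a key held in a `multiprocessing.Array` char array is rotated in place and seen by a worker process without touching disk, and an opts-style dict holding that array fails `copy.deepcopy`. `KEY_LEN`, `worker`, `demo`, `fingerprint` and the `"fork"` start method are assumptions made for this sketch.

```python
import copy
import ctypes
import hashlib
import multiprocessing
import os

KEY_LEN = 32  # assumed key size for this sketch, not Salt's real key format
ctx = multiprocessing.get_context("fork")  # POSIX: workers inherit the shared memory

def new_shared_key():
    """Allocate the key as a shared char array; it is never written to a file."""
    key = ctx.Array(ctypes.c_char, KEY_LEN)
    key.raw = os.urandom(KEY_LEN)  # .raw, not .value: .value stops at a NUL byte
    return key

def rotate(key):
    """Overwrite the key in place so every process sees the new one at once."""
    with key.get_lock():
        key.raw = os.urandom(KEY_LEN)

def fingerprint(key):
    """Digest of the current key, so the demo never prints key material."""
    with key.get_lock():
        return hashlib.sha256(key.raw).hexdigest()

def worker(key, conn):
    """Hypothetical request worker: reads the current key on each request."""
    for _ in iter(conn.recv, None):  # None is the shutdown sentinel
        conn.send(fingerprint(key))

def demo():
    key = new_shared_key()
    parent, child = ctx.Pipe()
    proc = ctx.Process(target=worker, args=(key, child))
    proc.start()
    parent.send("req"); before = parent.recv()
    rotate(key)  # no dropfile to stat(): the worker just reads shared memory
    parent.send("req"); after = parent.recv()
    parent.send(None); proc.join()
    return before, after, fingerprint(key)

def opts_deepcopy_fails(key):
    """An opts dict holding the shared array cannot be deep-copied."""
    try:
        copy.deepcopy({"aes": key})
    except RuntimeError:  # shared ctypes objects refuse to be reduced/copied
        return True
    return False

if __name__ == "__main__":
    before, after, current = demo()
    print("worker saw rotation:", before != after and after == current)
    print("deepcopy of opts fails:", opts_deepcopy_fails(new_shared_key()))
```

The key still lives in process memory, so core dumps and swap remain places where it can land outside this mechanism.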