[PVE-User] Clearing outdated entries from certificate cache

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Jan 9 08:32:59 CET 2017


On Wed, Jan 04, 2017 at 06:16:54PM +0100, Marco Gaiarin wrote:
> 
> In a cluster of 5 PVE servers I receive, from only one of them, logs
> like:
> 	Jan  4 17:02:52 thor pveproxy[58010]: Clearing outdated entries from certificate cache
> 
> Before Christmas, I got the same line from another server in the same
> cluster (the last row):
> 	Dec 23 09:56:28 hulk pveproxy[39515]: Clearing outdated entries from certificate cache
> 
> Cluster works as expected.
> 
> 
> Do I have to be afraid? Thanks.
> 

no need to be afraid. we recently introduced certificate pinning for the
inter cluster proxying of API requests. to reduce the load, we cache the
certificate fingerprints loaded from /etc/pve/nodes/NODE/.. , and clear
the cache every 30 minutes to remove potentially stale entries (we
already remove the old cached fingerprint of a node if we find a new
cert when updating, which happens for example on a mismatch, so this is
mainly for stuff like deleted nodes).

since the cache has been live for some time now (end of november in
git), and there don't seem to be any problems, maybe we can remove that
log line (or demote it to a lower log level?).

in retrospect I have to agree that it might sound a bit strange without
having the background knowledge ;)
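
The caching behaviour described in the reply above, as an added Python example that is not part of the original message and is not Proxmox code. The class and function names, the `load_cert` callback, the `KeyError` convention for deleted nodes and the use of SHA-256 are all assumptions made for illustration.

```python
import hashlib
import time

CACHE_TTL = 30 * 60  # seconds; the 30-minute clearing interval from the reply


class FingerprintCache:
    """Per-node pinned certificate fingerprints (all names here are hypothetical)."""

    def __init__(self, load_cert, clock=time.monotonic):
        # load_cert(node) -> certificate bytes from the shared store;
        # assumed to raise KeyError once the node has been deleted.
        self._load_cert = load_cert
        self._clock = clock
        self._cache = {}
        self._last_clear = clock()

    @staticmethod
    def fingerprint(cert_bytes):
        # SHA-256 is an assumption; the page does not name the digest.
        return hashlib.sha256(cert_bytes).hexdigest()

    def _clear_if_due(self):
        if self._clock() - self._last_clear >= CACHE_TTL:
            self._cache.clear()  # the "Clearing outdated entries" moment
            self._last_clear = self._clock()

    def verify(self, node, presented_cert):
        """Return True if the certificate a peer presented matches its pin."""
        self._clear_if_due()
        presented = self.fingerprint(presented_cert)
        if self._cache.get(node) == presented:
            return True  # cache hit, no read from the store
        # Miss or mismatch: reload the pin, replacing any old cached value.
        try:
            self._cache[node] = self.fingerprint(self._load_cert(node))
        except KeyError:
            self._cache.pop(node, None)  # node no longer exists
            return False
        return self._cache[node] == presented


if __name__ == "__main__":
    store = {"thor": b"constructed-cert-1"}  # constructed sample data
    cache = FingerprintCache(store.__getitem__)
    print(cache.verify("thor", b"constructed-cert-1"))  # cache miss, then match
    store["thor"] = b"constructed-cert-2"               # certificate replaced
    print(cache.verify("thor", b"constructed-cert-2"))  # mismatch forces a reload
```

In this model a deleted node's cached fingerprint keeps matching until the next periodic clear, which is the stale-entry case the reply says the 30-minute clearing is mainly for.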



