Vault does not start anymore #3573
Comments
The error there is happening because the keyring coming into Vault is nil. This suggests an issue either in Consul or with that key in Consul. You may want to try looking at the path
vault/core/keyring is not readable from the Consul UI. How can I check that this value is OK? Another way of solving that issue would be to reinitialize the Vault service, as the critical data can actually be reimported.
Hi there. Due to the old version I misread something when I first looked at it. The issue isn't with the keyring; it's with one of the leases under The ideal thing to do would be to figure out which lease and remove it. A more brute-force approach would be to simply delete the underlying leases, but this will mean that revocations will not take place when they should for dynamic secrets (including tokens).
I upgraded my cluster to Consul-1.0.0 and Vault-0.9.0, and reimported a Consul snapshot. Everything went OK. Then I followed your suggestion, and removed the expiring keys:
But when I restart + unlock the Vault again, I get the same error:
2017/11/15 16:55:56.447906 [WARN ] physical/consul: appending trailing forward slash to path
goroutine 164 [running]:
But, fortunately, with the new Consul version, I managed to remove the path vault/sys/expire/ from the GUI; after that everything seems to be working again. Thank you for your help.
I believe the kv CLI command isn't recursive unless you specify a flag. Glad it's fixed!
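The thread's preferred fix, finding the one bad lease instead of deleting everything under vault/sys/expire/, can be approached by scanning a recursive Consul KV read for entries that cannot be valid barrier ciphertext. This is an added example, not code from the thread or from Vault; the entry layout, the version bytes and the sample keys are assumptions, and the sample data is constructed.

```python
import base64
import json

# Assumption (not stated on the page): a barrier entry is laid out as
# 4-byte key term | 1-byte version | 12-byte GCM nonce | ciphertext | 16-byte tag.
MIN_ENTRY_LEN = 4 + 1 + 12 + 16
KNOWN_VERSIONS = {1, 2}  # assumed AES-GCM barrier version bytes


def find_suspect_leases(kv_json, prefix="vault/sys/expire/"):
    """Return (key, reason) pairs for entries that cannot be valid ciphertext."""
    suspects = []
    for item in json.loads(kv_json):
        key = item["Key"]
        if not key.startswith(prefix) or key.endswith("/"):
            continue  # outside the lease tree, or a folder placeholder
        try:
            blob = base64.b64decode(item.get("Value") or "", validate=True)
        except ValueError:
            suspects.append((key, "value is not valid base64"))
            continue
        if not blob:
            suspects.append((key, "empty value"))
        elif len(blob) < MIN_ENTRY_LEN:
            suspects.append((key, f"truncated: {len(blob)} bytes"))
        elif blob[4] not in KNOWN_VERSIONS:
            suspects.append((key, f"unknown version byte 0x{blob[4]:02x}"))
    return suspects


def sample_export():
    """Constructed sample shaped like GET /v1/kv/vault/sys/expire/?recurse."""
    def entry(key, blob):
        value = base64.b64encode(blob).decode() if blob else None
        return {"Key": key, "Flags": 0, "Value": value}

    good = b"\x00\x00\x00\x01\x02" + b"\xaa" * 40
    return json.dumps([
        entry("vault/sys/expire/id/secret/app/aaa", good),
        entry("vault/sys/expire/id/secret/app/bbb", b""),
        entry("vault/sys/expire/id/secret/app/ccc", good[:10]),
        entry("vault/sys/expire/id/secret/app/ddd", b"\x00\x00\x00\x01\x09" + good[5:]),
        entry("vault/core/keyring", good),
    ])


if __name__ == "__main__":
    for key, reason in find_suspect_leases(sample_export()):
        print(f"{key}: {reason}")
```

Real input would be the JSON body returned by Consul's KV endpoint with `?recurse` on the lease prefix. An entry that passes these checks can still fail to decrypt, so the scan narrows the candidates and does not prove the remaining leases are intact.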
Environment:
0.7.0
Amazon AMI
Linux consul-i-0cca6d2136e1a2b8e 4.4.11-23.53.amzn1.x86_64 #1 SMP Wed Jun 1 22:22:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Vault Config File:
disable_mlock=true
backend "consul" {
address = "127.0.0.1:8500"
path = "vault"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
Startup Log Output:
vault server -config=/etc/vault/vault-config.hcl [84/15883]
==> Vault server configuration:
==> Vault server started! Log data will stream in below:
2017/11/13 16:50:59.483992 [WARN ] physical/consul: appending trailing forward slash to path
2017/11/13 16:51:54.222936 [INFO ] core: vault is unsealed
2017/11/13 16:51:54.222953 [WARN ] physical/consul: Concurrent sealed state change notify dropped
2017/11/13 16:51:54.223000 [INFO ] core: entering standby mode
2017/11/13 16:51:54.235068 [INFO ] core: acquired lock, enabling active operation
2017/11/13 16:51:54.315911 [WARN ] physical/consul: Concurrent state change notify dropped
2017/11/13 16:51:54.315929 [INFO ] core: post-unseal setup starting
2017/11/13 16:51:54.317168 [INFO ] core: loaded wrapping token key
2017/11/13 16:51:54.319493 [INFO ] core: successfully mounted backend: type=generic path=secret/
2017/11/13 16:51:54.319589 [INFO ] core: successfully mounted backend: type=system path=sys/
2017/11/13 16:51:54.319607 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2017/11/13 16:51:54.319666 [INFO ] rollback: starting rollback manager
2017/11/13 16:51:54.325838 [INFO ] expiration: restoring leases
panic: runtime error: slice bounds out of range
goroutine 59 [running]:
github.com/hashicorp/vault/vault.(*AESGCMBarrier).decryptKeyring(0x1a091770, 0x19ed65c0, 0x20, 0x0, 0x0, 0x0, 0xe, 0x13afe3c6, 0x9aeae00, 0x0, ...)
/gopath/src/github.com/hashicorp/vault/vault/barrier_aes_gcm.go:816 +0x497
github.com/hashicorp/vault/vault.(*AESGCMBarrier).Get(0x1a091770, 0x19ed65c0, 0x20, 0x0, 0x0, 0x0)
/gopath/src/github.com/hashicorp/vault/vault/barrier_aes_gcm.go:669 +0x197
github.com/hashicorp/vault/vault.(*BarrierView).Get(0x1a167640, 0x19ed6260, 0x12, 0x1a16cfb0, 0x807b41a, 0x1a16cf88)
/gopath/src/github.com/hashicorp/vault/vault/barrier_view.go:53 +0x94
github.com/hashicorp/vault/vault.(*ExpirationManager).loadEntry(0x1a13a990, 0x19ed6260, 0x12, 0x1a16cf00, 0x1, 0x0)
/gopath/src/github.com/hashicorp/vault/vault/expiration.go:725 +0x38
github.com/hashicorp/vault/vault.(*ExpirationManager).Restore.func1(0x1a17def0, 0x1a07c5c0, 0x1a13a990, 0x1a07c680, 0x1a07c6c0, 0x1a07c600)
/gopath/src/github.com/hashicorp/vault/vault/expiration.go:155 +0xdd
created by github.com/hashicorp/vault/vault.(*ExpirationManager).Restore
/gopath/src/github.com/hashicorp/vault/vault/expiration.go:169 +0x305
Expected Behavior:
starting vault
unlocking vault
vault is running
Actual Behavior:
starting vault
unlocking vault
then vault crashes.
Steps to Reproduce:
start + unlock any of the 3 nodes, running inside a 3-node Consul cluster
Important Factoids:
After one week of vacation following intense Vault usage (integration in a Terraform/Ansible stack), I found Vault lying on the floor, with that error.
References: