-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
failed to mount entry &vault.MountEntry{Path:"secret/" #733
Comments
Assuming it's the same underlying cause as #648, the fix is the same too -- you can either upgrade to If possible I'd recommend upgrading to |
With the latest code on master, it did not solve the issue...the logs look a little different...here is a sample: ==> Vault server configuration:
Advertise Address: http://10.1.8.10:8200 ==> Vault server started! Log data will stream in below: 2015/10/30 18:03:14 [INFO] core: vault is unsealed |
I think this is a different problem. What seems to be happening is that, because it cannot open the designated file for writing, the audit backend is failing to start. This is causing the post-unseal setup phase of the node becoming active to fail, however, when this happens it's not cleaning up after itself. Then it realizes it's master and tries to perform the post-unseal setup again. In the short term you can probably solve this by fixing access to your audit file. |
I wasn't aware that I had auditing enabled. When I attempt to auth at the command line I get "Error validating token: http: read on closed response body". Is there another way to disable auditing? |
Does it get into this bad state every time you start it? |
I just pushed a change to master which will cause the file path to be printed in the error message. |
No...but I launched new AMIs so this is a fresh aws instance. So, on this log: 2015/10/30 18:03:15 [ERR] core: failed to create audit entry file/: sanity check failed; unable to open given path for writing What...LOL just got your message ok...will try |
Audit config is stored in the storage backend, so a fresh AWS instance won't help if you're using the same storage. |
Great...so I got this log: 2015/10/30 18:37:21 [ERR] core: failed to create audit entry file/: sanity check failed; unable to open /var/log/vault_audit.log for writing Then went and created that file w/ proper permissions, restarted, unsealed...and all seems fixed!! Thanks :) |
Sure. I'm going to leave this open because I want to look into the underlying issue, but feel free to unsubscribe if you like. |
This also ensures that every error path out of postUnseal returns an error. Fixes #733
I also ran into this with vault 0.3.1, which doesn't print the path of the audit log it is trying to write. I was too lazy to pull from git master and install on our servers, so I did some
and in my case it was trying to write The other curious thing is that I don't remember turning on the audit feature -- maybe I did and forgot, but the poster above said the same so I wonder if it's getting turned on by default perhaps? |
It might be useful to get a new version of vault released with the recent fixes? It might also be handy if there was some way to disable the auth backend when it's causing problems.
Maybe if opening the log file fails, vault can print a message in the log that advises running vault with a new command line option -- e.g.: |
Probably then when it was configured it was given a relative path instead of a full path.
No, like other kinds of backends, audit backends are only enabled via administrative commands.
It will be out soon enough. Although, if you're too lazy to pull from git master and install, won't you be too lazy to get the new release and install? 👅
The problem there is it exposes a relatively easy way for an attacker to turn off audit logging; if Vault is up and operative enough to properly handle an administrative token, it should already be logging things into the audit log. So far, the new behavior of printing the file that Vault is attempting to use seems to be a decent enough workaround (and in 0.3(.1?) it does check that it can write to that file before allowing the backend to be enabled). |
Hmmm. I don't remember doing this, but that of course means nothing as I do lots of things and don't remember them 😄 Especially since I set up Vault a few months ago. Wish I had a way to audit the enabling of audit logs 😄 or maybe just a pill to be less scatter-brained 😄
Yeah, fair point. Though I think I could better sell writing an ansible playbook that updates Vault to the latest released version; folks might wince if I wrote the playbook to be able to pull from git (although that could be pretty cool for situations like these...). I'm using the kbrebanov.vault ansible role and it doesn't seem to work particularly well -- i.e.: I think it failed to update Vault and I had to manually download and unpack the file to upgrade Vault -- any recos for a better role/playbook? Heck since Vault is written in Golang, it should be pretty trivial to do with just a silly little shell script.
Yeah, it very well may be enough to have these things. Obviously, there is a tension between making Vault easy to troubleshoot/maintain and security, which is obvious a paramount concern for Vault. Thanks again @jefferai for all the pointers which helped me get back up and running! |
Unfortunately, I don't know much about the various playbooks/scripts/etc. for using Vault with FWIW, when I was using Ansible with Vault, I just had a simple play that fetched the new binary from where I had stashed it and pushed it onto each server. (I had to stage it and then use |
This issue #648 is happening to me (0.3.0). Does this issue have a known solution? I would really rather not clear all the vault data and restart. I am using Consul as a backend and getting the below message over and over. I swapped out 3 aws instances with Consul and Vault on them with 3 new ones...then shut the old ones down and I believe this started happening when a Vault instance on one of the new servers tried to take leadership. Consul reacted fine to all of this.
Error = failed to mount entry &vault.MountEntry{Path:"secret/", Type:"generic", Description:"generic secret storage", UUID:"b0ebbea3-c775-8cd4-2cf7-c16f91b5e7f9", Config:vault.MountConfig{DefaultLeaseTTL:0, MaxLeaseTTL:0}, Options:map[string]string{}, Tainted:false}: cannot mount under existing mount 'secret/'
The text was updated successfully, but these errors were encountered: