hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Command to force a leader election #494

Closed nbrownus closed 8 years ago

nbrownus commented 9 years ago

Found myself in a situation where I needed to change the leader of a Vault cluster. I did this by sealing the existing leader. It would be preferable to have a way to force an election without sealing the leader, since unsealing may require multiple people to enter key shares.

Ideally the existing leader would not be eligible.

sheldonh commented 8 years ago

I have a consul-backed vault cluster where all three vaults are in standby, reporting a leader IP that left the cluster some time ago. :-(

jefferai commented 8 years ago

This was fixed in 0.5.2 (via #1146) with the step-down command.

sheldonh commented 8 years ago

Ah, nice one. Will upgrade. Thanks!

jefferai commented 8 years ago

@sheldonh To be clear, I have no idea if your problem is fixed. My comment and closing are because the original request was fixed. But, upgrading can't hurt. If you still have an issue, open a new ticket.

1hanymhajna commented 7 years ago

I'm using Vault HA version 0.6.4 and still have the same problem: Vault standby nodes are reporting a leader IP that left the cluster some time ago. Is there an option to make it happen automatically, without needing to run step-down on it?

VVMichaelSawyer commented 7 years ago

I had this same issue. Turns out the audit log was not writable by the newly spun up vault server. Changing ownership of the audit log back to the proper user allowed the servers to elect a new leader. Hope this helps.

weaseal commented 4 years ago

I just spent hours and hours debugging Vault and found that @VVMichaelSawyer's hint here solved my issue. I've been cobbling together a Vault instance from a backup and had configured an audit-log-directory prior to the backup's creation that did not exist on the restore instance. Even with Vault debugging enabled, the stdout/stderr log contained zero information about leader election issues or the related missing directory problem. Vault 1.1.3
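
The two failure modes reported in the comments above (an audit log the server cannot write to, and an audit log directory that is missing after a restore) can be checked before starting a restored or newly provisioned node. The script below is an added example, not part of the thread and not HashiCorp's code; `check_audit_path` is a hypothetical helper, the path is whatever the operator configured for the file audit device, and it assumes it is run as the account the Vault server runs under.

```shell
#!/bin/sh
# Added example: pre-flight check for a file audit device path.
# Assumption: run as the Vault service account, so the shell's own
# permission tests reflect what the server will be able to do.

# check_audit_path PATH
# Prints a one-word verdict and returns:
#   0 ok           file exists and is writable, or can be created
#   1 missing-dir  parent directory does not exist (restore case)
#   2 dir-denied   file absent and parent directory not writable
#   3 file-denied  file exists but is not writable (ownership case)
#   4 not-a-file   path exists but is not a regular file
check_audit_path() {
    _cap_path="$1"
    _cap_dir="$(dirname -- "$_cap_path")"
    if [ ! -d "$_cap_dir" ]; then echo "missing-dir"; return 1; fi
    if [ -e "$_cap_path" ]; then
        if [ ! -f "$_cap_path" ]; then echo "not-a-file"; return 4; fi
        if [ ! -w "$_cap_path" ]; then echo "file-denied"; return 3; fi
        echo "ok"; return 0
    fi
    # File does not exist yet: the server must be able to create it.
    if [ ! -w "$_cap_dir" ] || [ ! -x "$_cap_dir" ]; then
        echo "dir-denied"; return 2
    fi
    echo "ok"; return 0
}

# When paths are given on the command line, check each one and exit
# non-zero if any of them would block audit logging.
if [ "$#" -gt 0 ]; then
    status=0
    for p in "$@"; do
        verdict="$(check_audit_path "$p")" || status=1
        printf '%s: %s\n' "$p" "$verdict"
    done
    exit "$status"
fi
```

Running it as root hides the `file-denied` and `dir-denied` cases, because root passes the write tests regardless of ownership.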

oliverisaac commented 1 year ago

I keep coming back to this thread when trying to fix election issues, so figured I'd add this link: if you have lost quorum and need to force another Vault pod to become leader, HashiCorp has docs on how to do that: https://developer.hashicorp.com/vault/tutorials/raft/raft-lost-quorum