hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault 1.0.0 will not start without seal configuration #5938

Closed jdavisp3 closed 5 years ago

jdavisp3 commented 5 years ago

Describe the bug

When attempting to upgrade from 0.10.4 to 1.0.0 in a configuration that has always used manual unseal, Vault will not start in server mode.

More details are in this thread, including the error message in the log file: https://groups.google.com/d/msgid/vault-tool/42B9735A-9B0D-443E-896E-050AE4741C9A%40ttys0.net?utm_medium=email&utm_source=footer

To Reproduce

Steps to reproduce the behavior:

  1. Run vault server -config...
  2. See error

Expected behavior

I expected Vault to start up and let me unseal it like all previous upgrades.

Environment:

Vault server configuration file(s):

{"backend":{"consul":{"address":"127.0.0.1:8500","path":"vault-dev-2"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_cert_file":"***","tls_key_file":"***"}}, "ui": true}

jefferai commented 5 years ago

What env vars do you have set? I don't know what might be causing this but we've had no other reports.

jdavisp3 commented 5 years ago

This is the environment of the server:

USER=vault
UPSTART_INSTANCE=
GROUP=vault
PID_FILE=/var/run/vault.pid
UPSTART_JOB=vault
VAULT=/usr/local/bin/vault
TERM=linux
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
CONFIG=/etc/vault/config.json
LOG_FILE=/var/log/vault.log
PWD=/
GOMAXPROCS=1

mjrlee commented 5 years ago

Did you try migrating at any point? This is the message we got on our standby nodes while we were migrating.

jdavisp3 commented 5 years ago

> Did you try migrating at any point? This is the message we got on our standby nodes while we were migrating.

I don't think so? I've never tried to use the auto-unsealing mechanism.

briankassouf commented 5 years ago

@jdavisp3 I wasn't able to reproduce using the same config file, have you ever run Vault Enterprise?

Also, could you run the following command and paste the data here?

consul kv get vault-dev-2/core/seal-config

jdavisp3 commented 5 years ago

@briankassouf I've never run the enterprise version. We've been using Vault since a fairly early release.

{"secret_shares":1,"pgp_keys":null,"secret_threshold":1,"nonce":"...","backup":false}

jdavisp3 commented 5 years ago

Thanks for the fix! Is there a way I could upgrade to 1.0.0 now or should I wait for 1.0.1?

briankassouf commented 5 years ago

1.0.1 will be out pretty soon, but a current workaround would be to manually edit the JSON in consul and add "type":"shamir", as an item in vault-dev-2/core/seal-config
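
The workaround described in the comment above, as an added Python example; it is not part of the thread or of Vault's own code. It assumes the `consul` CLI is on PATH and uses the key path from the thread; `add_shamir_type` and the backup file name are hypothetical, and the refusal to overwrite an existing, different `type` goes beyond what the comment states.

```python
import json
import subprocess
import sys

SEAL_KEY = "vault-dev-2/core/seal-config"  # key path quoted in the thread

# Constructed sample: the stored value posted in the thread (nonce left elided as "...")
SAMPLE = '{"secret_shares":1,"pgp_keys":null,"secret_threshold":1,"nonce":"...","backup":false}'


def add_shamir_type(raw: str) -> tuple[str, bool]:
    """Return (json_text, changed); adds "type":"shamir" only when no type is stored."""
    cfg = json.loads(raw)
    if not isinstance(cfg, dict):
        raise ValueError("seal-config is not a JSON object")
    current = cfg.get("type")
    if current == "shamir":
        return raw, False  # already patched, leave the stored bytes alone
    if current:
        # A different seal type is recorded: do not silently relabel it.
        raise ValueError(f"seal-config already has type {current!r}; not touching it")
    cfg["type"] = "shamir"  # every other field, including the nonce, is preserved
    return json.dumps(cfg, separators=(",", ":")), True


def main() -> int:
    raw = subprocess.run(
        ["consul", "kv", "get", SEAL_KEY],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    # Mode "x" fails if the file exists, so an earlier backup is never overwritten.
    with open("seal-config.backup.json", "x") as fh:
        fh.write(raw)
    patched, changed = add_shamir_type(raw)
    if not changed:
        print("seal-config already has type shamir; nothing to do")
        return 0
    # "consul kv put <key> -" reads the new value from stdin.
    subprocess.run(["consul", "kv", "put", SEAL_KEY, "-"],
                   input=patched, check=True, text=True)
    print("wrote:", patched)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```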

jdavisp3 commented 5 years ago

Gotcha, thanks. I'll just wait for 1.0.1.