Closed aphorise closed 2 years ago
We recently started exploring vault integrated storage backend and faced this issue. `vault operator raft join <vault-node-addr>` returns `joined: true` even when the node doesn't join the network. I think this is a small but serious bug which should be handled on priority
I was not able to reproduce this issue:
```
ncc$ ./vault operator raft join http://192.168.0.2:8200; echo $?
Error joining the node to the Raft cluster: Error making API request.
URL: POST http://127.0.0.3:8200/v1/sys/storage/raft/join
Code: 500. Errors:
* failed to join raft cluster: failed to join any raft leader node
2
```
In the logs:
```
2021-07-20T17:24:43.339-0400 [INFO] core: attempting to join possible raft leader node: leader_addr=http://192.168.0.2:8200
2021-07-20T17:25:13.345-0400 [WARN] core: join attempt failed: error="error during raft bootstrap init call: Put "http://192.168.0.2:8200/v1/sys/storage/raft/bootstrap/challenge": dial tcp 192.168.0.2:8200: i/o timeout"
2021-07-20T17:25:13.345-0400 [ERROR] core: failed to join raft cluster: error="failed to join any raft leader node"
```
The 192.168.0.2 node status:
```
ncc$ ./vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
...
```
I suspect we've improved this behaviour in recent versions. Please open a new issue if you observe this in current Vault versions.
EDIT: missed the "make a new issue" bit, sorry. LMK if it's worthwhile making a new issue.
Perhaps not the same problem, but it definitely should fail in some obvious cases:
```
[root@rom:~]# vault operator raft join http://10.1.1.92:8200
Key Value
--- -----
Joined true
[root@rom:~]# vault operator raft join http://10.1.1.92:8201
Key Value
--- -----
Joined true
[root@rom:~]# vault operator raft join http://10.1.1.92:82
Key Value
--- -----
Joined true
[root@rom:~]# vault operator raft join http://10
Key Value
--- -----
Joined true
[root@rom:~]# vault operator raft join http://10dddddd
Key Value
--- -----
Joined true
[root@rom:~]# vault --version
Vault v1.10.3 (v1.10.3) (cgo)
```
During initialisation when a node is not yet unsealed - a success `joined` & 0 exit code is unconditionally returned when performing `vault operator raft join ...`. The `/sys/storage/raft/join` API similarly returns a HTTP-200 with a `joined` json response body.

There's presently no way to determine when a node has been successfully added to raft peers list (without an additional `list-peers` after request and deductive comparisons)

To Reproduce

Expected behavior

Provide contextual response which expresses a HTTP-2xx / 0 exit code and `joined` message only when a node has actually been added / peered.

Environment:

`vault status`):

`uname -pisorv ; # Linux 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) GNU/Linux`

Vault server configuration file(s):
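The deductive comparison the report describes (a `list-peers` before and after the join request), sketched as an added example that is not part of the original issue or of Vault's own code. It assumes `vault operator raft list-peers -format=json` was captured twice from an unsealed cluster member and that the peers sit under `data.config.servers`; the function names, file arguments and sample peers are hypothetical or constructed.

```python
import json
import sys

def raft_servers(list_peers_json):
    """Map node_id -> server entry from captured list-peers JSON.
    Assumed layout: {"data": {"config": {"servers": [...]}}}."""
    doc = json.loads(list_peers_json)
    servers = doc.get("data", {}).get("config", {}).get("servers", [])
    return {s["node_id"]: s for s in servers}

def confirm_join(before_json, after_json, expected_addr):
    """Treat the join as real only if a peer with expected_addr (the
    joining node's cluster address, host:port) is present after the
    request and was absent before it. Returns that peer or None."""
    before = raft_servers(before_json)
    after = raft_servers(after_json)
    for node_id in sorted(after.keys() - before.keys()):
        if after[node_id].get("address") == expected_addr:
            return after[node_id]
    return None

def _peers(*entries):
    # Helper that builds constructed sample output (not real cluster data).
    servers = [{"node_id": n, "address": a, "leader": l, "voter": True}
               for n, a, l in entries]
    return json.dumps({"data": {"config": {"index": 0, "servers": servers}}})

# Constructed samples: a two-node cluster, then the same cluster plus node3.
BEFORE = _peers(("node1", "10.0.0.1:8201", True),
                ("node2", "10.0.0.2:8201", False))
AFTER = _peers(("node1", "10.0.0.1:8201", True),
               ("node2", "10.0.0.2:8201", False),
               ("node3", "10.0.0.3:8201", False))

if __name__ == "__main__":
    # usage: check_join.py before.json after.json <cluster_addr>
    # Exit code reflects the peers list, not the CLI's "Joined true".
    with open(sys.argv[1]) as b, open(sys.argv[2]) as a:
        peer = confirm_join(b.read(), a.read(), sys.argv[3])
    if peer is None:
        print("not in raft peers list: join did not take effect")
        sys.exit(1)
    print("joined as", peer["node_id"])
```
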