shieldproject / shield-boshrelease

BOSH Release for shield
MIT License

Fail to upgrade from v8.0.8 to v8.0.10 #131

Closed eujungkim closed 6 years ago

eujungkim commented 6 years ago

I failed to upgrade from v8.0.8 to v8.0.10 like https://github.com/starkandwayne/shield-boshrelease/issues/130.

My admin id and password from v8.0.8 work for logging in to v8.0.10, too. But unlocking SHIELD fails.

"Unable to unlock the SHIELD Core." message is displayed in Web UI.

And shieldd.log in the shield vm looks like this:

2018-06-18 11:17:57.958350495 +000 UTC /var/vcap/packages/shield/bin/shieldd: ERROR: failed to read vault credentials from /var/vcap/store/shield/vault/vault.crypt: open /var/vcap/store/shield/vault/vault.crypt: no such file or directory

2018-06-18 11:17:57.958384389 +000 UTC /var/vcap/packages/shield/bin/shieldd: ERROR: POST /v2/unlock errored: open /var/vcap/store/shield/vault/vault.crypt: no such file or directory

In my shield vm with v8.0.8, /var/vcap/store/shield/vault/vault.crypt file does not exist.

Can you check it again?

jhunt commented 6 years ago

What does find -L /var/vcap/store -name '*.crypt' return?

eujungkim commented 6 years ago

There is no file matching find -L /var/vcap/store -name '*.crypt'.

This is the output of find /var/vcap/store -not -path '*/\.*'.

.
./shield
./shield/main.db
./shield/vault
./shield/vault/sys
./shield/vault/sys/token
./shield/vault/sys/token/id
./shield/vault/sys/token/id/_aa618aa14c25f34045dca1f88fa986a442a3942f
./shield/vault/sys/token/accessor
./shield/vault/sys/token/accessor/_59e6718684672a80c33501b9da86c3f3102df5bc
./shield/vault/sys/token/_salt
./shield/vault/sys/policy
./shield/vault/sys/policy/_default
./shield/vault/sys/policy/_response-wrapping
./shield/vault/logical
./shield/vault/logical/16ff1479-ded8-71e4-da7b-6e0e51161d5c
./shield/vault/logical/16ff1479-ded8-71e4-da7b-6e0e51161d5c/secret
./shield/vault/logical/16ff1479-ded8-71e4-da7b-6e0e51161d5c/secret/archives
./shield/vault/logical/16ff1479-ded8-71e4-da7b-6e0e51161d5c/secret/archives/_bafa813a-5d86-4c34-907b-cc5eefa1a860
... omitted
./shield/vault/logical/16ff1479-ded8-71e4-da7b-6e0e51161d5c/secret/archives/_0365b29e-f64b-47dc-8ad8-64d97c5127d9
./shield/vault/logical/16ff1479-ded8-71e4-da7b-6e0e51161d5c/secret/archives/_fixed_key
./shield/vault/core
./shield/vault/core/_audit
./shield/vault/core/wrapping
./shield/vault/core/wrapping/_jwtkey
./shield/vault/core/_master
./shield/vault/core/_keyring
./shield/vault/core/_seal-config
./shield/vault/core/cluster
./shield/vault/core/cluster/local
./shield/vault/core/cluster/local/_info
./shield/vault/core/_local-mounts
./shield/vault/core/_auth
./shield/vault/core/_local-audit
./shield/vault/core/_local-auth
./shield/vault/core/_mounts
./shield/vault.keys
./lost+found

Additionally, I attach my shield manifest. I used the same manifest and just changed the shield release version. shield-manifest.yml.txt

jhunt commented 6 years ago

Apparently, we have a disagreement (internal to SHIELD / BOSH release) on what to name the file that stores the encrypted seal keys. 8.0.8 SHIELD and prior seems to want to call it vault.crypt, whereas 8.0.10 seems to want to call it vault.keys.

What happens if you manually mv /var/vcap/store/shield/vault.keys /var/vcap/store/shield/vault.crypt, and then try to unlock the SHIELD core?

eujungkim commented 6 years ago

I did mv /var/vcap/store/shield/vault.keys /var/vcap/store/shield/vault/vault.crypt, not mv /var/vcap/store/shield/vault.keys /var/vcap/store/shield/vault.crypt. And it works well in v8.0.10.

One more difference I found between v8.0.8 and v8.0.10 is the sqlite db file name.

So for now, will the shield bosh release keep the file names vault.crypt and shield.db?

Thank you for your kind reply.

jhunt commented 6 years ago

Did your data survive the upgrade to 8.0.10? Or did you end up with a clean database after the upgrade?

eujungkim commented 6 years ago

I did some more tests of the upgrade from v8.0.8 to v8.0.10.

First of all, after mv /var/vcap/store/shield/vault.keys /var/vcap/store/shield/vault.crypt, my data from v8.0.8 survived in v8.0.10.

But restoring in v8.0.10 using a backup archive made in v8.0.8 failed with the error below:

Running restore task (using bzip2 compression)
==============================================
bunzip2: (stdin) is not a bzip2 file.

I think there are some changes to the compression mechanism in v8.0.10, like https://github.com/starkandwayne/shield/issues/419.

I am worried about another inconsistency in the next version like between v8.0.8 and v8.0.10.
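The workaround discussed in this thread, written as a guarded shell function. This is an added example, not code from the thread's participants or from the SHIELD project: the target path is the one shieldd reports in the error log above, the source path is the one in the find output, and the function name and return codes are assumptions. It copies rather than moves, so the file under its v8.0.8 name stays in place for a rollback.

```shell
#!/usr/bin/env bash
# Added example, not part of shield-boshrelease. Paths are those quoted in the
# thread; stage_vault_creds and its return codes are hypothetical.
#
# stage_vault_creds STORE_DIR
#   Copies STORE_DIR/shield/vault.keys to STORE_DIR/shield/vault/vault.crypt.
#   Returns 0 = copied, 1 = target already present (nothing changed),
#           2 = source file or vault directory missing, 3 = copy failed.
stage_vault_creds() {
  local store="$1"
  local old="$store/shield/vault.keys"
  local dir="$store/shield/vault"
  local new="$dir/vault.crypt"
  local tmp="$new.tmp.$$"

  # Never overwrite a credentials file the new release may already have written.
  if [ -e "$new" ]; then
    echo "already present: $new" >&2
    return 1
  fi
  if [ ! -f "$old" ] || [ ! -d "$dir" ]; then
    echo "missing: $old or $dir" >&2
    return 2
  fi

  # cp -p keeps mode, owner and timestamps, so the copy of the encrypted
  # seal keys is no more readable than the original was.
  cp -p "$old" "$tmp" || return 3

  # Verify the copy byte for byte before it becomes visible under the new name.
  if ! cmp -s "$old" "$tmp"; then
    rm -f "$tmp"
    return 3
  fi

  # Rename within the same directory, so shieldd never sees a partial file.
  mv "$tmp" "$new" || return 3
  return 0
}

# Usage on the SHIELD VM, before unlocking the core:
#   stage_vault_creds /var/vcap/store
```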