Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Continuously attempt to unseal if sealed keys are supported #6039

Merged
merged 4 commits into from
Jan 23, 2019
Merged

Continuously attempt to unseal if sealed keys are supported #6039

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a5ea384
Add helper for checking if an error is a fatal error
sethvargo Jan 14, 2019
a5e6c60
Check return value of UnsealWithStoredKeys in sys/init
sethvargo Jan 14, 2019
5ad512c
Return proper error types when attempting unseal with stored key
sethvargo Jan 14, 2019
9e646ee
Continuously attempt to unseal if sealed keys are supported
sethvargo Jan 14, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Continuously attempt to unseal if sealed keys are supported 
This fixes a bug that occurs on bootstrapping an initial cluster. Given a collection of Vault nodes and an initialized storage backend, they will all go into standby waiting for initialization. After one node is initialized, the other nodes had no mechanism by which they "re-check" to see if unseal keys are present. This adds a goroutine to the server command which continually waits for unseal keys to exist. It exits in the following conditions:

- the node is unsealed
- the node does not support stored keys
- a fatal error occurs (as defined by Vault)
- the server is shutting down

In all other situations, the routine wakes up at the specified interval and attempts to unseal with the stored keys.
  • Loading branch information
@sethvargo
sethvargo committed Jan 23, 2019
commit 9e646ee613f5bbb5573a5bc69c31eec7d5a426ee
29 changes: 24 additions & 5 deletions command/server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -937,12 +937,31 @@ CLUSTER_SYNTHESIS_COMPLETE:
return 1
}

if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
if vault.IsFatalError(err) {
c.UI.Error(fmt.Sprintf("Error initializing core: %s", err))
return 1
// Attempt unsealing in a background goroutine. This is needed for when a
// Vault cluster with multiple servers is configured with auto-unseal but is
// uninitialized. Once one server initializes the storage backend, this
// goroutine will pick up the unseal keys and unseal this instance.
go func() {
for {
err := core.UnsealWithStoredKeys(context.Background())
if err == nil {
return
}

if vault.IsFatalError(err) {
c.logger.Error(fmt.Sprintf("Error unsealing core", "error", err))
return
} else {
c.logger.Warn(fmt.Sprintf("Failed to unseal core", "error" err))
}

select {
case <-c.ShutdownCh:
return
case <-time.After(5 * time.Second):
}
}
}
}()

// Perform service discovery registrations and initialization of
// HTTP server after the verifyOnly check.
Expand Down
2 changes: 1 addition & 1 deletion vault/init.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,7 +281,7 @@ func (c *Core) UnsealWithStoredKeys(ctx context.Context) error {
defer c.unsealWithStoredKeysLock.Unlock()

if !c.seal.StoredKeysSupported() {
return errors.New("stored keys are not supported")
return nil
}

// Disallow auto-unsealing when migrating
Expand Down