-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix keyring file missing after Vault restart #15946
Conversation
Fix keyring file missing after Vault restart Vault can be killed by signal SIGTERM in anytime. If Vault is doing keyring rotation and the fd is still not closed at that time, the size of the keyring file will be zero. The orignal key will be lost totally. Because the file is opened with os.O_TRUNC, and the fd will be closed automatically after Vault exits. Then try to unseal Vault after it startup again, the keyring file will be deleted in getInternal function due to its size is zero. So that is why the keyring file is missing. And the Vault cannot be unsealed anymore due to the file missing. Write data into a temp file then move it can avoid the file crash. Fix:hashicorp#15680
How to add maintainer ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for working on this! I had one small suggestion for your changelog entry.
changelog/15946.txt
Outdated
@@ -0,0 +1,3 @@ | |||
```release-note:bug | |||
core/seal: write a temp file and encrypt it, then rename it to the target path file. This can avoid the orignal file crash if Vault restart. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This changelog entry should indicate what changed from a user's perspective. For example, in this case, maybe something like:
Fix possible keyring truncation when using the file backend.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. I am new in github, If I still needs to update the file in my repository (Vault fork project) ? How can I squash this pull request(There are three commits so far). It seems no branch name and I have no permission.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Anyway I update the file in the fouth commit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, no need to worry about squashing. That will happen automatically when the PR is merged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, thanks for working on this!
@raskchanky If this change can be ported back to other release like 1.8 1,9 ? Because this is the version we are using and meet the problem. I do not know how to port back it and if I have permission I can do it. |
@shujun10086 We support n-2 versions, so with 1.11 just released, this can be backported to 1.10 and 1.9. I can handle that for you. |
Co-authored-by: shujun10086 <[email protected]>
Co-authored-by: shujun10086 <[email protected]>
Co-authored-by: shujun10086 <[email protected]>
Fix keyring file missing after Vault restart