mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-07 07:07:05 +02:00
Code Issues Projects Releases Wiki Activity

Sync

Browse Source
This commit is contained in:
Jeff Mitchell 2019-06-20 20:55:10 -04:00
parent 8411a3e4a5
commit a342dcbb29
7 changed files with 48 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
command/base_predict_test.go
View File

@ -340,6 +340,7 @@ func TestPredict_Plugins(t *testing.T) {
"hana-database-plugin", "hana-database-plugin",
"influxdb-database-plugin", "influxdb-database-plugin",
"jwt", "jwt",
"kmip",
"kubernetes", "kubernetes",
"kv", "kv",
"ldap", "ldap",

21
physical/raft/raft.go
View File

@ -832,6 +832,27 @@ func (l *RaftLock) monitorLeadership(stopCh <-chan struct{}) <-chan struct{} {
// Lock blocks until we become leader or are shutdown. It returns a channel that // Lock blocks until we become leader or are shutdown. It returns a channel that
// is closed when we detect a loss of leadership. // is closed when we detect a loss of leadership.
func (l *RaftLock) Lock(stopCh <-chan struct{}) (<-chan struct{}, error) { func (l *RaftLock) Lock(stopCh <-chan struct{}) (<-chan struct{}, error) {
// Check to see if we are already leader.
l.b.l.RLock()
if l.b.raft.State() == raft.Leader {
err := l.b.applyLog(context.Background(), &LogData{
Operations: []*LogOperation{
&LogOperation{
OpType: putOp,
Key: l.key,
Value: l.value,
},
},
})
l.b.l.RUnlock()
if err != nil {
return nil, err
}
return l.monitorLeadership(stopCh), nil
}
l.b.l.RUnlock()
for { for {
select { select {
case isLeader := <-l.b.raftNotifyCh: case isLeader := <-l.b.raftNotifyCh:

24
vault/core.go
View File

@ -1420,10 +1420,10 @@ func (c *Core) UIHeaders() (http.Header, error) {
// sealInternal is an internal method used to seal the vault. It does not do // sealInternal is an internal method used to seal the vault. It does not do
// any authorization checking. // any authorization checking.
func (c *Core) sealInternal() error { func (c *Core) sealInternal() error {
return c.sealInternalWithOptions(true, false) return c.sealInternalWithOptions(true, false, true)
} }
func (c *Core) sealInternalWithOptions(grabStateLock, keepHALock bool) error { func (c *Core) sealInternalWithOptions(grabStateLock, keepHALock, shutdownRaft bool) error {
// Mark sealed, and if already marked return // Mark sealed, and if already marked return
if swapped := atomic.CompareAndSwapUint32(c.sealed, 0, 1); !swapped { if swapped := atomic.CompareAndSwapUint32(c.sealed, 0, 1); !swapped {
return nil return nil
@ -1503,15 +1503,17 @@ func (c *Core) sealInternalWithOptions(grabStateLock, keepHALock bool) error {
} }
// If the storage backend needs to be sealed // If the storage backend needs to be sealed
if raftStorage, ok := c.underlyingPhysical.(*raft.RaftBackend); ok { if shutdownRaft {
if err := raftStorage.TeardownCluster(c.clusterListener); err != nil { if raftStorage, ok := c.underlyingPhysical.(*raft.RaftBackend); ok {
c.logger.Error("error stopping storage cluster", "error", err) if err := raftStorage.TeardownCluster(c.clusterListener); err != nil {
return err c.logger.Error("error stopping storage cluster", "error", err)
return err
}
} }
}
// Stop the cluster listener // Stop the cluster listener
c.stopClusterListener() c.stopClusterListener()
}
c.logger.Debug("sealing barrier") c.logger.Debug("sealing barrier")
if err := c.barrier.Seal(); err != nil { if err := c.barrier.Seal(); err != nil {
@ -1702,14 +1704,14 @@ func (c *Core) preSeal() error {
c.stopPeriodicRaftTLSRotate() c.stopPeriodicRaftTLSRotate()
c.stopForwarding()
c.clusterParamsLock.Lock() c.clusterParamsLock.Lock()
if err := stopReplication(c); err != nil { if err := stopReplication(c); err != nil {
result = multierror.Append(result, errwrap.Wrapf("error stopping replication: {{err}}", err)) result = multierror.Append(result, errwrap.Wrapf("error stopping replication: {{err}}", err))
} }
c.clusterParamsLock.Unlock() c.clusterParamsLock.Unlock()
c.stopForwarding()
if err := c.teardownAudits(); err != nil { if err := c.teardownAudits(); err != nil {
result = multierror.Append(result, errwrap.Wrapf("error tearing down audits: {{err}}", err)) result = multierror.Append(result, errwrap.Wrapf("error tearing down audits: {{err}}", err))
} }

7
vault/ha.go
View File

@ -15,6 +15,7 @@ import (
multierror "github.com/hashicorp/go-multierror" multierror "github.com/hashicorp/go-multierror"
uuid "github.com/hashicorp/go-uuid" uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/physical/raft"
"github.com/hashicorp/vault/sdk/helper/certutil" "github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/jsonutil"
@ -678,6 +679,7 @@ func (c *Core) periodicLeaderRefresh(newLeaderCh chan func(), stopCh chan struct
// periodicCheckKeyUpgrade is used to watch for key rotation events as a standby // periodicCheckKeyUpgrade is used to watch for key rotation events as a standby
func (c *Core) periodicCheckKeyUpgrades(ctx context.Context, stopCh chan struct{}) { func (c *Core) periodicCheckKeyUpgrades(ctx context.Context, stopCh chan struct{}) {
opCount := new(int32) opCount := new(int32)
_, isRaft := c.underlyingPhysical.(*raft.RaftBackend)
for { for {
select { select {
case <-time.After(keyRotateCheckInterval): case <-time.After(keyRotateCheckInterval):
@ -706,7 +708,10 @@ func (c *Core) periodicCheckKeyUpgrades(ctx context.Context, stopCh chan struct{
entry, _ := c.barrier.Get(ctx, poisonPillPath) entry, _ := c.barrier.Get(ctx, poisonPillPath)
if entry != nil && len(entry.Value) > 0 { if entry != nil && len(entry.Value) > 0 {
c.logger.Warn("encryption keys have changed out from underneath us (possibly due to replication enabling), must be unsealed again") c.logger.Warn("encryption keys have changed out from underneath us (possibly due to replication enabling), must be unsealed again")
go c.Shutdown() // If we are using raft storage we do not want to shut down
// raft during replication secondary enablement. This will
// allow us to keep making progress on the raft log.
go c.sealInternalWithOptions(true, false, !isRaft)
atomic.AddInt32(lopCount, -1) atomic.AddInt32(lopCount, -1)
return return
} }

4
vault/mount.go
View File

@ -483,8 +483,6 @@ func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStora
addPathCheckers(c, entry, backend, viewPath) addPathCheckers(c, entry, backend, viewPath)
addLicenseCallback(c, backend)
c.setCoreBackend(entry, backend, view) c.setCoreBackend(entry, backend, view)
// If the mount is filtered or we are on a DR secondary we don't want to // If the mount is filtered or we are on a DR secondary we don't want to
@ -1218,6 +1216,8 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
if b == nil { if b == nil {
return nil, fmt.Errorf("nil backend of type %q returned from factory", t) return nil, fmt.Errorf("nil backend of type %q returned from factory", t)
} }
addLicenseCallback(c, b)
return b, nil return b, nil
} }

2
vault/policy_store.go
View File

@ -261,7 +261,7 @@ func (c *Core) setupPolicyStore(ctx context.Context) error {
return err return err
} }
if c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary) { if c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary | consts.ReplicationDRSecondary) {
// Policies will sync from the primary // Policies will sync from the primary
return nil return nil
} }

8
vault/raft.go
View File

@ -402,7 +402,7 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool) func() error {
// Seal ourselves // Seal ourselves
c.logger.Info("failed to perform key upgrades, sealing", "error", err) c.logger.Info("failed to perform key upgrades, sealing", "error", err)
c.sealInternalWithOptions(false, false) c.sealInternalWithOptions(false, false, true)
return err return err
default: default:
// If we are using an auto-unseal we can try to use the seal to // If we are using an auto-unseal we can try to use the seal to
@ -412,17 +412,17 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool) func() error {
keys, err := c.seal.GetStoredKeys(ctx) keys, err := c.seal.GetStoredKeys(ctx)
if err != nil { if err != nil {
c.logger.Error("raft snapshot restore failed to get stored keys", "error", err) c.logger.Error("raft snapshot restore failed to get stored keys", "error", err)
c.sealInternalWithOptions(false, false) c.sealInternalWithOptions(false, false, true)
return err return err
} }
if err := c.barrier.Seal(); err != nil { if err := c.barrier.Seal(); err != nil {
c.logger.Error("raft snapshot restore failed to seal barrier", "error", err) c.logger.Error("raft snapshot restore failed to seal barrier", "error", err)
c.sealInternalWithOptions(false, false) c.sealInternalWithOptions(false, false, true)
return err return err
} }
if err := c.barrier.Unseal(ctx, keys[0]); err != nil { if err := c.barrier.Unseal(ctx, keys[0]); err != nil {
c.logger.Error("raft snapshot restore failed to unseal barrier", "error", err) c.logger.Error("raft snapshot restore failed to unseal barrier", "error", err)
c.sealInternalWithOptions(false, false) c.sealInternalWithOptions(false, false, true)
return err return err
} }
c.logger.Info("done reloading master key using auto seal") c.logger.Info("done reloading master key using auto seal")