From 46ccb88184bec16180c36dbc04bb1f818c8a8cb7 Mon Sep 17 00:00:00 2001
From: Jim Kalafut
Date: Fri, 12 Oct 2018 09:29:15 -0700
Subject: [PATCH] Don't copy HA lock file during migration (#5503)
---
 command/operator_migrate.go | 3 ++-
 command/operator_migrate_test.go | 13 +++++++++++++
 vault/core.go | 4 ++--
 vault/ha.go | 4 ++--
 4 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/command/operator_migrate.go b/command/operator_migrate.go
index c31fb285ed..a8845617c7 100644
--- a/command/operator_migrate.go
+++ b/command/operator_migrate.go
@@ -16,6 +16,7 @@ import (
 "github.com/hashicorp/vault/command/server"
 "github.com/hashicorp/vault/helper/logging"
 "github.com/hashicorp/vault/physical"
+ "github.com/hashicorp/vault/vault"
 "github.com/mitchellh/cli"
 "github.com/pkg/errors"
 "github.com/posener/complete"
@@ -196,7 +197,7 @@ func (c *OperatorMigrateCommand) migrate(config *migratorConfig) error {
 // migrateAll copies all keys in lexicographic order.
 func (c *OperatorMigrateCommand) migrateAll(ctx context.Context, from physical.Backend, to physical.Backend) error {
 return dfsScan(ctx, from, func(ctx context.Context, path string) error {
- if path < c.flagStart || path == migrationLock {
+ if path < c.flagStart || path == migrationLock || path == vault.CoreLockPath {
 return nil
 }
diff --git a/command/operator_migrate_test.go b/command/operator_migrate_test.go
index 358c3e7a87..bd4845a6a3 100644
--- a/command/operator_migrate_test.go
+++ b/command/operator_migrate_test.go
@@ -20,6 +20,7 @@ import (
 "github.com/hashicorp/vault/helper/base62"
 "github.com/hashicorp/vault/helper/testhelpers"
 "github.com/hashicorp/vault/physical"
+ "github.com/hashicorp/vault/vault"
 )
 func init() {
@@ -262,6 +263,10 @@ func generateData() map[string][]byte {
 result[strings.Join(segments, "/")] = data
 }
+ // Add special keys that should be excluded from migration
+ result[migrationLock] = []byte{}
+ result[vault.CoreLockPath] = []byte{}
+
 return result
 }
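Review bot: The doc comment on migrateAll in command/operator_migrate.go still reads "copies all keys", while the condition below it now silently drops two keys and nothing at the site says why the HA lock must stay behind. I would reword the comment to `// migrateAll copies all keys in lexicographic order, except the migration lock and the HA lock (vault.CoreLockPath).` and put a one-line why-comment above the `if`; presumably a lock entry carried over from the source would look held on the destination, which should be confirmed against #5503 before it is written down. The skip matches one exact key, so it is worth confirming that the source backend holds no other HA coordination entries that would still be copied. The closure passed to dfsScan continues past the end of this hunk.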
@@ -286,6 +291,14 @@ func compareStoredData(s physical.Backend, ref map[string][]byte, start string)
 if err != nil {
 return err
 }
+
+ if k == migrationLock || k == vault.CoreLockPath {
+ if entry == nil {
+ continue
+ }
+ return fmt.Errorf("key found that should have been excluded: %s", k)
+ }
+
+ if k >= start {
 if entry == nil {
 return fmt.Errorf("key not found: %s", k)
diff --git a/vault/core.go b/vault/core.go
index 93d635e5a1..5fa03e76d3 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -37,9 +37,9 @@ import (
 )
 const (
- // coreLockPath is the path used to acquire a coordinating lock
+ // CoreLockPath is the path used to acquire a coordinating lock
 // for a highly-available deploy.
- coreLockPath = "core/lock"
+ CoreLockPath = "core/lock"
 // The poison pill is used as a check during certain scenarios to indicate
 // to standby nodes that they should seal
diff --git a/vault/ha.go b/vault/ha.go
index 7d4e5990da..adb4f0e5fe 100644
--- a/vault/ha.go
+++ b/vault/ha.go
@@ -91,7 +91,7 @@ func (c *Core) Leader() (isLeader bool, leaderAddr, clusterAddr string, err erro
 }
 // Initialize a lock
- lock, err := c.ha.LockWith(coreLockPath, "read")
+ lock, err := c.ha.LockWith(CoreLockPath, "read")
 if err != nil {
 c.stateLock.RUnlock()
 return false, "", "", err
@@ -392,7 +392,7 @@ func (c *Core) waitForLeadership(newLeaderCh chan func(), manualStepDownCh, stop
 c.logger.Error("failed to generate uuid", "error", err)
 return
 }
- lock, err := c.ha.LockWith(coreLockPath, uuid)
+ lock, err := c.ha.LockWith(CoreLockPath, uuid)
 if err != nil {
 c.logger.Error("failed to create lock", "error", err)
 return
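Review bot: The pair of excluded keys is spelled out by hand twice in operator_migrate_test.go, once in the `k == migrationLock || k == vault.CoreLockPath` check added to compareStoredData and once in the seeding added to generateData, so a key added to one place and not the other would leave the exclusion untested without any failure. A single test-side slice of excluded paths that generateData seeds from and compareStoredData checks against would keep the two in step. The error would also read more clearly with the key quoted, `return fmt.Errorf("key found that should have been excluded: %q", k)`. The loop that this check sits in starts and ends outside the hunk.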