Describe the bug
Vault starts, but on the last unseal key Vault returns a 500 and a confusing error message because of a raft configuration error.
{"errors":["strconv.Atoi: parsing \"1\\n\": invalid syntax"]}
To Reproduce
Steps to reproduce the behavior:
1 (integer not string)
Expected behavior
Helpful error message or behavior according to documentation.
Additional context
Documentation refers to performance_multiplier as int https://www.vaultproject.io/docs/configuration/storage/raft#performance_multiplier
Tests use string and strconv.Atoi https://github.com/hashicorp/vault/blob/5299537f69dd33faefca721f866cda3166c241be/physical/raft/raft_test.go#L386
Environment:
#deploy> docker stack deploy -c ${file} vault
version: "3.7"
services:
  vault-a: &service
    image: vault:1.4.0
    command: server
    environment: &environment
      #
      # NODE settings
      #
      VAULT_API_ADDR: "http://vault-a:8200"
      VAULT_CLUSTER_ADDR: https://vault-a:8201
      VAULT_RAFT_NODE_ID: vault-raft-a
      #
      # GLOBAL settings
      #
      # disable setcap in entrypoint cap_add is not supported by docker swarm
      # see: https://docs.docker.com/compose/compose-file/#cap_add-cap_drop
      SKIP_SETCAP: "1"
      # enable vault UI
      VAULT_UI: "1"
      VAULT_RAFT_PATH: /vault/file
      # !!! fix is to pass performance_multiplier value as a string "1" !!!
      VAULT_LOCAL_CONFIG: |
        {
          "listener": [{"tcp": {
            "address": "0.0.0.0:8200",
            "tls_disable": true,
            "cluster_address": "0.0.0.0:8201"
          }}],
          "disable_mlock": true,
          "storage": [{"raft": {
            "path": "/vault/file",
            "performance_multiplier": !!! 1 !!!,
            "retry_join": [
              { "leader_api_addr": "http://vault-a:8200" },
              { "leader_api_addr": "http://vault-b:8200" },
              { "leader_api_addr": "http://vault-c:8200" }
            ]
          }}]
        }
  vault-b:
    <<: *service
    environment:
      <<: *environment
      VAULT_API_ADDR: "http://vault-b:8200"
      VAULT_CLUSTER_ADDR: https://vault-b:8201
      VAULT_RAFT_NODE_ID: vault-raft-b
    volumes:
      - vault-b-data:/vault/file
  vault-c:
    <<: *service
    environment:
      <<: *environment
      VAULT_API_ADDR: "http://vault-c:8200"
      VAULT_CLUSTER_ADDR: https://vault-c:8201
      VAULT_RAFT_NODE_ID: vault-raft-c
    volumes:
      - vault-c-data:/vault/file
volumes:
  vault-a-data: {}
  vault-b-data: {}
  vault-c-data: {}
Thanks for the report! I was able to reproduce the issue. It seems that it only occurs if a JSON-formatted config file is provided. If you provide an integer value on an HCL-formatted config file, it works fine.
This seems to come from the fact that json.Encode, which gets called when we're parsing the config map, appends a newline to the resulting value, which is why strconv.Atoi ends up complaining when trying to do the conversion.
In doing some further testing on this, it looks like the error in question gets thrown regardless of file format. I can reproduce the problem with both HCL and JSON formatted config files. Additionally, it seems like the error in question happens not just for integer values, but boolean values as well.
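The trailing-newline behaviour described in the comments above, as an added Go example (not Vault's own code, and not part of the original thread). `flatten`, `multiplier` and the `example_bool` key are hypothetical, and passing string values through unchanged is an assumption made to match the report that `"1"` works while `1` fails.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: raft stanza with an integer multiplier and a boolean.
const sampleConfig = `{"path": "/vault/file", "performance_multiplier": 1, "example_bool": true}`

// flatten (hypothetical) turns decoded config values into strings. Non-string
// values go through json.Encoder, whose Encode always appends "\n".
func flatten(raw string, trim bool) (map[string]string, error) {
	var in map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &in); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(in))
	for k, v := range in {
		if s, ok := v.(string); ok {
			out[k] = s // assumption: strings are stored as-is
			continue
		}
		var buf bytes.Buffer
		if err := json.NewEncoder(&buf).Encode(v); err != nil {
			return nil, err
		}
		out[k] = buf.String()
		if trim { // corrected form: drop the encoder's trailing newline
			out[k] = strings.TrimSpace(out[k])
		}
	}
	return out, nil
}

// multiplier parses the flattened value with strconv.Atoi, as in the error.
func multiplier(conf map[string]string) (int, error) {
	return strconv.Atoi(conf["performance_multiplier"])
}

func main() {
	for _, trim := range []bool{false, true} {
		conf, _ := flatten(sampleConfig, trim)
		n, err := multiplier(conf)
		fmt.Printf("trim=%v raw=%q parsed=%d err=%v\n", trim, conf["performance_multiplier"], n, err)
	}
}
```
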