How to reset or "un-initialize" vault?

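I am trying to automate a Vault v0.8.0 deployment with a consul v0.9.1 backend (vaultproject from Hashicorp).

Since this is a trial-and-error process, I needed to run "vault init" a few times (until I got it right) and get the keys.

Unfortunately, I lost the keys and the root token.

I tried stopping the vault and consul services - no go: "* Vault is already initialized" and "* Vault is sealed"

I stopped vault, deleted the vault path from consul, started vault - same result - on "vault init" I get this error: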

* expiration state restore failed: failed to scan for leases: list failed at path '': Unexpected response code: 403

It creates the vault/ path in consul again and stays sealed.

How can I "reset" it, or un-initialize it, and start over from "vault init"?

Here is the log:

Aug 10 05:01:49 TSLASOWROMM01 vault[9156]: ==> Vault server started! Log data will stream in below:
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.238436 [INFO ] core: security barrier not initialized
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.271844 [INFO ] core: security barrier initialized: shares=5 threshold=3
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.320363 [INFO ] core: post-unseal setup starting
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.342931 [INFO ] core: loaded wrapping token key
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.356895 [INFO ] core: successfully mounted backend: type=generic path=secret/
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.357342 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.357736 [INFO ] core: successfully mounted backend: type=system path=sys/
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.358293 [INFO ] rollback: starting rollback manager
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.381808 [INFO ] expiration: restoring leases
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.383943 [INFO ] core: pre-seal teardown starting
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384154 [INFO ] core: cluster listeners not running
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384365 [INFO ] rollback: stopping rollback manager
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384633 [INFO ] core: pre-seal teardown complete
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384909 [ERROR] core: post-unseal setup failed during init: error=expiration state restore failed: failed to scan for leases: list failed at path '': Unexpected response code: 403

According to the discussion of the same issue here: https://groups.google.com/forum/#!msg/vault-tool/xuO8IInubDg/SBHMP2PKAwAJ, the answer is:

Vault is storing its state in Consul, so if you shut down Vault and delete Vault's key prefix in Consul things should start clean again.

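With any storage backend for Vault, you should be able to delete your storage. It looks like you are running into an error with an older version of Consul.

Just in case someone reads this post like me -> looking for the "file" backend or the "database" backend

File backend:

If you look in the vault config file (e.g. /etc/vault.d/vault.hcl)

there is a directive storage "file" { path = "/some/file/name" ......

Empty the directory /some/file/name (do not delete it, empty it).

Database backend:

You simply truncate the "vault_kv_store" table and restart vault: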

psql -U myvaultdbuser -h myvaultDB.host.name -p5432 vaultdatabasname -c 'truncate table vault_kv_store';

... and initialize again:

Then point your browser to e.g. http://localhost:8820/ui/vault/init to initialize again
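
The file-backend steps above as a script. This is an added example, not part of the original answer: the function names are hypothetical, and it assumes Vault is stopped before it runs. It reads the path from the storage "file" block and empties that directory while keeping the directory itself, refusing empty, relative or root paths.

```shell
#!/bin/sh
# Added example: reset Vault's "file" storage backend by emptying its directory.
# Function names are hypothetical; stop the Vault service before running this.

# Print the path configured inside the storage "file" { ... } block of a config.
vault_file_storage_path() {
    awk '
        /^[ \t]*storage[ \t]+"file"/ { in_block = 1 }
        in_block && match($0, /path[ \t]*=[ \t]*"[^"]+"/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)   # drop everything up to the opening quote
            sub(/"$/, "", s)        # drop the closing quote
            print s
            exit
        }
        in_block && /[}]/ { in_block = 0 }
    ' "$1"
}

# Remove everything under the directory but keep the directory itself.
empty_storage_dir() {
    dir="$1"
    case "$dir" in
        ""|"/") echo "refusing to empty '$dir'" >&2; return 1 ;;
        /*) ;;
        *) echo "storage path must be absolute: $dir" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # -mindepth 1 excludes the directory itself, so it is emptied, not deleted.
    find "$dir" -mindepth 1 -delete
}

# When called with a config file argument, e.g. /etc/vault.d/vault.hcl,
# look up the storage path and empty it.
if [ "$#" -eq 1 ]; then
    storage_dir=$(vault_file_storage_path "$1") && empty_storage_dir "$storage_dir"
fi
```

After it finishes, start Vault and initialize again as described.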

Using Vault version Vault v1.7.3. I noticed it creates a folder vault-data, which I had to rename in order to un-initialize.