error: security barrier not initialized


george....@mx.com

Aug 16, 2016, 12:20:27 PM
to Vault
Hi,

Getting the following after running vault for a while without issue:

[INFO] core: security barrier not initialized

Running postgresql backend (non-HA)

What circumstances would cause this? I know that the backend is the primary thing to look at here, but would simply not being able to connect cause this, or would it more likely be data corruption or something?

Thanks in advance.

Jeff Mitchell

Aug 16, 2016, 12:26:06 PM
to vault...@googlegroups.com
Hi George,

As you suspected, that means that Vault doesn't think that its backend
data store is initialized. If the issue is due to an error, like a
postgres connection problem, you'd probably also be seeing other
errors in the log (containing "failed to check for initialization"),
but if not, it suggests a deeper problem. The keyring lives at
"core/keyring", in whatever way that translates to Postgres, so as a
primary check you should ensure that value exists.

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/97488e2e-488b-4385-a325-5745ec749683%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

george....@mx.com

Aug 16, 2016, 1:01:55 PM
to Vault
Thanks Jeff!

Yeah, it looks like that record is not there. I assume that is created on initialization. Is there anything in vault that would un-initialize a vault backend?

Jeff Mitchell

Aug 16, 2016, 2:36:08 PM
to vault...@googlegroups.com
Hi George,

Nothing in Vault un-initializes. I wonder if you are indeed hitting
some kind of issue with your postgres connection; if so, try
restarting Vault?

Best,
Jeff

George Lambson

Aug 16, 2016, 3:37:03 PM
to vault...@googlegroups.com
So nothing should delete that key?




Jeff Mitchell

Aug 16, 2016, 3:39:31 PM
to vault...@googlegroups.com
Nope. The only way to uninitialize vault is through user
operation...as in, the user wiping out the data store. For safety,
there is no call within Vault that *ever* does a write to that value
outside of 'vault init', and that always checks to see whether the
keyring exists before it performs any action.

Best,
Jeff
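
The log triage described in this thread, as an added example that is not part of the thread and not Vault's own code: it separates a "security barrier not initialized" message that sits next to a "failed to check for initialization" error (backend connectivity) from one that appears on its own (check that "core/keyring" exists in the backend). The timestamp format, the error detail in the sample lines, and the `near`/`window_s` thresholds are assumptions.

```python
import re
from datetime import datetime

BARRIER = "security barrier not initialized"
CHECK_FAILED = "failed to check for initialization"
TS = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")  # assumed log prefix

# Constructed sample log: only the two quoted messages come from the thread.
SAMPLE = """\
2016/08/16 12:19:58 [ERR] core: failed to check for initialization: connection refused
2016/08/16 12:20:01 [INFO] core: security barrier not initialized
2016/08/16 12:45:10 [INFO] core: security barrier not initialized
"""

ADVICE = {
    "backend-error": "backend check failed nearby: investigate the Postgres connection",
    "check-keyring": "no backend error nearby: verify core/keyring exists in the store",
}

def _ts(line):
    """Parse the leading timestamp, or return None if the line has none."""
    m = TS.match(line)
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None

def triage(log_text, near=5, window_s=10):
    """Return (line_no, verdict) for every barrier message in log_text."""
    lines = log_text.splitlines()
    results = []
    for i, line in enumerate(lines):
        if BARRIER not in line:
            continue
        verdict = "check-keyring"
        # Look at neighbouring lines on both sides for the backend error.
        for other in lines[max(0, i - near): i + near + 1]:
            if CHECK_FAILED not in other:
                continue
            a, b = _ts(other), _ts(line)
            # Without timestamps, fall back to line proximity alone.
            if a is None or b is None or abs((b - a).total_seconds()) <= window_s:
                verdict = "backend-error"
                break
        results.append((i + 1, verdict))
    return results

if __name__ == "__main__":
    for line_no, verdict in triage(SAMPLE):
        print(f"line {line_no}: {ADVICE[verdict]}")
```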