Peter Souter petems

## Gemfile
source "https://rubygems.org"

gem "progressbar"

## gist:66895a19ba4cd2ca74c222d52be5b9bf
* error performing token check: failed to persist lease entry: cannot write to readonly storage (retry attempt 1 after "250ms")

Fixed in Vault Enterprise 1.5.4

Changelog entry:

> replication (enterprise): Improve race condition when using a newly created token on a performance standby node"

## test
"production" = {
  "host" = "cool.example.com"
  "password" = "xPYmDlsYDQKCbcaY3Xa68-SwdM-wYkHnNYn_ARiYbWRon2UNuzw6RG5DAZjO0Dmz6O-iMVIjX-hWc1ihT3WX"
  "port" = 22
  "user" = "bob"
}

## vault-raft-snapshot.sh
# 2020-06-23
# this shows creating a Vault instance running integrated storage/raft,
# then adding a KV and taking a snapshot
# then kill the raft DB files to simulate a storage failure
# repeat new Vault instance, restore snapshot, unseal and auth with orig keys
# and read some data to show how backup/restore works

cat << EOF > ./vault_raft.hcl
ui=true
disable_mlock = true

## Vagrantfile
MIN_REQUIRED_VAGRANT_VERSION = '1.2.1'

if Vagrant::VERSION < MIN_REQUIRED_VAGRANT_VERSION
  $stderr.puts "ERROR: We require Vagrant version >=#{min_required_vagrant_version}. Please upgrade. http://downloads.vagrantup.com/\n"
  exit 1
end

Vagrant.configure("2") do |config|
  config.vm.box = "precise64"
  config.vm.hostname = 'foo'

## gist:46f17923c6e9402ceefa57db0c940f82
$ curl     --header "X-Vault-Token: $VAULT_TOKEN"     --request LIST     http://127.0.0.1:8200/v1/pki/certs
{"request_id":"de47662c-784a-86b7-a387-fb7d4997f929","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30","6b-0d-c3-94-c9-e1-20-d1-9a-eb-76-66-db-3d-8a-37-23-75-dc-1b"]},"wrap_info":null,"warnings":null,"auth":null}
$ curl --header "X-Vault-Token: $VAULT_TOKEN" http://127.0.0.1:8200/v1/pki/cert/22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30
{"request_id":"7eb822aa-4a88-fc32-7cf3-86d4a5b3f0f6","lease_id":"","renewable":false,"lease_duration":0,"data":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDpjCCAo6gAwIBAgIUItD3L/bBJsosfPrXY6wrqX06iTAwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjAwMzEzMTQzNzMxWhcNMjUw\nMzEyMTQzODAxWjAtMSswKQYDVQQDEyJleGFtcGxlLmNvbSBJbnRlcm1lZGlhdGUg\nQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1veq6qgz\nX8X7efKNQLF7BzTKd5iFm7MypSZTpfd6kunUSKCrLoIPH+oNTUbxXLsGXPxsKvSt

## gist:998649766cd7b4e6ffefa48badc1e946
$ curl     --header "X-Vault-Token: $VAULT_TOKEN"     --request LIST     http://127.0.0.1:8200/v1/pki/certs
{"request_id":"de47662c-784a-86b7-a387-fb7d4997f929","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30","6b-0d-c3-94-c9-e1-20-d1-9a-eb-76-66-db-3d-8a-37-23-75-dc-1b"]},"wrap_info":null,"warnings":null,"auth":null}
$ curl --header "X-Vault-Token: $VAULT_TOKEN" http://127.0.0.1:8200/v1/pki/cert/22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30
{"request_id":"7eb822aa-4a88-fc32-7cf3-86d4a5b3f0f6","lease_id":"","renewable":false,"lease_duration":0,"data":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDpjCCAo6gAwIBAgIUItD3L/bBJsosfPrXY6wrqX06iTAwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjAwMzEzMTQzNzMxWhcNMjUw\nMzEyMTQzODAxWjAtMSswKQYDVQQDEyJleGFtcGxlLmNvbSBJbnRlcm1lZGlhdGUg\nQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1veq6qgz\nX8X7efKNQLF7BzTKd5iFm7MypSZTpfd6kunUSKCrLoIPH+oNTUbxXLsGXPxsKvSt

## check_if_ruby_is_system.sh
#!/bin/bash

command_exists () {
  command "$1" &> /dev/null ;
}

if command_exists rbenv
then
  echo 'rbenv found, no action needed'
elif command_exists rvm

## CentOS 7 Error Log
[root@centos-2gb-lon1-01 ~]# yum install -y git
Loaded plugins: fastestmirror
base                                                     | 3.6 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
(1/4): base/7/x86_64/group_gz                              | 155 kB   00:00
(2/4): extras/7/x86_64/primary_db                          | 101 kB   00:00
(3/4): updates/7/x86_64/primary_db                         | 3.1 MB   00:00
(4/4): base/7/x86_64/primary_db                            | 5.3 MB   00:00
Determining fastest mirrors

## remove_requiretty.sh
echo "Removing requiretty"
sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers
echo "Complete!"
	* error performing token check: failed to persist lease entry: cannot write to readonly storage (retry attempt 1 after "250ms")

	Fixed in Vault Enterprise 1.5.4

	Changelog entry:

	> replication (enterprise): Improve race condition when using a newly created token on a performance standby node"
	"production" = {
	"host" = "cool.example.com"
	"password" = "xPYmDlsYDQKCbcaY3Xa68-SwdM-wYkHnNYn_ARiYbWRon2UNuzw6RG5DAZjO0Dmz6O-iMVIjX-hWc1ihT3WX"
	"port" = 22
	"user" = "bob"
	}
	# 2020-06-23
	# this shows creating a Vault instance running integrated storage/raft,
	# then adding a KV and taking a snapshot
	# then kill the raft DB files to simulate a storage failure
	# repeat new Vault instance, restore snapshot, unseal and auth with orig keys
	# and read some data to show how backup/restore works

	cat << EOF > ./vault_raft.hcl
	ui=true
	disable_mlock = true
	MIN_REQUIRED_VAGRANT_VERSION = '1.2.1'

	if Vagrant::VERSION < MIN_REQUIRED_VAGRANT_VERSION
	$stderr.puts "ERROR: We require Vagrant version >=#{min_required_vagrant_version}. Please upgrade. http://downloads.vagrantup.com/\n"
	exit 1
	end

	Vagrant.configure("2") do \|config\|
	config.vm.box = "precise64"
	config.vm.hostname = 'foo'
	$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request LIST http://127.0.0.1:8200/v1/pki/certs
	{"request_id":"de47662c-784a-86b7-a387-fb7d4997f929","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30","6b-0d-c3-94-c9-e1-20-d1-9a-eb-76-66-db-3d-8a-37-23-75-dc-1b"]},"wrap_info":null,"warnings":null,"auth":null}
	$ curl --header "X-Vault-Token: $VAULT_TOKEN" http://127.0.0.1:8200/v1/pki/cert/22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30
	{"request_id":"7eb822aa-4a88-fc32-7cf3-86d4a5b3f0f6","lease_id":"","renewable":false,"lease_duration":0,"data":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDpjCCAo6gAwIBAgIUItD3L/bBJsosfPrXY6wrqX06iTAwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjAwMzEzMTQzNzMxWhcNMjUw\nMzEyMTQzODAxWjAtMSswKQYDVQQDEyJleGFtcGxlLmNvbSBJbnRlcm1lZGlhdGUg\nQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1veq6qgz\nX8X7efKNQLF7BzTKd5iFm7MypSZTpfd6kunUSKCrLoIPH+oNTUbxXLsGXPxsKvSt
	#!/bin/bash

	command_exists () {
	command "$1" &> /dev/null ;
	}

	if command_exists rbenv
	then
	echo 'rbenv found, no action needed'
	elif command_exists rvm
	[root@centos-2gb-lon1-01 ~]# yum install -y git
	Loaded plugins: fastestmirror
	base \| 3.6 kB 00:00
	extras \| 3.4 kB 00:00
	updates \| 3.4 kB 00:00
	(1/4): base/7/x86_64/group_gz \| 155 kB 00:00
	(2/4): extras/7/x86_64/primary_db \| 101 kB 00:00
	(3/4): updates/7/x86_64/primary_db \| 3.1 MB 00:00
	(4/4): base/7/x86_64/primary_db \| 5.3 MB 00:00
	Determining fastest mirrors
	echo "Removing requiretty"
	sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers
	echo "Complete!"