Peter Souter petems

## gist:66895a19ba4cd2ca74c222d52be5b9bf
* error performing token check: failed to persist lease entry: cannot write to readonly storage (retry attempt 1 after "250ms")

Fixed in Vault Enterprise 1.5.4

Changelog entry:

> replication (enterprise): Improve race condition when using a newly created token on a performance standby node"

## test
"production" = {
  "host" = "cool.example.com"
  "password" = "xPYmDlsYDQKCbcaY3Xa68-SwdM-wYkHnNYn_ARiYbWRon2UNuzw6RG5DAZjO0Dmz6O-iMVIjX-hWc1ihT3WX"
  "port" = 22
  "user" = "bob"
}

## vault-raft-snapshot.sh
# 2020-06-23
# this shows creating a Vault instance running integrated storage/raft,
# then adding a KV and taking a snapshot
# then kill the raft DB files to simulate a storage failure
# repeat new Vault instance, restore snapshot, unseal and auth with orig keys
# and read some data to show how backup/restore works

cat << EOF > ./vault_raft.hcl
ui=true
disable_mlock = true

## gist:46f17923c6e9402ceefa57db0c940f82
$ curl     --header "X-Vault-Token: $VAULT_TOKEN"     --request LIST     http://127.0.0.1:8200/v1/pki/certs
{"request_id":"de47662c-784a-86b7-a387-fb7d4997f929","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30","6b-0d-c3-94-c9-e1-20-d1-9a-eb-76-66-db-3d-8a-37-23-75-dc-1b"]},"wrap_info":null,"warnings":null,"auth":null}
$ curl --header "X-Vault-Token: $VAULT_TOKEN" http://127.0.0.1:8200/v1/pki/cert/22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30
{"request_id":"7eb822aa-4a88-fc32-7cf3-86d4a5b3f0f6","lease_id":"","renewable":false,"lease_duration":0,"data":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDpjCCAo6gAwIBAgIUItD3L/bBJsosfPrXY6wrqX06iTAwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjAwMzEzMTQzNzMxWhcNMjUw\nMzEyMTQzODAxWjAtMSswKQYDVQQDEyJleGFtcGxlLmNvbSBJbnRlcm1lZGlhdGUg\nQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1veq6qgz\nX8X7efKNQLF7BzTKd5iFm7MypSZTpfd6kunUSKCrLoIPH+oNTUbxXLsGXPxsKvSt

## gist:998649766cd7b4e6ffefa48badc1e946
$ curl     --header "X-Vault-Token: $VAULT_TOKEN"     --request LIST     http://127.0.0.1:8200/v1/pki/certs
{"request_id":"de47662c-784a-86b7-a387-fb7d4997f929","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30","6b-0d-c3-94-c9-e1-20-d1-9a-eb-76-66-db-3d-8a-37-23-75-dc-1b"]},"wrap_info":null,"warnings":null,"auth":null}
$ curl --header "X-Vault-Token: $VAULT_TOKEN" http://127.0.0.1:8200/v1/pki/cert/22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30
{"request_id":"7eb822aa-4a88-fc32-7cf3-86d4a5b3f0f6","lease_id":"","renewable":false,"lease_duration":0,"data":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDpjCCAo6gAwIBAgIUItD3L/bBJsosfPrXY6wrqX06iTAwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjAwMzEzMTQzNzMxWhcNMjUw\nMzEyMTQzODAxWjAtMSswKQYDVQQDEyJleGFtcGxlLmNvbSBJbnRlcm1lZGlhdGUg\nQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1veq6qgz\nX8X7efKNQLF7BzTKd5iFm7MypSZTpfd6kunUSKCrLoIPH+oNTUbxXLsGXPxsKvSt

## gist:ec2a722f3bb7c8614c277958a759b420
createSnapshot, err := blockBlobURL.CreateSnapshot(ctx, azblob.Metadata{}, azblob.BlobAccessConditions{})
	if err == nil {
		createSnapshot.Snapshot()
		snapshot := createSnapshot.Snapshot()
		snapshotBlobURL := blockBlobURL.WithSnapshot(snapshot)
		l.logger.Printf("Created Azure Blob Snapshot - %s", snapshotBlobURL)
	} else {
		l.logger.Printf("Attempt to create blob snapshot failed - %s - Skipping", err)
	}

## gist:109a77ccff3187dc0deb85a0e3f3ad89
Vagrant.require_version ">= 2.0.0"

Vagrant.configure("2") do |config|

  config.vm.define "statsbox", autostart: true do |statsbox|
    statsbox.vm.box = "bento/ubuntu-16.04"
    statsbox.vm.provider "virtualbox" do |vb|
      vb.linked_clone = true
      vb.memory = "1024"
    end

## pub_key.pp

  file { '/home/psouter/.ssh':
    ensure =>  directory,
    owner  =>  'psouter',
    group  =>  'psouter',
    mode   =>  '0700',
  }
  -> ssh_authorized_key { 'hashicorp-laptop-key@homedir':
    ensure => present,
    user   => 'psouter',

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                petems
                / keybase.md
            
            
              Created
              February 19, 2018 10:09
            
              
                keybase.md
              
          
    Keybase proof

I hereby claim:

I am petems on github.
I am petersouter (https://keybase.io/petersouter) on keybase.
I have a public key whose fingerprint is 0CAF 42ED EB4E 16B4 243F  8148 AE3A 33F6 B70C 5AFD

To claim this, I am signing this object:

  
## catalina.json

{
  "servers": [
    {
      "host": "foo",
      "port": "9010",
      "alias": "catalina.java",
      "queries": [
        {
          "obj": "java.lang:type=ClassLoading",
	* error performing token check: failed to persist lease entry: cannot write to readonly storage (retry attempt 1 after "250ms")

	Fixed in Vault Enterprise 1.5.4

	Changelog entry:

	> replication (enterprise): Improve race condition when using a newly created token on a performance standby node"
	"production" = {
	"host" = "cool.example.com"
	"password" = "xPYmDlsYDQKCbcaY3Xa68-SwdM-wYkHnNYn_ARiYbWRon2UNuzw6RG5DAZjO0Dmz6O-iMVIjX-hWc1ihT3WX"
	"port" = 22
	"user" = "bob"
	}
	# 2020-06-23
	# this shows creating a Vault instance running integrated storage/raft,
	# then adding a KV and taking a snapshot
	# then kill the raft DB files to simulate a storage failure
	# repeat new Vault instance, restore snapshot, unseal and auth with orig keys
	# and read some data to show how backup/restore works

	cat << EOF > ./vault_raft.hcl
	ui=true
	disable_mlock = true
	$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request LIST http://127.0.0.1:8200/v1/pki/certs
	{"request_id":"de47662c-784a-86b7-a387-fb7d4997f929","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30","6b-0d-c3-94-c9-e1-20-d1-9a-eb-76-66-db-3d-8a-37-23-75-dc-1b"]},"wrap_info":null,"warnings":null,"auth":null}
	$ curl --header "X-Vault-Token: $VAULT_TOKEN" http://127.0.0.1:8200/v1/pki/cert/22-d0-f7-2f-f6-c1-26-ca-2c-7c-fa-d7-63-ac-2b-a9-7d-3a-89-30
	{"request_id":"7eb822aa-4a88-fc32-7cf3-86d4a5b3f0f6","lease_id":"","renewable":false,"lease_duration":0,"data":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDpjCCAo6gAwIBAgIUItD3L/bBJsosfPrXY6wrqX06iTAwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjAwMzEzMTQzNzMxWhcNMjUw\nMzEyMTQzODAxWjAtMSswKQYDVQQDEyJleGFtcGxlLmNvbSBJbnRlcm1lZGlhdGUg\nQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1veq6qgz\nX8X7efKNQLF7BzTKd5iFm7MypSZTpfd6kunUSKCrLoIPH+oNTUbxXLsGXPxsKvSt
	createSnapshot, err := blockBlobURL.CreateSnapshot(ctx, azblob.Metadata{}, azblob.BlobAccessConditions{})
	if err == nil {
	createSnapshot.Snapshot()
	snapshot := createSnapshot.Snapshot()
	snapshotBlobURL := blockBlobURL.WithSnapshot(snapshot)
	l.logger.Printf("Created Azure Blob Snapshot - %s", snapshotBlobURL)
	} else {
	l.logger.Printf("Attempt to create blob snapshot failed - %s - Skipping", err)
	}
	Vagrant.require_version ">= 2.0.0"

	Vagrant.configure("2") do \|config\|

	config.vm.define "statsbox", autostart: true do \|statsbox\|
	statsbox.vm.box = "bento/ubuntu-16.04"
	statsbox.vm.provider "virtualbox" do \|vb\|
	vb.linked_clone = true
	vb.memory = "1024"
	end

	file { '/home/psouter/.ssh':
	ensure => directory,
	owner => 'psouter',
	group => 'psouter',
	mode => '0700',
	}
	-> ssh_authorized_key { 'hashicorp-laptop-key@homedir':
	ensure => present,
	user => 'psouter',

	{
	"servers": [
	{
	"host": "foo",
	"port": "9010",
	"alias": "catalina.java",
	"queries": [
	{
	"obj": "java.lang:type=ClassLoading",