From a3ac49aa059472d1f2d7acf939ab66ad12df4bee Mon Sep 17 00:00:00 2001
From: Nick Cabatoff
Date: Fri, 9 Jul 2021 20:45:50 +0200
Subject: [PATCH] VAULT-2809: Tweak creation of vault.db file (#12034)
---
 changelog/12034.txt | 3 +++
 physical/raft/fsm.go | 16 +++++++++++++++-
 physical/raft/snapshot.go | 2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 changelog/12034.txt
diff --git a/changelog/12034.txt b/changelog/12034.txt
new file mode 100644
index 000000000..09f91f8d6
--- /dev/null
+++ b/changelog/12034.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+storage/raft: Tweak creation of vault.db file
+```
diff --git a/physical/raft/fsm.go b/physical/raft/fsm.go
index b1d548964..fb8eea228 100644
--- a/physical/raft/fsm.go
+++ b/physical/raft/fsm.go
@@ -6,6 +6,7 @@ import (
 "errors"
 "fmt"
 "io"
+ "os"
 "path/filepath"
 "strconv"
 "strings"
@@ -154,9 +155,22 @@ func (f *FSM) openDBFile(dbPath string) error {
 return errors.New("can not open empty filename")
 }
 
+ st, err := os.Stat(dbPath)
+ switch {
+ case err != nil && os.IsNotExist(err):
+ case err != nil:
+ return fmt.Errorf("error checking raft FSM db file %q: %v", dbPath, err)
+ default:
+ perms := st.Mode() & os.ModePerm
+ if perms&0o077 != 0 {
+ f.logger.Warn("raft FSM db file has wider permissions than needed",
+ "needed", os.FileMode(0o600), "existing", perms)
+ }
+ }
+
 freelistType, noFreelistSync := freelistOptions()
 start := time.Now()
- boltDB, err := bolt.Open(dbPath, 0o666, &bolt.Options{
+ boltDB, err := bolt.Open(dbPath, 0o600, &bolt.Options{
 Timeout: 1 * time.Second,
 FreelistType: freelistType,
 NoFreelistSync: noFreelistSync,
diff --git a/physical/raft/snapshot.go b/physical/raft/snapshot.go
index f1503cd41..529c84f26 100644
--- a/physical/raft/snapshot.go
+++ b/physical/raft/snapshot.go
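Review bot: In the `openDBFile` hunk of physical/raft/fsm.go, the `f.logger.Warn` call in the `default:` branch does not name the file it is complaining about, so the log entry is hard to act on; adding `"path", dbPath,` ahead of `"needed"` would fix that. The branch only warns: as far as I know bbolt passes the mode to the OS only when it creates the file, so a vault.db that already exists keeps its wider bits after this change. A comment such as `// bolt.Open's mode applies only on creation; an existing file is not tightened, so we can only warn` would record that this is deliberate. The stat failure path would keep the underlying error inspectable with `%w` in place of `%v` in `fmt.Errorf`. The function body starts before and continues after this hunk.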
@@ -330,7 +330,7 @@ func (s *BoltSnapshotSink) writeBoltDBFile() error {
 
 // Create the BoltDB file
 dbPath := filepath.Join(path, databaseFilename)
- boltDB, err := bolt.Open(dbPath, 0o666, &bolt.Options{Timeout: 1 * time.Second})
+ boltDB, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
 if err != nil {
 return err
 }
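Review bot: The literal `0o600` is now written out here in `writeBoltDBFile` and twice in physical/raft/fsm.go (the `bolt.Open` call and the `"needed"` value of the warning), so the creation mode and the permission check can drift apart. A single package-level constant used at all three sites would prevent that, for example `const dbFileMode os.FileMode = 0o600` (the name is only a suggestion). A short comment on it should say that the database file is meant to be readable and writable by the Vault process owner only. The directory `path` is created outside this hunk, so whether its mode is equally restrictive cannot be checked from here. The function starts before and continues after this hunk.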