Commit graph

197 commits

Author SHA1 Message Date
Jeff Mitchell 56940c282b Force dev on when dev-ha is on 2016-08-19 08:29:34 -04:00
Jeff Mitchell 62c69f8e19 Provide base64 keys in addition to hex encoded. (#1734)
* Provide base64 keys in addition to hex encoded.

Accept these at unseal/rekey time.

Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell 37320f8798 Request forwarding (#1721)
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell 6ffefb649d Close the shutdown channel instead of sending a value down 2016-08-01 11:58:45 -04:00
vishalnayak 05b8ce8348 Address review feedback 2016-08-01 11:15:25 -04:00
vishalnayak 5ed10f4074 Make the defer statement of waitgroup to execute last 2016-08-01 10:24:27 -04:00
vishalnayak ea2e677f02 Sharing shutdown message with physical consul backend 2016-07-31 10:09:16 -04:00
vishalnayak a8b4fc0d3c Add waitgroup wait to allow physical consul to deregister checks 2016-07-30 13:17:29 -04:00
vishalnayak a3e6400697 Remove global name/id. Make only cluster name configurable. 2016-07-26 10:01:35 -04:00
vishalnayak c7dabe4def Storing local and global cluster name/id to storage and returning them in health status 2016-07-26 02:32:42 -04:00
matt maier 6519c224ac Circonus integration for telemetry metrics 2016-07-22 15:49:23 -04:00
Jeff Mitchell a3ce0dcb0c Turn off DynamoDB HA by default.
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
Bill Monkman de8477244e #1486 : Fixed sealed and leader checks for consul backend 2016-06-03 16:00:31 -07:00
Jeff Mitchell 0d9ea2a1a1 Initial Atlas listener implementation 2016-06-02 14:05:47 -04:00
vishalnayak c197414b3b Prioritize dev flags over its env vars 2016-06-01 12:21:29 -04:00
Jeff Mitchell 885cc73b2e Merge branch 'master-oss' into f-vault-service 2016-05-04 17:20:00 -04:00
Jeff Mitchell 2bbb39f4af Properly handle sigint/hup 2016-05-03 14:30:58 -04:00
Jeff Mitchell 749b60d57d Ensure seal finalizing happens even when using verify-only 2016-04-28 14:06:05 -04:00
Sean Chittenden 0b72906fc3 Change the interface of ServiceDiscovery
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
Sean Chittenden aeea7628d6 Add a *log.Logger argument to physical.Factory
Logging in the backend is a good thing.  This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Sean Chittenden f5183fa506 Collapse UpdateAdvertiseAddr() into RunServiceDiscovery() 2016-04-25 18:01:13 -07:00
Sean Chittenden 60006f550f Various refactoring to clean up code organization
Brought to you by: Dept of 2nd thoughts before pushing enter on `git push`
2016-04-25 18:01:13 -07:00
Sean Chittenden 6b2c83564e Teach Vault how to register with Consul
Vault will now register itself with Consul.  The active node can be found using `active.vault.service.consul`.  All standby vaults are available via `standby.vault.service.consul`.  All unsealed vaults are considered healthy and available via `vault.service.consul`.  Change in status and registration is event driven and should happen at the speed of a write to Consul (~network RTT + ~1x fsync(2)).

Healthy/active:

```
curl -X GET 'http://127.0.0.1:8500/v1/health/service/vault?pretty' && echo;
[
    {
        "Node": {
            "Node": "vm1",
            "Address": "127.0.0.1",
            "TaggedAddresses": {
                "wan": "127.0.0.1"
            },
            "CreateIndex": 3,
            "ModifyIndex": 20
        },
        "Service": {
            "ID": "vault:127.0.0.1:8200",
            "Service": "vault",
            "Tags": [
                "active"
            ],
            "Address": "127.0.0.1",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm1",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm1",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.1:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```

Healthy/standby:

```
[snip]
        "Service": {
            "ID": "vault:127.0.0.2:8200",
            "Service": "vault",
            "Tags": [
                "standby"
            ],
            "Address": "127.0.0.2",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```

Sealed:

```
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "critical",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "Vault Sealed",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 38
            }
        ]
```
2016-04-25 18:01:13 -07:00
Sean Chittenden 230b59f34c Stub out service discovery functionality
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Sean Chittenden 0c23acb818 Comment nits 2016-04-25 18:00:54 -07:00
Sean Chittenden 069d9cf021 Fix SIGINT handling.
No signal handler was setup to receive SIGINT.  I didn't investigate to
see if signal(2) mask was setup (ala `SIG_IGN`) or if sigprocmask(2) is
being used, but in either case, the correct behavior is to capture and
treat SIGINT the same as SIGTERM.  At some point in the future these two
signals may affect the running process differently, but we will clarify
that difference in the future.
2016-04-15 10:03:22 -07:00
Jeff Mitchell 119238149b Add Finalize method to seal. 2016-04-14 20:37:34 +00:00
Jeff Mitchell a4ff72841e Check for seal status when initing and change logic order to avoid defer 2016-04-14 01:13:59 +00:00
Sean Chittenden 58846f8eac Reinstall the mlockall(2) command
Requested by: jefferai
2016-04-05 13:58:26 -07:00
Sean Chittenden 47c3202811 Unconditionally warn on systems w/o mlock support
If someone begins using Vault on Windows in dev mode, always hint so that this isn't a surprise when they get to production.
2016-04-05 12:32:53 -07:00
Jeff Mitchell 9102b994aa Sync some seal stuff 2016-04-04 13:46:33 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
Jeff Mitchell b0888e8af1 Remove config from Meta; it's only used right now with the token helper. 2016-04-01 16:02:18 -04:00
Jeff Mitchell a137081241 Move token helper out of meta 2016-04-01 14:23:15 -04:00
Jeff Mitchell 133d9c1008 Move meta into its own package 2016-04-01 13:16:05 -04:00
Jeff Mitchell 1be69ae235 Sort infokeys on startup and add more padding 2016-03-30 12:31:47 -04:00
Pradeep Chhetri 6d7cbc890d Fix Typo 2016-03-18 14:06:49 +00:00
Jeff Mitchell 0e3764832a Add test for listener reloading, and update website docs. 2016-03-14 14:05:47 -04:00
Jeff Mitchell b3218d26d6 Properly scope config objects for reloading 2016-03-14 11:18:02 -04:00
Jeff Mitchell 84af6ec8ac Don't generate an ID; use address for the ID. Generally speaking we'll need to sane against what's in the config 2016-03-11 17:28:03 -05:00
Jeff Mitchell 9ce1be3b00 For not shutdown triggered... 2016-03-11 17:01:26 -05:00
Jeff Mitchell d75ce9de9b Retool to have reloading logic run in command/server 2016-03-11 16:47:03 -05:00
Jeff Mitchell baf0763b3c Add reload capability for Vault listener certs. No tests (other than
manual) yet, and no documentation yet.
2016-03-11 14:05:52 -05:00
Jeff Mitchell 0998e1cdf9 Update help text exporting dev mode listen address.
Ping #1160
2016-03-03 18:10:14 -05:00
Jeff Mitchell 69c853fd2f Add the ability to specify dev mode address via CLI flag and envvar.
Fixes #1160
2016-03-03 10:48:52 -05:00
Jeff Mitchell 750b33c51b Add ability to control dev root token id with
VAULT_DEV_ROOT_TOKEN_ID env var, and change the CLI flag to match.

Ping #1160
2016-03-03 10:24:44 -05:00
Jeff Mitchell 8011148fb5 Allow specifying an initial root token ID in dev mode.
Ping #1160
2016-03-02 12:03:26 -05:00
Ryan Hileman 1e65c4a01f don't panic when config directory is empty 2016-02-12 16:40:19 -08:00
Jeff Mitchell 7e0d4bef3e Add test for HA availability to command/server 2016-02-02 17:47:02 -05:00
Jeff Mitchell a2bb51e7de remove unneeded assignment 2016-02-02 15:11:35 -05:00
Jeff Mitchell a5bf677bb3 Ensure that we fall back to Backend if HABackend is not specified. 2016-02-02 15:09:58 -05:00
James Tancock 5d7537ff85 Docs typo in server command 2016-01-28 08:26:49 +00:00
Jeff Mitchell c642feebe2 Remove some outdated comments 2015-12-30 21:00:27 -05:00
Wim e8e492f574 Fix ipv6 address advertisement 2015-12-22 21:40:36 +01:00
Jeff Mitchell 5017907785 Move telemetry metrics up to fix one possible race, but deeper problems in go-metrics can't be solved with this 2015-12-17 16:38:17 -05:00
Jeff Mitchell db7a2083bf Allow setting the advertise address via an environment variable.
Fixes #581
2015-12-14 21:22:55 -05:00
Jeff Mitchell 1e653442cd Ensure advertise address detection runs without a specified HA backend
Ping #840
2015-12-14 21:13:27 -05:00
Jeff Mitchell 7ce8aff906 Address review feedback 2015-12-14 17:58:30 -05:00
Jeff Mitchell ced0835574 Allow separate HA physical backend.
With no separate backend specified, HA will be attempted on the normal
physical backend.

Fixes #395.
2015-12-14 07:59:58 -05:00
Jeff Mitchell 75f1c1e40c Print version on startup.
Fixes #765
2015-11-09 13:52:55 -05:00
Jeff Mitchell 7b25204a19 Fix cache disabling 2015-10-28 13:05:56 -04:00
voutasaurus 1da78942e8 Modifies documentation in output of vault server -dev
Environment variable setting is different in windows
2015-10-22 00:48:46 -07:00
hendrenj 0532682816 improve documentation for available log levels 2015-09-16 11:01:33 -06:00
Jeff Mitchell 3f45f3f41b Rename config lease_duration parameters to lease_ttl in line with current standardization efforts 2015-08-27 07:50:24 -07:00
Karl Gutwin 4bad987e58 PR review updates 2015-07-30 13:21:41 -04:00
Karl Gutwin 151ec72d00 Add configuration options for default lease duration and max lease duration. 2015-07-30 09:42:49 -04:00
Nate Brown 0ec0b41aa3 Telemetry object in config 2015-07-14 15:36:28 -07:00
Nate Brown d2c048d870 Disable hostname prefix for runtime telemetry 2015-07-13 13:17:57 -07:00
Armon Dadgar 7394c7bd8d command/server: fixing output weirdness 2015-06-18 13:48:18 -07:00
Armon Dadgar 6bc2b06de4 server: graceful shutdown for fast failover. Fixes #308 2015-06-17 18:24:56 -07:00
Seth Vargo 3a0e19cb4e Merge pull request #270 from sheldonh/no_export_vault_token
Don't recommend exporting VAULT_TOKEN
2015-06-01 11:52:40 -04:00
Steven De Coeyer 8155b3927e Add help info for -dev flag 2015-05-31 18:05:15 +02:00
Sheldon Hearn 6cda28f9e7 Don't recommend exporting VAULT_TOKEN
It's not needed by the dev server (which writes ~/.vault-token),
and breaks the Getting Started guide (e.g. #267).
2015-05-28 14:39:35 +02:00
Armon Dadgar a3ddd9ddb2 server: Minor copy change 2015-05-20 17:49:16 -07:00
David Wittman b04332f8fc Fail gracefully if a phys backend is not supplied 2015-05-18 22:55:12 -05:00
Seth Vargo 88d5d6a4c8 Use strconv.ParseBool 2015-05-15 16:41:30 -04:00
Seth Vargo a2831b0144 Explicitly check if tls_disable == 1 2015-05-15 16:39:30 -04:00
Seth Vargo bbddaff5c9 Make the VAULT_TOKEN and VAULT_ADDR copy-pastable in dev mode
This allows someone to quickly start a dev mode server and hit the ground
running without the need to copy-paste twice.
2015-05-07 18:32:40 -04:00
Armon Dadgar c76b59812e command/server: Attempt advertise address detection 2015-05-02 15:57:40 -07:00
Mitchell Hashimoto d29ada47eb command/server: disable mlock in dev mode 2015-04-28 15:11:39 -07:00
Mitchell Hashimoto 006d4fccfd command/server: allow disabling mlock 2015-04-28 15:09:30 -07:00
Mitchell Hashimoto 6898c60292 command/server: warning if no mlock 2015-04-28 15:04:40 -07:00
Matt Haggard 1346040c86 Update server.go
Did you mean "talking?"  Or something else?
2015-04-28 14:01:45 -06:00
Armon Dadgar ff352c32fe command/server: Catch error from core initialization. Fixes #42 2015-04-27 21:29:40 -07:00
Mitchell Hashimoto ee254a332e command/server: can set advertise addr 2015-04-17 12:56:31 -07:00
Mitchell Hashimoto 44b634c0d5 command/server: not HA possibilities when starting 2015-04-17 12:56:31 -07:00
Armon Dadgar f04d33b170 command/server: Enable telemetry. cc: @mitchellh 2015-04-14 18:44:09 -07:00
Mitchell Hashimoto 169666972a command/server: env var for dev mode 2015-04-06 10:28:17 -07:00
Mitchell Hashimoto 8bfa12297d builtin/audit: add file audit 2015-04-04 18:10:25 -07:00
Mitchell Hashimoto 929931175c command/server: log levels 2015-04-04 12:11:10 -07:00
Mitchell Hashimoto afc71d2a7b command/server: cleaner output 2015-04-04 12:06:41 -07:00
Mitchell Hashimoto cee51ddde9 command/server: support CredentialBackends 2015-04-01 15:48:13 -07:00
Mitchell Hashimoto 19283eb5f7 command/server: dev mode 2015-03-31 16:44:47 -07:00
Mitchell Hashimoto 86a6062ba2 main: enable AWS backend 2015-03-20 19:32:18 +01:00
Mitchell Hashimoto f71f29b801 command/server: initial working 2015-03-13 12:53:08 -07:00
Mitchell Hashimoto 86c7a4c155 command/server: load config from flags 2015-03-12 15:30:07 -07:00
Mitchell Hashimoto d88c20e293 command/server: add config loading 2015-03-12 15:21:11 -07:00