Automated snapshots - mkdir raft-backup: permission denied"


according to Vault HA Cluster with Integrated Storage | Vault - HashiCorp Learn we tried to setup an automated backup (vault 1.6.1):

[renner@server ~]$ vault write sys/storage/raft/snapshot-auto/config/daily interval="30s" retain=30      path_prefix="raft-backup" storage_type="local" local_max_space=1073741824

[renner@server ~]$ vault read sys/storage/raft/snapshot-auto/config/daily
Key                Value
---                -----
file_prefix        vault-snapshot
interval           30
local_max_space    1073741824
path_prefix        raft-backup
retain             30
storage_type       local

But now we don’t know where vault wants to write the snapshot files. We see …

[root@server vault]# systemctl status vault
 vault.service - "HashiCorp Vault - A tool for managing secrets"
   Loaded: loaded (/usr/lib/systemd/system/vault.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-03-11 11:13:51 CET; 2 weeks 4 days ago
 Main PID: 17127 (vault)
   CGroup: /system.slice/vault.service
           └─17127 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

Mar 29 14:09:32 server vault[17127]: 2021-03-29T14:09:32.974+0200 [ERROR] core.snapshotmgr.daily: snapshot failure: name=daily error="failed to create "raft-backup": mkdir raft-backup: permission denied"
Mar 29 14:09:32 server vault[17127]: 2021-03-29T14:09:32.980+0200 [INFO]  core.snapshotmgr.daily: taking auto snapshot

Even with a litte help from strace we can not find out in which directory this raft-backup may be created.

Thanks in advance for every hint.

Hi @MichaelRenner,

I suggest you provide a fully-qualified path_prefix. Probably Vault should return an error if the user provides a path_prefix that doesn’t start with a / (or whatever the path separator is on the local OS) when storage_type=local.

Moin @ncabatoff ,

thanks for this hint. It’s working like a charm.