Error restoring Vault backup

poleary · June 13, 2022, 4:05pm

Hello, I am attempting to restore a vault backup snap file to a newly created vault instance to validate the backup files are intact and working as expected.

I am running into an issue where the manually create snap file will not restore over a fresh vault instance.

Details:
Vault Validation instance info:
Key Value

Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.6.2
Storage Type raft

Vault Backup source instance:
/ $ vault status
Key Value

Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 5
Threshold 3
Version 1.6.2
Storage Type raft

All vault instances run on k8s 1.19.15 infrastructure. One note, we use auto unseal for our clusters that are generating the backups. I am not sure if this would cause an issue with a fresh basic cluster used to validate the snap file.

When I copy the snap file generated using the following command:

vault operator raft snapshot save vault-snapshot-date +%F.snap

to the fresh vault instance and attempt a restore with this command:

vault operator raft snapshot restore -force vault-snapshot-2022-06-08.snap

I get the following error in vault:

Error installing the snapshot: Error making API request.

URL: POST https://127.0.0.1:8200/v1/sys/storage/raft/snapshot-force
Code: 500. Errors:

1 error occurred:
- failed to read snapshot file: failed to read or write snapshot data: unexpected EOF

Of note, I am able to restore a much older snap file created prior to us moving to an auto unseal TSE model.

I am wondering is there is a way to test the snap file being created and what would likely cause the error seen above.

All k8s nodes run on CentOS7, kubelet 1.19.15, docker.

maxb · June 13, 2022, 4:13pm

Are you restoring the snapshot to the active cluster node? I have reported a bug, that misleading errors happen if you attempt snapshot operations on a follower node: `vault operator raft snapshot save` and `restore` fail to handle redirection to the active node · Issue #15258 · hashicorp/vault · GitHub

You have mentioned that your source cluster uses auto-unseal. This means the cluster where you restore a backup must also be configured with access to the same auto-unseal key.

poleary · June 13, 2022, 4:18pm

the node is the active node attempting to do the restore. HA mode is active for the node.

OK, so if I understand, using auto-unsealed backups would require the fresh instance to also access the TSE from the original cluster.

Is there a process for this type of restoration? Would I simply need to migrate the new fresh instance over to the TSE and then attempt a restore of the snap file? Any help on the process to restore and auto-unsealed backup would be very much appreciated. I think the basic backup/restore docs do not deal with this.

maxb · June 13, 2022, 4:29pm

What’s TSE?

I’m not familiar with that acronym.

poleary · June 13, 2022, 4:30pm

shoot, I am sorry transit secret engine, might be an inhouse term for the auto unseal instance.

maxb · June 13, 2022, 4:34pm

Yes, you would need to migrate to (or just destroy the temporary cluster and start afresh using) the production auto unseal method, to make restoring the snapshot work.

poleary · June 13, 2022, 4:41pm

Thank you, i will give that a try. Appreciate your time and responses.

Topic		Replies	Views
Vault unseal issue: "raft is already initialized" Vault k8s , raft , vault	5	570	January 29, 2024
Raft storage snapshot no longer works if transit token is changed Vault	5	1258	December 8, 2021
How to restore raft snapshot (from a vault with AWS KMS auto-unseal) on a fresh vault server Vault	4	1094	August 11, 2022
Raft snapshot restore issue Vault	6	1445	May 17, 2022
Performing restore from snapshot invalidates existing auto-unseal recovery keys Vault	2	299	June 22, 2023

Error restoring Vault backup

Related topics