Vault.db permission denied while starting vault

Hi ,

I have a Vault Instance with backend storage as a raft. Previously, it was file storage backend, but I have migrated to raft recently and the migration is happening only with sudo.

Now, I am trying to diagnose the vault server and can’t do it without the Sudo command. I thought that there was some problem with file permissions. I have changed all the vault files and directories to the user running vault, which is ubuntu. While starting the server, it’s showing

vault[166870]: Error initializing storage of type raft: failed to create fsm: failed to open bolt file: error checking raft FSM db file "/opt/vault/raft/vault.db": stat /opt/vault/raft/vault.db: permission denied

As per the documentation,

By default, Vault expects the config directory and files to be owned by the user running Vault. It also expects no write or execute permissions for group or others.

So, I have owned the files and directories to ubuntu and set the 700 for directories and 600 for files. Can someone help with this?

ls -l /opt/vault/raft

image763×80 3.28 KB

I have also modified the service file.

ls -l /opt/vault/

image734×95 3.32 KB

You are apparently starting Vault under systemd with various options restricting what it can do on the filesystem.

However you’ve only shown a screenshot of what looks like part of your systemd unit file.

• Show your entire systemd unit using systemctl cat vault
• Show a full recursive permission listing from namei -l /opt/vault/raft/vault.db
• Try launching the Vault server manually from a shell, as the ubuntu user, i.e. vault server -config=... to test whether systemd is or is not the source of the problem

I have figured out the problem. The service file isn’t reflecting the changes I have made, which making the vault still run as vault user. It’s working now after making changes in the right way. sudo systemctl edit --full <file>. Thanks for the response.