Hi,
While initializing master keys in Vault, it gives "failed to initialize barrier: failed to persist keyring: mkdir /etc/vault.d/vault-data/core: read-only file system".
Is there a way to fix this issue, and how do I use "Encrypt root token with PGP"?
As the error says, the filesystem being used for /etc/vault.d/vault-data/core is in read-only mode. This is either on purpose (as per the details in /etc/fstab) or an indication of possible filesystem issues (on corruption errors, a filesystem will be switched to read-only to prevent further damage).
Either way, you need to resolve that: either make that mount read/write or choose a different (non-read-only) mount to store the Vault data.
Thanks Stuart for the reply. I have moved to a different location and applied chmod -R 777 to that folder; now I am getting "core: barrier reports initialized but no seal configuration found". Below is the vault.hcl I have, where I see the seal is missing. Can you please share the right seal configuration if you have it? I appreciate your help in advance.
If this is a new cluster with no data, then you have something in /usr/testvault/vault-data … remove the content, restart the server, and initialize it.
Thanks Aram. But if I delete the vault-data folder, after initialization it fails again: "failed to initialize barrier: failed to persist keyring: mkdir /usr/testvault/vault-data/core: read-only file system". When I create the folders and file, it repeats the same issue.
This is a new cluster with no data inside it.
I am seeing the same issue with a brand new install of Ubuntu 20.04.
This is our config file, and we fail with read-only filesystem errors (I have tested with standard permissions, and chown'd the filesystem to 1777 as well as root:root / vault:vault; no luck).
This is not in Google Cloud or AWS; this is in our own datacenter, and it is not a container. This is a virtual machine, and /usr/local/share is writable by all the other apps.
Mike never posted, but I will post here since I ended up here and didn't find the answer. It was very difficult to find, due to systemd having too many generic answers and due to "read-only file system" having too many hits from hardware issues (not even Copilot could help me):
The service directory for Vault, /etc/systemd/system/vault.service.d/, has a file called rwpaths.conf; by default it only contains /etc/vault.d/, so if you need to write to another directory, it needs to be specified in that file.
Furthermore, if that new directory happens to be owned by another user and Vault only has access via supplemental groups, then they need to be added to agent.conf:
SupplementaryGroups=OTHERGROUPS
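The following is an added example written for this thread; it is not code from any of the posters or from HashiCorp. It shows the two checks a practitioner wants before touching systemd: whether the mount itself is read-only (fstab or a filesystem error, as Stuart described) or whether only the unit sees it as read-only because of systemd sandboxing (ProtectSystem=full mounts /usr, /boot, /efi and /etc read-only for the service, which is why every path in this thread, /etc/vault.d, /usr/testvault and /usr/local/share, failed while other processes could write there). It then generates a drop-in for vault.service with ReadWritePaths= and, optionally, SupplementaryGroups=. Both keys are list-valued and additive across drop-ins, so the packaged rwpaths.conf keeps working. The drop-in file name 50-data-dir.conf and the SYSTEMD_DIR override (used so the script can be exercised without root) are my own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example: diagnose a "read-only file system" error from vault.service and
# generate the systemd drop-in that grants the unit write access to its data dir.
# Assumptions (not from the thread): drop-in name 50-data-dir.conf; SYSTEMD_DIR
# may be set to a scratch directory to render the drop-in without touching /etc.
set -eu

# Return 0 if PATH lives on a mount carrying the "ro" option (a genuinely
# read-only filesystem), 1 otherwise. findmnt walks up to the mount point.
mount_is_ro() {
  opts=$(findmnt -no OPTIONS --target "$1" 2>/dev/null) || return 1
  case ",$opts," in *,ro,*) return 0 ;; esac
  return 1
}

# Show whether the path is read-only for everyone (mount) or only inside the
# unit's sandbox (ProtectSystem= / ReadWritePaths= on vault.service).
diagnose() {
  if mount_is_ro "$1"; then
    echo "$1: mount is ro; check /etc/fstab and dmesg for filesystem errors"
  else
    echo "$1: mount is rw; sandbox settings on vault.service:"
    systemctl show vault.service -p ProtectSystem -p ReadWritePaths -p SupplementaryGroups
  fi
}

# Print a [Service] drop-in granting write access to DATA_DIR plus any extra
# groups given as further arguments. Rejects relative paths: systemd requires
# absolute paths in ReadWritePaths= and would otherwise ignore the line.
render_dropin() {
  data_dir=$1; shift
  case $data_dir in
    /*) ;;
    *) echo "render_dropin: $data_dir is not an absolute path" >&2; return 2 ;;
  esac
  printf '[Service]\nReadWritePaths=%s\n' "$data_dir"
  for g in "$@"; do
    printf 'SupplementaryGroups=%s\n' "$g"
  done
}

# Write the drop-in under SYSTEMD_DIR (default /etc/systemd/system), reload
# systemd only when writing to the real location, and print the file path.
install_dropin() {
  data_dir=$1; shift
  dir=${SYSTEMD_DIR:-/etc/systemd/system}/vault.service.d
  mkdir -p "$dir"
  render_dropin "$data_dir" "$@" > "$dir/50-data-dir.conf"
  if [ -z "${SYSTEMD_DIR:-}" ] && command -v systemctl >/dev/null 2>&1; then
    systemctl daemon-reload
  fi
  echo "$dir/50-data-dir.conf"
}

# Usage:  sh vault-rwpaths.sh diagnose /usr/testvault/vault-data
#         sh vault-rwpaths.sh install  /usr/testvault/vault-data [group ...]
case "${1:-}" in
  diagnose) diagnose "$2" ;;
  install)  shift; install_dropin "$@"; echo "now: systemctl restart vault" ;;
esac
```

The data directory must still exist and be writable by the vault user (or by one of the added groups) on the host; ReadWritePaths= only lifts the sandbox's read-only bind mount, it does not change Unix permissions, and it cannot help when the underlying mount is itself ro.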