Vault upgrade from 1.6.0 to 1.8.4 - check and set error

Vault
1

Hi everybody.
I tried to upgrade from 1.6.0 to 1.8.4 in a test server and I got an issue when I checked some basic functionalities.
O.S.: Centos7
HA = disabled
storage_type = file

Error

After the upgrade I tried to create a new secret inside an engine kv2. When I click on save it returns the error

“Error
check-and-set parameter did not match the current version”

When I click on cancel and return to the main folder the new secret is actually displayed.

The weird thing is that sometimes the error comes and other times it doesn’t.
The last time that I run some test It didn’t give me any error, but it bothers me to not know why something this could happen.

Steps to reproduce on a test server:

  • Download file vault_1.6.0_linux_amd64.zip
  • unzip vault_1.6.0_linux_amd64.zipin /usr/local/bin/
  • creation vault service and vault user
  • Create a vault conf file with the following config:

ui = true

storage "file" {
	path = "/mnt/vault"
}

listener "tcp" {
	address = "192.168.56.104:8200"
	tls_disable = 1
}
        
listener "tcp" {
	address = "127.0.0.1:8200"
	tls_disable = 1
}

Inizializate vault

  • Create a backup user and upload its policies.

  • Restore data from a production server (we have a python script that check the data from a production server and save them to a restore.sh file as command. Restore.sh is executed from cli and when executed it will restore data.

Until here no problem. I tested the restore and it works fine

Upgrade

  • stop vault service
  • download vault_1.8.4_linux_amd64.zip
  • unzip vault_1.8.4_linux_amd64.zip and move its content inside /usr/local/bin
  • start vault service

Login and try to create a new secret.

Any suggestions?

2

Why are you doing a restore? Just running Vault 1.8.4(5 is the latest) it should upgrade the integrated storage datastore.

3

I did a restore of the data from the production server into the test server. To replicate the same condition.
I’ll detail a little bit better in the main post. :wink:

4

Okay. If you’re using a simple file storage, just copy the file across, no need to backup/restore. Use file again in 1.8 and then when you’re happy with the upgrade you can migrate to integrated storage.

5

Thanks for your reply.
Just one more question. How this is related with the error displayed?

“Error
check-and-set parameter did not match the current version”
6

My guess is your backup script is not backing up or restoring the proper metadata for each of your secrets. Hence why I suggested copying the whole file, rather than using an unknown custom script.

1 Like
7

Aram, thank you.
The issue was caused by a bad policy.

Your intuition helped me to find the issue.