Comments (5)
Update: The "task running too long" error message in the VGM error log is incorrect (maybe a cut-and-paste issue), but the real error is returned in the JSON body of the /token request. We're seeing this:
Response from VGM: {"status":"Unsealed","ok":false,"error":"400: permission denied"}
And in the Vault logs a second or two before, this:
2016/10/20 21:05:07 [INFO] expire: revoked 'auth/token/create/7e416e9759a9a353685eccf099b9b33375bcd4fe'
EDIT:
One more thing. We're running two VGM instances for HA. One of them (the one that is handing out tokens successfully) has this in the logs every hour:
2016/10/20 20:44:54 Renewing token with ttl of 1h0m0s.
2016/10/20 20:44:54 Renewed token with ttl of 1h0m0s.
But the one that is returning errors has token renewals for the first 2 hours of running, but then they stop, and exactly one hour after the last token renewal the errors start showing up.
from vault-gatekeeper.
My initial guess is the token you provided to vault doesn't have the right permissions in order to create tokens. Are you providing the same token to both instances? I'm not 100% sure, but it could be that a renewal on one machine is invalidating the token on another. (Sorry for the slow response)
from vault-gatekeeper.
We've been running it in our environment with just one VGM instance (to rule out the very scenario that you mentioned). Just a few minutes ago, I saw this error in the VGM log:
2016/10/25 19:57:39 Failed to lookup token. Not starting renewal watcher. Error: Get https://vault-sandbox.XXX.com/v1/auth/token/lookup-self: dial tcp: i/o timeout
I haven't seen that every time, but I'm wondering if there's some sort of issue with our networking environment.
Having said that, do you think it would be worth sealing the VGM instance in a case like this, since not restarting the renewal watcher will guarantee an unusable instance?
from vault-gatekeeper.
That would make sense. If I have this right:
- We try to renew a token
- It fails due to a network error
- We miss the window for renewing the token
- We should seal the instance here as the token could not be renewed.
from vault-gatekeeper.
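The sequence listed above (attempt renewal, tolerate a transient failure, seal once the renewal window is missed) as a small worked example. This is added illustration code, not vault-gatekeeper's own implementation: the `Watcher` type, the `RenewFunc` signature and the constructed timeline in `main` are assumptions made for the example. The point it demonstrates is that a renewal failure alone should not seal the instance (the token is still valid until its TTL runs out and the next tick can retry), but once the expiry passes without a successful renewal the instance seals itself rather than keep answering /token with a dead credential.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RenewFunc asks Vault to renew the gatekeeper's own token and returns the
// TTL granted, or an error (network timeout, revoked token, ...).
// Hypothetical signature for this example; not vault-gatekeeper's API.
type RenewFunc func() (time.Duration, error)

// Watcher tracks when the current token expires and seals the instance
// once a renewal window has been missed.
type Watcher struct {
	Sealed     bool
	SealReason error
	Expiry     time.Time
	renew      RenewFunc
}

// NewWatcher starts from a token that is valid for initialTTL from now.
func NewWatcher(initialTTL time.Duration, now time.Time, renew RenewFunc) *Watcher {
	return &Watcher{Expiry: now.Add(initialTTL), renew: renew}
}

// Tick performs one renewal attempt at time now.
//   - If the token has already expired, the instance is sealed and stays sealed.
//   - If renewal fails while the token is still valid, the error is returned
//     so the caller retries on the next tick instead of giving up.
//   - On success, the expiry moves forward by the granted TTL.
func (w *Watcher) Tick(now time.Time) error {
	if w.Sealed {
		return w.SealReason
	}
	if !now.Before(w.Expiry) {
		w.Sealed = true
		w.SealReason = fmt.Errorf("sealed: token expired at %s before it could be renewed",
			w.Expiry.UTC().Format(time.RFC3339))
		return w.SealReason
	}
	ttl, err := w.renew()
	if err != nil {
		// Transient failure: keep serving until the TTL runs out, retry next tick.
		return fmt.Errorf("renewal failed (token still valid until %s): %w",
			w.Expiry.UTC().Format(time.RFC3339), err)
	}
	w.Expiry = now.Add(ttl)
	return nil
}

func main() {
	// Constructed scenario mirroring the thread: two renewals succeed, then
	// every attempt times out until the token lapses and the watcher seals.
	start := time.Date(2016, 10, 20, 20, 0, 0, 0, time.UTC)
	attempts := 0
	renew := func() (time.Duration, error) {
		attempts++
		if attempts <= 2 {
			return time.Hour, nil
		}
		return 0, errors.New("dial tcp: i/o timeout")
	}
	w := NewWatcher(time.Hour, start, renew)
	for i := 1; i <= 6; i++ {
		now := start.Add(time.Duration(i) * 30 * time.Minute)
		if err := w.Tick(now); err != nil {
			fmt.Printf("%s %v\n", now.Format(time.RFC3339), err)
		} else {
			fmt.Printf("%s renewed, valid until %s\n",
				now.Format(time.RFC3339), w.Expiry.Format(time.RFC3339))
		}
	}
	fmt.Println("sealed:", w.Sealed)
}
```

Checking the expiry before attempting the renewal, rather than only reacting to a failed call, also covers the case from earlier in the thread where the lookup-self request times out and no watcher is started at all: whatever the cause, once the TTL has elapsed the instance reports itself sealed instead of returning permission-denied bodies from /token.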
That would be great.
from vault-gatekeeper.