From 7549070cfae4a3e1c8e2229b47d79eeb335c4325 Mon Sep 17 00:00:00 2001
From: Brian Kassouf
Date: Tue, 21 Jul 2020 10:59:07 -0700
Subject: [PATCH] raft: Fix some snapshot restore issues (#9533)

* raft: Remove double read lock
* Reload TLS keyring after reloading the barrier keys
---
 physical/raft/raft.go | 2 --
 vault/raft.go | 12 ++++++------
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/physical/raft/raft.go b/physical/raft/raft.go
index d5fc5cf177..a3277c79ab 100644
--- a/physical/raft/raft.go
+++ b/physical/raft/raft.go
@@ -956,9 +956,7 @@ func (b *RaftBackend) RestoreSnapshot(ctx context.Context, metadata raft.Snapsho
 },
 }

- b.l.RLock()
 err := b.applyLog(ctx, command)
- b.l.RUnlock()

 // Do a best-effort attempt to let the standbys apply the restoreCallbackOp
 // before we continue.
diff --git a/vault/raft.go b/vault/raft.go
index efa05b7ac4..cd3bee3aee 100644
--- a/vault/raft.go
+++ b/vault/raft.go
@@ -632,12 +632,6 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co
 // Purge the cache so we make sure we are operating on fresh data
 c.physicalCache.Purge(ctx)

- // Refresh the raft TLS keys
- if err := c.checkRaftTLSKeyUpgrades(ctx); err != nil {
- c.logger.Info("failed to perform TLS key upgrades, sealing", "error", err)
- return err
- }
-
 // Reload the keyring in case it changed. If this fails it's likely
 // we've changed master keys.
 err := c.performKeyUpgrades(ctx)
@@ -675,6 +669,12 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co
 }
 }

+ // Refresh the raft TLS keys
+ if err := c.checkRaftTLSKeyUpgrades(ctx); err != nil {
+ c.logger.Info("failed to perform TLS key upgrades, sealing", "error", err)
+ return err
+ }
+
 return nil
 }
 }
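Review bot: The block re-added at the end of the restore callback (last vault/raft.go hunk) keeps the bare comment `// Refresh the raft TLS keys`, so nothing in the code records that this call now has to run after `performKeyUpgrades`; going by the commit message that ordering is the fix itself, and a later tidy-up could move the call back. I would extend the comment to something like `// Refresh the raft TLS keys. Must run after the barrier keyring reload above, because the restored snapshot may carry different barrier keys.` The failure path also logs at `Info` while its message says "sealing"; a node that cannot refresh its cluster TLS keys after a restore is something operators will want to alert on, so `c.logger.Error(...)` would fit better, assuming the caller really does seal on this error (not visible here). The callback body between the two vault/raft.go hunks is outside the diff, so whether any path returns nil before reaching this block cannot be checked from this page.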