Error creating database object: invalid database version

[Michal-Kucera]

Hello.

I'd love to use your plugin side by side with Redis in version 6-alpine, Vault in version 1.9.4 with Postgres as data storage, and spring-cloud-vault with Multiple Databases approach.

Yet, I've made it only until plugin initialization, which returns 400 HTTP error code and the following response:

michal@michal:~/code/monitoring/vault/plugin$  docker exec -it monitoring_vault_1 vault write database/config/transaction-service \
  plugin_name="redis-database-plugin" \
  host="redis" \
  port=6379 \
  username="redis" \
  password="changeit" \
  allowed_roles="transaction-service"
Error writing data to database/config/transaction-service: Error making API request.

URL: PUT http://vault:8200/v1/database/config/transaction-service
Code: 400. Errors:

* error creating database object: invalid database version: 2 errors occurred:
        * fork/exec /config/plugin/redis-database-plugin: no such file or directory
        * fork/exec /config/plugin/redis-database-plugin: no such file or directory

Vault docker log:

2022-03-24T15:39:32.705Z [INFO]  secrets.database.database_4ffbc22d.redis-database-plugin: configuring client automatic mTLS

The aforementioned file is accessible from my docker environment:

michal@michal:~/code/monitoring/vault/plugin$ docker exec -it monitoring_vault_1 ls -l /config/plugin/redis-database-plugin
-rwxrwxr-x    1 1000     vault     14686652 Mar 24 15:49 /config/plugin/redis-database-plugin

Thus I'm wondering if this is happening due to an issue on my side or perhaps this plugin is not compatible with either Vault 1.9.4 or Redis 6.

Cheers!
Michal

[fhitchen]

Hi Michal, What is your vault config setting for the plugin directory? What was your command to register the plugin? I just tried it out with vault 1.10 and I am seeing errors, but I think that is because my redis cluster is broken. I'll fix my cluster later and let you know. regards, Francis.

…

On Thu, Mar 24, 2022 at 11:57 AM Michal Kucera ***@***.***> wrote: Hello. I'd love to use your plugin side by side with Vault in version 1.9.4 <https://hub.docker.com/layers/vault/library/vault/1.9.4/images/sha256-2f69ca64144ed051fce5c56662275638018ccc8abdca36c081c7d8d13c6e5eef?context=explore> with Postgres as data storage, and spring-cloud-vault with Multiple Databases <https://docs.spring.io/spring-cloud-vault/docs/3.1.0/reference/html/#vault.config.backends.databases> approach. Yet, I've made it only until plugin initialization <https://github.com/fhitchen/vault-plugin-database-redis#standalone-redis-server>, which returns 400 HTTP error code and the following response: ***@***.***:~/code/monitoring/vault/plugin$ docker exec -it monitoring_vault_1 vault write database/config/transaction-service \ plugin_name="redis-database-plugin" \ host="redis" \ port=6379 \ username="redis" \ password="changeit" \ allowed_roles="transaction-service" Error writing data to database/config/transaction-service: Error making API request. URL: PUT http://vault:8200/v1/database/config/transaction-service Code: 400. Errors: * error creating database object: invalid database version: 2 errors occurred: * fork/exec /config/plugin/redis-database-plugin: no such file or directory * fork/exec /config/plugin/redis-database-plugin: no such file or directory The aforementioned file is accessible from my docker environment: ***@***.***:~/code/monitoring/vault/plugin$ docker exec -it monitoring_vault_1 ls -l /config/plugin/redis-database-plugin -rwxrwxr-x 1 1000 vault 14686652 Mar 24 15:49 /config/plugin/redis-database-plugin Thus I'm wondering if this is happening due to an issue on my side or perhaps this plugin is not compatible with Vault 1.9.4. Cheers! Michal — Reply to this email directly, view it on GitHub <https://github.com/fhitchen/vault-plugin-database-redis/issues/1>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABML24CFJLA7AK3HHJQEYPDVBSNF3ANCNFSM5RRWL7JA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[fhitchen]

Michal, Just to confirm, I got my redis cluster up and running and with the latest vault 1.10, it was able to initialize the plugin and write and read roles. Can you exec into the docker container and run # ldd /config/plugin/redis-database-plugin and see if there are any errors with symbols not found or something like that? Regards, Francis.

…

On Thu, Mar 24, 2022 at 1:08 PM Francis Hitchens ***@***.***> wrote: Hi Michal, What is your vault config setting for the plugin directory? What was your command to register the plugin? I just tried it out with vault 1.10 and I am seeing errors, but I think that is because my redis cluster is broken. I'll fix my cluster later and let you know. regards, Francis. On Thu, Mar 24, 2022 at 11:57 AM Michal Kucera ***@***.***> wrote: > Hello. > > I'd love to use your plugin side by side with Vault in version 1.9.4 > <https://hub.docker.com/layers/vault/library/vault/1.9.4/images/sha256-2f69ca64144ed051fce5c56662275638018ccc8abdca36c081c7d8d13c6e5eef?context=explore> > with Postgres as data storage, and spring-cloud-vault with Multiple > Databases > <https://docs.spring.io/spring-cloud-vault/docs/3.1.0/reference/html/#vault.config.backends.databases> > approach. > > Yet, I've made it only until plugin initialization > <https://github.com/fhitchen/vault-plugin-database-redis#standalone-redis-server>, > which returns 400 HTTP error code and the following response: > > ***@***.***:~/code/monitoring/vault/plugin$ docker exec -it monitoring_vault_1 vault write database/config/transaction-service \ > plugin_name="redis-database-plugin" \ > host="redis" \ > port=6379 \ > username="redis" \ > password="changeit" \ > allowed_roles="transaction-service" > Error writing data to database/config/transaction-service: Error making API request. > > URL: PUT http://vault:8200/v1/database/config/transaction-service > Code: 400. Errors: > > * error creating database object: invalid database version: 2 errors occurred: > * fork/exec /config/plugin/redis-database-plugin: no such file or directory > * fork/exec /config/plugin/redis-database-plugin: no such file or directory > > The aforementioned file is accessible from my docker environment: > > ***@***.***:~/code/monitoring/vault/plugin$ docker exec -it monitoring_vault_1 ls -l /config/plugin/redis-database-plugin > -rwxrwxr-x 1 1000 vault 14686652 Mar 24 15:49 /config/plugin/redis-database-plugin > > Thus I'm wondering if this is happening due to an issue on my side or > perhaps this plugin is not compatible with Vault 1.9.4. > > Cheers! > Michal > > — > Reply to this email directly, view it on GitHub > <https://github.com/fhitchen/vault-plugin-database-redis/issues/1>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABML24CFJLA7AK3HHJQEYPDVBSNF3ANCNFSM5RRWL7JA> > . > You are receiving this because you are subscribed to this thread.Message > ID: ***@***.***> >

[fhitchen]

Michal,
I pulled the docker image you used vault:1.9.4 and copied the plugin to it and ran the ldd command.

tmp # ldd redis-database-plugin 
        /lib64/ld-linux-x86-64.so.2 (0x7f0f12bc8000)
        libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f0f12bc8000)
        libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f0f12bc8000)
Error relocating redis-database-plugin: __vfprintf_chk: symbol not found
Error relocating redis-database-plugin: __fprintf_chk: symbol not found

The two errors for missing symbols are because the vault image is using alpine linux which uses a different glibc implementation I think.

Try linking the plugin statically like so
$ CGO_ENABLED=0 go build -ldflags='-extldflags=-static' -o ./cmd/redis-database-plugin/redis-database-plugin ./cmd/redis-database-plugin/
This should produce a statically linked plugin which will run in an Alpine container.
To check that it is statically linked $ ldd cmd/redis-database-plugin/redis-database-plugin not a dynamic executable

[Michal-Kucera]

Hi Francis,

Indeed it was an issue with symbol not found:

michal@michal:~/code/monitoring/vault/plugin$ docker exec -it monitoring_vault_1  ldd /config/plugin/redis-database-plugin
        /lib64/ld-linux-x86-64.so.2 (0x7f9ff8a71000)
        libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f9ff8a71000)
Error relocating /config/plugin/redis-database-plugin: __vfprintf_chk: symbol not found
Error relocating /config/plugin/redis-database-plugin: __fprintf_chk: symbol not found

After re-building the plugin with CGO_ENABLED=0 go build -ldflags='-extldflags=-static' -o redis-database-plugin ./cmd/redis-database-plugin/ these errors have disappeared:

michal@michal:~/code/monitoring/vault/plugin$ docker exec -it monitoring_vault_1  ldd /config/plugin/redis-database-plugin
/lib/ld-musl-x86_64.so.1: /config/plugin/redis-database-plugin: Not a valid dynamic program

On top of this, I was able to use Dynamic Role Creation side by side with Spring Cloud Vault.

Thanks so much for your guidance, if you don't mind, I'd like to push a PR with spring-cloud-vault integration section in README.md, so it could help others as well.

Regards,
Michal

[fhitchen]

Michal, Sure, that would be good to include in the README.md, please go ahead. Regards, Francis.

…

On Fri, Mar 25, 2022 at 5:10 AM Michal Kucera ***@***.***> wrote: Hi Francis, Indeed it was an issue with symbol not found: ***@***.***:~/code/monitoring/vault/plugin$ docker exec -it monitoring_vault_1 ldd /config/plugin/redis-database-plugin /lib64/ld-linux-x86-64.so.2 (0x7f9ff8a71000) libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f9ff8a71000) Error relocating /config/plugin/redis-database-plugin: __vfprintf_chk: symbol not found Error relocating /config/plugin/redis-database-plugin: __fprintf_chk: symbol not found After re-building the plugin with CGO_ENABLED=0 go build -ldflags='-extldflags=-static' -o redis-database-plugin ./cmd/redis-database-plugin/ these errors have disappeared: ***@***.***:~/code/monitoring/vault/plugin$ docker exec -it monitoring_vault_1 ldd /config/plugin/redis-database-plugin /lib/ld-musl-x86_64.so.1: /config/plugin/redis-database-plugin: Not a valid dynamic program On top of this, I was able to use Dynamic Role Creation <https://github.com/fhitchen/vault-plugin-database-redis#dynamic-role-creation> side by side with Spring Cloud Vault. Thanks so much for your guidance, if you don't mind, I'd like to push a PR with spring-cloud-vault integration section in README.md, so it could help others as well. Regards, Michal — Reply to this email directly, view it on GitHub <https://github.com/fhitchen/vault-plugin-database-redis/issues/1#issuecomment-1078865723>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABML24AEQTEDSR7ZVOZMHKTVBWGKHANCNFSM5RRWL7JA> . You are receiving this because you commented.Message ID: ***@***.***>