Add command to inspect vault snapshots #23457

elliesterner · 2023-10-03T12:22:49Z

Pulled logic extensively from consul snapshot inspector.

Note: we are only verifying the unsealed sha sum, and not the sealed sum.

Example:

$ vault operator raft snapshot inspect -details -depth 2 complete.snap
 ID           bolt-snapshot
 Size         449106
 Index        592
 Term         3
 Version      1


 Key Name                                          Count      Size
 ----                                              ----       ----
 sys/token                                         365        173.2KB
 sys/expire                                        181        246KB
 logical/4424d327-7320-7eed-6955-7cf9554ab30e      7          6.2KB
 auth/ba6064c0-7b95-c9ab-42b5-59139a68d169         5          1.7KB
 sys/policy                                        3          3.2KB
 core/cluster                                      2          236B
 auth/55812375-d035-ee8c-bd40-40af00c21de6         1          462B
 core/audit                                        1          104B
 core/auth                                         1          540B
 core/hsm                                          1          112B
 core/index-header-hmac-key                        1          99B
 core/keyring                                      1          320B
 core/leader                                       1          1.5KB
 core/local-audit                                  1          110B
 core/local-auth                                   1          108B
 core/local-mounts                                 1          357B
 core/lock                                         1          49B
 core/master                                       1          163B
 core/mounts                                       1          495B
 core/raft                                         1          1.6KB
 core/seal-config                                  1          136B
 core/shamir-kek                                   1          84B
 core/versions                                     1          167B
 core/wrapping                                     1          560B
 ----                                              ----
 Total Size                                                437.5KB

vercel · 2023-10-03T12:22:53Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
vault	⬜️ Ignored (Inspect)	Visit Preview		Oct 4, 2023 4:49pm

github-actions · 2023-10-03T12:43:07Z

Build Results:
All builds succeeded! ✅

command/operator_raft_snapshot_inspect.go

github-actions · 2023-10-03T12:47:44Z

CI Results:
All Go tests succeeded! ✅

command/operator_raft_snapshot_inspect.go

command/test-fixtures/test.snap

jasonodonnell · 2023-10-03T15:28:04Z

In your example above I see there are flags available but the helper description makes no mention of them:

[~] vault operator raft snapshot inspect -h
Usage: vault operator raft snapshot inspect <snapshot_file>

	Inspects a snapshot file.

	$ vault operator raft snapshot inspect raft.snap

command/operator_raft_snapshot_inspect.go

changelog/23457.txt

command/operator_raft_snapshot_inspect.go

elliesterner · 2023-10-04T11:15:48Z

In your example above I see there are flags available but the helper description makes no mention of them:
[~] vault operator raft snapshot inspect -h
Usage: vault operator raft snapshot inspect <snapshot_file>

	Inspects a snapshot file.

	$ vault operator raft snapshot inspect raft.snap

thank you!! I fixed this :)

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

command/operator_raft_snapshot_inspect.go

ncabatoff · 2023-10-31T17:52:40Z

command/operator_raft_snapshot_inspect.go

+	return snapshotInfo, metadata, nil
+}
+
+const (


These consts can go away now right?

tsaarni · 2023-12-04T13:06:11Z

Hi @elliesterner, @jasonodonnell, @ncabatoff It seems that backports of this PR (among some others) brought BUSL license to MPL branches 1.13.x and 1.14.x.

Has there been any discussion how to solve the license conflict?

mladlow · 2024-03-11T21:51:42Z

changelog/23457.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+cli/snapshot: Add CLI tool to inspect Vault snapshots


@elliesterner next time please use the correct new feature formatting for new features in the changelog.

To add some more clarification - this should use the "Feature Name" we'd use in the release notes, and should try to communicate to the user why they would want to learn more about this brand new feature we're introducing in Vault 1.16.

Thanks @mladlow . I thought I had corrected this here?

@elliesterner I see the PR, thanks! I think the correction didn't get merged to the 1.16 release branch, so on the 1.16 release branch it still has the original text. It's still being generated with this text. I added the backport label to the PR you linked. Could you please help ensure the 1.16 backport PR merges?

oops, yes will fix. Thank you!

github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Oct 3, 2023

elliesterner added this to the 1.15.1 milestone Oct 3, 2023

elliesterner requested a review from jasonodonnell October 3, 2023 12:23

github-advanced-security bot found potential problems Oct 3, 2023

View reviewed changes

command/operator_raft_snapshot_inspect.go Fixed Show fixed Hide fixed

command/operator_raft_snapshot_inspect.go Fixed Show fixed Hide fixed