Don't copy HA lock file during migration

command/operator_migrate.go

@@ -16,6 +16,7 @@ import (
 	"github.com/hashicorp/vault/command/server"
 	"github.com/hashicorp/vault/helper/logging"
 	"github.com/hashicorp/vault/physical"
+	"github.com/hashicorp/vault/vault"
 	"github.com/mitchellh/cli"
 	"github.com/pkg/errors"
 	"github.com/posener/complete"
@@ -196,7 +197,7 @@ func (c *OperatorMigrateCommand) migrate(config *migratorConfig) error {
 // migrateAll copies all keys in lexicographic order.
 func (c *OperatorMigrateCommand) migrateAll(ctx context.Context, from physical.Backend, to physical.Backend) error {
 	return dfsScan(ctx, from, func(ctx context.Context, path string) error {
-		if path < c.flagStart || path == migrationLock {
+		if path < c.flagStart || path == migrationLock || path == vault.CoreLockPath {
 			return nil
 		}
 

command/operator_migrate_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/hashicorp/vault/helper/base62"
 	"github.com/hashicorp/vault/helper/testhelpers"
 	"github.com/hashicorp/vault/physical"
+	"github.com/hashicorp/vault/vault"
 )
 
 func init() {
@@ -262,6 +263,10 @@ func generateData() map[string][]byte {
 		result[strings.Join(segments, "/")] = data
 	}
 
+	// Add special keys that should be excluded from migration
+	result[migrationLock] = []byte{}
+	result[vault.CoreLockPath] = []byte{}
+
 	return result
 }
 
@@ -286,6 +291,14 @@ func compareStoredData(s physical.Backend, ref map[string][]byte, start string)
 		if err != nil {
 			return err
 		}
+
+		if k == migrationLock || k == vault.CoreLockPath {
+			if entry == nil {
+				continue
+			}
+			return fmt.Errorf("key found that should have been excluded: %s", k)
+		}
+
 		if k >= start {
 			if entry == nil {
 				return fmt.Errorf("key not found: %s", k)

vault/core.go

@@ -37,9 +37,9 @@ import (
 )
 
 const (
-	// coreLockPath is the path used to acquire a coordinating lock
+	// CoreLockPath is the path used to acquire a coordinating lock
 	// for a highly-available deploy.
-	coreLockPath = "core/lock"
+	CoreLockPath = "core/lock"
 
 	// The poison pill is used as a check during certain scenarios to indicate
 	// to standby nodes that they should seal

vault/ha.go

@@ -91,7 +91,7 @@ func (c *Core) Leader() (isLeader bool, leaderAddr, clusterAddr string, err erro
 	}
 
 	// Initialize a lock
-	lock, err := c.ha.LockWith(coreLockPath, "read")
+	lock, err := c.ha.LockWith(CoreLockPath, "read")
 	if err != nil {
 		c.stateLock.RUnlock()
 		return false, "", "", err
@@ -392,7 +392,7 @@ func (c *Core) waitForLeadership(newLeaderCh chan func(), manualStepDownCh, stop
 			c.logger.Error("failed to generate uuid", "error", err)
 			return
 		}
-		lock, err := c.ha.LockWith(coreLockPath, uuid)
+		lock, err := c.ha.LockWith(CoreLockPath, uuid)
 		if err != nil {
 			c.logger.Error("failed to create lock", "error", err)
 			return