search
Home

vhsm debug

Learn to debug vHSM server by starting a process that collects and probes information for a specific duration.

The debug command starts a process that monitors a vHSM server, collecting and probing information for a specified duration. This helps operators retrieve and share consistent diagnostic information about the server state.

circle-info

Note: The command honors the same authentication variables as the base command, including the token stored from a previous login or the environment variables VAULT_TOKEN and VAULT_ADDR. The permissions granted by the token determine the extent of information collected.

If the command is interrupted, the collected data is persisted to an output directory.

hashtag
Permissions

The ability to fetch debug data depends on the provided token. Some targets, such as server-status, query unauthenticated endpoints, while others require ACL permissions.

hashtag
Required Policy for Full Debugging

path "auth/token/lookup-self" {
  capabilities = ["read"]
}

path "sys/pprof/*" {
  capabilities = ["read"]
}

path "sys/config/state/sanitized" {
  capabilities = ["read"]
}

path "sys/monitor" {
  capabilities = ["read"]
}

path "sys/host-info" {
  capabilities = ["read"]
}

path "sys/in-flight-req" {
  capabilities = ["read"]
}

hashtag
Examples

hashtag
Start debug with default settings:

hashtag
Run debug for 1 minute, with custom intervals and no compression:

hashtag
Capture only specific targets:

hashtag
Output

hashtag
Command Options

Flag

Type

Default Value

Description

-compress

bool

true

Toggles compression of the output package.

-duration

int or string

2m

Duration for which the command runs.

-interval

int or string

30s

Interval for collecting profiling data and server state.

-log-format

string

standard

Log format for log target (standard or json).

-metrics-interval

int or string

10s

Interval for collecting metrics data.

-output

string

Auto-generated filename

Specifies output path for the debug package.

-target

string

all targets

Specifies targets to capture (can be used multiple times).

hashtag
Capture Targets

The -target flag can be used multiple times to specify which information to capture. By default, all available targets are collected.

Target
Description

config

Sanitized version of the configuration state.

host

Information about the server instance, including CPU, memory, and disk.

metrics

Telemetry information.

pprof

Runtime profiling data, including heap, CPU, goroutine, and trace profiling.

replication-status

Replication status.

server-status

Health and seal status.

Note:

  • The config, host, metrics, and pprof targets are only queried on active and performance standby nodes.

  • The host target is unavailable on OpenBSD due to system library limitations.

hashtag
Output Layout

The collected data is stored in a structured directory format. Profiling data is captured at each interval in separate files, while other targets store data as JSON arrays.

hashtag
Example Directory Structure

Previousvhsm auditNextvhsm version

Last updated

Was this helpful?