I haven't yet managed to run it as an unprivileged user, because CapabilityBoundingSet=CAP_IPC_LOCK seems to be ignored. WIP.

Create the directories and set permissions

useradd vault --system -d /var/lib/vault -m -s /bin/false   # the home dir doubles as the file-backend data dir, owned by vault
mkdir /var/log/vault
mkdir /var/run/vault   # /var/run is normally tmpfs: this dir is gone after a reboot (RuntimeDirectory=vault in the unit would recreate it)
mkdir /etc/vault
touch /etc/vault/config.hcl
chown vault: /etc/vault/config.hcl
chown -hR vault: /var/log/vault/
chmod 640 /etc/vault/config.hcl   # listener and storage settings live here; keep it unreadable to other users
chmod 2775 /var/run/vault/        # still root:root; add chown vault: /var/run/vault if the service is to write here

Configure Vault, minimally

Put something like this in /etc/vault/config.hcl:

storage "file" {
    path = "/var/lib/vault"
}
listener "tcp" {
    address = "0.0.0.0:8200"
    tls_disable = 1
}

A listener with tls_disable = 1 on 0.0.0.0:8200 serves the whole API in plaintext to anyone who can reach the port, including the unseal keys and root token handed out by vault init and every token sent in X-Vault-Token. That is fine for a throwaway lab; otherwise bind to 127.0.0.1:8200 or set tls_cert_file and tls_key_file in the listener block. The file backend writes under /var/lib/vault, which useradd -m above created with vault as owner, so no other directory needs to be writable by the service.

Download and install Vault itself

cd /usr/src
wget https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip   # 0.7.0 was current when this was written; use the current release
wget https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_SHA256SUMS
grep linux_amd64 vault_0.7.0_SHA256SUMS | sha256sum -c -                       # must print OK before the binary goes into PATH
unzip vault_0.7.0_linux_amd64.zip
mv ./vault /usr/bin/vault

Write the autostart unit

Create the unit at /lib/systemd/system/vault.service (for a hand-written unit, /etc/systemd/system is the conventional location; /lib/systemd/system is where packages put theirs):

[Unit]
Description=Vault service
Requires=basic.target network.target
After=basic.target network.target

[Service]
TimeoutStopSec=0
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=read-only
NoNewPrivileges=yes
#SecureBits=keep-caps
#keep-caps keep-caps-locked no-setuid-fixup no-setuid-fixup-locked noroot noroot-locked

WorkingDirectory=/etc/vault
ReadWriteDirectories=/etc/vault
ReadWriteDirectories=/var/lib/vault
ReadWriteDirectories=/var/log/vault
ReadWriteDirectories=/var/run/vault

# Only bounds what the service may ever hold. With User=vault the process starts
# with empty capability sets, so CAP_IPC_LOCK is not actually granted by this line.
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK

ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
KillSignal=SIGINT
Restart=on-failure
StartLimitInterval=60s
StartLimitBurst=3

User=vault
Group=vault

[Install]
WantedBy=multi-user.target
Alias=vault.service

Enable it at boot:

systemctl enable vault.service

Start it

service vault stop; systemctl daemon-reload; service vault start
sleep 0.4; tail -n50 /var/log/syslog   # or: journalctl -u vault.service
sleep 0.3; ps -A | grep vault
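The reason the unit above never hands CAP_IPC_LOCK to the vault user: CapabilityBoundingSet= is a ceiling, not a grant, and a non-root User= starts with empty capability sets. Two things would normally add the capability back, and one of them is blocked by this unit: setcap cap_ipc_lock=+ep on the binary is ignored once NoNewPrivileges=yes is set (the kernel refuses to raise file capabilities across execve under no_new_privs), while AmbientCapabilities= (systemd 229 and later) puts the capability in the ambient set, which survives the execve of a non-root process. Vault's own way out is disable_mlock = true in config.hcl, which its docs recommend only with swap off or encrypted, since it lets secrets be paged to disk. The script below is an added example, not part of the original post or of Vault: it writes a drop-in at the assumed path /etc/systemd/system/vault.service.d/caps.conf that grants exactly CAP_IPC_LOCK (and resets the bounding set so CAP_DAC_OVERRIDE from the main unit is dropped rather than merged), then decodes the CapEff mask of the live process from /proc to confirm what the service really holds.

```shell
#!/bin/sh
# Added example (not from the original post): grant CAP_IPC_LOCK to the
# unprivileged vault service via a systemd drop-in and verify it in /proc.
# Assumes systemd >= 229 and the drop-in path
# /etc/systemd/system/vault.service.d/caps.conf (both assumptions).
set -eu

# Capability numbers from <linux/capability.h>.
CAP_DAC_OVERRIDE=1
CAP_IPC_LOCK=14

# Drop-in text. The empty CapabilityBoundingSet= resets the list inherited from
# the main unit (otherwise the two assignments are merged), and
# AmbientCapabilities= is what actually puts the capability into the process.
vault_dropin() {
    cat <<'EOF'
[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
EOF
}

# Write the drop-in and restart the service (run as root).
install_dropin() {
    dir=/etc/systemd/system/vault.service.d
    mkdir -p "$dir"
    vault_dropin > "$dir/caps.conf"
    systemctl daemon-reload
    systemctl restart vault.service
}

# mask_of CAPNUM... -> the 16-hex-digit set mask in the form /proc prints it.
mask_of() {
    m=0
    for n in "$@"; do m=$(( m | (1 << n) )); done
    printf '%016x\n' "$m"
}

# has_cap HEXMASK CAPNUM -> yes/no for one bit of a CapEff:/CapPrm:/CapBnd: value.
has_cap() {
    if [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# proc_capset PID SETNAME -> hex mask of that set from /proc/PID/status.
proc_capset() {
    awk -v k="$2:" '$1 == k { print $2 }' "/proc/$1/status"
}

# Succeeds only if the live vault process holds exactly CAP_IPC_LOCK in its
# effective set, i.e. mlock works and CAP_DAC_OVERRIDE is gone.
verify_vault_caps() {
    pid=$(systemctl show -p MainPID vault.service | cut -d= -f2)
    [ "$pid" -gt 0 ] || { echo "vault.service is not running" >&2; return 1; }
    eff=$(proc_capset "$pid" CapEff)
    echo "pid $pid CapEff=$eff" \
         "ipc_lock=$(has_cap "$eff" "$CAP_IPC_LOCK")" \
         "dac_override=$(has_cap "$eff" "$CAP_DAC_OVERRIDE")"
    [ "$eff" = "$(mask_of "$CAP_IPC_LOCK")" ]
}

# Usage, as root: install_dropin && verify_vault_caps
```

If verify_vault_caps reports CapEff=0000000000000000 after the drop-in, check `systemctl show -p AmbientCapabilities vault.service`: on a systemd older than 229 the setting is unknown and silently dropped, and the only non-root options left are disable_mlock or running without NoNewPrivileges=yes so that setcap can work.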
night-crawler