-
-
Save yunano/66caf8c5ed993bb2f4e3 to your computer and use it in GitHub Desktop.
| [Unit] | |
| Description=vault server | |
| Requires=network-online.target | |
| After=network-online.target consul.service | |
| [Service] | |
| EnvironmentFile=-/etc/sysconfig/vault | |
| Restart=on-failure | |
| ExecStart=/usr/local/sbin/vault server $OPTIONS -config=/etc/vault.d | |
| ExecStartPost=/bin/bash -c "for key in $KEYS; do /usr/local/sbin/vault unseal $CERT $key; done" | |
| [Install] | |
| WantedBy=multi-user.target |
can you share the setup of the EnvironmentFile (/etc/sysconfig/vault) ?
I could suggest, that best practice is to run vault under specific non-administrative user
Your unseal keys should never be variables in your environment. Unsealing is meant to be the one and only manual process. What you are doing is extremely unsafe. You may know this already, but just in case, the details are here: hashicorp/vault#72
Note: Unsealing makes the process of automating a Vault install difficult. Automated tools can easily install, configure, and start Vault, but unsealing it is a very manual process. We have plans in the future to make it easier. For the time being, the best method is to manually unseal multiple Vault servers in HA mode. Use a tool such as Consul to make sure you only query Vault servers that are unsealed.
Also, this file would not safely stop vault on shutdown.
This would be much safer...
ExecStop=/full/path/to/vault step-down
this has moved upstream
https://learn.hashicorp.com/vault/operations/ops-deployment-guide
Or you could use the official service file, provided by hashicorp: https://raw.githubusercontent.com/hashicorp/vault/v1.12.0/.release/linux/package/usr/lib/systemd/system/vault.service
vim /etc/systemd/system/multi-user.target.wants/vault.service
Environment="VAULT_ADDR=https://vlt-uat-app-02.intranet.ilanni.com:8200"
ExecStartPost=/usr/bin/vault operator unseal 2rMyAS1PzBtuGTc/ArxCnb6xdB
Thank you!