Add ability to run server as non root

This commit is contained in:
Matthias Kühne 2017-06-06 17:20:44 +02:00
parent a984cbc8c4
commit 44aaee6628
4 changed files with 13 additions and 1 deletions


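--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -14,3 +14,5 @@ vault:
 dev_mode: true
 service:
 type: upstart
+user: root
+group: root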
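Review bot: The new `user`/`group` defaults are added for the upstart variant here (and for the systemd variant in the next hunk), but of the four changed files only the systemd unit template reads `vault.user`/`vault.group`; as far as this page shows the upstart job template is untouched, so with `type: upstart` the service would still start as root whatever these keys say. Either wire the upstart job to the same keys (upstart's `setuid {{ vault.user }}` / `setgid {{ vault.group }}` stanzas, if the target upstart version supports them) or state the limitation next to the keys, e.g. `# user/group the vault service runs as (honoured by the systemd unit only)`. The enclosing `vault:` mapping starts outside the hunk.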


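--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -15,3 +15,5 @@ vault:
 dev_mode: true
 service:
 type: systemd
+user: root
+group: root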


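--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -8,3 +8,5 @@ After=network-online.target consul.service
 EnvironmentFile=-/etc/sysconfig/vault
 Restart=on-failure
 ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
+User={{ vault.user }}
+Group={{ vault.group }}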
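Review bot: `User=`/`Group=` now drop privileges, but nothing in this commit changes the ownership or mode of what the service reads as that user — `-config="/etc/vault/config/server.hcl"` on the ExecStart line and `EnvironmentFile=-/etc/sysconfig/vault` — so a non-root `vault.user` may fail to read its config, and because of the `-` prefix a missing environment file is skipped silently rather than failing the start. The state that renders the config is not on this page, so this may already be handled there; if not, the state writing `/etc/vault/config` should set its owner to `{{ vault.user }}:{{ vault.group }}` with a mode that keeps other users out (the HCL can carry storage credentials). The unit's `[Service]` section starts outside the hunk.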


@ -13,8 +13,14 @@ download vault:
install vault: install vault:
cmd.run: cmd.run:
- name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
- require: - require:
- cmd: download vault - cmd: download vault
- pkg: unzip - pkg: unzip
- unless: test -e /usr/local/bin/vault - unless: test -e /usr/local/bin/vault
vault set cap mlock:
cmd.run:
- name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
- watch:
- cmd: install vault
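Review bot: `vault set cap mlock` has no idempotency guard, so it reports a change on every highstate — as far as I recall Salt's semantics, a `cmd.run` with `watch` still executes on every run rather than only when `install vault` changes. Re-applying is harmless and actually desirable, since file capabilities live on the inode and vanish when the binary is replaced, but the run stays clean with `- unless: getcap /usr/local/bin/vault | grep -q cap_ipc_lock`. Note also that with the binary left at `0755` by `install vault`, `cap_ipc_lock=+ep` is granted to anyone who executes it, letting any local user lock memory beyond RLIMIT_MEMLOCK; if that matters on these hosts, `chown root:<service group>` plus `chmod 0750` in `install vault` confines it to the service group. The hunk header counts 14 new lines but only 12 are shown here, so part of this hunk is outside what the page displays.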