From 44aaee6628fa572b5d856e6d6e0a532fb47b2570 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20K=C3=BChne?=
Date: Tue, 6 Jun 2017 17:20:44 +0200
Subject: [PATCH 1/2] Add ability to run server as non root
---
 pillar.example | 2 ++
 vault/defaults.yaml | 2 ++
 vault/files/vault_systemd.service.jinja | 2 ++
 vault/init.sls | 8 +++++++-
 4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/pillar.example b/pillar.example
index 4e67e56..15ba3a0 100644
--- a/pillar.example
+++ b/pillar.example
@@ -14,3 +14,5 @@ vault:
 dev_mode: true
 service:
 type: upstart
+ user: root
+ group: root
diff --git a/vault/defaults.yaml b/vault/defaults.yaml
index 5dc73dc..9039a96 100644
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
@@ -15,3 +15,5 @@ vault:
 dev_mode: true
 service:
 type: systemd
+ user: root
+ group: root
diff --git a/vault/files/vault_systemd.service.jinja b/vault/files/vault_systemd.service.jinja
index 7042a30..a6417b7 100644
--- a/vault/files/vault_systemd.service.jinja
+++ b/vault/files/vault_systemd.service.jinja
@@ -8,3 +8,5 @@ After=network-online.target consul.service
 EnvironmentFile=-/etc/sysconfig/vault
 Restart=on-failure
 ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
+User={{ vault.user }}
+Group={{ vault.group }}
diff --git a/vault/init.sls b/vault/init.sls
index 045d200..a6943fd 100644
--- a/vault/init.sls
+++ b/vault/init.sls
@@ -13,8 +13,14 @@ download vault:
 install vault:
 cmd.run:
- - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
+ - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
 - require:
 - cmd: download vault
 - pkg: unzip
 - unless: test -e /usr/local/bin/vault
+
+vault set cap mlock:
+ cmd.run:
+ - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
+ - watch:
+ - cmd: install vault
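Review bot: The new `user: root` / `group: root` keys in pillar.example are consumed by the systemd template as top-level `vault.user` and `vault.group`, but this collapsed hunk does not show whether they sit under `vault:` or under `service:` (the same applies to the vault/defaults.yaml hunk); nested under `service:` the template lookup would render an empty or undefined value into `User=`. Confirm the nesting matches the template, and document the contract above the keys, e.g. `# account the service runs as; when not root it must exist and be able to read /etc/vault/config/server.hcl`. Keeping `root` as the default preserves the previous behaviour, so the non-root mode named in the subject is only reached when both keys are overridden in pillar.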
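Review bot: `User={{ vault.user }}` / `Group={{ vault.group }}` make the unit depend on that account existing and on `/etc/vault/config/server.hcl` (and whatever storage path it configures) being readable by it, yet nothing in this series creates the account or adjusts ownership, so a non-root pillar value leaves systemd unable to start the service unless that is handled by a state not visible here. Consider adding `user.present` / `group.present` states for `{{ vault.user }}` and `{{ vault.group }}` in vault/init.sls, plus a `file.directory` for `/etc/vault/config` with matching `user` / `group` so the config is readable by that account and not world-readable. The pillar.example hunk sets `service.type: upstart`, so these keys take effect only for the systemd template unless the upstart template, which is not part of this patch, also consumes them.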
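Review bot: `vault set cap mlock` runs only when `install vault` reports a change, and `install vault` is skipped through `unless: test -e /usr/local/bin/vault` whenever the binary already exists, so hosts provisioned before this patch never receive `cap_ipc_lock` and a non-root Vault will fail to lock memory; the `onchanges` form in the second patch has the same gap. Replace the change trigger with a plain ordering requisite and an idempotent guard, `- require:` / `- cmd: install vault` plus `- unless: getcap /usr/local/bin/vault | grep -q cap_ipc_lock`; a re-extracted binary has its file capability cleared on write, so the guard re-caps it without needing the trigger. The two `- name:` lines of `install vault` are identical in this collapsed hunk, so that part is presumably a whitespace-only change, and the blank context line implied by the `-13,8 +13,14` counts is not recoverable here.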
From 09cec65355dd9615eef4c557a89b329fa79d722d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20K=C3=BChne?=
Date: Tue, 6 Jun 2017 17:54:57 +0200
Subject: [PATCH 2/2] watch => onchanges
---
 vault/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vault/init.sls b/vault/init.sls
index a6943fd..6e4958d 100644
--- a/vault/init.sls
+++ b/vault/init.sls
@@ -22,5 +22,5 @@ install vault:
 vault set cap mlock:
 cmd.run:
 - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
- - watch:
+ - onchanges:
 - cmd: install vault