Merge pull request #9 from MatthiasKuehneEllerhold/run_server_as_non_root

Let the server run as non root
myoung34 2017-08-08 06:54:09 -05:00 committed by GitHub
commit d001bea057
4 changed files with 13 additions and 1 deletions


@ -14,3 +14,5 @@ vault:
dev_mode: true dev_mode: true
service: service:
type: upstart type: upstart
user: root
group: root
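Review bot: The added `user: root` and `group: root` keep the server running as root unless the values are overridden, so the stated goal of the change is opt-in only; the same applies to the second example with `type: systemd`. A dedicated unprivileged account would fit the intent better, e.g. `user: vault` and `group: vault`, provided a state creates that account. This example selects `type: upstart`, and no upstart job template appears among the visible changed sections, so these keys may be silently ignored on upstart hosts. If that is the case, a comment such as `# user/group are only applied by the systemd unit` would prevent a false sense of privilege reduction.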


@ -15,3 +15,5 @@ vault:
dev_mode: true dev_mode: true
service: service:
type: systemd type: systemd
user: root
group: root


@ -8,3 +8,5 @@ After=network-online.target consul.service
EnvironmentFile=-/etc/sysconfig/vault EnvironmentFile=-/etc/sysconfig/vault
Restart=on-failure Restart=on-failure
ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %} ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
User={{ vault.user }}
Group={{ vault.group }}
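Review bot: `User={{ vault.user }}` and `Group={{ vault.group }}` have no fallback, so a pillar written before these keys existed will likely render empty assignments, and systemd then starts the service as root without reporting anything. Making the fallback explicit, `User={{ vault.user | default('root') }}`, or failing the render when the key is missing, keeps the effective account visible to whoever reads the unit. When a non-root account is configured, `/etc/vault/config/server.hcl` must be readable by it, and nothing visible in this hunk arranges that. The unit file starts outside this hunk.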


@ -13,8 +13,14 @@ download vault:
install vault: install vault:
cmd.run: cmd.run:
- name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
- require: - require:
- cmd: download vault - cmd: download vault
- pkg: unzip - pkg: unzip
- unless: test -e /usr/local/bin/vault - unless: test -e /usr/local/bin/vault
vault set cap mlock:
cmd.run:
- name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
- onchanges:
- cmd: install vault
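Review bot: `vault set cap mlock` runs only through `onchanges` on `install vault`, which is skipped by `unless: test -e /usr/local/bin/vault`, so a host that already has the binary never receives `cap_ipc_lock` and a non-root server there would likely fail to lock memory. The file capability is also lost whenever the binary is replaced outside this state. Guarding on the actual capability is more robust: `- unless: getcap /usr/local/bin/vault | grep -q cap_ipc_lock` together with `- require: [cmd: install vault]`. `setcap` ships in the libcap tools package, which the visible state does not require, and no state visible here creates the account named by `vault.user`.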