HashiCorp Vault
If anyone is interested the repo is here https://github.com/euanmcgregor/vault-cloudron
It is working, I am just looking at LDAP integration just now.
@ultraviolet Thanks! I have added mlock capability for 5.4 in https://git.cloudron.io/cloudron/box/-/commit/84f41e08cfbd3eb4dd5ac2d0e949b6a6d724f1c7
For now (until 5.4 is out), I guess you can disable mlock using
? (At least as per https://github.com/hashicorp/docker-vault/issues/24)
@ultraviolet It seems we need to make another 5.3 release because of some issues. So, maybe I can put this in 5.3 as well. Let me see.
@girish awesome. I can see that the change is in 5.3 and I have just upgraded. Made a small change but it is still throwing the error, my manifest file shows this now:
{
  "id": "com.vault.cloudron",
  "version": "0.1.0",
  "minBoxVersion": "5.3.0",
  "healthCheckPath": "/",
  "httpPort": 8200,
  "addons": { "localstorage": {}, "ldap": {} },
  "capabilities": [ "mlock" ],
  "manifestVersion": 2
}
Not sure if I am missing something here?
pretty much yeah, the services won't start and the logs will show an error message
@ultraviolet I think I got a little closer to a working state. Currently restarting since my Cloudron wanted a reboot after the last update.
edit: hmm, no. this is what is logged:
Jun 29 20:54:05 2020-06-29 18:54:05,044 INFO spawned: 'vault' with pid 12
Jun 29 20:54:05 Error initializing core: Failed to lock memory: cannot allocate memory
Jun 29 20:54:05
Jun 29 20:54:05 This usually means that the mlock syscall is not available.
Jun 29 20:54:05 Vault uses mlock to prevent memory from being swapped to
Jun 29 20:54:05 disk. This requires root privileges as well as a machine
Jun 29 20:54:05 that supports mlock. Please enable mlock on your system or
Jun 29 20:54:05 disable Vault from using it. To disable Vault from using it,
Jun 29 20:54:05 set the `disable_mlock` configuration option in your configuration
Jun 29 20:54:05 file.
Jun 29 20:54:05 2020-06-29 18:54:05,115 INFO exited: vault (exit status 1; not expected)
Jun 29 20:54:06 2020-06-29 18:54:06,118 INFO spawned: 'vault' with pid 23
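The error above is what Vault prints when its process lacks CAP_IPC_LOCK, so the container start script has to choose between granting that capability (the manifest's "mlock" capability) and setting `disable_mlock`. The following is an added example, not code from the vault-cloudron repo: it reads the effective capability mask from /proc/self/status, tests bit 14 (CAP_IPC_LOCK), and renders a minimal Vault server config accordingly. The listener address, the /app/data storage path and the 0x...a80425fb mask in the usage (Docker's default capability set, which lacks CAP_IPC_LOCK) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the vault-cloudron repo: decide at container
# start whether Vault may call mlock(). "Failed to lock memory" appears when
# the process lacks CAP_IPC_LOCK, which is bit 14 of the CapEff bitmask that
# /proc/self/status reports as a hex string.

# has_ipc_lock HEXMASK  -> exit 0 when bit 14 (CAP_IPC_LOCK) is set
has_ipc_lock() {
    [ $(( (0x$1 >> 14) & 1 )) -eq 1 ]
}

# current_capeff  -> prints this process's effective capability mask
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# mlock_setting HEXMASK  -> the disable_mlock line Vault should be given
mlock_setting() {
    if has_ipc_lock "$1"; then
        echo 'disable_mlock = false'
    else
        echo 'disable_mlock = true'
    fi
}

# write_vault_config HEXMASK FILE  -> renders a minimal server config.
# Listener address and storage path are assumptions for a Cloudron-style
# container (app data under /app/data, port 8200 as in the manifest above).
write_vault_config() {
    mask="$1"; out="$2"
    {
        echo 'ui = true'
        mlock_setting "$mask"
        echo ''
        echo 'listener "tcp" {'
        echo '  address     = "0.0.0.0:8200"'
        echo '  tls_disable = 1   # TLS is terminated by the Cloudron reverse proxy'
        echo '}'
        echo ''
        echo 'storage "file" {'
        echo '  path = "/app/data/vault"'
        echo '}'
    } > "$out"
}
```

In the start script this is used as `write_vault_config "$(current_capeff)" /run/vault.hcl` followed by `vault server -config=/run/vault.hcl`. When the mask forces `disable_mlock = true`, Vault's in-memory secrets can be paged out, so that setting belongs only on hosts where swap is disabled or encrypted; once the platform grants the capability, the same script switches back to mlock without a config change by hand.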
@ultraviolet yes, that is the workaround I am using at the moment as well.
@ultraviolet do you have ldap working already?
You had the ldap script missing (not added with `git add`), so I tried my own, but even after config has completed I cannot log in and only get: Authentication failed: ldap operation failed: unable to retrieve user bind DN
@fbartels I did try to get ldap going. The issue doing it automatically during install is that you need to unseal and log in to the vault before you can enable the LDAP, which is hard when the login info is in a text file. I am sure it is possible, but my knowledge is a bit limited on that, plus it might not be idempotent.
When I tried it manually it gave me that exact error. I am still checking to see what the issue might be, but I have kind of drawn a blank at the moment. Will take a fresh look later this week when I get a bit of time.
@ultraviolet https://github.com/euanmcgregor/vault-cloudron/pull/2 fixes the mlock issue
thanks both, I have never had a pull request before!! I am just looking at them now.
@ultraviolet I managed to get ldap login working. In the end I needed to change the lookup attribute (it's weird that you can configure a search filter for groups, but not for users).
Change is in https://github.com/euanmcgregor/vault-cloudron/pull/4
Edit: OIDC login is not yet working btw.
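The "unable to retrieve user bind DN" error earlier in the thread and the lookup-attribute change in this post are two sides of the same setting: Vault's ldap auth method searches users by `userattr`, which defaults to cn, and Cloudron's directory keeps the login name in a different attribute. The script below is an added example, not the repo's ldap script, showing how to configure the auth method from the variables the Cloudron ldap addon injects. The CLOUDRON_LDAP_* variable names, the `username` user attribute and the `memberuid` group filter are assumptions taken from Cloudron's addon documentation rather than from this thread, so verify them against your own directory.

```shell
#!/bin/sh
# Added example, not the vault-cloudron repo's ldap script: configure Vault's
# ldap auth method against the Cloudron LDAP addon. CLOUDRON_LDAP_* names and
# the `username` / `memberuid` attributes are assumptions from Cloudron's
# addon docs, not from this thread. Vault's default userattr is cn, which
# does not match Cloudron user entries and yields
# "unable to retrieve user bind DN".

# ldap_config_args  -> prints one key=value per line for `vault write`,
# or fails with a message if an addon variable is missing.
ldap_config_args() {
    for v in CLOUDRON_LDAP_URL CLOUDRON_LDAP_USERS_BASE_DN \
             CLOUDRON_LDAP_GROUPS_BASE_DN CLOUDRON_LDAP_BIND_DN \
             CLOUDRON_LDAP_BIND_PASSWORD; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "ldap_config_args: $v is not set" >&2
            return 1
        fi
    done
    printf 'url=%s\n'         "$CLOUDRON_LDAP_URL"
    printf 'userdn=%s\n'      "$CLOUDRON_LDAP_USERS_BASE_DN"
    printf 'userattr=%s\n'    'username'   # Cloudron login name, not cn
    printf 'groupdn=%s\n'     "$CLOUDRON_LDAP_GROUPS_BASE_DN"
    printf 'groupattr=%s\n'   'cn'
    # Assumed group filter: Cloudron group entries list member DNs in memberuid.
    printf 'groupfilter=%s\n' '(&(objectClass=group)(memberuid={{.UserDN}}))'
    printf 'binddn=%s\n'      "$CLOUDRON_LDAP_BIND_DN"
    printf 'bindpass=%s\n'    "$CLOUDRON_LDAP_BIND_PASSWORD"
}

# configure_ldap  -> enable the auth method if needed and write the config.
# Requires an unsealed Vault and VAULT_ADDR/VAULT_TOKEN in the environment,
# which is why this runs after the first unseal rather than at install time.
configure_ldap() {
    args=$(ldap_config_args) || return 1
    vault auth list -format=json | grep -q '"ldap/"' \
        || vault auth enable ldap
    # Rebuild the positional parameters one line per argument so that values
    # containing spaces (a bind password, say) are passed intact.
    set --
    while IFS= read -r line; do set -- "$@" "$line"; done <<EOF
$args
EOF
    vault write auth/ldap/config "$@"
}
```

Run `configure_ldap` once with an operator token after the vault has been unsealed and the ldap addon variables are present; re-running it only rewrites the same config, so it is safe to call from a post-init hook. Only the addon's bind credentials leave the environment for Vault's config store, which keeps with the later decision in this thread not to write any root or unseal keys into the container.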
@fbartels awesome stuff on the LDAP.
I have made a few more tweaks with permissions and I have merged your request too. I have also removed the initial init for the vault. It is now done via the GUI which I like better because there are no keys being added to the container plus the user experience is a bit nicer. I have still kept the logic in in case someone wants to automate it.