HashiCorp Vault

Reply to HashiCorp Vault on Mon, 06 Jul 2020 20:32:42 GMT

girish — Mon, 06 Jul 2020 20:32:42 GMT

I have now published this as unstable! Thanks @ultraviolet . The repo is at https://git.cloudron.io/cloudron/vault-app and you should have push access already. I am writing tests before marking it as stable.

Reply to HashiCorp Vault on Tue, 30 Jun 2020 19:22:05 GMT

ultraviolet — Tue, 30 Jun 2020 19:22:05 GMT

@girish License has been added to the repo.

Reply to HashiCorp Vault on Tue, 30 Jun 2020 19:04:21 GMT

girish — Tue, 30 Jun 2020 19:04:21 GMT

I will add the LDAP notes to the docs then.

Reply to HashiCorp Vault on Tue, 30 Jun 2020 19:03:16 GMT

ultraviolet — Tue, 30 Jun 2020 19:03:16 GMT

@girish sweet. I will do that no problem. The LDAP has to be done manually as the vault needs to be init'd and unsealed so you would need to execute the script manually.

Reply to HashiCorp Vault on Tue, 30 Jun 2020 18:35:59 GMT

girish — Tue, 30 Jun 2020 18:35:59 GMT

@ultraviolet I think it will be a great addition to the store. Are you able to add a license file to the package? Like https://git.cloudron.io/cloudron/pixelfed-app/-/blob/master/LICENSE (MIT). You can change copyright to be yours.

Once you do that, I can fix it up and get it published.

@fbartels @ultraviolet How does the LDAP login work ? I don't see ldap-config.sh called from anywhere.

Reply to HashiCorp Vault on Tue, 30 Jun 2020 18:27:34 GMT

ultraviolet — Tue, 30 Jun 2020 18:27:34 GMT

Sorted, I think I have been running it for most of the day testing some stuff. Not sure if this is app store worthy but it interesting to learn about.
Thanks for your help @fbartels and @girish

Reply to HashiCorp Vault on Tue, 30 Jun 2020 11:37:45 GMT

ultraviolet — Tue, 30 Jun 2020 11:37:45 GMT

@fbartels awesome stuff on the LDAP.

I have made a few more tweaks with permissions and I have merged your request too. I have also removed the initial init for the vault. It is now done via the GUI which I like better because there are no keys being added to the container plus the user experience is a bit nicer. I have still kept the logic in in case someone wants to automate it.

Reply to HashiCorp Vault on Tue, 30 Jun 2020 10:46:39 GMT

fbartels — Tue, 30 Jun 2020 10:46:39 GMT

@ultraviolet I managed to get ldap login working. In the end I needed to change the lookup attribute (it weird that you can configure a search filter for groups, but not for users).

Change is in https://github.com/euanmcgregor/vault-cloudron/pull/4

Edit: OIDC login is not yet working btw.

Reply to HashiCorp Vault on Tue, 30 Jun 2020 07:22:30 GMT

ultraviolet — Tue, 30 Jun 2020 07:22:30 GMT

thanks both, I have never had a pull request before!! I am just looking at them now.

Reply to HashiCorp Vault on Tue, 30 Jun 2020 05:30:09 GMT

girish — Tue, 30 Jun 2020 05:30:09 GMT

We can probably remove the supervisor use entirely and just use gosu exec cloudron:cloudron but maybe it's there for a reason

Reply to HashiCorp Vault on Tue, 30 Jun 2020 05:25:50 GMT

fbartels — Tue, 30 Jun 2020 05:25:50 GMT

@girish ah, yes of course. You need to set the capability on the binary to make use of it (as non root).

Reply to HashiCorp Vault on Tue, 30 Jun 2020 05:14:32 GMT

girish — Tue, 30 Jun 2020 05:14:32 GMT

@ultraviolet https://github.com/euanmcgregor/vault-cloudron/pull/2 fixes the mlock issue

Reply to HashiCorp Vault on Tue, 30 Jun 2020 04:40:37 GMT

girish — Tue, 30 Jun 2020 04:40:37 GMT

I can reproduce it. The container definitely has the IPC_LOCK caps, maybe it needs something more. Investigating

Reply to HashiCorp Vault on Mon, 29 Jun 2020 21:45:34 GMT

ultraviolet — Mon, 29 Jun 2020 21:45:34 GMT

@fbartels I did try to get ldap going, the issue doing it automatically during install is you need to unseal and login to the vault before you can enable the LDAP. Which is hard when the login info is in a text file I am sure it is possible but my knowledge is a bit limited on that, plus it might not be idempotent.

When I tried it manually it gave me that exact error I am still checking to see what the issue might be but I have kind of drawn a blank at the moment. Will take a fresh look later this week when I get a bit of time.

Reply to HashiCorp Vault on Mon, 29 Jun 2020 19:49:23 GMT

fbartels — Mon, 29 Jun 2020 19:49:23 GMT

@ultraviolet do you have ldap working already?

You had the ldap script missing (not added with git add) so I tried my own, but even after config has completed I cannot login and only get Authentication failed: ldap operation failed: unable to retrieve user bind DN

Reply to HashiCorp Vault on Mon, 29 Jun 2020 19:35:49 GMT

ultraviolet — Mon, 29 Jun 2020 19:35:49 GMT

@fbartels cool will wait and see what @girish finds.

Reply to HashiCorp Vault on Mon, 29 Jun 2020 19:04:36 GMT

fbartels — Mon, 29 Jun 2020 19:04:36 GMT

@ultraviolet yes, that is the workaround I am using at the moment as well.

Reply to HashiCorp Vault on Mon, 29 Jun 2020 19:02:53 GMT

ultraviolet — Mon, 29 Jun 2020 19:02:53 GMT

@fbartels if you change the variable disable_mlock in the start.sh to true it should start but the new capability will negate this.

Reply to HashiCorp Vault on Mon, 29 Jun 2020 18:56:04 GMT

fbartels — Mon, 29 Jun 2020 18:56:04 GMT

@ultraviolet I think I got a littler closer to a working state. Currently restarting since my Cloudron wanted a reboot after the last update.

https://github.com/euanmcgregor/vault-cloudron/pull/1

edit: hmm, no. this is what is logged:

Jun 29 20:54:05 2020-06-29 18:54:05,044 INFO spawned: 'vault' with pid 12
Jun 29 20:54:05 Error initializing core: Failed to lock memory: cannot allocate memory
Jun 29 20:54:05
Jun 29 20:54:05 This usually means that the mlock syscall is not available.
Jun 29 20:54:05 Vault uses mlock to prevent memory from being swapped to
Jun 29 20:54:05 disk. This requires root privileges as well as a machine
Jun 29 20:54:05 that supports mlock. Please enable mlock on your system or
Jun 29 20:54:05 disable Vault from using it. To disable Vault from using it,
Jun 29 20:54:05 set the `disable_mlock` configuration option in your configuration
Jun 29 20:54:05 file.
Jun 29 20:54:05 2020-06-29 18:54:05,115 INFO exited: vault (exit status 1; not expected)
Jun 29 20:54:06 2020-06-29 18:54:06,118 INFO spawned: 'vault' with pid 23

Reply to HashiCorp Vault on Mon, 29 Jun 2020 17:27:34 GMT

ultraviolet — Mon, 29 Jun 2020 17:27:34 GMT

pretty much yeah, the services won't start and the logs will show an error message

Reply to HashiCorp Vault on Mon, 29 Jun 2020 16:35:00 GMT

girish — Mon, 29 Jun 2020 16:35:00 GMT

@ultraviolet Let me test it out and get back. How should I test this? Just build the app and install it and it will fail ?

Reply to HashiCorp Vault on Mon, 29 Jun 2020 15:24:24 GMT

ultraviolet — Mon, 29 Jun 2020 15:24:24 GMT

@girish awesome. I can see that the change is in 5.3 and I have just upgraded. Made a small change but it is still throwing the error, my manifest file shows this now:


{
  "id": "com.vault.cloudron",
  "version": "0.1.0",
  "minBoxVersion": "5.3.0",
  "healthCheckPath": "/",
  "httpPort": 8200,
  "addons": {
    "localstorage": {},
    "ldap": {}
  },
  "capabilities": [
    "mlock"
  ],
  "manifestVersion": 2
}

Not sure if I am missing something here?

Reply to HashiCorp Vault on Fri, 26 Jun 2020 17:24:48 GMT

girish — Fri, 26 Jun 2020 17:24:48 GMT

@ultraviolet It seems we need to make another 5.3 release because of some issues. So, maybe I can put this in 5.3 as well. Let me see.

Reply to HashiCorp Vault on Fri, 26 Jun 2020 16:55:59 GMT

ultraviolet — Fri, 26 Jun 2020 16:55:59 GMT

@girish that is awesome stuff. I have disabled mlock in the config to get to get it going, once 5.4 is out I will adjust the manifest file.

Just working on LDAP integration!