FS#63783 - [vault] Systemd Slicing

Attached to Project: Community Packages
Opened by brent saner (sanerb) - Monday, 16 September 2019, 09:09 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:07 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Christian Rebischke (Shibumi)
Tim (bastelfreak)
Justin Kromlinger (hashworks)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Just a sidenote:

* This package is behind the upstream version; it was marked as out-of-date 12 days ago (current upstream is 1.2.2, [community] is 1.2.0)
* The default config shipped seems to be outdated. It still works, but e.g. "backend" should be "storage", and the URL in the comment (https://vaultproject.io/docs/config/) should instead be https://www.vaultproject.io/docs/configuration/ (I can create a separate task for this if desired.)

That aside, I recommend either modifying or copying (recommended) the vault.service file to vault@.service, with some minor changes (both for consistency with other packages - /usr/bin vs. /bin - and to enable slicing). Patch attached. Apply it with `patch -o vault\@.service < path/to/vault.service.patch`.

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:07 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/packaging/packages/vault/issues/1
Comment by Christian Rebischke (Shibumi) - Saturday, 16 November 2019, 11:45 GMT
Hi,
thanks for your patch. I am going to apply it as soon as I have fixed the current build process for it.
This is also the reason why we are 2 versions behind upstream.

Sadly we get 0 support from hashicorp for building it on our own.
Comment by loqs (loqs) - Saturday, 11 January 2020, 21:00 GMT
I was able to build the package by switching to external tools instead of govendor.
I have not done any testing beyond building the package.

First PKGBUILD is for go-bindata-assetfs:
Applied patch to go-bindata-assetfs for https://github.com/elazarl/go-bindata-assetfs/issues/33

Second PKGBUILD is for vault:
Switched to Arch packages for go-bindata go-bindata-assetfs gox goimports and removed unneeded python make depends.
Updated version to 1.3.1
Revert commit causing https://github.com/hashicorp/vault/issues/7475
Comment by Christian Rebischke (Shibumi) - Monday, 13 January 2020, 18:30 GMT
Thanks a lot loqs. I would like to mention you as contributor, are you willing to post your mail? Or is "# contributor: loqs" good enough for you?

Comment by Christian Rebischke (Shibumi) - Monday, 13 January 2020, 19:04 GMT
Sorry loqs, but vault is still not working. The UI shows just a link to "/" and no ui on localhost:8200/ui/ :S
Comment by Christian Rebischke (Shibumi) - Tuesday, 14 January 2020, 20:01 GMT
Hi, so I've managed to fix vault.

Now back to your bug report:

1. I will change the default configuration for vault

2. About the systemd service file: I would actually prefer that upstream manages the systemd service file. I always thought that you should just have one vault running, why do you need systemd slicing?
Comment by brent saner (sanerb) - Tuesday, 14 January 2020, 20:59 GMT
Upstream does not provide a systemd service file at all (https://github.com/hashicorp/vault/blob/843ab288d4719d317342c5de38051b2643926a66/website/source/guides/operations/deployment-guide.html.md#configure-systemd), which is why it's a source included in this package (but I don't need to tell you this, it being your own package). Knowing Hashicorp, they are very unlikely to bother distributing a systemd service file.

As for why, one can ask the same philosophical question of why the mariadb package has slicing for mysqld, or uwsgi when it offers vassal, etc. It facilitates running completely separate instances on the same host, which - Vault being a security-oriented program - is a good idea as it allows segregation of runtime instead of relying on in-software ACL. Best practices.
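
A template unit of the kind the description and the comment above argue for, written here as an added example; it is not the patch attached to this task nor the package's own unit. The `vault` user, the `/etc/vault/%i.hcl` config path, the state directory and the hardening directives are assumptions.

```ini
# /etc/systemd/system/vault@.service  (path and contents are assumptions)
# Start one instance per config file, e.g.: systemctl start vault@team-a.service
# %i expands to the instance name ("team-a" in that call).

[Unit]
Description=Vault server (instance %i)
Wants=network-online.target
After=network-online.target
# Refuse to start an instance that has no configuration of its own.
ConditionFileNotEmpty=/etc/vault/%i.hcl

[Service]
User=vault
Group=vault
# Each instance's config must define its own listener address and storage path.
ExecStart=/usr/bin/vault server -config=/etc/vault/%i.hcl
ExecReload=/usr/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure

# Each instance gets a private /var/lib/vault/<instance> directory.
StateDirectory=vault/%i
StateDirectoryMode=0700

# Vault locks memory so secrets are not swapped out; grant only that capability.
CapabilityBoundingSet=CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
LimitMEMLOCK=infinity
NoNewPrivileges=yes

# Filesystem and device isolation, applied separately to every instance.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
```

Instances started from a template are placed in `system-vault.slice` by default, so resource limits for all Vault instances can be set on that slice.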
Comment by Toolybird (Toolybird) - Friday, 28 April 2023, 22:39 GMT
There seems to be a service file provided by upstream these days...but no idea if it's suitable or not.

.release/linux/package/usr/lib/systemd/system/vault.service
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
