Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#78742 - [vault] unable to use its integrated 'Raft' storage due to strict vault.service package file.
Attached to Project:
Community Packages
Opened by Jared Johnstone (ipaq) - Thursday, 08 June 2023, 23:08 GMT
Last edited by Justin Kromlinger (hashworks) - Sunday, 11 June 2023, 15:16 GMT
Details
Description: Unable to use Hashicorp Vault's new Integrated Storage (Raft) Backend, because the packaged vault.service not only sets ProtectHome=read-only but also ProtectSystem=full, preventing Vault from storing its data in its home directory or anywhere else (e.g. /etc/vault/).
Additional info:
* package version(s): vault 1.13.2-1
* config and/or log files etc.: NA - Issue resides in package contents (vault.service)
* link to upstream bug report, if any: NA - Issue is in our package

Steps to reproduce:
1. Install vault
2. Create /etc/vault.hcl with the Raft storage method:
```
storage "raft" {
  path    = "./data"
  node_id = "node1"
}
```
3. Watch vault fail vaguely about a read-only filesystem, but su'ing as the user and running it starts up fine.
4. Notice the contents of vault.service making it a read-only process despite needing to write its own storage in this mode.

In the meantime the workaround is to add a patch in our IaC to comment out that protection. I can understand how it was initially used given Vault had to rely on external services for its secret object storage. But with Raft, Vault can handle itself but needs write access to *something* (preferably its home at /var/lib/vault).
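As an added example (not from the bug report or from the Arch package), a systemd drop-in that keeps the packaged ProtectSystem=/ProtectHome= hardening and instead gives Vault a writable state directory for its Raft data; the drop-in file name and the /srv/vault path are assumptions, not something the package ships:

```ini
# /etc/systemd/system/vault.service.d/raft-storage.conf  (assumed path)
# Drop-in for the packaged vault.service. Rather than commenting out
# ProtectSystem=full / ProtectHome=read-only, keep them and make only
# the Raft data directory writable.
[Service]
# StateDirectory= creates /var/lib/vault owned by the service user and
# keeps it writable: ProtectSystem=full only makes /usr, /boot, /efi and
# /etc read-only, and ProtectHome=read-only only covers /home, /root and
# /run/user.
StateDirectory=vault
# Run from the state directory, so a relative storage path such as the
# "./data" from the report resolves below /var/lib/vault instead of
# below a read-only directory.
WorkingDirectory=/var/lib/vault
# If the data must live elsewhere, allow that one path explicitly
# instead of dropping the protection for the whole filesystem.
#ReadWritePaths=/srv/vault
```

The matching vault.hcl line is then `path = "/var/lib/vault/data"`; after adding the drop-in, run `systemctl daemon-reload` and restart the unit.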
This task depends upon
Closed by Justin Kromlinger (hashworks)
Sunday, 11 June 2023, 15:16 GMT
Reason for closing: Works for me
Additional comments about closing: User error.
FS#63783
Note that the upstream provided .service file [1] (which we are not using...yet) also contains ProtectHome=read-only and ProtectSystem=full
[1] https://github.com/hashicorp/vault/blob/main/.release/linux/package/usr/lib/systemd/system/vault.service
However, I've adjusted the package to use the service file provided by upstream to avoid future confusion.