This is a continuation from my previous two posts (Part Zero and Part One) about the need to have automated way of storing and pull LUKS keys for my servers.
In this post, we are going to setup the Vault servers.
I will preface this by saying, i really would not recommend using this setup in production without some major reworking. The internal comms are currently not using TLS for starters. That will be added very shortly, but at the moment this was more a proof of concept.
Setting up the Vault Servers
The configuration of the vault servers is done in 2 parts. First you need to install consul to run as an agent (rather than a server) to communicate with the consul cluster we setup previously. Then you need to install the vault server itself.
Setting up the Consul Agent
This is a very similar process to setting up the Consul servers, just with a change in the config.json.
Grab consul:
1
wget https://releases.hashicorp.com/consul/1.6.1/consul_1.6.1_linux_amd64.zip
Unzip it:
1
unzip consul_1.6.1_linux_amd64.zip
Move it to /usr/local/bin
1
mv consul /usr/local/bin/
Set the owner to root;
1
chown root:root /usr/local/bin/consul
Create the required directories:
1
2
mkdir /etc/consul
mkdir -p /var/consul/data
Now we need to create the consul client config, open the following file in your favourite text editor ‘vim /etc/consul/client.json’
1
vim /etc/consul/client.json
Enter in the following:
1
2
3
4
5
6
7
8
9
10
11
12
13
{
"server": false,
"datacenter": "Haynet",
"node_name": "vault1",
"data_dir": "/var/consul/data",
"bind_addr": "192.168.0.194",
"client_addr": "127.0.0.1",
"retry_join": ["192.168.0.191", "192.168.0.193", "192.168.0.72"],
"encrypt": "SAME KEY FROM SERVER SECTION",
"log_level": "DEBUG",
"enable_syslog": true,
"acl_enforce_version_8": false
}
You will need to set the ‘encrypt’ key to the same that you set in the Consul server setup above.
You will also need to set the bind_addr to the IP of the server and the ‘retry join’ to the IP’s of you consul servers.
Do this on both Vault servers, but change the ‘node_name’.
We are going to have consul run as its own user now. So lets add a consul system user:
1
useradd --system --home /etc/consul.d --shell /bin/false consul
Now we need to set the correct permissions on one of the directories we created:
1
chown consul:consul /var/consul -R
Next we need to create the service file to start the consul agent.
In your favourite text editor open the following file: /etc/systemd/system/consul-agent.service
and enter the following:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[Unit]
Description=Consul client agent
Requires=network-online.target
After=network-online.target
[Service]
User=consul
Group=consul
PIDFile=/var/run/consul/consul.pid
PermissionsStartOnly=true
ExecStartPre=-/bin/mkdir -p /var/run/consul
ExecStartPre=/bin/chown -R consul:consul /var/run/consul
ExecStart=/usr/local/bin/consul agent \
-config-file=/etc/consul/client.json \
-pid-file=/var/run/consul/consul.pid
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
Finally lets get the agent started:
1
2
3
systemctl daemon-reload
systemctl enable consul-agent
systemctl start consul-agent
If you check back on your Consul UI, you should see the new hosts added on there.
Setting up Vault on the Vault servers
Now we need to setup vault on these servers. The process is very similar to the consul setup.
Grab the vault binary:
1
wget https://releases.hashicorp.com/vault/1.2.3/vault_1.2.3_linux_amd64.zip
Unzip it:
1
unzip vault_1.2.3_linux_amd64.zip
Move it to /usr/local/bin:
1
mv vault /usr/local/bin/
Check it works:
1
2
3
4
5
6
7
8
9
10
[root@vault1 ~]# vault -h
Usage: vault <command> [args]
Common commands:
read Read data and retrieves secrets
write Write data, configuration, and secrets
delete Delete secrets and configuration
list List data or secrets
......
Now create the required directories:
1
2
mkdir /etc/vault
mkdir /var/log/vault
Create the following file and open it with you favourite text editor:
1
vim /etc/vault/config.json
And enter in the following details:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
"listener": [{
"tcp": {
"address" : "0.0.0.0:8200",
"tls_disable" : 1
}
}],
"api_addr": "http://192.168.0.194:8200",
"storage": {
"consul" : {
"address" : "127.0.0.1:8500",
"path": "vault"
}
},
"max_lease_ttl": "10h",
"default_lease_ttl": "10h",
"ui":true
}
Remember to change the api_addr
Now to create the service file, create and open the following file in your favourite text editor
1
vim /etc/systemd/system/vault.service
and enter in the following details:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[Unit]
Description=vault service
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.json
[Service]
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json
StandardOutput=/var/log/vault/output.log
StandardError=/var/log/vault/error.log
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM
[Install]
WantedBy=multi-user.target
We are also going to need to open a bunch of firewall rules (some of these may not be needed – but for the purpose of this POC i have added all the consul ports and the vault port:
1
2
3
4
5
6
7
8
9
10
11
12
firewall-cmd --permanent --add-port=8200/tcp
firewall-cmd --permanent --add-port=8201/tcp
firewall-cmd --permanent --add-port=8300/tcp
firewall-cmd --permanent --add-port=8301/tcp
firewall-cmd --permanent --add-port=8301/udp
firewall-cmd --permanent --add-port=8302/tcp
firewall-cmd --permanent --add-port=8302/udp
firewall-cmd --permanent --add-port=8400/tcp
firewall-cmd --permanent --add-port=8500/tcp
firewall-cmd --permanent --add-port=8600/tcp
firewall-cmd --permanent --add-port=8600/udp
firewall-cmd --reload
Finally, lets get vault started:
1
2
3
systemctl daemon-reload
systemctl enable vault
systemctl start vault
Its worth checking that vault has come up, first run the following to add the vauld address environment variable:
1
echo "export VAULT_ADDR=http://192.168.0.194:8200" >> ~/.bashrc
Then run the following to confirm vault is up
1
2
3
4
5
6
7
8
9
10
11
12
13
14
[root@vault1 ~]# vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.2.3
Cluster Name vault-cluster-e093bfc5
Cluster ID b3f75720-44b7-a057-bf58-d80e4d54932d
HA Enabled true
HA Cluster https://192.168.0.194:8201
HA Mode active
Note: Your output will be different, the above is with vaul unsealed.
That is it for the installation. Now its onto configuring Vault.
Head over to the next section to configure vault.