Vault Agent Template doesn't render with message missing dependency: vault.write
When running under systemctl, the Vault Agent v1.4.2 service fails to render the templates and create the files.
But the same template rendering works as expected when the command used in the Vault Agent service is run directly:
/opt/vault/bin/vault agent -config /opt/vault/config/default.hcl -log-level=info
So it looks like the OS systemctl is not able to execute the command the way it is executed directly.
cat /etc/systemd/system/vault.service

```ini
[Unit]
Description="HashiCorp Vault Agent"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/opt/vault/config/default.hcl

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/opt/vault/bin/vault agent -config /opt/vault/config/default.hcl -log-level=debug
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```
journalctl -u vault
[DEBUG] (runner) running initial templates
[DEBUG] (runner) initiating run
[DEBUG] (runner) checking template 749c1d765e84e3e67f9dbb98ec983bf1
[DEBUG] (runner) missing data for 1 dependencies
**[DEBUG] (runner) missing dependency: vault.write(pki_int/test/issue/com -> 02a1cc85)**
[DEBUG] (runner) add used dependency vault.write(pki_int/test/issue/com -> 02a1cc85) to missing since isLeader but do not have a watcher
[DEBUG] (runner) was not watching 1 dependencies
[DEBUG] (watcher) adding vault.write(pki_int/test/issue/com -> 02a1cc85)
[DEBUG] (runner) checking template 43304cf2b8e3710476a7972b03a7544e
[DEBUG] (runner) missing data for 1 dependencies
[DEBUG] (runner) missing dependency: vault.write(pki_int/test/issue/com -> 02a1cc85)
[DEBUG] (runner) missing data for 1 dependencies
[DEBUG] (runner) checking template ca2b67db58c83f0e184663098bcb74b8
[DEBUG] (runner) rendering "(dynamic)" => "/tmp/abc.test"
[INFO] (runner) rendered "(dynamic)" => "/tmp/abc.test"
[DEBUG] (runner) diffing and updating dependencies
[DEBUG] (runner) watching 1 dependencies
[INFO] auth.handler: renewed auth token
[DEBUG] Found certificate and set lease duration to 150 seconds
[DEBUG] (runner) receiving dependency vault.write(pki_int/test/issue/com -> 02a1cc85)
[DEBUG] (runner) initiating run
[DEBUG] (runner) checking template 749c1d765e84e3e67f9dbb98ec983bf1
[DEBUG] (runner) rendering "/opt/vault/templates/test.cert.tpl" => "/tmp/test.cert.pem"
[INFO] (runner) rendered "/opt/vault/templates/test.cert.tpl" => "/tmp/test.cert.pem"
[DEBUG] (runner) checking template 43304cf2b8e3710476a7972b03a7544e
[DEBUG] (runner) rendering "/opt/vault/templates/test.key.tpl" => "/tmp/test.key.pem"
[INFO] (runner) rendered "/opt/vault/templates/test.key.tpl" => "/tmp/test.key.pem"
[DEBUG] (runner) checking template ca2b67db58c83f0e184663098bcb74b8
[DEBUG] (runner) rendering "(dynamic)" => "/tmp/abc.test"
[DEBUG] (runner) diffing and updating dependencies
[DEBUG] (runner) vault.write(pki_int/test/issue/com -> 02a1cc85) is still needed
[DEBUG] (runner) watching 1 dependencies
[DEBUG] (runner) all templates rendered
Templates

test-cert.tpl

```
{{- /* test.abc.com.cert.tpl */ -}}
{{ with secret "pki_int/test/issue/abc.com" "common_name=test.abc.com" "ttl=2m" }}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}{{ end }}
```

test-key.tpl

```
{{ with secret "pki_int/test/issue/abc.com" "common_name=test.abc.com" "ttl=2m" }}
{{ .Data.private_key }}{{ end }}
{{- /* test.abc.com.key.tpl */ -}}
```

test.tpl

```
{{ with secret "pki_int/test/issue/abc.com" "common_name=test.abc.com" "ttl=2m" }}
{{ .Data.private_key }}{{ end }}
abc123
```
To Reproduce

Steps to reproduce the behavior:
1. Run `systemctl restart vault`
2. Run `journalctl -u vault`
3. See error

Expected behavior

I expected it to create the following files with certs:
- /tmp/test.cert.pem
- /tmp/test.key.pem
- /tmp/abc.test
Environment:
- Vault Server Version (retrieve with `vault status`): 1.4.2
- Vault CLI Version (retrieve with `vault version`): v1.4.2
- Server Operating System/Architecture: Red Hat Enterprise Linux Server release 7.8 (Maipo)
Vault Agent Configuration File(s):

cat /opt/vault/config/default.hcl

```hcl
pid_file = "/opt/vault/data/vault-pid"

vault {
  address = "https://xxxxxxxxx:443"
}

auto_auth {
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "test-iam-role"
    }
  }

  sink "file" {
    config = {
      path = "/opt/vault/data/vault-token"
    }
  }
}

template {
  source      = "/opt/vault/templates/test.cert.tpl"
  destination = "/tmp/test.cert.pem"
  perms       = "0600"
}

template {
  source      = "/opt/vault/templates/test.key.tpl"
  destination = "/tmp/test.key.pem"
  perms       = "0600"
}

template {
  contents    = "testabc"
  destination = "/tmp/abc.test"
}
```
Additional context

I have masked the data to remove references to the original domain, so please bear that in mind if anything doesn't match.

I managed to work around this by changing the location of the certificate files from "/tmp" to "/opt/vault/certs", which resolved the issue.
The systemd config you shared sets PrivateTmp=yes, which makes files written to tmp visible only to Vault and not to other processes (see the systemd docs). Removing this value will let you write to tmp and have other processes read the output.

As a side note, this looks like a systemd config designed for Vault server rather than Vault Agent, which is probably why it is locked down so tightly.
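The reply above pins the symptom on a unit-level sandboxing directive rather than on the agent, and the reporter's own workaround (moving the destinations out of /tmp) is the other way to resolve the same conflict. The following script is an added example, not code from the issue, from HashiCorp or from systemd: it reads a Vault Agent HCL file together with the systemd unit the agent runs under and flags template destinations that the unit would hide (PrivateTmp=) or make read-only (ProtectSystem=, which with `yes`/`true` mounts /usr, /boot and /efi read-only and with `full` also /etc). The unit and agent config it checks are constructed sample input modelled on the issue, and it assumes the simple one-directive-per-line unit format and the `destination = "..."` form seen in the reporter's config.

```shell
#!/bin/sh
# Added example (not from the issue, HashiCorp or systemd): lint a Vault Agent
# config against the systemd unit it runs under, flagging template
# destinations that the unit's sandboxing would hide or block.
set -eu

# Value of a directive in the unit file (last occurrence wins, as in systemd);
# prints nothing if the directive is absent.
unit_directive() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# All template destination paths in an agent HCL file (one per line).
agent_destinations() {
  sed -n 's/^[[:space:]]*destination[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Print one line per finding: <CODE> <path>: <explanation>. Paths that the
# sandbox leaves reachable produce no output.
check_destinations() {
  unit=$1 cfg=$2
  private_tmp=$(unit_directive "$unit" PrivateTmp)
  protect_system=$(unit_directive "$unit" ProtectSystem)
  for dest in $(agent_destinations "$cfg"); do
    case "$dest" in
      /tmp/*|/var/tmp/*)
        case "$private_tmp" in
          yes|true|on|1)
            echo "PRIVATE_TMP $dest: lands in the unit's private tmp namespace; other services cannot see it" ;;
        esac ;;
      /usr/*|/boot/*|/efi/*)
        case "$protect_system" in
          yes|true|on|1|full)
            echo "READ_ONLY $dest: ProtectSystem=$protect_system mounts this tree read-only" ;;
        esac ;;
      /etc/*)
        if [ "$protect_system" = "full" ]; then
          echo "READ_ONLY $dest: ProtectSystem=full mounts /etc read-only"
        fi ;;
    esac
  done
  return 0
}

# Number of findings, for use in scripts (0 means every destination is reachable).
count_findings() {
  check_destinations "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample input modelled on the issue: the unit keeps PrivateTmp=yes
# and ProtectSystem=full; two destinations sit under /tmp, one under /etc and
# one under /opt/vault/certs (the directory the reporter moved to).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
UNIT_FILE=$WORKDIR/vault.service
AGENT_CFG=$WORKDIR/default.hcl
cat > "$UNIT_FILE" <<'EOF'
[Service]
User=vault
ProtectSystem=full
PrivateTmp=yes
ExecStart=/opt/vault/bin/vault agent -config /opt/vault/config/default.hcl
EOF
cat > "$AGENT_CFG" <<'EOF'
template {
  source      = "/opt/vault/templates/test.cert.tpl"
  destination = "/tmp/test.cert.pem"
  perms       = "0600"
}
template {
  source      = "/opt/vault/templates/test.key.tpl"
  destination = "/tmp/test.key.pem"
}
template {
  contents    = "testabc"
  destination = "/etc/vault/abc.test"
}
template {
  source      = "/opt/vault/templates/test.cert.tpl"
  destination = "/opt/vault/certs/test.cert.pem"
}
EOF

check_destinations "$UNIT_FILE" "$AGENT_CFG"
echo "findings: $(count_findings "$UNIT_FILE" "$AGENT_CFG")"
```

Run against the sample it reports the two /tmp destinations and the /etc one, and nothing for /opt/vault/certs, which is why the reporter's relocation worked without touching the unit. Keeping PrivateTmp=yes and writing the rendered certificates and keys to a dedicated directory owned by the `vault` user retains the sandboxing the unit was built with; dropping the directive, as the reply suggests, is the alternative when consumers genuinely need to read from the shared /tmp.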