The following provides an example rc script and configuration guidance for starting Vault under recent versions of OpenBSD.
Example rc Script
The following is a reasonable reference point for an example startup script, /etc/rc.d/vault:
#!/bin/ksh
daemon="/usr/local/bin/vault"
. /etc/rc.d/rc.subr
# Custom start: Vault writes its log to stdout/stderr, so pipe both into syslog under the "vault" tag
rc_start() {
${rcexec} "${daemon} ${daemon_flags} 2>&1 | logger -t vault &"
}
rc_cmd $1
The only significant deviation here from a standard rc script is the custom rc_start() function, which adds the redirection and logger pipeline that Vault's mode of logging requires; these log handling arguments do not function properly when added to vault_flags in the rc configuration.
This configuration causes Vault to emit its logs to the system log, so they appear in the output of /var/log/messages:
Sep 18 00:50:04 openbsd-63 vault: ==> Vault server configuration:
Sep 18 00:50:04 openbsd-63 vault:
Sep 18 00:50:04 openbsd-63 vault: Cgo: disabled
Sep 18 00:50:04 openbsd-63 vault: Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
Sep 18 00:50:04 openbsd-63 vault: Log Level: info
Sep 18 00:50:04 openbsd-63 vault: Mlock: supported: true, enabled: true
Sep 18 00:50:04 openbsd-63 vault: Storage: file
Sep 18 00:50:04 openbsd-63 vault: Version: Vault v0.10.3
Sep 18 00:50:04 openbsd-63 vault: Version Sha: c69ae68faf2bf7fc1d78e3ec62655696a07454c7
Sep 18 00:50:04 openbsd-63 vault:
Sep 18 00:50:04 openbsd-63 vault: ==> Vault server started! Log data will stream in below:
Sep 18 00:50:04 openbsd-63 vault:
Sep 18 00:50:08 openbsd-63 vault: 2018-09-18T00:50:08.998Z [INFO ] core: security barrier not initialized
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.847Z [INFO ] core: security barrier not initialized
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.852Z [INFO ] core: security barrier initialized: shares=1 threshold=1
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.856Z [INFO ] core: post-unseal setup starting
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.876Z [INFO ] core: loaded wrapping token key
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.876Z [INFO ] core: successfully setup plugin catalog: plugin-directory=
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.876Z [INFO ] core: no mounts; adding default mount table
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.878Z [INFO ] core: successfully mounted backend: type=kv path=secret/
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.878Z [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.878Z [INFO ] core: successfully mounted backend: type=system path=sys/
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.878Z [INFO ] core: successfully mounted backend: type=identity path=identity/
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.884Z [INFO ] core: restoring leases
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.885Z [INFO ] rollback: starting rollback manager
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.886Z [INFO ] identity: entities restored
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.886Z [INFO ] identity: groups restored
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.886Z [INFO ] core: post-unseal setup complete
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.890Z [INFO ] core: root token generated
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.890Z [INFO ] core: pre-seal teardown starting
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.890Z [INFO ] core: cluster listeners not running
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.890Z [INFO ] expiration: lease restore complete
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.906Z [INFO ] rollback: stopping rollback manager
Sep 18 00:50:19 openbsd-63 vault: 2018-09-18T00:50:19.906Z [INFO ] core: pre-seal teardown complete
Sep 18 00:50:30 openbsd-63 vault: 2018-09-18T00:50:30.226Z [INFO ] core: vault is unsealed
These log entries demonstrate a successful Vault server startup, initialization, and unsealing. This mode of operation involves a bit of a workaround. See also GitHub #2497.
You can also substitute the use of logger with appending to a static log file, using an rc_start() more along these lines:
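Once Vault's startup banner lands in /var/log/messages through the logger pipeline above, it is worth checking it for the settings a defender cares about rather than only for the "vault is unsealed" line. The following is an added example, not part of the original page or of Vault itself; the sample lines in SAMPLE_LOG are constructed to match the syslog format shown above, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page or from Vault): audit the startup
# banner that Vault emits through `logger -t vault` for settings a defender
# wants to confirm before trusting the service.
# SAMPLE_LOG is constructed, modelled on the syslog format shown on the page.
SAMPLE_LOG='Sep 18 00:50:04 openbsd-63 vault: ==> Vault server configuration:
Sep 18 00:50:04 openbsd-63 vault: Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
Sep 18 00:50:04 openbsd-63 vault: Log Level: info
Sep 18 00:50:04 openbsd-63 vault: Mlock: supported: true, enabled: true
Sep 18 00:50:04 openbsd-63 vault: Storage: file
Sep 18 00:50:30 openbsd-63 vault: 2018-09-18T00:50:30.226Z [INFO ] core: vault is unsealed'

# Print the value of one "Key: value" banner field read from stdin. Only lines
# tagged "vault:" by logger are considered, so other daemons' messages in
# /var/log/messages are ignored.
banner_field() {   # $1 = field name (e.g. Mlock, "Log Level")
    sed -n "s/^.* vault: $1: \(.*\)\$/\1/p" | head -n 1
}

# Return 0 when every listener has TLS enabled, mlock is enabled and the
# "vault is unsealed" message was logged; otherwise print one finding per
# line and return 1. (Hypothetical helper; $1 = log text.)
vault_startup_check() {
    _log=$1
    _rc=0
    if printf '%s\n' "$_log" | grep -q ' vault: Listener .*tls: "disabled"'; then
        echo 'FINDING: a listener is configured with tls: "disabled"'
        _rc=1
    fi
    case $(printf '%s\n' "$_log" | banner_field Mlock) in
        *'enabled: true'*) ;;
        *) echo 'FINDING: mlock is not enabled'; _rc=1 ;;
    esac
    if ! printf '%s\n' "$_log" | grep -q ' vault: .*core: vault is unsealed'; then
        echo 'FINDING: no "vault is unsealed" message seen'
        _rc=1
    fi
    return $_rc
}

# On a live system: vault_startup_check "$(grep ' vault: ' /var/log/messages)"
vault_startup_check "$SAMPLE_LOG" || echo "startup check failed (status $?)"
```

Run against the constructed sample it reports the TLS-disabled listener that the page's own banner shows, and exits non-zero; against a banner with TLS enabled on every listener it exits zero.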
rc_start() {
${rcexec} "${daemon} ${daemon_flags} >> /var/log/vault.log 2>&1 &"
}
This will continuously append to the file /var/log/vault.log instead of using syslog. Note that when operating this way, you will need to configure log rotation yourself if you want it.
Local rc Configuration
Here is an example of the service configuration entries for /etc/rc.conf.local:
vault_flags="server -config=/etc/vault"
vault_user="vault"
Here, we are instructing Vault to operate as a server and to load its configuration from HCL files found in the /etc/vault directory.
We're also instructing the rc subsystem to execute the vault process as the user vault, which should be an existing user or replaced with your preferred user. You should avoid running Vault as the root user in production.
You can add additional startup flags here as well. For example, here is how to instruct Vault to log at TRACE level:
vault_flags="server -config=/etc/vault -log-level=trace"
The Log Level value of trace is reflected in the banner at the next Vault startup:
Sep 18 01:40:51 openbsd-63 vault: Log Level: trace
Sep 18 01:40:51 openbsd-63 vault: Mlock: supported: true, enabled: true
Sep 18 01:40:51 openbsd-63 vault: Storage: file
Sep 18 01:40:51 openbsd-63 vault: Version: Vault v0.10.3
Sep 18 01:40:51 openbsd-63 vault: Version Sha: c69ae68faf2bf7fc1d78e3ec62655696a07454c7
Sep 18 01:40:51 openbsd-63 vault:
Sep 18 01:40:51 openbsd-63 vault: ==> Vault server started! Log data will stream in below:
Sep 18 01:40:51 openbsd-63 vault:
Sep 18 01:40:51 openbsd-63 vault: 2018-09-18T01:40:51.906Z [DEBUG] storage.cache: creating LRU cache: size=0
Sep 18 01:40:51 openbsd-63 vault: 2018-09-18T01:40:51.918Z [DEBUG] cluster listener addresses synthesized: cluster_addresses=[0.0.0.0:8201]
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.879Z [INFO ] core: vault is unsealed
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.879Z [INFO ] core: post-unseal setup starting
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.879Z [DEBUG] core: clearing forwarding clients
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.879Z [DEBUG] core: done clearing forwarding clients
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.880Z [INFO ] core: loaded wrapping token key
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.880Z [INFO ] core: successfully setup plugin catalog: plugin-directory=
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.881Z [INFO ] core: successfully mounted backend: type=kv path=secret/
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.881Z [INFO ] core: successfully mounted backend: type=system path=sys/
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.882Z [INFO ] core: successfully mounted backend: type=identity path=identity/
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.882Z [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.884Z [INFO ] core: restoring leases
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.884Z [DEBUG] identity: loading entities
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.884Z [DEBUG] identity: entities collected: num_existing=0
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.885Z [INFO ] rollback: starting rollback manager
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.885Z [DEBUG] expiration: collecting leases
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.885Z [DEBUG] expiration: leases collected: num_existing=0
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.886Z [INFO ] identity: entities restored
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.886Z [DEBUG] identity: identity loading groups
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.886Z [DEBUG] identity: groups collected: num_existing=0
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.886Z [INFO ] identity: groups restored
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.886Z [INFO ] core: post-unseal setup complete
Sep 18 01:41:19 openbsd-63 vault: 2018-09-18T01:41:19.887Z [INFO ] expiration: lease restore complete
Note also that DEBUG level messages now appear as well.
Starting, Stopping & Reloading
Once you've installed the rc script and configured it, you can start, stop or reload Vault with rcctl:
$ doas rcctl start vault
vault(ok)
$ doas rcctl stop vault
vault(ok)
$ doas rcctl reload vault
vault(ok)