This repository has been archived by the owner on Jan 25, 2023. It is now read-only.

Merge pull request #142 from edtan/systemd
Switch from supervisord to systemd
Etiene authored Apr 3, 2019
2 parents 217ec72 + d660539 commit df75973
Showing 15 changed files with 155 additions and 290 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -59,7 +59,7 @@ To deploy the Vault cluster:

If you are just experimenting with this Module, you may find it more convenient to use one of our official public AMIs:
- [Latest Ubuntu 16 AMIs](https://github.com/hashicorp/terraform-aws-vault/tree/master/_docs/ubuntu16-ami-list.md).
- [Latest Amazon Linux AMIs](https://github.com/hashicorp/terraform-aws-vault/tree/master/_docs/amazon-linux-ami-list.md).
- [Latest Amazon Linux 2 AMIs](https://github.com/hashicorp/terraform-aws-vault/tree/master/_docs/amazon-linux-ami-list.md).

**WARNING! Do NOT use these AMIs in your production setup. In production, you should build your own AMIs in your
own AWS account.**
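Review bot: the changed link text now reads "Latest Amazon Linux 2 AMIs" but still points at `_docs/amazon-linux-ami-list.md`; confirm that list was regenerated from the new `amazon-linux-2-ami` builder, otherwise the README advertises AMIs built from the old Amazon Linux base under the new label. While this line is being touched, "Latest Ubuntu 16 AMIs" could read "Ubuntu 16.04" to match the rest of the docs.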
2 changes: 1 addition & 1 deletion examples/vault-auto-unseal/README.md
@@ -49,7 +49,7 @@ even if you immediately delete it.
1. Ssh to an instance in the vault cluster and run `vault operator init` to initialize
the cluster, then `vault status` to check that it is unsealed. If you ssh to a
different node in the cluster, you might have to restart Vault first with
`sudo supervisorctl restart vault` so it will rejoin the cluster and unseal.
`sudo systemctl restart vault.service` so it will rejoin the cluster and unseal.
To avoid doing that, you can start your cluster with initially just one node and
start the server, then change the `vault_cluster_size` variable back to 3 and and
run `terraform apply again`. The new nodes will join the cluster already unsealed
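Review bot: `sudo systemctl restart vault.service` is the right replacement, but two pre-existing typos sit in this hunk's context lines and are worth fixing while the paragraph is open: "back to 3 and and run" has a doubled "and", and in "run `terraform apply again`" the closing backtick wraps the word "again" into the command; it should read "run `terraform apply` again".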
2 changes: 1 addition & 1 deletion examples/vault-consul-ami/README.md
@@ -7,7 +7,7 @@ from the Consul AWS Module with [Packer](https://www.packer.io/) to create [Amaz
(AMIs)](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) that have Vault and Consul installed on top of:

1. Ubuntu 16.04
1. Amazon Linux
1. Amazon Linux 2

You can use this AMI to deploy a [Vault cluster](https://www.vaultproject.io/) by using the [vault-cluster
module](https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster). This Vault cluster will use Consul as its storage backend, so you can also use the
24 changes: 15 additions & 9 deletions examples/vault-consul-ami/vault-consul.json
@@ -32,17 +32,17 @@
},
"ssh_username": "ubuntu"
},{
"ami_name": "vault-consul-amazon-linux-{{isotime | clean_ami_name}}-{{uuid}}",
"ami_description": "An Amazon Linux AMI that has Vault and Consul installed.",
"ami_name": "vault-consul-amazon-linux-2-{{isotime | clean_ami_name}}-{{uuid}}",
"ami_description": "An Amazon Linux 2 AMI that has Vault and Consul installed.",
"instance_type": "t2.micro",
"name": "amazon-linux-ami",
"name": "amazon-linux-2-ami",
"region": "{{user `aws_region`}}",
"type": "amazon-ebs",
"source_ami_filter": {
"filters": {
"virtualization-type": "hvm",
"architecture": "x86_64",
"name": "*amzn-ami-hvm-*",
"name": "*amzn2-ami-hvm-*",
"block-device-mapping.volume-type": "gp2",
"root-device-type": "ebs"
},
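Review bot: the `source_ami_filter` name pattern becomes `*amzn2-ami-hvm-*`, which has a leading wildcard; that is only safe if the filter's `owners` field (outside this hunk) is still restricted to Amazon's account, otherwise `most_recent` can pick any public AMI whose name matches and hand an attacker control of the base image. Please confirm `owners` is set. Also, the builder `name` changes from `amazon-linux-ami` to `amazon-linux-2-ami`, so any `packer build -only=amazon-linux-ami` invocation in CI or docs will stop matching; an upgrade note would help.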
@@ -87,7 +87,7 @@
},{
"type": "shell",
"inline": [
"if [ '{{user `install_auth_signing_script`}}' = 'true' ]; then",
"if [[ '{{user `install_auth_signing_script`}}' == 'true' ]]; then",
"sudo mv /tmp/sign-request.py /opt/vault/scripts/",
"else",
"sudo rm /tmp/sign-request.py",
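Review bot: switching `[ ... = 'true' ]` to `[[ ... == 'true' ]]` makes this inline block bash-only; Packer runs `inline` scripts with `/bin/sh -e` unless `inline_shebang` is set, and `/bin/sh` is dash on Ubuntu 16.04, where `[[` is a syntax error. The `"inline_shebang": "/bin/bash -e"` added further down in this same provisioner covers it; just make sure that key stays attached to this provisioner object and does not end up on a neighbour during a later edit.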
@@ -99,23 +99,29 @@
"sudo chmod -R 600 /opt/vault/tls",
"sudo chmod 700 /opt/vault/tls",
"sudo /tmp/terraform-aws-vault/modules/update-certificate-store/update-certificate-store --cert-file-path /opt/vault/tls/ca.crt.pem"
]
],
"inline_shebang": "/bin/bash -e"
},{
"type": "shell",
"inline": [
"sudo apt-get install -y git",
"if [ '{{user `install_auth_signing_script`}}' = 'true' ]; then",
"if [[ '{{user `install_auth_signing_script`}}' == 'true' ]]; then",
"sudo apt-get install -y python-pip",
"LC_ALL=C && sudo pip install boto3",
"fi"
],
"inline_shebang": "/bin/bash -e",
"only": ["ubuntu16-ami"]
},{
"type": "shell",
"inline": [
"sudo yum install -y git"
"sudo yum install -y git",
"if [[ '{{user `install_auth_signing_script`}}' == 'true' ]]; then",
"sudo yum install -y python2-pip",
"LC_ALL=C && sudo pip install boto3",
"fi"
],
"only": ["amazon-linux-ami"]
"only": ["amazon-linux-2-ami"]
},{
"type": "shell",
"inline": [
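Review bot: the yum provisioner now uses `[[ ... ]]` but, unlike the apt provisioner above it, gets no `inline_shebang`; it only works because `/bin/sh` happens to be bash on Amazon Linux 2. Add `"inline_shebang": "/bin/bash -e"` there too for consistency. Separately, `LC_ALL=C && sudo pip install boto3` (copied from the Ubuntu block) sets `LC_ALL` in the provisioner's shell, not in pip's environment, because `sudo` resets the environment by default; write `sudo LC_ALL=C pip install boto3` if the locale matters. Pinning `boto3` to a version (ideally with `--require-hashes`) would also keep the AMI build reproducible instead of pulling whatever PyPI serves at build time.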
17 changes: 9 additions & 8 deletions modules/install-vault/README.md
@@ -8,7 +8,7 @@ This folder contains a script for installing Vault and its dependencies. You can
This script has been tested on the following operating systems:

* Ubuntu 16.04
* Amazon Linux
* Amazon Linux 2

There is a good chance it will work on other flavors of Debian, CentOS, and RHEL as well.

@@ -61,7 +61,6 @@ The `install-vault` script does the following:
1. [Creates a user and folders for Vault](#create-a-user-and-folders-for-vault)
1. [Installs Vault binaries and scripts](#install-vault-binaries-and-scripts)
1. [Configures mlock](#configure-mlock)
1. [Installs supervisord](#install-supervisord)
1. [Follow-up tasks](#follow-up-tasks)


@@ -94,12 +93,6 @@ Gives Vault permissions to make the `mlock` (memory lock) syscall. This syscall
Vault's memory to disk. For more info, see: https://www.vaultproject.io/docs/configuration/#disable_mlock.


### Installs supervisord

Installs [supervisord](http://supervisord.org/). We use it as a cross-platform supervisor to ensure Vault is started
whenever the system boots and restarted if the Vault process crashes.


### Follow-up tasks

After the `install-vault` script finishes running, you may wish to do the following:
@@ -111,6 +104,14 @@ After the `install-vault` script finishes running, you may wish to do the follow



## Dependencies

The install script assumes that `systemd` is already installed. We use it as a cross-platform supervisor to ensure Vault is started
whenever the system boots and restarted if the Vault process crashes. Additionally, it is used to store all logs which can be accessed
using `journalctl`.



## Why use Git to install this code?

We needed an easy way to install these scripts that satisfied a number of requirements, including working on a variety
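Review bot: the new Dependencies paragraph keeps the phrase "cross-platform supervisor" from the supervisord text it replaces, but systemd is Linux-only and present only on distributions that ship it, so the sentence should say that, and the "good chance it will work on other flavors of Debian, CentOS, and RHEL" claim above is now conditional on systemd being the init system. "store all logs" is also too broad: the journal captures Vault's stdout/stderr (server logs), while Vault audit device logs are configured inside Vault and do not reach the journal unless an audit device is pointed there. Suggested wording: "Vault's server output is captured by the journal and can be read with `journalctl -u vault.service`."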
63 changes: 2 additions & 61 deletions modules/install-vault/install-vault
@@ -3,7 +3,7 @@
# operating systems:
#
# 1. Ubuntu 16.04
# 2. Amazon Linux
# 2. Amazon Linux 2

set -e

@@ -15,16 +15,13 @@ readonly DOWNLOAD_PACKAGE_PATH="/tmp/vault.zip"
readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SYSTEM_BIN_DIR="/usr/local/bin"

readonly SUPERVISOR_DIR="/etc/supervisor"
readonly SUPERVISOR_CONF_DIR="$SUPERVISOR_DIR/conf.d"

readonly SCRIPT_NAME="$(basename "$0")"

function print_usage {
echo
echo "Usage: install-vault [OPTIONS]"
echo
echo "This script can be used to install Vault and its dependencies. This script has been tested with Ubuntu 16.04 and Amazon Linux."
echo "This script can be used to install Vault and its dependencies. This script has been tested with Ubuntu 16.04 and Amazon Linux 2."
echo
echo "Options:"
echo
@@ -108,59 +105,6 @@ function retry {
exit $exit_status
}

# Install steps are based on: http://unix.stackexchange.com/a/291098/215969
function install_supervisord_debian {
sudo apt-get install -y supervisor
sudo update-rc.d supervisor defaults

create_supervisor_config
sudo systemctl enable supervisor
}


function two_way_symlink() {
local src="$1"
local dest="$2"

if [[ ! -f "$dest" ]] && [[ ! -f "$src" ]]; then
echo "Missing source '$src' AND destination '$dest' exiting..."
exit -5
fi

if [[ ! -f "$dest" ]]; then
## Destination isn't there point it to source
sudo ln -s $src $dest
elif [[ ! -f "$src" ]]; then
## Source file was missing, point to destination. Should ONLY do so if it doesn't already exist (e.g. hadn't already been dual linked)
sudo ln -s $dest $src
fi


}


# Install steps are based on: http://stackoverflow.com/a/31576473/483528
function install_supervisord_amazon_linux {
sudo pip install supervisor

# On Amazon Linux, /usr/local/bin is not in PATH for the root user, so we add symlinks to /usr/bin, which is in PATH
two_way_symlink "/usr/bin/supervisorctl" "/usr/local/bin/supervisorctl"
two_way_symlink "/usr/bin/supervisord" "/usr/local/bin/supervisord"

sudo cp "$SCRIPT_DIR/supervisor-initd-script.sh" "/etc/init.d/supervisor"
sudo chmod a+x /etc/init.d/supervisor
sudo mkdir -p /var/log/supervisor

create_supervisor_config
sudo chkconfig --add supervisor
sudo chkconfig supervisor on
}

function create_supervisor_config {
sudo mkdir -p "$SUPERVISOR_CONF_DIR"
sudo cp "$SCRIPT_DIR/supervisord.conf" "$SUPERVISOR_DIR/supervisord.conf"
}

function has_yum {
[[ -n "$(command -v yum)" ]]
}
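Review bot: this removes the only code that installed a process supervisor, and nothing in the visible part of this diff installs or enables a `vault.service` unit, so the unit must be written elsewhere (presumably `run-vault`, which is not shown in this view); please confirm. When reviewing that unit, check it does not undo the `mlock` setup this script still performs: if the unit sets `CapabilityBoundingSet`, it must include `CAP_IPC_LOCK`, and `Restart=on-failure` is needed to keep the crash-restart behaviour the README promises.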
@@ -175,11 +119,9 @@ function install_dependencies {
if $(has_apt_get); then
sudo apt-get update -y
sudo apt-get install -y awscli curl unzip jq
install_supervisord_debian
elif $(has_yum); then
sudo yum update -y
sudo yum install -y awscli curl unzip jq
install_supervisord_amazon_linux
else
log_error "Could not find apt-get or yum. Cannot install dependencies on this OS."
exit 1
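Review bot: with the supervisord install removed, `install_dependencies` no longer installs anything that supervises Vault, yet the script never checks that systemd is actually present even though the README now lists it as an assumed dependency. Add an explicit check early on, for example `if ! command -v systemctl >/dev/null; then log_error "systemd is required"; exit 1; fi`, so a non-systemd host fails here with a clear message rather than later when the unit is enabled.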
@@ -211,7 +153,6 @@ function create_vault_install_paths {
sudo mkdir -p "$path/bin"
sudo mkdir -p "$path/config"
sudo mkdir -p "$path/data"
sudo mkdir -p "$path/log"
sudo mkdir -p "$path/tls"
sudo mkdir -p "$path/scripts"
sudo chmod 755 "$path"
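Review bot: dropping `$path/log` is consistent with sending output to the journal, but any configuration, audit device path or documentation that still points at the `log` directory under the install path will now fail at runtime; grep the rest of the module for the old path before merging.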
116 changes: 0 additions & 116 deletions modules/install-vault/supervisor-initd-script.sh

This file was deleted.


0 comments on commit df75973
