
ansible-role-vault's Introduction

A creative nerd

I like nerding-out, specifically around Ansible and Terraform automated test and infrastructure.

Always willing to help, love to learn and work with people.


ansible-role-vault's People

Contributors: marknl, maurorosero, patsevanton, robert-de-bock, robertdebock


ansible-role-vault's Issues

tls support for listeners

Proposed feature

Modifications on the template config.hcl to support TLS on listeners. In this step, only configure the cert and key files if tls_disable == 0. Previously, copy both files to the server before role execution.

Rationale

Why is this feature required?
It's important for security concerns.


unseal vault follower is not idempotent.

# TODO: unseal vault follower is not idempotent.

# TODO: join follower to leader is not idempotent.
- name: join follower to leader
  command: vault operator raft join -tls-skip-verify http://{{ vault_leader }}:8200
  changed_when: no
  register: vault_join_member_to_leader
  until:
    - vault_join_member_to_leader is succeeded
  retries: 5
  environment:
    VAULT_ADDR: "{{ vault_api_addr }}"

# TODO: unseal vault follower is not idempotent.
- name: unseal vault follower
  command: vault operator unseal {{ item }}
  changed_when: no
  environment:
    VAULT_ADDR: "{{ vault_api_addr }}"
  loop: "{{ vault_init_output.unseal_keys_b64 }}"
  loop_control:
    label: "hidden"
  no_log: yes

- name: restart vault followers
  service:

252c3cda5128e8a93da874432334cd56f79c81e2

join follower to leader is not idempotent.

# TODO: join follower to leader is not idempotent.

# TODO: join follower to leader is not idempotent.
- name: join follower to leader
  command: vault operator raft join -tls-skip-verify http://{{ vault_leader }}:8200
  changed_when: no
  register: vault_join_member_to_leader
  until:
    - vault_join_member_to_leader is succeeded
  retries: 5
  environment:
    VAULT_ADDR: "{{ vault_api_addr }}"

# TODO: unseal vault follower is not idempotent.
- name: unseal vault follower
  command: vault operator unseal {{ item }}
  changed_when: no
  environment:
    VAULT_ADDR: "{{ vault_api_addr }}"
  loop: "{{ vault_init_output.unseal_keys_b64 }}"
  loop_control:
    label: "hidden"
  no_log: yes

- name: restart vault followers
  service:

71cc820cf5d9e1a67dad4d1faedbeb36123f052f
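Both TODO issues above ask for the same change: the follower's join and unseal steps should be no-ops on a second run. The tasks below are an added example, not the role's own follower.yml. They assume the role's variables vault_api_addr, vault_leader, vault_key_threshold and vault_init_output (the parsed output of vault operator init -format=yaml), and they rely on three properties of the Vault CLI: vault status exits 2 rather than 1 when the node is sealed, its -format=json output carries the booleans initialized and sealed, and vault operator raft join -format=json reports a joined boolean. The assumption that a raft node which has not yet joined any cluster reports initialized false is marked in the comments. The leader is addressed over plain http exactly as on the page; if the listener moves to TLS, point VAULT_CACERT at the CA in the task environment rather than reintroducing -tls-skip-verify.

```yaml
# Added example, not the role's follower.yml: idempotent follower join and
# unseal. Each step first asks the node what state it is in.
# Assumed role variables: vault_api_addr, vault_leader, vault_key_threshold,
# vault_init_output (parsed output of `vault operator init -format=yaml`).

- name: Read the current status of this follower
  ansible.builtin.command: vault status -format=json
  register: vault_status_raw
  changed_when: false
  # `vault status` exits 0 when unsealed and 2 when sealed; both are data here.
  failed_when: vault_status_raw.rc not in [0, 2]
  environment:
    VAULT_ADDR: "{{ vault_api_addr }}"

- name: Parse the status JSON into a fact
  ansible.builtin.set_fact:
    vault_status: "{{ vault_status_raw.stdout | from_json }}"

- name: Join follower to leader only when it has not joined yet
  # Assumption: a raft node that has not joined a cluster reports
  # initialized=false; after `raft join` it reports initialized=true, sealed=true.
  ansible.builtin.command: >
    vault operator raft join -format=json http://{{ vault_leader }}:8200
  register: vault_join_member_to_leader
  changed_when: >-
    vault_join_member_to_leader.rc == 0 and
    ((vault_join_member_to_leader.stdout | from_json).joined | default(false) | bool)
  until: vault_join_member_to_leader is succeeded
  retries: 5
  delay: 5
  when: not (vault_status.initialized | bool)
  # No -tls-skip-verify here: a TLS leader listener is verified via VAULT_CACERT.
  environment:
    VAULT_ADDR: "{{ vault_api_addr }}"

- name: Feed unseal keys only while the node is sealed
  ansible.builtin.command: vault operator unseal -format=json {{ item }}
  register: vault_unseal_follower
  # Only vault_key_threshold shares are needed; the rest would be sent to a
  # node that is already unsealed.
  loop: "{{ vault_init_output.unseal_keys_b64[:(vault_key_threshold | int)] }}"
  loop_control:
    label: hidden
  no_log: true
  when: vault_status.sealed | bool
  changed_when: true
  environment:
    VAULT_ADDR: "{{ vault_api_addr }}"

- name: Confirm the follower is now unsealed
  ansible.builtin.command: vault status -format=json
  register: vault_status_after
  changed_when: false
  failed_when: >-
    vault_status_after.rc != 0 or
    ((vault_status_after.stdout | from_json).sealed | bool)
  environment:
    VAULT_ADDR: "{{ vault_api_addr }}"
```

On a fresh follower the play reports the join and the unseal as changed; on every later run the status check finds initialized true and sealed false, both tasks are skipped, and the unseal keys never leave the registered fact because the loop is skipped under no_log.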

parameters recovery_shares,recovery_threshold not applicable to seal type shamir

Hi there,

I'm getting this error on an AWS EC2 instance with Ubuntu focal installed:

TASK [robertdebock.vault : initialize vault on leader] *************************
fatal: [vault_instance]: FAILED! => {"changed": true, "cmd": ["vault", "operator", "init", "-key-shares=5", "-key-threshold=3", "-format=yaml"], "delta": "0:00:00.049334", "end": "2022-10-15 19:31:51.442021", "msg": "non-zero return code", "rc": 2, "start": "2022-10-15 19:31:51.392687", "stderr": "Error initializing: Error making API request.\n\nURL: PUT http://127.0.0.1:8200/v1/sys/init\nCode: 400. Errors:\n\n* parameters recovery_shares,recovery_threshold not applicable to seal type shamir", "stderr_lines": ["Error initializing: Error making API request.", "", "URL: PUT http://127.0.0.1:8200/v1/sys/init", "Code: 400. Errors:", "", "* parameters recovery_shares,recovery_threshold not applicable to seal type shamir"], "stdout": "", "stdout_lines": []}

Playbook is nothing especially complex:


- hosts: all
  become: true
  become_method: sudo

  tasks:

    - name: Include System Variables
      ansible.builtin.include_vars:
        dir: '../vars'

    - name: Insert Proxy Environment
      ansible.builtin.lineinfile:
        dest: "/etc/environment"
        state: present
        create: 'yes'
        regexp: "^{{ item.key }}="
        line: "{{ item.key }}={{ item.value }}"
      loop: "{{ proxy_env }}"

    - name: Create vault group
      ansible.builtin.group:
        name: 'vault'
        state: present

    - name: Create vault user
      ansible.builtin.user:
        name: 'vault'
        group: 'vault'
        shell: '/bin/bash'
        state: present

    - name: Include prerequisite roles
      ansible.builtin.include_role:
        name: '{{ outer_item }}'
      loop:
        - 'robertdebock.bootstrap'
        - 'robertdebock.core_dependencies'
        - 'robertdebock.hashicorp'
      loop_control:
        loop_var: outer_item

    - name: Include Role Vault
      ansible.builtin.include_role:
        name: 'robertdebock.vault'
      vars:
        vault_disable_clustering: "true"
        vault_log_level: "debug"

Introduce a variable where the user of the role can select a leader.

# TODO: Introduce a variable where the user of the role can select a leader.

- name: select leader
  set_fact:
    vault_leader: "{{ inventory_hostname }}"
  run_once: yes
# TODO: Introduce a variable where the user of the role can select a leader.

- name: show vault_leader
  debug:
    msg: "{{ vault_leader }}"

- name: configure leader
  block:
    - name: start vault leader
      service:
        name: vault
        state: started
        enabled: true

    - name: check status of vault leader
      command: vault status -format=yaml
      environment:
        VAULT_ADDR: "http://127.0.0.1:8200"

545e8c3906328f16f951627cea04d96554882fd2

Static path definition for tls in binary.yml and vault.hcl

Describe the bug

When using the binary installation method with this role and changing vault_data_directory
to something other than "/opt/", the execution will fail, due to the static definition of the TLS path in binary.yaml and vault.hcl.

Playbook

---
- name: Install hashicorp vault via roles
  hosts: pikvm
  pre_tasks:
    - ansible.builtin.shell: rw
  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.core_dependencies
    - role: robertdebock.hashicorp
    - role: ansible-role-vault
      vars:
        vault_type: oss
        vault_architecture: "arm"
        ansible_architecture: "arm"
        vault_version: "1.13.1"
        vault_package_release: "1"
        vault_installation_method: "binary"
        vault_download_path: "/vault/vault-{{ vault_version }}"
        vault_path: "/vault"
        vault_user: vault
        vault_group: vault
        vault_user_shell: /bin/false
        vault_data_directory: "/vault"

Output

  • The output was that the tls certificate could not be created because the path /opt/vault/tls was not found

Root cause

[nix-shell:~/vault]$ ag /opt/

roles/ansible-role-vault/files/vault.hcl
9:  path = "/opt/vault/data"
26:  tls_cert_file = "/opt/vault/tls/tls.crt"
27:  tls_key_file  = "/opt/vault/tls/tls.key"

roles/ansible-role-vault-fixed-vault-path-setting/files/vault.hcl
9:  path = "/opt/vault/data"
26:  tls_cert_file = "/opt/vault/tls/tls.crt"
27:  tls_key_file  = "/opt/vault/tls/tls.key"

Fix

  • Replace the path /opt/vault/ with {{ vault_data_directory }} and create a jinja template for the vault.hcl file
  • I am going to create a pull request in a second

Environment

  • Control node OS:
NAME="Arch Linux ARM"
PRETTY_NAME="Arch Linux ARM"
ID=archarm
ID_LIKE=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://archlinuxarm.org/"
DOCUMENTATION_URL="https://archlinuxarm.org/wiki"
SUPPORT_URL="https://archlinuxarm.org/forum"
BUG_REPORT_URL="https://github.com/archlinuxarm/PKGBUILDs/issues"
LOGO=archlinux-logo
  • Control node Ansible version:
ansible [core 2.14.0]
  config file = /home/.../vault/ansible.cfg
  configured module search path = ['/home/.../.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /nix/store/dbmlg0iq0b4w7s5nm8is0n56g2d95r4r-python3.10-ansible-core-2.14.0/lib/python3.10/site-packages/ansible
  ansible collection location = /home/.../.ansible/collections:/usr/share/ansible/collections
  executable location = /nix/store/dbmlg0iq0b4w7s5nm8is0n56g2d95r4r-python3.10-ansible-core-2.14.0/bin/ansible
  python version = 3.10.9 (main, Dec  6 2022, 18:44:57) [GCC 11.3.0] (/nix/store/al6g1zbk8li6p8mcyp0h60d08jaahf8c-python3-3.10.9/bin/python3.10)
  jinja version = 3.1.2
  libyaml = True
  • Managed node OS:
NAME="Arch Linux ARM"
PRETTY_NAME="Arch Linux ARM"
ID=archarm
ID_LIKE=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://archlinuxarm.org/"
DOCUMENTATION_URL="https://archlinuxarm.org/wiki"
SUPPORT_URL="https://archlinuxarm.org/forum"
BUG_REPORT_URL="https://github.com/archlinuxarm/PKGBUILDs/issues"
LOGO=archlinux-logo

Thx

Despite this little issue, your role worked out of the box and was clear to apply, so thank you very much for your work.
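The TLS feature request earlier on this page (emit tls_cert_file and tls_key_file only when tls_disable is 0) and the hard-coded /opt/vault/tls paths in this report are two halves of one change. The tasks below are an added example, not the role's own tasks or its config.hcl.j2. They take the page's vault_listeners structure (name, address, cluster_address, tls_disable), add two hypothetical per-listener keys, tls_cert_file and tls_key_file, default them to a tls/ directory under vault_data_directory, refuse to render a TLS listener whose files were not copied to the host beforehand, and render the listener block with the requested conditional. The HCL listener parameters (tls_disable, tls_cert_file, tls_key_file, tls_min_version) are Vault's own; the "restart vault" handler name is the one visible in the role's notify list on this page and is assumed to exist.

```yaml
# Added example, not the role's own tasks or config.hcl.j2.
# Assumed inputs: vault_data_directory and the page's vault_listeners list,
# optionally extended per listener with tls_cert_file / tls_key_file
# (hypothetical keys; default to <vault_data_directory>/tls/tls.crt|tls.key).

- name: Derive the TLS directory from vault_data_directory instead of /opt/vault
  ansible.builtin.set_fact:
    vault_tls_directory: "{{ vault_data_directory }}/tls"
    vault_tls_default_names:
      tls_cert_file: tls.crt
      tls_key_file: tls.key

- name: Collect the certificate and key each TLS-enabled listener needs
  ansible.builtin.set_fact:
    vault_tls_required_files: >-
      {{ vault_tls_required_files | default([]) + [ {
           'listener': item.0.name,
           'setting':  item.1,
           'path':     item.0[item.1] | default(vault_tls_directory ~ '/' ~ vault_tls_default_names[item.1])
         } ] }}
  loop: "{{ vault_listeners | product(['tls_cert_file', 'tls_key_file']) | list }}"
  loop_control:
    label: "{{ item.0.name }}/{{ item.1 }}"
  # tls_disable arrives as the string "true"/"false" on this page, hence | bool.
  when: not (item.0.tls_disable | default(false) | bool)

- name: Check that those files were copied to the host before the role runs
  ansible.builtin.stat:
    path: "{{ item.path }}"
  register: vault_tls_stat
  loop: "{{ vault_tls_required_files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"

- name: Refuse to render a TLS listener whose certificate or key is missing
  ansible.builtin.assert:
    that: item.stat.exists
    fail_msg: "listener {{ item.item.listener }}: {{ item.item.setting }} {{ item.item.path }} not found"
    quiet: true
  loop: "{{ vault_tls_stat.results | default([]) }}"
  loop_control:
    label: "{{ item.item.path }}"

- name: Render listeners; cert and key only appear when TLS is on
  # Written to its own file for illustration; in the role this block lives in
  # the listener section of config.hcl.j2.
  ansible.builtin.copy:
    dest: /etc/vault.d/listeners.hcl
    owner: vault
    group: vault
    mode: "0640"
    content: |
      {% for listener in vault_listeners %}
      listener "{{ listener.name }}" {
        address         = "{{ listener.address }}"
        cluster_address = "{{ listener.cluster_address }}"
      {% if listener.tls_disable | default(false) | bool %}
        tls_disable = true
      {% else %}
        tls_cert_file   = "{{ listener.tls_cert_file | default(vault_tls_directory ~ '/tls.crt') }}"
        tls_key_file    = "{{ listener.tls_key_file | default(vault_tls_directory ~ '/tls.key') }}"
        tls_min_version = "tls12"
      {% endif %}
      }
      {% endfor %}
  notify: restart vault
```

With vault_data_directory set to /vault as in the report, the default paths become /vault/tls/tls.crt and /vault/tls/tls.key, and a listener with tls_disable "true" renders without any certificate lines, so the role no longer fails on a path it never created.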

Unable to unseal followers, 2 of 3 passes are successful, 1 is not successful.

Describe the bug

I'm trying to write IaC using Terraform and Ansible to set up a Vault cluster.
I found that the playbook errors: when the playbook runs, 2 of 3 passes are successful and 1 is not.

make provision
. config.sh
ssh-add $PVT_KEY
Identity added: /home/lindenvalley/.ssh/id_ed25519 (lindenvalley@worker)
ANSIBLE_HOST_KEY_CHECKING=False ANSIBLE_ROLES_PATH=~/git/ansible/roles ansible-playbook -i inventory playbooks/vault.yaml

PLAY [Provision server] ********************************************************************************************************************

TASK [Wait before cloudinit is finished] ***************************************************************************************************
ok: [vault-mhsmxqiqxmfs]
ok: [vault-oiaqvsajgslo]
ok: [vault-gbkylfpknrvp]

PLAY [prepare] *****************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************
ok: [vault-mhsmxqiqxmfs]
ok: [vault-oiaqvsajgslo]
ok: [vault-gbkylfpknrvp]

TASK [robertdebock.core_dependencies : install packages] ***********************************************************************************
changed: [vault-gbkylfpknrvp]
changed: [vault-oiaqvsajgslo]
changed: [vault-mhsmxqiqxmfs]

TASK [robertdebock.core_dependencies : try to install pip packages] ************************************************************************
changed: [vault-gbkylfpknrvp]
changed: [vault-mhsmxqiqxmfs]
changed: [vault-oiaqvsajgslo]

TASK [robertdebock.core_dependencies : flush handlers] *************************************************************************************

RUNNING HANDLER [robertdebock.core_dependencies : gather facts] ****************************************************************************
ok: [vault-gbkylfpknrvp]
ok: [vault-mhsmxqiqxmfs]
ok: [vault-oiaqvsajgslo]

TASK [robertdebock.hashicorp : test if hashicorp_installation_method is set correctly] *****************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.hashicorp : test if hashicorp_products is set correctly] ****************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.hashicorp : test if item in hashicorp_products is set correctly (package)] **********************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.hashicorp : test if item in hashicorp_products is set correctly (manual)] ***********************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.hashicorp : install repository for RedHat] ******************************************************************************
skipping: [vault-gbkylfpknrvp]
skipping: [vault-mhsmxqiqxmfs]
skipping: [vault-oiaqvsajgslo]

TASK [robertdebock.hashicorp : install apt key for Debian] *********************************************************************************
changed: [vault-gbkylfpknrvp]
changed: [vault-mhsmxqiqxmfs]
changed: [vault-oiaqvsajgslo]

TASK [robertdebock.hashicorp : install repository for Debian] ******************************************************************************
changed: [vault-oiaqvsajgslo]
changed: [vault-gbkylfpknrvp]
changed: [vault-mhsmxqiqxmfs]

TASK [robertdebock.hashicorp : install hashicorp product using package] ********************************************************************
skipping: [vault-gbkylfpknrvp]
skipping: [vault-mhsmxqiqxmfs]
skipping: [vault-oiaqvsajgslo]

TASK [robertdebock.hashicorp : install hashicorp product manually] *************************************************************************
skipping: [vault-gbkylfpknrvp]
skipping: [vault-mhsmxqiqxmfs]
skipping: [vault-oiaqvsajgslo]

TASK [Update /etc/hosts] *******************************************************************************************************************
changed: [vault-gbkylfpknrvp]
changed: [vault-oiaqvsajgslo]
changed: [vault-mhsmxqiqxmfs]

PLAY [Assemble Vault cluster] **************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************
ok: [vault-oiaqvsajgslo]
ok: [vault-gbkylfpknrvp]
ok: [vault-mhsmxqiqxmfs]

TASK [robertdebock.vault : test if vault_owner is set correctly] ***************************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_group is set correctly] ***************************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_disable_clustering is set correctly] **************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_cluster_addr is set correctly] ********************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_api_addr is set correctly] ************************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_plugin_directory is set correctly] ****************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_storages is set correctly] ************************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if item in vault_storages is set correctly] ****************************************************************
ok: [vault-gbkylfpknrvp -> localhost] => (item=raft)

TASK [robertdebock.vault : test if vault_listeners is set correctly] ***********************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if item in vault_listeners is set correctly] ***************************************************************
ok: [vault-gbkylfpknrvp -> localhost] => (item=tcp)
ok: [vault-gbkylfpknrvp -> localhost] => (item=tcp)

TASK [robertdebock.vault : test if item in vault_listeners is set correctly when tls_disable is yes] ***************************************
skipping: [vault-gbkylfpknrvp] => (item=tcp) 
skipping: [vault-gbkylfpknrvp] => (item=tcp) 

TASK [robertdebock.vault : test if vault_ui is set correctly] ******************************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_key_shares is set correctly] **********************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_key_threshold is set correctly] *******************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_key_shares and vault_key_threshold are set correctly] *********************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_show_unseal_information is set correctly] *********************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_unseal_keys is set correctly] *********************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if vault_disable_mlock is set correctly] *******************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_make_backup is set correctly] *********************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_backup_path is set correctly] *********************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if vault_namespace is set correctly] ***********************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if vault_kv_secrets is set correctly] **********************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if item vault_kv_secrets is set correctly] *****************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if item.cas vault_kv_secrets is set correctly] *************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if vault_kv_max_versions is set correctly] *****************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_kv_cas_required is set correctly] *****************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_kv_delete_version_after is set correctly] *********************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_license is set correctly] *************************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if vault_log_level is set correctly] ***********************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_max_lease_ttl is set correctly] *******************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_default_lease_ttl is set correctly] ***************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : test if vault_transit is set correctly] *************************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if vault_disable_cache is set correctly] *******************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if vault_disable_clustering is "true" for raft] ************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : test if vault_store_root_token is set correctly] ****************************************************************
ok: [vault-gbkylfpknrvp -> localhost]

TASK [robertdebock.vault : run shared tasks] ***********************************************************************************************
included: /home/lindenvalley/git/ansible/roles/robertdebock.vault/tasks/shared.yml for vault-gbkylfpknrvp, vault-mhsmxqiqxmfs, vault-oiaqvsajgslo

TASK [robertdebock.vault : install vault] **************************************************************************************************
changed: [vault-oiaqvsajgslo]
changed: [vault-mhsmxqiqxmfs]
changed: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : create vault storage path] **************************************************************************************
changed: [vault-gbkylfpknrvp] => (item=/vault/data)
changed: [vault-oiaqvsajgslo] => (item=/vault/data)
changed: [vault-mhsmxqiqxmfs] => (item=/vault/data)

TASK [robertdebock.vault : make plugin directory] ******************************************************************************************
changed: [vault-gbkylfpknrvp]
changed: [vault-oiaqvsajgslo]
changed: [vault-mhsmxqiqxmfs]

TASK [robertdebock.vault : select leader if vault_leader is unset] *************************************************************************
skipping: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : create /etc/vault.d] ********************************************************************************************
ok: [vault-mhsmxqiqxmfs]
ok: [vault-gbkylfpknrvp]
ok: [vault-oiaqvsajgslo]

TASK [robertdebock.vault : place /etc/vaultd.d/config.hcl] *********************************************************************************
changed: [vault-oiaqvsajgslo]
changed: [vault-mhsmxqiqxmfs]
changed: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : place vault license] ********************************************************************************************
skipping: [vault-gbkylfpknrvp]
skipping: [vault-mhsmxqiqxmfs]
skipping: [vault-oiaqvsajgslo]

TASK [robertdebock.vault : start vault] ****************************************************************************************************
changed: [vault-gbkylfpknrvp]
changed: [vault-mhsmxqiqxmfs]
changed: [vault-oiaqvsajgslo]

TASK [robertdebock.vault : check status of vault] ******************************************************************************************
ok: [vault-mhsmxqiqxmfs]
ok: [vault-oiaqvsajgslo]
ok: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : save vault_status] **********************************************************************************************
ok: [vault-gbkylfpknrvp]
ok: [vault-mhsmxqiqxmfs]
ok: [vault-oiaqvsajgslo]

TASK [robertdebock.vault : safe VAULT_ADDR /etc/environment] *******************************************************************************
changed: [vault-mhsmxqiqxmfs]
changed: [vault-oiaqvsajgslo]
changed: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : run leader tasks] ***********************************************************************************************
included: /home/lindenvalley/git/ansible/roles/robertdebock.vault/tasks/leader.yml for vault-gbkylfpknrvp, vault-mhsmxqiqxmfs, vault-oiaqvsajgslo

TASK [robertdebock.vault : initialize vault on leader] *************************************************************************************
changed: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : save vault_init_output for leader] ******************************************************************************
ok: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : show unseal keys for leader] ************************************************************************************
ok: [vault-gbkylfpknrvp] => {
    "msg": [
        "ZVOlGJXBPI0zN3845ncd/hU05fevreXtp4BDQmACiZZx",
        "FDYxqeRl6xamHS7hSQglvQ8sngwm06n60s0n2a4w9XRn",
        "zHVIUF6OdM4O8TtPXndMWz6RGAIp9oyxyW7QIpaCg3MR",
        "RLH+tIXXJsE9PETNsvJXv/nlZ9iLtYKNnBRLkhYkToIy",
        "lylefZkM5HqqVXohEkju3fTdIsAiojQ6EQGo5KSMUNmx"
    ]
}

TASK [robertdebock.vault : show root token for leader] *************************************************************************************
ok: [vault-gbkylfpknrvp] => {
    "msg": "s.gEjGr9UgabjHzK7JcvRbebzx"
}

TASK [robertdebock.vault : save login token to /root/.vault-token] *************************************************************************
changed: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : unseal vault leader] ********************************************************************************************
changed: [vault-gbkylfpknrvp] => (item=None)
changed: [vault-gbkylfpknrvp] => (item=None)
changed: [vault-gbkylfpknrvp] => (item=None)
changed: [vault-gbkylfpknrvp] => (item=None)
changed: [vault-gbkylfpknrvp] => (item=None)
changed: [vault-gbkylfpknrvp]

TASK [robertdebock.vault : make a snapshot] ************************************************************************************************
skipping: [vault-gbkylfpknrvp]
skipping: [vault-mhsmxqiqxmfs]
skipping: [vault-oiaqvsajgslo]

TASK [robertdebock.vault : run follower tasks] *********************************************************************************************
included: /home/lindenvalley/git/ansible/roles/robertdebock.vault/tasks/follower.yml for vault-gbkylfpknrvp, vault-mhsmxqiqxmfs, vault-oiaqvsajgslo

TASK [robertdebock.vault : join follower to leader] ****************************************************************************************
ok: [vault-gbkylfpknrvp]
FAILED - RETRYING: join follower to leader (5 retries left).
FAILED - RETRYING: join follower to leader (5 retries left).
FAILED - RETRYING: join follower to leader (4 retries left).
FAILED - RETRYING: join follower to leader (4 retries left).
ok: [vault-mhsmxqiqxmfs]
ok: [vault-oiaqvsajgslo]

TASK [robertdebock.vault : unseal vault follower] ******************************************************************************************
ok: [vault-gbkylfpknrvp] => (item=None)
ok: [vault-mhsmxqiqxmfs] => (item=None)
ok: [vault-oiaqvsajgslo] => (item=None)
ok: [vault-gbkylfpknrvp] => (item=None)
ok: [vault-mhsmxqiqxmfs] => (item=None)
ok: [vault-oiaqvsajgslo] => (item=None)
ok: [vault-gbkylfpknrvp] => (item=None)
failed: [vault-oiaqvsajgslo] (item=None) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
failed: [vault-mhsmxqiqxmfs] (item=None) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
ok: [vault-gbkylfpknrvp] => (item=None)
ok: [vault-oiaqvsajgslo] => (item=None)
ok: [vault-mhsmxqiqxmfs] => (item=None)
ok: [vault-gbkylfpknrvp] => (item=None)
ok: [vault-gbkylfpknrvp]
ok: [vault-oiaqvsajgslo] => (item=None)
fatal: [vault-oiaqvsajgslo]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
[vault-oiaqvsajgslo] TASK: robertdebock.vault : unseal vault follower (debug)> ok: [vault-mhsmxqiqxmfs] => (item=None)
p
***SyntaxError:SyntaxError('unexpected EOF while parsing', ('<string>', 0, 0, ''))
[vault-oiaqvsajgslo] TASK: robertdebock.vault : unseal vault follower (debug)> h

Documented commands (type help <topic>):
========================================
EOF  c  continue  h  help  p  pprint  q  quit  r  redo  u  update_task

[vault-oiaqvsajgslo] TASK: robertdebock.vault : unseal vault follower (debug)> c
fatal: [vault-mhsmxqiqxmfs]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
[vault-mhsmxqiqxmfs] TASK: robertdebock.vault : unseal vault follower (debug)> p
***SyntaxError:SyntaxError('unexpected EOF while parsing', ('<string>', 0, 0, ''))
[vault-mhsmxqiqxmfs] TASK: robertdebock.vault : unseal vault follower (debug)> c

NO MORE HOSTS LEFT *************************************************************************************************************************

PLAY RECAP *********************************************************************************************************************************
vault-gbkylfpknrvp         : ok=54   changed=14   unreachable=0    failed=0    skipped=20   rescued=0    ignored=0   
vault-mhsmxqiqxmfs         : ok=22   changed=11   unreachable=0    failed=1    skipped=5    rescued=0    ignored=0   
vault-oiaqvsajgslo         : ok=22   changed=11   unreachable=0    failed=1    skipped=5    rescued=0    ignored=0   

make: *** [Makefile:24: provision] Error 2

Playbook


---
# File: site.yml - Example Consul site playbook
- name: Provision server
  hosts: all
  remote_user: nartykaly
  gather_facts: False
  no_log: false
  tasks:
    - name: Wait before cloudinit is finished
      wait_for:
        path: /var/lib/cloud/instance/boot-finished

- name: prepare
  hosts: vault_instances
  become: true
  become_method: sudo
  roles:
    - role: robertdebock.core_dependencies
    - role: robertdebock.hashicorp
  tasks:
    - name: Update /etc/hosts
      blockinfile:
        path: /etc/hosts
        block: |
          {% for host in groups['all'] %}
          {{ hostvars[host].ansible_host }} {{ host }}
          {% endfor %}

- name: Assemble Vault cluster
  hosts: vault_instances
  any_errors_fatal: true
  become: true
  become_user: root
  gather_facts: true
  debugger: on_failed
  roles:
    - robertdebock.vault
  vars:
    vault_show_unseal_information: yes
    vault_store_root_token: yes
    vault_make_backup: no
    vault_leader: "{{ hostvars[groups['vault_instances'][0]].ansible_host }}"
    vault_listeners:
      - name: tcp
        address: "127.0.0.1:8200"
        cluster_address: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8201"
        tls_disable: "true"

      - name: tcp
        address: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8200"
        cluster_address: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8201"
        tls_disable: "true"
    vault_log_level: "debug"
    vault_disable_clustering: "false"
    vault_api_addr: "http://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8200"


Environment

  • Control node OS: Ubuntu 20.04
  • Control node Ansible version: 2.11.6
  • Managed node OS: Ubuntu 21.04

failed to look up user vault when hashicorp_installation_method: manual

Describe the bug

failed to look up user vault when hashicorp_installation_method: manual

Playbook

---
- name: prepare
  hosts: vault_raft_servers
  become: true
  become_method: sudo
  pre_tasks:
    - name: Update apt cache.
      apt: update_cache=true cache_valid_time=600
      when: ansible_os_family == 'Debian'
    - name: Update /etc/hosts
      blockinfile:
        path: /etc/hosts
        block: |
          {% for host in groups['all'] %}
          {{ hostvars[host].ansible_host }} {{ host }}
          {% endfor %}
  roles:
    - role: robertdebock.core_dependencies
    - role: robertdebock.hashicorp
      hashicorp_installation_method: manual
      hashicorp_products:
        - name: vault
          version: "1.9.4"
          type: oss

- name: Assemble Vault cluster
  hosts: vault_raft_servers
  any_errors_fatal: true
  become: true
  become_user: root
  gather_facts: true
  debugger: on_failed
  roles:
    - robertdebock.vault
  vars:
    vault_show_unseal_information: yes
    vault_install_package: no
    vault_store_root_token: yes
    vault_make_backup: no
    vault_leader: "{{ hostvars[groups['vault_instances'][0]].ansible_host }}"
    vault_listeners:
      - name: tcp
        address: "127.0.0.1:8200"
        cluster_address: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8201"
        tls_disable: "true"

      - name: tcp
        address: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8200"
        cluster_address: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8201"
        tls_disable: "true"
    vault_log_level: "debug"
    vault_disable_clustering: "false"
    vault_api_addr: "http://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8200"
    vault_cluster_addr: "http://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8201"

Output

TASK [robertdebock.vault : create vault storage path] **********************************************************************************************************
Saturday 07 May 2022  22:40:10 +0600 (0:00:00.026)       0:00:18.880 **********
failed: [vault1] (item=/vault/data) => changed=false
  ansible_loop_var: item
  gid: 0
  group: root
  item:
    name: raft
    node_id: vault1
    path: /vault/data
  mode: '0755'
  msg: 'chown failed: failed to look up user vault'
  owner: root
  path: /vault
  size: 4096
  state: directory
  uid: 0
[vault1] TASK: robertdebock.vault : create vault storage path (debug)>
failed: [vault0] (item=/vault/data) => changed=false
  ansible_loop_var: item
  gid: 0
  group: root
  item:
    name: raft
    node_id: vault0
    path: /vault/data
  mode: '0755'
  msg: 'chown failed: failed to look up user vault'
  owner: root
  path: /vault
  size: 4096
  state: directory
  uid: 0
failed: [vault2] (item=/vault/data) => changed=false
  ansible_loop_var: item
  gid: 0
  group: root
  item:
    name: raft
    node_id: vault2
    path: /vault/data
  mode: '0755'
  msg: 'chown failed: failed to look up user vault'
  owner: root
  path: /vault
  size: 4096
  state: directory
  uid: 0

Environment

  • Control node OS (cat /etc/os-release):
    NAME="Ubuntu"
    VERSION="20.04 LTS (Focal Fossa)"
  • Control node Ansible version (ansible --version):
    ansible [core 2.12.4]
      config file = /etc/ansible/ansible.cfg
      configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python3/dist-packages/ansible
      ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
      executable location = /usr/bin/ansible
      python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
      jinja version = 3.1.2
      libyaml = True
  • Managed node OS (cat /etc/os-release):
    NAME="Ubuntu"
    VERSION="20.04 LTS (Focal Fossa)"

Inventory

all:
  children:
    vault_raft_servers:
      hosts:
        vault0:
          ansible_host: xxxxx
        vault1:
          ansible_host: xxxx
        vault2:
          ansible_host: xxxx

Check user and group

root@vault0:~# cat /etc/passwd  | grep vault
root@vault0:~# cat /etc/group  | grep vault
root@vault0:~#
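
One way to avoid the chown failure seen above, as an added example rather than code from the issue or from the role: when the binary is installed without the distribution package, nothing creates the `vault` service account that the role's `create vault storage path` task chowns to, so create it (and the raft directory, with permissions that keep other local users out) in `pre_tasks` before `robertdebock.vault` runs. The user and group name `vault`, the `/vault/data` path and the `vault_raft_servers` group are taken from the issue; `vault_user`, `vault_group` and `vault_data_dir` are this example's own variables, not role variables.

```yaml
---
# Added example: make sure the vault service account exists before the role
# chowns its storage path. Names mirror the issue (user/group "vault",
# raft path /vault/data); everything else is this example's own choice.
- name: Prepare vault service account for a manual binary install
  hosts: vault_raft_servers
  become: true
  vars:
    vault_user: vault          # example variable, not a role variable
    vault_group: vault
    vault_data_dir: /vault/data
  pre_tasks:
    - name: Create the vault group
      ansible.builtin.group:
        name: "{{ vault_group }}"
        system: true
        state: present

    - name: Create the vault user with no login shell and no home directory
      ansible.builtin.user:
        name: "{{ vault_user }}"
        group: "{{ vault_group }}"
        system: true
        shell: /usr/sbin/nologin
        create_home: false
        state: present

    # 0750 keeps the raft data (barrier-encrypted, but also cluster metadata
    # and the unseal-protected key material) away from other local accounts.
    - name: Create the raft storage directory owned by the service account
      ansible.builtin.file:
        path: "{{ vault_data_dir }}"
        state: directory
        owner: "{{ vault_user }}"
        group: "{{ vault_group }}"
        mode: "0750"

    - name: Confirm the account resolves before the role tries to chown
      ansible.builtin.command: getent passwd {{ vault_user }}
      changed_when: false

  roles:
    - role: robertdebock.vault
      vault_storages:
        - name: raft
          path: "{{ vault_data_dir }}"
          node_id: "{{ inventory_hostname }}"
```

The `getent` task fails early with a clear message if the account is still missing, instead of the `chown failed: failed to look up user vault` reported inside the role's loop. If the role's own storage-path task resets the directory to 0755 afterwards, tighten it again in `post_tasks` or use the role's mode variable if the version in use exposes one.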

Multiple configuration files created

Describe the bug

The role this is dependent on (robertdebock.hashicorp) seems to create a config file under /etc/vault.d/vault.hcl whereas this role creates and uses the config file /etc/vault/config.hcl. It might be cleaner to have one config file or at least have them under the same directory.

I would suggest taking a backup of /etc/vault.d/vault.hcl if it exists and overwriting it. I can send a pull request if you'd like to do it that way.

Playbook

My playbook consists of:

---
- hosts: all

  vars_files:
    - vars/main.yml

  roles:
    - robertdebock.bootstrap
    - robertdebock.hashicorp
    - robertdebock.vault

My vars/main.yml consists of:

---
bootstrap_user: vagrant

# robertdebock.hashicorp variables
hashicorp_products:
  - vault

# robertdebock.vault variables
vault_storages:
  - name: raft
    path: /opt/vault/data
    node_id: node1

Environment

  • Control node OS: MacOS Catalina 10.15.7
  • Control node Ansible version: ansible 2.9.11
  • Managed node OS: Ubuntu 20.04.1 LTS
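
An added example (not code from the issue or from either role) of the backup-then-reconcile step suggested above, with the check a practitioner wants first: which config file the systemd unit actually loads. Two config files are only a tidiness problem until the unit points at the one the role did not render, at which point every listener and storage setting in the playbook is silently ignored. The two paths come from the issue; the unit name `vault`, the `hosts: all` pattern (from the issue's playbook) and the backup naming are assumptions.

```yaml
---
# Added example: verify which config file the vault unit starts from, then
# back up and remove the one left behind by robertdebock.hashicorp so that
# only /etc/vault/config.hcl is authoritative. Paths are from the issue; the
# unit name and backup location are assumptions.
- name: Reconcile vault configuration files
  hosts: all
  become: true
  vars:
    hashicorp_role_config: /etc/vault.d/vault.hcl
    vault_role_config: /etc/vault/config.hcl
    vault_unit: vault        # assumed systemd unit name
  tasks:
    - name: Read the unit definition vault actually starts from
      ansible.builtin.command: systemctl cat {{ vault_unit }}
      register: unit_text
      changed_when: false

    # Fail before touching anything: removing the file the unit points at
    # would take the service down on the next restart.
    - name: Fail if the unit does not point at the config this role renders
      ansible.builtin.assert:
        that:
          - vault_role_config in unit_text.stdout
        fail_msg: >-
          {{ vault_unit }} does not reference {{ vault_role_config }};
          the role's settings would be ignored at startup.

    - name: Check for a config file written by the hashicorp role
      ansible.builtin.stat:
        path: "{{ hashicorp_role_config }}"
      register: old_config

    - name: Keep a copy before it is removed
      ansible.builtin.copy:
        src: "{{ hashicorp_role_config }}"
        dest: "{{ hashicorp_role_config }}.{{ ansible_date_time.epoch }}.bak"
        remote_src: true
        mode: "0600"          # a vault config can carry storage credentials
      when: old_config.stat.exists

    - name: Remove the stale file so only one config is authoritative
      ansible.builtin.file:
        path: "{{ hashicorp_role_config }}"
        state: absent
      when: old_config.stat.exists
```

`ansible_date_time.epoch` needs fact gathering, which is on by default. If the assert fails, the fix belongs in the unit file (its `ExecStart` `-config=` argument), not in this play.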
