Vaultering.
So there I was, trying to install Vaultier on a dedicated CentOS machine. It turns out there are only three options: a Docker image, an installation script for Ubuntu, and a manual install, and the manual instructions also cover only Ubuntu (or Debian). Tough luck.
But how hard can it be to install this on CentOS? Next to impossible. The software shipped in the default repositories (and EPEL) is too old to actually get it to work (without compiling a lot myself, which would break the nice updates). And updates are a must on a server that handles sensitive data.
So I took the next best thing: Fedora 24 Server. Even that turned out to be ugly; but in the end it worked. Here is how I did it.
Getting your hands dirty.
I’ll assume you have a Fedora 24 Server installed already and are logged in as root. Let’s get cracking. First off, disable SELinux. Be aware that this is a shortcut, not a recommendation: on a box that stores passwords you should keep SELinux enforcing and label the uwsgi socket and the vaultier directories instead (audit2allow, as in the comments below, gets you there). Don’t echo a single line over /etc/selinux/config, that throws away the SELINUXTYPE line; change the setting in place:
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
Don’t reboot just yet; update the system fully (even if you just installed it, or rather: especially if you just installed it):
dnf update -y
OK, good. Reboot your server at this point to get rid of SELinux and let the new libraries and binaries kick in. Next, install the software Vaultier needs:
dnf install -y postgresql postgresql-contrib postgresql-devel nginx supervisor uwsgi python python-virtualenv python-devel redhat-rpm-config postgresql-server uwsgi-plugin-python uwsgi-logger-file
dnf groupinstall -y "Development tools"
With the software installed, create the new environment for vaultier:
mkdir -p /opt/vaultier
useradd -d /opt/vaultier -M vaultier
cd /opt/vaultier
virtualenv venv
source /opt/vaultier/venv/bin/activate
pip install vaultier
The last step fails half-way because of version conflicts among the pinned dependencies. Fix that now by editing the file /opt/vaultier/venv/lib/python2.7/site-packages/Vaultier-0.7.5-py2.7.egg-info/requires.txt so that it reads:
BeautifulSoup==3.2.1
Django==1.6
South==1.0.2
argparse==1.2.1
cssutils==1.0
django-appconf==0.6
django-extensions==1.2.5
django-filter==0.7
djangorestframework==2.3.12
flup==1.0.2
html2text==3.200.3
jsonfield==0.9.20
psycopg2==2.5.1
pycrypto==2.6.1
pynliner==0.5.0
six==1.9
wsgiref==0.1.2
raven==5.0.0
pytz==2014.7
celery==3.1.9
requests==2.3.0
python-dateutil==2.2
logan==0.5.10
iso8601==0.1.10
Still with me? Good, re-run the previously failed command:
pip install vaultier
That should leave you with vaultier installed. Let’s create a basic configuration:
export PYTHONPATH="${PYTHONPATH}:/opt/vaultier/venv/lib/python2.7/site-packages/vaultier"
vaultier init
The newly created configuration resides at /opt/vaultier/vaultier_conf.py; edit it to fit your needs. All done? Database time. vaultier init (the second command above) will have asked you for a database user name, database name and password: leave the first two at vaultier and remember the password you supplied. Now initialise the cluster and write a pg_hba.conf that actually checks that password. Use md5 rather than trust here: trust would let any local process connect as vaultier without a password at all. The local ... peer rule is what lets the postgres system user run psql in the next step, and the database host in vaultier_conf.py has to be 127.0.0.1 for the host rule to match.
vaultier check
postgresql-setup --initdb
cat > /var/lib/pgsql/data/pg_hba.conf <<'EOF'
local   all        postgres                  peer
host    vaultier   vaultier   127.0.0.1/32   md5
EOF
systemctl start postgresql
systemctl enable postgresql
Now create the PostgreSQL database, user and password; replace 'insertpasswordhere' with the password you gave vaultier init:
su - postgres
psql
CREATE DATABASE vaultier;
CREATE USER vaultier WITH PASSWORD 'insertpasswordhere';
GRANT ALL PRIVILEGES ON DATABASE "vaultier" TO vaultier;
\q
exit
For testing purposes, disable the firewall for now (on a real deployment keep firewalld running and open only the https service instead):
systemctl stop firewalld
systemctl disable firewalld
Vaultier is nearly done, final check:
vaultier check
That command should be completely silent; if it is not, fix any error (and retrace our steps). Check that the DB connection is valid:
vaultier dbshell
If you get a psql shell (if it asks for a password, it is the database password you gave vaultier init), all is working. In case of error: make sure the password you gave the init command and the one you used when creating the database user are exactly the same! If all went well, fill the database with initial data:
vaultier setup
and try a startup:
vaultier runserver
No errors? Awesome, Vaultier is working. Stop the development server again (Ctrl-C) and edit /etc/uwsgi.ini: delete all content and add this (workers and processes are the same uwsgi option, so set it only once; 660 on the socket is enough because nginx owns it and nobody else needs it):
[uwsgi]
pidfile = /run/uwsgi/uwsgi.pid
plugins = python
master = true
processes = 4
threads = 1
max-requests = 1000
chdir = /opt/vaultier
module = vaultier.wsgi:application
home = /opt/vaultier/venv
pythonpath = /opt/vaultier
pythonpath = /opt/vaultier/venv/lib/python2.7/site-packages/vaultier/
env = DJANGO_SETTINGS_MODULE=vaultier_conf
vacuum = true
no-orphans = true
uid = vaultier
gid = vaultier
chmod-socket = 660
chown-socket = nginx:nginx
socket = /var/run/vaultier.socket
listen = 50
logto = /opt/vaultier/logs/vaultier.log
Create the log directory that logto points at, hand it to the vaultier user (uwsgi drops to that uid), and start it up:
mkdir -p /opt/vaultier/logs
chown vaultier:vaultier /opt/vaultier/logs
systemctl start uwsgi
systemctl enable uwsgi
Check the logfile /opt/vaultier/logs/vaultier.log for startup messages. No errors: your setup is working. The final step is to get nginx running in front of it. I won’t hand-hold you through nginx here; that’s pretty straightforward. Two things matter: ssl_dhparam takes a Diffie-Hellman parameter file (generate one with openssl dhparam), not your certificate, and nginx must run as the user named in chown-socket above (nginx, with the default Fedora nginx.conf). The essential configuration for the vhost is:
server {
    listen 443 ssl;
    server_name passwords.alpha-labs.net;
    ssl_certificate     /path/to/your/.crt;
    ssl_certificate_key /path/to/your/.key;
    ssl_dhparam         /path/to/your/dhparam.pem;

    location / {
        include uwsgi_params;
        uwsgi_pass unix:/var/run/vaultier.socket;
    }
    location /static/ {
        alias /opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/static/;
    }
    location /media/ {
        alias /opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/media/;
    }
}
This should leave you with an up-and-running Vaultier installation that auto-starts after a reboot. If nginx instead logs connect() to unix:/var/run/vaultier.socket failed (13: Permission denied), either the nginx worker user does not match chown-socket/chmod-socket in uwsgi.ini or SELinux is still enforcing; fix that before touching anything else.
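As an added check (this script is mine, not Vaultier’s and not from the original post), here is a small audit of the two places where this setup most often either breaks or ends up weaker than intended: a trust rule in pg_hba.conf, and a uwsgi socket that the nginx worker user cannot open. It only parses the configuration files you point it at, so you can try it on copies offline; the file paths in vaultier_audit are the ones used in this post, and falling back to nginx as the worker user when nginx.conf has no user directive is an assumption.

```shell
#!/bin/bash
# Post-install audit for the Vaultier/uwsgi/nginx/PostgreSQL layout above.
# Added example, not part of Vaultier or the original post. It only reads the
# configuration files it is given, so it can be run on copies offline.

# List pg_hba.conf rules that use "trust" (no password check at all) or that
# match every address. Prints one line per offending rule; returns 1 if any.
pg_hba_weak_rules() {
    local hba="$1" found=0 type db user addr method
    while read -r type db user addr method _; do
        case "$type" in ''|'#'*) continue ;; esac
        # "local" rules have no address column: the 4th field is the method.
        if [ "$type" = local ]; then
            method="$addr"; addr="-"
        fi
        if [ "$method" = trust ]; then
            echo "trust: $type $db $user $addr"; found=1
        fi
        case "$addr" in
            0.0.0.0/0|::/0|all) echo "world: $type $db $user $addr"; found=1 ;;
        esac
    done < "$hba"
    return "$found"
}

# The user nginx workers run as, taken from the "user" directive in nginx.conf.
# Assumes Fedora's packaged default of "nginx" when the directive is absent.
nginx_user() {
    local u
    u=$(sed -n 's/^[[:space:]]*user[[:space:]][[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | head -n 1)
    echo "${u:-nginx}"
}

# Value of one key in a uwsgi ini file; the last occurrence wins, which is how
# uwsgi applies repeated options.
uwsgi_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Can the nginx worker user open the socket uwsgi will create? Compares
# nginx's user with chown-socket and checks the matching rw bits of
# chmod-socket. Returns 1 for the classic "connect() ... (13: Permission denied)".
socket_handoff_ok() {
    local uwsgi_ini="$1" nginx_conf="$2" nuser owner group mode m bits
    nuser=$(nginx_user "$nginx_conf")
    owner=$(uwsgi_get "$uwsgi_ini" chown-socket)
    mode=$(uwsgi_get "$uwsgi_ini" chmod-socket)
    if [ -z "$owner" ] || [ -z "$mode" ]; then
        echo "FAIL: chown-socket and chmod-socket must both be set"; return 1
    fi
    case "$owner" in
        *:*) group=${owner#*:}; owner=${owner%%:*} ;;
        *)   group="" ;;
    esac
    m=$(printf '%d' "0$mode")          # chmod-socket is octal
    if [ "$owner" = "$nuser" ]; then bits=$(( (m >> 6) & 7 ))
    elif [ "$group" = "$nuser" ]; then bits=$(( (m >> 3) & 7 ))
    else bits=$(( m & 7 )); fi
    if [ $(( bits & 6 )) -eq 6 ]; then
        echo "ok: nginx user '$nuser' can use the socket (owner=$owner group=$group mode=$mode)"
        return 0
    fi
    echo "FAIL: nginx user '$nuser' cannot read/write the socket (owner=$owner group=$group mode=$mode)"
    return 1
}

# Run both checks against the paths used in this post. Non-zero exit status
# if anything is wrong, so it can sit at the end of a deploy script.
vaultier_audit() {
    local rc=0
    pg_hba_weak_rules /var/lib/pgsql/data/pg_hba.conf || rc=1
    socket_handoff_ok /etc/uwsgi.ini /etc/nginx/nginx.conf || rc=1
    return "$rc"
}
```

Source the file on the server and run vaultier_audit; a trust line or a socket that nginx cannot open is printed with a FAIL prefix and the function exits non-zero. The socket check deliberately looks only at what uwsgi will chown and chmod, because that is the part you control from uwsgi.ini; the SELinux label on the socket is the other half and is best checked with ls -Z once the service is up.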
Conclusion
I not only uninstalled Vaultier right after, I disposed of the VM. Don’t get me wrong; Vaultier is a nice idea, but without any(!) browser integration you have to copy and paste each password by hand. There is no option to change the language. Installing, and by extension upgrading, is a mess.
This is, at its current implementation, not a piece of software I will trust my passwords with.
It was a fun ride, though.
Hello, I want to install vaultier on CentOS 7, but after following this tutorial I have an error:
/config/config.js error 500:
[pid: 11591|app: 0|req: 7/33] 172.21.19.95 () {40 vars in 718 bytes} [Fri Sep 2 08:39:45 2016] GET / => generated 741 bytes in 3 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
[pid: 11592|app: 0|req: 22/34] 172.21.19.95 () {40 vars in 691 bytes} [Fri Sep 2 08:39:45 2016] GET /config/config.js => generated 27 bytes in 8 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)
[pid: 11591|app: 0|req: 8/35] 172.21.19.95 () {42 vars in 740 bytes} [Fri Sep 2 08:39:46 2016] GET / => generated 741 bytes in 4 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
[pid: 11594|app: 0|req: 2/36] 172.21.19.95 () {42 vars in 740 bytes} [Fri Sep 2 08:39:46 2016] GET / => generated 741 bytes in 4 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
[pid: 11593|app: 0|req: 5/37] 172.21.19.95 () {42 vars in 740 bytes} [Fri Sep 2 08:39:46 2016] GET / => generated 741 bytes in 4 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
[pid: 11592|app: 0|req: 23/38] 172.21.19.95 () {42 vars in 740 bytes} [Fri Sep 2 08:39:46 2016] GET / => generated 741 bytes in 3 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
[pid: 11591|app: 0|req: 9/39] 172.21.19.95 () {42 vars in 713 bytes} [Fri Sep 2 08:39:46 2016] GET /config/config.js => generated 27 bytes in 9 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)
Raven is not configured (logging is disabled). Please see the documentation for more information.
[pid: 11594|app: 0|req: 3/40] 172.21.19.95 () {42 vars in 713 bytes} [Fri Sep 2 08:39:47 2016] GET /config/config.js => generated 27 bytes in 17 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)
and in the file nginx-error.log :
2016/09/02 10:39:26 [error] 11636#0: *48 directory index of “/opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/static//” is forbidden, client: 172.21.19.95, server: srvXXX, request: “GET /static/ HTTP/1.1”, host: “srvXXX”
2016/09/02 10:39:26 [error] 11636#0: *48 directory index of “/opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/static//” is forbidden, client: 172.21.19.95, server: srvXXX, request: “GET /static/ HTTP/1.1”, host: “srvXXX”
2016/09/02 10:40:55 [error] 11636#0: *80 open() “/opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/static//vaultier/bower_components/ember/ember.js” failed (2: No such file or directory), client: 172.21.19.95, server: srvXXX, request: “GET /static/vaultier/bower_components/ember/ember.js HTTP/1.1”, host: “srvXXX”
I activated this:
cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
semodule -i mynginx.pp
But I have an internal error 500...
[crit] 10077#0: *1 connect() to unix:/var/run/vaultier.socket failed (13: Permission denied) while connecting to upstream, client: 172.21.19.95, server: srvXXX, request: “GET / HTTP/1.1”, upstream: “uwsgi://unix:/var/run/vaultier.socket:”, host: “srvXXX”
2016/09/02 10:12:26 [crit] 10077#0: *1 connect() to unix:/var/run/vaultier.socket failed (13: Permission denied) while connecting to upstream, client: 172.21.19.95, server: srvXXX, request: “GET /favicon.ico HTTP/1.1”, upstream: “uwsgi://unix:/var/run/vaultier.socket:”, host: “srvXXX”, referrer: “http://srvXXX/”
Just for kicks: Try disabling selinux for now and see if that solves your problem. If it does, you need to tweak selinux.
I disabled selinux and rebooted the server, but no effect:
Google Chrome F12 error:
GET https://srvXXX/config/config.js 500 (INTERNAL SERVER ERROR)
ember.js:13720’webkitIndexedDB’ is deprecated. Please use ‘indexedDB’ instead.
In the vaultier.log file (uwsgi):
[pid: 688|app: 0|req: 1/12] 172.21.19.95 () {42 vars in 708 bytes} [Fri Sep 2 12:53:44 2016] GET /config/config.js => generated 0 bytes in 1153 msecs (HTTP/1.1 500) 1 headers in 0 bytes (0 switches on core 0)
[pid: 685|app: 0|req: 7/13] 172.21.19.95 () {42 vars in 734 bytes} [Fri Sep 2 12:53:58 2016] GET / => generated 741 bytes in 4 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
[pid: 686|app: 0|req: 4/14] 172.21.19.95 () {42 vars in 708 bytes} [Fri Sep 2 12:53:58 2016] GET /config/config.js => generated 27 bytes in 7 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)
[pid: 687|app: 0|req: 3/15] 172.21.19.95 () {42 vars in 734 bytes} [Fri Sep 2 12:54:00 2016] GET / => generated 741 bytes in 25 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
[pid: 685|app: 0|req: 8/16] 172.21.19.95 () {42 vars in 708 bytes} [Fri Sep 2 12:54:00 2016] GET /config/config.js => generated 27 bytes in 7 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)
Hey,
Your issue is with nginx and uwsgi configuration. Double check that nginx runs as the same user/group as you set chown-socket in uwsgi config to. Also check that nginx can access said directory. Do a “sudo -u nginx bash” and try to cd into that directory.
Your issue is permissions related; simple fix.
I redid the install and it’s OK! The mail function does not work... In the log file there is nothing...