Installing Vaultier under Fedora

Vaultering.

So there I was; trying to install Vaultier on a dedicated CentOS machine. Turns out there is only a docker installation, an installation script for Ubuntu and manual install. And for the latter it’s only for Ubuntu (or Debian). Tough luck.

But how hard can it be to install this in CentOS? Next to impossible. The software shipped in the default repositories (and epel) are too old to actually get it to work (without compiling a lot on my own, but that would break the nice updates). And updates are a must on a server that handles sensitive data.

So I took the next best thing: Fedora 24 Server. Even that turned out to be ugly; but in the end it worked. Here is how I did it.

Getting your hands dirty.

I’ll assume you have a Fedora 24 Server installed already and are logged in as root. Let’s get cracking. First off disable selinux.

echo "SELINUX=disabled" > /etc/selinux/config

Don’t reboot just yet; update the system fully (even if you just installed (read: especially if you just installed it.)):

dnf update -y

Ok good. Reboot your server at this point to get rid of selinux and let the new libs and bins kick in. Next, install some software needed by vaultier:

dnf install -y postgresql postgresql-contrib postgresql-devel nginx supervisor uwsgi python python-virtualenv python-devel redhat-rpm-config postgresql-server uwsgi-plugin-python uwsgi-logger-file
dnf groupinstall -y "Development tools"

With the software installed, create the new environment for vaultier:

mkdir -p /opt/vaultier
useradd -d /opt/vaultier -M vaultier
cd /opt/vaultier
virtualenv venv
source /opt/vaultier/venv/bin/activate
pip install vaultier

The last step will fail half-way due to some version mismatches. We need to fix that at this point, edit the file /opt/vaultier/venv/lib/python2.7/site-packages/Vaultier-0.7.5-py2.7.egg-info/requires.txt to match this:

BeautifulSoup==3.2.1
Django==1.6
South==1.0.2
argparse==1.2.1
cssutils==1.0
django-appconf==0.6
django-extensions==1.2.5
django-filter==0.7
djangorestframework==2.3.12
flup==1.0.2
html2text==3.200.3
jsonfield==0.9.20
psycopg2==2.5.1
pycrypto==2.6.1
pynliner==0.5.0
six==1.9
wsgiref==0.1.2
raven==5.0.0
pytz==2014.7
celery==3.1.9
requests==2.3.0
python-dateutil==2.2
logan==0.5.10
iso8601==0.1.10

Still with me? Good, re-run the previously failed command:

pip install vaultier

That should leave you with vautlier installed. Let’s create a basic configuration:

export PYTHONPATH="${PYTHONPATH}:/opt/vaultier/venv/lib/python2.7/site-packages/vaultier"
vaultier init

The newly created configuration resides at /opt/vaultier/vaultier_conf.py, edit it to fit your needs. All done? Database time. The second command will ask you for a database user name, database name and password. Leave the first two at vaultier, Remember the password you supply.

vaultier check
postgresql-setup --initdb
echo "host vaultier vaultier 127.0.0.1/32 trust" > /var/lib/pgsql/data/pg_hba.conf
systemctl start postgresql
systemctl enable - postgrespostgresql

Now create a postgresql user, password and database, replacing the password from the 4th command from the one you gave vaultier above:

su - postgres
psql
create database vaultier;
CREATE USER vaultier WITH PASSWORD 'insertpasswordhere';
GRANT ALL PRIVILEGES ON DATABASE "vaultier" to vaultier;
exit

For testing purposes, disable the firewall for now:

systemctl stop firewalld
systemctl disable firewalld

Vaultier is nearly done, final check:

vaultier check

that command should be totally quiet, if not, fix any error (and retrace our steps). Check that teh DB connection is valid:

vaultier dbshell

If you get a shell, all is working. In case of error: Be sure to have the exact same passwords you gave the init command as well as while creating the databases! If all went well fill the database with initial data:

vaultier setup

and try a startup:

vaultier runserver

No errors: awesome, vaultier is working. Now let’s edit the /etc/uwsgi.ini file, delete all content, add this:

[uwsgi]
pidfile = /run/uwsgi/uwsgi.pid
plugins = python
master = true
processes = 1
threads = 1
workers=4
max-requests=1000
chdir=/opt/vaultier
module=vaultier.wsgi:application
home=/opt/vaultier/venv
pythonpath=/opt/vaultier
pythonpath=/opt/vaultier/venv/lib/python2.7/site-packages/vaultier/
env=DJANGO_SETTINGS_MODULE=vaultier_conf
vacuum=true
no-orphans=true
uid=vaultier
gid=vaultier
chmod-socket = 664
chown-socket=nginx:nginx
socket=/var/run/vaultier.socket
listen=50
logto = /opt/vaultier/logs/vaultier.log

And start it up:

mkdir /var/log/vaultier
systemctl start uwsgi
systemctl enable uwsgi

check the logfile /opt/vaultier/logs/vaultier.log for startup messages. No errors: Your setup is working. Final step is to get nginx running with our setup. I won’t handhold you through nginx here- that’s pretty straighforward. The essential configuration for the vhost is:

server {
    listen              443 ssl;
    server_name         passwords.alpha-labs.net;
    ssl_certificate     /path/to/your/.crt;
    ssl_certificate_key /path/to/your/.key;
    ssl_dhparam         /path/to/your/.crt;

    location / {
      include    uwsgi_params;
      uwsgi_pass unix:/var/run/vaultier.socket;
    }

    location /static {
      alias /opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/static/;
    }

    location /media {
      alias /opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/media/;
    }
}

This should net you with an up and running Vaultier installation that auto-starts after a reboot.

Conclusion

I not only uninstalled vaultier right after, I disposed of the VM. Don’t get me wrong; vaultier is a nice thought, but without any(!) Browser integration you have to copy&paste each password by hand. There is no option to change the language. Installing -and by extension upgrading- is a mess.

This is, at its current implementation, not a piece of software I will trust my passwords with.

It was a fun ride, tho.