Installing Vaultier under Fedora

Vaultering.

So there I was; trying to install Vaultier on a dedicated CentOS machine. Turns out there is only a docker installation, an installation script for Ubuntu and manual install. And for the latter it’s only for Ubuntu (or Debian). Tough luck.

But how hard can it be to install this in CentOS? Next to impossible. The software shipped in the default repositories (and epel) is too old to actually get it to work (without compiling a lot on my own, but that would break the nice updates). And updates are a must on a server that handles sensitive data.

So I took the next best thing: Fedora 24 Server. Even that turned out to be ugly; but in the end it worked. Here is how I did it.

Getting your hands dirty.

I’ll assume you have a Fedora 24 Server installed already and are logged in as root. Let’s get cracking. First off, disable selinux (editing only that line keeps the rest of the file intact):

sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

Don’t reboot just yet; update the system fully first (even, or rather especially, if you just installed it):

dnf update -y

Ok good. Reboot your server at this point to get rid of selinux and let the new libs and bins kick in. Next, install some software needed by vaultier:

dnf install -y postgresql postgresql-contrib postgresql-devel nginx supervisor uwsgi python python-virtualenv python-devel redhat-rpm-config postgresql-server uwsgi-plugin-python uwsgi-logger-file
dnf groupinstall -y "Development tools"

With the software installed, create the new environment for vaultier:

mkdir -p /opt/vaultier
useradd -d /opt/vaultier -M vaultier
cd /opt/vaultier
virtualenv venv
source /opt/vaultier/venv/bin/activate
pip install vaultier

The last step will fail half-way due to some version mismatches. We need to fix that at this point: edit the file /opt/vaultier/venv/lib/python2.7/site-packages/Vaultier-0.7.5-py2.7.egg-info/requires.txt to match this:

BeautifulSoup==3.2.1
Django==1.6
South==1.0.2
argparse==1.2.1
cssutils==1.0
django-appconf==0.6
django-extensions==1.2.5
django-filter==0.7
djangorestframework==2.3.12
flup==1.0.2
html2text==3.200.3
jsonfield==0.9.20
psycopg2==2.5.1
pycrypto==2.6.1
pynliner==0.5.0
six==1.9
wsgiref==0.1.2
raven==5.0.0
pytz==2014.7
celery==3.1.9
requests==2.3.0
python-dateutil==2.2
logan==0.5.10
iso8601==0.1.10

Still with me? Good, re-run the previously failed command:

pip install vaultier

That should leave you with vaultier installed. Let’s create a basic configuration:

export PYTHONPATH="${PYTHONPATH}:/opt/vaultier/venv/lib/python2.7/site-packages/vaultier"
vaultier init

The newly created configuration resides at /opt/vaultier/vaultier_conf.py; edit it to fit your needs. All done? Database time. The second command will ask you for a database user name, database name and password. Leave the first two at vaultier and remember the password you supply. The pg_hba.conf rule below is inserted at the top of the file, so it matches before the default rules while the local entries that psql needs survive, and it uses md5 so that PostgreSQL actually checks that password.

vaultier check
postgresql-setup --initdb
sed -i '1i host vaultier vaultier 127.0.0.1/32 md5' /var/lib/pgsql/data/pg_hba.conf
systemctl start postgresql
systemctl enable postgresql

Now create a postgresql user, password and database, replacing the password in the 4th command with the one you gave vaultier above:

su - postgres
psql
create database vaultier;
CREATE USER vaultier WITH PASSWORD 'insertpasswordhere';
GRANT ALL PRIVILEGES ON DATABASE "vaultier" to vaultier;
\q
exit

For testing purposes, disable the firewall for now:

systemctl stop firewalld
systemctl disable firewalld

Vaultier is nearly done, final check:

vaultier check

That command should be totally quiet; if not, fix any error (and retrace our steps). Check that the DB connection is valid:

vaultier dbshell

If you get a shell, all is working. In case of error, be sure to have the exact same passwords you gave the init command and while creating the database! If all went well, fill the database with initial data:

vaultier setup

and try a startup:

vaultier runserver

No errors? Awesome, vaultier is working. Now edit the /etc/uwsgi.ini file: delete all content and add this:

[uwsgi]
pidfile = /run/uwsgi/uwsgi.pid
plugins = python
master = true
; workers is an alias of processes; only one of the two is set here to avoid conflicting values
workers = 4
threads = 1
max-requests = 1000
chdir = /opt/vaultier
module = vaultier.wsgi:application
home = /opt/vaultier/venv
pythonpath = /opt/vaultier
pythonpath = /opt/vaultier/venv/lib/python2.7/site-packages/vaultier/
env = DJANGO_SETTINGS_MODULE=vaultier_conf
vacuum = true
no-orphans = true
uid = vaultier
gid = vaultier
chmod-socket = 664
chown-socket = nginx:nginx
socket = /var/run/vaultier.socket
listen = 50
logto = /opt/vaultier/logs/vaultier.log

And start it up:

mkdir -p /opt/vaultier/logs
chown vaultier:vaultier /opt/vaultier/logs
systemctl start uwsgi
systemctl enable uwsgi

Check the logfile /opt/vaultier/logs/vaultier.log for startup messages. No errors? Your setup is working. The final step is to get nginx running with our setup. I won’t handhold you through nginx here; that’s pretty straightforward. The essential configuration for the vhost is:

server {
    listen              443 ssl;
    server_name         passwords.alpha-labs.net;
    ssl_certificate     /path/to/your/.crt;
    ssl_certificate_key /path/to/your/.key;
    ssl_dhparam         /path/to/your/dhparam.pem;

    location / {
      include    uwsgi_params;
      uwsgi_pass unix:/var/run/vaultier.socket;
    }

    # trailing slash on both location and alias, otherwise nginx builds "static//" paths
    location /static/ {
      alias /opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/static/;
    }

    location /media/ {
      alias /opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/media/;
    }
}

This should leave you with an up-and-running Vaultier installation that auto-starts after a reboot.
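The chown-socket line in the uwsgi config only helps if it names the user nginx actually runs as; the comments on this post show the "13: Permission denied" failure when it does not. Below is an added check, written for this page and not part of Vaultier or the original post, that reads both files and compares them; the file paths are parameters, the sample files are constructed, and "nginx" is assumed as the default user when the nginx directive is absent.

```shell
#!/bin/sh
# Added example, not from the original post: compare the owner uwsgi gives the
# socket (chown-socket) with the user nginx runs as (the "user" directive).
# File paths are parameters; the sample files in demo() are constructed here.

# Print the "user:group" value of the chown-socket option in a uwsgi ini file.
uwsgi_socket_owner() {
    sed -n 's/^[[:space:]]*chown-socket[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]'
}

# Print the user from nginx's "user" directive; "nginx" is the assumed default
# (Fedora's package) when the directive is absent.
nginx_user() {
    u=$(sed -n 's/^[[:space:]]*user[[:space:]]\{1,\}\([^; ]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${u:-nginx}"
}

# Return 0 when nginx's user owns the socket, 1 otherwise (with a diagnostic line).
check_socket_owner() {
    owner=$(uwsgi_socket_owner "$1")
    nu=$(nginx_user "$2")
    if [ -z "$owner" ]; then
        echo "no chown-socket in $1: the socket stays owned by uwsgi's own uid/gid"
        return 1
    fi
    if [ "${owner%%:*}" = "$nu" ]; then
        echo "ok: nginx runs as $nu and uwsgi hands the socket to $owner"
        return 0
    fi
    echo "mismatch: nginx runs as $nu but the socket is owned by $owner"
    return 1
}

# Constructed sample files: one matching the post's config, one with a wrong owner.
demo() {
    d=$(mktemp -d)
    printf '[uwsgi]\nchmod-socket = 664\nchown-socket=nginx:nginx\nsocket=/var/run/vaultier.socket\n' > "$d/good.ini"
    printf '[uwsgi]\nchmod-socket = 664\nchown-socket = www-data:www-data\n' > "$d/bad.ini"
    printf 'user nginx;\nworker_processes 1;\n' > "$d/nginx.conf"
    check_socket_owner "$d/good.ini" "$d/nginx.conf"
    check_socket_owner "$d/bad.ini" "$d/nginx.conf" || :
    rm -rf "$d"
}

demo
```

Run it against /etc/uwsgi.ini and /etc/nginx/nginx.conf on the server; a "mismatch" line explains a Permission denied in the nginx error log before touching selinux.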

Conclusion

I not only uninstalled vaultier right after, I disposed of the VM. Don’t get me wrong; vaultier is a nice thought, but without any(!) browser integration you have to copy&paste each password by hand. There is no option to change the language. Installing (and by extension upgrading) is a mess.

This is, at its current implementation, not a piece of software I will trust my passwords with.

It was a fun ride, tho.

Christian

Touched base with Linux back in 1995, got hooked up on it ever since. I am using Linux for both private and office for two decades. Working as a System Administrator at a medium sized hosting company I get in touch with all kinds of trouble. All of which can be solved with Linux. In my blog I am sharing solutions to problems that I had to search for myself in hope that someone else out there might find them useful.

6 thoughts on “Installing Vaultier under Fedora”

  1. Hello, I want to install vaultier on centos 7 but after this tutorial I have an error:
    /config/config.js error 500:
    [pid: 11591|app: 0|req: 7/33] 172.21.19.95 () {40 vars in 718 bytes} [Fri Sep 2 08:39:45 2016] GET / => generated 741 bytes in 3 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
    [pid: 11592|app: 0|req: 22/34] 172.21.19.95 () {40 vars in 691 bytes} [Fri Sep 2 08:39:45 2016] GET /config/config.js => generated 27 bytes in 8 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)
    [pid: 11591|app: 0|req: 8/35] 172.21.19.95 () {42 vars in 740 bytes} [Fri Sep 2 08:39:46 2016] GET / => generated 741 bytes in 4 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
    [pid: 11594|app: 0|req: 2/36] 172.21.19.95 () {42 vars in 740 bytes} [Fri Sep 2 08:39:46 2016] GET / => generated 741 bytes in 4 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
    [pid: 11593|app: 0|req: 5/37] 172.21.19.95 () {42 vars in 740 bytes} [Fri Sep 2 08:39:46 2016] GET / => generated 741 bytes in 4 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
    [pid: 11592|app: 0|req: 23/38] 172.21.19.95 () {42 vars in 740 bytes} [Fri Sep 2 08:39:46 2016] GET / => generated 741 bytes in 3 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
    [pid: 11591|app: 0|req: 9/39] 172.21.19.95 () {42 vars in 713 bytes} [Fri Sep 2 08:39:46 2016] GET /config/config.js => generated 27 bytes in 9 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)
    Raven is not configured (logging is disabled). Please see the documentation for more information.
    [pid: 11594|app: 0|req: 3/40] 172.21.19.95 () {42 vars in 713 bytes} [Fri Sep 2 08:39:47 2016] GET /config/config.js => generated 27 bytes in 17 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)

    and in the file nginx-error.log:
    2016/09/02 10:39:26 [error] 11636#0: *48 directory index of “/opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/static//” is forbidden, client: 172.21.19.95, server: srvXXX, request: “GET /static/ HTTP/1.1”, host: “srvXXX”
    2016/09/02 10:39:26 [error] 11636#0: *48 directory index of “/opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/static//” is forbidden, client: 172.21.19.95, server: srvXXX, request: “GET /static/ HTTP/1.1”, host: “srvXXX”
    2016/09/02 10:40:55 [error] 11636#0: *80 open() “/opt/vaultier/venv/lib/python2.7/site-packages/vaultier/vaultier/static//vaultier/bower_components/ember/ember.js” failed (2: No such file or directory), client: 172.21.19.95, server: srvXXX, request: “GET /static/vaultier/bower_components/ember/ember.js HTTP/1.1”, host: “srvXXX”

    I activated this:
    cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
    semodule -i mynginx.pp

    But I have an internal error 500 ..

    1. [crit] 10077#0: *1 connect() to unix:/var/run/vaultier.socket failed (13: Permission denied) while connecting to upstream, client: 172.21.19.95, server: srvXXX, request: “GET / HTTP/1.1”, upstream: “uwsgi://unix:/var/run/vaultier.socket:”, host: “srvXXX”
      2016/09/02 10:12:26 [crit] 10077#0: *1 connect() to unix:/var/run/vaultier.socket failed (13: Permission denied) while connecting to upstream, client: 172.21.19.95, server: srvXXX, request: “GET /favicon.ico HTTP/1.1”, upstream: “uwsgi://unix:/var/run/vaultier.socket:”, host: “srvXXX”, referrer: “http://srvXXX/”

      1. I disabled selinux and rebooted the server, but no effect:
        Google Chrome F12 error:
        GET https://srvXXX/config/config.js 500 (INTERNAL SERVER ERROR)
        ember.js:13720’webkitIndexedDB’ is deprecated. Please use ‘indexedDB’ instead.

        In the vaultier.log file (uwsgi):

        [pid: 688|app: 0|req: 1/12] 172.21.19.95 () {42 vars in 708 bytes} [Fri Sep 2 12:53:44 2016] GET /config/config.js => generated 0 bytes in 1153 msecs (HTTP/1.1 500) 1 headers in 0 bytes (0 switches on core 0)
        [pid: 685|app: 0|req: 7/13] 172.21.19.95 () {42 vars in 734 bytes} [Fri Sep 2 12:53:58 2016] GET / => generated 741 bytes in 4 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
        [pid: 686|app: 0|req: 4/14] 172.21.19.95 () {42 vars in 708 bytes} [Fri Sep 2 12:53:58 2016] GET /config/config.js => generated 27 bytes in 7 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)
        [pid: 687|app: 0|req: 3/15] 172.21.19.95 () {42 vars in 734 bytes} [Fri Sep 2 12:54:00 2016] GET / => generated 741 bytes in 25 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)
        [pid: 685|app: 0|req: 8/16] 172.21.19.95 () {42 vars in 708 bytes} [Fri Sep 2 12:54:00 2016] GET /config/config.js => generated 27 bytes in 7 msecs (HTTP/1.1 500) 1 headers in 63 bytes (1 switches on core 0)

        1. Hey,

          Your issue is with nginx and uwsgi configuration. Double check that nginx runs as the same user/group as you set chown-socket in uwsgi config to. Also check that nginx can access said directory. Do a “sudo -u nginx bash” and try to cd into that directory.

          Your issue is permissions related; simple fix.
