Vault Install Script
This folder contains a script for installing Vault and its dependencies. You can use this script, along with the run-vault script it installs, to create a Vault Google Image that can be deployed in Google Cloud across a Managed Instance Group using the vault-cluster module.
This script has been tested on the following operating systems:
- Ubuntu 16.04
- Ubuntu 18.04
There is a good chance it will work on other flavors of Debian as well.
To install Vault, use git to clone this repository at a specific tag (see the releases page for all available tags) and run the install-vault script:
    git clone --branch <VERSION> https://github.com/hashicorp/terraform-google-vault.git
    terraform-google-vault/modules/install-vault/install-vault --version 0.5.4
The install-vault script will install Vault, its dependencies, and the run-vault script. You can then run the run-vault script when the server is booting to start Vault.
We recommend running the install-vault script as part of a Packer template to create a Vault Google Image (see the vault-consul-image example for sample code). You can then deploy the Image across a Managed Instance Group using the vault-cluster module (see the vault-cluster-public and vault-cluster-private examples for fully-working sample code).
Command line Arguments
The install-vault script accepts the following arguments:
- version VERSION: Install Vault version VERSION. Required.
- path DIR: Install Vault into folder DIR. Optional.
- user USER: The install dirs will be owned by user USER. Optional.
Example:
    install-vault --version 0.8.2
How it works
The install-vault script does the following:
- Create a user and folders for Vault
- Install Vault binaries and scripts
- Configure mlock
- Install supervisord
- Follow-up tasks
Create a user and folders for Vault
Create an OS user named vault. Create the following folders, all owned by user vault:
- /opt/vault: base directory for Vault data (configurable via the --path argument).
- /opt/vault/bin: directory for Vault binaries.
- /opt/vault/data: directory where the Vault agent can store state.
- /opt/vault/config: directory where the Vault agent looks up configuration.
- /opt/vault/log: directory where the Vault agent will store log files.
- /opt/vault/tls: directory where Vault will look for TLS certs.
Install Vault binaries and scripts
Install the following:
- vault: Download the Vault zip file from the downloads page (the version number is configurable via the --version argument), and extract the vault binary into /opt/vault/bin. Add a symlink to the
- run-vault: Copy the run-vault script into
Configure mlock
Give Vault permissions to make the mlock (memory lock) syscall. This syscall is used to prevent the OS from swapping Vault's memory to disk. For more info, see: https://www.vaultproject.io/docs/configuration/#disable_mlock.
Install supervisord
Install supervisord. We use it as a cross-platform supervisor to ensure Vault is started whenever the system boots and restarted if the Vault process crashes.
Follow-up tasks
After the install-vault script finishes running, you may wish to do the following:
- If you have custom Vault config (.hcl) files, you may want to copy them into the config directory (default: /opt/vault/config).
- If /usr/local/bin isn't already part of PATH, you should add it so you can run the vault command without specifying the full path.
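To confirm the result of the steps described under How it works when baking an image, the following check audits the directory layout and looks for the mlock permission. It is an added example, not part of the install-vault module. It assumes GNU stat and find, and that the mlock permission takes the form of the cap_ipc_lock file capability shown by getcap (libcap); the function names and the world-writable check are this example's own.

```bash
# Added example, not part of the install-vault module.
# Usage: source this file, then run
#   audit_vault_dirs /opt/vault vault && check_mlock_cap /opt/vault/bin/vault

# Print one finding per line; return non-zero if a directory from the README's
# list is missing, has the wrong owner, or is world-writable (the last check is
# an extra of this example, not something the README states).
audit_vault_dirs() {
  local base="${1:-/opt/vault}" owner="${2:-vault}" rc=0 d path actual
  for d in bin data config log tls; do
    path="$base/$d"
    if [ ! -d "$path" ]; then
      echo "MISSING $path"; rc=1; continue
    fi
    actual="$(stat -c '%U' "$path")"
    if [ "$actual" != "$owner" ]; then
      echo "OWNER $path is owned by $actual, expected $owner"; rc=1
    fi
    if [ -n "$(find "$path" -maxdepth 0 -perm -0002)" ]; then
      echo "WORLD_WRITABLE $path"; rc=1
    fi
  done
  return "$rc"
}

# Assumption: the mlock permission is granted as the cap_ipc_lock file
# capability on the vault binary, which getcap (libcap) can display.
# Returns 0 if present, 1 if absent or the binary is missing, 2 if getcap
# is not installed.
check_mlock_cap() {
  local bin
  bin="$(readlink -f "${1:-/opt/vault/bin/vault}")"
  [ -f "$bin" ] || { echo "MISSING ${1:-/opt/vault/bin/vault}"; return 1; }
  command -v getcap >/dev/null 2>&1 || { echo "SKIP getcap not installed"; return 2; }
  if getcap "$bin" | grep -q 'cap_ipc_lock'; then
    echo "OK $bin has cap_ipc_lock"
  else
    echo "NO_MLOCK $bin lacks cap_ipc_lock"; return 1
  fi
}
```

Run it as the last provisioner step of the Packer build so an image with a broken layout fails the build instead of reaching the Managed Instance Group.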
Why use Git to install this code?
We needed an easy way to install these scripts that satisfied a number of requirements, including working on a variety of operating systems and supporting versioning. Our current solution is to use git, but this may change in the future. See Package Managers for a full discussion of the requirements, trade-offs, and why we picked