
I'm trying to run a Vault instance on AWS, and when I want to run the command vault operator init -key-shares=5 -key-threshold=3 -format json from an Ansible role I get this error:

fatal: [vault]: FAILED! => {"changed": true, "cmd": "vault operator init -key-shares=5 -key-threshold=3 -format json", "delta": "0:00:00.054870", "end": "2021-12-12 14:30:50.956504", "msg": "non-zero return code", "rc": 2, "start": "2021-12-12 14:30:50.901634", "stderr": "Error initializing: Put \"http://127.0.0.1:8200/v1/sys/init\": dial tcp 127.0.0.1:8200: connect: connection refused", "stderr_lines": ["Error initializing: Put \"http://127.0.0.1:8200/v1/sys/init\": dial tcp 127.0.0.1:8200: connect: connection refused"], "stdout": "", "stdout_lines": []}

When I'm on my Vault server and I run service vault status, I get this result:

vault.service - a tool for managing secrets
   Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2021-12-12 14:19:47 UTC; 6min ago
     Docs: https://vaultproject.io/docs/
  Process: 5152 ExecStart=/usr/local/bin/vault server -config=/etc/vault.hcl (code=exited, status=213/SECUREBITS)
 Main PID: 5152 (code=exited, status=213/SECUREBITS)

Dec 12 14:19:47 ip-172-31-37-194 systemd[1]: Started a tool for managing secrets.
Dec 12 14:19:47 ip-172-31-37-194 systemd[5152]: vault.service: Failed to set process secure bits: Operation not perm
Dec 12 14:19:47 ip-172-31-37-194 systemd[5152]: vault.service: Failed at step SECUREBITS spawning /usr/local/bin/vau
Dec 12 14:19:47 ip-172-31-37-194 systemd[1]: vault.service: Main process exited, code=exited, status=213/SECUREBITS
Dec 12 14:19:47 ip-172-31-37-194 systemd[1]: vault.service: Failed with result 'exit-code'.

Here are my 2 config files. vault.hcl:

disable_mlock = true

listener "tcp" {
  address     = "http://{{ listener_address }}"
  tls_disable = 1
}
backend "file" {
        path = "/var/lib/vault"
}

My vault.service:

[Unit]
Description=a tool for managing secrets
Documentation=https://vaultproject.io/docs/
After=network.target
ConditionFileNotEmpty=/etc/vault.hcl

[Service]
User=vault
Group=vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault.hcl
ExecReload=/usr/local/bin/kill --signal HUP $MAINPID
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
SecureBits=keep-caps
NoNewPrivileges=yes
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

I haven't found anything yet that could unblock this situation; if someone has an idea.

The Nurse
  • Did the search you ran for existing issues show you [this GitHub comment](https://github.com/hashicorp/vault/issues/5944#issuecomment-482083128), claiming that `Capabilities=` was removed in favor of `AmbientCapabilities=`? – mdaniel Dec 13 '21 at 05:29
  • I still have the same message : ```fatal: [vault]: FAILED! => {"changed": true, "cmd": "vault operator init -key-shares=5 -key-threshold=3 -format json", "delta": "0:00:00.057969", "end": "2021-12-13 16:25:14.703307", "msg": "non-zero return code", "rc": 2, "start": "2021-12-13 16:25:14.645338", "stderr": "Error initializing: Put \"http://127.0.0.1:8200/v1/sys/init\": dial tcp 127.0.0.1:8200: connect: connection refused", "stderr_lines": ["Error initializing: Put \"http://127.0.0.1:8200/v1/sys/init\": dial tcp 127.0.0.1:8200: connect: connection refused"], "stdout": "", "stdout_lines": []}``` – The Nurse Dec 13 '21 at 16:26
  • (a) please don't use comments for technical content; instead [edit your question](https://stackoverflow.com/posts/70324591/edit) and update it as you learn more (b) fine, I appreciate it's still not listening, but did you fix the `SECUREBITS` exit status or not? – mdaniel Dec 13 '21 at 17:00
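As an added example (not from the question, nor from the Vault project's own docs), the posted unit rewritten the way the linked GitHub comment suggests: the removed Capabilities= directive is replaced by AmbientCapabilities=, which is how systemd hands CAP_IPC_LOCK to a non-root User=. SecureBits=keep-caps is dropped as well (my assumption, consistent with the log: PR_SET_SECUREBITS needs CAP_SETPCAP, which the process no longer holds once it runs as vault under this bounding set, hence the 213/SECUREBITS exit). Paths, user and Description are the ones from the question; everything else is an assumption.

```ini
# Added example: systemd unit for Vault using AmbientCapabilities= instead of
# the removed Capabilities= directive and SecureBits=keep-caps.
[Unit]
Description=a tool for managing secrets
Documentation=https://vaultproject.io/docs/
After=network.target
ConditionFileNotEmpty=/etc/vault.hcl

[Service]
User=vault
Group=vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault.hcl
ExecReload=/usr/local/bin/kill --signal HUP $MAINPID
# The bounding set still caps what the process can ever hold (least privilege).
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
# Ambient capabilities survive the switch to User=vault, so Vault can mlock()
# its memory without the unit having to change secure bits at all.
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
```

Since the posted vault.hcl sets disable_mlock = true, Vault does not need CAP_IPC_LOCK at all in this setup and the AmbientCapabilities= line could be omitted; it is kept for when mlock is re-enabled. After editing the unit, run systemctl daemon-reload and restart the service, then confirm in systemctl status that the SECUREBITS step is gone before re-running the Ansible init task.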

0 Answers