
I'm running the latest CentOS and I need Hashicorp Vault 1.6.3 to run as a service. I'm currently using the kv/secret backend, so I can use

vault kv put secret/test/hello foo=bar

in order to store secrets. When running Vault as a server, it blocks. I need the Vault server to automatically start as a service whenever the server is rebooted; it really shouldn't be blocking if possible. It's been about three years since I've used Vault, so I may just be dense here.

So I guess what I need to ask is:

  1. How do I start Vault when my server reboots?

  2. Should it be blocking and, if not, how do I prevent this?

farslayer9

2 Answers

Vault is both a service and a command-line tool in the same binary, so you can keep using vault on the command line and create a plain old Linux service for Vault to run. It will "block" over there, but that's what services are for.

Depending on where you are at now, you could start with Hashicorp's instructions to configure systemd to create a Vault service.

The service should look like this:

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
# CAP_IPC_LOCK lets Vault mlock() its memory so secrets are never swapped to disk
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
# StartLimitIntervalSec/StartLimitBurst are set once, in [Unit] above
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

ixe013
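As an added example (not part of the answer above and not HashiCorp's code), a small shell linter that checks a Vault unit file for the hardening and supervision directives shown in that unit before you run systemctl enable on it. The function names unit_get, check_vault_unit and write_sample_unit are hypothetical, and the unit file it writes is constructed here with two deliberate defects so the checks have something to report.

```shell
# Value of KEY in SECTION of unit file FILE (empty if absent).
unit_get() {
  local file=$1 section=$2 key=$3
  awk -v s="[$section]" -v k="$key" '
    $0 == s { in_s = 1; next }
    /^\[/   { in_s = 0 }
    in_s && index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }
  ' "$file"
}
# Print one line per finding; the return value is the number of findings.
check_vault_unit() {
  local file=$1 findings=0 pair key want got
  # Hardening and restart keys from the unit above, with their expected values.
  for pair in User=vault NoNewPrivileges=yes ProtectSystem=full \
              PrivateTmp=yes LimitMEMLOCK=infinity Restart=on-failure; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(unit_get "$file" Service "$key")
    if [ "$got" != "$want" ]; then
      echo "missing or wrong: [Service] $key (want '$want', got '${got:-unset}')"
      findings=$((findings + 1))
    fi
  done
  # The unit must start the server, not a client command that exits at once.
  case "$(unit_get "$file" Service ExecStart)" in
    *"vault server -config="*) ;;
    *) echo "ExecStart does not run 'vault server -config=...'"; findings=$((findings + 1)) ;;
  esac
  # Rate-limit keys are honoured in [Unit]; the [Service] spellings are deprecated aliases or ignored.
  for key in StartLimitInterval StartLimitIntervalSec StartLimitBurst; do
    if [ -n "$(unit_get "$file" Service "$key")" ]; then
      echo "misplaced: $key belongs in [Unit], not [Service]"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}
# Constructed sample unit: LimitMEMLOCK is missing and StartLimitIntervalSec sits in [Service].
write_sample_unit() {
  cat >"$1" <<'EOF'
[Service]
User=vault
ProtectSystem=full
PrivateTmp=yes
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
Restart=on-failure
StartLimitIntervalSec=60
EOF
}
```

Run check_vault_unit against /etc/systemd/system/vault.service before enabling the unit; a non-zero exit code means at least one directive is missing, wrong or misplaced.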

If by "it blocks" you mean that Vault is sealed, you can configure auto-unseal on cloud platforms, or just add an auto-unsealing bash script to the service startup, if you understand all the security issues.