#!/bin/sh
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Abort on the first unhandled non-zero exit status.
set -o errexit

# Disable core dumps: a core file would write the process memory of this shell
# and anything it execs to disk.
ulimit -c 0

| # Allow setting VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR using an interface |
| # name instead of an IP address. The interface name is specified using |
| # VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If |
| # VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port |
| # number with the IP of the named interface. |
| get_addr () { |
| local if_name=$1 |
| local uri_template=$2 |
| ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \ |
| ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \ |
| print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \ |
| exit}' |
| } |
| |
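# Resolve the interface-based addresses. Assignment and export are separate
# statements so the exit status of get_addr is not hidden behind 'export'
# (which would always succeed and defeat set -e). The interface names are
# quoted so they are passed to get_addr as single arguments.
if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then
  VAULT_REDIRECT_ADDR=$(get_addr "$VAULT_REDIRECT_INTERFACE" "${VAULT_REDIRECT_ADDR:-http://0.0.0.0:8200}")
  export VAULT_REDIRECT_ADDR
  printf '%s\n' "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR"
fi
if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then
  VAULT_CLUSTER_ADDR=$(get_addr "$VAULT_CLUSTER_INTERFACE" "${VAULT_CLUSTER_ADDR:-https://0.0.0.0:8201}")
  export VAULT_CLUSTER_ADDR
  printf '%s\n' "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR"
fi
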
# VAULT_CONFIG_DIR isn't exposed as a volume but you can compose additional
# config files in there if you use this image as a base, or use
# VAULT_LOCAL_CONFIG below. Read by the 'server' branch and the local.json
# writer further down.
VAULT_CONFIG_DIR='/vault/config'

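# You can also set the VAULT_LOCAL_CONFIG environment variable to pass some
# Vault configuration JSON without having to bind any volumes.
# printf is used instead of echo: under /bin/sh, echo may interpret backslash
# escapes (such as "\n" inside a JSON string) or treat a leading "-n"/"-e" as
# an option, which would corrupt the configuration that is written out.
# The file is created with the shell's current umask.
if [ -n "$VAULT_LOCAL_CONFIG" ]; then
  printf '%s\n' "$VAULT_LOCAL_CONFIG" > "$VAULT_CONFIG_DIR/local.json"
fi
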
# Due to OpenShift environment compatibility, we have to allow group write
# access to the Vault configuration. This requires us to disable the stricter
# file permissions checks introduced in Vault v1.11.0. Note that this relaxes a
# hardening check for every Vault process started from this entrypoint.
VAULT_DISABLE_FILE_PERMISSIONS_CHECK=true
export VAULT_DISABLE_FILE_PERMISSIONS_CHECK

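# If the user is trying to run Vault directly with some arguments, then
# pass them to Vault. A case pattern is used because the substring expansion
# "${1:0:1}" is not POSIX and this script runs under #!/bin/sh; an empty $1
# does not match "-*", just as its empty first character did not equal '-'.
case "$1" in
  -*) set -- vault "$@" ;;
esac
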
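# Look for Vault subcommands.
case "$1" in
  server)
    shift
    set -- vault server \
      -config="$VAULT_CONFIG_DIR" \
      -dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \
      -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-0.0.0.0:8200}" \
      "$@"
    ;;
  version)
    # This needs a special case because there's no help output.
    set -- vault "$@"
    ;;
  *)
    # We can't use the return code to check for the existence of a subcommand, so
    # we have to use grep to look for a pattern in the help output. -F matches
    # "$1" literally instead of as a regular expression, and -- keeps a
    # pattern starting with '-' from being parsed as a grep option.
    if vault --help "$1" 2>&1 | grep -q -F -- "vault $1"; then
      set -- vault "$@"
    fi
    ;;
esac
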
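# If we are running Vault, make sure it executes as the proper user.
# This part runs as root on the first pass; the re-exec at the bottom of the
# script sets SKIP_CHOWN and SKIP_SETCAP so it is not repeated as 'vault'.
if [ "$1" = 'vault' ]; then
  if [ -z "$SKIP_CHOWN" ]; then
    # If the config dir is bind mounted then chown it
    if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
      chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
    fi

    # If the logs dir is bind mounted then chown it. Unlike /vault/config there
    # is no fallback, so a failing chown aborts the script under set -e.
    if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
      chown -R vault:vault /vault/logs
    fi

    # If the file dir is bind mounted then chown it (same fatal-on-failure
    # behaviour as /vault/logs).
    if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
      chown -R vault:vault /vault/file
    fi
  fi

  if [ -z "$SKIP_SETCAP" ]; then
    # Allow mlock to avoid swapping Vault memory to disk. The resolved binary
    # path is quoted so it is always passed to setcap as one argument.
    setcap cap_ipc_lock=+ep "$(readlink -f /bin/vault)"

    # In the case vault has been started in a container without IPC_LOCK
    # privileges the binary cannot be executed with the capability set, so
    # remove it again and tell the operator how to grant it.
    if ! vault -version 1>/dev/null 2>/dev/null; then
      >&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK"
      setcap cap_ipc_lock=-ep "$(readlink -f /bin/vault)"
    fi
  fi
fi
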
| # In case of Docker, where swap may be enabled, we |
| # still require mlocking to be available. So this script |
| # was executed as root to make this happen, however, |
| # we're now rerunning the entrypoint script as the Vault |
| # user but no longer need to run setup code for setcap |
| # or chowning directories (previously done on the first run). |
| if [[ "$(id -u)" == '0' ]] |
| then |
| export SKIP_CHOWN="true" |
| export SKIP_SETCAP="true" |
| exec su vault -p "$0" -- "$@" |
| else |
| exec "$@" |
| fi |