Vault on OSX
• Mark Eschbach
Feels like I’ve got too many secrets to store everywhere. It would be really nice if I could store secrets on my laptop, and also develop on my laptop. Time to find out how to configure Vault with the SystemD equivalent of OSX: LaunchD. Although it just occurred to me I could probably use a shell script when I start Terminal to check if the port is bound and start Vault if it’s not. That is definitely the hackier solution.
So! On to Apple’s documentation on the subject. At first read it looks like I’ll need to create a plist file which contains a specific set of keys as documented in this table. I doubt Vault offers an inetd-compatible interface. I’m going to venture a guess that per-user services should be installed in ~/Library/LaunchDaemons/, based on plists going in /System/Library/LaunchDaemons/ for the system. Well, maybe ~/Library/LaunchAgents, because the other directory doesn’t exist. Steam has an interesting script talking about cleaning in that directory. I wonder what it does.
Anyway, back to figuring out what the plist is specifying. After reviewing some existing files it looks like I might want to take a look at the ProgramArguments key to specify what to launch. Interestingly they don’t specify the Program key as required. I wonder what the default program is. Turns out you have to RTFM with man launchd.plist. The Program key is optional but will be execv‘ed if it’s supplied. If it’s missing, the first element of ProgramArguments is consumed as the program instead. There certainly are a lot of keys whose entry just asks you to remove the key without describing what it did. It would be a tragedy if you needed the functionality. Well, this is the first time I’ve ever been forced to read a man page by Apple.
I think the next major risk point to drive out is whether Vault supports LaunchD socket activation. Okay, maybe less of a risk and more of an efficiency. According to this random Puppet script, no. Time to keep digging though. Doesn’t look like it after reading several websites.
A theoretical file would be placed at
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>io.vaultproject.daemon.dev</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/malory/.srv/vault</string>
        <string>server</string>
        <string>-config</string>
        <string>/Users/malory/.srv/vault.dev.hcl</string>
    </array>
</dict>
</plist>
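As an added example (not code from the post), here is a shell script that ties the pieces together: it renders the same kind of agent plist, relying on the launchd.plist(5) rule that the first ProgramArguments element is used as the executable when Program is omitted, installs it under ~/Library/LaunchAgents, and implements the "check if the port is bound before starting Vault" idea from the top of the post. The binary and config paths under ~/.srv, the io.vaultproject.daemon.dev label and the 127.0.0.1:8200 listener are assumptions; RunAtLoad, KeepAlive and the log paths are additions the post's minimal plist does not have.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed layout (hypothetical):
#   Vault binary : $HOME/.srv/vault
#   Vault config : $HOME/.srv/vault.dev.hcl
#   listener     : 127.0.0.1:8200 (Vault's default port)
# Usage:  sh vault-agent.sh install   # write the plist and hand it to launchd
#         sh vault-agent.sh ensure    # start Vault only if its port is not bound

VAULT_LABEL="io.vaultproject.daemon.dev"
VAULT_BIN="${VAULT_BIN:-$HOME/.srv/vault}"
VAULT_CONFIG="${VAULT_CONFIG:-$HOME/.srv/vault.dev.hcl}"
VAULT_HOST="${VAULT_HOST:-127.0.0.1}"
VAULT_PORT="${VAULT_PORT:-8200}"

# Per-user agents live in ~/Library/LaunchAgents; the file name should match Label.
plist_path() {
    printf '%s\n' "$HOME/Library/LaunchAgents/$VAULT_LABEL.plist"
}

# Render the agent plist on stdout. Program is deliberately omitted: per
# launchd.plist(5) the first ProgramArguments element is then the executable.
# RunAtLoad/KeepAlive and the log paths go beyond the post's plist so the
# agent starts at login and is restarted if it dies.
render_vault_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$VAULT_LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$VAULT_BIN</string>
        <string>server</string>
        <string>-config</string>
        <string>$VAULT_CONFIG</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>StandardOutPath</key>
    <string>$HOME/Library/Logs/$VAULT_LABEL.log</string>
    <key>StandardErrorPath</key>
    <string>$HOME/Library/Logs/$VAULT_LABEL.err</string>
</dict>
</plist>
EOF
}

# True when something already accepts connections on Vault's listener.
# Uses nc(1), which ships with macOS; a missing nc counts as "not listening".
vault_listening() {
    command -v nc >/dev/null 2>&1 || return 1
    nc -z -w 1 "$VAULT_HOST" "$VAULT_PORT" >/dev/null 2>&1
}

# Write the plist with user-only permissions (it names where the secrets
# live), lint it, then hand it to launchd. -w also clears any Disabled flag.
install_vault_agent() {
    target=$(plist_path)
    mkdir -p "$(dirname "$target")" "$HOME/Library/Logs"
    ( umask 077; render_vault_plist > "$target" )
    plutil -lint "$target"
    launchctl load -w "$target"
}

# The "hackier" alternative from the post: call this from your shell start-up
# and only start the agent when nothing is bound on the port yet.
ensure_vault_running() {
    if vault_listening; then
        echo "vault already listening on $VAULT_HOST:$VAULT_PORT"
    else
        launchctl start "$VAULT_LABEL"
    fi
}

case "${1:-}" in
    install) install_vault_agent ;;
    ensure)  ensure_vault_running ;;
esac
```

Note that with KeepAlive set, launchd restarts the server whenever it exits, so the port check in ensure_vault_running mostly matters if you unload the agent and fall back to starting Vault by hand.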
So this really begs the question of why I want to do this. I could always just use the KeyChain on OSX. I’m sure there are plenty of bindings for it in different languages, despite it being one of the bigger pains I’ve had to work with under the Darwin family. A lot of it feels like there are DB-type interactions I’m unaware of. Anyway, I think for now I’ll stick to launching Vault by hand when I need to.