hashicorp / go-plugin

Golang plugin system over RPC.
Mozilla Public License 2.0

Permissions issue starting plugin and unhelpful error message #149

Closed onetwopunch closed 4 years ago

onetwopunch commented 4 years ago

I've been working with a custom Vault plugin and keep running into this error that I've traced back here:

Unrecognized remote plugin message:

This usually means that the plugin is either invalid or simply
needs to be recompiled to support the latest protocol.

I'm not sure if this is a Vault thing or something I'm missing, but simply put, I have a Vault systemd service that is running as a new user, vault, which owns all the config files as well as the plugin directory and executable. This works fine until I want to use my plugin. I can register the plugin just fine, but then when I try to configure it, I get the above error. The weird thing is that when I update the systemd service file to run as root, everything works perfectly.

For context, here is the systemd service file I'm trying to use.

[Unit]
Description="HashiCorp Vault"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/config.hcl

[Service]
User=vault
Group=vault
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
SecureBits=keep-caps
StandardError=syslog
StandardOutput=syslog
SyslogIdentifier=vault
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
EnvironmentFile=/etc/vault.d/vault.env
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/config.hcl $VAULT_ARGS
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30

[Install]
WantedBy=multi-user.target

Obviously I don't want to run Vault as root, but I still want to use this plugin. Can someone help me understand what linux permissions or capabilities I'd need to use a plugin in production as a non-root user?

At the very least I think this deserves looking into from an error point of view since the error message is probably hiding some underlying permissions error if I can run this as root but not as an unprivileged user.

onetwopunch commented 4 years ago

Figured it out. Turns out that both the vault executable and the plugin need to have cap_ipc_lock set even if systemd specifies keep-caps. To fix this I simply did:

/sbin/setcap cap_ipc_lock=+ep /etc/vault.d/plugins/my-vault-plugin

I think this edge case should be added to the Vault docs so I'll go ahead and add an issue there to track it.
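A pre-flight check for the situation described in this thread, added here as an example and not code from the issue author or from the go-plugin project: it runs `getcap` over the Vault binary and every executable in the plugin directory and reports which ones lack `cap_ipc_lock` in their effective and permitted sets, so the missing file capability surfaces before the plugin is registered instead of hiding behind "Unrecognized remote plugin message". It assumes `getcap` from libcap is installed and parses both output styles libcap has used (`path = cap_ipc_lock+ep` and `path cap_ipc_lock=ep`); the paths `/usr/local/bin/vault` and `/etc/vault.d/plugins` are the ones from the thread, and the sample `getcap` lines in the comments are constructed.

```shell
#!/bin/sh
# Report Vault plugin binaries that are missing cap_ipc_lock=ep (example, not part of go-plugin).

# has_ipc_lock_ep LINE
#   LINE is one line of getcap output, e.g. (constructed samples):
#     /etc/vault.d/plugins/my-vault-plugin cap_ipc_lock=ep      (libcap >= 2.41)
#     /etc/vault.d/plugins/my-vault-plugin = cap_ipc_lock+ep    (older libcap)
#   Returns 0 when cap_ipc_lock is listed with both the e and p flags, 1 otherwise.
#   An empty line (getcap prints nothing for a file without capabilities) returns 1.
has_ipc_lock_ep() {
    rest=${1#* }        # drop the path (assumed to contain no spaces)
    rest=${rest#= }     # older libcap separates path and caps with " = "
    for clause in $rest; do
        # each clause is "name[,name...]=flags" or "name[,name...]+flags"
        case $clause in
            *=*) names=${clause%%=*}; flags=${clause#*=} ;;
            *+*) names=${clause%%+*}; flags=${clause#*+} ;;
            *)   continue ;;
        esac
        case ",$names," in
            *,cap_ipc_lock,*) ;;
            *) continue ;;
        esac
        case $flags in
            *e*) case $flags in *p*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# check_binary PATH: prints ok/MISSING for one executable; returns 1 if MISSING.
check_binary() {
    line=$(getcap "$1" 2>/dev/null)
    if has_ipc_lock_ep "$line"; then
        echo "ok       $1"
        return 0
    fi
    echo "MISSING  $1  (fix: /sbin/setcap cap_ipc_lock=+ep \"$1\")"
    return 1
}

# check_paths PATH...: each argument is a binary or a plugin directory.
# Returns 1 if any executable lacks the capability, 2 if getcap is unavailable.
check_paths() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap not found (install libcap)" >&2; return 2; }
    status=0
    for p in "$@"; do
        if [ -d "$p" ]; then
            for bin in "$p"/*; do
                [ -f "$bin" ] && [ -x "$bin" ] || continue
                check_binary "$bin" || status=1
            done
        elif [ -f "$p" ]; then
            check_binary "$p" || status=1
        else
            echo "skip     $p (not found)"
        fi
    done
    return $status
}

# Usage: sh check_vault_caps.sh /usr/local/bin/vault /etc/vault.d/plugins
if [ "$#" -gt 0 ]; then
    check_paths "$@"
fi
```

Run it as the same unprivileged user the unit file uses so the view of the filesystem matches what the service sees; a non-zero exit is a quick signal that the plugin process would fail its mlock call and never complete the go-plugin handshake.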