Installing the Oracle Client for the Oracle Plugin

[EvanMAmstutz]

I am trying to install the Oracle Client via init containers so I can use the Oracle database plugin. Without it I get the following

vault write database/config/my-oracle-database plugin_name=oracle-database-plugin connection_url="{{username}}/{{password}}@//oracle.url:1521/database" allowed_roles="*" username="" password=""
Error writing data to database/config/my-oracle-database: Error making API request.

URL: PUT https://<host>/v1/database/config/my-oracle-database
Code: 400. Errors:

* error creating database object: fork/exec /usr/local/libexec/vault/oracle: no such file or directory

The extraInitContainers in my values.yaml looks like this

extraInitContainers: 
  - name: oracle
    image: "alpine"
    command: [sh, -c]
    args:
      - cd /tmp &&
        wget https://releases.hashicorp.com/vault-plugin-database-oracle/0.2.1/vault-plugin-database-oracle_0.2.1_linux_amd64.zip -O oracle.zip &&
        unzip oracle.zip &&
        mv vault-plugin-database-oracle /usr/local/libexec/vault/oracle &&
        chmod +x /usr/local/libexec/vault/oracle &&
        mkdir /opt/oracle && 
        cd /opt/oracle &&
        wget https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-basic-linux.x64-19.8.0.0.0dbru.zip?xd_co_f=6ef738b0-f1fe-446f-8068-727ddce848ab -O oracle-client.zip && 
        ls -al /opt/oracle &&
        unzip oracle-client.zip &&
        rm oracle-client.zip &&
        chmod +x /opt/oracle/instantclient_19_8/ 
    volumeMounts:
      - name: plugins
        mountPath: /usr/local/libexec/vault
      - name: oracle-client
        mountPath: /opt

After downloading the client and installing it in /opt/oracle, I get the following errors when trying to access all of the libraries needed for the Oracle plugin

ldd /usr/local/libexec/vault/oracle 
        /lib64/ld-linux-x86-64.so.2 (0x7f8929aea000)
        libclntsh.so.19.1 => /opt/oracle/instantclient_19_8/libclntsh.so.19.1 (0x7f8925a20000)
        libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f8929aea000)
        libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f8929aea000)
        libnnz19.so => /opt/oracle/instantclient_19_8/libnnz19.so (0x7f89252d6000)
        libdl.so.2 => /lib64/ld-linux-x86-64.so.2 (0x7f8929aea000)
        libm.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f8929aea000)
Error loading shared library libnsl.so.1: No such file or directory (needed by /opt/oracle/instantclient_19_8/libclntsh.so.19.1)
        librt.so.1 => /lib64/ld-linux-x86-64.so.2 (0x7f8929aea000)
Error loading shared library libaio.so.1: No such file or directory (needed by /opt/oracle/instantclient_19_8/libclntsh.so.19.1)
Error loading shared library libresolv.so.2: No such file or directory (needed by /opt/oracle/instantclient_19_8/libclntsh.so.19.1)
Error loading shared library ld-linux-x86-64.so.2: No such file or directory (needed by /opt/oracle/instantclient_19_8/libclntsh.so.19.1)
        libclntshcore.so.19.1 => /opt/oracle/instantclient_19_8/libclntshcore.so.19.1 (0x7f8924d35000)
Error loading shared library ld-linux-x86-64.so.2: No such file or directory (needed by /opt/oracle/instantclient_19_8/libnnz19.so)
Error loading shared library libnsl.so.1: No such file or directory (needed by /opt/oracle/instantclient_19_8/libclntshcore.so.19.1)
Error loading shared library libaio.so.1: No such file or directory (needed by /opt/oracle/instantclient_19_8/libclntshcore.so.19.1)
Error loading shared library libresolv.so.2: No such file or directory (needed by /opt/oracle/instantclient_19_8/libclntshcore.so.19.1)
Error loading shared library ld-linux-x86-64.so.2: No such file or directory (needed by /opt/oracle/instantclient_19_8/libclntshcore.so.19.1)
Error relocating /opt/oracle/instantclient_19_8/libclntsh.so.19.1: canonicalize_file_name: symbol not found
Error relocating /opt/oracle/instantclient_19_8/libclntsh.so.19.1: __dn_expand: symbol not found
Error relocating /opt/oracle/instantclient_19_8/libclntsh.so.19.1: getcontext: symbol not found
Error relocating /opt/oracle/instantclient_19_8/libclntsh.so.19.1: __res_nsearch: symbol not found
Error relocating /opt/oracle/instantclient_19_8/libclntsh.so.19.1: bindresvport: symbol not found
Error relocating /opt/oracle/instantclient_19_8/libclntsh.so.19.1: __dn_skipname: symbol not found
Error relocating /opt/oracle/instantclient_19_8/libclntsh.so.19.1: __finite: symbol not found
Error relocating /opt/oracle/instantclient_19_8/libclntsh.so.19.1: __res_nclose: symbol not found
Error relocating /opt/oracle/instantclient_19_8/libclntsh.so.19.1: __res_ninit: symbol not found

Is there a way to use init containers to install the Oracle client and have it be usable by the Oracle plugin?

[jasonodonnell]

Hmm, I don't think this is possible. The output above suggests statically linked files don't exist. This was probably compiled with CGO, which means the binary depends on glibc to work. The Vault container uses Alpine, which uses musl instead of glibc.

[EvanMAmstutz]

@jasonodonnell thanks for the response. The way I see it there are a few ways forward from here with the dynamic secrets for Oracle: 1) Run Vault on VMs as opposed to containers. 2) Pull the Vault container image and build a layer on top which adds the glibc (not even remotely ideal)

Can you see any other paths I could take? I am seeing why the Oracle plugin is the only one listed as "external" to Vault.

[jasonodonnell]

@EvanMAmstutz In the near future we're releasing Vault Universal Base Image (UBI) containers. These will have glibc and it should make this possible. I would keep a look out for those! The code has already been merged if you're interested in building and trying: https://github.com/hashicorp/docker-vault/tree/master/ubi but keep in mind that we haven't officially released these so support is limited.

[EvanMAmstutz]

@jasonodonnell great thanks. I will try that out!

[EvanMAmstutz]

@jasonodonnell I am now getting the following error

vault write --tls-skip-verify database/config/my-oracle-database plugin_name=oracle-database-plugin connection_url="{{username}}/{{password}}@//host:1521/<db>" allowed_roles="*" username="VAULT_SUPER_
USR" password="VAULTSUPERUSR"
Error writing data to database/config/my-oracle-database: Error making API request.

URL: PUT https://host/v1/database/config/my-oracle-database
Code: 400. Errors:

* error creating database object: Unrecognized remote plugin message:

This usually means that the plugin is either invalid or simply
needs to be recompiled to support the latest protocol.

Could this still be with the Oracle Instant Client or is it something else with the how the plugin is configured?

[jasonodonnell]

I'm assuming you registered the plugin with the catalog? This doc might help: https://support.hashicorp.com/hc/en-us/articles/360021245994-Enabling-Oracle-Database-Secrets-Engine.

It could still be missing packages:

Follow the InstantClient installation instructions for your version to properly install it, making sure that it has been added to the system library cache and that the libaio/libaio1 dependency package has also been installed.

[lawliet89]

Just wanted to chime in that a potential problem you might have faced might be related to TLS errors when the plugin tries to unwrap the token it was passed as documented here.

If you check Vault's logs/audit logs, you will see the actual errors. The errors I encountered were:

• You need to make sure the api_addr passed to the Vault server is one of the SAN in Vault's certificate. By default, this chart sets this to the Pod IP Address which might not be covered by your certificate. You will have to override server.ha.apiAddr to something else.

• You will have to make sure the plugin can actually find the CA that issued the certificate. You can point the plugin to the correct path for the CA using the "usual" VAULT_CACERT environment variable during your plugin registration by setting the env parameter.