Closed daniel9x closed 8 years ago
The key line here is: open client.crt: no such file or directory. You need to specify a path to a valid client certificate. There's one for testing in fixtures/client.pem.
Indeed, all of the certificates/keys in the fixtures directory should be compatible with the development keys in the keywhiz repo, as long as you run keywhiz in development mode on localhost. You'll also have to install FUSE for OSX. Most of us run keywhiz-fs on Macs for development actually.
UPDATE
I'm so close! I think. I have the server up and running and (possibly) worked through the cert issues but now I'm getting this:
lits-dgrant:keywhiz-fs dsgrant$ ./keywhiz-fs --cert="/Users/dsgrant/git/src/keywhiz-fs/fixtures/client.pem" --ca="/Users/dsgrant/git/src/keywhiz-fs/fixtures/client.pem" --key="/Users/dsgrant/git/src/keywhiz-fs/fixtures/client.pem" https://localhost:4444 /Users/dsgrant/secrets
WARN kwfs_main[/Users/dsgrant/secrets]: 2016/04/17 17:06:24 mlockall() not implemented on this system
2016/04/17 17:06:24 Error resolving uid for keywhiz: user: unknown user keywhiz
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:24 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:24 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:24 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:24 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:43 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfs_client[/Users/dsgrant/secrets]: 2016/04/17 17:06:43 Error retrieving secret .DS_Store: Get https://localhost:4444/secret/.DS_Store: x509: certificate signed by unknown authority
ERROR kwfs_client[/Users/dsgrant/secrets]: 2016/04/17 17:06:43 Error retrieving secret .DS_Store: Get https://localhost:4444/secret/.DS_Store: x509: certificate signed by unknown authority
ERROR kwfs_client[/Users/dsgrant/secrets]: 2016/04/17 17:06:43 Error retrieving secret .DS_Store: Get https://localhost:4444/secret/.DS_Store: x509: certificate signed by unknown authority
ERROR kwfs_client[/Users/dsgrant/secrets]: 2016/04/17 17:06:43 Error retrieving secret .DS_Store: Get https://localhost:4444/secret/.DS_Store: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:44 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:44 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:48 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:48 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:53 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
ERROR kwfsclient[/Users/dsgrant/secrets]: 2016/04/17 17:06:53 Error retrieving secret ..: Get https://localhost:4444/secret/._.: x509: certificate signed by unknown authority
Also, not sure why I'm getting that error about the user. I modified the DBSeedCommand class to create the keywhiz user, so that's the current account user for the keywhiz server.
Okay... guess I have it figured out. This is some pretty fancy stuff you guys developed. :)
./keywhiz-fs --cert="" --ca="/Users/dsgrant/git/src/keywhiz-fs/fixtures/cacert.crt" --key="/Users/dsgrant/git/src/keywhiz-fs/fixtures/client.pem" https://localhost:4444 /Users/dsgrant/secrets
ended up being the correct statement that worked.
FYI, you can skip --cert="" since the client.pem file contains both cert/key and keywhiz-fs will load both if you pass --key=fixtures/client.pem.
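Added example (not from the thread or the keywhiz-fs code base): why client.pem works as the certificate and key file but fails as --ca with "x509: certificate signed by unknown authority", while the CA certificate succeeds. All certificates are constructed in memory; `issue` and `verifyServer` are hypothetical helper names, and Go's standard-library verification is assumed to stand in for the client's TLS check.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds constructed test material: certificate, key, and one PEM holding both (nil parent = self-signed).
func issue(cn string, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return must(x509.ParseCertificate(der)), key, append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), keyPEM...)
}

// verifyServer is the client-side check: does the server certificate chain to a root in caPEM?
func verifyServer(server *x509.Certificate, caPEM []byte) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM) // only CERTIFICATE blocks are added; a key block is skipped
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	ca, caKey, _ := issue("constructed dev CA", nil, nil)
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}) // certificate only, like cacert.crt
	server, _, _ := issue("localhost", ca, caKey)
	_, _, clientPEM := issue("client", ca, caKey) // cert + key in one file, like client.pem
	_, pairErr := tls.X509KeyPair(clientPEM, clientPEM)
	fmt.Printf("client.pem as cert+key: %v\nclient.pem as --ca: %v\ncacert as --ca: %v\n", pairErr, verifyServer(server, clientPEM), verifyServer(server, caPEM))
}
```

The client certificate is issued by the same CA as the server certificate, but it is not the server's issuer, so a trust pool built from it contains no usable root.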
@csstaub I actually found that I had to include that, else I would get the same error. Not sure why. Please see below.
lits-dgrant:keywhiz-fs dsgrant$ ./keywhiz-fs --cert="" --ca="/Users/dsgrant/git/src/keywhiz-fs/fixtures/cacert.crt" --key="/Users/dsgrant/git/src/keywhiz-fs/fixtures/client.pem" https://localhost:4444 /Users/dsgrant/secrets
WARN kwfs_main[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 mlockall() not implemented on this system
2016/04/18 10:08:05 Error resolving uid for keywhiz: user: unknown user keywhiz
INFO kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 GET /secret/.. 404 52.478046ms
WARN kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 Secret .. not found
INFO kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 GET /secret/.. 404 3.766ms
WARN kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 Secret .. not found
INFO kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 GET /secret/.. 404 2.655644ms
WARN kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 Secret .. not found
INFO kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 GET /secret/.. 404 3.518747ms
WARN kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 Secret .. not found
INFO kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 GET /secret/.. 404 2.759024ms
WARN kwfsclient[/Users/dsgrant/secrets]: 2016/04/18 10:08:05 Secret .. not found
^CWARN kwfs_main[/Users/dsgrant/secrets]: 2016/04/18 10:08:08 Got signal interrupt, unmounting
INFO kwfs_main[/Users/dsgrant/secrets]: 2016/04/18 10:08:08 Exiting
lits-dgrant:keywhiz-fs dsgrant$ ./keywhiz-fs --cert="" --ca="/Users/dsgrant/git/src/keywhiz-fs/fixtures/cacert.crt" --key="/Users/dsgrant/git/src/keywhiz-fs/fixtures/client.pem" https://localhost:4444 /Users/dsgrant/secrets
lits-dgrant:keywhiz-fs dsgrant$ ./keywhiz-fs --ca="/Users/dsgrant/git/src/keywhiz-fs/fixtures/cacert.crt" --key="/Users/dsgrant/git/src/keywhiz-fs/fixtures/client.pem" https://localhost:4444 /Users/dsgrant/secrets
WARN kwfs_main[/Users/dsgrant/secrets]: 2016/04/18 10:08:36 mlockall() not implemented on this system
panic: open client.crt: no such file or directory

goroutine 1 [running]:
panic(0x446d980, 0xc8200fe000)
	/usr/local/Cellar/go/1.6/libexec/src/runtime/panic.go:464 +0x3e6
main.panicOnError(0x4cbb5d8, 0xc8200fe000)
	/Users/dsgrant/git/src/keywhiz-fs/main.go:163 +0x4b
main.NewClient(0x453cdf0, 0xa, 0x7fff5fbffb96, 0x35, 0x7fff5fbffb5a, 0x35, 0xc820082600, 0x4a817c800, 0x4612000, 0x7fff5fbffbe3, ...)
	/Users/dsgrant/git/src/keywhiz-fs/client.go:83 +0x207
main.main()
	/Users/dsgrant/git/src/keywhiz-fs/main.go:76 +0x671
Aha. That seems like a bug. We should make sure --cert="" isn't required here. Looks like it's related to switching from the built-in flags package to kingpin for flag parsing.
This is probably a regression from PR #45
The --cert="" was my bad and fixed in https://github.com/square/keywhiz-fs/pull/48.
I would recommend you first build a stable release (see git tag) and switch to master if you run into a specific issue.
I have the keywhiz server running locally, and am now trying to get the keywhiz-fs client mounted to it so I can get a better understanding as to how this all works and how we might be able to use it for our current solution. I'm getting this error when trying to mount, however:
mlockall() not implemented on this system
panic: open client.crt: no such file or directory

goroutine 1 [running]:
panic(0x446d980, 0xc8200f2090)
	/usr/local/Cellar/go/1.6/libexec/src/runtime/panic.go:464 +0x3e6
main.panicOnError(0x4cbb5d8, 0xc8200f2090)
	/Users/dsgrant/git/src/keywhiz-fs/main.go:163 +0x4b
main.NewClient(0x453cdf0, 0xa, 0x453ce00, 0xa, 0x453c870, 0xa, 0xc820084600, 0x4a817c800, 0x4612000, 0x7fff5fbffb44, ...)
	/Users/dsgrant/git/src/keywhiz-fs/client.go:83 +0x207
main.main()
	/Users/dsgrant/git/src/keywhiz-fs/main.go:76 +0x671