Running Vault on Ubuntu with AppArmor

I’m trying to get Vault configured with an AppArmor profile on Ubuntu 20.04 and seem to be getting stuck with permissions to /run/systemd/notify, which is getting permission denied in the systemd logs for the Vault unit. I have an AppArmor profile for Vault set to complain mode, and toggling that back off is the only way I can get Vault to start. My AppArmor profile looks like this (I added in /run/systemd/notify manually; that never showed up in the logs):

# Last Modified: Thu Sep 29 13:45:55 2022
abi <abi/3.0>,

include <tunables/global>

/usr/bin/vault {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/ssl_certs>

  /etc/hosts r,
  /etc/nsswitch.conf r,
  /proc/sys/net/core/somaxconn r,
  /run/systemd/resolve/stub-resolv.conf r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /usr/bin/vault mr,
  owner /etc/vault.d/vault.hcl r,
  owner /home/*/.cache/snowflake/ocsp_response_cache.json rw,
  owner /opt/vault/data/raft/raft.db rwk,
  owner /opt/vault/data/raft/snapshots/ r,
  owner /opt/vault/data/vault.db rwk,
  owner /opt/vault/tls/tls.crt r,
  owner /opt/vault/tls/tls.key r,
  /run/systemd/notify rw,

}

The errors I am seeing look like this: [ERROR] error notifying systemd: error="dial unixgram /run/systemd/notify: connect: permission denied". If I comment out the ‘type=notify’ line in the systemd unit, or disable the AppArmor profile, I am able to start the service. Ideally I would like to leave the type as notify and figure out a way to make this work with AppArmor. I also tried adding the AppArmorProfile line to my systemd unit, but that appears to fail for another reason: systemd[108558]: vault.service: Failed to prepare AppArmor profile change to /etc/apparmor.d/usr.bin.vault: No such file or directory. The file does indeed exist, but is owned by root with 600 permissions. Changing to 640 and 750 did not seem to help.

My systemd unit looks like this:

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
#AppArmorProfile=/etc/apparmor.d/usr.bin.vault
Type=notify
NotifyAccess=all
EnvironmentFile=/etc/vault.d/vault.env
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

I guess I have 2 questions:

  1. Is there anything obvious causing AppArmor to block access to /run/systemd/notify, or is anyone else out there running Vault with AppArmor who would care to share their profile?
  2. Is there anything special that needs to be done for systemd services that use AppArmor? Is a separate profile required for the systemd unit than for the binary? I couldn’t find any documentation on this despite my best efforts. (I figure this is more of a general Linux question than a Vault one, but I thought I’d include it just in case someone has some insight.)

Thanks!
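As an added example (not part of the original post or of Vault), here is a small triage script for the situation described above: it parses AppArmor audit lines from the journal or dmesg and groups them by profile, operation, target and mask, so you can see which accesses complain mode logged as ALLOWED (i.e. would be denied in enforce mode) and whether a unix-socket event for the notify socket appears at all. The log lines are constructed samples; the field set of the unix-socket line is an approximation of what the kernel emits, not a captured record.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value shape the AppArmor LSM writes to the
# audit log. Complain mode logs would-be denials as apparmor="ALLOWED"; enforce
# mode logs apparmor="DENIED". The last line's field set is approximated.
SAMPLE_LOG = """\
audit: type=1400 audit(1664459155.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/vault" name="/etc/hosts" pid=4242 comm="vault" requested_mask="r" denied_mask="r" fsuid=997 ouid=0
audit: type=1400 audit(1664459155.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/vault" name="/opt/vault/data/vault.db" pid=4242 comm="vault" requested_mask="wrc" denied_mask="wc" fsuid=997 ouid=997
audit: type=1400 audit(1664459155.103:203): apparmor="ALLOWED" operation="file_lock" profile="/usr/bin/vault" name="/opt/vault/data/vault.db" pid=4242 comm="vault" requested_mask="k" denied_mask="k" fsuid=997 ouid=997
audit: type=1400 audit(1664459155.104:204): apparmor="DENIED" operation="connect" profile="/usr/bin/vault" pid=4242 comm="vault" family="unix" sock_type="dgram" protocol=0 requested_mask="send connect" denied_mask="send connect" addr=none peer_addr="@/run/systemd/notify"
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one AppArmor audit line into a dict of its fields, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, _, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields

def parse_log(text):
    """Parse every AppArmor line in a journal/dmesg dump, skipping the rest."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]

def event_target(ev):
    """Path for file operations; socket family/type/peer for socket operations."""
    if 'name' in ev:
        return ev['name']
    if ev.get('family') == 'unix':
        peer = ev.get('peer_addr', ev.get('addr', '?'))
        return f"unix {ev.get('sock_type', '?')} peer={peer}"
    return ev.get('operation', '?')

def summarize(events, profile=None):
    """Count (mode, operation, target, mask) tuples, optionally for one profile."""
    counts = Counter()
    for ev in events:
        if profile and ev.get('profile') != profile:
            continue
        # complain mode reports would-be denials as ALLOWED
        mode = 'complain' if ev.get('apparmor') == 'ALLOWED' else ev.get('apparmor', '?').lower()
        mask = ev.get('denied_mask', ev.get('requested_mask', ''))
        counts[(mode, ev.get('operation', '?'), event_target(ev), mask)] += 1
    return counts

if __name__ == '__main__':
    for (mode, op, target, mask), n in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(f"{n:3d} {mode:9s} {op:10s} {mask:14s} {target}")
```

Feed it `journalctl -k` or `dmesg` output and filter on `profile="/usr/bin/vault"`; a socket event with no matching line means the denial is not being logged and the profile's socket rules, not its file rules, are the place to look.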