Vault 1.4.1 HA with Raft on RHEL8

Folks,

I’m having a very hard time getting vault 1.4.1 to stand up against the raft storage backend on RHEL8.1. Before I get into the details around the many different iterations I’ve attempted over the last few days, I was wondering if anyone has successfully built the reference architecture (5 node cluster) on RHEL 8?

Thanks.

Alan

Just curious, what could be specific to RHEL8 (vs. say RHEL7) that could be affecting anything.
It might be helpful to look at the server config (with sensitive info removed).
Maybe SELinux ? or firewall? (I am guessing as I dunno what issues you are hitting)


Sorry to be so vague, but the hope is that 10 people say yes we are running the reference architecture on RHEL8. I’m not a fan of getting too deep in the weeds before I know which patch of weeds is the right one . . . but I get that I am asking a question without much background.

I’ve cycled through about 10 iterations of vault configurations, but the server is our standard build (minimal with security customization). I’ve disabled firewalld and selinux and have been able to get the raft cluster to form, but it fails shortly thereafter claiming that it can’t find the raft configuration.

I am a noob when it comes to vault/raft, so I’m probably missing something obvious, but I’d like to be sure that others have had success, before I dig in much deeper. A better question would be has anyone had success deploying 1.4.1 with TLS against the raft storage backend?

Thanks for your response.

So it looks like I have a 5 node raft cluster up and running and it appears to be stable (at least for the last 30 minutes). FWIW, here is the configuration that seemed to stick on RHEL8.1 with selinux and firewalld disabled (I’ll add firewalld back after I’m sure we’re up and good):

ui = true

listener "tcp" {
  # API listener; TLS terminated here with the shared node certificate
  address       = "gvllc436a.dolgen.net:8200"
  cluster_addr  = "gvllc436a.dolgen.net:8201"
  tls_cert_file = "/etc/pki/tls/certs/vault-test.pem"
  tls_key_file  = "/etc/pki/tls/private/vault-test.key"
  # note: log_level is documented as a top-level Vault option, not a listener setting
  log_level     = "debug"
}

# Addresses other nodes use to reach this node (cluster port 8201, API port 8200)
cluster_addr = "https://gvllc436a.dolgen.net:8201"
api_addr     = "https://gvllc436a.dolgen.net:8200"

storage "raft" {
  path    = "/var/local/vault/"
  node_id = "node1"   # unique per node; change on gvllc436b..e

  # one retry_join stanza per node so any node can bootstrap from whichever is leader
  retry_join {
    leader_api_addr = "https://gvllc436a.dolgen.net:8200"
  }
  retry_join {
    leader_api_addr = "https://gvllc436b.dolgen.net:8200"
  }
  retry_join {
    leader_api_addr = "https://gvllc436c.dolgen.net:8200"
  }
  retry_join {
    leader_api_addr = "https://gvllc436d.dolgen.net:8200"
  }
  retry_join {
    leader_api_addr = "https://gvllc436e.dolgen.net:8200"
  }
}

Thanks for your help, moving on to failure testing.

Hey eahatch, can you share a few details about which addresses were listed in your certificate? I’m struggling to identify relevant addresses for the certificate.

Kind regards

Sorry, I was out last week.

I have each node listed as an SAN (subject alternative name) in the certificate and am using the same certificate on each node.

Hope that helps.

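As an added illustration of the answer above (this script is not from the thread or from HashiCorp), here is one way to issue a single test certificate whose subjectAltName lists every node of the five-node cluster, so the same vault-test.pem can be dropped on each host. The hostnames are the ones quoted in the thread and are placeholders for your own; the output directory, file names and 30-day validity are assumptions for a lab setup.

```shell
#!/bin/sh
# Added example: one self-signed cert with a DNS SAN for every Raft node.
# Node names below are the thread's placeholders; replace with your own.
NODES="gvllc436a.dolgen.net gvllc436b.dolgen.net gvllc436c.dolgen.net gvllc436d.dolgen.net gvllc436e.dolgen.net"

# san_list HOSTS: turn "a b c" into "DNS:a,DNS:b,DNS:c" for an openssl config
san_list() {
  out=""
  for h in $1; do
    if [ -z "$out" ]; then out="DNS:$h"; else out="$out,DNS:$h"; fi
  done
  printf '%s' "$out"
}

# make_test_cert DIR: write vault-test.key / vault-test.pem into DIR.
# CN is the first node; every node (including the first) is a SAN, because
# TLS clients match on SANs, not on CN.
make_test_cert() {
  dir="$1"
  first="${NODES%% *}"
  mkdir -p "$dir"
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $first
[v3_req]
subjectAltName   = $(san_list "$NODES")
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/vault-test.key" -out "$dir/vault-test.pem" \
    -config "$dir/san.cnf" >/dev/null 2>&1
}

# san_count PEM: number of DNS SAN entries actually in the cert (sanity check
# before copying it to the nodes; should equal the number of nodes).
san_count() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}

# Usage (assumed output directory):
#   make_test_cert ./vault-certs && san_count ./vault-certs/vault-test.pem
```

Install the resulting pem/key under the paths named in the listener block on each node (mode 0600 on the key, owned by the vault user) and confirm with `san_count` that all five names are present before starting the cluster; a node whose name is missing from the SAN list will be rejected by its peers during retry_join.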