Vault

Overview

This is a flavour containing the vault security storage platform.

You can e.g. store certificates, passwords etc to be used with the nomad-server pot flavour on this site.

The flavour expects a local consul agent instance to be available that it can connect to (see configuration below). You can e.g. use the consul pot flavour on this site to run consul. If no consul instance is available at first, make sure it’s up within an hour and the certificate renewal process will restart consul. You can also connect to this host and service consul restart manually.

pro tip

Start vault cluster with the IP addresses of consul servers, which aren’t live. Then start loki instance. Then start a consul cluster. Restart consul on vault and loki instances or wait for first certificate renewal after an hour.

Installation

Unseal node

  • [unseal node] Create a ZFS data set on the parent system beforehand:
    zfs create -o mountpoint=/mnt/vaultunseal zroot/vaultunseal
  • Create your local jail from the image or the flavour files.
  • Mount in the ZFS data set you created:
    pot mount-in -p <jailname> -m /mnt -d /mnt/vaultunseal
  • Optionally export the ports after creating the jail:
    pot export-ports -p <jailname> -e 8200:8200
  • Adjust to your environment:
    sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> -E IP=<IP address of this vault node> -E VAULTTYPE=unseal

Vault leader

  • [cluster node] Create a ZFS data set on the parent system beforehand:
    zfs create -o mountpoint=/mnt/vaultdata zroot/vaultdata
  • Create your local jail from the image or the flavour files.
  • Mount in the ZFS data set you created:
    pot mount-in -p <jailname> -m /mnt -d /mnt/vaultdata
  • Optionally export the ports after creating the jail:
    pot export-ports -p <jailname> -e 8200:8200
  • Adjust to your environment:
    sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> \
    -E IP=<IP address of this vault node> -E VAULTTYPE=leader \
    -E UNSEALIP=<unseal vault IP> -E UNSEALTOKEN=<wrapped token generated on unseal node> \
    -E CONSULSERVERS=<correctly-quoted-array-consul-IPs> \
    -E SFTPUSER=<username> -E SFTPNETWORK="<list of comma-space separated IP addresses>" \
    -E GOSSIPKEY=<32 byte Base64 key from consul keygen> [-E REMOTELOG=<remote syslog IP>]
    

The SFTPUSER parameter is used to create a user with SSH private keys, where you will need to export the private key to the host systems for follower nodes.

The SFTPNETWORK parameter is a list of IP addresses in comma_space format ( “10.0.0.1, 10.0.0.2, 10.0.0.3”) to pre-generate 2h SSL certificates for, for initial vault logins by follower nodes and other images making use of vault.

The CONSULSERVERS parameter defines the consul server instances, and must be set as CONSULSERVERS='"10.0.0.2"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"'

The GOSSIPKEY parameter is the gossip encryption key for consul agent. We’re using a default key if you do not set the parameter, do not use the default key for production encryption, instead provide your own.

The REMOTELOG parameter is the IP address of a remote syslog server to send logs to, such as for the loki flavour on this site.

Important: the leader boot can take a while with certificate generation. Let it complete before adding followers.

Once booted you will need to run ./cli-vault-auto-login.sh for a login token to use on follower nodes, and export /home/certuser/.ssh/id_rsa to a file to import to follower nodes and other types of pot images.

To re-generate the temporary certificates for the array of initial IP addresses, run ./gen-temp-certs.sh.

To generate a single certificate for an IP address, run ./single-temp-cert.sh <IP address>, for example: ./single-temp-cert.sh 10.0.0.1.

You will need to generate new temporary certificates if two hours have passed since setting up the vault leader.

Vault follower

  • [cluster node] Create a ZFS data set on the parent system beforehand:
    zfs create -o mountpoint=/mnt/vaultdata zroot/vaultdata
  • Create your local jail from the image or the flavour files.
  • Mount in the ZFS data set you created:
    pot mount-in -p <jailname> -m /mnt -d /mnt/vaultdata
  • Copy in the SSH private key for the user on the Vault leader:
    pot copy-in -p <jailname> -s /root/sshkey -d /root/sshkey
  • Optionally export the ports after creating the jail:
    pot export-ports -p <jailname> -e 8200:8200
  • Adjust to your environment:
    sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> \
    -E IP=<IP address of this vault node> -E VAULTTYPE=follower \
    -E UNSEALIP=<unseal vault node> -E UNSEALTOKEN=<wrapped token generated on unseal node> -E VAULTLEADER=<IP> -E LEADERTOKEN=<token>
    -E CONSULSERVERS=<correctly-quoted-array-consul-IPs> \
    -E SFTPUSER=certuser -E GOSSIPKEY=<32 byte Base64 key from consul keygen> [-E REMOTELOG=<remote syslog IP>]
    

The SFTPUSER parameter is used on the follower node to login to the vault leader, to get temporary certificates for a further login.

The SFTPNETWORK parameter is only used by the Vault leader node.

The CONSULSERVERS parameter defines the consul server instances, and must be set as CONSULSERVERS='"10.0.0.2"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"'

The GOSSIPKEY parameter is the gossip encryption key for consul agent. We’re using a default key if you do not set the parameter, do not use the default key for production encryption, instead provide your own.

The REMOTELOG parameter is the IP address of a remote syslog server to send logs to, such as for the loki flavour on this site.

Architecture

  • vault-unseal: is initialized and unsealed. The root token creates a transit key that enables the other Vaults auto-unseal. This Vault server is not a part of the cluster.
  • vault-clone-1: is initialized and unsealed automatically with the passed in wrapped unseal key. Joins raft cluster after unsealing, sets up PKI and generates a bunch of temporary certificates.
  • vault-clone-2: is initialized and unsealed automatically with the passed in NEW wrapped unseal key. Joins raft cluster after unsealing, sets up PKI. Needs to have SSH key from vault leader.
  • vault-clone-n+: is initialized and unsealed automatically with the passed in NEW wrapped unseal key. Joins raft cluster after unsealing, sets up PKI. Needs to have SSH key from vault leader.

Usage

vault is then running on port 8200 of your jail IP address.

Unseal Node

(This stage of development of the pot image doesn’t yet include HTTPS on the unseal node. Please include the parameter -address=http://<IP>:8200 to any vault commands```)

This vault instance exists to generate unseal keys. It must first be initialised. Please save this information securely.

$ pot term vault-unseal
$ vault operator init -address=http://<IP>:8200

Unseal Key 1: key1
Unseal Key 2: key2
Unseal Key 3: key3
Unseal Key 4: key4
Unseal Key 5: key5

Initial Root Token: s.token

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

$ vault operator unseal -address=http://<IP>:8200 "key1"
$ vault operator unseal -address=http://<IP>:8200 "key2"
$ vault operator unseal -address=http://<IP>:8200 "key3"

$ vault login -address=http://<IP>:8200

(using Initial Root Token)

$ ./setup-autounseal.sh
Success! Enabled the file audit device at: file/
Success! Enabled the transit secrets engine at: transit/
Success! Data written to: transit/keys/autounseal
Success! Uploaded policy: autounseal

$ ./issue-unseal.sh
Key                              Value
---                              -----
wrapping_token:                  s.newtoken
wrapping_accessor:               REDACTED
wrapping_token_ttl:              24h
wrapping_token_creation_time:    2021-05-29 13:52:13.743971005 +0000 UTC
wrapping_token_creation_path:    auth/token/create
wrapped_accessor:                REDACTED

This new token s.newtoken can be used to unseal the cluster nodes. A new token must be generated for each node in the vault cluster.

Important note

If the unseal node is restarted you will need to unseal and login again. Shut down your vault cluster first, starting with followers, then leader. Start unseal node, unseal and login, then start leader and followers.

You did save the keys and login token right?

Cluster leader node using raft storage

To unseal a cluster leader, make use of a wrapped key generated on the unseal node. Pass it in with -E UNSEALTOKEN=<wrapped token>

Once running, you can login and run the script /root/cli-vault-auto-login.sh to automatically login to vault in the CLI and return a token for use in additional vault instances, in addition to an unseal token.

To generate a token for PKI, run pot term vault-clone and then /root/issue-pki-token.sh.

To run other vault commands pass in the extra parameters -address=https://<IP-being-queried>:8200 and one of:

  • -tls-skip-verify to skip verifying the certificate; or
  • -ca-cert=/mnt/certs/combinedca.pem to verify with the CA certificate obtained (if everything working)

Example vault command with parameters

vault status -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft list-peers -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft autopilot state -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem

Cluster follower follower using raft storage

To unseal a cluster follower, make use of a wrapped key generated on the unseal node. Pass it in with -E UNSEALTOKEN=<wrapped token>

A leader node should already exist, and must be passed in with the parameter -E VAULTLEADER=<IP>.

A leader token is also required and must be passed in with the parameter -E LEADERTOKEN=<login token from unsealed leader>. You can get this token from /root/cli-vault-auto-login.sh on the leader.

The SSH key created for the SFTPUSER on the Vault leader needs to be made available during pot setup of the follower node.

The cluster node will be automatically unsealed and join the cluster. It will automatically retrieve a temporary certificate with 2h TTL from the Vault leader via SFTP, and use this to perform a client-tls-validated login to vault, to retrieve proper certificates with a longer TTL of 24h.

Repeat for all additional nodes in the vault cluster.

To run other vault commands pass in the extra parameters -address=https://<IP-being-queried>:8200 and -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem to verify with the CA certificate obtained (if everything working)

Example vault command with parameters

vault status -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft list-peers -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft autopilot state -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem

Default cluster usage

This cluster will generate, issue, renew certificates.

Other example cluster usage

This cluster can be used as a kv store.

vault secrets enable -address=https://<IP>:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem -path=kv kv-v2
vault kv -address=https://<IP>:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem put kv/testkey webapp=TESTKEY
vault kv -address=https://<IP>:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem get kv/testkey

Getting Started

How To Use The Ready-Made Image

FreeBSD 13.0:
pot import -p vault-amd64-13_0 -t 2.1.5 -U https://potluck.honeyguide.net/vault

FreeBSD 12.2:
pot import -p vault-amd64-12_2 -t 2.1.5 -U https://potluck.honeyguide.net/vault

If you don’t want to use the default pot bridged network configuration but instead need an individual network setup (e.g. assign a host IP address), after importing it you can simply clone the jail like that (em0 is the host network adapter in this example):
pot clone -P vault-amd64-13_0 -p my-cloned-jail -N alias -i "em0|10.10.10.10"

Note: Some images might require specific network configuration, double check the Overview-chapter at the top.

Alternatively: Create a Jail With This Flavour Yourself

1. Create Flavour Files

Save all files and directories from https://github.com/hny-gd/potluck/tree/master/vault to /usr/local/etc/pot/flavours/

2. Create Jail From Flavour

Run
pot create -b <FreeBSD Version> -p <jailname> -t single -N public-bridge -f fbsd-update

with your FreeBSD version (e.g. 12.1) and the name your jail should get.

Note: Some images might require specific network configuration, double check the Overview-chapter at the top.

Version History

2.1.5

  • Adding metrics pki to be used by loki, grafana, prometheus, node_exporter

2.1.4

  • Fixing missing pipes in cook scripts from TTL changes

2.1.3

  • Setting ATTL and BTTL variables for consul templates to pass in as TTL value where BTTL must be longer

2.1.2

  • Setting a variable for consul templates to pass in a TTL

2.1.1

  • Updating for postgres-patroni certificates

2.1

  • Setting version numbers to sync with ini for potman

2.0.47

  • Complete image revamp

2.0.46

  • Setting stricter permissions on key.pem

2.0.45

  • Further adjustments from diff output of improved cook script

2.0.44

  • Fix audit.log location in unseal image. Adjust consul sysrc parameters.

2.0.43

  • Consul fixes

2.0.42

  • Typo escaping variable in temporary certificates script

2.0.41

  • Fixup to generate temporary certificates script

2.0.40

  • Security updates and improvements to strategic delay approach using Michael’s new cook script

2.0.39

  • Parameter adjustment to remove unnecessary variable checks from vault type

2.0.38

  • Bug-fix on gossip key

2.0.37

  • Implementing mandatory variables

2.0.36

  • Improving temporary certificate generation to use list of IPs passed in, single-tem–cert script

2.0.35

  • Updating consul agent to tls-client-validation

2.0.34

  • Switch to using jo to generate json files for vault certificate payload.json. Minor fixes.

2.0.33

  • Minor fixes to script to remove duplication. Added admin script to re-generate temp certificates.

2.0.32

  • Implementing solution to force always-on client tls validation temporary short-lived certificates and keys via sftp

2.0.31

  • Vault client TLS verification improvements and bug fixes, certificate validation as step

2.0.30

  • Vault TLS verification working, with initial leader login ignoring tls-validation and leader having it as optional

2.0.29

  • Turning off consul tls verification

2.0.28

  • Turning off flow-control in syslog-ng, setting 120s time_reopen, and reducing log-fifo parameter

2.0.27

  • Automation scripts and pki improvements. tls-verify doesn’t work, syslog-ng with verification slows things down, raft cluster may be slow or not work

2.0.26

  • Clearing syslog-ng /dev/console entries to remove log spam

2.0.25

  • Updating syslog-ng and standardised cert.pem key.pem ca.pem

2.0.24

  • Implementing syslog-ng with tls for remote logging

2.0.23

  • Switched to quarterly package sources

2.0.22

  • Optional remote syslog capability added

2.0.21

  • Node-exporter TLS

2.0.20

  • Telemetry improvements

2.0.19

  • Fixing cron job for cert rotation

2.0.18

  • Using pkg vault

2.0.17

  • Improvements for consul

2.0.16

  • Added missing role, fixing rotation scripts

2.0.15

  • Fixes to vault policy permissions, fixing typos in docs, longer sleep timers to avoid occassional lockup

2.0.14

  • New and improved git-lite build process from sparse package source

2.0.13

  • Using /mnt for vault AND template and certificate store. Requires a mount-in dataset for persistence. Using latest vault from port sources instead of package version.

2.0.12

  • Follower generate certificates for self, reload with TLS

2.0.11

  • Generate certificates for self, reload with TLS

2.0.10

  • Enabling audit.log, split to case statement for three server types unseal, leader, cluster

2.0.9

  • More adjustments to vault policies

2.0.8

  • Adjustments for policy and CA

2.0.7

  • Removed autostart from vault file

2.0.6

  • Vault login and setup raft cluster for PKI and self-signed CA

2.0.5

  • Fixups for raft storage cluster with automatic unseal based on wrapped token

2.0.4

  • Unseal or cluster type with raft storage, along with persistent mount-in dataset at /mnt

2.0.3

  • Adjusting parameters for node-exporter service

2.0.2

  • Adding prometheus node_exporter and setting up as consul service

2.0.1

  • Updated to use pre-generated consul encryption key for gossip, planning for TLS

2.0

  • Updated to use local consul agent and a consul cluster for data store

1.0.1

  • Rebuild for FreeBSD 13 & new packages

1.0

  • initiate file

These images were built on Sun Oct 10 11:56:11 UTC 2021

Manual Image Download Links

vault-amd64-13_0_2.1.5.xz ( 488.803 MB )
vault-amd64-13_0_2.1.5.xz.skein ( 0.250977 KB )

vault-amd64-12_2_2.1.5.xz ( 424.948 MB )
vault-amd64-12_2_2.1.5.xz.skein ( 0.250977 KB )

Jenkins Pot Creation Logs

vault-amd64-13_0_2.1.5:


vault/vault:
copy-in -s /usr/local/etc/pot/flavours/vault.d/syslog-ng.conf -d /root
copy-in -s /usr/local/etc/pot/flavours/vault.d/local -d /root/.pot_local
vault/vault.sh:
#!/bin/sh

# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
#    make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
#    contains the copy-in commands for the config files from <flavour>.d/
#    Remember that the package directories don't exist yet, so likely copy
#    to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
#    Configure the config files that have been copied in where necessary

# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false

# set the cook log path/filename
COOKLOG=/var/log/cook.log

# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
    echo "Creating $COOKLOG" | tee -a $COOKLOG
else
    echo "WARNING $COOKLOG already exists"  | tee -a $COOKLOG
fi
date >> $COOKLOG

# -------------------- COMMON ---------------

STEPCOUNT=0
step() {
  STEPCOUNT=$(("$STEPCOUNT" + 1))
  STEP="$*"
  echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}

exit_ok() {
  trap - EXIT
  exit 0
}

FAILED=" failed"
exit_error() {
  STEP="$*"
  FAILED=""
  exit 1
}

set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT

# -------------- BEGIN PACKAGE SETUP -------------

step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
# shellcheck disable=SC2016
# we need latest for vault 1.7.3
#echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' \
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
  >/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap

step "Touch /etc/rc.conf"
touch /etc/rc.conf

# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
# shellcheck disable=SC2015
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true

step "Disable sendmail"
service sendmail onedisable

step "Disable sshd"
service sshd onedisable || true

step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d

# we need consul for consul agent
step "Install package consul"
pkg install -y consul

step "Install package sudo"
pkg install -y sudo

step "Install package node_exporter"
pkg install -y node_exporter

step "Install package jq"
pkg install -y jq

step "Install package jo"
pkg install -y jo

step "Install package curl"
pkg install -y curl

step "Install package openssl"
pkg install -y openssl

step "Install package syslog-ng"
pkg install -y syslog-ng

step "Install package vault"
pkg install -y vault

step "Add vault user to daemon class"
pw usermod vault -G daemon

step "Install package consul-template"
pkg install -y consul-template

step "Clean package installation"
pkg autoremove -y
pkg clean -y

# -------------- END PACKAGE SETUP -------------

#
# Create configurations
#

#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#

# this runs when image boots

# ----------------- BEGIN COOK ------------------

step "Clean cook artifacts"
rm -rf /usr/local/bin/cook /usr/local/share/cook

step "Install pot local"
tar -C /root/.pot_local -cf - . | tar -C /usr/local -xf -
rm -rf /root/.pot_local

step "Set file ownership on cook scripts"
chown -R root:wheel /usr/local/bin/cook /usr/local/share/cook
chmod 755 /usr/local/share/cook/bin/*

# ----------------- END COOK ------------------


# ---------- NO NEED TO EDIT BELOW ------------

step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
    echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
    chmod u+x /usr/local/bin/cook
else
    exit_error "there is no /usr/local/bin/cook to make executable"
fi

#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#

# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG

# shellcheck disable=SC2016
echo '#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name="cook"
rcvar="cook_enable"
load_rc_config $name
: ${cook_enable:="NO"}
: ${cook_env:=""}
command="/usr/local/bin/cook"
command_args=""
run_rc_command "$1"
' > /usr/local/etc/rc.d/cook

step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
  echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
  chmod u+x /usr/local/etc/rc.d/cook
else
  exit_error "/usr/local/etc/rc.d/cook does not exist"
fi

if [ "$RUNS_IN_NOMAD" != "true" ]
then
  step "Enable cook service"
  # This is a non-nomad (non-blocking) jail, so we need to make sure the script
  # gets started when the jail is started:
  # Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
  echo "enabling cook" | tee -a $COOKLOG
  service cook enable
fi

# -------------------- DONE ---------------
exit_ok

vault/vault+1:
vault/vault+1.sh:

vault/vault+2:
vault/vault+2.sh:

vault/vault+3:
vault/vault+3.sh:

vault/vault+4:
vault/vault+4.sh:
Password:===>  Creating a new pot
===>  pot name : vault-amd64-13_0
===>  type : single
===>  base : 13.0
===>  pot_base :
===>  level : 0
===>  network-type : public-bridge
===>  network-stack: ipv4
===>  ip : 10.192.0.3
===>  bridge :
===>  dns : inherit
===>  flavours : fbsd-update vault vault+1 vault+2 vault+3 vault+4
===>  Fetching FreeBSD 13.0
===>  Extract the tarball
=====>  Flavour: fbsd-update
=====>  Starting vault-amd64-13_0 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
defaultrouter: NO -> 10.192.0.1
===>  Starting the pot vault-amd64-13_0
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:a3:78:d4:d1:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Updating /var/run/os-release done.
Creating and/or trimming log files.
Clearing /tmp (X related).
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Sun Oct 10 11:41:58 UTC 2021
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/tmp/fbsd-update.sh
=====>  Executing fbsd-update script on vault-amd64-13_0
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching public key from update1.freebsd.org... done.
Fetching metadata signature for 13.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 24 patches.....10....20.. done.
Applying patches... done.
Fetching 6 files... ... done.
The following files will be added as part of updating to
13.0-RELEASE-p4:
/usr/include/c++/v1/barrier
/usr/include/c++/v1/concepts
/usr/include/c++/v1/execution
/usr/include/c++/v1/latch
/usr/include/c++/v1/numbers
/usr/include/c++/v1/semaphore
/usr/include/c++/v1/tr1/barrier
/usr/include/c++/v1/tr1/concepts
/usr/include/c++/v1/tr1/execution
/usr/include/c++/v1/tr1/latch
/usr/include/c++/v1/tr1/numbers
/usr/include/c++/v1/tr1/semaphore
The following files will be updated as part of updating to
13.0-RELEASE-p4:
/bin/freebsd-version
/lib/libcasper.so.1
/lib/libcrypto.so.111
/rescue/[
/rescue/bectl
/rescue/bsdlabel
/rescue/bunzip2
/rescue/bzcat
/rescue/bzip2
/rescue/camcontrol
/rescue/cat
/rescue/ccdconfig
/rescue/chflags
/rescue/chgrp
/rescue/chio
/rescue/chmod
/rescue/chown
/rescue/chroot
/rescue/clri
/rescue/cp
/rescue/csh
/rescue/date
/rescue/dd
/rescue/devfs
/rescue/df
/rescue/dhclient
/rescue/disklabel
/rescue/dmesg
/rescue/dump
/rescue/dumpfs
/rescue/dumpon
/rescue/echo
/rescue/ed
/rescue/ex
/rescue/expr
/rescue/fastboot
/rescue/fasthalt
/rescue/fdisk
/rescue/fsck
/rescue/fsck_4.2bsd
/rescue/fsck_ffs
/rescue/fsck_msdosfs
/rescue/fsck_ufs
/rescue/fsdb
/rescue/fsirand
/rescue/gbde
/rescue/geom
/rescue/getfacl
/rescue/glabel
/rescue/gpart
/rescue/groups
/rescue/gunzip
/rescue/gzcat
/rescue/gzip
/rescue/halt
/rescue/head
/rescue/hostname
/rescue/id
/rescue/ifconfig
/rescue/init
/rescue/ipf
/rescue/iscsictl
/rescue/iscsid
/rescue/kenv
/rescue/kill
/rescue/kldconfig
/rescue/kldload
/rescue/kldstat
/rescue/kldunload
/rescue/ldconfig
/rescue/less
/rescue/link
/rescue/ln
/rescue/ls
/rescue/lzcat
/rescue/lzma
/rescue/md5
/rescue/mdconfig
/rescue/mdmfs
/rescue/mkdir
/rescue/mknod
/rescue/more
/rescue/mount
/rescue/mount_cd9660
/rescue/mount_msdosfs
/rescue/mount_nfs
/rescue/mount_nullfs
/rescue/mount_udf
/rescue/mount_unionfs
/rescue/mt
/rescue/mv
/rescue/nc
/rescue/newfs
/rescue/newfs_msdos
/rescue/nos-tun
/rescue/pgrep
/rescue/ping
/rescue/ping6
/rescue/pkill
/rescue/poweroff
/rescue/ps
/rescue/pwd
/rescue/rcorder
/rescue/rdump
/rescue/realpath
/rescue/reboot
/rescue/red
/rescue/rescue
/rescue/restore
/rescue/rm
/rescue/rmdir
/rescue/route
/rescue/routed
/rescue/rrestore
/rescue/rtquery
/rescue/rtsol
/rescue/savecore
/rescue/sed
/rescue/setfacl
/rescue/sh
/rescue/shutdown
/rescue/sleep
/rescue/spppcontrol
/rescue/stty
/rescue/swapon
/rescue/sync
/rescue/sysctl
/rescue/tail
/rescue/tar
/rescue/tcsh
/rescue/tee
/rescue/test
/rescue/tunefs
/rescue/umount
/rescue/unlink
/rescue/unlzma
/rescue/unxz
/rescue/unzstd
/rescue/vi
/rescue/whoami
/rescue/xz
/rescue/xzcat
/rescue/zcat
/rescue/zdb
/rescue/zfs
/rescue/zpool
/rescue/zstd
/rescue/zstdcat
/rescue/zstdmt
/sbin/ggatec
/usr/bin/bc
/usr/bin/dc
/usr/bin/openssl
/usr/include/openssl/opensslv.h
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libfetch.a
/usr/lib/libfetch.so.6
/usr/lib/libfetch_p.a
/usr/lib/libradius.a
/usr/lib/libradius.so.4
/usr/lib/libradius_p.a
/usr/lib/libssl.a
/usr/lib/libssl.so.111
/usr/lib/libssl_p.a
/usr/sbin/bhyve
/usr/sbin/hostapd
/usr/sbin/ntp-keygen
/usr/sbin/wpa_cli
/usr/sbin/wpa_supplicant
Installing updates...Scanning //usr/share/certs/blacklisted for certificates...
Scanning //usr/share/certs/trusted for certificates...
 done.
=====>  Stop the pot vault-amd64-13_0
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/dev
=====>  Flavour: vault
=====>  Executing vault pot commands on vault-amd64-13_0
=====>  mount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/vault.d/syslog-ng.conf -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/syslog-ng.conf
=====>  Source /usr/local/etc/pot/flavours/vault.d/syslog-ng.conf copied in the pot vault-amd64-13_0
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/vault-amd64-13_0/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/vault.d/local -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local
/usr/local/etc/pot/flavours/vault.d/local/share -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share
/usr/local/etc/pot/flavours/vault.d/local/share/cook -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-autounseal-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/unseal-autounseal-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-agent.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-consul-agent.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/unseal-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-agent.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-agent.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/consul-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/consul-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-consul-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-unseal-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-unseal-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-agent.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-consul-agent.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/metrics.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/metrics.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-template-consul.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-consul-template-consul.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-unseal-client.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-unseal-client.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/consul-agent.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/consul-agent.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/nomad-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/nomad-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-agent.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/unseal-agent.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-template-metrics.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-consul-template-metrics.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-consul-template.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/unseal-consul-template.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-vault-bootstrap.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-vault-bootstrap.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/postgres-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/postgres-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/consul-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/consul-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/unseal-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/metrics-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/metrics-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-agent.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-agent.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/metrics-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/metrics-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-agent.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-consul-agent.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/metrics.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/metrics.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-vault.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-vault.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-unseal-client.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-unseal-client.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-template-unseal.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-consul-template-unseal.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/consul-agent.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/consul-agent.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-vault.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/unseal-vault.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-vault-bootstrap.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/unseal-vault-bootstrap.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-template.hcl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/cluster-consul-template.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-agent.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/templates/unseal-agent.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-vault-status.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/unseal-vault-status.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-issue-unseal-credentials.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/unseal-issue-unseal-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-reload-vault.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-reload-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-reload-consul.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-reload-consul.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-unwrap-unseal-credentials.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-unwrap-unseal-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-metrics-credentials.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-issue-metrics-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-vault.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-cluster-pki.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-setup-cluster-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/reload-metrics.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/reload-metrics.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-cluster-credentials.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-issue-cluster-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-init-vault-consul.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-init-vault-consul.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-postgres-credentials.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-issue-postgres-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-postgres-pki.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-setup-postgres-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-metrics-pki.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-setup-metrics-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-enable-vault-tls.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-enable-vault-tls.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-vault-status.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-vault-status.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-reload-vault.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/unseal-reload-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-reload-vault-unseal.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-reload-vault-unseal.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-configure-vault.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-configure-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-nomad-credentials.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-issue-nomad-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-setup-autounseal.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/unseal-setup-autounseal.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-start-consul-template.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/unseal-start-consul-template.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-raft-status.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-raft-status.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-configure-vault.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/unseal-configure-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-init-vault-leader.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-init-vault-leader.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-consul-credentials.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-issue-consul-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-vault.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/unseal-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-configure-consul.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-configure-consul.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unwrap-metrics-credentials.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/unwrap-metrics-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-setup-unseal-pki.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/unseal-setup-unseal-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-consul-pki.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-setup-consul-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/configure-metrics.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/configure-metrics.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-local-unbound.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-setup-local-unbound.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-nomad-pki.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-setup-nomad-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/configure-node-exporter.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/configure-node-exporter.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-join-vault-cluster.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/share/cook/bin/cluster-join-vault-cluster.sh
/usr/local/etc/pot/flavours/vault.d/local/bin -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/bin
/usr/local/etc/pot/flavours/vault.d/local/bin/cook -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/bin/cook
/usr/local/etc/pot/flavours/vault.d/local/bin/.cook.swp -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/.pot_local/bin/.cook.swp
=====>  Source /usr/local/etc/pot/flavours/vault.d/local copied in the pot vault-amd64-13_0
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/vault-amd64-13_0/m/dev is already unmounted
=====>  Starting vault-amd64-13_0 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot vault-amd64-13_0
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ef:b4:50:d7:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Updating /var/run/os-release done.
Creating and/or trimming log files.
Clearing /tmp (X related).
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Sun Oct 10 11:42:40 UTC 2021
/usr/local/etc/pot/flavours/vault.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/tmp/vault.sh
=====>  Executing vault script on vault-amd64-13_0
Creating /var/log/cook.log
Step 1: Bootstrap package repo
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.17.2...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.17.2: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait...
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_submit disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Disable sshd
sshd disabled in /etc/rc.conf
Step 6: Create /usr/local/etc/rc.d
Step 7: Install package consul
Updating FreeBSD repository catalogue...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.pkg: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 31163 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul: 1.9.9

Number of packages to be installed: 1

The process will require 78 MiB more space.
26 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-1.9.9.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-1.9.9...
===> Creating groups.
Creating group 'consul' with gid '469'.
===> Creating users
Creating user 'consul' with uid '469'.
===> Creating homedir(s)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-1.9.9: ..... done
Step 8: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gettext-runtime: 0.21
	indexinfo: 0.3.1
	sudo: 1.9.8p2

Number of packages to be installed: 3

The process will require 7 MiB more space.
2 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching sudo-1.9.8p2.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching gettext-runtime-0.21.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching indexinfo-0.3.1.pkg: . done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Installing indexinfo-0.3.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting indexinfo-0.3.1: .... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Installing gettext-runtime-0.21...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting gettext-runtime-0.21: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Installing sudo-1.9.8p2...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting sudo-1.9.8p2: .......... done
Step 9: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	node_exporter: 1.2.2

Number of packages to be installed: 1

The process will require 11 MiB more space.
3 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.2.2.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.2.2...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.2.2: .......... done
=====
Message from node_exporter-1.2.2:

--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 10: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jq: 1.6
	oniguruma: 6.9.7.1

Number of packages to be installed: 2

The process will require 2 MiB more space.
500 KiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching jq-1.6.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching oniguruma-6.9.7.1.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Installing oniguruma-6.9.7.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting oniguruma-6.9.7.1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Installing jq-1.6...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting jq-1.6: .......... done
Step 11: Install package jo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jo: 1.4

Number of packages to be installed: 1

19 KiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching jo-1.4.pkg: ... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing jo-1.4...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting jo-1.4: ...... done
Step 12: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 4 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	ca_root_nss: 3.69_1
	curl: 7.79.1
	libnghttp2: 1.44.0
	libssh2: 1.9.0_3,3

Number of packages to be installed: 4

The process will require 6 MiB more space.
2 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/4] Fetching curl-7.79.1.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/4] Fetching libnghttp2-1.44.0.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/4] Fetching libssh2-1.9.0_3,3.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/4] Fetching ca_root_nss-3.69_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/4] Installing libnghttp2-1.44.0...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/4] Extracting libnghttp2-1.44.0: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/4] Installing libssh2-1.9.0_3,3...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/4] Extracting libssh2-1.9.0_3,3: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/4] Installing ca_root_nss-3.69_1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/4] Extracting ca_root_nss-3.69_1: ........ done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/4] Installing curl-7.79.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/4] Extracting curl-7.79.1: .......... done
=====
Message from ca_root_nss-3.69_1:

--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.


This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
Step 13: Install package openssl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	openssl: 1.1.1l,1

Number of packages to be installed: 1

The process will require 14 MiB more space.
4 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching openssl-1.1.1l,1.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing openssl-1.1.1l,1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting openssl-1.1.1l,1: .......... done
Step 14: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 11 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	e2fsprogs-libuuid: 1.46.4
	glib: 2.70.0_1,2
	json-c: 0.15_1
	libffi: 3.3_1
	libiconv: 1.16
	libxml2: 2.9.12
	mpdecimal: 2.5.1
	pcre: 8.45
	python38: 3.8.12
	readline: 8.1.1
	syslog-ng: 3.34.1

Number of packages to be installed: 11

The process will require 160 MiB more space.
25 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/11] Fetching syslog-ng-3.34.1.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/11] Fetching e2fsprogs-libuuid-1.46.4.pkg: ..... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/11] Fetching pcre-8.45.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/11] Fetching json-c-0.15_1.pkg: ........ done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [5/11] Fetching glib-2.70.0_1,2.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [6/11] Fetching libxml2-2.9.12.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [7/11] Fetching python38-3.8.12.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [8/11] Fetching mpdecimal-2.5.1.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [9/11] Fetching readline-8.1.1.pkg: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [10/11] Fetching libffi-3.3_1.pkg: ..... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [11/11] Fetching libiconv-1.16.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/11] Installing mpdecimal-2.5.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/11] Extracting mpdecimal-2.5.1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/11] Installing readline-8.1.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/11] Extracting readline-8.1.1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/11] Installing libffi-3.3_1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/11] Extracting libffi-3.3_1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/11] Installing pcre-8.45...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/11] Extracting pcre-8.45: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [5/11] Installing libxml2-2.9.12...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [5/11] Extracting libxml2-2.9.12: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [6/11] Installing python38-3.8.12...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [6/11] Extracting python38-3.8.12: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [7/11] Installing libiconv-1.16...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [7/11] Extracting libiconv-1.16: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [8/11] Installing e2fsprogs-libuuid-1.46.4...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [8/11] Extracting e2fsprogs-libuuid-1.46.4: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [9/11] Installing json-c-0.15_1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [9/11] Extracting json-c-0.15_1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [10/11] Installing glib-2.70.0_1,2...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [10/11] Extracting glib-2.70.0_1,2: .......... done
No schema files found: doing nothing.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [11/11] Installing syslog-ng-3.34.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [11/11] Extracting syslog-ng-3.34.1: .......... done
=====
Message from python38-3.8.12:

--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:

py38-gdbm       databases/py-gdbm@py38
py38-sqlite3    databases/py-sqlite3@py38
py38-tkinter    x11-toolkits/py-tkinter@py38
=====
Message from syslog-ng-3.34.1:

--
syslog-ng is now installed!  To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:

1. Create a configuration file named /usr/local/etc/syslog-ng.conf
   (a sample named syslog-ng.conf.sample has been included in
   /usr/local/etc). Note that this is a change in 2.0.2
   version, previous ones put the config file in
   /usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
   move that file in the right place

2. Configure syslog-ng to start automatically by adding the following
   to /etc/rc.conf:

        syslog_ng_enable="YES"

3. Prevent the standard FreeBSD syslogd from starting automatically by
   adding a line to the end of your /etc/rc.conf file that reads:

        syslogd_enable="NO"

4. Shut down the standard FreeBSD syslogd:

     kill `cat /var/run/syslog.pid`

5. Start syslog-ng:

     /usr/local/etc/rc.d/syslog-ng start
Step 15: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	vault: 1.8.2

Number of packages to be installed: 1

The process will require 156 MiB more space.
49 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching vault-1.8.2.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing vault-1.8.2...
===> Creating groups.
Creating group 'vault' with gid '471'.
===> Creating users
Creating user 'vault' with uid '471'.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting vault-1.8.2: ..... done
=====
Message from vault-1.8.2:

--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:

pw usermod -L daemon -n vault

or delete the user and reinstall the package.

You may also need to increase memorylocked for the daemon class in
/etc/rc.conf to more than 1024M (the default) or more:

vault_limits_mlock="2048M"

Or to disable mlock, add:

disable_mlock = 1

to /usr/local/etc/vault.hcl
Step 16: Add vault user to daemon class
Step 17: Install package consul-template
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul-template: 0.27.0

Number of packages to be installed: 1

The process will require 10 MiB more space.
3 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-template-0.27.0.pkg: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-template-0.27.0...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-template-0.27.0: ..... done
Step 18: Clean package installation
Checking integrity... done (0 conflicting)
Nothing to do.
Nothing to do.
Step 19: Clean cook artifacts
Step 20: Install pot local
Step 21: Set file ownership on cook scripts
Step 22: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 23: Create rc.d script to start cook
creating rc.d script to start cook
Step 24: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 25: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====>  Stop the pot vault-amd64-13_0
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/dev
=====>  Flavour: vault+1
=====>  Executing vault+1 pot commands on vault-amd64-13_0
=====>  No shell script available for the flavour vault+1
=====>  Flavour: vault+2
=====>  Executing vault+2 pot commands on vault-amd64-13_0
=====>  No shell script available for the flavour vault+2
=====>  Flavour: vault+3
=====>  Executing vault+3 pot commands on vault-amd64-13_0
=====>  No shell script available for the flavour vault+3
=====>  Flavour: vault+4
=====>  Executing vault+4 pot commands on vault-amd64-13_0
=====>  No shell script available for the flavour vault+4

vault-amd64-12_2_2.1.5:


vault/vault:
copy-in -s /usr/local/etc/pot/flavours/vault.d/syslog-ng.conf -d /root
copy-in -s /usr/local/etc/pot/flavours/vault.d/local -d /root/.pot_local
vault/vault.sh:
#!/bin/sh

# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
#    make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
#    contains the copy-in commands for the config files from <flavour>.d/
#    Remember that the package directories don't exist yet, so likely copy
#    to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
#    Configure the config files that have been copied in where necessary

# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false

# set the cook log path/filename
COOKLOG=/var/log/cook.log

# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
    echo "Creating $COOKLOG" | tee -a $COOKLOG
else
    echo "WARNING $COOKLOG already exists"  | tee -a $COOKLOG
fi
date >> $COOKLOG

# -------------------- COMMON ---------------

STEPCOUNT=0
step() {
  STEPCOUNT=$(("$STEPCOUNT" + 1))
  STEP="$*"
  echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}

exit_ok() {
  trap - EXIT
  exit 0
}

FAILED=" failed"
exit_error() {
  STEP="$*"
  FAILED=""
  exit 1
}

set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT

# -------------- BEGIN PACKAGE SETUP -------------

step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
# shellcheck disable=SC2016
# we need latest for vault 1.7.3
#echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' \
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
  >/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap

step "Touch /etc/rc.conf"
touch /etc/rc.conf

# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
# shellcheck disable=SC2015
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true

step "Disable sendmail"
service sendmail onedisable

step "Disable sshd"
service sshd onedisable || true

step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d

# we need consul for consul agent
step "Install package consul"
pkg install -y consul

step "Install package sudo"
pkg install -y sudo

step "Install package node_exporter"
pkg install -y node_exporter

step "Install package jq"
pkg install -y jq

step "Install package jo"
pkg install -y jo

step "Install package curl"
pkg install -y curl

step "Install package openssl"
pkg install -y openssl

step "Install package syslog-ng"
pkg install -y syslog-ng

step "Install package vault"
pkg install -y vault

step "Add vault user to daemon class"
pw usermod vault -G daemon

step "Install package consul-template"
pkg install -y consul-template

step "Clean package installation"
pkg autoremove -y
pkg clean -y

# -------------- END PACKAGE SETUP -------------

#
# Create configurations
#

#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#

# this runs when image boots

# ----------------- BEGIN COOK ------------------

step "Clean cook artifacts"
rm -rf /usr/local/bin/cook /usr/local/share/cook

step "Install pot local"
tar -C /root/.pot_local -cf - . | tar -C /usr/local -xf -
rm -rf /root/.pot_local

step "Set file ownership on cook scripts"
chown -R root:wheel /usr/local/bin/cook /usr/local/share/cook
chmod 755 /usr/local/share/cook/bin/*

# ----------------- END COOK ------------------


# ---------- NO NEED TO EDIT BELOW ------------

step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
    echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
    chmod u+x /usr/local/bin/cook
else
    exit_error "there is no /usr/local/bin/cook to make executable"
fi

#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#

# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG

# shellcheck disable=SC2016
echo '#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name="cook"
rcvar="cook_enable"
load_rc_config $name
: ${cook_enable:="NO"}
: ${cook_env:=""}
command="/usr/local/bin/cook"
command_args=""
run_rc_command "$1"
' > /usr/local/etc/rc.d/cook

step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
  echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
  chmod u+x /usr/local/etc/rc.d/cook
else
  exit_error "/usr/local/etc/rc.d/cook does not exist"
fi

if [ "$RUNS_IN_NOMAD" != "true" ]
then
  step "Enable cook service"
  # This is a non-nomad (non-blocking) jail, so we need to make sure the script
  # gets started when the jail is started:
  # Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
  echo "enabling cook" | tee -a $COOKLOG
  service cook enable
fi

# -------------------- DONE ---------------
exit_ok

vault/vault+1:
vault/vault+1.sh:

vault/vault+2:
vault/vault+2.sh:

vault/vault+3:
vault/vault+3.sh:

vault/vault+4:
vault/vault+4.sh:
Password:===>  Creating a new pot
===>  pot name : vault-amd64-12_2
===>  type : single
===>  base : 12.2
===>  pot_base :
===>  level : 0
===>  network-type : public-bridge
===>  network-stack: ipv4
===>  ip : 10.192.0.4
===>  bridge :
===>  dns : inherit
===>  flavours : fbsd-update vault vault+1 vault+2 vault+3 vault+4
===>  Fetching FreeBSD 12.2
===>  Extract the tarball
=====>  Flavour: fbsd-update
=====>  Starting vault-amd64-12_2 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
defaultrouter: NO -> 10.192.0.1
===>  Starting the pot vault-amd64-12_2
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:c7:de:01:c7:0b
	inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Updating /var/run/os-release done.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Sun Oct 10 11:49:12 UTC 2021
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/tmp/fbsd-update.sh
=====>  Executing fbsd-update script on vault-amd64-12_2
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching public key from update1.freebsd.org... done.
Fetching metadata signature for 12.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 88 patches.....10....20....30....40....50....60....70....80.... done.
Applying patches... done.
Fetching 1 files...  done.
The following files will be removed as part of updating to
12.2-RELEASE-p10:
/etc/ssl/certs/2c543cd1.0
/etc/ssl/certs/2e4eed3c.0
/etc/ssl/certs/480720ec.0
/etc/ssl/certs/7d0b38bd.0
/etc/ssl/certs/8867006a.0
/etc/ssl/certs/ad088e1d.0
/etc/ssl/certs/b204d74a.0
/etc/ssl/certs/ba89ed3b.0
/etc/ssl/certs/c089bbbd.0
/etc/ssl/certs/e2799e36.0
/usr/share/certs/trusted/GeoTrust_Global_CA.pem
/usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem
/usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
/usr/share/certs/trusted/GeoTrust_Universal_CA.pem
/usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem
/usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
/usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
/usr/share/certs/trusted/thawte_Primary_Root_CA.pem
/usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem
/usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem
The following files will be added as part of updating to
12.2-RELEASE-p10:
/etc/ssl/blacklisted/2c543cd1.0
/etc/ssl/blacklisted/2e4eed3c.0
/etc/ssl/blacklisted/480720ec.0
/etc/ssl/blacklisted/7d0b38bd.0
/etc/ssl/blacklisted/8867006a.0
/etc/ssl/blacklisted/ad088e1d.0
/etc/ssl/blacklisted/b204d74a.0
/etc/ssl/blacklisted/ba89ed3b.0
/etc/ssl/blacklisted/c089bbbd.0
/etc/ssl/blacklisted/e2799e36.0
/etc/ssl/certs/3fb36b73.0
/usr/share/certs/blacklisted/GeoTrust_Global_CA.pem
/usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority.pem
/usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
/usr/share/certs/blacklisted/GeoTrust_Universal_CA.pem
/usr/share/certs/blacklisted/GeoTrust_Universal_CA_2.pem
/usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
/usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
/usr/share/certs/blacklisted/thawte_Primary_Root_CA.pem
/usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G2.pem
/usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G3.pem
/usr/share/certs/trusted/NAVER_Global_Root_Certification_Authority.pem
The following files will be updated as part of updating to
12.2-RELEASE-p10:
/bin/freebsd-version
/lib/libcasper.so.1
/lib/libcrypto.so.111
/lib/libzfs.so.3
/lib/libzfs_core.so.2
/lib/libzpool.so.2
/rescue/[
/rescue/bectl
/rescue/bsdlabel
/rescue/bunzip2
/rescue/bzcat
/rescue/bzip2
/rescue/camcontrol
/rescue/cat
/rescue/ccdconfig
/rescue/chflags
/rescue/chgrp
/rescue/chio
/rescue/chmod
/rescue/chown
/rescue/chroot
/rescue/clri
/rescue/cp
/rescue/csh
/rescue/date
/rescue/dd
/rescue/devfs
/rescue/df
/rescue/dhclient
/rescue/disklabel
/rescue/dmesg
/rescue/dump
/rescue/dumpfs
/rescue/dumpon
/rescue/echo
/rescue/ed
/rescue/ex
/rescue/expr
/rescue/fastboot
/rescue/fasthalt
/rescue/fdisk
/rescue/fsck
/rescue/fsck_4.2bsd
/rescue/fsck_ffs
/rescue/fsck_msdosfs
/rescue/fsck_ufs
/rescue/fsdb
/rescue/fsirand
/rescue/gbde
/rescue/geom
/rescue/getfacl
/rescue/glabel
/rescue/gpart
/rescue/groups
/rescue/gunzip
/rescue/gzcat
/rescue/gzip
/rescue/halt
/rescue/head
/rescue/hostname
/rescue/id
/rescue/ifconfig
/rescue/init
/rescue/ipf
/rescue/iscsictl
/rescue/iscsid
/rescue/kenv
/rescue/kill
/rescue/kldconfig
/rescue/kldload
/rescue/kldstat
/rescue/kldunload
/rescue/ldconfig
/rescue/less
/rescue/link
/rescue/ln
/rescue/ls
/rescue/lzcat
/rescue/lzma
/rescue/md5
/rescue/mdconfig
/rescue/mdmfs
/rescue/mkdir
/rescue/mknod
/rescue/more
/rescue/mount
/rescue/mount_cd9660
/rescue/mount_msdosfs
/rescue/mount_nfs
/rescue/mount_nullfs
/rescue/mount_udf
/rescue/mount_unionfs
/rescue/mt
/rescue/mv
/rescue/nc
/rescue/newfs
/rescue/newfs_msdos
/rescue/nos-tun
/rescue/pgrep
/rescue/ping
/rescue/ping6
/rescue/pkill
/rescue/poweroff
/rescue/ps
/rescue/pwd
/rescue/rcorder
/rescue/rdump
/rescue/realpath
/rescue/reboot
/rescue/red
/rescue/rescue
/rescue/restore
/rescue/rm
/rescue/rmdir
/rescue/route
/rescue/routed
/rescue/rrestore
/rescue/rtquery
/rescue/rtsol
/rescue/savecore
/rescue/sed
/rescue/setfacl
/rescue/sh
/rescue/shutdown
/rescue/sleep
/rescue/spppcontrol
/rescue/stty
/rescue/swapon
/rescue/sync
/rescue/sysctl
/rescue/tail
/rescue/tar
/rescue/tcsh
/rescue/tee
/rescue/test
/rescue/tunefs
/rescue/umount
/rescue/unlink
/rescue/unlzma
/rescue/unxz
/rescue/unzstd
/rescue/vi
/rescue/whoami
/rescue/xz
/rescue/xzcat
/rescue/zcat
/rescue/zdb
/rescue/zfs
/rescue/zpool
/rescue/zstd
/rescue/zstdcat
/rescue/zstdmt
/sbin/ggatec
/sbin/ipfw
/sbin/rtsol
/sbin/zpool
/usr/bin/lldb
/usr/bin/openssl
/usr/bin/zinject
/usr/bin/ztest
/usr/include/net/if_var.h
/usr/include/openssl/asn1err.h
/usr/include/openssl/evperr.h
/usr/include/openssl/opensslv.h
/usr/include/sys/filedesc.h
/usr/include/sys/jail.h
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libfetch.a
/usr/lib/libfetch.so.6
/usr/lib/libfetch_p.a
/usr/lib/libpam.a
/usr/lib/libradius.a
/usr/lib/libradius.so.4
/usr/lib/libradius_p.a
/usr/lib/libssl.a
/usr/lib/libssl.so.111
/usr/lib/libssl_p.a
/usr/lib/libzfs.a
/usr/lib/libzfs_core.a
/usr/lib/libzfs_core_p.a
/usr/lib/libzfs_p.a
/usr/lib/libzpool.a
/usr/lib/pam_login_access.so.6
/usr/sbin/bhyve
/usr/sbin/freebsd-update
/usr/sbin/hostapd
/usr/sbin/ntp-keygen
/usr/sbin/rtsold
/usr/sbin/wpa_cli
/usr/sbin/wpa_supplicant
/usr/sbin/zdb
/usr/sbin/zfsd
/usr/sbin/zhack
/usr/share/man/man2/jail.2.gz
/usr/share/man/man2/jail_attach.2.gz
/usr/share/man/man2/jail_get.2.gz
/usr/share/man/man2/jail_remove.2.gz
/usr/share/man/man2/jail_set.2.gz
/usr/share/zoneinfo/Africa/Accra
/usr/share/zoneinfo/Africa/Addis_Ababa
/usr/share/zoneinfo/Africa/Algiers
/usr/share/zoneinfo/Africa/Asmara
/usr/share/zoneinfo/Africa/Asmera
/usr/share/zoneinfo/Africa/Bangui
/usr/share/zoneinfo/Africa/Brazzaville
/usr/share/zoneinfo/Africa/Casablanca
/usr/share/zoneinfo/Africa/Dar_es_Salaam
/usr/share/zoneinfo/Africa/Djibouti
/usr/share/zoneinfo/Africa/Douala
/usr/share/zoneinfo/Africa/El_Aaiun
/usr/share/zoneinfo/Africa/Juba
/usr/share/zoneinfo/Africa/Kampala
/usr/share/zoneinfo/Africa/Kinshasa
/usr/share/zoneinfo/Africa/Lagos
/usr/share/zoneinfo/Africa/Libreville
/usr/share/zoneinfo/Africa/Luanda
/usr/share/zoneinfo/Africa/Malabo
/usr/share/zoneinfo/Africa/Mogadishu
/usr/share/zoneinfo/Africa/Nairobi
/usr/share/zoneinfo/Africa/Niamey
/usr/share/zoneinfo/Africa/Porto-Novo
/usr/share/zoneinfo/America/Belize
/usr/share/zoneinfo/America/Dawson
/usr/share/zoneinfo/America/Grand_Turk
/usr/share/zoneinfo/America/Nassau
/usr/share/zoneinfo/America/Whitehorse
/usr/share/zoneinfo/Antarctica/Casey
/usr/share/zoneinfo/Antarctica/Macquarie
/usr/share/zoneinfo/Asia/Gaza
/usr/share/zoneinfo/Asia/Hebron
/usr/share/zoneinfo/Asia/Jerusalem
/usr/share/zoneinfo/Asia/Tel_Aviv
/usr/share/zoneinfo/Atlantic/Bermuda
/usr/share/zoneinfo/Australia/ACT
/usr/share/zoneinfo/Australia/Adelaide
/usr/share/zoneinfo/Australia/Brisbane
/usr/share/zoneinfo/Australia/Broken_Hill
/usr/share/zoneinfo/Australia/Canberra
/usr/share/zoneinfo/Australia/Currie
/usr/share/zoneinfo/Australia/Darwin
/usr/share/zoneinfo/Australia/Eucla
/usr/share/zoneinfo/Australia/Hobart
/usr/share/zoneinfo/Australia/Lindeman
/usr/share/zoneinfo/Australia/Melbourne
/usr/share/zoneinfo/Australia/NSW
/usr/share/zoneinfo/Australia/North
/usr/share/zoneinfo/Australia/Perth
/usr/share/zoneinfo/Australia/Queensland
/usr/share/zoneinfo/Australia/South
/usr/share/zoneinfo/Australia/Sydney
/usr/share/zoneinfo/Australia/Tasmania
/usr/share/zoneinfo/Australia/Victoria
/usr/share/zoneinfo/Australia/West
/usr/share/zoneinfo/Australia/Yancowinna
/usr/share/zoneinfo/Canada/Yukon
/usr/share/zoneinfo/Europe/Budapest
/usr/share/zoneinfo/Europe/Monaco
/usr/share/zoneinfo/Europe/Paris
/usr/share/zoneinfo/Europe/Volgograd
/usr/share/zoneinfo/Indian/Antananarivo
/usr/share/zoneinfo/Indian/Comoro
/usr/share/zoneinfo/Indian/Mahe
/usr/share/zoneinfo/Indian/Mayotte
/usr/share/zoneinfo/Israel
/usr/share/zoneinfo/Pacific/Efate
/usr/share/zoneinfo/Pacific/Fiji
/usr/share/zoneinfo/zone.tab
/usr/share/zoneinfo/zone1970.tab
Installing updates...Scanning //usr/share/certs/blacklisted for certificates...
Scanning //usr/share/certs/trusted for certificates...
 done.
=====>  Stop the pot vault-amd64-12_2
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/dev
=====>  Flavour: vault
=====>  Executing vault pot commands on vault-amd64-12_2
=====>  mount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/vault.d/syslog-ng.conf -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/syslog-ng.conf
=====>  Source /usr/local/etc/pot/flavours/vault.d/syslog-ng.conf copied in the pot vault-amd64-12_2
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/vault-amd64-12_2/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/vault.d/local -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local
/usr/local/etc/pot/flavours/vault.d/local/share -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share
/usr/local/etc/pot/flavours/vault.d/local/share/cook -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-autounseal-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/unseal-autounseal-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-agent.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-consul-agent.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/unseal-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-agent.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-agent.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/consul-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/consul-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-consul-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-unseal-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-unseal-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-agent.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-consul-agent.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/metrics.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/metrics.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-template-consul.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-consul-template-consul.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-unseal-client.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-unseal-client.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/consul-agent.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/consul-agent.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/nomad-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/nomad-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-agent.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/unseal-agent.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-template-metrics.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-consul-template-metrics.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-consul-template.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/unseal-consul-template.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-vault-bootstrap.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-vault-bootstrap.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/postgres-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/postgres-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/consul-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/consul-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/unseal-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/metrics-tls-policy.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/metrics-tls-policy.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-agent.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-agent.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/metrics-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/metrics-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-agent.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-consul-agent.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/metrics.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/metrics.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-ca.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-ca.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-vault.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-vault.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-unseal-client.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-unseal-client.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-template-unseal.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-consul-template-unseal.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/consul-agent.key.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/consul-agent.key.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-vault.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/unseal-vault.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-vault-bootstrap.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/unseal-vault-bootstrap.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/cluster-consul-template.hcl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/cluster-consul-template.hcl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/templates/unseal-agent.crt.tpl.in -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/templates/unseal-agent.crt.tpl.in
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-vault-status.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/unseal-vault-status.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-issue-unseal-credentials.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/unseal-issue-unseal-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-reload-vault.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-reload-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-reload-consul.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-reload-consul.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-unwrap-unseal-credentials.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-unwrap-unseal-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-metrics-credentials.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-issue-metrics-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-vault.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-cluster-pki.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-setup-cluster-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/reload-metrics.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/reload-metrics.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-cluster-credentials.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-issue-cluster-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-init-vault-consul.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-init-vault-consul.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-postgres-credentials.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-issue-postgres-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-postgres-pki.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-setup-postgres-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-metrics-pki.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-setup-metrics-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-enable-vault-tls.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-enable-vault-tls.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-vault-status.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-vault-status.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-reload-vault.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/unseal-reload-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-reload-vault-unseal.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-reload-vault-unseal.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-configure-vault.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-configure-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-nomad-credentials.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-issue-nomad-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-setup-autounseal.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/unseal-setup-autounseal.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-start-consul-template.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/unseal-start-consul-template.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-raft-status.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-raft-status.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-configure-vault.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/unseal-configure-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-init-vault-leader.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-init-vault-leader.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-issue-consul-credentials.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-issue-consul-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-vault.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/unseal-vault.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-configure-consul.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-configure-consul.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unwrap-metrics-credentials.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/unwrap-metrics-credentials.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/unseal-setup-unseal-pki.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/unseal-setup-unseal-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-consul-pki.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-setup-consul-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/configure-metrics.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/configure-metrics.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-local-unbound.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-setup-local-unbound.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-setup-nomad-pki.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-setup-nomad-pki.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/configure-node-exporter.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/configure-node-exporter.sh
/usr/local/etc/pot/flavours/vault.d/local/share/cook/bin/cluster-join-vault-cluster.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/share/cook/bin/cluster-join-vault-cluster.sh
/usr/local/etc/pot/flavours/vault.d/local/bin -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/bin
/usr/local/etc/pot/flavours/vault.d/local/bin/cook -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/bin/cook
/usr/local/etc/pot/flavours/vault.d/local/bin/.cook.swp -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/.pot_local/bin/.cook.swp
=====>  Source /usr/local/etc/pot/flavours/vault.d/local copied in the pot vault-amd64-12_2
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/vault-amd64-12_2/m/dev is already unmounted
=====>  Starting vault-amd64-12_2 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot vault-amd64-12_2
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:e5:3a:0b:64:0b
	inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Updating /var/run/os-release done.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Sun Oct 10 11:50:27 UTC 2021
/usr/local/etc/pot/flavours/vault.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/tmp/vault.sh
=====>  Executing vault script on vault-amd64-12_2
Creating /var/log/cook.log
Step 1: Bootstrap package repo
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.16.3...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.16.3: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_submit disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Disable sshd
sshd disabled in /etc/rc.conf
Step 6: Create /usr/local/etc/rc.d
Step 7: Install package consul
Updating FreeBSD repository catalogue...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 30852 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul: 1.9.9

Number of packages to be installed: 1

The process will require 77 MiB more space.
26 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-1.9.9.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-1.9.9...
===> Creating groups.
Creating group 'consul' with gid '469'.
===> Creating users
Creating user 'consul' with uid '469'.
===> Creating homedir(s)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-1.9.9: ..... done
Step 8: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gettext-runtime: 0.21
	indexinfo: 0.3.1
	sudo: 1.9.8

Number of packages to be installed: 3

The process will require 7 MiB more space.
2 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching sudo-1.9.8.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching gettext-runtime-0.21.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching indexinfo-0.3.1.txz: . done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Installing indexinfo-0.3.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting indexinfo-0.3.1: .... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Installing gettext-runtime-0.21...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting gettext-runtime-0.21: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Installing sudo-1.9.8...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting sudo-1.9.8: .......... done
Step 9: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	node_exporter: 1.1.2

Number of packages to be installed: 1

The process will require 11 MiB more space.
3 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.1.2.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.1.2...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.1.2: .......... done
=====
Message from node_exporter-1.1.2:

--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 10: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jq: 1.6
	oniguruma: 6.9.7.1

Number of packages to be installed: 2

The process will require 2 MiB more space.
497 KiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching jq-1.6.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching oniguruma-6.9.7.1.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Installing oniguruma-6.9.7.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting oniguruma-6.9.7.1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Installing jq-1.6...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting jq-1.6: .......... done
Step 11: Install package jo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jo: 1.4

Number of packages to be installed: 1

19 KiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching jo-1.4.txz: ... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing jo-1.4...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting jo-1.4: ...... done
Step 12: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	ca_root_nss: 3.63
	curl: 7.78.0
	libnghttp2: 1.43.0

Number of packages to be installed: 3

The process will require 5 MiB more space.
2 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching curl-7.78.0.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching libnghttp2-1.43.0.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching ca_root_nss-3.63.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Installing libnghttp2-1.43.0...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting libnghttp2-1.43.0: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Installing ca_root_nss-3.63...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting ca_root_nss-3.63: ........ done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Installing curl-7.78.0...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting curl-7.78.0: .......... done
=====
Message from ca_root_nss-3.63:

--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.


This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
Step 13: Install package openssl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	openssl: 1.1.1l,1

Number of packages to be installed: 1

The process will require 14 MiB more space.
4 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching openssl-1.1.1l,1.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing openssl-1.1.1l,1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting openssl-1.1.1l,1: .......... done
Step 14: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 11 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	e2fsprogs-libuuid: 1.46.4
	glib: 2.66.8,2
	json-c: 0.15_1
	libffi: 3.3_1
	libiconv: 1.16
	libxml2: 2.9.12
	mpdecimal: 2.5.1
	pcre: 8.45
	python38: 3.8.12
	readline: 8.1.1
	syslog-ng: 3.32.1

Number of packages to be installed: 11

The process will require 160 MiB more space.
24 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/11] Fetching syslog-ng-3.32.1.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/11] Fetching e2fsprogs-libuuid-1.46.4.txz: ..... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/11] Fetching pcre-8.45.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [4/11] Fetching json-c-0.15_1.txz: ........ done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [5/11] Fetching glib-2.66.8,2.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [6/11] Fetching libxml2-2.9.12.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [7/11] Fetching python38-3.8.12.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [8/11] Fetching mpdecimal-2.5.1.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [9/11] Fetching readline-8.1.1.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [10/11] Fetching libffi-3.3_1.txz: ..... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [11/11] Fetching libiconv-1.16.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/11] Installing mpdecimal-2.5.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/11] Extracting mpdecimal-2.5.1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/11] Installing readline-8.1.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/11] Extracting readline-8.1.1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/11] Installing libffi-3.3_1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/11] Extracting libffi-3.3_1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [4/11] Installing pcre-8.45...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [4/11] Extracting pcre-8.45: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [5/11] Installing libxml2-2.9.12...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [5/11] Extracting libxml2-2.9.12: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [6/11] Installing python38-3.8.12...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [6/11] Extracting python38-3.8.12: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [7/11] Installing libiconv-1.16...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [7/11] Extracting libiconv-1.16: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [8/11] Installing e2fsprogs-libuuid-1.46.4...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [8/11] Extracting e2fsprogs-libuuid-1.46.4: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [9/11] Installing json-c-0.15_1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [9/11] Extracting json-c-0.15_1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [10/11] Installing glib-2.66.8,2...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [10/11] Extracting glib-2.66.8,2: .......... done
No schema files found: doing nothing.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [11/11] Installing syslog-ng-3.32.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [11/11] Extracting syslog-ng-3.32.1: .......... done
=====
Message from python38-3.8.12:

--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:

py38-gdbm       databases/py-gdbm@py38
py38-sqlite3    databases/py-sqlite3@py38
py38-tkinter    x11-toolkits/py-tkinter@py38
=====
Message from syslog-ng-3.32.1:

--
syslog-ng is now installed!  To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:

1. Create a configuration file named /usr/local/etc/syslog-ng.conf
   (a sample named syslog-ng.conf.sample has been included in
   /usr/local/etc). Note that this is a change in 2.0.2
   version, previous ones put the config file in
   /usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
   move that file in the right place

2. Configure syslog-ng to start automatically by adding the following
   to /etc/rc.conf:

        syslog_ng_enable="YES"

3. Prevent the standard FreeBSD syslogd from starting automatically by
   adding a line to the end of your /etc/rc.conf file that reads:

        syslogd_enable="NO"

4. Shut down the standard FreeBSD syslogd:

     kill `cat /var/run/syslog.pid`

5. Start syslog-ng:

     /usr/local/etc/rc.d/syslog-ng start
Step 15: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	vault: 1.7.3

Number of packages to be installed: 1

The process will require 149 MiB more space.
49 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching vault-1.7.3.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing vault-1.7.3...
===> Creating groups.
Creating group 'vault' with gid '471'.
===> Creating users
Creating user 'vault' with uid '471'.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting vault-1.7.3: ..... done
=====
Message from vault-1.7.3:

--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:

pw usermod -L daemon -n vault

or delete the user and reinstall the package.

You may also need to increase memorylocked for the daemon class in
/etc/login.conf to 1024M or more and run:

cap_mkdb /etc/login.conf

Or to disable mlock, add:

disable_mlock = 1

to /usr/local/etc/vault.hcl
Step 16: Add vault user to daemon class
Step 17: Install package consul-template
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul-template: 0.25.2

Number of packages to be installed: 1

The process will require 9 MiB more space.
3 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-template-0.25.2.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-template-0.25.2...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-template-0.25.2: ..... done
Step 18: Clean package installation
Checking integrity... done (0 conflicting)
Nothing to do.
The following package files will be deleted:
	/var/cache/pkg/python38-3.8.12.txz
	/var/cache/pkg/libiconv-1.16.txz
	/var/cache/pkg/oniguruma-6.9.7.1.txz
	/var/cache/pkg/json-c-0.15_1~80920d62dd.txz
	/var/cache/pkg/sudo-1.9.8~358f97760c.txz
	/var/cache/pkg/sudo-1.9.8.txz
	/var/cache/pkg/libffi-3.3_1.txz
	/var/cache/pkg/node_exporter-1.1.2~9e7a20f0f9.txz
	/var/cache/pkg/readline-8.1.1~258136255b.txz
	/var/cache/pkg/indexinfo-0.3.1~fec9f21a3f.txz
	/var/cache/pkg/consul-1.9.9.txz
	/var/cache/pkg/consul-1.9.9~85bedcc573.txz
	/var/cache/pkg/curl-7.78.0.txz
	/var/cache/pkg/libxml2-2.9.12~55c496f72a.txz
	/var/cache/pkg/syslog-ng-3.32.1~cfa0239c19.txz
	/var/cache/pkg/consul-template-0.25.2.txz
	/var/cache/pkg/oniguruma-6.9.7.1~1162468b1d.txz
	/var/cache/pkg/vault-1.7.3~7ee859c9d5.txz
	/var/cache/pkg/readline-8.1.1.txz
	/var/cache/pkg/gettext-runtime-0.21~c84f0d3292.txz
	/var/cache/pkg/glib-2.66.8,2~a5e5c0f5e0.txz
	/var/cache/pkg/e2fsprogs-libuuid-1.46.4.txz
	/var/cache/pkg/jq-1.6~45b767e25a.txz
	/var/cache/pkg/jo-1.4~4363996396.txz
	/var/cache/pkg/openssl-1.1.1l,1.txz
	/var/cache/pkg/e2fsprogs-libuuid-1.46.4~eef4eaace8.txz
	/var/cache/pkg/node_exporter-1.1.2.txz
	/var/cache/pkg/syslog-ng-3.32.1.txz
	/var/cache/pkg/ca_root_nss-3.63.txz
	/var/cache/pkg/ca_root_nss-3.63~ced63fe166.txz
	/var/cache/pkg/libffi-3.3_1~3dc699a29e.txz
	/var/cache/pkg/libxml2-2.9.12.txz
	/var/cache/pkg/consul-template-0.25.2~11c04f520f.txz
	/var/cache/pkg/libnghttp2-1.43.0.txz
	/var/cache/pkg/jq-1.6.txz
	/var/cache/pkg/openssl-1.1.1l,1~c48e403b85.txz
	/var/cache/pkg/mpdecimal-2.5.1~511d0c1748.txz
	/var/cache/pkg/json-c-0.15_1.txz
	/var/cache/pkg/gettext-runtime-0.21.txz
	/var/cache/pkg/curl-7.78.0~0aa53b2802.txz
	/var/cache/pkg/pcre-8.45~5bfe8c3224.txz
	/var/cache/pkg/mpdecimal-2.5.1.txz
	/var/cache/pkg/vault-1.7.3.txz
	/var/cache/pkg/indexinfo-0.3.1.txz
	/var/cache/pkg/jo-1.4.txz
	/var/cache/pkg/pcre-8.45.txz
	/var/cache/pkg/glib-2.66.8,2.txz
	/var/cache/pkg/libnghttp2-1.43.0~15507849d1.txz
	/var/cache/pkg/libiconv-1.16~bdd1f909b4.txz
	/var/cache/pkg/python38-3.8.12~52608d4e06.txz
The cleanup will free 113 MiB
Deleting files: .......... done
All done
Step 19: Clean cook artifacts
Step 20: Install pot local
Step 21: Set file ownership on cook scripts
Step 22: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 23: Create rc.d script to start cook
creating rc.d script to start cook
Step 24: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 25: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====>  Stop the pot vault-amd64-12_2
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/dev
=====>  Flavour: vault+1
=====>  Executing vault+1 pot commands on vault-amd64-12_2
=====>  No shell script available for the flavour vault+1
=====>  Flavour: vault+2
=====>  Executing vault+2 pot commands on vault-amd64-12_2
=====>  No shell script available for the flavour vault+2
=====>  Flavour: vault+3
=====>  Executing vault+3 pot commands on vault-amd64-12_2
=====>  No shell script available for the flavour vault+3
=====>  Flavour: vault+4
=====>  Executing vault+4 pot commands on vault-amd64-12_2
=====>  No shell script available for the flavour vault+4

This site © Honeyguide Group (Pty) Ltd, all the hosted software their respective license owners 2020 - 2021 - Disclaimer