HashiCorp Vault is an open-source tool for managing secrets (passwords, API keys, and so on).
Vault can run in high-availability (HA) mode, in which several Vault servers protect the service against outages. Vault is usually constrained not by compute requirements but by the I/O limits of its storage backend. Some storage backends, such as Consul, provide the additional coordination features that let Vault operate in an HA configuration, while others offer a more reliable backup and restore process.
When running in HA mode, Vault servers have two additional states: standby and active. In a Vault cluster only one instance is active; it handles all requests (reads and writes), and every standby node forwards requests to the active node.

Note: as of version 0.11, Performance Standby Nodes are available in Vault Enterprise Premium and Vault Enterprise Pro.
This guide walks through a simple Vault Highly Available (HA) cluster setup.
Vault supports several storage backends; in this guide the Vault storage backend is Consul.
The reference architecture used in this guide is a Vault HA cluster consisting of:
- 2 Vault servers: 1 active and 1 standby
- a 3-node Consul cluster
The guide consists of the following steps:
1. Set up a Consul server cluster
2. Start and verify the Consul cluster state
3. Set up Consul client agents on the Vault servers
4. Configure the Vault servers
5. Start Vault and verify its state
This guide uses the open-source versions of Vault and Consul; Enterprise features are out of scope.
1. Set up a Consul server cluster
The Consul servers have the following IP addresses:
consul_s1: 10.1.42.101
consul_s2: 10.1.42.102
consul_s3: 10.1.42.103
The consul binary is installed at /usr/local/bin/consul.
The Consul server configuration, with placeholders that are filled in per server, is:
```json
{
  "server": true,
  "node_name": "$NODE_NAME",
  "datacenter": "dc1",
  "data_dir": "$CONSUL_DATA_PATH",
  "bind_addr": "0.0.0.0",
  "client_addr": "0.0.0.0",
  "advertise_addr": "$ADVERTISE_ADDR",
  "bootstrap_expect": 3,
  "retry_join": ["$JOIN1", "$JOIN2", "$JOIN3"],
  "ui": true,
  "log_level": "DEBUG",
  "enable_syslog": true,
  "acl_enforce_version_8": false
}
```
Replace the placeholders with the values for each Consul server:
- $NODE_NAME: the node name; consul_s1, consul_s2 and consul_s3.
- $CONSUL_DATA_PATH: the absolute path of the Consul data directory; it must be writable by the user the Consul process runs as.
- $ADVERTISE_ADDR: the address this server advertises to the other Consul agents. Because bind_addr is 0.0.0.0, set it to the server's own IP address: 10.1.42.101, 10.1.42.102 and 10.1.42.103.
- $JOIN1, $JOIN2, $JOIN3: the addresses in retry_join that the agent tries to join at start-up; here 10.1.42.101, 10.1.42.102 and 10.1.42.103.
The configuration also enables the web UI ("ui": true) and sets Consul logging to DEBUG ("log_level": "DEBUG"). acl_enforce_version_8 is set to false, so ACLs are not enforced; a production Consul cluster should have Consul ACLs configured and enforced.
On each server the configuration file is stored at /usr/local/etc/consul/client_agent.json, the path the systemd unit refers to.
consul_s1.json
```json
{
  "server": true,
  "node_name": "consul_s1",
  "datacenter": "dc1",
  "data_dir": "/var/consul/data",
  "bind_addr": "0.0.0.0",
  "client_addr": "0.0.0.0",
  "advertise_addr": "10.1.42.101",
  "bootstrap_expect": 3,
  "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
  "ui": true,
  "log_level": "DEBUG",
  "enable_syslog": true,
  "acl_enforce_version_8": false
}
```
consul_s2.json
```json
{
  "server": true,
  "node_name": "consul_s2",
  "datacenter": "dc1",
  "data_dir": "/var/consul/data",
  "bind_addr": "0.0.0.0",
  "client_addr": "0.0.0.0",
  "advertise_addr": "10.1.42.102",
  "bootstrap_expect": 3,
  "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
  "ui": true,
  "log_level": "DEBUG",
  "enable_syslog": true,
  "acl_enforce_version_8": false
}
```
consul_s3.json
```json
{
  "server": true,
  "node_name": "consul_s3",
  "datacenter": "dc1",
  "data_dir": "/var/consul/data",
  "bind_addr": "0.0.0.0",
  "client_addr": "0.0.0.0",
  "advertise_addr": "10.1.42.103",
  "bootstrap_expect": 3,
  "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
  "ui": true,
  "log_level": "DEBUG",
  "enable_syslog": true,
  "acl_enforce_version_8": false
}
```
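As an added example that is not part of the guide, the following Python helper renders the per-server configuration from the placeholder template above and flags both mistakes (leftover placeholders, bootstrap_expect not matching the number of servers) and the settings that are acceptable in this lab but not in production (ACL enforcement off, DEBUG logging, UI exposed on all interfaces). The names render, lint and write_config are mine.

```python
import json

# Placeholder template of the guide's Consul server configuration (step 1).
SERVER_TEMPLATE = {
    "server": True, "node_name": "$NODE_NAME", "datacenter": "dc1",
    "data_dir": "$CONSUL_DATA_PATH", "bind_addr": "0.0.0.0",
    "client_addr": "0.0.0.0", "advertise_addr": "$ADVERTISE_ADDR",
    "bootstrap_expect": 3, "retry_join": ["$JOIN1", "$JOIN2", "$JOIN3"],
    "ui": True, "log_level": "DEBUG", "enable_syslog": True,
    "acl_enforce_version_8": False,
}
# Server names and addresses as used in the guide.
SERVERS = {"consul_s1": "10.1.42.101", "consul_s2": "10.1.42.102",
           "consul_s3": "10.1.42.103"}

def render(node_name, data_dir="/var/consul/data"):
    """Substitute the placeholders for one server; returns the config as a dict."""
    values = {"$NODE_NAME": node_name, "$CONSUL_DATA_PATH": data_dir,
              "$ADVERTISE_ADDR": SERVERS[node_name]}
    values.update({f"$JOIN{i}": ip for i, ip in enumerate(SERVERS.values(), 1)})
    def fill(v):
        if isinstance(v, list):
            return [fill(x) for x in v]
        return values.get(v, v) if isinstance(v, str) else v
    return {k: fill(v) for k, v in SERVER_TEMPLATE.items()}

def lint(cfg):
    """Findings for a rendered config: leftover placeholders, a cluster-size mismatch,
    and the settings the guide uses for a lab that should not reach production."""
    join = cfg.get("retry_join", [])
    strings = [v for v in cfg.values() if isinstance(v, str)] + list(join)
    findings = []
    if any(s.startswith("$") for s in strings):
        findings.append("unreplaced placeholder in configuration")
    if cfg.get("bootstrap_expect") != len(join):
        findings.append("bootstrap_expect does not match the number of retry_join servers")
    if cfg.get("acl_enforce_version_8") is False:
        findings.append("acl_enforce_version_8=false: ACLs are not enforced; enable Consul ACLs in production")
    if cfg.get("log_level") == "DEBUG":
        findings.append("log_level=DEBUG: verbose logging; lower it in production")
    if cfg.get("ui") and cfg.get("client_addr") == "0.0.0.0":
        findings.append("ui=true with client_addr=0.0.0.0: HTTP API and UI reachable on every interface")
    return findings

def write_config(node_name, path):
    """Write the rendered config as pretty-printed JSON, e.g. to consul_s1.json."""
    with open(path, "w") as f:
        json.dump(render(node_name), f, indent=2)
```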
systemd unit for the Consul servers
Consul should run as a service managed by the init system. On Linux distributions that use systemd, the following unit file can be used:
```ini
### BEGIN INIT INFO
# Provides:          consul
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Consul agent
# Description:       Consul service discovery framework
### END INIT INFO

[Unit]
Description=Consul server agent
Requires=network-online.target
After=network-online.target

[Service]
User=consul
Group=consul
PIDFile=/var/run/consul/consul.pid
PermissionsStartOnly=true
ExecStartPre=-/bin/mkdir -p /var/run/consul
ExecStartPre=/bin/chown -R consul:consul /var/run/consul
ExecStart=/usr/local/bin/consul agent \
    -config-file=/usr/local/etc/consul/client_agent.json \
    -pid-file=/var/run/consul/consul.pid
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
```
Adjust the following options in the unit to your installation:
- -config-file
- -pid-file
Save the unit (for example as /etc/systemd/system/consul.service), run systemctl daemon-reload, and the Consul servers are ready to be started.
2. Start and verify the Consul cluster state
Once the configuration file and the data_dir are in place on each server, start Consul:
```shell
$ sudo systemctl start consul
$ sudo systemctl status consul
● consul.service - Consul server agent
   Loaded: loaded (/etc/systemd/system/consul.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-03-19 17:33:14 UTC; 24h ago
 Main PID: 2068 (consul)
    Tasks: 13
   Memory: 13.6M
      CPU: 0m 52.784s
   CGroup: /system.slice/consul.service
           └─2068 /usr/local/bin/consul agent -config-file=/usr/local/etc/consul/client_agent.json -pid-file=/var/run/consul/consul.pid
```
Once Consul is running on all three servers, list the members of the Consul cluster:
```shell
$ consul members
Node       Address           Status  Type    Build  Protocol  DC   Segment
consul_s1  10.1.42.101:8301  alive   server  1.0.6  2         dc1  <all>
consul_s2  10.1.42.102:8301  alive   server  1.0.6  2         dc1  <all>
consul_s3  10.1.42.103:8301  alive   server  1.0.6  2         dc1  <all>
```
All 3 servers are alive; to confirm that a leader has been elected, list the Raft peers:
```shell
$ consul operator raft list-peers
Node       ID                                    Address           State     Voter  RaftProtocol
consul_s2  536b721f-645d-544a-c10d-85c2ca24e4e4  10.1.42.102:8300  follower  true   3
consul_s1  e10ba554-a4f9-6a8c-f662-81c8bb2a04f5  10.1.42.101:8300  follower  true   3
consul_s3  56370ec8-da25-e7dc-dfc6-bf5f27978a7a  10.1.42.103:8300  leader    true   3
```
Here consul_s3 is the leader. The Consul cluster is ready for Vault.
3. Set up Consul client agents on the Vault servers
Vault uses Consul as its storage backend, so each Vault server runs a local Consul agent in client mode. Vault talks to the local client agent, which forwards its requests to the Consul servers.

Consul client agents
The Consul client agents join the same Consul cluster as the servers; because a client retries all three servers (retry_join), the storage backend stays available to Vault in an HA setup even if a single Consul server fails.
Since the Consul client runs on the same host as Vault, client_addr is set to 127.0.0.1, so only the local Vault process can reach the agent's API.
Consul client configuration:
```json
{
  "server": false,
  "datacenter": "dc1",
  "node_name": "$NODE_NAME",
  "data_dir": "$CONSUL_DATA_PATH",
  "bind_addr": "$BIND_ADDR",
  "client_addr": "127.0.0.1",
  "retry_join": ["$JOIN1", "$JOIN2", "$JOIN3"],
  "log_level": "DEBUG",
  "enable_syslog": true,
  "acl_enforce_version_8": false
}
```
As in step 1, replace the placeholders for each Consul client:
- $NODE_NAME: the node name; consul_c1 and consul_c2.
- $CONSUL_DATA_PATH: the absolute path of the Consul data directory; it must be writable by the user the Consul process runs as.
- $BIND_ADDR: the address the Consul client binds to. Unlike the servers, it is not 0.0.0.0 but the Vault server's own IP address: 10.1.42.201 and 10.1.42.202.
- $JOIN1, $JOIN2, $JOIN3: the retry_join addresses of the Consul servers; 10.1.42.101, 10.1.42.102 and 10.1.42.103.
On each Vault server the client configuration is stored at /usr/local/etc/consul/client_agent.json.
consul_c1.json
```json
{
  "server": false,
  "datacenter": "dc1",
  "node_name": "consul_c1",
  "data_dir": "/var/consul/data",
  "bind_addr": "10.1.42.201",
  "client_addr": "127.0.0.1",
  "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
  "log_level": "DEBUG",
  "enable_syslog": true,
  "acl_enforce_version_8": false
}
```
consul_c2.json
```json
{
  "server": false,
  "datacenter": "dc1",
  "node_name": "consul_c2",
  "data_dir": "/var/consul/data",
  "bind_addr": "10.1.42.202",
  "client_addr": "127.0.0.1",
  "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
  "log_level": "DEBUG",
  "enable_syslog": true,
  "acl_enforce_version_8": false
}
```
systemd unit for the Consul clients
The Consul client agents on the Vault servers are also run as a systemd service. The unit file differs from the server one only in its description:
```ini
### BEGIN INIT INFO
# Provides:          consul
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Consul agent
# Description:       Consul service discovery framework
### END INIT INFO

[Unit]
Description=Consul client agent
Requires=network-online.target
After=network-online.target

[Service]
User=consul
Group=consul
PIDFile=/var/run/consul/consul.pid
PermissionsStartOnly=true
ExecStartPre=-/bin/mkdir -p /var/run/consul
ExecStartPre=/bin/chown -R consul:consul /var/run/consul
ExecStart=/usr/local/bin/consul agent \
    -config-file=/usr/local/etc/consul/client_agent.json \
    -pid-file=/var/run/consul/consul.pid
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
```
Adjust the following options to your installation:
- -config-file
- -pid-file
Save the unit (for example as /etc/systemd/system/consul.service), run systemctl daemon-reload, and the Consul clients on the Vault servers are ready to be started.
Once the client configuration and the data_dir are in place, start the Consul client agent on each Vault server:
```shell
$ sudo systemctl start consul
$ sudo systemctl status consul
● consul.service - Consul client agent
   Loaded: loaded (/etc/systemd/system/consul.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-03-20 19:36:49 UTC; 6s ago
 Main PID: 23758 (consul)
    Tasks: 11
   Memory: 9.8M
      CPU: 571ms
   CGroup: /system.slice/consul.service
           └─23758 /usr/local/bin/consul agent -config-file=/usr/local/etc/consul/client_agent.json -pid-file=/var/run/consul/consul.pid
```
Verify from a Consul client that it has joined the Consul cluster:
```shell
$ consul members
Node       Address           Status  Type    Build  Protocol  DC    Segment
consul_s1  10.1.42.101:8301  alive   server  1.0.6  2         dc1   <all>
consul_s2  10.1.42.102:8301  alive   server  1.0.6  2         dc1   <all>
consul_s3  10.1.42.103:8301  alive   server  1.0.6  2         dc1   <all>
consul_c1  10.1.42.201:8301  alive   client  1.0.6  2         arus  <default>
consul_c2  10.1.42.202:8301  alive   client  1.0.6  2         arus  <default>
```
The cluster now has 3 Consul servers and 2 Consul clients. Next, configure Vault.
4. Configure the Vault servers
With the Consul cluster in place (3 servers and 2 client agents on the Vault nodes), configure the Vault servers to use Consul as their storage backend and to run in Vault HA mode.
The Vault servers have the following IP addresses:
- vault_s1: 10.1.42.201
- vault_s2: 10.1.42.202
The vault binary is installed at /usr/local/bin/vault.
Vault configuration (with placeholders):
```hcl
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = "true"
}

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

api_addr     = "$API_ADDR"
cluster_addr = "$CLUSTER_ADDR"
```
The tcp listener block sets two addresses:
- address (default "127.0.0.1:8200"): the address and port on which Vault's API listens; here 0.0.0.0:8200, so the API is reachable on every interface.
- cluster_address (default "127.0.0.1:8201"): the address and port for server-to-server cluster traffic, which Vault nodes use for request forwarding; it is a TCP listener like the API port and by default sits one port above address. It normally does not need to be set explicitly, but it is useful when Vault sits behind a proxy.
Vault servers learn about each other through the storage backend: each server writes the addresses it advertises (api_addr and cluster_addr) to Consul, and reads those of the other Vault servers from Consul. A standby node uses the active node's api_addr to redirect clients to it (Client Redirection) and its cluster_addr to forward requests to it.
Replace the placeholders for each Vault server:
- $API_ADDR: the full URL of this server's API, as advertised to the other cluster members; it can also be set with the VAULT_API_ADDR environment variable. Here http://10.1.42.201:8200 and http://10.1.42.202:8200.
- $CLUSTER_ADDR: the address advertised for cluster traffic; it can also be set with the VAULT_CLUSTER_ADDR environment variable and is a URL like api_addr. Here https://10.1.42.201:8201 and https://10.1.42.202:8201.
Note that the cluster address uses the https scheme even though tls_disable = "true" is set on the listener: Vault always uses TLS on the cluster port, with certificates it generates and manages itself. The API listener, by contrast, is plain HTTP in this lab configuration; a production deployment should enable TLS on the listener.
vault_s1.hcl
```hcl
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "10.1.42.201:8201"
  tls_disable     = "true"
}

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

api_addr     = "http://10.1.42.201:8200"
cluster_addr = "https://10.1.42.201:8201"
```
vault_s2.hcl
```hcl
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "10.1.42.202:8201"
  tls_disable     = "true"
}

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

api_addr     = "http://10.1.42.202:8200"
cluster_addr = "https://10.1.42.202:8201"
```
systemd unit for Vault
Vault should also run as a service. The systemd unit for the Vault server:
```ini
### BEGIN INIT INFO
# Provides:          vault
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Vault server
# Description:       Vault secret management tool
### END INIT INFO

[Unit]
Description=Vault secret management tool
Requires=network-online.target
After=network-online.target

[Service]
User=vault
Group=vault
PIDFile=/var/run/vault/vault.pid
ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault_server.hcl -log-level=debug
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
RestartSec=42s
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
```
Adjust the following options to your installation:
- -config (the path to the Vault server configuration file)
- -log-level
LimitMEMLOCK=infinity lets Vault lock its memory with mlock so that secrets held in memory are not swapped to disk. Save the unit as /etc/systemd/system/vault.service, run systemctl daemon-reload, and Vault can then be started.
5. Start Vault and verify its state
Start Vault on the first server:
```shell
$ sudo systemctl start vault
$ sudo systemctl status vault
● vault.service - Vault secret management tool
   Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-03-20 20:42:10 UTC; 42s ago
 Main PID: 2080 (vault)
    Tasks: 12
   Memory: 71.7M
      CPU: 50s
   CGroup: /system.slice/vault.service
           └─2080 /usr/local/bin/vault server -config=/home/ubuntu/vault_nano/config/vault_server.hcl -log-level=debu
```
Then start Vault on the second server in the same way.
Check the status on the first Vault server:
```shell
$ vault status
Key             Value
---             -----
Seal Type       shamir
Sealed          false
Total Shares    5
Threshold       3
Version         0.9.5
Cluster Name    vault
Cluster ID      0ee91bd1-55ec-c84f-3c1d-dcc7f4f644a8
HA Enabled      true
HA Cluster      https://10.1.42.201:8201
HA Mode         active
```
And on the second Vault server:
```shell
$ vault status
Key                     Value
---                     -----
Seal Type               shamir
Sealed                  false
Total Shares            5
Threshold               3
Version                 0.9.5
Cluster Name            vaultron
Cluster ID              0ee91bd1-55ec-c84f-3c1d-dcc7f4f644a8
HA Enabled              true
HA Cluster              https://10.1.42.201:8201
HA Mode                 standby
Active Node Address:    http://10.1.42.201:8200
```
Vault is running in high-availability (HA) mode: the first Vault server is active and the second is standby, reporting the active node's address. If the active Vault is stopped (sudo systemctl stop vault), the standby node takes over as the active one.
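As an added example that is not part of the guide, the following Python check parses the output of consul operator raft list-peers (step 2) and of vault status on both Vault servers (step 5) and reports whether the cluster is in the expected HA state: one Raft leader, every Vault unsealed with HA enabled, exactly one active node, standbys that know the active node's address, and a single shared cluster ID. The sample outputs are constructed from the values shown above and the function names are mine.

```python
import re

# Constructed sample output in the format of `consul operator raft list-peers` (step 2)
# and `vault status` on each Vault server (step 5), using the guide's values.
RAFT_PEERS = """\
Node       ID                                    Address           State     Voter  RaftProtocol
consul_s2  536b721f-645d-544a-c10d-85c2ca24e4e4  10.1.42.102:8300  follower  true   3
consul_s1  e10ba554-a4f9-6a8c-f662-81c8bb2a04f5  10.1.42.101:8300  follower  true   3
consul_s3  56370ec8-da25-e7dc-dfc6-bf5f27978a7a  10.1.42.103:8300  leader    true   3
"""
VAULT_STATUS = {
    "vault_s1": "Key  Value\n---  -----\nSealed  false\n"
                "Cluster ID  0ee91bd1-55ec-c84f-3c1d-dcc7f4f644a8\nHA Enabled  true\n"
                "HA Cluster  https://10.1.42.201:8201\nHA Mode  active\n",
    "vault_s2": "Key  Value\n---  -----\nSealed  false\n"
                "Cluster ID  0ee91bd1-55ec-c84f-3c1d-dcc7f4f644a8\nHA Enabled  true\n"
                "HA Cluster  https://10.1.42.201:8201\nHA Mode  standby\n"
                "Active Node Address:  http://10.1.42.201:8200\n",
}

def parse_raft_peers(text):
    """Parse the peer table into one dict per server, keyed by the header columns."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def parse_vault_status(text):
    """Parse `vault status` Key/Value rows; keys may contain spaces and a trailing colon."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?):?\s{2,}(\S.*)$", line)
        if m and m.group(1) not in ("Key", "---"):
            status[m.group(1)] = m.group(2)
    return status

def check_ha(peers, statuses):
    """Return the problems found; an empty list means the cluster is in the expected HA state."""
    problems = []
    leaders = [p["Node"] for p in peers if p["State"] == "leader"]
    if len(leaders) != 1:
        problems.append(f"expected one Consul raft leader, found {leaders}")
    active = [n for n, s in statuses.items() if s.get("HA Mode") == "active"]
    if len(active) != 1:
        problems.append(f"expected one active Vault node, found {active}")
    for node, s in statuses.items():
        if s.get("Sealed") != "false":
            problems.append(f"{node} is sealed")
        if s.get("HA Enabled") != "true":
            problems.append(f"{node} does not have HA enabled")
        if s.get("HA Mode") == "standby" and "Active Node Address" not in s:
            problems.append(f"{node} is standby but reports no active node address")
    if len({s.get("Cluster ID") for s in statuses.values()}) != 1:
        problems.append("Vault servers report different cluster IDs")
    return problems
```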
Read the Production Hardening guide to learn the best practices for deploying Vault in a production environment.