How to install HashiCorp Vault on CentOS 7
Vault releases
https://releases.hashicorp.com/vault/
Prerequisites
yum -y -q install curl unzip openssh openssh-server openssh-clients
yum -y -q install epel-release
yum -y -q install sshpass
Install Vault
export VAULT_VERSION=1.3.4
cd /usr/local/src/
curl -fsSLO https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
curl -fsSLO https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS
grep "vault_${VAULT_VERSION}_linux_amd64.zip" vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c -
$ grep "vault_${VAULT_VERSION}_linux_amd64.zip" vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c -
vault_1.3.4_linux_amd64.zip: 성공
unzip -q vault_${VAULT_VERSION}_linux_amd64.zip
cp vault /usr/local/bin/
which vault
$ which vault
/usr/local/bin/vault
$ vault --version
Vault v1.3.4
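The `grep ... | sha256sum -c -` line above only prints "OK" or "FAILED"; nothing stops the `unzip` and `cp` that follow when the digest does not match. The following shell functions, an added example and not part of the original post, wrap the same check so that the archive is only unpacked after the digest in the SHA256SUMS file is confirmed, and the mismatch case returns an error instead of installing. The `demo_setup` helper builds a constructed stand-in archive and sums file so the check can be exercised without downloading anything; the real `vault_<version>_SHA256SUMS` file from releases.hashicorp.com uses the same `<hex>  <filename>` layout.

```shell
#!/bin/sh
# Added example (not from the original post): verify a Vault release archive
# against its SHA256SUMS file and refuse to unpack it on a mismatch.

# verify_release ARCHIVE SUMS_FILE
# Returns 0 when ARCHIVE's sha256 matches its entry in SUMS_FILE, 1 otherwise.
verify_release() {
    archive="$1"
    sums="$2"
    name=$(basename "$archive")
    # Match the file name exactly, so "vault_1.3.4_linux_amd64.zip" does not
    # pick up a longer entry such as "vault_1.3.4_linux_amd64.zip.sig".
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "$name: OK"
    return 0
}

# install_vault ARCHIVE SUMS_FILE DEST_DIR
# Unpacks the archive into DEST_DIR only after verification succeeds.
install_vault() {
    verify_release "$1" "$2" || return 1
    unzip -q -o "$1" -d "$3"
}

# Constructed demo data: a stand-in "release archive" and a sums file that
# matches it. Real downloads would replace these two files.
demo_setup() {
    dir=$(mktemp -d)
    printf 'not a real zip, just constructed demo bytes\n' > "$dir/vault_1.3.4_linux_amd64.zip"
    ( cd "$dir" && sha256sum vault_1.3.4_linux_amd64.zip > vault_1.3.4_SHA256SUMS )
    echo "$dir"
}
```

With real files the call is `install_vault /usr/local/src/vault_${VAULT_VERSION}_linux_amd64.zip /usr/local/src/vault_${VAULT_VERSION}_SHA256SUMS /usr/local/bin`; the SHA256SUMS file itself can additionally be checked against HashiCorp's detached signature, which this example does not cover.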
Create the Vault data directory
mkdir -p /app/vault/data
Create the Vault configuration file
cat > /app/vault/config.hcl <<EOF
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true # don't do this in production - always use TLS in prod
}
storage "file" {
path = "/app/vault/data"
}
disable_mlock = true # don't do this in production either
# ^ setting this to true allows leaking of sensitive data to disk/swap
# we're doing it here to avoid running the process as root
# or modifying any system tunables
EOF
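The config above carries two settings its own comments flag as unsuitable for production: `tls_disable = true` (the listener speaks plain HTTP, so tokens and secrets cross the wire in clear) and `disable_mlock = true` (the barrier's key material may be paged to swap). The shell functions below are an added example, not part of the original post: `lint_vault_config` refuses a `config.hcl` that still has either setting enabled, and `write_hardened_config` writes the variant that keeps mlock on and terminates TLS at the listener. The certificate paths and the `api_addr` hostname in the hardened file are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the two
# "don't do this in production" settings in a Vault config.hcl.

# lint_vault_config FILE
# Returns 0 if neither insecure setting is enabled, 1 otherwise.
lint_vault_config() {
    cfg="$1"
    rc=0
    # Drop '#' comments first so a commented-out setting is not a false positive.
    body=$(sed -e 's/#.*//' "$cfg")
    if printf '%s\n' "$body" | grep -Eq 'tls_disable *= *(true|1|"true")'; then
        echo "$cfg: listener has TLS disabled" >&2
        rc=1
    fi
    if printf '%s\n' "$body" | grep -Eq 'disable_mlock *= *(true|1|"true")'; then
        echo "$cfg: disable_mlock is set; key material may be swapped to disk" >&2
        rc=1
    fi
    return $rc
}

# write_hardened_config FILE
# Writes a config that keeps mlock at its default (enabled) and uses TLS.
write_hardened_config() {
    cat > "$1" <<'EOF'
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/app/vault/tls/vault.crt"   # assumed path
  tls_key_file  = "/app/vault/tls/vault.key"   # assumed path
}
storage "file" {
  path = "/app/vault/data"
}
# disable_mlock is left at its default (false). Instead of running as root,
# grant the binary the capability:  setcap cap_ipc_lock=+ep /usr/local/bin/vault
api_addr = "https://vault.example.internal:8200"   # assumed hostname
EOF
}
```

Setting `api_addr` explicitly also removes the `no api_addr value specified` warning that the dev-mode server prints at startup.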
Run and initialize Vault
Start the Vault server, then initialize it.
vault server -config=/app/vault/config.hcl
The Vault server can also be run in development mode.
vault server -dev
$ vault server -dev
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.3.4
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: z/zNZCzwvD2vzWpZn7fLWCTYDCnkexYSfcnZI8P2+g4=
Root Token: s.F2bOWngShzH0oehzHbacWBJN
Development mode should NOT be used in production installations!
==> Vault server started! Log data will stream in below:
2020-03-21T11:22:16.897+0900 [INFO] proxy environment: http_proxy= https_proxy= no_proxy=
2020-03-21T11:22:16.898+0900 [WARN] no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2020-03-21T11:22:16.907+0900 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-03-21T11:22:16.907+0900 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-03-21T11:22:16.907+0900 [INFO] core: security barrier not initialized
Listening port
ss -nlpt | grep vault
$ ss -nlpt | grep vault
LISTEN 0 128 *:8200 *:* users:(("vault",pid=26974,fd=5))
Set the environment variable
export VAULT_ADDR=http://127.0.0.1:8200
Check Vault status
vault status
Initialize and unseal Vault
Initialize Vault and store the unseal keys somewhere safe.
vault operator init
Keep the root token and unseal keys produced by initialization in a secure location.
Set up authentication and secrets engines in Vault
To use Vault, enable an auth method and a secrets engine. For example, to enable token authentication and the key/value (KV) secrets engine:
vault auth enable token
vault secrets enable kv
Using Vault
Vault can now be used to store and retrieve secrets, among other operations.