How to install and configure HashiCorp Boundary on Ubuntu

변군이글루 2024. 11. 12. 20:16

Boundary is a solution that hardens remote access such as SSH and RDP and manages access control centrally.

Install required packages

sudo apt update
sudo apt install -y wget unzip curl gnupg software-properties-common

1. Install PostgreSQL

sudo apt install postgresql
psql --version
$ psql --version
psql (PostgreSQL) 14.13 (Ubuntu 14.13-0ubuntu0.22.04.1)

Generate an SSL certificate

---

Generate the default "snakeoil" SSL certificate.

sudo make-ssl-cert generate-default-snakeoil --force-overwrite

Reinstall PostgreSQL

sudo apt-get remove -y --purge postgresql*
sudo apt autoremove -y
sudo apt-get install postgresql

---

PostgreSQL configuration file

sudo vim /etc/postgresql/$(ls /etc/postgresql)/main/postgresql.conf

Start and check the PostgreSQL service

sudo systemctl enable --now postgresql
sudo systemctl restart postgresql
sudo systemctl status postgresql

Check the PostgreSQL service logs

sudo journalctl -xeu postgresql
sudo journalctl -u postgresql -b

2. Install Boundary

This section configures the controller and worker nodes and uses PostgreSQL as the backend database.

Add the HashiCorp APT repository

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
    | sudo tee /etc/apt/sources.list.d/hashicorp.list

Install Boundary

sudo apt update
sudo apt install -y boundary
boundary version
$ boundary version

Version information:
  Build Date:          2024-10-10T15:04:49Z
  Git Revision:        2e3fdb718cb5ed20017b124deb6f438310b9dd0f
  Version Number:      0.18.0

Start dev mode

boundary dev -api-listen-address=0.0.0.0:9200 &
  • Boundary UI login credentials
    • Id: admin
    • Password: password

3. Configure the PostgreSQL database

Create the database and user: create a dedicated database and user for Boundary in PostgreSQL.

sudo -u postgres psql
CREATE DATABASE boundary_db;
CREATE USER boundary_user WITH ENCRYPTED PASSWORD 'boundary_password';
GRANT ALL PRIVILEGES ON DATABASE boundary_db TO boundary_user;

Allow external access to PostgreSQL

sudo vim /etc/postgresql/<version>/main/pg_hba.conf
sudo tee -a /etc/postgresql/$(ls /etc/postgresql)/main/pg_hba.conf > /dev/null <<EOF
host    all             all             192.168.10.111/32       md5
EOF

4. Write the Boundary configuration file

Write the Boundary configuration file (boundary.hcl) to define how Boundary behaves.

sudo vim /etc/boundary.d/boundary.hcl
sudo tee /etc/boundary.d/boundary.hcl > /dev/null <<EOF
# Disable memory lock
disable_mlock = true

# Controller configuration
controller {
  name = "demo-controller-1"
  description = "A controller for a demo!"

  database {
      url = "postgresql://boundary_user:boundary_password@localhost:5432/boundary_db?sslmode=disable"
  }
}

# API listener
listener "tcp" {
  address = "0.0.0.0:9200"
  purpose = "api"
  tls_disable = true
}

# Data-plane listener (worker coordination)
listener "tcp" {
  address = "0.0.0.0:9201"
  purpose = "cluster"
}

# Root KMS
kms "aead" {
  purpose = "root"
  aead_type = "aes-gcm"
  key = "s130azffe4XVK4KBxm+cUi8FF5rFF7uyqbBut6kUrv0="
  key_id = "global_root"
}

# Worker authorization KMS
kms "aead" {
  purpose = "worker-auth"
  aead_type = "aes-gcm"
  key = "OXtfM9KOz6JRofbqqHf5xT4wfEPhEZISViEGMk64fxE="
  key_id = "global_worker-auth"
}

# Recovery KMS
kms "aead" {
  purpose = "recovery"
  aead_type = "aes-gcm"
  key = "OXtfM9KOz6JRofbqqHf5xT4wfEPhEZISViEGMk64fxE="
  key_id = "global_recovery"
}
EOF

Initialize the Boundary database

boundary database init -config /etc/boundary.d/boundary.hcl
boundary database init -config /etc/boundary.d/boundary.hcl > ~/init_boundary.txt

---

Migrations successfully run.
Global-scope KMS keys successfully created.

Initial login role information:
  Name:      Login Grants
  Role ID:   r_8EIlX5b9Ab

Initial authenticated user role information:
  Name:      Authenticated User Grants
  Role ID:   r_XAGvJbir7w

Initial auth information:
  Auth Method ID:     ampw_iQSWaJhlN4
  Auth Method Name:   Generated global scope initial password auth method
  Login Name:         admin
  Password:           eXAhHe1qs4bPDzxwVofo
  Scope ID:           global
  User ID:            u_Oj6Mu0LBLl
  User Name:          admin

Initial org scope information:
  Name:       Generated org scope
  Scope ID:   o_fLcg8HqvEI
  Type:       org

Initial project scope information:
  Name:       Generated project scope
  Scope ID:   p_EAtg6J8abv
  Type:       project

Initial host resources information:
  Host Catalog ID:     hcst_SIPsi31fay
  Host Catalog Name:   Generated host catalog
  Host ID:             hst_4tmSi5fMi3
  Host Name:           Generated host
  Host Set ID:         hsst_Uqb4jmBTCn
  Host Set Name:       Generated host set
  Scope ID:            p_EAtg6J8abv
  Type:                static

Initial target information:
  Default Port:               22
  Name:                       Generated target with a direct address
  Scope ID:                   p_EAtg6J8abv
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Target ID:                  ttcp_C9ZvoAXlGB
  Type:                       tcp

Initial target information:
  Default Port:               22
  Name:                       Generated target using host sources
  Scope ID:                   p_EAtg6J8abv
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Target ID:                  ttcp_NcdKJq3ydG
  Type:                       tcp

---

Start and check the Boundary service

sudo systemctl enable --now boundary
sudo systemctl restart boundary
sudo systemctl status boundary

Check the Boundary service logs

sudo journalctl -xeu boundary
sudo journalctl -u boundary -b

Access the Boundary UI

http://192.168.0.111:9200
  • Login credentials
    • Login Name: admin
    • Password: eXAhHe1qs4bPDzxwVofo

You can now connect to the target server over SSH securely through Boundary.
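As an added example (not part of the original post and not Boundary's own tooling), a small Python audit of the boundary.hcl written in step 4, run here against a constructed, shortened copy of that configuration: it flags KMS keys that do not decode to 32 bytes, one key reused for more than one KMS purpose (as the worker-auth and recovery blocks above do), the API listener with tls_disable = true, and a database URL with sslmode=disable. The helper names parse_blocks and audit are assumptions of this example.

```python
# Added example (assumed helper names, not Boundary tooling): audit a boundary.hcl.
import base64
import re

# Constructed sample: a shortened copy of the step-4 config, keeping the same
# keys, so the worker-auth and recovery blocks share one key as on the page.
KMS = 'kms "aead" {{\n  purpose = "{p}"\n  aead_type = "aes-gcm"\n  key = "{k}"\n}}\n'
SAMPLE_HCL = (
    'controller {\n  database {\n    url = "postgresql://boundary_user:boundary_password'
    '@localhost:5432/boundary_db?sslmode=disable"\n  }\n}\n'
    'listener "tcp" {\n  address = "0.0.0.0:9200"\n  purpose = "api"\n  tls_disable = true\n}\n'
    'listener "tcp" {\n  address = "0.0.0.0:9201"\n  purpose = "cluster"\n}\n'
    + KMS.format(p="root", k="s130azffe4XVK4KBxm+cUi8FF5rFF7uyqbBut6kUrv0=")
    + KMS.format(p="worker-auth", k="OXtfM9KOz6JRofbqqHf5xT4wfEPhEZISViEGMk64fxE=")
    + KMS.format(p="recovery", k="OXtfM9KOz6JRofbqqHf5xT4wfEPhEZISViEGMk64fxE=")
)

def parse_blocks(hcl, kind):
    """Attribute dicts of every flat `kind "label" { ... }` block (no nesting)."""
    blocks = []
    for m in re.finditer(r'%s\s+"[^"]*"\s*\{([^}]*)\}' % kind, hcl):
        attrs = {}
        for line in m.group(1).splitlines():
            kv = re.match(r'\s*(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
            if kv:
                attrs[kv.group(1)] = kv.group(2)
        blocks.append(attrs)
    return blocks

def audit(hcl):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, seen = [], {}
    for kms in parse_blocks(hcl, "kms"):
        purpose, key = kms.get("purpose", "?"), kms.get("key", "")
        try:
            raw = base64.b64decode(key, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        if len(raw) != 32:  # the page's aes-gcm keys are 32-byte AES-256 keys
            findings.append(f"kms {purpose}: key is not a 32-byte AES-256 key")
        if key in seen:  # one key protecting two purposes collapses their separation
            findings.append(f"kms {purpose}: reuses the {seen[key]} key")
        seen.setdefault(key, purpose)
    for lst in parse_blocks(hcl, "listener"):
        if lst.get("purpose") == "api" and lst.get("tls_disable") == "true":
            findings.append(f"listener {lst['address']}: API served without TLS")
    url = re.search(r'url\s*=\s*"([^"]*)"', hcl)
    if url and "sslmode=disable" in url.group(1):
        findings.append("database: sslmode=disable leaves PostgreSQL traffic in plaintext")
    return findings
```

To check the real file, call audit() on the contents of /etc/boundary.d/boundary.hcl; an empty result means none of these four settings was flagged.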
