[draft] How to install HashiCorp Vault and Boundary on Ubuntu and configure the basics


Install the required packages

sudo apt update
sudo apt install -y wget unzip curl gnupg software-properties-common

1. Install PostgreSQL

sudo apt install -y postgresql
psql --version
$ psql --version
psql (PostgreSQL) 14.13 (Ubuntu 14.13-0ubuntu0.22.04.1)

Generate an SSL certificate

---

Generate the default "snakeoil" SSL certificate.

sudo make-ssl-cert generate-default-snakeoil --force-overwrite

---


Start the PostgreSQL service and enable it at boot

sudo systemctl enable --now postgresql

Restart the PostgreSQL service

sudo systemctl restart postgresql

Check the PostgreSQL service status

sudo systemctl status postgresql

Check the version with an SQL query

sudo -u postgres psql
postgres=# select version();
                                                                version                                                                 
----------------------------------------------------------------------------------------------------------------------------------------
 PostgreSQL 14.13 (Ubuntu 14.13-0ubuntu0.22.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit
(1 row)

Add the HashiCorp GPG key and repository

wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
    | sudo tee /etc/apt/sources.list.d/hashicorp.list

2. Install and configure HashiCorp Vault

Install Vault

sudo apt update
sudo apt install -y vault
vault version

Write the Vault configuration file

sudo tee /etc/vault.d/vault.hcl > /dev/null <<EOF
# Enable the web UI (served at /ui on the listener below)
ui = true

# Single-node file storage backend (no HA)
storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener. tls_disable = 1 serves plain HTTP, so tokens cross the
# network in clear text: acceptable for this lab, not for a real deployment.
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
EOF

Start and check the Vault service

sudo systemctl enable --now vault
sudo systemctl restart vault
sudo systemctl status vault

Check the Vault service logs

sudo journalctl -xeu vault
sudo journalctl -u vault -b

Set the Vault environment variable

export VAULT_ADDR=http://127.0.0.1:8200

Initialize Vault and set the token

vault operator init
export VAULT_TOKEN="hvs.QitiB8zCFG8VIs4nL6CIntBw"
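A fresh Vault with file storage starts sealed, so `vault operator init` alone does not make it usable. The script below (an added example, not part of the original post) saves the init output to a file, unseals the server with three of the five key shares, and reads the root token back out of that file instead of pasting it on the command line. `INIT_FILE` and the `init`/`unseal`/`token` subcommands are this example's own names; it assumes `VAULT_ADDR` is already exported as above.

```shell
#!/bin/sh
# Added example: initialise, unseal and fetch the root token of a new Vault.
# Assumes VAULT_ADDR is exported (http://127.0.0.1:8200 in this post).
set -eu

INIT_FILE="${INIT_FILE:-$HOME/vault_init.txt}"   # example name, not a Vault default

# Pull the N-th unseal key out of the text output of `vault operator init`.
unseal_key() {
    # $1 = init output file, $2 = key number (1-based); the colon keeps "Key 1" from matching "Key 10"
    sed -n "s/^Unseal Key $2: *//p" "$1"
}

# Pull the initial root token out of the same output.
root_token() {
    sed -n 's/^Initial Root Token: *//p' "$1"
}

vault_init() {
    # 5 shares / threshold 3 is the Vault default; stated explicitly here.
    umask 077   # the file holds the root token, so make it owner-readable only
    vault operator init -key-shares=5 -key-threshold=3 > "$INIT_FILE"
    echo "init output saved to $INIT_FILE"
}

vault_unseal() {
    # Three distinct shares reach the threshold; each call submits one share.
    i=1
    while [ "$i" -le 3 ]; do
        vault operator unseal "$(unseal_key "$INIT_FILE" "$i")" > /dev/null
        i=$((i + 1))
    done
    vault status   # shows "Sealed  false" once the threshold is met
}

case "${1:-}" in
    init)   vault_init ;;
    unseal) vault_unseal ;;
    token)  root_token "$INIT_FILE" ;;   # export VAULT_TOKEN="$(sh vault-init.sh token)"
esac
```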

Open the Vault UI

http://192.168.0.111:8200

3. Install and configure HashiCorp Boundary

This section configures Boundary with PostgreSQL as its backend database.


Install Boundary

sudo apt update
sudo apt install -y boundary
boundary version
boundary -version
$ boundary version

Version information:
  Build Date:          2024-10-10T15:04:49Z
  Git Revision:        2e3fdb718cb5ed20017b124deb6f438310b9dd0f
  Version Number:      0.18.0

Start dev mode

boundary dev -api-listen-address=0.0.0.0:9200 &
  • Boundary UI login credentials
    • ID: admin
    • Password: password

Set up the PostgreSQL database

Create the database and user: create a dedicated database and user for Boundary in PostgreSQL.

sudo -u postgres psql
CREATE DATABASE boundary_db;
CREATE USER boundary_user WITH ENCRYPTED PASSWORD 'boundary_password';
GRANT ALL PRIVILEGES ON DATABASE boundary_db TO boundary_user;

Allow external access to PostgreSQL

vim /etc/postgresql/<version>/main/pg_hba.conf
sudo tee -a /etc/postgresql/14/main/pg_hba.conf > /dev/null <<EOF
host    all             all             192.168.0.111/32       md5
EOF

Write the Boundary configuration file

sudo vim /etc/boundary.d/boundary.hcl
sudo tee /etc/boundary.d/boundary.hcl > /dev/null <<EOF
# Disable memory lock (lab only; keep mlock on in production so key material is not swapped to disk)
disable_mlock = true

# Controller configuration
controller {
  name = "demo-controller-1"
  description = "A controller for a demo!"

  # Connection string for the database and user created above.
  # sslmode=disable: plain TCP to the local PostgreSQL.
  database {
      url = "postgresql://boundary_user:boundary_password@localhost:5432/boundary_db?sslmode=disable"
  }
}

# API listener (plain HTTP because tls_disable = true)
listener "tcp" {
  address = "0.0.0.0:9200"
  purpose = "api"
  tls_disable = true
}

# Data-plane listener (worker coordination)
listener "tcp" {
  address = "0.0.0.0:9201"
  purpose = "cluster"
}

# Each kms block takes a base64-encoded 32-byte AES-GCM key. Every purpose
# should get its own randomly generated key; the worker-auth and recovery
# blocks below reuse the same value, which only passes in a throwaway lab.

# Root KMS
kms "aead" {
  purpose = "root"
  aead_type = "aes-gcm"
  key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
  key_id = "global_root"
}

# Worker authorization KMS
kms "aead" {
  purpose = "worker-auth"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id = "global_worker-auth"
}

# Recovery KMS
kms "aead" {
  purpose = "recovery"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id = "global_recovery"
}
EOF
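Rather than hand-editing the three `kms "aead"` keys, the script below (an added example, not from the original post) generates a separate 32-byte key for each purpose, checks that each one decodes to exactly 32 bytes and that no two are equal, and renders the three blocks into a file you can paste into boundary.hcl. `KMS_OUT`, `gen_aead_key`, `check_aead_key` and `kms_block` are this example's own names; it assumes coreutils `head`, `base64` and `wc`.

```shell
#!/bin/sh
# Added example: one fresh AES-GCM key per Boundary KMS purpose, validated before use.
set -eu

# The aead KMS with aead_type = "aes-gcm" expects a raw 32-byte key, base64-encoded.
gen_aead_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Succeeds only when $1 is base64 that decodes to exactly 32 bytes.
check_aead_key() {
    n="$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')"
    [ "$n" -eq 32 ]
}

# Prints one kms "aead" block; $1 = purpose (root, worker-auth, recovery), $2 = key.
kms_block() {
    check_aead_key "$2"
    printf 'kms "aead" {\n  purpose = "%s"\n  aead_type = "aes-gcm"\n  key = "%s"\n  key_id = "global_%s"\n}\n\n' \
        "$1" "$2" "$1"
}

write_kms_config() {
    root="$(gen_aead_key)"; worker="$(gen_aead_key)"; recovery="$(gen_aead_key)"
    # Three purposes, three different keys: rotating or losing one must not affect the others.
    [ "$root" != "$worker" ] && [ "$worker" != "$recovery" ] && [ "$root" != "$recovery" ]
    umask 077   # the output file is key material: owner-readable only
    {
        kms_block root "$root"
        kms_block worker-auth "$worker"
        kms_block recovery "$recovery"
    } > "${KMS_OUT:-./kms.hcl}"
    echo "wrote ${KMS_OUT:-./kms.hcl}"
}

case "${1:-}" in
    write) write_kms_config ;;
esac
```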

Initialize the Boundary database

boundary database init -config /etc/boundary.d/boundary.hcl
boundary database init -config /etc/boundary.d/boundary.hcl > ~/init_boundary.txt

---

Migrations successfully run.
Global-scope KMS keys successfully created.

Initial login role information:
  Name:      Login Grants
  Role ID:   r_8EIlX5b9Ab

Initial authenticated user role information:
  Name:      Authenticated User Grants
  Role ID:   r_XAGvJbir7w

Initial auth information:
  Auth Method ID:     ampw_iQSWaJhlN4
  Auth Method Name:   Generated global scope initial password auth method
  Login Name:         admin
  Password:           eXAhHe1qs4bPDzxwVofo
  Scope ID:           global
  User ID:            u_Oj6Mu0LBLl
  User Name:          admin

Initial org scope information:
  Name:       Generated org scope
  Scope ID:   o_fLcg8HqvEI
  Type:       org

Initial project scope information:
  Name:       Generated project scope
  Scope ID:   p_EAtg6J8abv
  Type:       project

Initial host resources information:
  Host Catalog ID:     hcst_SIPsi31fay
  Host Catalog Name:   Generated host catalog
  Host ID:             hst_4tmSi5fMi3
  Host Name:           Generated host
  Host Set ID:         hsst_Uqb4jmBTCn
  Host Set Name:       Generated host set
  Scope ID:            p_EAtg6J8abv
  Type:                static

Initial target information:
  Default Port:               22
  Name:                       Generated target with a direct address
  Scope ID:                   p_EAtg6J8abv
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Target ID:                  ttcp_C9ZvoAXlGB
  Type:                       tcp

Initial target information:
  Default Port:               22
  Name:                       Generated target using host sources
  Scope ID:                   p_EAtg6J8abv
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Target ID:                  ttcp_NcdKJq3ydG
  Type:                       tcp

---

Start and check the Boundary service

sudo systemctl enable --now boundary
sudo systemctl restart boundary
sudo systemctl status boundary

Check the Boundary service logs

sudo journalctl -xeu boundary
sudo journalctl -u boundary -b

Open the Boundary UI

http://192.168.0.111:9200
  • Login credentials
    • Login Name: admin
    • Password: eXAhHe1qs4bPDzxwVofo

- Work in progress -

4. Log in to Boundary (authentication)

Log in to Boundary with the initial admin account.

boundary authenticate password -login-name=admin -password=<admin-password>
boundary authenticate password -auth-method-id=<auth-method-id> -login-name=admin -password=<admin-password>

5. Create a project and a host

Create a project and a host configuration for the resources that will be accessed through Boundary.

Create a project (a scope created under an org scope is a project)

boundary scopes create -scope-id <org-scope-id> -name "my-project"

Create a host (SSH target)

boundary targets create tcp -scope-id <project-id> -name "my-target" -address "<target-ip>" -default-port <target-port>

6. Start an SSH session through Boundary

You can start sessions such as SSH through Boundary.

boundary connect ssh -target-id <target-id>
boundary connect ssh -target-id <target-id> -username <ssh-username>
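Steps 4 and 5 need several IDs and the generated admin password that `boundary database init` printed (saved to `~/init_boundary.txt` above). The script below (an added example, not from the original post) reads those values from that file, logs in with the password passed through an environment variable rather than on the command line, and creates the project and SSH target. `INIT_FILE`, `TARGET_ADDR`, `TARGET_PORT` and the `login`/`create` subcommands are this example's own names; it assumes `BOUNDARY_ADDR` is exported (http://127.0.0.1:9200 here).

```shell
#!/bin/sh
# Added example: drive steps 4 and 5 from the saved `boundary database init` report.
set -eu

INIT_FILE="${INIT_FILE:-$HOME/init_boundary.txt}"   # example name; the post saves the report there

# Generic "  Label:   value" extractor for the init report. $1 = file, $2 = label.
field() {
    sed -n "s/^ *$2: *//p" "$1" | head -n 1
}

auth_method_id() { field "$1" "Auth Method ID"; }
admin_password() { field "$1" "Password"; }
# "Scope ID" appears in every section, so limit the match to the org scope section.
org_scope_id()   { sed -n '/^Initial org scope/,/^$/s/^ *Scope ID: *//p' "$1" | head -n 1; }

boundary_login() {
    # env:// keeps the generated password out of `ps` output and shell history.
    BOUNDARY_PASS="$(admin_password "$INIT_FILE")" \
    boundary authenticate password \
        -auth-method-id "$(auth_method_id "$INIT_FILE")" \
        -login-name admin -password env://BOUNDARY_PASS
}

create_project_and_target() {
    # A scope created under the org scope is a project; pick its p_ id out of the JSON reply.
    project_id="$(boundary scopes create -scope-id "$(org_scope_id "$INIT_FILE")" \
        -name my-project -format json | sed -n 's/.*"id": *"\(p_[^"]*\)".*/\1/p' | head -n 1)"
    # TARGET_ADDR / TARGET_PORT are supplied by the caller (e.g. TARGET_ADDR=10.0.0.5 TARGET_PORT=22).
    boundary targets create tcp -scope-id "$project_id" -name my-target \
        -address "$TARGET_ADDR" -default-port "$TARGET_PORT"
}

case "${1:-}" in
    login)  boundary_login ;;
    create) create_project_and_target ;;
esac
```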

Through Boundary you can open SSH connections to the target server securely.