How to install HashiCorp Vault on Ubuntu (installing vault)
Test environment
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
Install vault
Update the APT package list
sudo apt update
Install the required dependency packages
sudo apt-get install -y software-properties-common
Install the gpg package
sudo apt install -y gpg
Add the HashiCorp GPG key (GPG key)
wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg >/dev/null
Verify the key fingerprint
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
$ gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
/usr/share/keyrings/hashicorp-archive-keyring.gpg
-------------------------------------------------
pub rsa4096 2020-05-07 [SC]
E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B
uid [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub rsa4096 2020-05-07 [E]
Add the official HashiCorp Linux repository
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
$ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main
Update and install
sudo apt update && sudo apt install -y vault
$ sudo apt update && sudo apt install vault
...
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
vault
0 upgraded, 1 newly installed, 0 to remove and 103 not upgraded.
Need to get 85.0 MB of archives.
After this operation, 214 MB of additional disk space will be used.
Get:1 https://apt.releases.hashicorp.com jammy/main amd64 vault amd64 1.12.2-1 [85.0 MB]
Fetched 85.0 MB in 3s (26.8 MB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package vault.
(Reading database ... 20109 files and directories currently installed.)
Preparing to unpack .../vault_1.12.2-1_amd64.deb ...
Unpacking vault (1.12.2-1) ...
Setting up vault (1.12.2-1) ...
Generating Vault TLS key and self-signed certificate...
..........+...+.+..+.......+...+..............+...+............+.+........+....+........+....+.....+....+..+..........+.....+.............+.........+.....+...+....+...+...+........+.........+..........+...+..+...+...+.+...+......+...........+....+.....................+........+.+..+..........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+......+.....+.......+..+.+........+.+...+..............................+.....+.+...............+..+.......+...........+........................+...+....+.....................+...+..............+......+....+......+...........+....+......+......+.....+....+...........+.......+...........+....+........+....+...........+..........+..+......+....+..+....+.....+......+............................+.....................+..+....+.....+................+...+..+....+...+.....+............+.+........+....+............+....................+...............+....+..+....+........+...............+............................+.........+.....+....+.....+......+....+..+.........+...+......+.+...+...+........+.+...+...+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.....+.+...+..+...+....+.....+......+.+...+..+......+...........................+.+.....+.+......+..+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+............+..........+.....+......+....+...........+.......+........+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
Vault TLS key and self-signed certificate have been generated in '/opt/vault/tls'.
vault version information
vault --version
$ vault --version
Vault v1.12.2 (415e1fe3118eebd5df6cb60d13defdc01aa17b03), built 2022-11-23T12:53:46Z
vault configuration file
vim /etc/vault.d/vault.hcl
$ cat /etc/vault.d/vault.hcl
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration
ui = true
#mlock = true
#disable_mlock = true
storage "file" {
path = "/opt/vault/data"
}
#storage "consul" {
# address = "127.0.0.1:8500"
# path = "vault"
#}
# HTTP listener
#listener "tcp" {
# address = "127.0.0.1:8200"
# tls_disable = 1
#}
# HTTPS listener
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/opt/vault/tls/tls.crt"
tls_key_file = "/opt/vault/tls/tls.key"
}
# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"
# Example AWS KMS auto unseal
#seal "awskms" {
# region = "us-east-1"
# kms_key_id = "REPLACE-ME"
#}
# Example HSM auto unseal
#seal "pkcs11" {
# lib = "/usr/vault/lib/libCryptoki2_64.so"
# slot = "0"
# pin = "AAAA-BBBB-CCCC-DDDD"
# key_label = "vault-hsm-key"
# hmac_key_label = "vault-hsm-hmac-key"
#}
Edit the vault configuration file
- Uncomment the HTTP listener
- Comment out the HTTPS listener
vim /etc/vault.d/vault.hcl
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration
ui = true
storage "file" {
path = "/opt/vault/data"
}
#storage "consul" {
# address = "127.0.0.1:8500"
# path = "vault"
#}
# HTTP listener
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
# HTTPS listener
#listener "tcp" {
# address = "0.0.0.0:8200"
# tls_cert_file = "/opt/vault/tls/tls.crt"
# tls_key_file = "/opt/vault/tls/tls.key"
#}
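With the HTTP listener uncommented as above, Vault answers in plaintext on 0.0.0.0:8200, so the root token and unseal key shares sent by the CLI cross the network unencrypted to any host that can reach the machine; the packaged, commented-out HTTP listener binds to 127.0.0.1:8200 for that reason. The script below is an added example, not from the original post, that checks a vault.hcl for exactly this combination: it lists the active tcp listeners and fails when one has tls_disable set while bound to a non-loopback address. The function names are this example's own, and its awk pass assumes the one-attribute-per-line layout shown above rather than general HCL.

```shell
#!/bin/sh
# Added example (not from the original post): flag tcp listeners in vault.hcl that
# disable TLS while listening on a non-loopback address. Reads the config on stdin.
set -eu

# Print one line per active (uncommented) tcp listener: "<address> <tls_disable>".
# Defaults mirror Vault's: address 127.0.0.1:8200, tls_disable 0.
list_tcp_listeners() {
    awk '
        /^[ \t]*#/ { next }                                   # comment line
        /^[ \t]*listener[ \t]+"tcp"/ { inblk = 1; addr = "127.0.0.1:8200"; tlsd = "0"; next }
        inblk && /^[ \t]*address[ \t]*=/ {
            sub(/^[^=]*=[ \t]*"?/, ""); sub(/"?[ \t]*$/, ""); addr = $0; next }
        inblk && /^[ \t]*tls_disable[ \t]*=/ {
            sub(/^[^=]*=[ \t]*"?/, ""); sub(/"?[ \t]*$/, ""); tlsd = $0; next }
        inblk && /^[ \t]*}/ { inblk = 0; print addr, tlsd }
    '
}

# Print the address of every plaintext listener that is not bound to loopback.
insecure_listeners() {
    list_tcp_listeners | while read -r addr tlsd; do
        case "$tlsd" in
            1|true)
                case "$addr" in
                    127.*|localhost:*|"[::1]:"*) ;;       # loopback only: acceptable for a single-host lab
                    *) echo "$addr" ;;
                esac
                ;;
        esac
    done
}

# Return 0 when no listener is both plaintext and network-reachable, 1 otherwise.
check_listener_tls() {
    found=$(insecure_listeners)
    if [ -n "$found" ]; then
        echo "WARNING: plaintext (tls_disable) listener reachable from the network: $found" >&2
        return 1
    fi
    echo "listener check passed"
    return 0
}

# Stand-alone use: sh check-listener.sh --run < /etc/vault.d/vault.hcl
if [ "${1:-}" = "--run" ]; then
    check_listener_tls
fi
```

For a single-host lab the fix it points at is the packaged default, address = "127.0.0.1:8200" next to tls_disable = 1; otherwise keep the HTTPS listener and, instead of -tls-skip-verify, point the CLI at the generated certificate with VAULT_CACERT=/opt/vault/tls/tls.crt so the connection is still verified.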
Start the vault service
systemctl --now enable vault
$ systemctl --now enable vault
Created symlink /etc/systemd/system/multi-user.target.wants/vault.service → /lib/systemd/system/vault.service.
Check the vault service status
systemctl status vault.service
$ systemctl status vault.service
● vault.service - "HashiCorp Vault - A tool for managing secrets"
Loaded: loaded (/lib/systemd/system/vault.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2023-01-18 13:17:06 KST; 1min 13s ago
Docs: https://www.vaultproject.io/docs/
Main PID: 3746 (vault)
Tasks: 8 (limit: 686)
Memory: 62.1M
CPU: 289ms
CGroup: /system.slice/vault.service
└─3746 /usr/bin/vault server -config=/etc/vault.d/vault.hcl
Jan 18 13:17:06 ubuntu vault[3746]: Recovery Mode: false
Jan 18 13:17:06 ubuntu vault[3746]: Storage: file
Jan 18 13:17:06 ubuntu vault[3746]: Version: Vault v1.12.2, built 2022-11-23T12:53:46Z
Jan 18 13:17:06 ubuntu vault[3746]: Version Sha: 415e1fe3118eebd5df6cb60d13defdc01aa17b03
Jan 18 13:17:06 ubuntu vault[3746]: ==> Vault server started! Log data will stream in below:
Jan 18 13:17:06 ubuntu vault[3746]: 2023-01-18T04:17:06.468Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
Jan 18 13:17:06 ubuntu vault[3746]: 2023-01-18T04:17:06.496Z [INFO] core: Initializing version history cache for core
Jan 18 13:17:06 ubuntu systemd[1]: Started "HashiCorp Vault - A tool for managing secrets".
Jan 18 13:17:11 ubuntu vault[3746]: 2023-01-18T04:17:11.417Z [INFO] http: TLS handshake error from 192.168.0.10:60985: remote error: tls: unknown certificate
Jan 18 13:17:11 ubuntu vault[3746]: 2023-01-18T04:17:11.430Z [INFO] http: TLS handshake error from 192.168.0.10:60986: remote error: tls: unknown certificate
Set environment variables
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN="hvs.7axXYWtfZ4qBwrvwDmoPONrc"
Show seal and HA status
vault status -tls-skip-verify
$ vault status -tls-skip-verify
Key Value
--- -----
Seal Type shamir
Initialized false
Sealed true
Total Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version 1.12.2
Build Date 2022-11-23T12:53:46Z
Storage Type file
HA Enabled false
Vault initialization (initialize vault)
vault operator init -tls-skip-verify
$ vault operator init -tls-skip-verify
Unseal Key 1: +IkPZSTlhAzOIjNbNuk+Z1X6FxggUOxBHPtxRqhqRV/G
Unseal Key 2: nKX5+EHw6sbY8A5h8JGmL4OH1I6EusjtOUVrsDW0HU4o
Unseal Key 3: Oxo/foe6NpMrwkuBt6VgOKpZbsJgt7OG/Xbq6fmgAi9y
Unseal Key 4: rvchAkM2p8z7KB/XVMu6gbPXGOSSqxyMTbZgdL+ziiOK
Unseal Key 5: 37kNYC0kRr1qIs81qBRM9SuPkG6F/KtwxPiqGcJrYsh+
Initial Root Token: hvs.7axXYWtfZ4qBwrvwDmoPONrc
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Unseal Vault
- Proceed with the unseal command or from the web browser
vault operator unseal -tls-skip-verify +IkPZSTlhAzOIjNbNuk+Z1X6FxggUOxBHPtxRqhqRV/G
vault operator unseal -tls-skip-verify nKX5+EHw6sbY8A5h8JGmL4OH1I6EusjtOUVrsDW0HU4o
vault operator unseal -tls-skip-verify Oxo/foe6NpMrwkuBt6VgOKpZbsJgt7OG/Xbq6fmgAi9y
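Each `vault operator unseal` call above passes a key share as a command-line argument, so the shares also end up in the shell history, and a fourth or fifth share would be submitted needlessly if the loop were scripted naively. The script below is an added example, not from the original post: it reads shares one per line on stdin, submits them until `vault status` reports the server unsealed and stops there, so with the threshold of 3 shown above the remaining two shares are never touched. It relies on the exit codes of `vault status` (0 unsealed, 2 sealed, 1 error) and on VAULT_ADDR being set as in the post; VAULT_BIN, seal_state, unseal_from_stdin and UNSEAL_SHARES_USED are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original post): unseal Vault from key shares read on
# stdin, stopping as soon as `vault status` reports the server unsealed.
set -eu

# VAULT_BIN is this example's own knob: it lets the logic run against a stand-in.
VAULT_BIN="${VAULT_BIN:-vault}"

# Mirrors `vault status`: exit 0 when unsealed, 2 when sealed, 1 on error.
seal_state() {
    "$VAULT_BIN" status >/dev/null 2>&1
}

# Submit shares from stdin (one per line) until unsealed. Sets UNSEAL_SHARES_USED
# to the number of shares submitted; returns 0 when unsealed, 1 if still sealed.
unseal_from_stdin() {
    used=0
    while IFS= read -r share; do
        if [ -z "$share" ]; then continue; fi   # skip blank lines
        if seal_state; then break; fi            # threshold reached: leave remaining shares untouched
        "$VAULT_BIN" operator unseal "$share" >/dev/null
        used=$((used + 1))
    done
    UNSEAL_SHARES_USED=$used
    if seal_state; then
        echo "unsealed after $used share(s)"
        return 0
    fi
    echo "still sealed after $used share(s)" >&2
    return 1
}

# Stand-alone use: sh unseal.sh --run < shares.txt
if [ "${1:-}" = "--run" ]; then
    unseal_from_stdin
fi
```

Keep the shares file readable only by the operator (chmod 600) and remove it once the server is unsealed; the script itself never echoes a share.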
Show seal and HA status
vault status -tls-skip-verify
$ vault status -tls-skip-verify
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.12.2
Build Date 2022-11-23T12:53:46Z
Storage Type file
Cluster Name vault-cluster-81637fc9
Cluster ID a0c6fdd0-cbf9-3214-dcbc-6f50584e2750
HA Enabled false
Vault login (vault login)
vault login hvs.7axXYWtfZ4qBwrvwDmoPONrc
$ vault login hvs.7axXYWtfZ4qBwrvwDmoPONrc
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.7axXYWtfZ4qBwrvwDmoPONrc
token_accessor I6d1vEccUGkFNVrkbgQ1fUyN
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
vault web browser
- http://192.168.0.51:8200
- Screen before vault initialization
- Vault initialization (initialize vault): vault operator init -tls-skip-verify
- Unseal Vault
Reference URLs
- Installing vault: https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install
- Compiling from source: https://developer.hashicorp.com/vault/docs/install