
vault(hashicorp) install

변군 변군이글루 2020. 3. 21. 16:32

Vault Release

https://releases.hashicorp.com/vault/

prerequisites

yum -y -q install curl unzip openssh openssh-server openssh-clients
yum -y -q install epel-release
yum -y -q install sshpass

install

$ export VAULT_VERSION=1.3.4

$ cd /usr/local/src/
$ curl -fsSLO https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
$ curl -fsSLO https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS
$ grep "vault_${VAULT_VERSION}_linux_amd64.zip" vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c -
 vault_1.3.4_linux_amd64.zip: 성공
$ unzip -q vault_${VAULT_VERSION}_linux_amd64.zip
$ cp vault /usr/local/bin/
$ which vault
/usr/local/bin/vault
$ vault --version
Vault v1.3.4

settings

$ mkdir -p /app/vault/data

$ cat > /app/vault/config.hcl <<EOF
listener "tcp" {
    address     = "0.0.0.0:8200"
    tls_disable = true # don't do this in production - always use TLS in prod
}

storage "file" {
    path = "/app/vault/data"
}

disable_mlock = true # don't do this in production either
# ^ setting this to true allows leaking of sensitive data to disk/swap
# we're doing it here to avoid running the process as root
# or modifying any system tunables
EOF

vault server start

$ vault server -config=/app/vault/config.hcl

Or, for a throwaway in-memory instance (the output below is from this dev-mode run, not from the file-backed config above):

$ vault server -dev
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.3.4

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: z/zNZCzwvD2vzWpZn7fLWCTYDCnkexYSfcnZI8P2+g4=
Root Token: s.F2bOWngShzH0oehzHbacWBJN

Development mode should NOT be used in production installations!

==> Vault server started! Log data will stream in below:

2020-03-21T11:22:16.897+0900 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-03-21T11:22:16.898+0900 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2020-03-21T11:22:16.907+0900 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-03-21T11:22:16.907+0900 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-03-21T11:22:16.907+0900 [INFO]  core: security barrier not initialized

listen port

$ ss -nlpt | grep vault
LISTEN     0      128          *:8200                     *:*                   users:(("vault",pid=26974,fd=5))

set the environment variable & check server status

$ export VAULT_ADDR=http://127.0.0.1:8200

$ vault status