Installing and configuring a HashiCorp Vault server on Ubuntu/CentOS/Debian

Date: 2020-02-23 14:39:12  Source: igfitidea

How do I install Vault server on Ubuntu 18.04 / Debian 9? How do I install Vault server on CentOS 7? How do I install HashiCorp Vault on Fedora?
HashiCorp Vault is a free and open source tool designed for securely storing and accessing secrets.
A secret can be a password, an API key, a certificate, and so on.
The job of the Vault server is to provide a unified interface to any stored secret, while enforcing tight access control and recording a detailed audit log.

Vault has a web user interface that we can use to interact with Vault.
From the UI we can easily create, update, read and delete secrets, authenticate, unseal, and more.

Vault features

The main features of Vault are:

Secure Secret Storage: by default Vault encrypts secrets before writing them to persistent storage.
Dynamic Secrets: Vault can generate secrets on demand for some systems and revoke them when their lease ends.
Leasing and Renewal: every secret in Vault has a lease associated with it. A secret is automatically revoked at the end of its lease; clients renew leases through the built-in renew APIs.
Revocation: Vault can revoke not only a single secret but a whole tree of secrets, for example all secrets read by a particular user, or all secrets of a particular type.

Installing Vault on Ubuntu/Debian/CentOS/Fedora

Vault is written in Go, and binary packages are available for the major Unix and Linux distributions.
Pre-compiled Vault binaries are available at https://releases.hashicorp.com/vault/

VAULT_VERSION="1.3.1"
curl -sO https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip

Extract the downloaded archive.

unzip vault_${VAULT_VERSION}_linux_amd64.zip
sudo mv vault /usr/local/bin/
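Before moving the binary into place, a practitioner would check the download against the SHA256SUMS file HashiCorp publishes next to each release archive (vault_${VAULT_VERSION}_SHA256SUMS in the same directory on releases.hashicorp.com). The function below is an added example and not part of the original article; it compares a local archive with its entry in a sums file of that format. The sample archive and sums file it builds are constructed locally so the check can be run without network access.

```shell
#!/bin/sh
# Added example: verify a downloaded Vault archive against a SHA256SUMS file.
# HashiCorp publishes vault_${VAULT_VERSION}_SHA256SUMS alongside each release
# archive under https://releases.hashicorp.com/vault/${VAULT_VERSION}/ ; each
# line has the form "<sha256 hex>  <filename>".

# verify_release_archive SUMS_FILE ARCHIVE
#   returns 0 when ARCHIVE's SHA-256 matches the entry for its basename in
#   SUMS_FILE, 1 on a mismatch, and 2 when SUMS_FILE has no entry for it.
verify_release_archive() {
    sums_file=$1
    archive=$2
    name=$(basename "$archive")

    # Pick the published digest for exactly this filename (comparing field 2
    # whole avoids a partial match such as the .sig variant of the same name).
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums_file")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums_file" >&2
        return 2
    fi

    # Compute the local digest; coreutils sha256sum prints "<hex>  <file>".
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "ok: $name"
    return 0
}

# Constructed sample (not a real release): a fake archive plus a sums file
# holding its real digest and one unrelated entry with a made-up digest.
make_sample() {
    dir=$(mktemp -d)
    printf 'not a real vault binary\n' > "$dir/vault_1.3.1_linux_amd64.zip"
    {
        printf '%s  %s\n' \
            0000000000000000000000000000000000000000000000000000000000000000 \
            vault_1.3.1_darwin_amd64.zip
        sha256sum "$dir/vault_1.3.1_linux_amd64.zip" \
            | awk '{ print $1 "  vault_1.3.1_linux_amd64.zip" }'
    } > "$dir/vault_1.3.1_SHA256SUMS"
    echo "$dir"
}
```

For a real download, run it as verify_release_archive vault_${VAULT_VERSION}_SHA256SUMS vault_${VAULT_VERSION}_linux_amd64.zip after fetching both files. The sums file itself is published with a detached signature (vault_${VAULT_VERSION}_SHA256SUMS.sig) made with HashiCorp's release PGP key, and checking that signature is what makes the digests worth trusting.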

Check the version; it should match the version you downloaded.

$ vault --version
Vault v1.3.1

Enable command autocompletion.

vault -autocomplete-install
complete -C /usr/local/bin/vault vault

Configuring the Vault systemd service

With Vault installed, let's configure a systemd service to manage it.
First create a dedicated, unprivileged system user to run Vault.

Create the Vault configuration and data directories.

sudo mkdir /etc/vault
sudo mkdir -p /var/lib/vault/data

Then create a user named vault:

sudo useradd --system --home /etc/vault --shell /bin/false vault
sudo chown -R vault:vault /etc/vault /var/lib/vault/

Create a Vault service file at /etc/systemd/system/vault.service:

cat <<EOF | sudo tee /etc/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.hcl
[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitBurst=3
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF

Create the /etc/vault/config.hcl file.

sudo touch /etc/vault/config.hcl

Add Vault's basic configuration settings to the /etc/vault/config.hcl file.

cat <<EOF | sudo tee /etc/vault/config.hcl
disable_cache = true
disable_mlock = true
ui = true
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
storage "file" {
  path = "/var/lib/vault/data"
}
api_addr                = "http://0.0.0.0:8200"
max_lease_ttl           = "10h"
default_lease_ttl       = "10h"
cluster_name            = "vault"
raw_storage_endpoint    = true
disable_sealwrap        = true
disable_printable_check = true
EOF
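The configuration above enables the UI and file storage, but it also disables TLS, binds the listener to every interface, disables mlock, and turns on the raw storage endpoint and the seal-wrap bypass. The shell functions below are an added example, not part of the article: audit_vault_config greps a config.hcl for exactly those settings and prints a finding for each, and write_hardened_config writes the same layout with TLS enabled and the overrides removed. The bind address and the certificate and key paths it takes are placeholders for the operator's own values.

```shell
#!/bin/sh
# Added example (not from the article): flag the settings in a Vault
# config.hcl that trade security for convenience, and write a hardened
# equivalent of the article's configuration. The checks are plain regex
# matches over the HCL text, not a full HCL parser.

# audit_vault_config FILE
#   Prints one "FINDING: ..." line per risky setting found in FILE.
audit_vault_config() {
    file=$1
    # Each entry is "<extended regex>@<reason>"; '@' is the separator because
    # the regexes themselves use '|'. The effect of each setting is as
    # described in the Vault configuration reference.
    for check in \
        'tls_disable *= *(1|true|"true")@listener serves plaintext HTTP: tokens and secrets cross the network unencrypted' \
        'address *= *"0\.0\.0\.0:@listener bound to every interface; bind only the address clients should reach' \
        'disable_mlock *= *true@memory locking disabled: secrets held in memory may be swapped to disk' \
        'raw_storage_endpoint *= *true@sys/raw endpoint enabled: raw storage is readable and writable through the API' \
        'disable_sealwrap *= *true@seal wrapping disabled for critical storage entries'
    do
        pattern=${check%%@*}
        reason=${check#*@}
        if grep -Eq "$pattern" "$file"; then
            echo "FINDING: $reason"
        fi
    done
}

# write_article_config FILE
#   The article's config.hcl, reproduced as the "before" case.
write_article_config() {
    cat > "$1" <<'EOF'
disable_cache = true
disable_mlock = true
ui = true
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
storage "file" {
  path = "/var/lib/vault/data"
}
api_addr                = "http://0.0.0.0:8200"
max_lease_ttl           = "10h"
default_lease_ttl       = "10h"
cluster_name            = "vault"
raw_storage_endpoint    = true
disable_sealwrap        = true
disable_printable_check = true
EOF
}

# write_hardened_config FILE BIND_ADDR CERT_FILE KEY_FILE
#   Same layout with TLS enabled, the listener bound to one address, mlock
#   left on (the article's unit file already grants CAP_IPC_LOCK for it), and
#   the raw-storage and seal-wrap overrides left at their defaults.
#   BIND_ADDR, CERT_FILE and KEY_FILE are placeholders for the operator's values.
write_hardened_config() {
    file=$1; bind=$2; cert=$3; key=$4
    cat > "$file" <<EOF
ui = true
listener "tcp" {
  address       = "${bind}:8200"
  tls_cert_file = "${cert}"
  tls_key_file  = "${key}"
}
storage "file" {
  path = "/var/lib/vault/data"
}
api_addr          = "https://${bind}:8200"
max_lease_ttl     = "10h"
default_lease_ttl = "10h"
cluster_name      = "vault"
EOF
}
```

Run audit_vault_config /etc/vault/config.hcl on the file written above and all five findings appear; the hardened file produces none. Dropping disable_mlock only works because the unit file sets AmbientCapabilities=CAP_IPC_LOCK, which is what lets the unprivileged vault user lock memory; without that capability vault server refuses to start rather than run with secrets swappable.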

We can also use the Consul storage backend, but first we need to install Consul; see:

How to set up a Consul cluster on Ubuntu

The configuration for the Consul backend looks like the following.

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

Read more about Vault storage backend configuration in the Vault documentation.

Start the Vault service and enable it to start at boot.

sudo systemctl daemon-reload
sudo systemctl enable --now vault

Check the service status; it should show running.

$ systemctl status vault
 ● vault.service - "HashiCorp Vault - A tool for managing secrets"
    Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: enabled)
    Active: active (running) since Mon 2019-03-04 10:17:19 CET; 4s ago
      Docs: https://www.vaultproject.io/docs/
  Main PID: 12727 (vault)
     Tasks: 7 (limit: 2299)
    CGroup: /system.slice/vault.service
            └─12727 /usr/local/bin/vault server -config=/etc/vault/vault.hcl
 Mar 04 10:17:19 vault.local vault[12727]:              Api Address: http://0.0.0.0:8200
 Mar 04 10:17:19 vault.local vault[12727]:                      Cgo: disabled
 Mar 04 10:17:19 vault.local vault[12727]:          Cluster Address: https://0.0.0.0:8201
 Mar 04 10:17:19 vault.local vault[12727]:               Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "
 Mar 04 10:17:19 vault.local vault[12727]:                Log Level: info
 Mar 04 10:17:19 vault.local vault[12727]:                    Mlock: supported: true, enabled: false
 Mar 04 10:17:19 vault.local vault[12727]:                  Storage: file
 Mar 04 10:17:19 vault.local vault[12727]:                  Version: Vault v1.0.3
 Mar 04 10:17:19 vault.local vault[12727]:              Version Sha: 85909e3373aa743c34a6a0ab59131f61fd9e8e43
 Mar 04 10:17:19 vault.local vault[12727]: ==> Vault server started! Log data will stream in below:

Initializing the Vault server

Export the VAULT_ADDR environment variable before initializing the Vault server.

export VAULT_ADDR=http://127.0.0.1:8200
echo "export VAULT_ADDR=http://127.0.0.1:8200" >> ~/.bashrc

Replace 127.0.0.1 with the IP address of your Vault server.

Start the initialization with the default options by running:

sudo rm -rf /var/lib/vault/data/*
vault operator init | sudo tee /etc/vault/init.file

Open the Vault UI at http://serverip:8200/ui

Paste the unseal keys in one at a time to unseal the Vault.
You can get the keys from /etc/vault/init.file.

$ cat /etc/vault/init.file
 Unseal Key 1: bNxZRU3azPZtzXjeS0pfGHLoif3Scs64fFk9j/FFtUN7
 Unseal Key 2: kChe6UJ5+BnkU6UjSzalvjIuh01dLX8v/OMabz+uPtly
 Unseal Key 3: MIRYhY1zQXZyod05tWtbgAnc14qBXM7hPHrqyEVQ7tCi
 Unseal Key 4: KBVhzztVDUJRqNi2LDYfRFHThQe/iDbNdEaOFkAztMDN
 Unseal Key 5: GJplvpcPVu6IQeJ3lqa5xvPfXTDA3ftgcZJT6xhrAUUL
 Initial Root Token: s.RcW0LuNIyCoTLWxrDPtUDkCw
 Vault initialized with 5 key shares and a key threshold of 3. Please securely
 distribute the key shares printed above. When the Vault is re-sealed,
 restarted, or stopped, you must supply at least 3 of these keys to unseal it
 before it can start servicing requests.
 Vault does not store the generated master key. Without at least 3 key to
 reconstruct the master key, Vault will remain permanently sealed!
 It is possible to generate new unseal keys, provided you have a quorum of
 existing unseal keys shares. See "vault operator rekey" for more information.
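The init output above holds all five key shares and the root token in one plain file, and the article then pastes the keys into the browser one at a time. The shell functions below are an added example and not from the article: vault_init_secure writes that file with mode 0600, and unseal_from_init_file reads the threshold and the "Unseal Key N:" lines back out of it and submits exactly the threshold number of keys with vault operator unseal. The VAULT variable (so the logic can be driven with a stub binary), the helper names and the sample init file, which copies the layout of the output above with obviously fake key material, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): create the init file with restrictive
# permissions and unseal from it over the CLI with exactly the threshold
# number of key shares.
VAULT=${VAULT:-vault}   # path to the vault binary; overridable for a stub

# vault_init_secure FILE
#   Runs "vault operator init" and writes its output to FILE, which is created
#   with mode 0600 because the umask is applied before the redirect opens it.
vault_init_secure() {
    out=$1
    ( umask 077; "$VAULT" operator init > "$out" )
}

# init_threshold FILE -> the N from "... a key threshold of N."
init_threshold() {
    sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# init_unseal_keys FILE -> the key material of each "Unseal Key N:" line, in order
init_unseal_keys() {
    sed -n 's/^ *Unseal Key [0-9][0-9]*: *\(.*\)$/\1/p' "$1"
}

# unseal_from_init_file FILE
#   Submits threshold-many keys with "vault operator unseal KEY" and prints
#   how many were submitted; returns 1 if the file lacks a threshold or
#   enough keys, or if any unseal call fails.
unseal_from_init_file() {
    file=$1
    threshold=$(init_threshold "$file")
    [ -n "$threshold" ] || { echo "no key threshold found in $file" >&2; return 1; }
    submitted=0
    for key in $(init_unseal_keys "$file"); do
        [ "$submitted" -lt "$threshold" ] || break
        "$VAULT" operator unseal "$key" > /dev/null || return 1
        submitted=$((submitted + 1))
    done
    [ "$submitted" -eq "$threshold" ] || {
        echo "only $submitted of $threshold key shares available in $file" >&2
        return 1
    }
    echo "$submitted"
}

# make_sample_init_file FILE
#   Constructed sample in the same layout as the article's init output, with
#   obviously fake keys; used to exercise the parsing without a real Vault.
make_sample_init_file() {
    cat > "$1" <<'EOF'
Unseal Key 1: EXAMPLEKEY1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unseal Key 2: EXAMPLEKEY2BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Unseal Key 3: EXAMPLEKEY3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Unseal Key 4: EXAMPLEKEY4DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Unseal Key 5: EXAMPLEKEY5EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
Initial Root Token: s.EXAMPLEROOTTOKEN
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.
EOF
}
```

Run vault_init_secure /etc/vault/init.file as root so the file lands in /etc/vault with only the owner able to read it, then unseal_from_init_file /etc/vault/init.file. The shares still sit together in one file on the server, which is the weakness the init message warns about; vault operator init -pgp-keys=... encrypts each share to a different keyholder so that no single file ever contains a quorum.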

Once you have unsealed the Vault, log in with the Initial Root Token.

You should see the Vault web dashboard on the next page.

We can also check the Vault status from the CLI.

$ vault status
 Key             Value
 ---             ----
 Seal Type       shamir
 Initialized     true
 Sealed          false
 Total Shares    5
 Threshold       3
 Version         1.0.3
 Cluster Name    vault
 Cluster ID      92ed9909-8088-a797-d5be-768d8c09ce27
 HA Enabled      false

Test the HTTP API endpoint with curl to check the initialization status.

$ curl http://127.0.0.1:8200/v1/sys/init
{"initialized":true}

Configuring Vault roles and policies

Export the Vault root token:

export VAULT_TOKEN="s.RcW0LuNIyCoTLWxrDPtUDkCw"

Replace the example token with the Initial Root Token stored in /etc/vault/init.file.

Then enable the approle auth method, which allows machines or applications to authenticate using roles defined in Vault.

$ vault auth enable approle
Success! Enabled approle auth method at: approle/

The same command can be used for other auth methods, for example:

# vault auth enable kubernetes
Success! Enabled kubernetes auth method at: kubernetes/
# vault auth enable userpass
Success! Enabled userpass auth method at: userpass/
# vault auth enable ldap
Success! Enabled ldap auth method at: ldap/

List all auth methods with:

$ vault auth list
 Path           Type          Accessor                    Description
 ----           ----          --------                    ----------
 approle/      approle       auth_approle_a113b1e0       n/a
 kubernetes/   kubernetes    auth_kubernetes_e324b8e2    n/a
 ldap/         ldap          auth_ldap_d2f6edde          n/a
 token/        token         auth_token_1aa8b643         token based credentials
 userpass/     userpass      auth_userpass_6178aae8      n/a

Other auth methods can also be enabled from the web interface.

ACL policies can be managed from the Policies section of the web console.

Writing and reading secrets

Now that we have installed and configured the Vault server, let's write and retrieve secrets in Vault.
We write secrets with vault kv.

Get the secrets engine path:

$ vault secrets list
 Path          Type         Accessor              Description
 ----          ----         --------              ----------
 cubbyhole/   cubbyhole    cubbyhole_4cf73c3d    per-token private secret storage
 identity/    identity     identity_248343db     identity store
 secret/      kv           kv_30258a59           key/value secret storage
 sys/         system       system_cbeaa203       system endpoints used for control, policy and debugging

Write secrets to the kv secrets engine.

$ vault kv put secret/databases/db1 username=DBAdmin
Success! Data written to: secret/databases/db1
$ vault kv put secret/databases/db1 password=StrongPassword
Success! Data written to: secret/databases/db1

Note that each vault kv put replaces the whole secret at that path, so after the second command only password is stored. We can write multiple key/value pairs in a single command instead:

$ vault kv put secret/databases/db1 username=DBAdmin password=StrongPassword
Success! Data written to: secret/databases/db1

To retrieve a secret, use the vault kv get command.

$ vault kv get secret/databases/db1
 ====== Data ======
 Key         Value
 ---         ----
 password    StrongPassword
 username    DBAdmin

Get the data in JSON format:

$ vault kv get -format=json secret/databases/db1
 {
   "request_id": "f99170b5-ac38-84ce-8668-1f280b0981c1",
   "lease_id": "",
   "lease_duration": 36000,
   "renewable": false,
   "data": {
     "password": "StrongPassword",
     "username": "DBAdmin"
   },
   "warnings": null
 }

To print only the value of a given field, use:

$ vault kv get -field=username secret/databases/db1
DBAdmin

To delete a secret, use:

$ vault kv delete secret/databases/db1
Success! Data deleted (if it existed) at: secret/databases/db1
$ vault kv get secret/databases/db1
No value found at secret/databases/db1