如何解封在 Docker 容器中运行的 Vault 服务器

如何解封在 Docker 容器中运行的 Vault 服务器

我有一个docker compose设置,成功启动了consul(配置这里)。Vault 似乎启动正常,除了设置 TTL 时出现一些错误(日志这里)。

进一步说,领事在尝试联系时似乎打了个嗝/v1/agent/check/fail/vault:127.0.0.1:8200:vault-sealed-check?note=Vault+Sealed。显然'vault:127.0.0.1:8200:vault-sealed-check' status is now critical

consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Check 'vault:127.0.0.1:8200:vault-sealed-check' status is now critical
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Service 'vault:127.0.0.1:8200' in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Service 'consul' in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Check 'vault:127.0.0.1:8200:vault-sealed-check' in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Node info in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] http: Request PUT /v1/agent/check/fail/vault:127.0.0.1:8200:vault-sealed-check?note=Vault+Sealed (92.314µs) from=172.18.0.3:48742

当 Vault 容器启动时(使用 Consul 后端)1)我们如何获得初始我)钥匙和二)根令牌。我使用的是 Hashicorp 的官方保险库图像按照我的习惯/vault/config/vault.hcl(和领事形象)。

最终,我想知道2)如何解封 vault 服务器。在本例中,我想解封在 docker 容器中运行的 vault 服务器。3)这就是我所需要的,开始将秘密写入保险库。

答案1

为了使用官方来源保险库图像我将使用以下命令启动保险库容器:

vm# docker run -it --cap-add IPC_LOCK -p 8200:8200 -p 8215:8125 --name vault --volume /my/vault:/my/vault vault server -config=/my/vault/vaultCfg.hcl 

其中虚拟机运行 1.12.4 docker 引擎和 vault hcl 配置列表:

backend "consul" {
  address = "myconsul.com:8500"
  path = "vault"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

然后在同一个docker主机上:

vm# VAULT_ADDR=http://myvault.com:8200 
vm# docker exec -it vault vault  "$@" init -address=${VAULT_ADDR}

并期望输出如下:

2016/12/11 10:21:10.628736 [WARN ] physical/consul: appending trailing forward slash to path
2016/12/11 12:09:12.117238 [INFO ] core: security barrier not initialized
2016/12/11 12:09:12.136037 [INFO ] core: security barrier initialized: shares=5 threshold=3
2016/12/11 12:09:12.169987 [INFO ] core: post-unseal setup starting
2016/12/11 12:09:12.181963 [INFO ] core: successfully mounted backend: type=generic path=secret/
2016/12/11 12:09:12.181990 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2016/12/11 12:09:12.182057 [INFO ] core: successfully mounted backend: type=system path=sys/
2016/12/11 12:09:12.182156 [INFO ] rollback: starting rollback manager
2016/12/11 12:09:12.218527 [INFO ] core: post-unseal setup complete
2016/12/11 12:09:12.218733 [INFO ] core/startClusterListener: starting listener
2016/12/11 12:09:12.218899 [INFO ] core/startClusterListener: serving cluster requests: cluster_listen_address=[::]:8201
2016/12/11 12:09:12.228888 [INFO ] core: root token generated
2016/12/11 12:09:12.228905 [INFO ] core: pre-seal teardown starting
2016/12/11 12:09:12.228911 [INFO ] core/stopClusterListener: stopping listeners
2016/12/11 12:09:12.228921 [INFO ] core/startClusterListener: shutting down listeners
2016/12/11 12:09:12.724179 [INFO ] core/startClusterListener: listeners successfully shut down
2016/12/11 12:09:12.724209 [INFO ] core/stopClusterListener: success
2016/12/11 12:09:12.724225 [INFO ] rollback: stopping rollback manager
2016/12/11 12:09:12.724250 [INFO ] core: pre-seal teardown complete

关联可能会有帮助。需要有效的互联网连接docker run

答案2

所以我找到了一个可行的解决方案。一个有效的设置我。一个领事节点,二。然后一个 Vault 实例与之对话三.连接到保险库并生成初始解封和根令牌的能力。

A)有了这个docker文件, 我可以我。 docker-compose build && docker-compose up

B)然后在另一个 shell 中,我可以使用 进行连接$ docker exec -i -t gently_vault_1 /bin/sh

C)然后,在该 shell 中,只需运行vault init

/ # vault init
Unseal Key 1: asdf...
Unseal Key 2: qwer...
Unseal Key 3: zxcv...
Unseal Key 4: piou...
Unseal Key 5: lkjh...
Initial Root Token: mbnv...

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.

相关内容