配置 – 如何在docker容器中运行的unseal Vault服务器

前端之家收集整理的这篇文章主要介绍了配置 – 如何在docker容器中运行的unseal Vault服务器前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

我有一个成功启动consul的docker compose设置(config here).除了设置TTL(日志here)之外的一些错误外,Vault似乎开始正常.

此外,当试图达到/v1/agent/check/fail/vault:127.0.0.1:8200:vault-sealed-check?note=Vault Sealed时,领事似乎在打嗝.显然’保险库:127.0.0.1:8200:保险箱密封检查’状态现在至关重要.

consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Check 'vault:127.0.0.1:8200:vault-sealed-check' status is now critical
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Service 'vault:127.0.0.1:8200' in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Service 'consul' in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Check 'vault:127.0.0.1:8200:vault-sealed-check' in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Node info in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] http: Request PUT /v1/agent/check/fail/vault:127.0.0.1:8200:vault-sealed-check?note=Vault+Sealed (92.314µs) from=172.18.0.3:48742

当保险库容器启动时(带有consul后端)1)我们如何获得初始i)密钥和ii)根令牌.我正在使用Hashicorp的官方vault image和我的自定义/vault/config/vault.hcl(和consul image).

最终,我想知道2)如何解封金库服务器.在这种情况下,我想要开启在docker容器中运行的Vault服务器. 3)这就是我所需要的,开始向保险库写秘密.

最佳答案
为了使用official source vault image开启容器中的保险库,我将使用以下命令启动保管库容器:

vm# docker run -it --cap-add IPC_LOCK -p 8200:8200 -p 8215:8125 --name vault --volume /my/vault:/my/vault vault server -config=/my/vault/vaultCfg.hcl 

vm运行的地方是1.12.4 docker engine和vault hcl config list:

backend "consul" {
  address = "myconsul.com:8500"
  path = "vault"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

然后在同一个docker主机上:

vm# VAULT_ADDR=http://myvault.com:8200 
vm# docker exec -it vault vault  "$@" init -address=${VAULT_ADDR}

并期望输出如下:

2016/12/11 10:21:10.628736 [WARN ] physical/consul: appending trailing forward slash to path
2016/12/11 12:09:12.117238 [INFO ] core: security barrier not initialized
2016/12/11 12:09:12.136037 [INFO ] core: security barrier initialized: shares=5 threshold=3
2016/12/11 12:09:12.169987 [INFO ] core: post-unseal setup starting
2016/12/11 12:09:12.181963 [INFO ] core: successfully mounted backend: type=generic path=secret/
2016/12/11 12:09:12.181990 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2016/12/11 12:09:12.182057 [INFO ] core: successfully mounted backend: type=system path=sys/
2016/12/11 12:09:12.182156 [INFO ] rollback: starting rollback manager
2016/12/11 12:09:12.218527 [INFO ] core: post-unseal setup complete
2016/12/11 12:09:12.218733 [INFO ] core/startClusterListener: starting listener
2016/12/11 12:09:12.218899 [INFO ] core/startClusterListener: serving cluster requests: cluster_listen_address=[::]:8201
2016/12/11 12:09:12.228888 [INFO ] core: root token generated
2016/12/11 12:09:12.228905 [INFO ] core: pre-seal teardown starting
2016/12/11 12:09:12.228911 [INFO ] core/stopClusterListener: stopping listeners
2016/12/11 12:09:12.228921 [INFO ] core/startClusterListener: shutting down listeners
2016/12/11 12:09:12.724179 [INFO ] core/startClusterListener: listeners successfully shut down
2016/12/11 12:09:12.724209 [INFO ] core/stopClusterListener: success
2016/12/11 12:09:12.724225 [INFO ] rollback: stopping rollback manager
2016/12/11 12:09:12.724250 [INFO ] core: pre-seal teardown complete

link可能有所帮助.需要为docker run运行Internet连接

猜你在找的Docker相关文章