Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
コンテナ基盤を支えるHashiCorpソフトウェア / HashiCorp Softwares...
Search
linyows
September 11, 2018
Technology
6
5.1k
コンテナ基盤を支えるHashiCorpソフトウェア / HashiCorp Softwares on Container Base
2018.09.11 DevOpsを支える今話題のHashiCorpツール群について(HashiCorp Meetup 3rd)でお話しした資料です
linyows
September 11, 2018
Tweet
Share
More Decks by linyows
See All by linyows
研究開発と実装OSSと プロダクトの好循環 / A virtuous cycle of research and development implementation OSS and products
linyows
1
300
コードジェネレーターで 効率的な開発をする / Efficient development with code generators
linyows
0
280
研究を支える拡張性の高い ワークフローツールの提案 / Proposal of highly expandable workflow tools to support research
linyows
0
400
非コンテナ環境において宣言的Deploymentを手軽に実現する / Declarative deployment in non-container environments
linyows
0
170
メール送信サーバの集約における透過型SMTP プロキシの定量評価 / Quantitative Evaluation of Transparent SMTP Proxy in Email Sending Server Aggregation
linyows
0
900
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
420
研究の再現性を高める 仕組みをGoでつくる / Creating a system to improve the reproducibility of research using go
linyows
1
220
奥が深いメールのシステム / The depth of Email system
linyows
4
570
IaCにおけるテスト考察 / Tests in IaC
linyows
2
670
Other Decks in Technology
See All in Technology
うちの会社の評判は?SNSの投稿分析にAIを使ってみた
doumae
0
600
Introduction to Sansan Meishi Maker Development Engineer
sansan33
PRO
0
270
Sansan Engineering Unit 紹介資料
sansan33
PRO
1
1.9k
データベースの引越しを Ora2Pg でスマートにやろう
jri_narita
0
170
入門 ESlint Typegen #TSKaigi #TSKaigi2025_kataritai
bengo4com
0
2k
Information Architecture Recommoning: How Standardization Enables Differentiation
angioia
0
150
医療業界に特化した音声認識モデル構築のためのアノテーションの実態
thickstem
0
370
FastMCPでSQLをチェックしてくれるMCPサーバーを自作してCursorから動かしてみた
nayuts
1
260
【ClickHouseMeetup】ClickHouseを活用したセキュリティログ解析AIエージェント『LogEater』とは
hssh2_bin
0
110
LT:組込み屋さんのオシロが壊れた!
windy_pon
0
580
CSSDay, Amsterdam
brucel
0
260
障害を回避するHttpClient再入門 / Avoiding Failures HttpClient Reintroduction
uskey512
1
410
Featured
See All Featured
Site-Speed That Sticks
csswizardry
9
610
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
106
19k
Product Roadmaps are Hard
iamctodd
PRO
53
11k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Why Our Code Smells
bkeepers
PRO
337
57k
The Invisible Side of Design
smashingmag
299
50k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
6
640
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Build The Right Thing And Hit Your Dates
maggiecrowley
35
2.7k
Statistics for Hackers
jakevdp
799
220k
Code Review Best Practice
trishagee
68
18k
Transcript
খాԝ(.01FQBCP *OD %FW0QTΛࢧ͑Δࠓͷ)BTIJ$PSQπʔϧ܈ʹ͍ͭͯ )BTIJ$PSQ.FFUVQSE ίϯςφج൫Λࢧ͑Δ )BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE (.0ϖύϘ ϓϦϯγύϧΤϯδχΞ !MJOZPXT CMPHUPNPIJTBPEBDPN
)BTIJ$PSQ.FFUVQSE ࠷ۙͷ͓ࣄ ϖύϘݚڀॴͱभେֶ͕ڞಉݚڀ
)BTIJ$PSQ.FFUVQSE দຊ྄հʹΑΔจʢ%*$0.0༧ߘʣਫ਼៛ʹ੍ޚՄೳͳ߃ৗੑͷ͋ΔߴूੵϚϧνΞΧϯτܕͷϝʔϧج൫ IUUQTSBOEQFQBCPDPNQBQFSTEJDPNPQSPDFFEJOHNBUTVNPUPSZQEG ࠷ۙͷ͓ࣄ ओʹ'BTU$POUBJOFSʹΑΔϝʔϧج൫ݚڀ։ൃɺ࠷࣮ۙྫΛ(JU)VCͰެ։ IUUQTHJUIVCDPN'BTU$POUBJOFS
)BTIJ$PSQ.FFUVQSE ࠷ۙͷ͓ࣄ 7BVMUͷ8PSLTIPQΛ͚ࣾʹ։࠵ɻҎԼͦͷհهࣄ IUUQTUFDIQFQBCPDPNWBVMUXPSLTIPQ
)BTIJ$PSQ.FFUVQSE 8&# %#13&44WPM )BTIJ$PSQ7BVMUͷهࣄدߘ Ԭͷ(PMBOHίϛϡχςΟ 'VLVPLBHPͷओ࠵ͷਓ MJOVYϢʔβͷ໊લղܾΛ (JU)VC͔ΒϚοϐϯά͢Δ ιϑτΣΞͷ։ൃ
)BTIJ$PSQ.FFUVQSE ίϯςφج൫Λࢧ͑Δ)BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE ๏ Ұൠతͳ,VCFSOFUFT%PDLFS͍ͬͯ·ͤΜ ๏ -9%ͷΑ͏ͳγεςϜίϯςφͰ͋Γ·ͤΜ ๏ ಠࣗίϯςφڥΛఏڙ͢ΔଆͷͰ͢ ๏ 0PIPSJ'BTU$POUBJOFSɺ)BDPOJXBΛ͍ͬͯ·͢ લఏίϯςφج൫ͱ͍ͬͯʜ
)BTIJ$PSQ.FFUVQSE 0PIPSJ'BTU$POUBJOFS)BDPOJXB ☺
)BTIJ$PSQ.FFUVQSE 0PIPSJ'BTU$POUBJOFS)BDPOJXB ☺☺☺☺☺ ͜ΕΒಠࣗ։ൃͨ͠ͷͰ͢ ΞʔΩςΫνϟ ίϯςφϥϯλΠϜ ΦʔέετϨʔλʔ Կʹʁ
)BTIJ$PSQ.FFUVQSE ϩϦϙοϓʂϚωʔδυΫϥυ
)BTIJ$PSQ.FFUVQSE ๏ ίϯςφϕʔεͷ1BB4 ๏ ӡ༻͖ͷΫϥυͰΫϥυدΓͷϨϯλϧαʔό ๏ ίΞػೳͷΦʔτεέʔϧίϯςφෛՙʹԠͯ͡εέʔϧΞτ͠ෛՙ ܰݮΑΓεέʔϧΠϯ ๏ ఆ֎ͷ༻ྔϝʔϧ௨ར༻੍ݶͳͲͷઃఆ͕Մೳ
ϩϦϙοϓʂϚωʔδυΫϥυ
)BTIJ$PSQ.FFUVQSE ๏ ҆Ձͳίϯςφڥͷఏڙʹίϯςφ͕ߴूੵͰ͋Δඞཁ͕͋ΔʢϨϯ αόϩϯάςʔϧతʣ ๏ Ϣʔβཧͷίϯςφ͕ܧଓతʹ҆શͰ͋Δඞཁ͕͋ΔʢϛυϧΣΞ ґଘϥΠϒϥϦ͕ఆظతʹ࠷৽ʣ ๏ ίϯςφϦιʔεݖݶʹରͯ͠ॊೈͳઃఆ͕ՄೳͰ͋Δ͜ͱͱɺͦΕ Β͕ೳಈతͰ͋Δඞཁ͕͋Δʢίϯςφ͕ࣗಈతʹϦιʔεมߋʣ
ͳͥಠࣗ։ൃͯ͠͏ͷ͔
)BTIJ$PSQ.FFUVQSE ཁٻΛຬͨͨ͢Ίʹඞཁͩͬͨ ֤ٕज़ৄࡉʹ͍ͭͯݕࡧͯ͠Έ͍ͯͩ͘͞
)BTIJ$PSQ.FFUVQSE ίϯςφج൫Λࢧ͑Δ ϩϦϙοϓʂϚωʔδυΫϥυΛࢧ͑Δ )BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE ·ͣγεςϜશମ૾
)BTIJ$PSQ.FFUVQSE $BDIF 1SPYZ "1* 4ZTUFN0WFSWJFX 4FDSFU.BOBHFS 4FSWJDF.BOBHFS .POJUPS "$.& #FIBWJPS5FTUFS
4.51 .FUSJDT 4DIFEVMFS 8FC "1* %# $BDIF +PC -# 1SPYZ $PNQVUF %JTQBUDIFS -# 4UPSBHF %# 4UBSUFS 1SPYZ &OW1SPEVDUJPO 4UBHJOH %FWFMPQNFOU "MFSU.BOBHFS )PTUJOH #VTJOFTT #BTUJPO %# 0QFO4UBDL #BSFNFUBM $.%#
)BTIJ$PSQ.FFUVQSE ϛυϧΣΞΛՃͯ͠ΈΔ
)BTIJ$PSQ.FFUVQSE $BDIF 1SPYZ "1* 4FDSFU.BOBHFS 4FSWJDF.BOBHFS .POJUPS "$.& #FIBWJPS5FTUFS 4.51
.FUSJDT 4DIFEVMFS 8FC "1* %# $BDIF +PC -# 1SPYZ $PNQVUF %JTQBUDIFS -# 4UPSBHF %# 4UBSUFS 1SPYZ "MFSU.BOBHFS )PTUJOH #VTJOFTT #BTUJPO %# 0QFO4UBDL #BSFNFUBM $.%# 4ZTUFN0WFSWJFX &OW1SPEVDUJPO 4UBHJOH %FWFMPQNFOU
)BTIJ$PSQ.FFUVQSE ࣍ʹσϓϩΠϑϩʔ
)BTIJ$PSQ.FFUVQSE 0QFO4UBDL #BSFNFUBM .""4 ,OJGF;FSP $* %FQMPZ'MPX
)BTIJ$PSQ.FFUVQSE ๏ 0QFO4UBDLͱ#BSFNFUBMͷϋΠϒϦουڥ ๏ 1BDLFSͰ࡞ΔΠϝʔδ࠷খݶͰશϩʔϧڞ௨Խͯ͠༻ ๏ 5FSSBGPSNͷ1SPWJTJPOFS༻ͤͣ,OJGF;FSPΛ͏ ๏ ։ൃڥ7BHSBOUʢϩʔϧ͕ଟ͍ͷͰZNMཧͰ͖ΔQMVHJOΛ༻ʣ ๏
සൟʹൃੜ͢Δେ͖ͳ༷มߋͱεςʔτϑϧͳϩʔϧଟ͍͜ͱ͔Β *NNVUBCMF*OGSBΛࣺͯΔઓུ શମతಛ
)BTIJ$PSQ.FFUVQSE ๏ 7BHSBOU ๏ 1BDLFS ๏ 5FSSBGPSN ๏ $POTVM ๏
7BVMU ๏ /PNBEʢͷͪʹKSBMMJTPOHPXPSLFSTͱബ͍"1*ʹมߋʣ ར༻͍ͯ͠Δ)BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE αʔϏεܧଓʹͳͯ͘ͳΒͳ͍ ѹతײँ
)BTIJ$PSQ.FFUVQSE 5FSSBGPSN༻ͷಛ
)BTIJ$PSQ.FFUVQSE ๏ ՄೳͳݶΓNPEVMFΛ࠶ར༻Ͱ͖ΔΑ͏ʹ͍ͯ͠Δ ๏ ॳUGTUBUFΛHJUཧ͍ͯͯ͠ෳਓͰ࡞ۀ͢Δͱҋ͔͠ͳ͙͘͢ʹ4ʹมߋ ๏ 8PSLTQBDF1SPEVDUJPOͱ4UBHJOHͰ͍ͬͯΔ ๏ DMPVEJOJUͰ4MBDL௨ɺར༻ऀґଘ෦Λೖ͍ͯ͠Δ ๏
MJGFDZDMFͷઃఆࣄނࢭʹඞਢ ๏ $*ͰGNU͢ΔΑ͏ʹ͍ͯ͠Δ 5FSSBGPSN
)BTIJ$PSQ.FFUVQSE module "reserved_vip" { source = "../reserved_vip" count = "${var.int_vip_count}"
name = "${var.role}" network = "${var.network}" } module "pairaddress_port" { source = "../pairaddress_port" count = "${var.count}" network = "${var.network}" security_group_ids = ["${values(var.security_groups)}"] use_floating_ip = false allowed_ip_address = "${data.openstack_networking_subnet_v2.subnet.cidr}" role = "${var.role}" } resource "openstack_compute_instance_v2" "instance" { lifecycle { ignore_changes = ["user_data", "key_pair", "image_name", "availability_zone"] } count = "${var.count}" name = "${terraform.env != "staging" ? "" : "staging-"}${var.role}-${count.index + var.count_offset + 1}.${var.domain}" image_name = "${var.image_name}" flavor_name = "${var.flavor_name}" key_pair = "${var.key_pair}" availability_zone = "${var.availability_zones[(count.index + var.count_offset) % length(var.availability_zones)]}" security_groups = ["${keys(var.security_groups)}"] user_data = "${data.template_file.init.rendered}" network { port = "${element(module.pairaddress_port.ids, count.index)}" modules/ ├── instance │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── instance_with_extvip │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── instance_with_intvip │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── pairaddress_port │ ├── main.tf │ ├── outputs.tf │ └── varaibales.tf ├── reserved_vip │ ├── main.tf │ ├── outputs.tf │ └── variables.tf └── volume ├── main.tf └── variables.tf 5FSSBGPSNࡉ͔۠ͬͨ͘NPEVMFͷྫ
)BTIJ$PSQ.FFUVQSE 5FSSBGPSNࡉ͔۠ͬͨ͘NPEVMFͷྫ module "api" { count = "${terraform.env == "staging"
? 3 : var.api_count}" source = "./modules/instance" role = "api" flavor_name = "c1.large" network_id = "${openstack_networking_network_v2.lan.id}" security_groups = { "${openstack_networking_secgroup_v2.base.name}" = "${openstack_networking_secgroup_v2.base.id}" "${openstack_networking_secgroup_v2.api.name}" = "${openstack_networking_secgroup_v2.api.id}" } } module "secretmanager" { count = "${terraform.env == "staging" ? 2 : var.vault_count}" source = "./modules/instance_with_intvip" role = "secretmanager" flavor_name = "c1.medium" network = "${var.nyah["tenant_name"]}-lan" security_groups = { "${openstack_networking_secgroup_v2.base.name}" = "${openstack_networking_secgroup_v2.base.id}" "${openstack_networking_secgroup_v2.secretmanager.name}" = "${openstack_networking_secgroup_v2.secretmanager.id}" } } ڞ௨ԽʹΑΓ*OTUBODFͷఆ͕ٛγϯϓϧʹ
)BTIJ$PSQ.FFUVQSE $POTVM༻ͷಛ
)BTIJ$PSQ.FFUVQSE ๏ ϝΠϯαʔϏεσ ΟεΧόϦʢͪΖΜࢹʣ ๏ .BDLFSFMͱׂ୲֎ܗࢹ͔αʔϏεࢹ͔ ๏ ϗετͷ໊લղܾ$POTVM%/4ͱ6OCPVOEΛ༻ ๏ 7BVMUͷετϨʔδόοΫΤϯυͱͯ͠ར༻
๏ શϊʔυʹ$POTVM"HFOUͱαʔϏεࢹͰ༻͢Δ1SPNFUIFVTͷ DPOTVM OPEF CMBDLCPYFYQPSUFS͕ೖ͍ͬͯΔ $POTVM
)BTIJ$PSQ.FFUVQSE $POTVM%/4ͷศར༻๏ $ cat ~/.ssh/config … Host bastion-1.ohr HostName xxx.xxx.xxx.xxx
User linyows Host *.ohr !bastion-1.ohr !bastion-2.ohr !staging-*.ohr !*baremetal.ohr ProxyCommand ssh -W "$(basename "$(sed -E "s/.ohr/.node.consul/"<<<"%h")")":%p bastion-1.ohr User linyows $ ssh app-1.ohr __ ___ __ _____ _/ / / _ \/ // / _ `/ _ \ /_//_/\_, /\_,_/_//_/ /___/ ubuntu https://github.pepabo.com/tech/packer-templates (c) GMO Pepabo, Inc. linyows@app-1:~$ ౿ΈαʔόͰ໊લղܾ͢Δ͜ͱͰଟஈ44)Λศརʹ
)BTIJ$PSQ.FFUVQSE $POTVM%/4ͷศར༻๏ 1SPYZͷ6QTUSFBNΛ$POTVM%/4ͰϥϯυϩϏϯ hosts: "foo.service.consul:443": listen: port: 443 ssl: certificate-file:
/etc/h2o/tls.crt key-file: /etc/h2o/tls.key paths: "/": proxy.reverse.url: "https://foo.service.consul:443/"
)BTIJ$PSQ.FFUVQSE $POTVM5FNQMBUFͷ༻ ,FFQBMJWFEͷDPOGʹDPOTVMUFNQMBUFΛ༻͢Δ͜ͱͰ1SPYZͷ$POTVMKPJOͰαʔϏεΠϯ͢Δ virtual_server <%= @vip %> 443 { delay_loop
10 lvs_sched rr lvs_method NAT protocol TCP {{range service "proxy|passing"}} real_server {{.Address}} 443 { weight 1 TCP_CHECK { connect_port 443 connect_timeout 30 } }{{end}} }
)BTIJ$PSQ.FFUVQSE ͍ΖΜͳϨΠϠʔ͕ͳΊΒ͔ʹϦϦʔε %/4 -# -# 1SPYZ 1SPYZ 1SPYZ /FX1SPYZ 8FC
8FC 8FC /FX8FC 8FC 8FC XFCTFSWJDFDPOTVM DPOTVMUFNQMBUF DPOTVMEOT YYYYYYYYYYY YYYYYYYYYYY YYYYYYYYYYY YYYYYYYYYYY
)BTIJ$PSQ.FFUVQSE 7BVMU༻ͷಛ
)BTIJ$PSQ.FFUVQSE 7BVMU ๏ 1,*ͱ5SBOTJUγʔΫϨοτΛར༻ʢ͞ΒʹՃ༧ఆʣ ๏ %#ʹอ࣋͢Δൿີใશͯ7BVMUͰ҉߸Խ ๏ ൃߦͨ͠ൿີใ$IFGͰʢSPPU$"DPOTVMUFNQMBUFͷUPLFOʣ ๏ 5PLFOSFOFXʢ55-ͷԆʣ͠ͳ͕Β༻
๏ NBYMFBTFUUMͷظݶͰࣦޮ͢Δʢ͘SFOFX͢Δͱཁҙʣৄ͘͠ޙड़
)BTIJ$PSQ.FFUVQSE ๏ $POTVMΛετϨʔδͱͯ͠ར༻͢ΔͱΞΫςΟϒͳ7BVMUʹରͯ͠ WBVMUTFSWJDFDPOTVM͕ࣗಈతʹઃఆ͞ΕΔ ๏ 7BVMUΛೝূہͱͯ͠ઃఆ͠αʔόূ໌ॻΛࣗͰൃߦ͢Δ ๏ 7BVMU࠶ىಈ͢Δͱ4FBM͞ΕΔ ๏ -FU`T&ODSZQUΛͬͯαʔόূ໌ॻൃߦ͢Δʁ
1,*ͷ3PPU$" 7BVMUαʔόʹ5-4ଓ͢Δ߹Ͳ͏ͨ͠Βྑ͍͔
)BTIJ$PSQ.FFUVQSE ๏ 7BVMUʹ4*()61γάφϧͰαʔόূ໌ॻͷ࠶ಡΈࠐΈΛ͢Δ ๏ 4*()61Ͱ4FBM͞Εͳ͍ ๏ "VEJUMPHͷMPHSPUBUFʹ͑Δ ๏ 7BVMU͕ൃߦͨ͠3PPU$"$IFGͰ $POTVMUF5FNQMBUFͷ༻
αʔόূ໌ॻʹDPOTVMUFNQMBUFΛ༻͢Δ͜ͱܧଓతͳূ໌ॻൃߦΛࣗಈԽ͢Δ
)BTIJ$PSQ.FFUVQSE vault { address = "https://127.0.0.1:8200" token = "<%= node['vault']['token']
%>" renew_token = true grace = "5m" ssl { enabled = true verify = false } } template { contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.issuing_ca }}{{ end }}" destination = "/usr/share/ca-certificates/extra/Vault_Root_CA.crt" command = "sudo /usr/local/sbin/update_ca_certs" } template { contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.certificate }}{{ end }}" destination = "/etc/vault.d/vault.service.consul.crt" command = "sudo /usr/local/sbin/reload_vault" } template { contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.private_key }}{{ end }}" destination = "/etc/vault.d/vault.service.consul.key" command = "sudo /usr/local/sbin/reload_vault" } TVEPFSTͰڐՄ͢ΔͨΊʹ֤εΫϦϓτʹ ͍ͷͰΠϯϥΠϯͰهड़ 5PLFOͷ55-ΛԆͯ͠༻ $POTVMUF5FNQMBUFͷ༻
)BTIJ$PSQ.FFUVQSE ๏ "QQMJDBUJPO͕7BVMUʹରͯ͠ೝূ͢ΔBQQSPMF ๏ ೝূ͢Δͱࢦఆͷ55-͕ઃఆ͞Εͨ5PLFO͕ൃߦ͞ΕΔ ๏ "QQMJDBUJPOͦͷ5PLFOΛͬͯ7BVMUͱΓऔΓΛ͢Δ ๏ "QQMJDBUJPO͕BQQSPMFͷSPMF@JEͱTFDSFU@JEΛ͍࣋ͬͯͯҙຯ͕ͳ͍ ๏
"QQMJDBUJPOϓϩηεͷ֎Ͱ5PLFOΛൃߦ͢Δ "QQMJDBUJPO5PLFOͷ
)BTIJ$PSQ.FFUVQSE ๏ "QQMJDBUJPOͷσϓϩΠ࣌ʹBQQSPMFBVUIΛ͢ΔίϚϯυΛ࣮ߦ ๏ ίϚϯυೝূͷ18Ͱ͋ΔTFDSFU@JEͷ55-ԆΛ1045 ๏ ଓ͚ͯೝূΛ࣮ߦ͠5PLFOΛऔಘ͢Δ ๏ औಘͨ͠5PLFOΛ"QQMJDBUJPO͕ಡΊΔύεʹஔ "QQMJDBUJPO5PLFOͷղܾ๏
7BVMU $PNNBOE SPMF@JE TFDSFU@JE UPLFO
)BTIJ$PSQ.FFUVQSE 7BVMUUPLFO͕ࣦޮͯ͠ো
)BTIJ$PSQ.FFUVQSE ๏ "QQSPMFͷTFDSFU@JEΛSFOFX͢ΔͨΊʹDVTUPNTFDSFU@JEͱͯ͠ઃఆͯ͠ ͍Δ ๏ DVTUPNTFDSFU@JEʹઃఆ͢ΔUPLFOBVUIUPLFOͰൃߦ ๏ Ϛϯτͨ͠TFDSFU͝ͱʹNBYMFBTFUUMͱ͍͏ઃఆ͕͋ΓɺγεςϜશମ ʹNBYUUM͕ଘࡏ͢Δ ๏
྆ํ͕ະઃఆͷ߹ɺγεςϜͷNBYUUMͰ͋ΔEBZT্͕ݶ 7BVMUUPLFO͕ࣦޮͯ͠ো
)BTIJ$PSQ.FFUVQSE IUUQTXXXWBVMUQSPKFDUJPEPDTDPODFQUTUPLFOTIUNMUIFHFOFSBMDBTF ίϯηϓτʹॻ͍ͯ͋ͬͨ
)BTIJ$PSQ.FFUVQSE .BY55-ઃఆɺ֤Ϛϯτ͞ΕͨγʔΫϨοτ͝ͱʹઃఆ͢ ΔͷͰɺຊ൪ӡ༻࣌ʹඞͣߟྀ͠·͠ΐ͏ɻ ͱͯॏཁͰ͢
)BTIJ$PSQ.FFUVQSE ๏ 5PLFO͕ࣦޮͨ͠ΒBVEJUMPHʹΤϥʔ ͕සൃ͍ͯͨ͠ ๏ 7BVMUTFSWFSͷ$POTVMDIFDLTͰBVEJUMPHͷ ࢹΛՃ ๏ ݕͨ͠ͷ$POTVM"MFSUͰ4MBDL௨ Αͦ͠ΕͳΒࢹՃͩ
{ "name": "vault-audit-log", "tags": ["vault", "audit"], "checks": [ { "script": "sudo /usr/local/sbin/check_audit", "interval": "60s" } ] } #!/bin/bash check-log --file /var/log/vault_audit.log \ --pattern '\"error\":\".+\"' \ —exclude='invalid request|unsupported path|unsupported operation' .BDLFSFMͷDIFDLDPNNBOE
)BTIJ$PSQ.FFUVQSE $POTVMؾܰʹࢹՃͰ͖ͯศརʂ
)BTIJ$PSQ.FFUVQSE ๏ ϩϦϙοϓʂϚωʔδυΫϥυͰͷ)BTIJ$PSQιϑτΣΞͷ׆༻ํ๏ ΛഎܠͱಛΛ౿·͑ղઆ ๏ )BTIJ$PSQιϑτΣΞ͍͜ͳ͢͜ͱͰγεςϜ͕͍͍ײ͡ʹͳΔ ͷͰυΩϡϝϯτΛख़ಡ͢͠ ๏ )BTIJ$PSQͷ֤ιϑτΣΞʹྲྀΕ͕͋Γɺซ༻͢Δ͜ͱͰศར͕͞ ૿͢ʂʂʂ
$PODMVTJPO
)BTIJ$PSQ.FFUVQSE 5IBOLZPV 8FSFIJSJOH