
HashiCorp Software That Supports a Container Platform / HashiCorp Softwares on Container Base

linyows
September 11, 2018


Slides from my talk at "Today's hot HashiCorp tools that support DevOps" (HashiCorp Meetup 3rd), 2018.09.11


Transcript

  1. GMO Pepabo, Inc.
    Today's hot HashiCorp tools that support DevOps
    HashiCorp Meetup 3rd
    HashiCorp Software That Supports a Container Platform

  2. HashiCorp Meetup 3rd
    GMO Pepabo
    Principal Engineer
    @linyows
    blog.tomohisaoda.com

  3. Recent work
    Joint research between the Pepabo Research Institute and Kyushu University

  4. Recent work
    Paper by Ryosuke Matsumoto (DICOMO preprint): "A high-density multi-account mail platform with precisely controllable homeostasis"
    (PDF published on rand.pepabo.com)
    Mainly R&D on a FastContainer-based mail platform; an implementation example was recently published on GitHub
    https://github.com/FastContainer

  5. Recent work
    Held a Vault workshop for internal staff; the article below introduces it
    (article on tech.pepabo.com)

  6. WEB+DB PRESS: contributed an article on HashiCorp Vault
    Fukuoka Golang community: organizer of Fukuoka.go
    Developing software that resolves Linux user names by mapping them from GitHub

  7. HashiCorp Software That Supports a Container Platform

  8. Premise: we say "container platform", but...
    • We do not use the usual Kubernetes or Docker
    • It is not a system container like LXD either
    • This is the story from the side that provides its own container environment
    • We use Oohori, FastContainer and Haconiwa

  9. Oohori / FastContainer / Haconiwa

  10. Oohori / FastContainer / Haconiwa
    These were developed in-house.
    Architecture, container runtime, orchestrator.
    For what?

  11. Lolipop! Managed Cloud

  12. Lolipop! Managed Cloud
    • A container-based PaaS
    • A cloud that comes with operations included: a rental server that leans toward the cloud
    • Core feature: autoscaling scales out in response to container load and scales in as the load falls
    • Unexpected usage can be handled with settings such as email notifications and usage limits

  13. Why build our own and use it
    • Providing a cheap container environment requires high container density (rental servers are a long-tail business)
    • User-managed containers must stay continuously secure (middleware and dependent libraries regularly kept up to date)
    • Container resources and privileges must be flexibly configurable, and that must be active (the container itself changes its resources dynamically)

  14. It was necessary to meet the requirements.
    Please search for the details of each technology.

  15. HashiCorp software that supports a container platform,
    or rather: HashiCorp software that supports Lolipop! Managed Cloud

  16. First, the overall system

  17. System Overview (diagram)
    Environments: Production, Staging, Development.
    Components: Web, API, DB, Cache, Job, LB, Proxy, Compute, Dispatcher, Storage, Starter, Secret Manager, Service Manager, Monitor, ACME, Behavior Tester, SMTP, Metrics, Scheduler, Alert Manager, Hosting, Business, Bastion, CMDB, on OpenStack / Baremetal.

  18. Let's add the middleware

  19. System Overview (diagram, with middleware added)
    Same components as slide 17: Web, API, DB, Cache, Job, LB, Proxy, Compute, Dispatcher, Storage, Starter, Secret Manager, Service Manager, Monitor, ACME, Behavior Tester, SMTP, Metrics, Scheduler, Alert Manager, Hosting, Business, Bastion, CMDB, on OpenStack / Baremetal; environments Production, Staging, Development.

  20. Next, the deploy flow

  21. Deploy Flow (diagram)
    OpenStack, Baremetal (MAAS), Knife-Zero, CI.

  22. Overall characteristics
    • A hybrid environment of OpenStack and Baremetal
    • Images built with Packer are kept minimal and shared across all roles
    • Terraform provisioners are not used; Knife-Zero is used instead
    • The development environment is Vagrant (there are many roles, so a plugin that manages them in yml is used)
    • Large spec changes happen frequently and many roles are stateful, so the strategy is to abandon Immutable Infrastructure

  23. HashiCorp software in use
    • Vagrant
    • Packer
    • Terraform
    • Consul
    • Vault
    • Nomad (later replaced by jrallison/go-workers and a thin API)

  24. Indispensable for keeping the service running.
    Overwhelming gratitude.

  25. Characteristics of our Terraform usage

  26. Terraform
    • Modules are made reusable wherever possible
    • Initially tfstate was kept in git; with several people working on it that was nothing but darkness, so we moved it to S3 right away
    • Workspaces are used for Production and Staging
    • User-dependent parts such as Slack notifications are injected with cloud-init
    • lifecycle settings are essential for preventing accidents
    • fmt is run in CI

  27. Example of finely split Terraform modules

    module "reserved_vip" {
      source  = "../reserved_vip"
      count   = "${var.int_vip_count}"
      name    = "${var.role}"
      network = "${var.network}"
    }

    module "pairaddress_port" {
      source             = "../pairaddress_port"
      count              = "${var.count}"
      network            = "${var.network}"
      security_group_ids = ["${values(var.security_groups)}"]
      use_floating_ip    = false
      allowed_ip_address = "${data.openstack_networking_subnet_v2.subnet.cidr}"
      role               = "${var.role}"
    }

    resource "openstack_compute_instance_v2" "instance" {
      lifecycle {
        ignore_changes = ["user_data", "key_pair", "image_name", "availability_zone"]
      }
      count             = "${var.count}"
      name              = "${terraform.env != "staging" ? "" : "staging-"}${var.role}-${count.index + var.count_offset + 1}.${var.domain}"
      image_name        = "${var.image_name}"
      flavor_name       = "${var.flavor_name}"
      key_pair          = "${var.key_pair}"
      availability_zone = "${var.availability_zones[(count.index + var.count_offset) % length(var.availability_zones)]}"
      security_groups   = ["${keys(var.security_groups)}"]
      user_data         = "${data.template_file.init.rendered}"
      network {
        port = "${element(module.pairaddress_port.ids, count.index)}"
      }
    }

    modules/
    ├── instance
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    ├── instance_with_extvip
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    ├── instance_with_intvip
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    ├── pairaddress_port
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── varaibales.tf
    ├── reserved_vip
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    └── volume
        ├── main.tf
        └── variables.tf

  28. Example of finely split Terraform modules

    module "api" {
      count       = "${terraform.env == "staging" ? 3 : var.api_count}"
      source      = "./modules/instance"
      role        = "api"
      flavor_name = "c1.large"
      network_id  = "${openstack_networking_network_v2.lan.id}"
      security_groups = {
        "${openstack_networking_secgroup_v2.base.name}" = "${openstack_networking_secgroup_v2.base.id}"
        "${openstack_networking_secgroup_v2.api.name}"  = "${openstack_networking_secgroup_v2.api.id}"
      }
    }

    module "secretmanager" {
      count       = "${terraform.env == "staging" ? 2 : var.vault_count}"
      source      = "./modules/instance_with_intvip"
      role        = "secretmanager"
      flavor_name = "c1.medium"
      network     = "${var.nyah["tenant_name"]}-lan"
      security_groups = {
        "${openstack_networking_secgroup_v2.base.name}"          = "${openstack_networking_secgroup_v2.base.id}"
        "${openstack_networking_secgroup_v2.secretmanager.name}" = "${openstack_networking_secgroup_v2.secretmanager.id}"
      }
    }

    Sharing the module keeps the Instance definitions simple.

  29. Characteristics of our Consul usage

  30. Consul
    • The main use is service discovery (and of course monitoring)
    • Division of roles with Mackerel: external monitoring versus service monitoring
    • Host name resolution uses Consul DNS and Unbound
    • Also used as Vault's storage backend
    • Every node runs the Consul agent plus the Prometheus consul, node and blackbox exporters used for services and monitoring

  31. Handy uses of Consul DNS

    $ cat ~/.ssh/config

    Host bastion-1.ohr
      HostName xxx.xxx.xxx.xxx
      User linyows
    Host *.ohr !bastion-1.ohr !bastion-2.ohr !staging-*.ohr !*baremetal.ohr
      ProxyCommand ssh -W "$(basename "$(sed -E "s/.ohr/.node.consul/"<<<"%h")")":%p bastion-1.ohr
      User linyows

    $ ssh app-1.ohr
                    __
     ___ __ _____ _/ /
    / _ \/ // / _ `/ _ \
    /_//_/\_, /\_,_/_//_/
         /___/ ubuntu
    https://github.pepabo.com/tech/packer-templates
    (c) GMO Pepabo, Inc.
    linyows@app-1:~$

    Resolving names on the bastion host makes multi-hop SSH convenient.

  32. Handy uses of Consul DNS
    Round-robin the Proxy's upstreams with Consul DNS

    hosts:
      "foo.service.consul:443":
        listen:
          port: 443
          ssl:
            certificate-file: /etc/h2o/tls.crt
            key-file: /etc/h2o/tls.key
        paths:
          "/":
            proxy.reverse.url: "https://foo.service.consul:443/"

  33. Using Consul Template
    Using consul-template for the Keepalived config puts a Proxy into service as soon as it joins Consul

    virtual_server <%= @vip %> 443 {
      delay_loop 10
      lvs_sched rr
      lvs_method NAT
      protocol TCP
      {{range service "proxy|passing"}}
      real_server {{.Address}} 443 {
        weight 1
        TCP_CHECK {
          connect_port 443
          connect_timeout 30
        }
      }{{end}}
    }

  34. Every layer rolls out smoothly (diagram)
    DNS -> LB (via consul dns) -> Proxy, Proxy, Proxy, New Proxy (via consul-template) -> Web, Web, Web, New Web (via web.service.consul).

  35. Characteristics of our Vault usage

  36. Vault
    • We use the PKI and Transit secrets engines (more to be added)
    • All secrets held in the DB are encrypted with Vault
    • Issued secrets are distributed with Chef (root CA, the consul-template token, etc.)
    • Tokens are used while being renewed (extending the TTL)
    • They expire at the max_lease_ttl deadline (watch out when renewing for a long time); details later

  37. The PKI root CA distribution problem
    What should we do about TLS connections to the Vault server?
    • With Consul as the storage backend, vault.service.consul is set up automatically for the active Vault
    • Configure Vault as a certificate authority and issue the server certificates ourselves
    • Vault becomes sealed when it restarts
    • Issue the server certificates with Let's Encrypt?

  38. Using Consul Template
    Using consul-template for the server certificate automates continuous certificate issuance
    • Vault reloads its server certificate on the SIGHUP signal
    • SIGHUP does not seal it
    • It can also be used for logrotate of the audit log
    • The root CA issued by Vault is distributed with Chef

  39. Using Consul Template

    vault {
      address     = "https://127.0.0.1:8200"
      token       = "<%= node['vault']['token'] %>"
      renew_token = true
      grace       = "5m"
      ssl {
        enabled = true
        verify  = false
      }
    }

    template {
      contents    = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.issuing_ca }}{{ end }}"
      destination = "/usr/share/ca-certificates/extra/Vault_Root_CA.crt"
      command     = "sudo /usr/local/sbin/update_ca_certs"
    }

    template {
      contents    = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.certificate }}{{ end }}"
      destination = "/etc/vault.d/vault.service.consul.crt"
      command     = "sudo /usr/local/sbin/reload_vault"
    }

    template {
      contents    = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.private_key }}{{ end }}"
      destination = "/etc/vault.d/vault.service.consul.key"
      command     = "sudo /usr/local/sbin/reload_vault"
    }

    Notes on the slide: the token's TTL is extended while in use (renew_token); the templates are short, so they are written inline; each command is a separate script so that it can be allowed in sudoers.

  40. The Application token distribution problem
    • The Application authenticates to Vault with approle
    • On authentication, a token with the specified TTL is issued
    • The Application uses that token to talk to Vault
    • There is no point in the Application holding the approle role_id and secret_id itself
    • Issue the token outside the Application process

  41. Solving the Application token distribution problem
    • When the Application is deployed, run a command that performs the approle auth
    • The command POSTs a TTL extension for the secret_id (the password of the auth)
    • It then performs the authentication and obtains a token
    • The obtained token is placed at a path the Application can read
    (diagram: Command -> Vault with role_id and secret_id; Vault returns the token)

  42. Incident: the Vault token expired

  43. Incident: the Vault token expired
    • To renew the approle secret_id, it is configured as a custom secret_id
    • The token set as the custom secret_id is issued via auth token
    • Every mounted secrets engine has its own max_lease_ttl setting, and the system as a whole also has a max_ttl
    • If neither is set, the system max_ttl of 32 days is the upper limit

  44. https://www.vaultproject.io/docs/concepts/tokens.html#the-general-case
    It was written in the concepts documentation.

  45. "Max TTL is configured per mounted secrets engine, so be sure to take it into account when operating in production."
    This is very important.
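
The expiry rule behind slides 43 to 45, as an added example (not code from the deck): a renew loop can extend a token's TTL repeatedly, but never past its issue time plus the applicable max TTL, so a 24h token renewed every hour still dies on day 32 unless the mount's max_lease_ttl is raised. The class and function names are my own; the 32-day system default is Vault's documented default max_lease_ttl.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Vault's default system-wide max_lease_ttl is 768h (32 days); a mount's own
# max_lease_ttl, when set, takes precedence for leases issued from that mount.
SYSTEM_MAX_TTL = timedelta(days=32)


@dataclass
class Token:
    issue_time: datetime
    expire_time: datetime
    mount_max_ttl: Optional[timedelta] = None  # per-mount max_lease_ttl, if configured

    @property
    def hard_limit(self) -> datetime:
        """No renewal can push expiry past issue_time + the applicable max TTL."""
        cap = SYSTEM_MAX_TTL if self.mount_max_ttl is None else self.mount_max_ttl
        return self.issue_time + cap

    def renew(self, now: datetime, increment: timedelta) -> bool:
        """Renew at `now`; the new expiry is capped by hard_limit. Returns False once
        the token has already expired, which is what the deck's incident looked like."""
        if now >= self.expire_time:
            return False
        self.expire_time = min(now + increment, self.hard_limit)
        return True


def simulate_renewals(mount_max_ttl_days, ttl_hours, increment_hours, interval_hours, days):
    """Drive a renew loop like consul-template's renew_token = true and return the day
    on which renewal first fails, or None if the token survives `days` days."""
    start = datetime(2018, 9, 11, tzinfo=timezone.utc)  # constructed sample epoch
    mount_max = None if mount_max_ttl_days is None else timedelta(days=mount_max_ttl_days)
    tok = Token(start, start + timedelta(hours=ttl_hours), mount_max)
    now = start
    while now < start + timedelta(days=days):
        now += timedelta(hours=interval_hours)
        if not tok.renew(now, timedelta(hours=increment_hours)):
            return (now - start).days
    return None


if __name__ == "__main__":
    # A 24h token renewed hourly: with no mount max_lease_ttl it still fails on day 32.
    print("system default max:", simulate_renewals(None, 24, 24, 1, 60))  # 32
    print("mount max 90 days: ", simulate_renewals(90, 24, 24, 1, 60))    # None
```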

  46. OK then, let's add monitoring
    • When the token expired, errors showed up frequently in the audit log
    • Added audit-log monitoring to the Vault server's Consul checks
    • Anything detected is sent to Slack by Consul Alert

    {
      "name": "vault-audit-log",
      "tags": ["vault", "audit"],
      "checks": [
        {
          "script": "sudo /usr/local/sbin/check_audit",
          "interval": "60s"
        }
      ]
    }

    #!/bin/bash
    check-log --file /var/log/vault_audit.log \
      --pattern '\"error\":\".+\"' \
      --exclude='invalid request|unsupported path|unsupported operation'

    Mackerel's check command
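
The same detection logic as the check-log command above, as an added example (not the deck's script): it flags audit entries whose "error" field is non-empty, ignores the three expected noise patterns, and maps the result to a Nagios/Mackerel-style exit status. The audit lines below are constructed for the example, not real Vault output.

```python
import json
import re

# The deck's exclusions: request errors that are normal noise, not a broken token.
EXCLUDE = re.compile(r"invalid request|unsupported path|unsupported operation")

# Constructed audit entries (Vault writes one JSON object per line, with a
# top-level "error" field on failed requests). A token that can no longer be
# renewed typically surfaces as "permission denied" on every request it makes.
SAMPLE_AUDIT_LOG = """\
{"type":"response","auth":{"display_name":"approle"},"request":{"path":"secret/data/app"},"response":{"status":200}}
{"type":"response","error":"1 error occurred:\\n\\t* unsupported path\\n","request":{"path":"sys/nope"}}
{"type":"response","error":"permission denied","request":{"path":"pki/issue/service-consul"}}
{"type":"response","error":"invalid request","request":{"path":"auth/approle/login"}}
"""


def find_errors(log_text: str) -> list:
    """Return (request path, error) for every entry with an unexpected error."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not audit JSON
        err = entry.get("error") or ""
        if err and not EXCLUDE.search(err):
            hits.append((entry.get("request", {}).get("path", "?"), err.strip()))
    return hits


def check_status(log_text: str) -> int:
    """Exit code in the check-plugin convention: 0 OK, 2 CRITICAL if unexpected errors exist."""
    return 2 if find_errors(log_text) else 0


if __name__ == "__main__":
    for path, err in find_errors(SAMPLE_AUDIT_LOG):
        print(f"CRITICAL: {path}: {err}")
    raise SystemExit(check_status(SAMPLE_AUDIT_LOG))
```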

  47. Consul makes it easy to add monitoring. Convenient!

  48. Conclusion
    • Explained how HashiCorp software is used in Lolipop! Managed Cloud, together with the background and characteristics
    • HashiCorp software makes a system feel right once you master it, so read the documentation thoroughly
    • Each piece of HashiCorp software has its own flow, and using them together makes them even more convenient!!!

  49. Thank you. We're hiring.