Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
コンテナ基盤を支えるHashiCorpソフトウェア / HashiCorp Softwares...
Search
linyows
September 11, 2018
Technology
6
5.2k
コンテナ基盤を支えるHashiCorpソフトウェア / HashiCorp Softwares on Container Base
2018.09.11 DevOpsを支える今話題のHashiCorpツール群について(HashiCorp Meetup 3rd)でお話しした資料です
linyows
September 11, 2018
Tweet
Share
More Decks by linyows
See All by linyows
研究開発と実装OSSと プロダクトの好循環 / A virtuous cycle of research and development implementation OSS and products
linyows
1
360
コードジェネレーターで 効率的な開発をする / Efficient development with code generators
linyows
0
310
研究を支える拡張性の高い ワークフローツールの提案 / Proposal of highly expandable workflow tools to support research
linyows
0
430
非コンテナ環境において宣言的Deploymentを手軽に実現する / Declarative deployment in non-container environments
linyows
0
210
メール送信サーバの集約における透過型SMTP プロキシの定量評価 / Quantitative Evaluation of Transparent SMTP Proxy in Email Sending Server Aggregation
linyows
0
960
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
460
研究の再現性を高める 仕組みをGoでつくる / Creating a system to improve the reproducibility of research using go
linyows
1
240
奥が深いメールのシステム / The depth of Email system
linyows
4
600
IaCにおけるテスト考察 / Tests in IaC
linyows
2
720
Other Decks in Technology
See All in Technology
P2P通信の標準化 WebRTCを知ろう
faithandbrave
4
1.6k
安定した基盤システムのためのライブラリ選定
kakehashi
PRO
3
140
全部AI、全員Cursor、ドキュメント駆動開発 〜DevinやGeminiも添えて〜
rinchsan
10
5.3k
BEYOND THE RAG🚀 ~とりあえずRAG?を超えていけ! 本当に使えるAIエージェント&生成AIプロダクトを目指して~ / BEYOND-THE-RAG-Toward Practical-GenerativeAI-Products-AOAI-DevDay-2025
jnymyk
3
110
CDK Vibe Coding Fes
tomoki10
1
650
セキュアなAI活用のためのLiteLLMの可能性
tk3fftk
1
390
QAを早期に巻き込む”って どうやるの? モヤモヤから抜け出す実践知
moritamasami
2
120
Data Engineering Study#30 LT資料
tetsuroito
1
350
Frontier Airlines Customer®️ USA Contact Numbers: Complete 2025 Support Guide
frontierairlineswithflyagent
0
100
AI時代にも変わらぬ価値を発揮したい: インフラ・クラウドを切り口にユーザー価値と非機能要件に向き合ってエンジニアとしての地力を培う
netmarkjp
0
150
ClaudeCodeにキレない技術
gtnao
1
890
[SRE NEXT 2025] すみずみまで暖かく照らすあなたの太陽でありたい
carnappopper
2
560
Featured
See All Featured
Mobile First: as difficult as doing things right
swwweet
223
9.7k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.6k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.4k
Bash Introduction
62gerente
613
210k
Making Projects Easy
brettharned
116
6.3k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
138
34k
Practical Orchestrator
shlominoach
189
11k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
The Cost Of JavaScript in 2023
addyosmani
51
8.6k
It's Worth the Effort
3n
185
28k
Optimising Largest Contentful Paint
csswizardry
37
3.3k
Transcript
খాԝ(.01FQBCP *OD %FW0QTΛࢧ͑Δࠓͷ)BTIJ$PSQπʔϧ܈ʹ͍ͭͯ )BTIJ$PSQ.FFUVQSE ίϯςφج൫Λࢧ͑Δ )BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE (.0ϖύϘ ϓϦϯγύϧΤϯδχΞ !MJOZPXT CMPHUPNPIJTBPEBDPN
)BTIJ$PSQ.FFUVQSE ࠷ۙͷ͓ࣄ ϖύϘݚڀॴͱभେֶ͕ڞಉݚڀ
)BTIJ$PSQ.FFUVQSE দຊ྄հʹΑΔจʢ%*$0.0༧ߘʣਫ਼៛ʹ੍ޚՄೳͳ߃ৗੑͷ͋ΔߴूੵϚϧνΞΧϯτܕͷϝʔϧج൫ IUUQTSBOEQFQBCPDPNQBQFSTEJDPNPQSPDFFEJOHNBUTVNPUPSZQEG ࠷ۙͷ͓ࣄ ओʹ'BTU$POUBJOFSʹΑΔϝʔϧج൫ݚڀ։ൃɺ࠷࣮ۙྫΛ(JU)VCͰެ։ IUUQTHJUIVCDPN'BTU$POUBJOFS
)BTIJ$PSQ.FFUVQSE ࠷ۙͷ͓ࣄ 7BVMUͷ8PSLTIPQΛ͚ࣾʹ։࠵ɻҎԼͦͷհهࣄ IUUQTUFDIQFQBCPDPNWBVMUXPSLTIPQ
)BTIJ$PSQ.FFUVQSE 8&# %#13&44WPM )BTIJ$PSQ7BVMUͷهࣄدߘ Ԭͷ(PMBOHίϛϡχςΟ 'VLVPLBHPͷओ࠵ͷਓ MJOVYϢʔβͷ໊લղܾΛ (JU)VC͔ΒϚοϐϯά͢Δ ιϑτΣΞͷ։ൃ
)BTIJ$PSQ.FFUVQSE ίϯςφج൫Λࢧ͑Δ)BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE ๏ Ұൠతͳ,VCFSOFUFT%PDLFS͍ͬͯ·ͤΜ ๏ -9%ͷΑ͏ͳγεςϜίϯςφͰ͋Γ·ͤΜ ๏ ಠࣗίϯςφڥΛఏڙ͢ΔଆͷͰ͢ ๏ 0PIPSJ'BTU$POUBJOFSɺ)BDPOJXBΛ͍ͬͯ·͢ લఏίϯςφج൫ͱ͍ͬͯʜ
)BTIJ$PSQ.FFUVQSE 0PIPSJ'BTU$POUBJOFS)BDPOJXB ☺
)BTIJ$PSQ.FFUVQSE 0PIPSJ'BTU$POUBJOFS)BDPOJXB ☺☺☺☺☺ ͜ΕΒಠࣗ։ൃͨ͠ͷͰ͢ ΞʔΩςΫνϟ ίϯςφϥϯλΠϜ ΦʔέετϨʔλʔ Կʹʁ
)BTIJ$PSQ.FFUVQSE ϩϦϙοϓʂϚωʔδυΫϥυ
)BTIJ$PSQ.FFUVQSE ๏ ίϯςφϕʔεͷ1BB4 ๏ ӡ༻͖ͷΫϥυͰΫϥυدΓͷϨϯλϧαʔό ๏ ίΞػೳͷΦʔτεέʔϧίϯςφෛՙʹԠͯ͡εέʔϧΞτ͠ෛՙ ܰݮΑΓεέʔϧΠϯ ๏ ఆ֎ͷ༻ྔϝʔϧ௨ར༻੍ݶͳͲͷઃఆ͕Մೳ
ϩϦϙοϓʂϚωʔδυΫϥυ
)BTIJ$PSQ.FFUVQSE ๏ ҆Ձͳίϯςφڥͷఏڙʹίϯςφ͕ߴूੵͰ͋Δඞཁ͕͋ΔʢϨϯ αόϩϯάςʔϧతʣ ๏ Ϣʔβཧͷίϯςφ͕ܧଓతʹ҆શͰ͋Δඞཁ͕͋ΔʢϛυϧΣΞ ґଘϥΠϒϥϦ͕ఆظతʹ࠷৽ʣ ๏ ίϯςφϦιʔεݖݶʹରͯ͠ॊೈͳઃఆ͕ՄೳͰ͋Δ͜ͱͱɺͦΕ Β͕ೳಈతͰ͋Δඞཁ͕͋Δʢίϯςφ͕ࣗಈతʹϦιʔεมߋʣ
ͳͥಠࣗ։ൃͯ͠͏ͷ͔
)BTIJ$PSQ.FFUVQSE ཁٻΛຬͨͨ͢Ίʹඞཁͩͬͨ ֤ٕज़ৄࡉʹ͍ͭͯݕࡧͯ͠Έ͍ͯͩ͘͞
)BTIJ$PSQ.FFUVQSE ίϯςφج൫Λࢧ͑Δ ϩϦϙοϓʂϚωʔδυΫϥυΛࢧ͑Δ )BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE ·ͣγεςϜશମ૾
)BTIJ$PSQ.FFUVQSE $BDIF 1SPYZ "1* 4ZTUFN0WFSWJFX 4FDSFU.BOBHFS 4FSWJDF.BOBHFS .POJUPS "$.& #FIBWJPS5FTUFS
4.51 .FUSJDT 4DIFEVMFS 8FC "1* %# $BDIF +PC -# 1SPYZ $PNQVUF %JTQBUDIFS -# 4UPSBHF %# 4UBSUFS 1SPYZ &OW1SPEVDUJPO 4UBHJOH %FWFMPQNFOU "MFSU.BOBHFS )PTUJOH #VTJOFTT #BTUJPO %# 0QFO4UBDL #BSFNFUBM $.%#
)BTIJ$PSQ.FFUVQSE ϛυϧΣΞΛՃͯ͠ΈΔ
)BTIJ$PSQ.FFUVQSE $BDIF 1SPYZ "1* 4FDSFU.BOBHFS 4FSWJDF.BOBHFS .POJUPS "$.& #FIBWJPS5FTUFS 4.51
.FUSJDT 4DIFEVMFS 8FC "1* %# $BDIF +PC -# 1SPYZ $PNQVUF %JTQBUDIFS -# 4UPSBHF %# 4UBSUFS 1SPYZ "MFSU.BOBHFS )PTUJOH #VTJOFTT #BTUJPO %# 0QFO4UBDL #BSFNFUBM $.%# 4ZTUFN0WFSWJFX &OW1SPEVDUJPO 4UBHJOH %FWFMPQNFOU
)BTIJ$PSQ.FFUVQSE ࣍ʹσϓϩΠϑϩʔ
)BTIJ$PSQ.FFUVQSE 0QFO4UBDL #BSFNFUBM .""4 ,OJGF;FSP $* %FQMPZ'MPX
)BTIJ$PSQ.FFUVQSE ๏ 0QFO4UBDLͱ#BSFNFUBMͷϋΠϒϦουڥ ๏ 1BDLFSͰ࡞ΔΠϝʔδ࠷খݶͰશϩʔϧڞ௨Խͯ͠༻ ๏ 5FSSBGPSNͷ1SPWJTJPOFS༻ͤͣ,OJGF;FSPΛ͏ ๏ ։ൃڥ7BHSBOUʢϩʔϧ͕ଟ͍ͷͰZNMཧͰ͖ΔQMVHJOΛ༻ʣ ๏
සൟʹൃੜ͢Δେ͖ͳ༷มߋͱεςʔτϑϧͳϩʔϧଟ͍͜ͱ͔Β *NNVUBCMF*OGSBΛࣺͯΔઓུ શମతಛ
)BTIJ$PSQ.FFUVQSE ๏ 7BHSBOU ๏ 1BDLFS ๏ 5FSSBGPSN ๏ $POTVM ๏
7BVMU ๏ /PNBEʢͷͪʹKSBMMJTPOHPXPSLFSTͱബ͍"1*ʹมߋʣ ར༻͍ͯ͠Δ)BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE αʔϏεܧଓʹͳͯ͘ͳΒͳ͍ ѹతײँ
)BTIJ$PSQ.FFUVQSE 5FSSBGPSN༻ͷಛ
)BTIJ$PSQ.FFUVQSE ๏ ՄೳͳݶΓNPEVMFΛ࠶ར༻Ͱ͖ΔΑ͏ʹ͍ͯ͠Δ ๏ ॳUGTUBUFΛHJUཧ͍ͯͯ͠ෳਓͰ࡞ۀ͢Δͱҋ͔͠ͳ͙͘͢ʹ4ʹมߋ ๏ 8PSLTQBDF1SPEVDUJPOͱ4UBHJOHͰ͍ͬͯΔ ๏ DMPVEJOJUͰ4MBDL௨ɺར༻ऀґଘ෦Λೖ͍ͯ͠Δ ๏
MJGFDZDMFͷઃఆࣄނࢭʹඞਢ ๏ $*ͰGNU͢ΔΑ͏ʹ͍ͯ͠Δ 5FSSBGPSN
)BTIJ$PSQ.FFUVQSE module "reserved_vip" { source = "../reserved_vip" count = "${var.int_vip_count}"
name = "${var.role}" network = "${var.network}" } module "pairaddress_port" { source = "../pairaddress_port" count = "${var.count}" network = "${var.network}" security_group_ids = ["${values(var.security_groups)}"] use_floating_ip = false allowed_ip_address = "${data.openstack_networking_subnet_v2.subnet.cidr}" role = "${var.role}" } resource "openstack_compute_instance_v2" "instance" { lifecycle { ignore_changes = ["user_data", "key_pair", "image_name", "availability_zone"] } count = "${var.count}" name = "${terraform.env != "staging" ? "" : "staging-"}${var.role}-${count.index + var.count_offset + 1}.${var.domain}" image_name = "${var.image_name}" flavor_name = "${var.flavor_name}" key_pair = "${var.key_pair}" availability_zone = "${var.availability_zones[(count.index + var.count_offset) % length(var.availability_zones)]}" security_groups = ["${keys(var.security_groups)}"] user_data = "${data.template_file.init.rendered}" network { port = "${element(module.pairaddress_port.ids, count.index)}" modules/ ├── instance │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── instance_with_extvip │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── instance_with_intvip │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── pairaddress_port │ ├── main.tf │ ├── outputs.tf │ └── varaibales.tf ├── reserved_vip │ ├── main.tf │ ├── outputs.tf │ └── variables.tf └── volume ├── main.tf └── variables.tf 5FSSBGPSNࡉ͔۠ͬͨ͘NPEVMFͷྫ
)BTIJ$PSQ.FFUVQSE 5FSSBGPSNࡉ͔۠ͬͨ͘NPEVMFͷྫ module "api" { count = "${terraform.env == "staging"
? 3 : var.api_count}" source = "./modules/instance" role = "api" flavor_name = "c1.large" network_id = "${openstack_networking_network_v2.lan.id}" security_groups = { "${openstack_networking_secgroup_v2.base.name}" = "${openstack_networking_secgroup_v2.base.id}" "${openstack_networking_secgroup_v2.api.name}" = "${openstack_networking_secgroup_v2.api.id}" } } module "secretmanager" { count = "${terraform.env == "staging" ? 2 : var.vault_count}" source = "./modules/instance_with_intvip" role = "secretmanager" flavor_name = "c1.medium" network = "${var.nyah["tenant_name"]}-lan" security_groups = { "${openstack_networking_secgroup_v2.base.name}" = "${openstack_networking_secgroup_v2.base.id}" "${openstack_networking_secgroup_v2.secretmanager.name}" = "${openstack_networking_secgroup_v2.secretmanager.id}" } } ڞ௨ԽʹΑΓ*OTUBODFͷఆ͕ٛγϯϓϧʹ
)BTIJ$PSQ.FFUVQSE $POTVM༻ͷಛ
)BTIJ$PSQ.FFUVQSE ๏ ϝΠϯαʔϏεσ ΟεΧόϦʢͪΖΜࢹʣ ๏ .BDLFSFMͱׂ୲֎ܗࢹ͔αʔϏεࢹ͔ ๏ ϗετͷ໊લղܾ$POTVM%/4ͱ6OCPVOEΛ༻ ๏ 7BVMUͷετϨʔδόοΫΤϯυͱͯ͠ར༻
๏ શϊʔυʹ$POTVM"HFOUͱαʔϏεࢹͰ༻͢Δ1SPNFUIFVTͷ DPOTVM OPEF CMBDLCPYFYQPSUFS͕ೖ͍ͬͯΔ $POTVM
)BTIJ$PSQ.FFUVQSE $POTVM%/4ͷศར༻๏ $ cat ~/.ssh/config … Host bastion-1.ohr HostName xxx.xxx.xxx.xxx
User linyows Host *.ohr !bastion-1.ohr !bastion-2.ohr !staging-*.ohr !*baremetal.ohr ProxyCommand ssh -W "$(basename "$(sed -E "s/.ohr/.node.consul/"<<<"%h")")":%p bastion-1.ohr User linyows $ ssh app-1.ohr __ ___ __ _____ _/ / / _ \/ // / _ `/ _ \ /_//_/\_, /\_,_/_//_/ /___/ ubuntu https://github.pepabo.com/tech/packer-templates (c) GMO Pepabo, Inc. linyows@app-1:~$ ౿ΈαʔόͰ໊લղܾ͢Δ͜ͱͰଟஈ44)Λศརʹ
)BTIJ$PSQ.FFUVQSE $POTVM%/4ͷศར༻๏ 1SPYZͷ6QTUSFBNΛ$POTVM%/4ͰϥϯυϩϏϯ hosts: "foo.service.consul:443": listen: port: 443 ssl: certificate-file:
/etc/h2o/tls.crt key-file: /etc/h2o/tls.key paths: "/": proxy.reverse.url: "https://foo.service.consul:443/"
)BTIJ$PSQ.FFUVQSE $POTVM5FNQMBUFͷ༻ ,FFQBMJWFEͷDPOGʹDPOTVMUFNQMBUFΛ༻͢Δ͜ͱͰ1SPYZͷ$POTVMKPJOͰαʔϏεΠϯ͢Δ virtual_server <%= @vip %> 443 { delay_loop
10 lvs_sched rr lvs_method NAT protocol TCP {{range service "proxy|passing"}} real_server {{.Address}} 443 { weight 1 TCP_CHECK { connect_port 443 connect_timeout 30 } }{{end}} }
)BTIJ$PSQ.FFUVQSE ͍ΖΜͳϨΠϠʔ͕ͳΊΒ͔ʹϦϦʔε %/4 -# -# 1SPYZ 1SPYZ 1SPYZ /FX1SPYZ 8FC
8FC 8FC /FX8FC 8FC 8FC XFCTFSWJDFDPOTVM DPOTVMUFNQMBUF DPOTVMEOT YYYYYYYYYYY YYYYYYYYYYY YYYYYYYYYYY YYYYYYYYYYY
)BTIJ$PSQ.FFUVQSE 7BVMU༻ͷಛ
)BTIJ$PSQ.FFUVQSE 7BVMU ๏ 1,*ͱ5SBOTJUγʔΫϨοτΛར༻ʢ͞ΒʹՃ༧ఆʣ ๏ %#ʹอ࣋͢Δൿີใશͯ7BVMUͰ҉߸Խ ๏ ൃߦͨ͠ൿີใ$IFGͰʢSPPU$"DPOTVMUFNQMBUFͷUPLFOʣ ๏ 5PLFOSFOFXʢ55-ͷԆʣ͠ͳ͕Β༻
๏ NBYMFBTFUUMͷظݶͰࣦޮ͢Δʢ͘SFOFX͢Δͱཁҙʣৄ͘͠ޙड़
)BTIJ$PSQ.FFUVQSE ๏ $POTVMΛετϨʔδͱͯ͠ར༻͢ΔͱΞΫςΟϒͳ7BVMUʹରͯ͠ WBVMUTFSWJDFDPOTVM͕ࣗಈతʹઃఆ͞ΕΔ ๏ 7BVMUΛೝূہͱͯ͠ઃఆ͠αʔόূ໌ॻΛࣗͰൃߦ͢Δ ๏ 7BVMU࠶ىಈ͢Δͱ4FBM͞ΕΔ ๏ -FU`T&ODSZQUΛͬͯαʔόূ໌ॻൃߦ͢Δʁ
1,*ͷ3PPU$" 7BVMUαʔόʹ5-4ଓ͢Δ߹Ͳ͏ͨ͠Βྑ͍͔
)BTIJ$PSQ.FFUVQSE ๏ 7BVMUʹ4*()61γάφϧͰαʔόূ໌ॻͷ࠶ಡΈࠐΈΛ͢Δ ๏ 4*()61Ͱ4FBM͞Εͳ͍ ๏ "VEJUMPHͷMPHSPUBUFʹ͑Δ ๏ 7BVMU͕ൃߦͨ͠3PPU$"$IFGͰ $POTVMUF5FNQMBUFͷ༻
αʔόূ໌ॻʹDPOTVMUFNQMBUFΛ༻͢Δ͜ͱܧଓతͳূ໌ॻൃߦΛࣗಈԽ͢Δ
)BTIJ$PSQ.FFUVQSE vault { address = "https://127.0.0.1:8200" token = "<%= node['vault']['token']
%>" renew_token = true grace = "5m" ssl { enabled = true verify = false } } template { contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.issuing_ca }}{{ end }}" destination = "/usr/share/ca-certificates/extra/Vault_Root_CA.crt" command = "sudo /usr/local/sbin/update_ca_certs" } template { contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.certificate }}{{ end }}" destination = "/etc/vault.d/vault.service.consul.crt" command = "sudo /usr/local/sbin/reload_vault" } template { contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.private_key }}{{ end }}" destination = "/etc/vault.d/vault.service.consul.key" command = "sudo /usr/local/sbin/reload_vault" } TVEPFSTͰڐՄ͢ΔͨΊʹ֤εΫϦϓτʹ ͍ͷͰΠϯϥΠϯͰهड़ 5PLFOͷ55-ΛԆͯ͠༻ $POTVMUF5FNQMBUFͷ༻
)BTIJ$PSQ.FFUVQSE ๏ "QQMJDBUJPO͕7BVMUʹରͯ͠ೝূ͢ΔBQQSPMF ๏ ೝূ͢Δͱࢦఆͷ55-͕ઃఆ͞Εͨ5PLFO͕ൃߦ͞ΕΔ ๏ "QQMJDBUJPOͦͷ5PLFOΛͬͯ7BVMUͱΓऔΓΛ͢Δ ๏ "QQMJDBUJPO͕BQQSPMFͷSPMF@JEͱTFDSFU@JEΛ͍࣋ͬͯͯҙຯ͕ͳ͍ ๏
"QQMJDBUJPOϓϩηεͷ֎Ͱ5PLFOΛൃߦ͢Δ "QQMJDBUJPO5PLFOͷ
)BTIJ$PSQ.FFUVQSE ๏ "QQMJDBUJPOͷσϓϩΠ࣌ʹBQQSPMFBVUIΛ͢ΔίϚϯυΛ࣮ߦ ๏ ίϚϯυೝূͷ18Ͱ͋ΔTFDSFU@JEͷ55-ԆΛ1045 ๏ ଓ͚ͯೝূΛ࣮ߦ͠5PLFOΛऔಘ͢Δ ๏ औಘͨ͠5PLFOΛ"QQMJDBUJPO͕ಡΊΔύεʹஔ "QQMJDBUJPO5PLFOͷղܾ๏
7BVMU $PNNBOE SPMF@JE TFDSFU@JE UPLFO
)BTIJ$PSQ.FFUVQSE 7BVMUUPLFO͕ࣦޮͯ͠ো
)BTIJ$PSQ.FFUVQSE ๏ "QQSPMFͷTFDSFU@JEΛSFOFX͢ΔͨΊʹDVTUPNTFDSFU@JEͱͯ͠ઃఆͯ͠ ͍Δ ๏ DVTUPNTFDSFU@JEʹઃఆ͢ΔUPLFOBVUIUPLFOͰൃߦ ๏ Ϛϯτͨ͠TFDSFU͝ͱʹNBYMFBTFUUMͱ͍͏ઃఆ͕͋ΓɺγεςϜશମ ʹNBYUUM͕ଘࡏ͢Δ ๏
྆ํ͕ະઃఆͷ߹ɺγεςϜͷNBYUUMͰ͋ΔEBZT্͕ݶ 7BVMUUPLFO͕ࣦޮͯ͠ো
)BTIJ$PSQ.FFUVQSE IUUQTXXXWBVMUQSPKFDUJPEPDTDPODFQUTUPLFOTIUNMUIFHFOFSBMDBTF ίϯηϓτʹॻ͍ͯ͋ͬͨ
)BTIJ$PSQ.FFUVQSE .BY55-ઃఆɺ֤Ϛϯτ͞ΕͨγʔΫϨοτ͝ͱʹઃఆ͢ ΔͷͰɺຊ൪ӡ༻࣌ʹඞͣߟྀ͠·͠ΐ͏ɻ ͱͯॏཁͰ͢
)BTIJ$PSQ.FFUVQSE ๏ 5PLFO͕ࣦޮͨ͠ΒBVEJUMPHʹΤϥʔ ͕සൃ͍ͯͨ͠ ๏ 7BVMUTFSWFSͷ$POTVMDIFDLTͰBVEJUMPHͷ ࢹΛՃ ๏ ݕͨ͠ͷ$POTVM"MFSUͰ4MBDL௨ Αͦ͠ΕͳΒࢹՃͩ
{ "name": "vault-audit-log", "tags": ["vault", "audit"], "checks": [ { "script": "sudo /usr/local/sbin/check_audit", "interval": "60s" } ] } #!/bin/bash check-log --file /var/log/vault_audit.log \ --pattern '\"error\":\".+\"' \ —exclude='invalid request|unsupported path|unsupported operation' .BDLFSFMͷDIFDLDPNNBOE
)BTIJ$PSQ.FFUVQSE $POTVMؾܰʹࢹՃͰ͖ͯศརʂ
)BTIJ$PSQ.FFUVQSE ๏ ϩϦϙοϓʂϚωʔδυΫϥυͰͷ)BTIJ$PSQιϑτΣΞͷ׆༻ํ๏ ΛഎܠͱಛΛ౿·͑ղઆ ๏ )BTIJ$PSQιϑτΣΞ͍͜ͳ͢͜ͱͰγεςϜ͕͍͍ײ͡ʹͳΔ ͷͰυΩϡϝϯτΛख़ಡ͢͠ ๏ )BTIJ$PSQͷ֤ιϑτΣΞʹྲྀΕ͕͋Γɺซ༻͢Δ͜ͱͰศར͕͞ ૿͢ʂʂʂ
$PODMVTJPO
)BTIJ$PSQ.FFUVQSE 5IBOLZPV 8FSFIJSJOH