Upgrade to Pro — share decks privately, control downloads, hide ads and more …

コンテナ基盤を支えるHashiCorpソフトウェア / HashiCorp Softwares on Container Base

5d769d109697012317c09c6a27a6a4bf?s=47 linyows
September 11, 2018
Technology
6
4.3k

コンテナ基盤を支えるHashiCorpソフトウェア / HashiCorp Softwares on Container Base

2018.09.11 DevOpsを支える今話題のHashiCorpツール群について(HashiCorp Meetup 3rd)でお話しした資料です

5d769d109697012317c09c6a27a6a4bf?s=128

linyows

September 11, 2018
Tweet

More Decks by linyows

See All by linyows
なぜNotionを使うのか2022 / Why use notion as our workspace in 2022
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
2
2.8k
Denoの仕組み / How deno works as TypeScript runtime
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
1
310
透過型SMTPプロキシによるメール送信集約とキュー輻輳回避の検討 / A Study on Aggregation of Email Transfer and Avoidance of QueueCongestion using a Transparent SMTP Proxy
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
0
1.2k
Goでつくる透過型SMTPプロキシ / Transparent SMTP proxy in Go
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
1
390
Goでサーバの健全性を確保する / Keeping servers healthy with Go
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
0
1.2k
なぜNotionを使うのか / Why use notion as our workspace
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
4
870
みんなのIMAPを可視化する / Visualize IMAP Everybody
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
2
320
CockroachDBって何 / What is CockroachDB
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
1
300
TypeScript v3.7のおさらい / Learning TypeScript v3.7
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
0
140

Other Decks in Technology

See All in Technology
CloudWatchアラームによるサービス継続のための監視入門 / Introduction to Monitoring for Service Continuity with CloudWatch Alarms
107ea34bd4da51e40f1c30b9ca0c459e?s=48 inomasosan
1
450
Reactivity Transform
38bee248082f6071230de65e9d74a944?s=48 kazupon
1
310
ロボットの実行すらメンドクサイ!?
3a06a93a8db01666fd2b822484930594?s=48 kou12092
0
220
8日で作るオレオレRISC-V CPU
8704bea231d4947980094e915111e950?s=48 matsud224
1
140
GCCP Creator @ COSCUP 2022
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
PRO
0
1.4k
テクニカルライティングの検定を受けてみた話 / "My Story About Taking the Technical Writing Exam
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
1
220
プロダクトマネージャーの役割と育成、評価
4ab5447926c5d5cb2c2ff6873b626d2f?s=48 middleokada
18
12k
SBOMを利用したソフトウェアサプライチェーンの保護
45b7a05a1056c10d70bc4caa77d1b2c9?s=48 masahiro331
1
200
JAWS-UG 朝会 #36 登壇資料
08dd0b93e011904f40d60d5a1b54c671?s=48 takakuni
1
590
ECS on EC2 で Auto Scaling やってみる!
5a6e159c3f74fb7bd85e62efe5f34e2b?s=48 sayjoy
1
290
ニコニコ生放送におけるWebフロントエンドBFFサーバーのKubernetes移行事例の紹介
3a206ec7df76023cca167a8886b69672?s=48 himenon
2
500
EKS AnywhereとIAM Anywhereを組み合わせてみた
28dd434482959f605e535fb81f691326?s=48 regmarmcem
0
420

Featured

See All Featured
Scaling GitHub
78b475797a14c84799063c7cd073962f?s=48 holman
451
140k
Fantastic passwords and where to find them - at NoRuKo
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
27
1.6k
Web development in the modern age
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
197
9.3k
The Success of Rails: Ensuring Growth for the Next 100 Years
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
15
3.9k
Art, The Web, and Tiny UX
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
280
18k
The Pragmatic Product Professional
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
19
3.1k
Building Flexible Design Systems
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
310
34k
5 minutes of I Can Smell Your CMS
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
196
18k
VelocityConf: Rendering Performance Case Studies
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
316
22k
Rebuilding a faster, lazier Slack
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
62
7.3k
The Art of Programming - Codeland 2020
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
32
11k
Build your cross-platform service in a week with App Engine
5f83ef806155b403c3393160ce51f955?s=48 jlugia
219
17k

Transcript

  1. খా஌ԝ(.01FQBCP *OD %FW0QTΛࢧ͑Δࠓ࿩୊ͷ)BTIJ$PSQπʔϧ܈ʹ͍ͭͯ )BTIJ$PSQ.FFUVQSE ίϯςφج൫Λࢧ͑Δ )BTIJ$PSQιϑτ΢ΣΞ

  2. )BTIJ$PSQ.FFUVQSE (.0ϖύϘ ϓϦϯγύϧΤϯδχΞ !MJOZPXT CMPHUPNPIJTBPEBDPN

  3. )BTIJ$PSQ.FFUVQSE ࠷ۙͷ͓࢓ࣄ ϖύϘݚڀॴͱ۝भେֶ͕ڞಉݚڀ

  4. )BTIJ$PSQ.FFUVQSE দຊ྄հʹΑΔ࿦จʢ%*$0.0༧ߘʣਫ਼៛ʹ੍ޚՄೳͳ߃ৗੑͷ͋ΔߴूੵϚϧνΞΧ΢ϯτܕͷϝʔϧج൫ IUUQTSBOEQFQBCPDPNQBQFSTEJDPNPQSPDFFEJOHNBUTVNPUPSZQEG ࠷ۙͷ͓࢓ࣄ ओʹ'BTU$POUBJOFSʹΑΔϝʔϧج൫ݚڀ։ൃɺ࠷࣮ۙ૷ྫΛ(JU)VCͰެ։ IUUQTHJUIVCDPN'BTU$POUBJOFS

  5. )BTIJ$PSQ.FFUVQSE ࠷ۙͷ͓࢓ࣄ 7BVMUͷ8PSLTIPQΛࣾ಺޲͚ʹ։࠵ɻҎԼ͸ͦͷ঺հهࣄ IUUQTUFDIQFQBCPDPNWBVMUXPSLTIPQ

  6. )BTIJ$PSQ.FFUVQSE 8&# %#13&44WPM )BTIJ$PSQ7BVMUͷهࣄدߘ ෱Ԭͷ(PMBOHίϛϡχςΟ 'VLVPLBHPͷओ࠵ͷਓ MJOVYϢʔβͷ໊લղܾΛ (JU)VC͔ΒϚοϐϯά͢Δ ιϑτ΢ΣΞͷ։ൃ

  7. )BTIJ$PSQ.FFUVQSE ίϯςφج൫Λࢧ͑Δ)BTIJ$PSQιϑτ΢ΣΞ

  8. )BTIJ$PSQ.FFUVQSE ๏ Ұൠతͳ,VCFSOFUFT΍%PDLFS͸࢖͍ͬͯ·ͤΜ ๏ -9%ͷΑ͏ͳγεςϜίϯςφͰ΋͋Γ·ͤΜ ๏ ಠࣗίϯςφ؀ڥΛఏڙ͢Δଆͷ࿩Ͱ͢ ๏ 0PIPSJ΍'BTU$POUBJOFSɺ)BDPOJXBΛ࢖͍ͬͯ·͢ લఏίϯςφج൫ͱ͍ͬͯ΋ʜ

  9. )BTIJ$PSQ.FFUVQSE 0PIPSJ'BTU$POUBJOFS)BDPOJXB ☺

  10. )BTIJ$PSQ.FFUVQSE 0PIPSJ'BTU$POUBJOFS)BDPOJXB ☺☺☺☺☺ ͜ΕΒ͸ಠࣗ։ൃͨ͠΋ͷͰ͢ ΞʔΩςΫνϟ ίϯςφϥϯλΠϜ ΦʔέετϨʔλʔ Կʹʁ

  11. )BTIJ$PSQ.FFUVQSE ϩϦϙοϓʂϚωʔδυΫϥ΢υ

  12. )BTIJ$PSQ.FFUVQSE ๏ ίϯςφϕʔεͷ1BB4 ๏ ӡ༻෇͖ͷΫϥ΢υͰΫϥ΢υدΓͷϨϯλϧαʔό ๏ ίΞػೳͷΦʔτεέʔϧ͸ίϯςφෛՙʹԠͯ͡εέʔϧΞ΢τ͠ෛՙ ܰݮΑΓεέʔϧΠϯ ๏ ૝ఆ֎ͷ࢖༻ྔ͸ϝʔϧ௨஌΍ར༻੍ݶͳͲͷઃఆ͕Մೳ

    ϩϦϙοϓʂϚωʔδυΫϥ΢υ

  13. )BTIJ$PSQ.FFUVQSE ๏ ҆Ձͳίϯςφ؀ڥͷఏڙʹίϯςφ͕ߴूੵͰ͋Δඞཁ͕͋ΔʢϨϯ αό͸ϩϯάςʔϧతʣ ๏ Ϣʔβ؅ཧͷίϯςφ͕ܧଓతʹ҆શͰ͋Δඞཁ͕͋Δʢϛυϧ΢ΣΞ΍ ґଘϥΠϒϥϦ͕ఆظతʹ࠷৽ʣ ๏ ίϯςφϦιʔε΍ݖݶʹରͯ͠ॊೈͳઃఆ͕ՄೳͰ͋Δ͜ͱͱɺͦΕ Β͕ೳಈతͰ͋Δඞཁ͕͋Δʢίϯςφࣗ਎͕ಈతʹϦιʔεมߋʣ

    ͳͥಠࣗ։ൃͯ͠࢖͏ͷ͔

  14. )BTIJ$PSQ.FFUVQSE ཁٻΛຬͨͨ͢Ίʹඞཁͩͬͨ ֤ٕज़ৄࡉʹ͍ͭͯ͸ݕࡧͯ͠Έ͍ͯͩ͘͞

  15. )BTIJ$PSQ.FFUVQSE ίϯςφج൫Λࢧ͑Δ ϩϦϙοϓʂϚωʔδυΫϥ΢υΛࢧ͑Δ )BTIJ$PSQιϑτ΢ΣΞ

  16. )BTIJ$PSQ.FFUVQSE ·ͣγεςϜશମ૾

  17. )BTIJ$PSQ.FFUVQSE $BDIF 1SPYZ "1* 4ZTUFN0WFSWJFX 4FDSFU.BOBHFS 4FSWJDF.BOBHFS .POJUPS "$.& #FIBWJPS5FTUFS

    4.51 .FUSJDT 4DIFEVMFS 8FC "1* %# $BDIF +PC -# 1SPYZ $PNQVUF %JTQBUDIFS -# 4UPSBHF %# 4UBSUFS 1SPYZ &OW1SPEVDUJPO 4UBHJOH %FWFMPQNFOU "MFSU.BOBHFS )PTUJOH #VTJOFTT #BTUJPO %# 0QFO4UBDL #BSFNFUBM $.%#

  18. )BTIJ$PSQ.FFUVQSE ϛυϧ΢ΣΞΛ௥Ճͯ͠ΈΔ

  19. )BTIJ$PSQ.FFUVQSE $BDIF 1SPYZ "1* 4FDSFU.BOBHFS 4FSWJDF.BOBHFS .POJUPS "$.& #FIBWJPS5FTUFS 4.51

    .FUSJDT 4DIFEVMFS 8FC "1* %# $BDIF +PC -# 1SPYZ $PNQVUF %JTQBUDIFS -# 4UPSBHF %# 4UBSUFS 1SPYZ "MFSU.BOBHFS )PTUJOH #VTJOFTT #BTUJPO %# 0QFO4UBDL #BSFNFUBM $.%# 4ZTUFN0WFSWJFX &OW1SPEVDUJPO 4UBHJOH %FWFMPQNFOU

  20. )BTIJ$PSQ.FFUVQSE ࣍ʹσϓϩΠϑϩʔ

  21. )BTIJ$PSQ.FFUVQSE 0QFO4UBDL #BSFNFUBM .""4 ,OJGF;FSP $* %FQMPZ'MPX

  22. )BTIJ$PSQ.FFUVQSE ๏ 0QFO4UBDLͱ#BSFNFUBMͷϋΠϒϦου؀ڥ ๏ 1BDLFSͰ࡞ΔΠϝʔδ͸࠷খݶͰશϩʔϧڞ௨Խͯ͠࢖༻ ๏ 5FSSBGPSNͷ1SPWJTJPOFS͸࢖༻ͤͣ,OJGF;FSPΛ࢖͏ ๏ ։ൃ؀ڥ͸7BHSBOUʢϩʔϧ͕ଟ͍ͷͰZNM؅ཧͰ͖ΔQMVHJOΛ࢖༻ʣ ๏

    සൟʹൃੜ͢Δେ͖ͳ࢓༷มߋͱεςʔτϑϧͳϩʔϧ΋ଟ͍͜ͱ͔Β *NNVUBCMF*OGSBΛࣺͯΔઓུ શମతಛ௃

  23. )BTIJ$PSQ.FFUVQSE ๏ 7BHSBOU ๏ 1BDLFS ๏ 5FSSBGPSN ๏ $POTVM ๏

    7BVMU ๏ /PNBEʢͷͪʹKSBMMJTPOHPXPSLFSTͱബ͍"1*ʹมߋʣ ར༻͍ͯ͠Δ)BTIJ$PSQιϑτ΢ΣΞ

  24. )BTIJ$PSQ.FFUVQSE αʔϏεܧଓʹͳͯ͘͸ͳΒͳ͍ ѹ౗తײँ

  25. )BTIJ$PSQ.FFUVQSE 5FSSBGPSN࢖༻ͷಛ௃

  26. )BTIJ$PSQ.FFUVQSE ๏ ՄೳͳݶΓNPEVMFΛ࠶ར༻Ͱ͖ΔΑ͏ʹ͍ͯ͠Δ ๏ ౰ॳUGTUBUFΛHJU؅ཧ͍ͯͯ͠ෳ਺ਓͰ࡞ۀ͢Δͱҋ͔͠ͳ͙͘͢ʹ4ʹมߋ ๏ 8PSLTQBDF͸1SPEVDUJPOͱ4UBHJOHͰ࢖͍ͬͯΔ ๏ DMPVEJOJUͰ4MBDL௨஌౳ɺར༻ऀґଘ෦෼Λ஫ೖ͍ͯ͠Δ ๏

    MJGFDZDMFͷઃఆ͸ࣄނ๷ࢭʹඞਢ ๏ $*ͰGNU͢ΔΑ͏ʹ͍ͯ͠Δ 5FSSBGPSN

  27. )BTIJ$PSQ.FFUVQSE module "reserved_vip" { source = "../reserved_vip" count = "${var.int_vip_count}"

    name = "${var.role}" network = "${var.network}" } module "pairaddress_port" { source = "../pairaddress_port" count = "${var.count}" network = "${var.network}" security_group_ids = ["${values(var.security_groups)}"] use_floating_ip = false allowed_ip_address = "${data.openstack_networking_subnet_v2.subnet.cidr}" role = "${var.role}" } resource "openstack_compute_instance_v2" "instance" { lifecycle { ignore_changes = ["user_data", "key_pair", "image_name", "availability_zone"] } count = "${var.count}" name = "${terraform.env != "staging" ? "" : "staging-"}${var.role}-${count.index + var.count_offset + 1}.${var.domain}" image_name = "${var.image_name}" flavor_name = "${var.flavor_name}" key_pair = "${var.key_pair}" availability_zone = "${var.availability_zones[(count.index + var.count_offset) % length(var.availability_zones)]}" security_groups = ["${keys(var.security_groups)}"] user_data = "${data.template_file.init.rendered}" network { port = "${element(module.pairaddress_port.ids, count.index)}" modules/ ├── instance │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── instance_with_extvip │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── instance_with_intvip │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── pairaddress_port │ ├── main.tf │ ├── outputs.tf │ └── varaibales.tf ├── reserved_vip │ ├── main.tf │ ├── outputs.tf │ └── variables.tf └── volume ├── main.tf └── variables.tf 5FSSBGPSNࡉ͔۠͘੾ͬͨNPEVMFͷྫ

  28. )BTIJ$PSQ.FFUVQSE 5FSSBGPSNࡉ͔۠͘੾ͬͨNPEVMFͷྫ module "api" { count = "${terraform.env == "staging"

    ? 3 : var.api_count}" source = "./modules/instance" role = "api" flavor_name = "c1.large" network_id = "${openstack_networking_network_v2.lan.id}" security_groups = { "${openstack_networking_secgroup_v2.base.name}" = "${openstack_networking_secgroup_v2.base.id}" "${openstack_networking_secgroup_v2.api.name}" = "${openstack_networking_secgroup_v2.api.id}" } } module "secretmanager" { count = "${terraform.env == "staging" ? 2 : var.vault_count}" source = "./modules/instance_with_intvip" role = "secretmanager" flavor_name = "c1.medium" network = "${var.nyah["tenant_name"]}-lan" security_groups = { "${openstack_networking_secgroup_v2.base.name}" = "${openstack_networking_secgroup_v2.base.id}" "${openstack_networking_secgroup_v2.secretmanager.name}" = "${openstack_networking_secgroup_v2.secretmanager.id}" } } ڞ௨ԽʹΑΓ*OTUBODFͷఆ͕ٛγϯϓϧʹ

  29. )BTIJ$PSQ.FFUVQSE $POTVM࢖༻ͷಛ௃

  30. )BTIJ$PSQ.FFUVQSE ๏ ϝΠϯ͸αʔϏεσ ΟεΧόϦʢ΋ͪΖΜ؂ࢹʣ ๏ .BDLFSFMͱ໾ׂ෼୲͸֎ܗ؂ࢹ͔αʔϏε؂ࢹ͔ ๏ ϗετͷ໊લղܾ͸$POTVM%/4ͱ6OCPVOEΛ࢖༻ ๏ 7BVMUͷετϨʔδόοΫΤϯυͱͯ͠΋ར༻

    ๏ શϊʔυʹ$POTVM"HFOUͱαʔϏε΍؂ࢹͰ࢖༻͢Δ1SPNFUIFVTͷ DPOTVM OPEF CMBDLCPYFYQPSUFS͕ೖ͍ͬͯΔ $POTVM

  31. )BTIJ$PSQ.FFUVQSE $POTVM%/4ͷศར࢖༻๏ $ cat ~/.ssh/config … Host bastion-1.ohr HostName xxx.xxx.xxx.xxx

    User linyows Host *.ohr !bastion-1.ohr !bastion-2.ohr !staging-*.ohr !*baremetal.ohr ProxyCommand ssh -W "$(basename "$(sed -E "s/.ohr/.node.consul/"<<<"%h")")":%p bastion-1.ohr User linyows $ ssh app-1.ohr __ ___ __ _____ _/ / / _ \/ // / _ `/ _ \ /_//_/\_, /\_,_/_//_/ /___/ ubuntu https://github.pepabo.com/tech/packer-templates (c) GMO Pepabo, Inc. linyows@app-1:~$ ౿Έ୆αʔόͰ໊લղܾ͢Δ͜ͱͰଟஈ44)Λศརʹ

  32. )BTIJ$PSQ.FFUVQSE $POTVM%/4ͷศར࢖༻๏ 1SPYZͷ6QTUSFBNΛ$POTVM%/4Ͱϥ΢ϯυϩϏϯ hosts: "foo.service.consul:443": listen: port: 443 ssl: certificate-file:

    /etc/h2o/tls.crt key-file: /etc/h2o/tls.key paths: "/": proxy.reverse.url: "https://foo.service.consul:443/"

  33. )BTIJ$PSQ.FFUVQSE $POTVM5FNQMBUFͷ࢖༻ ,FFQBMJWFEͷDPOGʹDPOTVMUFNQMBUFΛ࢖༻͢Δ͜ͱͰ1SPYZͷ$POTVMKPJOͰαʔϏεΠϯ͢Δ virtual_server <%= @vip %> 443 { delay_loop

    10 lvs_sched rr lvs_method NAT protocol TCP {{range service "proxy|passing"}} real_server {{.Address}} 443 { weight 1 TCP_CHECK { connect_port 443 connect_timeout 30 } }{{end}} }

  34. )BTIJ$PSQ.FFUVQSE ͍ΖΜͳϨΠϠʔ͕ͳΊΒ͔ʹϦϦʔε %/4 -# -# 1SPYZ 1SPYZ 1SPYZ /FX1SPYZ 8FC

    8FC 8FC /FX8FC 8FC 8FC XFCTFSWJDFDPOTVM DPOTVMUFNQMBUF DPOTVMEOT YYYYYYYYYYY YYYYYYYYYYY YYYYYYYYYYY YYYYYYYYYYY

  35. )BTIJ$PSQ.FFUVQSE 7BVMU࢖༻ͷಛ௃

  36. )BTIJ$PSQ.FFUVQSE 7BVMU ๏ 1,*ͱ5SBOTJUγʔΫϨοτΛར༻ʢ͞Βʹ௥Ճ༧ఆʣ ๏ %#ʹอ࣋͢Δൿີ৘ใ͸શͯ7BVMUͰ҉߸Խ ๏ ൃߦͨ͠ൿີ৘ใ͸$IFGͰ഑෍ʢSPPU$"΍DPOTVMUFNQMBUFͷUPLFO౳ʣ ๏ 5PLFO͸SFOFXʢ55-ͷԆ௕ʣ͠ͳ͕Β࢖༻

    ๏ NBYMFBTFUUMͷظݶͰࣦޮ͢Δʢ௕͘SFOFX͢Δͱཁ஫ҙʣৄ͘͠͸ޙड़

  37. )BTIJ$PSQ.FFUVQSE ๏ $POTVMΛετϨʔδͱͯ͠ར༻͢ΔͱΞΫςΟϒͳ7BVMUʹରͯ͠ WBVMUTFSWJDFDPOTVM͕ࣗಈతʹઃఆ͞ΕΔ ๏ 7BVMUΛೝূہͱͯ͠ઃఆ͠αʔόূ໌ॻΛࣗ෼Ͱൃߦ͢Δ ๏ 7BVMU͸࠶ىಈ͢Δͱ4FBM͞ΕΔ ๏ -FU`T&ODSZQUΛ࢖ͬͯαʔόূ໌ॻൃߦ͢Δʁ

    1,*ͷ3PPU$"഑෍໰୊ 7BVMUαʔόʹ5-4઀ଓ͢Δ৔߹Ͳ͏ͨ͠Βྑ͍͔

  38. )BTIJ$PSQ.FFUVQSE ๏ 7BVMUʹ4*()61γάφϧͰαʔόূ໌ॻͷ࠶ಡΈࠐΈΛ͢Δ ๏ 4*()61Ͱ͸4FBM͞Εͳ͍ ๏ "VEJUMPHͷMPHSPUBUFʹ΋࢖͑Δ ๏ 7BVMU͕ൃߦͨ͠3PPU$"͸$IFGͰ഑෍ $POTVMUF5FNQMBUFͷ࢖༻

    αʔόূ໌ॻʹDPOTVMUFNQMBUFΛ࢖༻͢Δ͜ͱܧଓతͳূ໌ॻൃߦΛࣗಈԽ͢Δ

  39. )BTIJ$PSQ.FFUVQSE vault { address = "https://127.0.0.1:8200" token = "<%= node['vault']['token']

    %>" renew_token = true grace = "5m" ssl { enabled = true verify = false } } template { contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.issuing_ca }}{{ end }}" destination = "/usr/share/ca-certificates/extra/Vault_Root_CA.crt" command = "sudo /usr/local/sbin/update_ca_certs" } template { contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.certificate }}{{ end }}" destination = "/etc/vault.d/vault.service.consul.crt" command = "sudo /usr/local/sbin/reload_vault" } template { contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.private_key }}{{ end }}" destination = "/etc/vault.d/vault.service.consul.key" command = "sudo /usr/local/sbin/reload_vault" } TVEPFSTͰڐՄ͢ΔͨΊʹ֤εΫϦϓτʹ ୹͍ͷͰΠϯϥΠϯͰهड़ 5PLFOͷ55-ΛԆ௕ͯ͠࢖༻ $POTVMUF5FNQMBUFͷ࢖༻

  40. )BTIJ$PSQ.FFUVQSE ๏ "QQMJDBUJPO͕7BVMUʹରͯ͠ೝূ͢ΔBQQSPMF ๏ ೝূ͢Δͱࢦఆͷ55-͕ઃఆ͞Εͨ5PLFO͕ൃߦ͞ΕΔ ๏ "QQMJDBUJPO͸ͦͷ5PLFOΛ࢖ͬͯ7BVMUͱ΍ΓऔΓΛ͢Δ ๏ "QQMJDBUJPO͕BQQSPMFͷSPMF@JEͱTFDSFU@JEΛ͍࣋ͬͯͯ΋ҙຯ͕ͳ͍ ๏

    "QQMJDBUJPOϓϩηεͷ֎Ͱ5PLFOΛൃߦ͢Δ "QQMJDBUJPO5PLFOͷ഑෍໰୊

  41. )BTIJ$PSQ.FFUVQSE ๏ "QQMJDBUJPOͷσϓϩΠ࣌ʹBQQSPMFBVUIΛ͢ΔίϚϯυΛ࣮ߦ ๏ ίϚϯυ͸ೝূͷ18Ͱ͋ΔTFDSFU@JEͷ55-Ԇ௕Λ1045 ๏ ଓ͚ͯೝূΛ࣮ߦ͠5PLFOΛऔಘ͢Δ ๏ औಘͨ͠5PLFOΛ"QQMJDBUJPO͕ಡΊΔύεʹ഑ஔ "QQMJDBUJPO5PLFOͷ഑෍໰୊ղܾ๏

    7BVMU $PNNBOE SPMF@JE TFDSFU@JE UPLFO

  42. )BTIJ$PSQ.FFUVQSE 7BVMUUPLFO͕ࣦޮͯ͠ো֐

  43. )BTIJ$PSQ.FFUVQSE ๏ "QQSPMFͷTFDSFU@JEΛSFOFX͢ΔͨΊʹDVTUPNTFDSFU@JEͱͯ͠ઃఆͯ͠ ͍Δ ๏ DVTUPNTFDSFU@JEʹઃఆ͢ΔUPLFO͸BVUIUPLFOͰൃߦ ๏ Ϛ΢ϯτͨ͠TFDSFU͝ͱʹNBYMFBTFUUMͱ͍͏ઃఆ͕͋ΓɺγεςϜશମ ʹ΋NBYUUM͕ଘࡏ͢Δ ๏

    ྆ํ͕ະઃఆͷ৔߹ɺγεςϜͷNBYUUMͰ͋ΔEBZT্͕ݶ 7BVMUUPLFO͕ࣦޮͯ͠ো֐

  44. )BTIJ$PSQ.FFUVQSE IUUQTXXXWBVMUQSPKFDUJPEPDTDPODFQUTUPLFOTIUNMUIFHFOFSBMDBTF ίϯηϓτʹॻ͍ͯ͋ͬͨ

  45. )BTIJ$PSQ.FFUVQSE .BY55-ઃఆ͸ɺ֤Ϛ΢ϯτ͞ΕͨγʔΫϨοτ͝ͱʹઃఆ͢ ΔͷͰɺຊ൪ӡ༻࣌ʹ͸ඞͣߟྀ͠·͠ΐ͏ɻ ͱͯ΋ॏཁͰ͢

  46. )BTIJ$PSQ.FFUVQSE ๏ 5PLFO͕ࣦޮͨ͠ΒBVEJUMPHʹΤϥʔ ͕සൃ͍ͯͨ͠ ๏ 7BVMUTFSWFSͷ$POTVMDIFDLTͰBVEJUMPHͷ ؂ࢹΛ௥Ճ ๏ ݕ஌ͨ͠΋ͷ͸$POTVM"MFSUͰ4MBDL௨஌ Αͦ͠ΕͳΒ؂ࢹ௥Ճͩ

    { "name": "vault-audit-log", "tags": ["vault", "audit"], "checks": [ { "script": "sudo /usr/local/sbin/check_audit", "interval": "60s" } ] } #!/bin/bash check-log --file /var/log/vault_audit.log \ --pattern '\"error\":\".+\"' \ —exclude='invalid request|unsupported path|unsupported operation' .BDLFSFMͷDIFDLDPNNBOE

  47. )BTIJ$PSQ.FFUVQSE $POTVMؾܰʹ؂ࢹ௥ՃͰ͖ͯศརʂ

  48. )BTIJ$PSQ.FFUVQSE ๏ ϩϦϙοϓʂϚωʔδυΫϥ΢υͰͷ)BTIJ$PSQιϑτ΢ΣΞͷ׆༻ํ๏ Λഎܠͱಛ௃Λ౿·͑ղઆ ๏ )BTIJ$PSQιϑτ΢ΣΞ͸࢖͍͜ͳ͢͜ͱͰγεςϜ͕͍͍ײ͡ʹͳΔ ͷͰυΩϡϝϯτΛख़ಡ͢΂͠ ๏ )BTIJ$PSQͷ֤ιϑτ΢ΣΞʹ͸ྲྀΕ͕͋Γɺซ༻͢Δ͜ͱͰศར͕͞ ૿͢ʂʂʂ

    $PODMVTJPO

  49. )BTIJ$PSQ.FFUVQSE 5IBOLZPV 8FSFIJSJOH