2018.09.11 DevOpsを支える今話題のHashiCorpツール群について(HashiCorp Meetup 3rd)でお話しした資料です
খాԝ(.01FQBCP *OD%FW0QTΛࢧ͑Δࠓͷ)BTIJ$PSQπʔϧ܈ʹ͍ͭͯ)BTIJ$PSQ.FFUVQSEίϯςφج൫Λࢧ͑Δ)BTIJ$PSQιϑτΣΞ
View Slide
)BTIJ$PSQ.FFUVQSE(.0ϖύϘϓϦϯγύϧΤϯδχΞ!MJOZPXTCMPHUPNPIJTBPEBDPN
)BTIJ$PSQ.FFUVQSE࠷ۙͷ͓ࣄϖύϘݚڀॴͱभେֶ͕ڞಉݚڀ
)BTIJ$PSQ.FFUVQSEদຊ྄հʹΑΔจʢ%*$0.0༧ߘʣਫ਼៛ʹ੍ޚՄೳͳ߃ৗੑͷ͋ΔߴूੵϚϧνΞΧϯτܕͷϝʔϧج൫IUUQTSBOEQFQBCPDPNQBQFSTEJDPNPQSPDFFEJOHNBUTVNPUPSZQEG࠷ۙͷ͓ࣄओʹ'BTU$POUBJOFSʹΑΔϝʔϧج൫ݚڀ։ൃɺ࠷࣮ۙྫΛ(JU)VCͰެ։IUUQTHJUIVCDPN'BTU$POUBJOFS
)BTIJ$PSQ.FFUVQSE࠷ۙͷ͓ࣄ7BVMUͷ8PSLTIPQΛ͚ࣾʹ։࠵ɻҎԼͦͷհهࣄIUUQTUFDIQFQBCPDPNWBVMUXPSLTIPQ
)BTIJ$PSQ.FFUVQSE8%#13&44WPM)BTIJ$PSQ7BVMUͷهࣄدߘԬͷ(PMBOHίϛϡχςΟ'VLVPLBHPͷओ࠵ͷਓMJOVYϢʔβͷ໊લղܾΛ(JU)VC͔ΒϚοϐϯά͢ΔιϑτΣΞͷ։ൃ
)BTIJ$PSQ.FFUVQSEίϯςφج൫Λࢧ͑Δ)BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE๏ Ұൠతͳ,VCFSOFUFT%PDLFS͍ͬͯ·ͤΜ๏ -9%ͷΑ͏ͳγεςϜίϯςφͰ͋Γ·ͤΜ๏ ಠࣗίϯςφڥΛఏڙ͢ΔଆͷͰ͢๏ 0PIPSJ'BTU$POUBJOFSɺ)BDPOJXBΛ͍ͬͯ·͢લఏίϯςφج൫ͱ͍ͬͯʜ
)BTIJ$PSQ.FFUVQSE0PIPSJ'BTU$POUBJOFS)BDPOJXB☺
)BTIJ$PSQ.FFUVQSE0PIPSJ'BTU$POUBJOFS)BDPOJXB☺☺☺☺☺͜ΕΒಠࣗ։ൃͨ͠ͷͰ͢ΞʔΩςΫνϟ ίϯςφϥϯλΠϜΦʔέετϨʔλʔԿʹʁ
)BTIJ$PSQ.FFUVQSEϩϦϙοϓʂϚωʔδυΫϥυ
)BTIJ$PSQ.FFUVQSE๏ ίϯςφϕʔεͷ1BB4๏ ӡ༻͖ͷΫϥυͰΫϥυدΓͷϨϯλϧαʔό๏ ίΞػೳͷΦʔτεέʔϧίϯςφෛՙʹԠͯ͡εέʔϧΞτ͠ෛՙܰݮΑΓεέʔϧΠϯ๏ ఆ֎ͷ༻ྔϝʔϧ௨ར༻੍ݶͳͲͷઃఆ͕ՄೳϩϦϙοϓʂϚωʔδυΫϥυ
)BTIJ$PSQ.FFUVQSE๏ ҆Ձͳίϯςφڥͷఏڙʹίϯςφ͕ߴूੵͰ͋Δඞཁ͕͋ΔʢϨϯαόϩϯάςʔϧతʣ๏ Ϣʔβཧͷίϯςφ͕ܧଓతʹ҆શͰ͋Δඞཁ͕͋ΔʢϛυϧΣΞґଘϥΠϒϥϦ͕ఆظతʹ࠷৽ʣ๏ ίϯςφϦιʔεݖݶʹରͯ͠ॊೈͳઃఆ͕ՄೳͰ͋Δ͜ͱͱɺͦΕΒ͕ೳಈతͰ͋Δඞཁ͕͋Δʢίϯςφ͕ࣗಈతʹϦιʔεมߋʣͳͥಠࣗ։ൃͯ͠͏ͷ͔
)BTIJ$PSQ.FFUVQSEཁٻΛຬͨͨ͢Ίʹඞཁ֤ٕͩͬͨज़ৄࡉʹ͍ͭͯݕࡧͯ͠Έ͍ͯͩ͘͞
)BTIJ$PSQ.FFUVQSEίϯςφج൫Λࢧ͑ΔϩϦϙοϓʂϚωʔδυΫϥυΛࢧ͑Δ)BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSE·ͣγεςϜશମ૾
)BTIJ$PSQ.FFUVQSE$BDIF1SPYZ"1*4ZTUFN0WFSWJFX4FDSFU.BOBHFS4FSWJDF.BOBHFS.POJUPS"$.&#FIBWJPS5FTUFS4.51.FUSJDT4DIFEVMFS8FC"1*%#$BDIF+PC-#1SPYZ$PNQVUF%JTQBUDIFS-#4UPSBHF%#4UBSUFS1SPYZ&OW1SPEVDUJPO 4UBHJOH %FWFMPQNFOU"MFSU.BOBHFS)PTUJOH#VTJOFTT#BTUJPO%#0QFO4UBDL #BSFNFUBM$.%#
)BTIJ$PSQ.FFUVQSEϛυϧΣΞΛՃͯ͠ΈΔ
)BTIJ$PSQ.FFUVQSE$BDIF1SPYZ"1*4FDSFU.BOBHFS4FSWJDF.BOBHFS.POJUPS"$.&#FIBWJPS5FTUFS4.51.FUSJDT4DIFEVMFS8FC"1*%#$BDIF+PC-#1SPYZ$PNQVUF%JTQBUDIFS-#4UPSBHF%#4UBSUFS1SPYZ"MFSU.BOBHFS)PTUJOH#VTJOFTT#BTUJPO%#0QFO4UBDL #BSFNFUBM$.%#4ZTUFN0WFSWJFX&OW1SPEVDUJPO 4UBHJOH %FWFMPQNFOU
)BTIJ$PSQ.FFUVQSE࣍ʹσϓϩΠϑϩʔ
)BTIJ$PSQ.FFUVQSE0QFO4UBDL#BSFNFUBM .""4,OJGF;FSP$*%FQMPZ'MPX
)BTIJ$PSQ.FFUVQSE๏ 0QFO4UBDLͱ#BSFNFUBMͷϋΠϒϦουڥ๏ 1BDLFSͰ࡞ΔΠϝʔδ࠷খݶͰશϩʔϧڞ௨Խͯ͠༻๏ 5FSSBGPSNͷ1SPWJTJPOFS༻ͤͣ,OJGF;FSPΛ͏๏ ։ൃڥ7BHSBOUʢϩʔϧ͕ଟ͍ͷͰZNMཧͰ͖ΔQMVHJOΛ༻ʣ๏ සൟʹൃੜ͢Δେ͖ͳ༷มߋͱεςʔτϑϧͳϩʔϧଟ͍͜ͱ͔Β*NNVUBCMF*OGSBΛࣺͯΔઓུશମతಛ
)BTIJ$PSQ.FFUVQSE๏ 7BHSBOU๏ 1BDLFS๏ 5FSSBGPSN๏ $POTVM๏ 7BVMU๏ /PNBEʢͷͪʹKSBMMJTPOHPXPSLFSTͱബ͍"1*ʹมߋʣར༻͍ͯ͠Δ)BTIJ$PSQιϑτΣΞ
)BTIJ$PSQ.FFUVQSEαʔϏεܧଓʹͳͯ͘ͳΒͳ͍ѹతײँ
)BTIJ$PSQ.FFUVQSE5FSSBGPSN༻ͷಛ
)BTIJ$PSQ.FFUVQSE๏ ՄೳͳݶΓNPEVMFΛ࠶ར༻Ͱ͖ΔΑ͏ʹ͍ͯ͠Δ๏ ॳUGTUBUFΛHJUཧ͍ͯͯ͠ෳਓͰ࡞ۀ͢Δͱҋ͔͠ͳ͙͘͢ʹ4ʹมߋ๏ 8PSLTQBDF1SPEVDUJPOͱ4UBHJOHͰ͍ͬͯΔ๏ DMPVEJOJUͰ4MBDL௨ɺར༻ऀґଘ෦Λೖ͍ͯ͠Δ๏ MJGFDZDMFͷઃఆࣄނࢭʹඞਢ๏ $*ͰGNU͢ΔΑ͏ʹ͍ͯ͠Δ5FSSBGPSN
)BTIJ$PSQ.FFUVQSEmodule "reserved_vip" {source = "../reserved_vip"count = "${var.int_vip_count}"name = "${var.role}"network = "${var.network}"}module "pairaddress_port" {source = "../pairaddress_port"count = "${var.count}"network = "${var.network}"security_group_ids = ["${values(var.security_groups)}"]use_floating_ip = falseallowed_ip_address = "${data.openstack_networking_subnet_v2.subnet.cidr}"role = "${var.role}"}resource "openstack_compute_instance_v2" "instance" {lifecycle {ignore_changes = ["user_data", "key_pair", "image_name", "availability_zone"]}count = "${var.count}"name = "${terraform.env != "staging" ? "" : "staging-"}${var.role}-${count.index + var.count_offset +1}.${var.domain}"image_name = "${var.image_name}"flavor_name = "${var.flavor_name}"key_pair = "${var.key_pair}"availability_zone = "${var.availability_zones[(count.index + var.count_offset) % length(var.availability_zones)]}"security_groups = ["${keys(var.security_groups)}"]user_data = "${data.template_file.init.rendered}"network {port = "${element(module.pairaddress_port.ids, count.index)}"modules/├── instance│ ├── main.tf│ ├── outputs.tf│ └── variables.tf├── instance_with_extvip│ ├── main.tf│ ├── outputs.tf│ └── variables.tf├── instance_with_intvip│ ├── main.tf│ ├── outputs.tf│ └── variables.tf├── pairaddress_port│ ├── main.tf│ ├── outputs.tf│ └── varaibales.tf├── reserved_vip│ ├── main.tf│ ├── outputs.tf│ └── variables.tf└── volume├── main.tf└── variables.tf5FSSBGPSNࡉ͔۠ͬͨ͘NPEVMFͷྫ
)BTIJ$PSQ.FFUVQSE5FSSBGPSNࡉ͔۠ͬͨ͘NPEVMFͷྫmodule "api" {count = "${terraform.env == "staging" ? 3 : var.api_count}"source = "./modules/instance"role = "api"flavor_name = "c1.large"network_id = "${openstack_networking_network_v2.lan.id}"security_groups = {"${openstack_networking_secgroup_v2.base.name}" = "${openstack_networking_secgroup_v2.base.id}""${openstack_networking_secgroup_v2.api.name}" = "${openstack_networking_secgroup_v2.api.id}"}}module "secretmanager" {count = "${terraform.env == "staging" ? 2 : var.vault_count}"source = "./modules/instance_with_intvip"role = "secretmanager"flavor_name = "c1.medium"network = "${var.nyah["tenant_name"]}-lan"security_groups = {"${openstack_networking_secgroup_v2.base.name}" = "${openstack_networking_secgroup_v2.base.id}""${openstack_networking_secgroup_v2.secretmanager.name}" = "${openstack_networking_secgroup_v2.secretmanager.id}"}}ڞ௨ԽʹΑΓ*OTUBODFͷఆ͕ٛγϯϓϧʹ
)BTIJ$PSQ.FFUVQSE$POTVM༻ͷಛ
)BTIJ$PSQ.FFUVQSE๏ ϝΠϯαʔϏεσΟεΧόϦʢͪΖΜࢹʣ๏ .BDLFSFMͱׂ୲֎ܗࢹ͔αʔϏεࢹ͔๏ ϗετͷ໊લղܾ$POTVM%/4ͱ6OCPVOEΛ༻๏ 7BVMUͷετϨʔδόοΫΤϯυͱͯ͠ར༻๏ શϊʔυʹ$POTVM"HFOUͱαʔϏεࢹͰ༻͢Δ1SPNFUIFVTͷDPOTVM OPEF CMBDLCPYFYQPSUFS͕ೖ͍ͬͯΔ$POTVM
)BTIJ$PSQ.FFUVQSE$POTVM%/4ͷศར༻๏$ cat ~/.ssh/config…Host bastion-1.ohrHostName xxx.xxx.xxx.xxxUser linyowsHost *.ohr !bastion-1.ohr !bastion-2.ohr !staging-*.ohr !*baremetal.ohrProxyCommand ssh -W "$(basename "$(sed -E "s/.ohr/.node.consul/"<<<"%h")")":%p bastion-1.ohrUser linyows$ ssh app-1.ohr_____ __ _____ _/ // _ \/ // / _ `/ _ \/_//_/\_, /\_,_/_//_//___/ ubuntuhttps://github.pepabo.com/tech/packer-templates(c) GMO Pepabo, Inc.linyows@app-1:~$౿ΈαʔόͰ໊લղܾ͢Δ͜ͱͰଟஈ44)Λศརʹ
)BTIJ$PSQ.FFUVQSE$POTVM%/4ͷศར༻๏1SPYZͷ6QTUSFBNΛ$POTVM%/4ͰϥϯυϩϏϯhosts:"foo.service.consul:443":listen:port: 443ssl:certificate-file: /etc/h2o/tls.crtkey-file: /etc/h2o/tls.keypaths:"/":proxy.reverse.url: "https://foo.service.consul:443/"
)BTIJ$PSQ.FFUVQSE$POTVM5FNQMBUFͷ༻,FFQBMJWFEͷDPOGʹDPOTVMUFNQMBUFΛ༻͢Δ͜ͱͰ1SPYZͷ$POTVMKPJOͰαʔϏεΠϯ͢Δvirtual_server <%= @vip %> 443 {delay_loop 10lvs_sched rrlvs_method NATprotocol TCP{{range service "proxy|passing"}}real_server {{.Address}} 443 {weight 1TCP_CHECK {connect_port 443connect_timeout 30}}{{end}}}
)BTIJ$PSQ.FFUVQSE͍ΖΜͳϨΠϠʔ͕ͳΊΒ͔ʹϦϦʔε%/4-#-#1SPYZ1SPYZ1SPYZ/FX1SPYZ8FC8FC8FC/FX8FC8FC8FCXFCTFSWJDFDPOTVMDPOTVMUFNQMBUFDPOTVMEOTYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
)BTIJ$PSQ.FFUVQSE7BVMU༻ͷಛ
)BTIJ$PSQ.FFUVQSE7BVMU๏ 1,*ͱ5SBOTJUγʔΫϨοτΛར༻ʢ͞ΒʹՃ༧ఆʣ๏ %#ʹอ࣋͢Δൿີใશͯ7BVMUͰ҉߸Խ๏ ൃߦͨ͠ൿີใ$IFGͰʢSPPU$"DPOTVMUFNQMBUFͷUPLFOʣ๏ 5PLFOSFOFXʢ55-ͷԆʣ͠ͳ͕Β༻๏ NBYMFBTFUUMͷظݶͰࣦޮ͢Δʢ͘SFOFX͢Δͱཁҙʣৄ͘͠ޙड़
)BTIJ$PSQ.FFUVQSE๏ $POTVMΛετϨʔδͱͯ͠ར༻͢ΔͱΞΫςΟϒͳ7BVMUʹରͯ͠WBVMUTFSWJDFDPOTVM͕ࣗಈతʹઃఆ͞ΕΔ๏ 7BVMUΛೝূہͱͯ͠ઃఆ͠αʔόূ໌ॻΛࣗͰൃߦ͢Δ๏ 7BVMU࠶ىಈ͢Δͱ4FBM͞ΕΔ๏ -FU`T&ODSZQUΛͬͯαʔόূ໌ॻൃߦ͢Δʁ1,*ͷ3PPU$"7BVMUαʔόʹ5-4ଓ͢Δ߹Ͳ͏ͨ͠Βྑ͍͔
)BTIJ$PSQ.FFUVQSE๏ 7BVMUʹ4*()61γάφϧͰαʔόূ໌ॻͷ࠶ಡΈࠐΈΛ͢Δ๏ 4*()61Ͱ4FBM͞Εͳ͍๏ "VEJUMPHͷMPHSPUBUFʹ͑Δ๏ 7BVMU͕ൃߦͨ͠3PPU$"$IFGͰ$POTVMUF5FNQMBUFͷ༻αʔόূ໌ॻʹDPOTVMUFNQMBUFΛ༻͢Δ͜ͱܧଓతͳূ໌ॻൃߦΛࣗಈԽ͢Δ
)BTIJ$PSQ.FFUVQSEvault {address = "https://127.0.0.1:8200"token = "<%= node['vault']['token'] %>"renew_token = truegrace = "5m"ssl {enabled = trueverify = false}}template {contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.issuing_ca }}{{ end }}"destination = "/usr/share/ca-certificates/extra/Vault_Root_CA.crt"command = "sudo /usr/local/sbin/update_ca_certs"}template {contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.certificate }}{{ end }}"destination = "/etc/vault.d/vault.service.consul.crt"command = "sudo /usr/local/sbin/reload_vault"}template {contents = "{{ with secret \"pki/issue/service-consul\" \"common_name=vault.service.consul\" }}{{ .Data.private_key }}{{ end }}"destination = "/etc/vault.d/vault.service.consul.key"command = "sudo /usr/local/sbin/reload_vault"} TVEPFSTͰڐՄ͢ΔͨΊʹ֤εΫϦϓτʹ͍ͷͰΠϯϥΠϯͰهड़5PLFOͷ55-ΛԆͯ͠༻$POTVMUF5FNQMBUFͷ༻
)BTIJ$PSQ.FFUVQSE๏ "QQMJDBUJPO͕7BVMUʹରͯ͠ೝূ͢ΔBQQSPMF๏ ೝূ͢Δͱࢦఆͷ55-͕ઃఆ͞Εͨ5PLFO͕ൃߦ͞ΕΔ๏ "QQMJDBUJPOͦͷ5PLFOΛͬͯ7BVMUͱΓऔΓΛ͢Δ๏ "QQMJDBUJPO͕BQQSPMFͷSPMF@JEͱTFDSFU@JEΛ͍࣋ͬͯͯҙຯ͕ͳ͍๏ "QQMJDBUJPOϓϩηεͷ֎Ͱ5PLFOΛൃߦ͢Δ"QQMJDBUJPO5PLFOͷ
)BTIJ$PSQ.FFUVQSE๏ "QQMJDBUJPOͷσϓϩΠ࣌ʹBQQSPMFBVUIΛ͢ΔίϚϯυΛ࣮ߦ๏ ίϚϯυೝূͷ18Ͱ͋ΔTFDSFU@JEͷ55-ԆΛ1045๏ ଓ͚ͯೝূΛ࣮ߦ͠5PLFOΛऔಘ͢Δ๏ औಘͨ͠5PLFOΛ"QQMJDBUJPO͕ಡΊΔύεʹஔ"QQMJDBUJPO5PLFOͷղܾ๏7BVMU$PNNBOESPMF@JETFDSFU@JEUPLFO
)BTIJ$PSQ.FFUVQSE7BVMUUPLFO͕ࣦޮͯ͠ো
)BTIJ$PSQ.FFUVQSE๏ "QQSPMFͷTFDSFU@JEΛSFOFX͢ΔͨΊʹDVTUPNTFDSFU@JEͱͯ͠ઃఆ͍ͯ͠Δ๏ DVTUPNTFDSFU@JEʹઃఆ͢ΔUPLFOBVUIUPLFOͰൃߦ๏ Ϛϯτͨ͠TFDSFU͝ͱʹNBYMFBTFUUMͱ͍͏ઃఆ͕͋ΓɺγεςϜશମʹNBYUUM͕ଘࡏ͢Δ๏ ྆ํ͕ະઃఆͷ߹ɺγεςϜͷNBYUUMͰ͋ΔEBZT্͕ݶ7BVMUUPLFO͕ࣦޮͯ͠ো
)BTIJ$PSQ.FFUVQSEIUUQTXXXWBVMUQSPKFDUJPEPDTDPODFQUTUPLFOTIUNMUIFHFOFSBMDBTFίϯηϓτʹॻ͍ͯ͋ͬͨ
)BTIJ$PSQ.FFUVQSE.BY55-ઃఆɺ֤Ϛϯτ͞ΕͨγʔΫϨοτ͝ͱʹઃఆ͢ΔͷͰɺຊ൪ӡ༻࣌ʹඞͣߟྀ͠·͠ΐ͏ɻͱͯॏཁͰ͢
)BTIJ$PSQ.FFUVQSE๏ 5PLFO͕ࣦޮͨ͠ΒBVEJUMPHʹΤϥʔ͕සൃ͍ͯͨ͠๏ 7BVMUTFSWFSͷ$POTVMDIFDLTͰBVEJUMPHͷࢹΛՃ๏ ݕͨ͠ͷ$POTVM"MFSUͰ4MBDL௨Αͦ͠ΕͳΒࢹՃͩ{"name": "vault-audit-log","tags": ["vault", "audit"],"checks": [{"script": "sudo /usr/local/sbin/check_audit","interval": "60s"}]}#!/bin/bashcheck-log --file /var/log/vault_audit.log \--pattern '\"error\":\".+\"' \—exclude='invalid request|unsupported path|unsupported operation'.BDLFSFMͷDIFDLDPNNBOE
)BTIJ$PSQ.FFUVQSE$POTVMؾܰʹࢹՃͰ͖ͯศརʂ
)BTIJ$PSQ.FFUVQSE๏ ϩϦϙοϓʂϚωʔδυΫϥυͰͷ)BTIJ$PSQιϑτΣΞͷ׆༻ํ๏ΛഎܠͱಛΛ౿·͑ղઆ๏ )BTIJ$PSQιϑτΣΞ͍͜ͳ͢͜ͱͰγεςϜ͕͍͍ײ͡ʹͳΔͷͰυΩϡϝϯτΛख़ಡ͢͠๏ )BTIJ$PSQͷ֤ιϑτΣΞʹྲྀΕ͕͋Γɺซ༻͢Δ͜ͱͰศར͕͞૿͢ʂʂʂ$PODMVTJPO
)BTIJ$PSQ.FFUVQSE5IBOLZPV 8FSFIJSJOH
linyows
tkikuchi1002
lmi
cimadai
clairegiordano
murachiakira
poteboy
asei
nwiizo
hygradme
tomoaki25
chloe463
onecareer_tech
erikaheidi
brad_frost
bkeepers
malarkey
maltzj
tammyeverts
trishagee
sstephenson
danielanewman
eileencodes
andyhume