이쿠의 슬기로운 개발생활

Sharing a security developer's EverNote notes so we can grow together


Ansible and HashiCorp Vault container integration

이쿠우우 2022. 4. 7. 20:19
Environment

[Ansible Server]
CentOS7
ip : 10.0.2.10

[Remote Server]
CentOS7
ip : 10.0.2.7

Method using Docker

Preliminary work

Install docker

yum update -y
yum install -y yum-utils device-mapper-persistent-data lvm2
# docker-ce is not in the stock CentOS 7 repositories; register Docker's repo first
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
systemctl start docker
systemctl enable docker.service

Create the working folders

# -p: ~/agentless itself does not exist yet
mkdir -p ~/agentless/{ssh,ansible,vault}

Generate an ssh key pair

ssh-keygen -f ~/agentless/ssh/id_rsa

Copy the ssh public key to the remote host

ssh-copy-id -i ~/agentless/ssh/id_rsa.pub 10.0.2.7

Run the HashiCorp Vault container

Pull the HashiCorp Vault container image

docker pull vault

Create the HashiCorp Vault working directories

[Command]
cd ~/agentless/vault
mkdir -p ~/agentless/vault/volumes/{config,file,logs}

These directories will be mounted into the vault container.

Create the HashiCorp Vault configuration file

cat > ~/agentless/vault/volumes/config/vault.json << EOF
{
  "backend": {
    "file": {
      "path": "/vault/file"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  },
  "ui": true
}
EOF

[backend option]
The file/path setting is where vault stores its data.
This path is a path inside the vault container, not on the host.

[listener option]
Sets the address and port the vault server listens on (0.0.0.0 means every interface inside the container).
tls_disable: 1 turns TLS off on this listener, so port 8200 speaks plain HTTP.

Run the HashiCorp Vault container (server mode)

The vault server is not exposed to the outside; only the ansible server
talks to it, so no port mapping (-p) is configured.

[Command]
docker run --cap-add=IPC_LOCK -d \
 -e 'VAULT_ADDR=http://127.0.0.1:8200' \
 -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
 -v ~/agentless/vault/volumes/logs:/vault/logs \
 -v ~/agentless/vault/volumes/file:/vault/file \
 -v ~/agentless/vault/volumes/config:/vault/config \
 -v ~/agentless/ssh:/agentless/ssh \
 --name=AgentlessVault \
vault \
 vault server -config=/vault/config/vault.json

The ~/agentless/ssh mount makes the key pair generated earlier visible inside the container at /agentless/ssh, so it can be loaded into vault below.

Enter the HashiCorp Vault container

[Command]
docker exec -it AgentlessVault sh

Initialize HashiCorp Vault

[Command]
vault operator init -key-shares=6 -key-threshold=3
Unseal Key 1: YzrrWUT3oksc8c+8XFYk2NaoodmM+eoXsqmVXMvdCw8F
Unseal Key 2: iaIMXl5VQPbRmXtzgNOhYErgEH/SlbVnPKyrHp08kJPh
Unseal Key 3: PnjoQcctLP04XO+qnzvhQ6NzBtzKH0xwFOFoJa68YVmi
Unseal Key 4: +rtcKJtt2bBRDyLFdDpkO3RFRs0HByJ8FZ75xxxshUEg
Unseal Key 5: UoPZLRj27Pa+a87CVkSdxx41f4dRcPZl9Z3lWtgCvbXr
Unseal Key 6: f0gFm9pxmu9SNBhWtzqiMKg3zBQe7oMcJaU8/KrHnbgG

Initial Root Token: s.P5h7KQjWwgQfHeSsA1Hduq9i

The unseal keys and the Initial Root Token must be saved somewhere separately.

Unseal HashiCorp Vault

To unseal the vault server, 3 of the unseal keys must be entered.

[Command]
vault operator unseal [unseal key]

vault operator unseal YzrrWUT3oksc8c+8XFYk2NaoodmM+eoXsqmVXMvdCw8F
vault operator unseal iaIMXl5VQPbRmXtzgNOhYErgEH/SlbVnPKyrHp08kJPh
vault operator unseal PnjoQcctLP04XO+qnzvhQ6NzBtzKH0xwFOFoJa68YVmi

Enter 3 keys (any 3 of the 6 shares work; the threshold was set to 3 at init).
 
 

Log in to the HashiCorp Vault server

Log in with the Initial Root Token obtained above.

[Command]
vault login [Initial Root Token]
vault login s.P5h7KQjWwgQfHeSsA1Hduq9i

Create a HashiCorp Vault secret

vault secrets enable -path="agentless" -description="agentless Test key pair save" kv
vault secrets list
# value=@file reads the value from a file; /agentless/ssh is the ssh directory mounted into the container above
vault kv put agentless/keypair private=@/agentless/ssh/id_rsa public=@/agentless/ssh/id_rsa.pub
vault kv get agentless/keypair
vault kv get -field=private agentless/keypair
vault kv get -field=public agentless/keypair
exit

Run the Ansible container

Work in the ~/agentless/ansible directory.
cd ~/agentless/ansible

Write a playbook that talks to the HashiCorp Vault container and creates the private key file

token=s.P5h7KQjWwgQfHeSsA1Hduq9i
This token value must be the Initial Root Token that was shown when the vault server was initialized:
Initial Root Token: s.P5h7KQjWwgQfHeSsA1Hduq9i

Using the root token is generally bad for security, but
since this is a test, the root token is used.
It will be changed to a policy token later.

[~/agentless/ansible/makePrivateKey.yml]
---
- hosts: localhost
  connection: local
  become: true
  vars:
    # hashi_vault lookup (needs the hvac python package, installed in the Dockerfile below);
    # the AgentlessVault hostname resolves thanks to --link when the container is started
    vaultdata: "{{ lookup('hashi_vault', 'secret=agentless/keypair token=s.P5h7KQjWwgQfHeSsA1Hduq9i url=http://AgentlessVault:8200') }}"
  tasks:
  - name: Creates directory
    file:
      path: ~/agentless
      state: directory
  - name: Creates private key file
    file:
      path: ~/agentless/private.key
      state: touch
  - name: insert private key data
    lineinfile:
      path: ~/agentless/private.key
      line: "{{ vaultdata['private'] }}"
  - name: file permission change
    file:
      path: ~/agentless/private.key
      mode: '0600'
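The playbook above materializes the key in three steps (touch, lineinfile, then chmod), so for a moment the file exists with default-umask permissions before 0600 is applied. The following added example, my code rather than anything from the post or from Ansible, does the same job as the consumer of the hashi_vault lookup would in Python, with the key file created 0600 from the first instant and a check that the field really holds a PEM private key. The KV v1 response is a constructed sample with dummy key material, and the function names are my own; the `data` wrapper is the shape a KV v1 read returns.

```python
import json
import os
import stat
import tempfile

# Constructed sample of a KV v1 read response (the shape `vault kv get -format=json
# agentless/keypair` returns); the key material is a dummy placeholder, not a real key.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "private": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "AAAAdummydummydummy\n"
                   "-----END OPENSSH PRIVATE KEY-----",
        "public": "ssh-rsa AAAAdummy root@ansible",
    }
})


def is_pem_private_key(value):
    """Cheap sanity check that the field really holds a PEM-armored private key."""
    return (isinstance(value, str)
            and value.startswith("-----BEGIN")
            and "PRIVATE KEY-----" in value)


def extract_private_key(response_json, field="private"):
    """Pull the private key out of a KV v1 response; ssh expects a trailing newline."""
    doc = json.loads(response_json)
    key = doc.get("data", {}).get(field)
    if not is_pem_private_key(key):
        raise ValueError("KV response carries no PEM private key in field %r" % field)
    return key if key.endswith("\n") else key + "\n"


def write_private_key(path, key_text):
    """Create the key file 0600 from the start, and refuse to clobber an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # belt and braces against a permissive umask
        fh.write(key_text)
    return stat.S_IMODE(os.stat(path).st_mode)


def materialize_key(response_json, directory=None):
    """Write private.key under `directory` (a fresh temp dir by default) and
    return (path, mode, content) so callers can verify what was produced."""
    directory = directory or tempfile.mkdtemp(prefix="agentless-")
    path = os.path.join(directory, "private.key")
    mode = write_private_key(path, extract_private_key(response_json))
    with open(path) as fh:
        content = fh.read()
    return path, mode, content


if __name__ == "__main__":
    path, mode, _ = materialize_key(SAMPLE_RESPONSE)
    print("%s written with mode %o" % (path, mode))
```

With hvac (the package the Dockerfile installs) the same `data` dict comes from `client.secrets.kv.v1.read_secret(path="keypair", mount_point="agentless")["data"]`; in Ansible itself the equivalent of this one-step write is the `copy` module with `content:` and `mode: '0600'` in a single task instead of touch, lineinfile and chmod.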
 
 
 

Write the shell script that will be run on the remote host for testing

A simple script that writes an echo statement and the network interface information to a file.

[~/agentless/ansible/test.sh]
#!/bin/bash

echo "ansible playbook Test!!!!!" > sample.txt
# ifconfig (net-tools) may be absent on a minimal CentOS 7; fall back to ip
ifconfig >> sample.txt 2>/dev/null || ip addr >> sample.txt

Write the inventory file holding the remote host information

[~/agentless/ansible/host.ini]
[linux]
10.0.2.7

[linux:vars]
ansible_ssh_user=root

[all:vars]
ansible_ssh_private_key_file=/runner/agentless/private.key
; StrictHostKeyChecking=no skips ssh host key verification because the container has no known_hosts entry for 10.0.2.7
ansible_ssh_common_args='-o StrictHostKeyChecking=no'

Write the playbook to be run on the remote host

[~/agentless/ansible/testplaybook.yml]
---
- hosts: all
  remote_user: root
  become: true
  tasks:
  - name: Creates directory
    file:
      path: /temp
      state: directory
  - name: store file to remote server
    copy:
      src: /runner/agentless/test.sh
      dest: /temp/test.sh
      mode: '0744'
  - name: execute the script
    shell: ./test.sh
    args:
      chdir: /temp
      executable: /bin/bash
  - name: check file exists
    wait_for:
      path: /temp/sample.txt
  - name: file move to control node
    fetch:
      src: /temp/sample.txt
      dest: ./{{ inventory_hostname }}_result.txt
      flat: yes
  - name: delete directory
    file:
      path: /temp/
      state: absent

Build the Ansible container image

[Pull the ansible container image]
docker pull ansible/ansible-runner

[Write the Dockerfile for the ansible container image]
~/agentless/ansible/Dockerfile
FROM ansible/ansible-runner

# hvac is required by the hashi_vault lookup used in makePrivateKey.yml
RUN pip3 install 'hvac[parser]'

CMD ["ansible-runner", "run", "/runner"]

[Dockerfile build command]
cd ~/agentless/ansible
docker build --tag agentless-ansible:1.0.0 .

[Check the created docker image]
docker images

Run the Ansible container

[Command]
docker run -it -d --name AgentlessAnsible -v ~/agentless/ansible:/runner/agentless --link AgentlessVault agentless-ansible:1.0.0 /bin/bash

[--link AgentlessVault]
Lets this container reach the AgentlessVault container by name on the same Docker network; this is what makes url=http://AgentlessVault:8200 in the playbook resolve.

Enter the Ansible container and run the playbooks

docker exec -it AgentlessAnsible /bin/bash
ansible-playbook /runner/agentless/makePrivateKey.yml
ansible-playbook -i /runner/agentless/host.ini /runner/agentless/testplaybook.yml
 

 

 

 

 
