Integrating Ansible with a HashiCorp Vault container
Environment
[Ansible Server]
CentOS7
ip : 10.0.2.10
[Remote Server]
CentOS7
ip : 10.0.2.7
Docker-based setup
Prerequisites
Install docker
yum update -y
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
systemctl start docker
systemctl enable docker.service
Create the working directories
mkdir ~/agentless/{ssh,ansible,vault}
Generate an ssh key pair
ssh-keygen -f ~/agentless/ssh/id_rsa
Copy the ssh public key to the remote host
ssh-copy-id -i ~/agentless/ssh/id_rsa.pub 10.0.2.7
Running the HashiCorp Vault container
Pull the HashiCorp Vault container image
docker pull vault
Create the HashiCorp Vault working directories
[Commands]
cd ~/agentless/vault
mkdir -p ~/agentless/vault/volumes/{config,file,logs}
These directories will be mounted into the vault container.
Create the HashiCorp Vault configuration file
cat > ~/agentless/vault/volumes/config/vault.json << EOF
{
  "backend": {
    "file": {
      "path": "/vault/file"
    }
  },
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  },
  "ui": true
}
EOF
[backend option]
file/path is the path where vault data is stored.
This path is interpreted inside the vault container, not on the host.
[listener option]
Sets the address (and therefore the IP range) on which the vault server accepts connections.
Run the HashiCorp Vault container (server mode)
The vault server is not exposed to the outside; only the ansible server talks to it,
so no port mapping is configured.
[Commands]
docker run --cap-add=IPC_LOCK -d \
-e 'VAULT_ADDR=http://127.0.0.1:8200' \
-e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
-v ~/agentless/vault/volumes/logs:/vault/logs \
-v ~/agentless/vault/volumes/file:/vault/file \
-v ~/agentless/vault/volumes/config:/vault/config \
-v ~/agentless/ssh:/agentless/ssh \
--name=AgentlessVault \
vault \
vault server -config=/vault/config/vault.json
Enter the HashiCorp Vault container
[Commands]
docker exec -it AgentlessVault sh
Initialize HashiCorp Vault
[Commands]
vault operator init -key-shares=6 -key-threshold=3
Unseal Key 1: YzrrWUT3oksc8c+8XFYk2NaoodmM+eoXsqmVXMvdCw8F
Unseal Key 2: iaIMXl5VQPbRmXtzgNOhYErgEH/SlbVnPKyrHp08kJPh
Unseal Key 3: PnjoQcctLP04XO+qnzvhQ6NzBtzKH0xwFOFoJa68YVmi
Unseal Key 4: +rtcKJtt2bBRDyLFdDpkO3RFRs0HByJ8FZ75xxxshUEg
Unseal Key 5: UoPZLRj27Pa+a87CVkSdxx41f4dRcPZl9Z3lWtgCvbXr
Unseal Key 6: f0gFm9pxmu9SNBhWtzqiMKg3zBQe7oMcJaU8/KrHnbgG
Initial Root Token: s.P5h7KQjWwgQfHeSsA1Hduq9i
The unseal key information and the Initial Root Token must be saved separately and kept safe.
Unseal HashiCorp Vault
To unseal the vault server, 3 of the Unseal Keys must be entered (the -key-threshold chosen above).
[Commands]
vault operator unseal [unseal key]
vault operator unseal YzrrWUT3oksc8c+8XFYk2NaoodmM+eoXsqmVXMvdCw8F
vault operator unseal iaIMXl5VQPbRmXtzgNOhYErgEH/SlbVnPKyrHp08kJPh
vault operator unseal PnjoQcctLP04XO+qnzvhQ6NzBtzKH0xwFOFoJa68YVmi
Enter 3 keys.
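The unseal step above is only as safe as the way the six shares are held: with -key-shares=6 -key-threshold=3, anyone who ends up holding three shares can unseal alone, and the root token must never travel with the shares. The following Python script is an added example, not part of the original post and not a HashiCorp tool: it parses the line format printed by vault operator init, checks the share count against the options that were passed, keeps the root token out of the distribution plan, and refuses any plan in which a single custodian would reach the threshold. The sample output, share values, token and custodian names are constructed placeholders.

```python
import base64
import math
import re
from typing import Dict, List

# Constructed sample in the line format printed by `vault operator init`
# (6 shares, threshold 3, as on this page). Shares and token are placeholders,
# chosen only so that they are valid base64 / token-shaped strings.
SAMPLE_INIT_OUTPUT = """\
Unseal Key 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB
Unseal Key 2: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC
Unseal Key 3: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD
Unseal Key 4: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE
Unseal Key 5: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF
Unseal Key 6: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAG
Initial Root Token: s.PLACEHOLDERrootTOKEN0000
"""

_SHARE_RE = re.compile(r"^Unseal Key (\d+): (\S+)$")
_ROOT_RE = re.compile(r"^Initial Root Token: (\S+)$")


def parse_init_output(text: str, key_shares: int, key_threshold: int) -> dict:
    """Parse init output and check it against the -key-shares/-key-threshold that were requested."""
    if not 1 <= key_threshold <= key_shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    shares: Dict[int, str] = {}
    root_token = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SHARE_RE.match(line)
        if m:
            idx, share = int(m.group(1)), m.group(2)
            base64.b64decode(share, validate=True)  # a malformed share raises binascii.Error
            if idx in shares or share in shares.values():
                raise ValueError(f"duplicate unseal key entry {idx}")
            shares[idx] = share
            continue
        m = _ROOT_RE.match(line)
        if m:
            root_token = m.group(1)
    if sorted(shares) != list(range(1, key_shares + 1)):
        raise ValueError(f"expected shares 1..{key_shares}, got {sorted(shares)}")
    if root_token is None:
        raise ValueError("no Initial Root Token line found")
    return {"shares": shares, "root_token": root_token, "threshold": key_threshold}


def custodians_needed(key_shares: int, key_threshold: int) -> int:
    """Smallest number of custodians for which an even split leaves everyone below the threshold."""
    if key_threshold < 2:
        raise ValueError("with a threshold of 1 any single share unseals; no split helps")
    n = 1
    while math.ceil(key_shares / n) >= key_threshold:
        n += 1
    return n


def assign_shares(parsed: dict, custodians: List[str]) -> Dict[str, List[str]]:
    """Deal shares round-robin over custodians, refusing any plan where one of them could unseal alone.

    The root token is deliberately not part of the plan: it is stored apart (or revoked once
    policy-scoped tokens exist), never alongside the shares.
    """
    shares, threshold = parsed["shares"], parsed["threshold"]
    if not custodians or len(set(custodians)) != len(custodians):
        raise ValueError("custodians must be a non-empty list of distinct names")
    plan: Dict[str, List[str]] = {name: [] for name in custodians}
    for idx in sorted(shares):
        plan[custodians[(idx - 1) % len(custodians)]].append(shares[idx])
    for name, held in plan.items():
        if len(held) >= threshold:
            raise ValueError(
                f"{name} would hold {len(held)} shares (threshold {threshold}); "
                f"use at least {custodians_needed(len(shares), threshold)} custodians"
            )
    return plan


if __name__ == "__main__":
    parsed = parse_init_output(SAMPLE_INIT_OUTPUT, key_shares=6, key_threshold=3)
    for name, held in assign_shares(parsed, ["ops-a", "ops-b", "ops-c"]).items():
        print(name, "->", len(held), "share(s)")
```

Feeding the real init output through parse_init_output with the same -key-shares and -key-threshold values you passed on the command line catches a truncated or mis-copied paste before the terminal is cleared; assign_shares then tells you how many people the shares must be split across before any of them can be handed out.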
Log in to the HashiCorp Vault server
Log in with the Initial Root Token obtained above.
[Commands]
vault login [Initial Root Token]
vault login s.P5h7KQjWwgQfHeSsA1Hduq9i
Create the HashiCorp Vault secret
vault secrets enable -path="agentless" -description="agentless Test key pair save" kv
vault secrets list
vault kv put agentless/keypair private=@/agentless/ssh/id_rsa public=@/agentless/ssh/id_rsa.pub
vault kv get agentless/keypair
vault kv get -field=private agentless/keypair
vault kv get -field=public agentless/keypair
exit
Running the Ansible container
Work is done in the ~/agentless/ansible directory.
cd ~/agentless/ansible
Write a playbook that talks to the HashiCorp Vault container and creates the private key file
token=s.P5h7KQjWwgQfHeSsA1Hduq9i
This token value must be the Initial Root Token obtained when the vault server was initialized:
Initial Root Token: s.P5h7KQjWwgQfHeSsA1Hduq9i
Using the root token is generally bad security practice, but since this is a test the root token is used.
It will be replaced with a policy-scoped token later.
[~/agentless/ansible/makePrivateKey.yml]
---
- hosts: localhost
  connection: local
  become: true
  vars:
    vaultdata: "{{ lookup('hashi_vault', 'secret=agentless/keypair token=s.P5h7KQjWwgQfHeSsA1Hduq9i url=http://AgentlessVault:8200') }}"
  tasks:
    - name: Creates directory
      file:
        path: ~/agentless
        state: directory
    - name: Creates private key file
      file:
        path: ~/agentless/private.key
        state: touch
    - name: insert private key data
      lineinfile:
        path: ~/agentless/private.key
        line: "{{ vaultdata['private'] }}"
    - name: file permission change
      file:
        path: ~/agentless/private.key
        mode: 0600
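The playbook above creates the key file with touch, fills it with lineinfile and only then sets mode 0600, so for a moment the private key sits in a file created under the default umask. The Python below is an added example, not code from the post, from Ansible or from hvac, that does the same job with the standard library: it reads the KV v1 secret over Vault's HTTP API (GET /v1/agentless/keypair with the X-Vault-Token header, the same path the hashi_vault lookup reads), validates the response shape, and creates the file with mode 0600 from the first instant using O_CREAT|O_EXCL so it is never world-readable and never silently overwrites or follows an existing path. The address, token and response body are constructed placeholders; fetch_kv_v1 needs a reachable Vault, while parse_kv_v1_response, write_private_key and self_check run offline.

```python
import json
import os
import stat
import tempfile
import urllib.request

# Container name from the page's --link AgentlessVault setup; the token is a placeholder.
VAULT_ADDR = "http://AgentlessVault:8200"
VAULT_TOKEN = "s.PLACEHOLDER_TOKEN"
SECRET_PATH = "agentless/keypair"

# Constructed KV v1 read response in the shape returned by GET /v1/<mount>/<path>;
# the key material is a placeholder, not a real key.
SAMPLE_KV_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-constructed0",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 2764800,
    "data": {
        "private": "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----",
        "public": "ssh-rsa PLACEHOLDER root@ansible",
    },
    "warnings": None,
})


def parse_kv_v1_response(body: str) -> dict:
    """Return the key/value map from a KV v1 read; fail loudly on anything unexpected."""
    doc = json.loads(body)
    data = doc.get("data")
    if not isinstance(data, dict):
        raise ValueError("no data object in Vault response (wrong path, or a KV v2 mount?)")
    for field in ("private", "public"):
        if not isinstance(data.get(field), str) or not data[field].strip():
            raise ValueError(f"secret is missing field {field!r}")
    return data


def fetch_kv_v1(vault_addr: str, token: str, secret_path: str, timeout: float = 5.0) -> dict:
    """Read a KV v1 secret over the HTTP API (requires a reachable, unsealed Vault)."""
    req = urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/{secret_path}",
        headers={"X-Vault-Token": token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_kv_v1_response(resp.read().decode("utf-8"))


def write_private_key(path: str, key_material: str) -> int:
    """Create the key file with mode 0600 atomically; never overwrite, never follow a symlink.

    Returns the permission bits of the file that was created.
    """
    if not key_material.endswith("\n"):
        key_material += "\n"  # keep the footer line terminated, as ssh-keygen writes it
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # mode applies at creation, so no readable window
    with os.fdopen(fd, "w") as fh:
        fh.write(key_material)
    return stat.S_IMODE(os.stat(path).st_mode)


def self_check() -> dict:
    """Offline demonstration: parse the constructed response and write the key into a temp dir."""
    data = parse_kv_v1_response(SAMPLE_KV_RESPONSE)
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "private.key")
        mode = write_private_key(key_path, data["private"])
        with open(key_path) as fh:
            round_trip = fh.read() == data["private"] + "\n"
        try:
            write_private_key(key_path, data["private"])
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
    return {"mode": mode, "round_trip": round_trip, "overwrite_refused": overwrite_refused}


if __name__ == "__main__":
    print(self_check())
```

Against a live container the call would be write_private_key("/runner/agentless/private.key", fetch_kv_v1(VAULT_ADDR, VAULT_TOKEN, SECRET_PATH)["private"]); if the same guarantee is wanted inside Ansible itself, the copy module with content: and mode: 0600 in a single task creates the file in one step instead of three.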
Write a shell script to be executed on the remote host for testing.
It is a simple script that prints an echo statement and saves the network interface information.
[~/agentless/ansible/test.sh]
#!/bin/bash
echo "ansible playbook Test!!!!!" > sample.txt
ifconfig >> sample.txt
Write the inventory file holding the remote host information
[~/agentless/ansible/host.ini]
[linux]
10.0.2.7
[linux:vars]
ansible_ssh_user=root
[all:vars]
ansible_ssh_private_key_file=/runner/agentless/private.key
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
Write the playbook to be run on the remote host
[~/agentless/ansible/testplaybook.yml]
---
- hosts: all
  remote_user: root
  become: true
  tasks:
    - name: Creates directory
      file:
        path: /temp
        state: directory
    - name: store file to remote server
      copy:
        src: /runner/agentless/test.sh
        dest: /temp/test.sh
        mode: 0744
    - name: execute the script
      shell: ./test.sh
      args:
        chdir: /temp
        executable: /bin/bash
    - name: check file exists
      wait_for:
        path: /temp/sample.txt
    - name: file move to control node
      fetch:
        src: /temp/sample.txt
        dest: ./{{ inventory_hostname }}_result.txt
        flat: yes
    - name: delete directory
      file:
        path: /temp/
        state: absent
Build the Ansible container image
[Pull the ansible container image]
docker pull ansible/ansible-runner
[Write the Dockerfile for the ansible container image]
~/agentless/ansible/Dockerfile
FROM ansible/ansible-runner
# hvac is the Python client the hashi_vault lookup needs
RUN pip3 install hvac[parser]
# exec-form CMD: entries must be comma-separated
CMD ["ansible-runner", "run", "/runner"]
[Build the image from the Dockerfile]
cd ~/agentless/ansible
docker build --tag agentless-ansible:1.0.0 .
[Check the created docker images]
docker images
Run the Ansible container
[Commands]
docker run -it -d --name AgentlessAnsible -v ~/agentless/ansible:/runner/agentless --link AgentlessVault agentless-ansible:1.0.0 /bin/bash
[--link AgentlessVault]
Puts the container on the same network as the AgentlessVault container, so the vault server is reachable by that name.
Enter the Ansible container
docker exec -it AgentlessAnsible /bin/bash
ansible-playbook /runner/agentless/makePrivateKey.yml
ansible-playbook -i /runner/agentless/host.ini /runner/agentless/testplaybook.yml