How to unseal a Vault server running in a Docker container

I have a docker compose setup that successfully starts consul (config here). Vault seems to start fine, except for some errors while setting the TTL (logs here).

More specifically, consul seems to be trying to reach /v1/agent/check/fail/vault:127.0.0.1:8200:vault-sealed-check?note=Vault+Sealed . Apparently 'vault:127.0.0.1:8200:vault-sealed-check' status is now critical:

    consul1 | 2016/11/05 20:50:04 [DEBUG] agent: Check 'vault:127.0.0.1:8200:vault-sealed-check' status is now critical
    consul1 | 2016/11/05 20:50:04 [DEBUG] agent: Service 'vault:127.0.0.1:8200' in sync
    consul1 | 2016/11/05 20:50:04 [DEBUG] agent: Service 'consul' in sync
    consul1 | 2016/11/05 20:50:04 [DEBUG] agent: Check 'vault:127.0.0.1:8200:vault-sealed-check' in sync
    consul1 | 2016/11/05 20:50:04 [DEBUG] agent: Node info in sync
    consul1 | 2016/11/05 20:50:04 [DEBUG] http: Request PUT /v1/agent/check/fail/vault:127.0.0.1:8200:vault-sealed-check?note=Vault+Sealed (92.314µs) from=172.18.0.3:48742

When the vault container starts (with the consul backend), 1) how do we get the initial i) keys and ii) root token? I am using Hashicorp's official vault image with a custom /vault/config/vault.hcl (and the consul image).

Ultimately, I want to know 2) how to unseal the vault server. In this case, I want to unseal the vault server running in a docker container. 3) That is all I need to start writing secrets to the vault.

To unseal vault in a container using the official vault image, I would start the Vault container:

    vm# docker run -it --cap-add IPC_LOCK -p 8200:8200 -p 8215:8125 --name vault --volume /my/vault:/my/vault vault server -config=/my/vault/vaultCfg.hcl

where vm is running docker engine 1.12.4 and the vault hcl config reads:

    backend "consul" {
      address = "myconsul.com:8500"
      path = "vault"
    }

    listener "tcp" {
      address = "0.0.0.0:8200"
      tls_disable = 1
    }

Then on the same docker host:

    vm# VAULT_ADDR=http://myvault.com:8200
    vm# docker exec -it vault vault init -address=${VAULT_ADDR}

and expect output like this:

    2016/12/11 10:21:10.628736 [WARN ] physical/consul: appending trailing forward slash to path
    2016/12/11 12:09:12.117238 [INFO ] core: security barrier not initialized
    2016/12/11 12:09:12.136037 [INFO ] core: security barrier initialized: shares=5 threshold=3
    2016/12/11 12:09:12.169987 [INFO ] core: post-unseal setup starting
    2016/12/11 12:09:12.181963 [INFO ] core: successfully mounted backend: type=generic path=secret/
    2016/12/11 12:09:12.181990 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
    2016/12/11 12:09:12.182057 [INFO ] core: successfully mounted backend: type=system path=sys/
    2016/12/11 12:09:12.182156 [INFO ] rollback: starting rollback manager
    2016/12/11 12:09:12.218527 [INFO ] core: post-unseal setup complete
    2016/12/11 12:09:12.218733 [INFO ] core/startClusterListener: starting listener
    2016/12/11 12:09:12.218899 [INFO ] core/startClusterListener: serving cluster requests: cluster_listen_address=[::]:8201
    2016/12/11 12:09:12.228888 [INFO ] core: root token generated
    2016/12/11 12:09:12.228905 [INFO ] core: pre-seal teardown starting
    2016/12/11 12:09:12.228911 [INFO ] core/stopClusterListener: stopping listeners
    2016/12/11 12:09:12.228921 [INFO ] core/startClusterListener: shutting down listeners
    2016/12/11 12:09:12.724179 [INFO ] core/startClusterListener: listeners successfully shut down
    2016/12/11 12:09:12.724209 [INFO ] core/stopClusterListener: success
    2016/12/11 12:09:12.724225 [INFO ] rollback: stopping rollback manager
    2016/12/11 12:09:12.724250 [INFO ] core: pre-seal teardown complete

This link may help. docker run needs a working internet connection.

So I found a working solution, with a working setup of i. a consul node, ii. a vault instance talking to it, and iii. the ability to connect to Vault and generate the initial unseal and root tokens.

A) With this docker file, I can run docker-compose build && docker-compose up

B) Then, in another shell, I can connect: $ docker exec -i -t gently_vault_1 /bin/sh

C) Then, in that shell, just run vault init

    / # vault init
    Unseal Key 1: asdf...
    Unseal Key 2: qwer...
    Unseal Key 3: zxcv...
    Unseal Key 4: piou...
    Unseal Key 5: lkjh...
    Initial Root Token: mbnv...
    Vault initialized with 5 keys and a key threshold of 3. Please securely
    distribute the above keys. When the Vault is re-sealed, restarted, or
    stopped, you must provide at least 3 of these keys to unseal it again.

    Vault does not store the master key. Without at least 3 keys, your Vault
    will remain permanently sealed.
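The three things the question asks for (initial keys and root token, unsealing, writing a first secret) as one scripted flow. This is an added example, not code from the question or either answer: it talks to Vault's HTTP API instead of running `vault` inside the container with `docker exec`, and it also parses a `vault init` transcript like the one in step C. It assumes Vault is reachable at VAULT_ADDR (defaulting to the `-p 8200:8200` mapping on localhost), that the server is the 2016-era build whose `generic` backend is mounted at secret/ (KV version 1, as the log lines in the first answer show), and that only the Python standard library is available; parse_init_cli_output, keys_to_submit, initialise, unseal and write_and_read_secret are names chosen here.

```python
"""Initialise, unseal and write one secret to a Vault server over its HTTP API.

Added example, not code from the question or either answer. Assumptions:
VAULT_ADDR is the host:port published with `-p 8200:8200`; the server is the
2016-era build whose `generic` backend is mounted at secret/ (KV version 1);
only the Python standard library is available.
"""
import json
import os
import re
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")


def vault_request(method, path, body=None, token=None, addr=VAULT_ADDR):
    """One JSON request to the Vault API; returns the decoded reply, or None
    for a 204 No Content. urllib raises HTTPError on any 4xx/5xx answer."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(addr + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        # The token goes in a header, never in argv or the URL, so it does not
        # show up in `ps` output or in proxy/access logs.
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def parse_init_cli_output(text):
    """Parse a `vault init` transcript (the format shown in step C) into the
    unseal keys, the root token and the key threshold."""
    keys = re.findall(r"^Unseal Key \d+:\s*(\S+)", text, re.M)
    token = re.search(r"^Initial Root Token:\s*(\S+)", text, re.M)
    threshold = re.search(r"key threshold of (\d+)", text)
    if not keys or token is None or threshold is None:
        raise ValueError("text is not a `vault init` transcript")
    return {"keys": keys, "root_token": token.group(1),
            "threshold": int(threshold.group(1))}


def keys_to_submit(keys, threshold):
    """Pick exactly `threshold` of the n shares to feed to /sys/unseal.
    Submitting more than t is harmless but reveals more shares to this host."""
    if threshold < 1 or threshold > len(keys):
        raise ValueError("threshold %d cannot be met with %d shares"
                         % (threshold, len(keys)))
    return list(keys[:threshold])


def initialise(shares=5, threshold=3, addr=VAULT_ADDR):
    """PUT /v1/sys/init. Succeeds exactly once per storage backend and is the
    only time Vault ever returns the shares and the root token."""
    return vault_request("PUT", "/v1/sys/init",
                         {"secret_shares": shares, "secret_threshold": threshold},
                         addr=addr)


def unseal(keys, threshold, addr=VAULT_ADDR):
    """Submit shares one per PUT /v1/sys/unseal until seal-status reports
    sealed == false; returns the final seal-status document."""
    status = vault_request("GET", "/v1/sys/seal-status", addr=addr)
    for key in keys_to_submit(keys, threshold):
        if not status["sealed"]:
            break
        status = vault_request("PUT", "/v1/sys/unseal", {"key": key}, addr=addr)
    if status["sealed"]:
        raise RuntimeError("still sealed after %d of %d shares"
                           % (status["progress"], status["t"]))
    return status


def write_and_read_secret(token, path, data, addr=VAULT_ADDR):
    """Write `data` to secret/<path> (KV v1 answers 204) and read it back."""
    vault_request("POST", "/v1/secret/" + path, data, token=token, addr=addr)
    return vault_request("GET", "/v1/secret/" + path,
                         token=token, addr=addr)["data"]


if __name__ == "__main__":
    init = initialise()
    print("unsealed:", unseal(init["keys"], 3))
    print("secret:", write_and_read_secret(init["root_token"], "hello",
                                           {"value": "world"}))
```

Run once against a fresh container and it initialises Vault, unseals it with the first three shares and round-trips one secret; a second run fails at /v1/sys/init, because Vault initialises only once per storage backend. The init reply is the only time the shares and the root token are ever shown, so in a real deployment each share goes to a different holder and the root token is revoked once bootstrapping is done. With tls_disable = 1 as in the config above, the shares and the token cross the network in clear, so keep that listener on a private interface or enable TLS before publishing port 8200 beyond the docker host.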