Blog

Hashicorp Vault docker installation and client testing

Vault Server Installation

Create one folder with 3 subfolders

mkdir -p vault/{config,file,logs}

Create vault configuration file

Create vault/config/vault.json

{
  "backend": {
    "file": {
      "path": "/vault/file"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  },
  "ui": true
}

Create docker-compose.yml

Create file vault/docker-compose.yml

version: '3.7'
services:
  vault:
    image: vault:latest
    container_name: vault
    ports:
      - "8200:8200"
    restart: unless-stopped
    volumes:
      -  ./logs:/vault/logs
      -  ./file:/vault/file
      -  ./config:/vault/config
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/vault.json

Create container

Run docker-compose in the vault folder

cd vault
docker-compose up -d

Access WebUI

Open http://localhost:8200/ in a browser

  • Select 5 as Key shares and 3 as Key threshold, then click Initialize
  • Download the keys as a JSON file
  • Use 3 of the keys to unseal Vault
  • Log in with the root token
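An added check, not part of the original post: a small Python linter that flags the test-only settings in the vault.json above (tls_disable, cleartext listener bound to 0.0.0.0) and passes a hardened variant of the same listener. The hardened config is constructed for this example; tls_cert_file and tls_key_file are real Vault listener options, but the certificate paths are placeholders.

```python
import json

# Constructed inputs: WEAK is the page's vault.json; HARDENED is the same listener
# with TLS on (tls_cert_file/tls_key_file are real Vault options, paths are placeholders).
WEAK = json.loads("""{
  "backend": {"file": {"path": "/vault/file"}},
  "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}},
  "ui": true
}""")

HARDENED = json.loads("""{
  "storage": {"file": {"path": "/vault/file"}},
  "listener": {"tcp": {"address": "0.0.0.0:8200",
                       "tls_cert_file": "/vault/config/vault.crt",
                       "tls_key_file": "/vault/config/vault.key"}},
  "ui": true
}""")


def lint_config(cfg):
    """Return a list of findings for a parsed Vault server config dict."""
    findings = []
    # Vault accepts the legacy "backend" key as an alias of "storage".
    if "storage" not in cfg and "backend" in cfg:
        findings.append("legacy 'backend' key; current configs use 'storage'")
    listeners = cfg.get("listener", {})
    if isinstance(listeners, dict):   # HCL->JSON may yield a dict or a list of dicts
        listeners = [listeners]
    for entry in listeners:
        for ltype, opts in entry.items():
            addr = opts.get("address", "127.0.0.1:8200")
            host = addr.rsplit(":", 1)[0]
            tls_off = str(opts.get("tls_disable", "false")).lower() in ("1", "true")
            if tls_off:
                findings.append(f"{ltype} {addr}: tls_disable set, tokens and secrets "
                                "cross the network in cleartext")
                if host in ("0.0.0.0", "[::]", ""):
                    findings.append(f"{ltype} {addr}: cleartext listener bound to all "
                                    "interfaces (docker -p publishes it to the host)")
            elif not (opts.get("tls_cert_file") and opts.get("tls_key_file")):
                findings.append(f"{ltype} {addr}: TLS enabled but no cert/key configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_config(cfg) or ["ok"])
```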

Client installation

Ubuntu x86

  • Add the HashiCorp GPG key
# curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -
  • Add the official HashiCorp Linux repository
# apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
  • Install vault
# apt-get install vault
  • Verify
# vault

Connect to vault

  • Set environment variables
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ export VAULT_TOKEN="<token>"
  • Check status
$ vault status
...
Sealed          false
...

Secrets operations

Subcommand          kv v1   kv v2   Description
delete              x       x       Delete versions of secrets stored in K/V
destroy                     x       Permanently remove one or more versions of secrets
enable-versioning   x               Turns on versioning for an existing K/V v1 store
get                 x       x       Retrieve data
list                x       x       List data or secrets
metadata                    x       Interact with Vault's Key-Value storage
patch                       x       Update secrets without overwriting existing secrets
put                 x       x       Set or update secrets (this replaces existing secrets)
rollback                    x       Rolls back to a previous version of secrets
undelete                    x       Restore the deleted version of secrets

Example:

vault-getting-started:~# vault login root
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                root
token_accessor       rSn3h08ikdez4zch5ghr4wYY
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
vault-getting-started:~# vault kv put secret/hello foo=world
Key              Value
---              -----
created_time     2021-11-25T06:15:45.332182013Z
deletion_time    n/a
destroyed        false
version          1
vault-getting-started:~# vault kv put secret/hello foo=world excited=yes
Key              Value
---              -----
created_time     2021-11-25T06:15:48.808651794Z
deletion_time    n/a
destroyed        false
version          2
vault-getting-started:~# vault kv get secret/hello
====== Metadata ======
Key              Value
---              -----
created_time     2021-11-25T06:15:48.808651794Z
deletion_time    n/a
destroyed        false
version          2

===== Data =====
Key        Value
---        -----
excited    yes
foo        world
vault-getting-started:~# vault kv get -field=excited secret/hello
yes
vault-getting-started:~# vault kv get -format=json secret/hello | jq -r .data.data.excited
yes
vault-getting-started:~# vault kv delete secret/hello
Success! Data deleted (if it existed) at: secret/hello
vault-getting-started:~#

Secret Engine

A secrets engine is the component that stores, generates or encrypts secrets; each engine handles one type of secret in its own way.

List

Each mounted path has its own secrets engine type

$ vault secrets list

Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_78189996    per-token private secret storage
identity/     identity     identity_ac07951e     identity store
kv/           kv           kv_15087625           n/a
secret/       kv           kv_4b990c45           key/value secret storage
sys/          system       system_adff0898       system endpoints used for control, policy and debugging

Enable

Mount a secrets engine of a given type at a path

$ vault secrets enable -path=kv kv

Success! Enabled the kv secrets engine at: kv/

or

$ vault secrets enable kv

Create secret

$ vault kv put kv/hello target=world
Success! Data written to: kv/hello

Get secret

$ vault kv get kv/hello

===== Data =====
Key       Value
---       -----
target    world

Delete secret

$ vault kv delete kv/hello
Success! Data deleted (if it existed) at: kv/hello

List

$ vault kv list kv/

Keys
----
hello

Disable

$ vault secrets disable kv/

Success! Disabled the secrets engine (if it existed) at: kv/

Dynamic Secrets

Dynamic secrets are provided by secrets engines such as the aws engine.

$ vault secrets enable -path=aws aws

Success! Enabled the aws secrets engine at: aws/

More Info: Dynamic Secrets

Authentication

Token

  • Create token
$ vault token create
Key                  Value
---                  -----
token                s.iyNUhq8Ov4hIAx6snw5mB2nL
token_accessor       maMfHsZfwLB6fi18Zenj3qh6
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
  • Login
$ vault login s.iyNUhq8Ov4hIAx6snw5mB2nL

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.iyNUhq8Ov4hIAx6snw5mB2nL
token_accessor       maMfHsZfwLB6fi18Zenj3qh6
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
  • Revoke
$ vault token revoke s.iyNUhq8Ov4hIAx6snw5mB2nL

Success! Revoked token (if it existed)

GitHub

  • Enable
$ vault auth enable github

Success! Enabled github auth method at: github/
  • Set organization
$ vault write auth/github/config organization=hashicorp

Success! Data written to: auth/github/config
  • Configure the GitHub engineering team authentication to be granted the default and applications policies
$ vault write auth/github/map/teams/engineering value=default,applications

Success! Data written to: auth/github/map/teams/engineering
  • List
$ vault auth list

Path       Type      Description
----       ----      -----------
github/    github    n/a
token/     token     token based credentials
  • Log in with the github method
$ vault login -method=github

GitHub Personal Access Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.DNtKCjVQ1TxAzgMqtDuwjjC2
token_accessor         e7zLJuPg2tLpav66ZSu5AyDC
token_duration         768h
token_renewable        true
token_policies         [default applications]
token_meta_org         hashicorp
token_meta_username    my-user
  • Log in as root again
$ vault login root
  • Revoke all tokens generated by the github auth method
$ vault token revoke -mode path auth/github
  • Disable the github auth method
$ vault auth disable github

Success! Disabled the auth method (if it existed) at: github/

Policy

  • Policy for token

For the KV v2 engine mounted at secret/, the policy path secret/data/* covers every secret under secret/, and the policy path secret/data/foo covers the single secret secret/foo.

  • Policy for approle

The policy path secret/approle/* applies to clients that authenticate with a role_id + secret_id.

Policy for token

  • Create
$ vault policy write my-policy - << EOF
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update"]
}

path "secret/data/foo" {
  capabilities = ["read"]
}
EOF
  • List
$ vault policy list

default
my-policy
root
  • Show
$ vault policy read my-policy

# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update"]
}

path "secret/data/foo" {
  capabilities = ["read"]
}
  • Create token
$ export VAULT_TOKEN="$(vault token create -field token -policy=my-policy)"
  • Check policy
$ vault token lookup | grep policies
policies            [default my-policy]
  • Write succeeds (secret/data/* grants create and update)
$ vault kv put secret/creds password="my-long-password"

Key              Value
---              -----
created_time     2018-05-22T18:05:42.537496856Z
deletion_time    n/a
destroyed        false
version          1
  • Write fails (the more specific secret/data/foo rule grants only read)
$ vault kv put secret/foo robot=beepboop

Error writing data to secret/data/foo: Error making API request.

URL: PUT http://localhost:8200/v1/secret/data/foo
Code: 403. Errors:

* 1 error occurred:
  * permission denied
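Added example (not the page's or HashiCorp's code): a minimal evaluator for the policy above that maps vault kv calls on the KV v2 mount to their API paths and applies Vault's ACL rule that an exact path entry beats a glob, so the two outcomes shown (secret/creds write allowed, secret/foo write denied) can be reproduced offline. The policy text is copied from my-policy; the regex parser handles only the path { capabilities = [...] } form, and put is treated as update (Vault picks create or update depending on whether the key exists, and my-policy grants both on the glob).

```python
import re

# Constructed input: the my-policy text from the page.
MY_POLICY = '''
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update"]
}

path "secret/data/foo" {
  capabilities = ["read"]
}
'''

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(text):
    """Return {path_pattern: set(capabilities)} from a minimal HCL policy."""
    rules = {}
    for path, caps in RULE_RE.findall(text):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def kv2_api_path(mount, key, op):
    """Map a `vault kv <op>` call on a KV v2 mount to (API path, capability)."""
    # put/patch/delete/get all hit <mount>/data/<key>; metadata, destroy,
    # undelete and rollback use other prefixes and are omitted here.
    cap = {"put": "update", "get": "read", "delete": "delete", "patch": "patch"}[op]
    return f"{mount}/data/{key}", cap


def is_allowed(rules, api_path, cap):
    """Vault ACL semantics: an exact path rule wins; otherwise the longest
    matching glob (trailing '*') rule applies; no match means denied."""
    if api_path in rules:
        return cap in rules[api_path]
    best = None
    for pattern in rules:
        if pattern.endswith("*") and api_path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return best is not None and cap in rules[best]


def check_kv(rules, mount, key, op):
    """True if `vault kv <op> <mount>/<key>` is permitted under rules."""
    api_path, cap = kv2_api_path(mount, key, op)
    return is_allowed(rules, api_path, cap)
```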

Policy for approle

  • Enable
$ vault auth enable approle
Success! Enabled approle auth method at: approle/
  • Create my-role bound to my-policy
$ vault write auth/approle/role/my-role \
    secret_id_ttl=10m \
    token_num_uses=10 \
    token_ttl=20m \
    token_max_ttl=30m \
    secret_id_num_uses=40 \
    token_policies=my-policy
Success! Data written to: auth/approle/role/my-role
  • Fetch the role_id
$ export ROLE_ID="$(vault read -field=role_id auth/approle/role/my-role/role-id)"
  • Generate a secret_id
$ export SECRET_ID="$(vault write -f -field=secret_id auth/approle/role/my-role/secret-id)"
  • Login
$ vault write auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID"
Key                     Value
---                     -----
token                   s.Sh9h1wZ9ycATeSaASoOQvovr
token_accessor          xCgUIu6WWLM9opkEkAiNLsRc
token_duration          20m
token_renewable         true
token_policies          ["default" "my-policy"]
identity_policies       []
policies                ["default" "my-policy"]
token_meta_role_name    my-role

References

vault-docker
Install Vault

Thinking about the future of Chef

DevOps tools

These past few days I have been thinking about how to manage my servers, and about which DevOps tools to use.

Looking at Ansible: its central management tool, Ansible Tower, is free for up to 10 nodes...

Looking at Chef: free for 25 nodes? That was 2014. Now it is free for 5 nodes...

Looking at Puppet: I had a bad experience with it in the past because of its OS support, and as a scripter I prefer Chef's imperative language to Puppet's declarative language.

Serverless

Chef people mentioned the word Serverless a couple of years back; I read some online documents but didn't understand how Chef goes serverless...

Today, after reading another document, I understand the real meaning of serverless. It means all servers are stateless, such as Core OS, with no Chef required. True?

Ruby

Is Ruby hard to learn? I really don't feel so; I think it is easy compared with other OO languages. But some people from the DevOps team told me Ansible is easy and Ruby is hard. Hmmm...

Ruby is dying, maybe; it is not an OS default language, so it will not be the choice for sysadmins.

JavaScript and Python

I ran some servers using NodeJS. It solved some issues, but it is not a well-structured programming language: easy to start, hard to master.

Python: I learnt it and coded an AI program, and it felt messy. Maybe I'm wrong.

A natural language is easy to start but hard to master; will this be the future of programming languages as well? Or, nothing to master, just tell it enough...

References

Who killed the Chef? The case against Opscode Chef in 2020
Introduction to is Ansible free?
Chef Enterprise Now Free Up to 25 Nodes
Open Source Chef vs Hosted Chef vs. On Premises Chef
Chef vs. Puppet: Methodologies, Concepts, and Support

Windows 11 on RAMOS

To install Windows 11 on a RAM disk, the RAM disk software can be downloaded from https://www.romexsoftware.com/en-us/primo-ramdisk/.

In fact, I'm more interested in RAM disk cards.

References

How to install Windows 11 into memory instead of hard drive
[Fun Tech] Installing Win11 on a 128 GB RAM stick: can it run faster than a PCIe 5.0 SSD?

Terminology index – a list of bike part names and cycling concepts (Cache)

This is a cached page of https://bicycles.stackexchange.com/questions/244/terminology-index-a-list-of-bike-part-names-and-cycling-concepts.

Page Cached

There's a handy reference at the Park Tool Co. website, a bike repair map; it's a diagram of a bike with all the parts labeled, and is very handy! At the moment, the diagram is up at parktool.com/blog/repair-help. (They've changed the URL in the past, so this link may break.)

A road bike has the following parts (source):

(image: bicycle_parts_labeled.jpg, road bike parts diagram)

A mountain bike has the following parts (source):

(image: 850px-Bicycle_diagram-en.svg_.png, mountain bike parts diagram)


Edit: This page is meant to identify what things or concepts are (as per this thread in meta). If you want to recommend an accessory or a specific product you've found handy, please use the accessories page.


Contents
Axle
Axle Nuts
BCD (Bolt Circle Diameter)
Bearing
Belt Drive
Bidon/Bottle
Bonk/Bonking
Bottle Cage / Bottle Holder
Bottom Bracket
Boom/Boom Tube
Brazed Frame
Brifter
BSD (Bead Seat Diameter)
BSO/Bike-Shaped-Object
Cable Pull
Cable Stretcher
Cadence
Cassette
Chain
Chain Gauge
Chain Guard/Cover
Chain Tool
Chain Tug/Chain Tensioner
Chainstay Length
Chainsuck
Chamois
Clipless Pedals
Coaster Brake (foot brake / pedal brake)
Crank
Derailleur
Derailer Hanger/Derailleur Ranger
Direct Drive
Disk/Disc Brake
Disc Hub
Door Zone
Dropout
Dropper Post
Dunlop Valve
Engine/Motor
Electronic shifting
Eccentric
Fender/Mudguard/Mudflaps
Fixed-Gear
Flip-Flop Hub
Folding Bike
Frame
Frame Sizing
Gear Inches
Groupset
Handlebars
Headset
Hose Clamp aka Jubilee Clip
Hub
Hub Skewer
Internally-Geared Hub
Keel Tube
Lawyer lips/lawyer tabs
Lateral Tube
LBS/Local Bike Shop
Lights
Luggage Carrier/Rack
Lugged Frame
Master Link
MIPS
Mixte
Mountain Bike
Noodle
Over Locknut Dimension or OLD
Pannier
Play
Power Meter
Presta Valve/Presta Tube
Pump Peg
Q-Factor
Quick-Release
Recumbent Cycles
REI (Recreational Equipment Inc)
Rim
Rim Tape
Rim Brakes, e.g. cantilever, dual pivot, V-brakes
Saddle
Saddlebag
Schrader Valve/ Schrader Tube
Shaft Drive
Single-speed
Skewer
Spider
Spoke
Stay, Mudguard/fender
Stem
Suspension Fork/Rear Shock
Through/Thru Axle
Tire, Clincher
Tire, Tubeless
Tire, Tubular
Tire, Solid/airless/runflat
Tire Boot
Tire Clearance
Tire Lever/Tire Iron
Tire Saver
Tire Sealant
Tolerances
Track Pump/Floor Pump
Triathalon Bars/Triathlon Bars
U-Brake
V-Brake
Velomobile
Welded Frame

References

Terminology index - a list of bike part names and cycling concepts