【Question Title】: I'm trying to unseal Vault using Ansible, but I'm getting a connection refused error
【Posted】: 2020-01-18 00:10:52
【Question】:

It worked a few days ago. I even checked similar questions such as here. I tried adding environment variables and everything, and as far as I know my hcl file isn't the problem either.

The hcl file is

storage "file" {
path = "/home/***/vault/"
}

listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}

My unseal.yml looks like this

---
- name: Removing login and putting to another file
  shell: sed -n '7p' keys.txt > login.txt

- name: Remove all lines other than the keys
  shell: sed '6,$d' keys.txt > temp.txt

- name: Extracting the keys 
  shell: cut -c15- temp.txt > unseal_keys.txt

- name: Deleting unnecessary files
  shell: rm temp.txt

- name: Unsealing the vault
  environment: 
    VAULT_ADDR: http://127.0.0.1:8200
  shell: vault operator unseal $(awk 'NR==1' unseal_keys.txt)

- name: Unsealing the vault
  environment: 
    VAULT_ADDR: http://127.0.0.1:8200
  shell: vault operator unseal $(awk 'NR==2' unseal_keys.txt)

- name: Unsealing the vault
  environment: 
    VAULT_ADDR: http://127.0.0.1:8200
  shell: vault operator unseal $(awk 'NR==3' unseal_keys.txt)
  register: check

- debug: var=check.stdout_lines

- name: Login
  environment: 
    VAULT_ADDR: http://127.0.0.1:8200
  shell: vault login $(sed 's/Initial Root Token://; s/ //' login.txt)
  register: checkLogin

- debug: var=checkLogin.stdout_lines

My start-server.yml looks like this

---
#- name: Disable mlock 
#  shell: sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
#  shell: LimitMEMLOCK=infinity

- name: Start vault service
  systemd:
    state: started
    name: vault
    daemon_reload: yes
  environment: 
    VAULT_ADDR: http://127.0.0.1:8200
  become: true

- pause:
    seconds: 15

This is the error that is shown.

fatal: [europa]: FAILED! => {"changed": true, "cmd": "vault operator unseal $(awk 'NR==1' unseal_keys.txt)", "delta": "0:00:00.049258", "end": "2019-09-17 12:25:48.987789", "msg": "non-zero return code", "rc": 2, "start": "2019-09-17 12:25:48.938531", "stderr": "Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused", "stderr_lines": ["Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused"], "stdout": "", "stdout_lines": []}

This is the main error

"Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused", "stderr_lines": ["Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused"

【Comments】:

  • Can you check whether port 8200 is open?
  • Yes, I just checked, and it doesn't look like it's open. I tried the command netstat -vatn to check, and there is no port 8200 open.
  • Open the port and then try.
  • I opened the port, but the Vault server doesn't start. I tried it on another remote system and it works.

Tags: ansible command-line-interface hashicorp-vault


【Solution 1】:

"Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused"

Since it shows connection refused, most likely your vault service is not running.

The other thing I can suggest is that you make a script called unseal_vault.sh and use that script to unseal your vault, instead of repeating the same tasks in your playbook.

Below is the script I use in my setup to unseal the vault.

#!/bin/bash

# Assumptions: vault is already initialized 

# Fetching first three keys to unseal the vault
KEY_1=$(cat keys.log | grep 'Unseal Key 1' | awk '{print $4}')
KEY_2=$(cat keys.log | grep 'Unseal Key 2' | awk '{print $4}')
KEY_3=$(cat keys.log | grep 'Unseal Key 3' | awk '{print $4}')

# Unseal using first key
curl --silent -X PUT \
  http://192.*.*.*:8200/v1/sys/unseal \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
  "key": "'$KEY_1'"
}'

# Unseal using second key
curl --silent -X PUT \
  http://192.*.*.*:8200/v1/sys/unseal \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
  "key": "'$KEY_2'"
}'

# Unseal using third key
curl --silent  -X PUT \
  http://192.*.*.*:8200/v1/sys/unseal \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
  "key": "'$KEY_3'"
}'

You can run this script with a single task in Ansible.
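As an added example (not the answerer's script), a hardened version of the same idea: it selects each key by its "Unseal Key N" label rather than its line number, checks /v1/sys/seal-status first so a connection refused is reported as "service not running" rather than as a failed unseal, and stops as soon as the seal threshold is met. It assumes VAULT_ADDR, a keys.log saved from `vault operator init`, and curl on the host.

```shell
#!/bin/bash
# Added example, not the answerer's script. Assumes VAULT_ADDR points at a
# Vault listener, keys.log holds `vault operator init` output, curl is present.
set -u
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
KEYS_FILE="${KEYS_FILE:-keys.log}"

# Select "Unseal Key N" by its label instead of by line number, so a change
# in the init output layout does not silently hand the wrong value to Vault.
unseal_key() {  # $1 = key number, $2 = keys file
  sed -n "s/^Unseal Key $1: *//p" "$2"
}

# JSON body for PUT /v1/sys/unseal.
unseal_payload() {
  printf '{"key":"%s"}' "$1"
}

# Succeeds when a seal-status JSON body contains "sealed":true (no jq needed).
is_sealed() {
  case "$1" in
    *'"sealed":true'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Submit keys one at a time and stop as soon as the threshold is reached.
# Returns 2 when the listener cannot be reached: the "connection refused"
# case from the question, which means the service is down, not a key problem.
unseal_vault() {
  local status n key
  if ! status=$(curl --silent --fail "$VAULT_ADDR/v1/sys/seal-status"); then
    echo "cannot reach $VAULT_ADDR: is the vault service running?" >&2
    return 2
  fi
  if ! is_sealed "$status"; then echo "already unsealed"; return 0; fi
  for n in 1 2 3 4 5; do
    key=$(unseal_key "$n" "$KEYS_FILE")
    [ -n "$key" ] || break
    status=$(curl --silent --fail -X PUT -H 'content-type: application/json' \
      -d "$(unseal_payload "$key")" "$VAULT_ADDR/v1/sys/unseal") || return 2
    if ! is_sealed "$status"; then echo "unsealed after $n key(s)"; return 0; fi
  done
  echo "still sealed after submitting all keys in $KEYS_FILE" >&2
  return 1
}

if [ "${1:-}" = "--run" ]; then unseal_vault; fi
```

Run it as `unseal_vault.sh --run` from a single Ansible shell task; a return code of 2 tells the playbook to look at the vault service, not at the keys.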

【Discussion】:
