It worked a few days ago, and I even checked similar questions like here. I tried adding environment variables and everything; as far as I can tell, my hcl file also isn't the problem.
The hcl file is
```hcl
storage "file" {
  path = "/home/***/vault/"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
```
My unseal.yml looks like this
```yaml
---
- name: Removing login and putting to another file
  shell: sed -n '7p' keys.txt > login.txt
- name: Remove all lines other than the keys
  shell: sed '6,$d' keys.txt > temp.txt
- name: Extracting the keys
  shell: cut -c15- temp.txt > unseal_keys.txt
- name: Deleting unnecessary files
  shell: rm temp.txt
- name: Unsealing the vault
  environment:
    VAULT_ADDR: http://127.0.0.1:8200
  shell: vault operator unseal $(awk 'NR==1' unseal_keys.txt)
- name: Unsealing the vault
  environment:
    VAULT_ADDR: http://127.0.0.1:8200
  shell: vault operator unseal $(awk 'NR==2' unseal_keys.txt)
- name: Unsealing the vault
  environment:
    VAULT_ADDR: http://127.0.0.1:8200
  shell: vault operator unseal $(awk 'NR==3' unseal_keys.txt)
  register: check
- debug: var=check.stdout_lines
- name: Login
  environment:
    VAULT_ADDR: http://127.0.0.1:8200
  shell: vault login $(sed 's/Initial Root Token://; s/ //' login.txt)
  register: checkLogin
- debug: var=checkLogin.stdout_lines
```
My start-server.yml looks like this
```yaml
---
#- name: Disable mlock
#  shell: sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
#  shell: LimitMEMLOCK=infinity
- name: Start vault service
  systemd:
    state: started
    name: vault
    daemon_reload: yes
  environment:
    VAULT_ADDR: http://127.0.0.1:8200
  become: true
- pause:
    seconds: 15
```
This error is shown.
```
fatal: [europa]: FAILED! => {"changed": true, "cmd": "vault operator unseal $(awk 'NR==1' unseal_keys.txt)", "delta": "0:00:00.049258", "end": "2019-09-17 12:25:48.987789", "msg": "non-zero return code", "rc": 2, "start": "2019-09-17 12:25:48.938531", "stderr": "Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused", "stderr_lines": ["Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused"], "stdout": "", "stdout_lines": []}
```
This is the main error
```
"Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused", "stderr_lines": ["Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused"
```
Answer 0 (score: 0)
"Error unsealing: Put http://127.0.0.1:8200/v1/sys/unseal: dial tcp 127.0.0.1:8200: connect: connection refused"
Since it shows connection refused, most likely your vault service is not running.
Another thing I can suggest is that you can create a script named unseal_vault.sh and use that script to unseal Vault, instead of repeating the same task in the playbook.
Below is the script I use in my setup to unseal the vault.
```bash
#!/bin/bash
# Assumptions: vault is already initialized
set -eu

# Vault API address (the original masks the host as 192.*.*.*)
VAULT_ADDR="http://192.*.*.*:8200"

# Fetching first three keys to unseal the vault
# ("Unseal Key N: <key>" lines from `vault operator init`; the key is the 4th field)
KEY_1=$(awk '/Unseal Key 1/ {print $4}' keys.log)
KEY_2=$(awk '/Unseal Key 2/ {print $4}' keys.log)
KEY_3=$(awk '/Unseal Key 3/ {print $4}' keys.log)

# Unseal using first key
curl --silent -X PUT \
  "$VAULT_ADDR/v1/sys/unseal" \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d "{\"key\": \"$KEY_1\"}"

# Unseal using second key
curl --silent -X PUT \
  "$VAULT_ADDR/v1/sys/unseal" \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d "{\"key\": \"$KEY_2\"}"

# Unseal using third key
curl --silent -X PUT \
  "$VAULT_ADDR/v1/sys/unseal" \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d "{\"key\": \"$KEY_3\"}"
```
You can run this script with a single task in ansible.
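The "connection refused" in the question means the unseal task ran before Vault's listener was accepting connections at all (a 15-second pause is no guarantee of that). The script below is an added example, not code from the question or the answer: it waits until the listener actually answers, then feeds the first three keys from `vault operator init` output and stops as soon as `vault status` reports the seal open. It assumes `vault` and `curl` are on PATH, that `KEYS_FILE` (default `keys.log`) holds the init output, and it uses a constructed sample of that output for its self-check; the function names are my own.

```bash
#!/bin/bash
# Added example (not from the question or answer above): unseal Vault only
# once its listener is reachable, and fail on the first unseal step that errors.
# Assumptions: `vault` and `curl` on PATH; KEYS_FILE holds `vault operator init` output.
set -eu

VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
KEYS_FILE="${KEYS_FILE:-keys.log}"
export VAULT_ADDR

# Constructed sample of `vault operator init` output (dummy values, not real keys),
# used only to exercise the parsing helpers without a running Vault.
sample_init_output() {
  cat <<'EOF'
Unseal Key 1: AAAAkey1
Unseal Key 2: BBBBkey2
Unseal Key 3: CCCCkey3
Unseal Key 4: DDDDkey4
Unseal Key 5: EEEEkey5

Initial Root Token: s.constructedroottoken
EOF
}

# extract_unseal_key FILE N: print the key from the "Unseal Key N: <key>" line.
extract_unseal_key() {
  awk -v n="$2" '$1 == "Unseal" && $2 == "Key" && $3 == n ":" { print $4; exit }' "$1"
}

# extract_root_token FILE: print the initial root token (read into a variable,
# so it never has to be pasted onto a command line by hand).
extract_root_token() {
  awk -F': ' '/^Initial Root Token:/ { print $2; exit }' "$1"
}

# wait_for CMD ATTEMPTS INTERVAL: retry CMD up to ATTEMPTS times, INTERVAL seconds apart.
# Returns 0 as soon as CMD succeeds, 1 if it never does.
wait_for() {
  local cmd="$1" attempts="$2" interval="$3" i=0
  while [ "$i" -lt "$attempts" ]; do
    if eval "$cmd" >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  return 1
}

# vault_listening: true once /v1/sys/health returns any HTTP status. Without -f,
# curl exits 0 even for 503 (sealed) or 501 (uninitialized), so this checks only
# that the TCP listener is up, which is exactly what "connection refused" lacked.
vault_listening() {
  curl --silent --output /dev/null "$VAULT_ADDR/v1/sys/health"
}

main() {
  wait_for vault_listening 30 1 || {
    echo "vault not reachable at $VAULT_ADDR after 30s; is the service running?" >&2
    exit 1
  }
  local n key
  for n in 1 2 3; do
    key="$(extract_unseal_key "$KEYS_FILE" "$n")"
    [ -n "$key" ] || { echo "unseal key $n not found in $KEYS_FILE" >&2; exit 1; }
    vault operator unseal "$key" >/dev/null
    # `vault status` exits 0 once unsealed and 2 while still sealed.
    if vault status >/dev/null 2>&1; then
      echo "vault unsealed after $n key(s)"
      return 0
    fi
  done
  echo "vault still sealed after 3 keys" >&2
  exit 1
}

# Only run the unseal flow when invoked with --run, so the helpers can be
# sourced or self-tested without contacting a Vault server.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Invoke it as `./unseal_vault.sh --run` from a single Ansible `shell` task; the readiness wait replaces the fixed `pause`, and the early return means no more keys than necessary are ever passed to the CLI.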