Category archive: Software

Recovering HashiCorp Vault when auto unseal is unavailable

First, get hold of the original Vault server's configuration file. Add the line disabled = "true" inside the seal block, then start a Vault server (a new one or the original, as long as it can reach the storage backend); it will enter seal migration mode. You should see a log line like this:

[WARN]  core: entering seal migration mode; Vault will not automatically unseal even if using an autoseal: from_barrier_type=azurekeyvault to_barrier_type=shamir

Then each recovery key holder downloads a vault binary and runs the following on their own device:

(PowerShell)

$env:VAULT_ADDR="http://localhost:8200"
./vault.exe operator unseal "-migrate"

(Bash)

export VAULT_ADDR="http://localhost:8200"
./vault operator unseal -migrate

and then enters their own share of the recovery key. On success, output like this appears:

Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce -UUID-
Seal Migration in Progress true
Version 1.1.2
HA Enabled false

Once the number of recovery keys entered reaches the threshold, Vault unseals.

To set up a new auto unseal afterwards, edit the configuration file the same way, then unseal manually once more.
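The migration unseal exchange above, as an added example that is not part of the original post: it drives the same two API calls the CLI makes (GET /v1/sys/seal-status, then POST /v1/sys/unseal with migrate set), refuses to send any share unless the server reports migration mode, and stops as soon as the threshold is reached. The FakeVault class, the helper names and the 3-of-5 threshold are constructed for the demo; replace `http=fake` with the default to run against a live server.

```python
import json
import urllib.request

# Same exchange as `vault operator unseal -migrate`, over the HTTP API:
#   GET  /v1/sys/seal-status -> {"sealed", "t", "n", "progress", "migration", ...}
#   POST /v1/sys/unseal      <- {"key": <share>, "migrate": true}
# `http` is an injectable callable (method, url, body) -> dict, so the same
# flow runs against a live server or against the constructed FakeVault below.

def http_json(method, url, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

def unseal_with_shares(vault_addr, shares, http=http_json):
    """Submit recovery-key shares with migrate=true until the barrier unseals.
    Refuses to start unless the server actually reports migration mode."""
    status = http("GET", vault_addr + "/v1/sys/seal-status")
    if not status.get("migration"):
        raise RuntimeError("server is not in seal migration mode; check the seal block")
    for share in shares:
        status = http("POST", vault_addr + "/v1/sys/unseal",
                      {"key": share, "migrate": True})
        if not status["sealed"]:
            break  # threshold reached; do not send the remaining shares
    return status

class FakeVault:
    """Constructed stand-in (not real Vault) for a 3-of-5 server in migration mode."""
    def __init__(self, threshold=3, total=5, migration=True):
        self.t, self.n, self.migration = threshold, total, migration
        self.progress, self.sealed, self.seen = 0, True, set()

    def status(self):
        return {"type": "shamir", "sealed": self.sealed, "t": self.t, "n": self.n,
                "progress": self.progress, "migration": self.migration}

    def __call__(self, method, url, body=None):
        if url.endswith("/v1/sys/seal-status"):
            return self.status()
        if self.migration and not body.get("migrate"):
            raise RuntimeError("simulated: share submitted without migrate during migration")
        if body["key"] not in self.seen:  # a repeated share adds no progress
            self.seen.add(body["key"])
            self.progress += 1
        if self.progress >= self.t:
            self.sealed, self.migration, self.progress = False, False, 0
        return self.status()
```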

Setting up a HashiCorp Vault server with Azure Blob Storage and Azure Key Vault as backends

Configuring Azure

First create a Storage account and note down:

  • the storage account name
  • an account key (either of the two)

Then create a Key Vault, go to Keys and create a new key; note down:

  • the Tenant ID
  • the Key Vault name
  • the name of the newly created key

Next, set the Key Vault's access policy:

  • If the Vault process runs on an Azure VM, add that VM
  • Otherwise, register a new application in Azure AD and add that application

For permissions, selecting everything under key permissions is enough. If you registered a new application, you also need to generate a client secret for it.

Configuring HashiCorp Vault

Reference configuration file:

storage "azure" {
  accountName = "storage-account-name"
  accountKey  = "storage-account-key"
  container   = "blob-storage-name"
  environment = "AzurePublicCloud"
}

seal "azurekeyvault" {
  tenant_id      = "your-aad-tenant-id"
  vault_name     = "key-vault-name"
  key_name       = "key-name"

# only if Vault server is not run on Azure VM:
  client_id      = "aad application client id"
  client_secret  = "aad application client secret"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

ui = true
#log_level = "Trace"
default_lease_ttl = "30m"

max_lease_ttl = "43800h"
disable_mlock = false
disable_cache = false
cluster_name = "test-cluster"

# cannot use with free version
disable_sealwrap = true

Initializing HashiCorp Vault

.\vault.exe server "-config=vault.conf"

Start the server, then open http://localhost:8200/ui/vault/init and complete the initialization wizard.

Keeping the space-before of a paragraph at the top of a page in Microsoft Word 2016/2019

First, enable compatibility mode for the document:

  1. Press Alt+F11 to open the VBA editor
  2. Choose View -> Immediate Window, or press Ctrl+G
  3. Type ActiveDocument.SetCompatibilityMode 14 and press Enter
  4. Close the VBA editor

Then set "page break before" on the paragraph at the top of the page.



Installing Sourcegraph with Docker and configuring Azure AD login

Sourcegraph

For now, use systemd to manage the Docker service. Since Nginx will act as the reverse proxy, all ports only need to listen on localhost.

[Unit]
Description=Sourcegraph
Requires=docker.service
Conflicts=systemd-resolved.service,dnsdist.service

[Service]
ExecStart=/usr/bin/docker run --name=sourcegraph --publish 127.0.0.1:7080:7080 --publish 127.0.0.1:2633:2633 --rm --volume /etc/sourcegraph:/etc/sourcegraph --volume /var/lib/sourcegraph/data:/var/opt/sourcegraph sourcegraph/server:3.3.5
ExecStop=/usr/bin/docker stop sourcegraph
ExecReload=/usr/bin/docker restart sourcegraph
TimeoutStartSec=infinity

[Install]
WantedBy=multi-user.target

Nginx SSL offloading

Certificate issuance is not covered in detail here; certbot's automatic issuance is used as the example. For the included template files, see oh-my-nginx.

# main site
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sourcegraph.example.com;

    ssl_certificate     /etc/letsencrypt/live/sourcegraph.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sourcegraph.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:7080;
        include conf.d/templates/proxy-default.conf;
        include conf.d/templates/transparent-proxy.conf;
    }

    include conf.d/templates/ssl.conf;
    include conf.d/templates/performance.conf;
    include conf.d/templates/security.conf;
}

# management console
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sourcegraph-mgmt-console.example.com;

    ssl_certificate     /etc/letsencrypt/live/sourcegraph-mgmt-console.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sourcegraph-mgmt-console.example.com/privkey.pem;
    location / {
        proxy_pass https://127.0.0.1:2633;
        include conf.d/templates/proxy-default.conf;
        include conf.d/templates/transparent-proxy.conf;
    }

    include conf.d/templates/ssl.conf;
    include conf.d/templates/performance.conf;
    include conf.d/templates/security.conf;
}

Creating an administrator

Open sourcegraph.example.com and create an administrator account. If you later want to merge this account with your Azure AD account, use your sAMAccountName as the username and add your userPrincipalName as the email address.

Configuring Azure AD login

Here we use the OpenID Connect login flow. First create a new application in Azure AD, with the callback URL set to:

  • https://sourcegraph.example.com/.auth/callback

and note down:

  • tenant ID
  • client ID
  • client secret

Then open the Sourcegraph management console (any username will do; the password is printed in the log on first start) and enter:

{
  "externalURL": "https://sourcegraph.example.com",
  "auth.providers": [
    {
      "type": "builtin",
      "allowSignup": false
    },
    {
      "type": "openidconnect",
      "displayName": "Azure AD",
      "issuer": "https://login.microsoftonline.com/{tenant_id}/v2.0",
      "clientID": "{client_id}",
      "clientSecret": "{client_secret}"
    }
  ]
}

Note that externalURL must be filled in exactly. After saving, restart Sourcegraph so that the new externalURL takes effect.
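An added example (not part of the original post) of the check behind that note: Sourcegraph derives its OIDC redirect URI from externalURL plus the /.auth/callback path shown above, and Azure AD compares that URI exactly against the redirect URIs registered on the application, so a wrong externalURL surfaces as a failed login rather than a config error. The function names, the placeholder detection and the sample tenant/client values are assumptions for the demo.

```python
from urllib.parse import urlsplit

# Builds the site config from the collected values, derives the redirect URI
# Sourcegraph will present to Azure AD, and flags the mistakes that typically
# break the login flow before the config is saved.

CALLBACK_PATH = "/.auth/callback"   # callback path from the post

def site_config(external_url, tenant_id, client_id, client_secret):
    """Build the site configuration shown above from the collected values."""
    return {
        "externalURL": external_url,
        "auth.providers": [
            {"type": "builtin", "allowSignup": False},
            {"type": "openidconnect", "displayName": "Azure AD",
             "issuer": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
             "clientID": client_id, "clientSecret": client_secret},
        ],
    }

def redirect_uri(config):
    """Redirect URI derived from externalURL (assumed: externalURL + callback path)."""
    return config["externalURL"].rstrip("/") + CALLBACK_PATH

def check_config(config, registered_redirect_uris):
    """Return a list of problems; an empty list means the login flow should work."""
    problems = []
    ext = config["externalURL"]
    parts = urlsplit(ext)
    if parts.scheme != "https":
        problems.append("externalURL must use https")
    if ext.endswith("/"):
        problems.append("externalURL must not end with a slash")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("externalURL must be the bare origin (no path, query or fragment)")
    for p in config["auth.providers"]:
        if p["type"] == "builtin" and p.get("allowSignup", False):
            problems.append("builtin provider allows open sign-up; set allowSignup to false")
        if p["type"] == "openidconnect":
            if not p["issuer"].startswith("https://login.microsoftonline.com/"):
                problems.append("issuer is not an Azure AD v2.0 endpoint")
            if "{" in p["clientID"] or "{" in p["clientSecret"]:
                problems.append("clientID/clientSecret still contain template placeholders")
    if redirect_uri(config) not in registered_redirect_uris:
        problems.append(f"register {redirect_uri(config)} as a redirect URI on the Azure AD app")
    return problems
```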

Adding Git repos from Azure DevOps

Under External Services, add a "Single Git repositories" entry and fill in:

{
  "url": "https://{org_name}:{your_access_token}@dev.azure.com/{org_name}/",
  "repos": [
    "{project_name}/_git/{repo_name}"
  ]
}

Note that Sourcegraph does not currently support spaces in the project name; see sourcegraph/issues/2867.