Hashicorp Vault backup with the file backend
I have a small instance of Hashicorp Vault, running the Open Source edition. I am using the 'file' storage backend for my configuration. I do not have a need for high-availability and to simplify things, the file backend is adequate for my needs.
/etc/vault.d/vault.hcl
storage "file" {
path = "/opt/vault/data"
}
However, I do want to take periodic backups of the database state. The documentation on their website demonstrates how to configure backups for the raft and console backends, but not for the 'file' backend. Also, it looks like the "automatic" backup option is only available for the Enterprise Edition.
https://learn.hashicorp.com/tutorials/vault/sop-backup
What is the recommended way to create backups of Vault using the "file" storage backend? Are there any good tools or approaches to automate this? Is it sufficient to just back up the "data" directory, or will that directory occasionally be in an inconsistent "non-synced" state as Vault operates?
Since you have a single instance in your Vault server cluster, then with the default configuration you can indeed simply back up the filesystem location where the 'file' storage backend is configured. Other storage backends, e.g. Raft, have API endpoints for backups, because they require considerably more complexity for reasons such as the gossip protocol and replication across the quorum members.

Automatic backups with Vault Enterprise center around the fact that the software comes packaged with a robust tool for backups. This removes the need for you to develop your own tool for automatic backups. For example, I developed a software tool to periodically back up the Raft storage backend in Vault with the Golang bindings and ship it to an S3 bucket. Vault Enterprise removes the need for you to develop something like this yourself.
To directly answer the question at the end of the question: something like a "snapshot" at the filesystem location that is scheduled with your scheduling tool of choice (cron, pipeline, etc.), and automated with normal software tools, or something small that you can develop yourself.
If it's not too late, I would advise against using the 'file' storage backend. The problem is that you can't guarantee that the backup you take will be atomic. You could end up backing up a file that Vault has not yet flushed to, or capture some intermediate state, leaving you with backups that are "corrupted" randomly.

Use the 'raft' integrated storage instead. It still ends up in the file system (as a hierarchy of files), but Vault has a command to generate a snapshot of the storage:

Raft will also ease the migration to multi-node failover and automated backups (Vault Enterprise) if the need arises.
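For readers who stay on the 'file' backend, here is an added example (not code from either answer, the original poster, or HashiCorp) of the cron-driven "snapshot of the filesystem location" the first answer describes, with a re-scan check that addresses the second answer's concern about copying a half-written state. It assumes GNU find/tar/sha256sum; the data directory is whatever `path` is configured (the question uses /opt/vault/data) and the destination directory is the caller's choice.

```shell
#!/bin/sh
# Added example, not code from the original post or from HashiCorp.
# Back up a Vault "file" storage backend directory, re-scanning the tree
# after the copy so a backup taken while Vault was mid-write is discarded
# and retried instead of being kept as a silently inconsistent archive.
# Assumes GNU find/tar/sha256sum; the data path is the configured `path`
# (the page uses /opt/vault/data) and the destination is caller-chosen.
set -eu

# Fingerprint of every file under $1: path, size, mtime with fractional
# seconds. Any write Vault performs between two scans changes this text.
manifest() {
  find "$1" -type f -printf '%p %s %T+\n' | sort
}

# backup_vault_dir <data_dir> <backup_dir> [max_attempts]
# Writes a timestamped tar.gz plus a .sha256 file and prints the archive
# path; fails (exit 1) if the tree kept changing on every attempt.
backup_vault_dir() {
  data="$1"; dest="$2"; attempts="${3:-3}"
  mkdir -p "$dest"
  i=1
  while [ "$i" -le "$attempts" ]; do
    before=$(manifest "$data")
    archive="$dest/vault-file-backend-$(date -u +%Y%m%dT%H%M%SZ)-$i.tar.gz"
    tar_ok=0
    # tar exits non-zero if a file changes or vanishes while being read.
    tar -czf "$archive" -C "$data" . 2>/dev/null && tar_ok=1
    after=$(manifest "$data")
    if [ "$tar_ok" -eq 1 ] && [ "$before" = "$after" ]; then
      # Checksum lets a restore job verify the archive before unpacking it.
      (cd "$dest" && sha256sum "${archive##*/}" > "${archive##*/}.sha256")
      echo "$archive"
      return 0
    fi
    rm -f "$archive"        # never keep a copy that may hold a half-written state
    i=$((i + 1))
    sleep 1
  done
  echo "backup of $data aborted: tree changed during all $attempts attempts" >&2
  return 1
}
```

Schedule it from cron (e.g. `backup_vault_dir /opt/vault/data /var/backups/vault`) and ship the archive plus its .sha256 off-host; a restore should verify the checksum before unpacking.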