Ansible playbook Vault encryption in detail, with usage examples
Host planning
Adding a user account
Notes:
1. This is the login account used by operations staff;
2. All business data is kept under /app/ (the home directory of user yun), so that business data is not scattered around;
3. Ansible also uses this account, because almost every production environment forbids remote root login (which is why the yun user is given sudo privilege escalation).

# Use a dedicated user instead of root directly
# Add the user, set its home directory and its password
# sudo privilege escalation
# Let other ordinary users enter the directory and read information
useradd -u 1050 -d /app yun && echo "123456" | /usr/bin/passwd --stdin yun
echo "yun ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
chmod 755 /app/
Ansible Inventory
The rest of the article uses the host inventory below.

[yun@ansi-manager ansible_info]$ pwd
/app/ansible_info
[yun@ansi-manager ansible_info]$ cat hosts_key
# Method 1: host + port + key
[manageservers]
172.16.1.180:22

[proxyservers]
172.16.1.18[1:2]:22

# Method 2: alias + host + port + password
[webservers]
web01 ansible_ssh_host=172.16.1.183 ansible_ssh_port=22
web02 ansible_ssh_host=172.16.1.184 ansible_ssh_port=22
web03 ansible_ssh_host=172.16.1.185 ansible_ssh_port=22
Ansible Vault overview
The playbooks we write often involve sensitive information: database credentials, MQ credentials, host credentials. To keep such information from leaking, it can be encrypted with Vault.
[yun@ansi-manager ~]$ ansible-vault -h
Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

Options:
  --ask-vault-pass      ask for vault password
  -h, --help            show this help message and exit
  --new-vault-id=NEW_VAULT_ID
                        the new vault identity to use for rekey
  --new-vault-password-file=NEW_VAULT_PASSWORD_FILE
                        new vault password file for rekey
  --vault-id=VAULT_IDS  the vault identity to use
  --vault-password-file=VAULT_PASSWORD_FILES
                        vault password file
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                        connection debugging)
  --version             show program's version number, config file location,
                        configured module search path, module location,
                        executable location and exit

See 'ansible-vault <command> --help' for more information on a specific
command.
Subcommand descriptions
create: create an encrypted file; you are first asked for the Vault password, then dropped into an editor to write the file.
decrypt: decrypt a vault-encrypted file.
edit: edit a vault-encrypted file.
encrypt: vault-encrypt an existing file.
encrypt_string: vault-encrypt a supplied string.
rekey: change the password of an already vault-encrypted file; the previous password must be supplied.
view: view an encrypted file; the password must be supplied.
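As an added example (my own script, not code from the original post), the motivation above turned into a check: a POSIX shell function that scans playbook and variable files for credential-looking keys whose value was left in plaintext, i.e. is neither an inline `!vault` value nor a `{{ ... }}` variable reference. Files that are encrypted as a whole are skipped, recognised by the `$ANSIBLE_VAULT;` header that every vault-encrypted file starts with. The key-name pattern (password, passwd, secret, token) is my assumption about naming, and the file names in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find secrets that were left in
# plaintext in playbook/variable files instead of being vault-encrypted.
# Assumptions (mine): credential keys contain password/passwd/secret/token,
# a whole-file encryption is recognised by the "$ANSIBLE_VAULT;" header, and
# an inline encrypted value starts with "!vault".

# is_vault_file FILE -> 0 if the whole file is vault-encrypted
is_vault_file() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# scan_plaintext_secrets FILE... -> prints "file:line:key: value" for every
# plaintext secret; returns 1 if any was found, 0 if everything is protected
scan_plaintext_secrets() {
    found=0
    for f in "$@"; do
        # nothing to inspect when the whole file is ciphertext
        is_vault_file "$f" && continue
        # a key that looks like a credential with a non-empty value that does
        # not start with "!" (inline !vault), then drop "{{ var }}" references
        hits=$(grep -n -i -E \
            '^[[:space:]]*(-[[:space:]]+)?[a-z0-9_]*(password|passwd|secret|token)[a-z0-9_]*:[[:space:]]*[^[:space:]!]' \
            "$f" | grep -v -E ":[[:space:]]*[\"']?\{\{" || true)
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | sed "s|^|$f:|"
        fi
    done
    return $found
}

# usage (constructed paths): scan_plaintext_secrets group_vars/*.yml playbooks/*.yml
```

Run it from a pre-commit hook or CI step; a non-zero exit blocks the commit and the printed `file:line` pairs show exactly which values still need `ansible-vault encrypt_string` or whole-file `encrypt`.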
Ansible Vault: interactive mode
Creating an encrypted file

[yun@ansi-manager object06]$ pwd
/app/ansible_info/object06
[yun@ansi-manager object06]$ ansible-vault create test_vault.yml
New Vault password:          # enter the password
Confirm New Vault password:  # confirm the password
---
# vault test
- hosts: proxyservers

  tasks:
    - name: "touch file"
      file:
        path: /tmp/with_itemstestfile
        state: touch

[yun@ansi-manager object06]$ cat test_vault.yml   # view after encryption
$ANSIBLE_VAULT;1.1;AES256
33663239636530353564393731363161623462386266613165326235353762343465653235396639
6138353833366637383066366662666236666338333237610a303263336234303866623834663361
39343633646434353334396162643063613964333337343336373232653266613264626564346566
6262633334353036620a633136313364383536323531373164346436663739663631353166663434
38663962363032643163333266633662376538383134333862373961313166656536353734363537
30626261366138383864653834336637393230363466336662306138323032373361656566663231
65363039393736326266316261383065363739633861646464373733643966333233343436303731
37366130363064366337393837396664356335363738663130333436656238666233396466393137
33306434343262313961393661313536386338383233303230613962663732323630663638313531
3236636438646166643937613761396564373033623637636166
Decrypting an encrypted file

[yun@ansi-manager object06]$ ansible-vault decrypt test_vault.yml
Vault password:
Decryption successful
[yun@ansi-manager object06]$
[yun@ansi-manager object06]$ cat test_vault.yml   # view after decryption
---
# vault test
- hosts: proxyservers

  tasks:
    - name: "touch file"
      file:
        path: /tmp/with_itemstestfile
        state: touch
Encrypting an existing file

[yun@ansi-manager object06]$ ansible-vault encrypt test_vault.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[yun@ansi-manager object06]$ cat test_vault.yml
$ANSIBLE_VAULT;1.1;AES256
37313964663164613434656666323265376465303433633438613032303733363136316235623066
3930343836396537343333336432363732343936323937370a363239356233333634303464633539
61613264363037313833363738623866643762666662646165646561343631646434383864373338
6334333162616332320a353033323538643566666562646334623630343938646264663561316566
35633939653166326631303635363533613338326561666663623238396464383363613738323464
37306163663933323836316165666532336664353038303036383564346436633235373166663834
62383464373632373839323562306163666366313738663234656139346130373031626265613830
38373135616261616137326337633566306633343338306264646139396230613665356264353134
37376636646266626236323663376230313964323034623133333539393131333065323964303030
3139366661353732333961323764613332316535323334343939
Editing an encrypted file

[yun@ansi-manager object06]$ ansible-vault edit test_vault.yml
Vault password:
---
# vault test ==
- hosts: proxyservers

  tasks:
    - name: "touch file"
      file:
        path: /tmp/with_itemstestfile
        state: touch
Changing the password of an encrypted file

[yun@ansi-manager object06]$ ansible-vault rekey test_vault.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
Viewing an encrypted file

[yun@ansi-manager object06]$ ansible-vault view test_vault.yml
Vault password:
---
# vault test ==
- hosts: proxyservers

  tasks:
    - name: "touch file"
      file:
        path: /tmp/with_itemstestfile
        state: touch
Encrypting a supplied string

[yun@ansi-manager object06]$ ansible-vault encrypt_string "111 222 333"
New Vault password:
Confirm New Vault password:
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          61343332386237363437623939633334626231613539353566313336306562373538633937363566
          6537336166356466666431663037623835643964366137340a336439313066356265666636383430
          36613661393232613134333961643936646164396130613663656237393837366566356631353061
          3034326337303932610a303232643464633239383563393836306565353835666431363132303835
          3635
Encryption successful
Ansible Vault: non-interactive mode
Creating the password file
For safe use, remember to give the file mode 400 or 600.

[yun@ansi-manager object06]$ echo "111111" > vault_pwd
[yun@ansi-manager object06]$ echo "123456" > vault_pwd2
[yun@ansi-manager object06]$ ll vault_pwd*   # mode 400
-r-------- 1 yun yun 7 Aug 30 10:35 vault_pwd
-r-------- 1 yun yun 7 Aug 30 10:39 vault_pwd2
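As an added example (my own script, not code from the original post), here is a POSIX shell function that checks a vault password file before it is handed to `--vault-password-file`. It enforces the 400/600 rule above by refusing any group/other permission bits, rejects an executable file (ansible-vault runs an executable password file as a client script and uses its stdout, instead of reading the file), and requires exactly one non-empty line, because an empty file or a stray second line derives a different key and only shows up later as a decryption failure. Parsing `ls -l` instead of `stat` is a portability choice; the file names in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a vault password
# file before passing it to --vault-password-file. Assumptions (mine): the
# file holds one plaintext password line and "locked down" means no
# group/other permission bits, i.e. mode 400 or 600 as the post recommends.

# vault_pwd_file_ok FILE -> 0 if usable and locked down, 1 otherwise
# (the reason is printed on stderr)
vault_pwd_file_ok() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    # "ls -l" columns 5-10 are the group and other permission bits; reading
    # them avoids the GNU/BSD differences in stat's option syntax
    perms=$(ls -ld "$f")
    if [ "$(printf '%s' "$perms" | cut -c5-10)" != "------" ]; then
        echo "$f: readable by group/other, run: chmod 400 $f" >&2; return 1
    fi
    # column 4 is the owner execute bit: an executable password file is run
    # by ansible-vault as a password client and its stdout used as the
    # password, which a plain one-line file does not intend
    case $(printf '%s' "$perms" | cut -c4) in
        x|s) echo "$f: is executable; ansible-vault would run it, not read it" >&2; return 1 ;;
    esac
    # exactly one non-empty line: an empty file or an extra line derives a
    # different key and surfaces later as an unhelpful decryption failure
    if [ ! -s "$f" ] || [ "$(wc -l < "$f" | tr -d ' ')" -gt 1 ]; then
        echo "$f: must contain exactly one password line" >&2; return 1
    fi
    return 0
}

# usage (constructed names): vault_pwd_file_ok vault_pwd && vault_pwd_file_ok vault_pwd2
```

Call it right before each `ansible-vault` or `ansible-playbook --vault-password-file=...` invocation in a wrapper script; a non-zero return stops the run before the password is ever read.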
Creating an encrypted file

[yun@ansi-manager object06]$ ansible-vault create test_vault02.yml --vault-password-file=vault_pwd
---
# vault test 2
[yun@ansi-manager object06]$ cat test_vault02.yml
$ANSIBLE_VAULT;1.1;AES256
34356364613864656136616365383361386635316332363861656334643230366136313333376366
6638666536306162366263333037323231386365316238390a383139623435363738663832623533
34666539393036383365333062333039643832616233623764613132303966396534616633326366
6131313833383761620a383534363564393836306238666135656137623036386531653931623362
30613036333161613235393539633233663136653566366266353232386230383434
Decrypting an encrypted file

[yun@ansi-manager object06]$ ansible-vault decrypt test_vault02.yml --vault-password-file=vault_pwd
Decryption successful
[yun@ansi-manager object06]$ cat test_vault02.yml
---
# vault test 2
Encrypting an existing file

[yun@ansi-manager object06]$ ansible-vault encrypt test_vault02.yml --vault-password-file=vault_pwd
Encryption successful
[yun@ansi-manager object06]$
[yun@ansi-manager object06]$ cat test_vault02.yml
$ANSIBLE_VAULT;1.1;AES256
65653035393230366365363637343137636337663638346463303532623139353137366162396536
3533393766313339393665386463613831323366623962650a643365653833636663653938613966
39323037396635333236663239316431343461346562393731363537313865623534396533653931
3638363937626635390a303962653366353138373139623237356637656230386565663364626438
31613837383338323065346634323632396339323635323766386236623038616233
Editing an encrypted file

[yun@ansi-manager object06]$ ansible-vault edit test_vault02.yml --vault-password-file=vault_pwd
---
# vault test 2 ##
Changing the password of an encrypted file

[yun@ansi-manager object06]$ ansible-vault rekey test_vault02.yml --vault-password-file=vault_pwd --new-vault-password-file=vault_pwd2
Rekey successful
Viewing an encrypted file

[yun@ansi-manager object06]$ ansible-vault view test_vault02.yml --vault-password-file=vault_pwd2
---
# vault test 2 ##
Encrypting a supplied string

[yun@ansi-manager object06]$ ansible-vault encrypt_string "test info" --vault-password-file=vault_pwd2
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          30313766613263363963316663623664353862623032323331356563626636646239636666343766
          6633363733303334373831303732326435396566313066630a373562633530333832613335393835
          34396161313862656466353433313835643030633966383032656561343331616234373831623233
          6636396135306436640a313531373835663633383665396139343464613861313034386365393137
          6133
Encryption successful
Using a vault file in a playbook

# the vault password for test_vault.yml is the one stored in vault_pwd
[yun@ansi-manager object06]$ ansible-vault view test_vault.yml --vault-password-file=vault_pwd
---
# vault test ==
- hosts: proxyservers

  tasks:
    - name: "touch file"
      file:
        path: /tmp/with_itemstestfile
        state: touch

[yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key --syntax-check test_vault.yml --vault-password-file=vault_pwd   # syntax check
[yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key -C test_vault.yml --vault-password-file=vault_pwd   # dry run (check mode)
[yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key test_vault.yml --vault-password-file=vault_pwd   # run
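As an added example (my own wrapper, not code from the original post), the three-stage procedure above as one shell function: syntax check, then check mode, then the real run, stopping at the first stage that fails so a playbook never reaches the hosts after a failed dry run. Before touching Ansible at all it refuses a password file that is readable by group or other, applying the 400/600 rule from the password-file section. The argument defaults mirror the post's layout (`../hosts_key`, `test_vault.yml`, `vault_pwd`); the `ansible-playbook` flags are exactly those used above.

```shell
#!/bin/sh
# Added example, not from the original post: run a vault-protected playbook in
# the three stages shown above (syntax check, check mode, real run), stopping
# at the first failure and refusing a password file readable by group/other.
# Assumes inventory, playbook and password-file paths are given as arguments;
# the defaults mirror the post's layout.

# run_vault_playbook [INVENTORY] [PLAYBOOK] [PASSWORD_FILE]
# -> 0 after a successful real run, otherwise the status of the failing stage
run_vault_playbook() {
    inv=${1:-../hosts_key}
    play=${2:-test_vault.yml}
    pwdfile=${3:-vault_pwd}
    # refuse a password file that other users can read (the 400/600 rule);
    # "ls -l" columns 5-10 are the group and other permission bits
    if [ "$(ls -ld "$pwdfile" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "refusing: $pwdfile is missing or not mode 400/600" >&2
        return 1
    fi
    command -v ansible-playbook >/dev/null 2>&1 || {
        echo "ansible-playbook not found in PATH" >&2; return 127
    }
    # the empty third stage is the real run; $stage is deliberately unquoted
    # so that the empty string adds no argument
    for stage in "--syntax-check" "-C" ""; do
        echo "== ansible-playbook stage: ${stage:-run} =="
        ansible-playbook -b -i "$inv" $stage "$play" --vault-password-file="$pwdfile" || return $?
    done
}

# usage, matching the post's session: run_vault_playbook ../hosts_key test_vault.yml vault_pwd
```

Because each stage runs only after the previous one succeeded, a typo caught by `--syntax-check` or a change flagged in `-C` never reaches the real run, and the password file is validated once, before Ansible ever reads it.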
Done!
The above is the full content of "Ansible playbook Vault encryption"; source link: utcz.com/z/515968.html