There are two more secure ways to store this kind of sensitive data:
1. Ansible's command-line tool ansible-vault can encrypt and decrypt any file that Ansible uses.
2. Use a third-party key-management service to store the data.
ansible-vault can create, edit, encrypt, decrypt and view files. Ansible Vault can encrypt any file that Ansible uses, including inventory variables, variable files loaded by a playbook, variable files passed to a playbook on the command line, and the variable files defined by Ansible roles.
Ansible Vault's encryption is implemented by an external Python tool. Files are encrypted with AES256, and you must supply a password that serves as the encryption key.
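The envelope that ansible-vault writes can be sanity-checked without knowing the password, which is useful in a pre-commit hook or a deployment gate. The following is an added example, not code from the original post and not part of the Ansible project: it parses the header and the hex body of a vault 1.1/1.2 file into the salt, HMAC and ciphertext fields that Ansible's AES256 cipher stores (keys derived with PBKDF2, AES-CTR encryption, HMAC-SHA256 over the ciphertext) and rejects malformed files. The sample file it builds is constructed and cannot be decrypted; the function names are the example's own.

```python
# Added example (not from the original post or from Ansible): parse and
# validate the on-disk vault envelope without decrypting it.
import binascii
import textwrap

HEADER_PREFIX = "$ANSIBLE_VAULT;"


def is_vault_file(text):
    """True if the text starts with the ansible-vault header line."""
    return text.lstrip().startswith(HEADER_PREFIX)


def parse_vault_envelope(text):
    """Split a vault 1.1/1.2 file into its header fields and raw parts.

    On-disk layout written by Ansible's AES256 cipher:
      $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
      hex("<salt hex>\n<hmac-sha256 hex>\n<ciphertext hex>"), wrapped at 80 columns
    Nothing here decrypts; the function only validates structure.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        raise ValueError("missing $ANSIBLE_VAULT header")
    fields = lines[0].split(";")
    if len(fields) not in (3, 4):
        raise ValueError("malformed header: %r" % lines[0])
    version, cipher = fields[1], fields[2]
    vault_id = fields[3] if len(fields) == 4 else None
    if version not in ("1.1", "1.2"):
        raise ValueError("unsupported vault format version %s" % version)
    if cipher != "AES256":
        raise ValueError("unexpected cipher %s" % cipher)
    try:
        body = binascii.unhexlify("".join(lines[1:]))
    except binascii.Error as exc:
        raise ValueError("body is not valid hex: %s" % exc)
    parts = body.split(b"\n")
    if len(parts) != 3:
        raise ValueError("expected salt, hmac and ciphertext, got %d parts" % len(parts))
    try:
        salt = binascii.unhexlify(parts[0])
        ciphertext = binascii.unhexlify(parts[2])
    except binascii.Error as exc:
        raise ValueError("salt/ciphertext not valid hex: %s" % exc)
    hmac_hex = parts[1].decode("ascii", "replace")
    if len(salt) != 32:
        raise ValueError("salt must be 32 bytes, got %d" % len(salt))
    if len(hmac_hex) != 64:
        raise ValueError("HMAC-SHA256 must be 64 hex chars, got %d" % len(hmac_hex))
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt": salt, "hmac": hmac_hex, "ciphertext": ciphertext}


def build_sample(vault_id=None):
    """Construct a structurally valid (but not decryptable) vault file for the demo."""
    salt = bytes(range(32))          # constructed; a real vault uses a random salt
    fake_hmac = b"ab" * 32           # constructed 64-hex-char stand-in for the HMAC
    ciphertext = b"\x01" * 40        # constructed payload bytes
    body = b"\n".join([binascii.hexlify(salt), fake_hmac, binascii.hexlify(ciphertext)])
    if vault_id:
        header = "$ANSIBLE_VAULT;1.2;AES256;" + vault_id
    else:
        header = "$ANSIBLE_VAULT;1.1;AES256"
    wrapped = "\n".join(textwrap.wrap(binascii.hexlify(body).decode("ascii"), 80))
    return header + "\n" + wrapped + "\n"


if __name__ == "__main__":
    info = parse_vault_envelope(build_sample())
    print("version=%s salt=%d bytes ciphertext=%d bytes"
          % (info["version"], len(info["salt"]), len(info["ciphertext"])))
```

Because the check never needs the password, it can run on every commit: a vars file that should be vaulted but fails `is_vault_file` is the common mistake (someone ran `ansible-vault decrypt` without `--output` and committed the plaintext).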
# Interactive
[root@ansible-server ansible]# ansible-vault create test.yml    # create an encrypted file
New Vault password:
Confirm New Vault password:
[root@ansible-server ansible]# cat test.yml
$ANSIBLE_VAULT;1.1;AES256
35323132396639386132393132373663326664316466333863666136623661333863666365633938
3134356261396233323532633732386235343463656334300a383862323435613132366330666134
37613065613833633832633565653133643334313439373339663934653437383536653430656166
3435323165623962640a383933393738613330396334323438303965633666343531336236626431
3866
[root@ansible-server ansible]# ansible-vault view test.yml    # view the encrypted file
Vault password:
---
[root@ansible-server ansible]# ansible-vault edit test.yml    # edit the encrypted file
Vault password:
# Non-interactive
[root@ansible-server ansible]# echo redhat >> vault.pass
[root@ansible-server ansible]# ansible-vault create test2.yml --vault-password-file=vault.pass
[root@ansible-server ansible]# ansible-vault rekey test2.yml --vault-password-file=vault.pass
New Vault password:
Confirm New Vault password:
Rekey successful
# Encrypt an existing YAML file
[root@ansible-server ansible]# ansible-vault encrypt del-local.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@ansible-server ansible]# cat del-local.yml
$ANSIBLE_VAULT;1.1;AES256
32646664306332383564613237373231323262386630336330313839353164386462633831376362
6364306130356131643039366561663065633831343630340a623133383132313331323231373734
35643435633139626131663837626266353139303236396532343434386133303962666165663330
3637616461336364650a333938343539323063643364383334653361393661643233636133633363
65386537623536313466343263333034643636376562373562663535363537396430653062656137
62616465623633333036303831613238393939363563663137663830386461383865323965393732
66396233363833666561383235646236343930396533636131643035636437343766326633316336
32616230343030386462396537383730316566396566383461383766646561303936303939353838
33666634393363316538323137303464363265383562666161306461623664303332346662363439
34323165653336613736356635653964363638646364383365613230613735666663626134323939
63363635353634333963373363383264356633656637623131373865353164323433643630613935
33633039363461646331393032333535393339666562353231633266306463346166366233306162
36343035353935336431636434666139346531643230643933393634373562303161616562333335
36393636303763336463383630633937393332333630626666303239643534323162303765303033
61336366646566313331343533613566353261643638633235376635343362636632636132343233
35353131623238633933326330643263303032326233323362303533306262626135633832626264
32626431623139613938346633653834366438306663393635396635366330303130383565633966
30653364653936393163616130386638313166346265613834626538643961356139363563616666
38353931323465316666333434393964643265383239626632323863613165346539663538663238
34653930653263326134383731653337626437663736653762343731616333363238336435653933
66653664323937653666656337376439373731333839616663306335313832353266363631393231
3161636532643435623961376630386562613533363039376261
# Decrypt an already encrypted file
[root@ansible-server ansible]# ansible-vault decrypt del-local.yml --output=del-local-1.yml
Vault password:
Decryption successful
[root@ansible-server ansible]# cat del-local-1.yml
- name: dele to local
  hosts: 172.16.216.181
  tasks:
    - command: ps
      register: a_ps
      changed_when: false
    - debug:
        msg: "{{ a_ps.stdout }}"
    - local_action: command ps
      #command: ps
      #delegate_to: localhost
      register: local_ps
      changed_when: false
    - debug:
        msg: "{{ local_ps.stdout }}"
[root@ansible-server ansible]# cat del-local.yml
$ANSIBLE_VAULT;1.1;AES256
32646664306332383564613237373231323262386630336330313839353164386462633831376362
6364306130356131643039366561663065633831343630340a623133383132313331323231373734
35643435633139626131663837626266353139303236396532343434386133303962666165663330
3637616461336364650a
[root@ansible-server ansible]# cat j2.yml
- name: test j2
  hosts: all
  tasks:
    - name: first use template module
      template:
        src: motd.j2
        dest: /etc/motd
        owner: root
        group: root
        mode: 0644
[root@ansible-server ansible]# ansible-vault encrypt j2.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@ansible-server ansible]# ansible-playbook j2.yml --ask-vault-pass
Vault password:

PLAY [test j2] ******************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************
ok: [172.16.216.181]
ok: [172.16.216.182]

TASK [first use template module] ************************************************************************************************
changed: [172.16.216.182]
changed: [172.16.216.181]

PLAY RECAP **********************************************************************************************************************
172.16.216.181             : ok=2    changed=1    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=1    unreachable=0    failed=0

[root@ansible-server ansible]# ansible-playbook j2.yml --vault-password-file=vault.pass

PLAY [test j2] ******************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

TASK [first use template module] ************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

PLAY RECAP **********************************************************************************************************************
172.16.216.181             : ok=2    changed=0    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=0    unreachable=0    failed=0

# Point an environment variable at the password file
[root@ansible-server ansible]# vim /etc/profile
export ANSIBLE_VAULT_PASSWORD_FILE=/etc/ansible/vault.pass
[root@ansible-server ansible]# . /etc/profile
[root@ansible-server ansible]# ansible-playbook j2.yml

PLAY [test j2] ******************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

TASK [first use template module] ************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

PLAY RECAP **********************************************************************************************************************
172.16.216.181             : ok=2    changed=0    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=0    unreachable=0    failed=0

[root@ansible-server ~]# yum install python2-cryptography    # speeds up encryption
Example
[root@ansible-server ~]# ansible-vault create secret.yml
newusers:
  - name: ansibleuser1
    pw: redhat
  - name: ansibleuser2
    pw: $Re4H1t@
[root@ansible-server ansible]# cat create_users.yml
- name: create user accounts for all our servers
  hosts: client
  vars_files:
    - secret.yml
  tasks:
    - name: create users
      user:
        name: "{{ item.name }}"
        password: "{{ item.pw | password_hash('sha512') }}"
      with_items: "{{ newusers }}"
[root@ansible-server ansible]# ansible-playbook --syntax-check --ask-vault-pass create_users.yml
Vault password:

playbook: create_users.yml
[root@ansible-server ansible]# echo redhat > vault.pass
[root@ansible-server ansible]# chmod 0600 vault.pass
[root@ansible-server ansible]# ansible-playbook --syntax-check --vault-password-file=vault.pass create_users.yml

playbook: create_users.yml
[root@ansible-server ansible]# ansible-playbook --vault-password-file=vault.pass create_users.yml

PLAY [create user accounts for all our servers] *********************************************************************************

TASK [Gathering Facts] **********************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

TASK [create users] *************************************************************************************************************
changed: [172.16.216.182] => (item={u'name': u'ansibleuser1', u'pw': u'redhat'})
changed: [172.16.216.181] => (item={u'name': u'ansibleuser1', u'pw': u'redhat'})
changed: [172.16.216.182] => (item={u'name': u'ansibleuser2', u'pw': u'$Re4H1t@'})
changed: [172.16.216.181] => (item={u'name': u'ansibleuser2', u'pw': u'$Re4H1t@'})

PLAY RECAP **********************************************************************************************************************
172.16.216.181             : ok=2    changed=1    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=1    unreachable=0    failed=0

[root@ansible-server ansible]# ssh ansibleuser1@172.16.216.181
ansibleuser1@172.16.216.181's password:
the hostname is ansible-client1.liuxplus.com
today's date is 2018-10-11
[ansibleuser1@ansible-client1 ~]$ exit
登出
Connection to 172.16.216.181 closed.
[root@ansible-server ansible]# ssh ansibleuser1@172.16.216.182
ansibleuser1@172.16.216.182's password:
the hostname is ansible-client2.linuxplust.com
today's date is 2018-10-11
[ansibleuser1@ansible-client2 ~]$ exit
登出
Connection to 172.16.216.182 closed.
[root@ansible-server ansible]# ssh ansibleuser2@172.16.216.181
ansibleuser2@172.16.216.181's password:
the hostname is ansible-client1.liuxplus.com
today's date is 2018-10-11
[ansibleuser2@ansible-client1 ~]$ exit
登出
Connection to 172.16.216.181 closed.
[root@ansible-server ansible]# ssh ansibleuser2@172.16.216.182
ansibleuser2@172.16.216.182's password:
the hostname is ansible-client2.linuxplust.com
today's date is 2018-10-11
[ansibleuser2@ansible-client2 ~]$ exit
登出
Connection to 172.16.216.182 closed.
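The workflow above has two points where things silently go wrong: a vars file listed under `vars_files` that was never encrypted, and a password file left readable by other users (the post deliberately runs `chmod 0600 vault.pass`). The following pre-flight check is an added example, not the original post's code and not an Ansible feature: it verifies that every vars file that should hold secrets carries the vault header and that the password file is neither empty nor group/world-readable. The directory it inspects is constructed in a temporary location; the function names and file names are the example's own.

```python
# Added example (not from the original post or from Ansible): pre-flight
# checks to run before `ansible-playbook --vault-password-file=...`.
import os
import stat
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"


def is_vaulted(path):
    """True if the file's first line is an ansible-vault header."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.readline().startswith(VAULT_HEADER)


def password_file_findings(path):
    """Return a list of problems with the vault password file (empty list = OK)."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["password file %s does not exist" % path]
    # Any group/other permission bit means another local account can read the
    # vault password and therefore every secret it protects.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s is readable by group/others (mode %o)"
                        % (path, stat.S_IMODE(st.st_mode)))
    if st.st_size == 0:
        findings.append("%s is empty" % path)
    return findings


def preflight(vars_files, password_file):
    """Collect everything that would make the playbook run unsafe."""
    findings = []
    for vf in vars_files:
        if not os.path.exists(vf):
            findings.append("vars file %s is missing" % vf)
        elif not is_vaulted(vf):
            findings.append("vars file %s is stored in plaintext" % vf)
    findings.extend(password_file_findings(password_file))
    return findings


def demo():
    """Build a constructed working directory and run the check over three scenarios."""
    tmp = tempfile.mkdtemp()
    vaulted = os.path.join(tmp, "secret.yml")
    plain = os.path.join(tmp, "plain_secret.yml")
    good_pass = os.path.join(tmp, "vault.pass")
    bad_pass = os.path.join(tmp, "vault-world-readable.pass")
    with open(vaulted, "w") as fh:       # constructed header plus a dummy hex body
        fh.write("$ANSIBLE_VAULT;1.1;AES256\n" + "61" * 40 + "\n")
    with open(plain, "w") as fh:         # the same vars left unencrypted
        fh.write("newusers:\n  - name: ansibleuser1\n    pw: redhat\n")
    for p in (good_pass, bad_pass):
        with open(p, "w") as fh:
            fh.write("redhat\n")
    os.chmod(good_pass, 0o600)           # what the post does with chmod 0600
    os.chmod(bad_pass, 0o644)            # the default umask result, left unfixed
    return {
        "clean": preflight([vaulted], good_pass),
        "plaintext_secret": preflight([vaulted, plain], good_pass),
        "weak_password_file": preflight([vaulted], bad_pass),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, "->", findings or "OK")
```

Wiring `preflight` into a wrapper script or CI job that refuses to run `ansible-playbook` when the list is non-empty catches both mistakes before any host is touched; the same check applies to the path named in `ANSIBLE_VAULT_PASSWORD_FILE`.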
This article is from cnblogs (博客园), author: IT老登. Please credit the original link when reposting: https://www.cnblogs.com/nb-blog/p/10614946.html