• Ansible playbook Vault 加密


    Ansible playbook Vault 加密详解与使用案例

    主机规划

    添加用户账号

    说明:

    1、 运维人员使用的登录账号;

    2、 所有的业务都放在 /app/ 下「yun用户的家目录」,避免业务数据乱放;

    3、 该用户也被 ansible 使用,因为几乎所有的生产环境都是禁止 root 远程登录的(因此该 yun 用户也进行了 sudo 提权)。

    复制代码
    1 # 使用一个专门的用户,避免直接使用root用户
    2 # 添加用户、指定家目录并指定用户密码
    3 # sudo提权
    4 # 让其它普通用户可以进入该目录查看信息
    5 useradd -u 1050 -d /app yun && echo '123456' | /usr/bin/passwd --stdin yun
    6 echo "yun  ALL=(ALL)       NOPASSWD: ALL" >>  /etc/sudoers
    7 chmod 755 /app/
    复制代码

    Ansible 配置清单Inventory

    之后文章都是如下主机配置清单

    复制代码
     1 [yun@ansi-manager ansible_info]$ pwd
     2 /app/ansible_info
     3 [yun@ansi-manager ansible_info]$ cat hosts_key 
     4 # 方式1、主机 + 端口 + 密钥
     5 [manageservers]
     6 172.16.1.180:22
     7 
     8 [proxyservers]
     9 172.16.1.18[1:2]:22
    10 
    11 # 方式2:别名 + 主机 + 端口 + 密码
    12 [webservers]
    13 web01 ansible_ssh_host=172.16.1.183 ansible_ssh_port=22
    14 web02 ansible_ssh_host=172.16.1.184 ansible_ssh_port=22
    15 web03 ansible_ssh_host=172.16.1.185 ansible_ssh_port=22
    复制代码

    Ansible Vault 概述

    当我们写的 playbook 中涉及敏感信息,如:数据库账号密码;MQ账号密码;主机账号密码。这时为了防止这些敏感信息泄露,就可以使用 vault 进行加密。

    复制代码
     1 [yun@ansi-manager ~]$ ansible-vault -h
     2 Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]
     3 
     4 Options:
     5   --ask-vault-pass      ask for vault password
     6   -h, --help            show this help message and exit
     7   --new-vault-id=NEW_VAULT_ID
     8                         the new vault identity to use for rekey
     9   --new-vault-password-file=NEW_VAULT_PASSWORD_FILE
    10                         new vault password file for rekey
    11   --vault-id=VAULT_IDS  the vault identity to use
    12   --vault-password-file=VAULT_PASSWORD_FILES
    13                         vault password file
    14   -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
    15                         connection debugging)
    16   --version             show program's version number, config file location,
    17                         configured module search path, module location,
    18                         executable location and exit
    19 
    20  See 'ansible-vault <command> --help' for more information on a specific
    21 command.
    复制代码

    参数说明

    create:创建一个加密文件,在创建时会首先要求输入 Vault 密码,之后才能进入文件中编辑。

    decrypt:对 vault 加密的文件进行解密。

    edit:对 vault 加密文件进行编辑。

    encrypt:对提供的文件,进行 vault 加密。

    encrypt_string:对提供的字符串进行 vault 加密。

    rekey:对已 vault 加密的文件进行免密更改,需要提供之前的密码。

    view:查看已加密的文件,需要提供密码。

    Ansible Vault 交互式

    创建加密文件

    复制代码
     1 [yun@ansi-manager object06]$ pwd
     2 /app/ansible_info/object06
     3 [yun@ansi-manager object06]$ ansible-vault create test_vault.yml
     4 New Vault password: # 输入密码
     5 Confirm New Vault password: # 确认密码
     6 ---
     7 # vault test
     8 - hosts: proxyservers
     9 
    10   tasks:
    11     - name: "touch file"
    12       file:
    13         path: /tmp/with_itemstestfile
    14         state: touch
    15 
    16 [yun@ansi-manager object06]$ cat test_vault.yml   # 加密后查看
    17 $ANSIBLE_VAULT;1.1;AES256
    18 33663239636530353564393731363161623462386266613165326235353762343465653235396639
    19 6138353833366637383066366662666236666338333237610a303263336234303866623834663361
    20 39343633646434353334396162643063613964333337343336373232653266613264626564346566
    21 6262633334353036620a633136313364383536323531373164346436663739663631353166663434
    22 38663962363032643163333266633662376538383134333862373961313166656536353734363537
    23 30626261366138383864653834336637393230363466336662306138323032373361656566663231
    24 65363039393736326266316261383065363739633861646464373733643966333233343436303731
    25 37366130363064366337393837396664356335363738663130333436656238666233396466393137
    26 33306434343262313961393661313536386338383233303230613962663732323630663638313531
    27 3236636438646166643937613761396564373033623637636166
    复制代码

    对已加密的文件进行解密

    复制代码
     1 [yun@ansi-manager object06]$ ansible-vault decrypt test_vault.yml
     2 Vault password: 
     3 Decryption successful
     4 [yun@ansi-manager object06]$ 
     5 [yun@ansi-manager object06]$ cat test_vault.yml  # 解密后查看
     6 ---
     7 # vault test
     8 - hosts: proxyservers
     9 
    10   tasks:
    11     - name: "touch file"
    12       file:
    13         path: /tmp/with_itemstestfile
    14         state: touch
    复制代码

    对已存在文件进行加密

    复制代码
     1 [yun@ansi-manager object06]$ ansible-vault encrypt test_vault.yml
     2 New Vault password: 
     3 Confirm New Vault password: 
     4 Encryption successful
     5 [yun@ansi-manager object06]$ cat test_vault.yml 
     6 $ANSIBLE_VAULT;1.1;AES256
     7 37313964663164613434656666323265376465303433633438613032303733363136316235623066
     8 3930343836396537343333336432363732343936323937370a363239356233333634303464633539
     9 61613264363037313833363738623866643762666662646165646561343631646434383864373338
    10 6334333162616332320a353033323538643566666562646334623630343938646264663561316566
    11 35633939653166326631303635363533613338326561666663623238396464383363613738323464
    12 37306163663933323836316165666532336664353038303036383564346436633235373166663834
    13 62383464373632373839323562306163666366313738663234656139346130373031626265613830
    14 38373135616261616137326337633566306633343338306264646139396230613665356264353134
    15 37376636646266626236323663376230313964323034623133333539393131333065323964303030
    16 3139366661353732333961323764613332316535323334343939
    复制代码

    对已加密的文件进行编辑

    复制代码
     1 [yun@ansi-manager object06]$ ansible-vault edit test_vault.yml
     2 Vault password: 
     3 ---
     4 # vault test  ==
     5 - hosts: proxyservers
     6 
     7   tasks:
     8     - name: "touch file"
     9       file:
    10         path: /tmp/with_itemstestfile
    11         state: touch
    复制代码

    对已加密文件更改密码

    1 [yun@ansi-manager object06]$ ansible-vault rekey test_vault.yml
    2 Vault password: 
    3 New Vault password: 
    4 Confirm New Vault password: 
    5 Rekey successful

    对已加密文件进行查看

    复制代码
     1 [yun@ansi-manager object06]$ ansible-vault view test_vault.yml
     2 Vault password: 
     3 ---
     4 # vault test  ==
     5 - hosts: proxyservers
     6 
     7   tasks:
     8     - name: "touch file"
     9       file:
    10         path: /tmp/with_itemstestfile
    11         state: touch
    复制代码

    对提供的字符串进行加密

    复制代码
     1 [yun@ansi-manager object06]$ ansible-vault encrypt_string "111 222 333"
     2 New Vault password: 
     3 Confirm New Vault password: 
     4 !vault |
     5           $ANSIBLE_VAULT;1.1;AES256
     6           61343332386237363437623939633334626231613539353566313336306562373538633937363566
     7           6537336166356466666431663037623835643964366137340a336439313066356265666636383430
     8           36613661393232613134333961643936646164396130613663656237393837366566356631353061
     9           3034326337303932610a303232643464633239383563393836306565353835666431363132303835
    10           3635
    11 Encryption successful
    复制代码

    Ansible Vault 非交互式

    创建密码文件

    安全使用,记得使用 400 或 600 权限。

    1 [yun@ansi-manager object06]$ echo "111111" > vault_pwd
    2 [yun@ansi-manager object06]$ echo "123456" > vault_pwd2
    3 [yun@ansi-manager object06]$ ll vault_pwd*  # 权限 400
    4 -r-------- 1 yun yun 7 Aug 30 10:35 vault_pwd
    5 -r-------- 1 yun yun 7 Aug 30 10:39 vault_pwd2

    创建加密文件

    复制代码
     1 [yun@ansi-manager object06]$ ansible-vault create test_vault02.yml --vault-password-file=vault_pwd
     2 ---
     3 # vault test 2
     4 [yun@ansi-manager object06]$ cat test_vault02.yml 
     5 $ANSIBLE_VAULT;1.1;AES256
     6 34356364613864656136616365383361386635316332363861656334643230366136313333376366
     7 6638666536306162366263333037323231386365316238390a383139623435363738663832623533
     8 34666539393036383365333062333039643832616233623764613132303966396534616633326366
     9 6131313833383761620a383534363564393836306238666135656137623036386531653931623362
    10 30613036333161613235393539633233663136653566366266353232386230383434
    复制代码

    对已加密的文件进行解密

    1 [yun@ansi-manager object06]$ ansible-vault decrypt test_vault02.yml --vault-password-file=vault_pwd
    2 Decryption successful
    3 [yun@ansi-manager object06]$ cat test_vault02.yml 
    4 ---
    5 # vault test 2

    对已存在文件进行加密

    复制代码
     1 [yun@ansi-manager object06]$ ansible-vault encrypt test_vault02.yml --vault-password-file=vault_pwd
     2 Encryption successful
     3 [yun@ansi-manager object06]$ 
     4 [yun@ansi-manager object06]$ cat test_vault02.yml 
     5 $ANSIBLE_VAULT;1.1;AES256
     6 65653035393230366365363637343137636337663638346463303532623139353137366162396536
     7 3533393766313339393665386463613831323366623962650a643365653833636663653938613966
     8 39323037396635333236663239316431343461346562393731363537313865623534396533653931
     9 3638363937626635390a303962653366353138373139623237356637656230386565663364626438
    10 31613837383338323065346634323632396339323635323766386236623038616233
    复制代码

    对已加密的文件进行编辑

    1 [yun@ansi-manager object06]$ ansible-vault edit test_vault02.yml --vault-password-file=vault_pwd
    2 ---
    3 # vault test 2  ##

    对已加密文件更改密码

    1 [yun@ansi-manager object06]$ ansible-vault rekey test_vault02.yml --vault-password-file=vault_pwd --new-vault-password-file=vault_pwd2
    2 Rekey successful

    对已加密文件进行查看

    1 [yun@ansi-manager object06]$ ansible-vault view test_vault02.yml --vault-password-file=vault_pwd2
    2 ---
    3 # vault test 2  ##

    对提供的字符串进行加密

    复制代码
    1 [yun@ansi-manager object06]$ ansible-vault encrypt_string "test info" --vault-password-file=vault_pwd2
    2 !vault |
    3           $ANSIBLE_VAULT;1.1;AES256
    4           30313766613263363963316663623664353862623032323331356563626636646239636666343766
    5           6633363733303334373831303732326435396566313066630a373562633530333832613335393835
    6           34396161313862656466353433313835643030633966383032656561343331616234373831623233
    7           6636396135306436640a313531373835663633383665396139343464613861313034386365393137
    8           6133
    9 Encryption successful
    复制代码

    Playbook 使用 vault 文件

    复制代码
     1 # 其中 test_vault.yml 的 vault 密码为 vault_pwd 中的信息
     2 [yun@ansi-manager object06]$ ansible-vault view test_vault.yml --vault-password-file=vault_pwd
     3 ---
     4 # vault test  ==
     5 - hosts: proxyservers
     6 
     7   tasks:
     8     - name: "touch file"
     9       file:
    10         path: /tmp/with_itemstestfile
    11         state: touch
    12 
    13 [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key --syntax-check test_vault.yml --vault-password-file=vault_pwd  # 语法检测
    14 [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key -C test_vault.yml --vault-password-file=vault_pwd  # 预执行,测试执行
    15 [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key test_vault.yml --vault-password-file=vault_pwd  # 执行
    复制代码

    完毕!

  • 相关阅读:
    旅行,写作,编程
    Limu:JavaScript的那些书
    怎样花两年时间去面试一个人
    IE6之各种不适记录
    19位编程大师集锦
    开源中最好的Web开发资源汇总
    流行Linux和Windows脚本语言列表
    近来,一组名为“全球郁闷青年写真”的照片在网上热传...
    浏览器端技术体系概览 前端开发的七种武器
    这个世界从来没有任何一件工作叫“钱多、事少、离家近”
  • 原文地址:https://www.cnblogs.com/shetao/p/14338709.html
Copyright © 2020-2023  润新知