> Author: 丁辉

# Ansible Vault encryption

- Create a new encrypted file

```bash
ansible-vault create password.yml
```

> Example
>
> ```bash
> [root@offends]# ansible-vault create password.yml
> New Vault password: # enter the vault password
> Confirm New Vault password: # enter it again
> ```

- Encrypt an existing file in place

```bash
ansible-vault encrypt /etc/ansible/hosts
```

- Encrypt a single string (the output is a `!vault` block you can paste into a variables file; adding `--name user_password` prints it as a ready-to-use `key: value` pair)

```bash
ansible-vault encrypt_string 123456
```

- Edit an encrypted file (it is decrypted into a temporary editor session and re-encrypted on save)

```bash
ansible-vault edit password.yml
```

- Change the vault password of an encrypted file

```bash
ansible-vault rekey password.yml
```

- Decrypt a file in place (the plaintext is written back to disk; use `view` if you only need to read it)

```bash
ansible-vault decrypt password.yml
```

- View the plaintext of an encrypted file without decrypting it on disk

```bash
ansible-vault view password.yml
```

# Playbook usage

- Write a `demo.yml` playbook

```bash
vi demo.yml
```

```yml
---
- hosts: node1
  # Define variables. The value below is the output of `ansible-vault encrypt_string`
  # and can only be decrypted with the vault password that was used to create it.
  vars:
    user_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      36616162626462323130626563393433663637383166613262333433313534386561666531633837
      3663636662663363303463313662333064326537343563340a653566346636333633383163623662
      37386432626437636464386339316366346665383935336564623630333238353661666566343036
      3338613861393061320a626464306230626265656163613730303035613161616235373539613333
      6164

  tasks:
    - name: display variable from encryption variable
      ansible.builtin.debug:
        msg: The user password is {{ user_password }}
```

- Run the playbook and be prompted for the vault password. The debug task prints the decrypted value, which is fine for a demo but defeats the purpose in real playbooks; set `no_log: true` on tasks that handle secrets.

```bash
ansible-playbook demo.yml -v --ask-vault-pass
```

- Read the vault password from a file instead of prompting. The file must be readable only by the controller user. Note that Ansible runs a vault password file as a script if it is executable and takes its stdout as the password, so `chmod 600` also guards against that, and that `echo` leaves the password in your shell history (typing it into the file with an editor avoids this).

```bash
echo '<vault password>' > .pwdfile && chmod 600 .pwdfile
```

```bash
ansible-playbook demo.yml -v --vault-id .pwdfile
```

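To make the `$ANSIBLE_VAULT;1.1;AES256` blob above less of a black box, here is an added Python example (not part of the original article or of Ansible's own code) that parses the Vault 1.1 envelope and verifies a candidate password via its HMAC, using only the standard library. Vault 1.1 derives an 80-byte key block from the password with PBKDF2-HMAC-SHA256 (10,000 iterations, 32-byte random salt): bytes 0..31 are the AES-256-CTR key, 32..63 the HMAC-SHA256 key, 64..79 the CTR IV, and the HMAC is computed over the raw ciphertext. Checking the HMAC is enough to tell whether a password is right, which is exactly what an offline guessing attack on a leaked vault file does, so the strength of the vault password is the weakest link. The blob from `demo.yml` is used only to show the parsing (its password is not given on the page); `make_envelope` is a fixture helper that wraps an arbitrary byte string standing in for real ciphertext, since this example does not implement AES.

```python
"""Ansible Vault 1.1 envelope: parse it and verify a candidate password via the HMAC.

Added example, standard library only. It does not decrypt (no AES here); it
shows the on-disk structure and how cheap an offline password check is.
"""
import binascii
import hashlib
import hmac
import os

VAULT_MAGIC = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000            # fixed in ansible-core's VaultAES256
KEY_BLOCK_LEN = 32 + 32 + 16         # AES-256 key | HMAC-SHA256 key | 16-byte CTR IV

# The !vault value from demo.yml on this page, copied verbatim (its password is not given).
DEMO_VAULT_TEXT = """\
$ANSIBLE_VAULT;1.1;AES256
36616162626462323130626563393433663637383166613262333433313534386561666531633837
3663636662663363303463313662333064326537343563340a653566346636333633383163623662
37386432626437636464386339316366346665383935336564623630333238353661666566343036
3338613861393061320a626464306230626265656163613730303035613161616235373539613333
6164
"""


def parse_vault(text):
    """Return (version, cipher, salt, mac, ciphertext) from vault text."""
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    if len(header) < 3 or header[0] != VAULT_MAGIC:
        raise ValueError("not an Ansible Vault blob")
    version, cipher = header[1], header[2]   # a 4th field would be the vault-id label (format 1.2)
    if cipher != "AES256":
        raise ValueError("unsupported cipher: " + cipher)
    # Payload lines are hex wrapped at 80 columns; joining them and unhexlifying
    # once yields b"salt_hex\nhmac_hex\nciphertext_hex", each part hex-encoded again.
    envelope = binascii.unhexlify("".join(lines[1:]))
    salt_hex, mac_hex, ct_hex = envelope.split(b"\n", 2)
    return (version, cipher, binascii.unhexlify(salt_hex),
            binascii.unhexlify(mac_hex), binascii.unhexlify(ct_hex))


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), the same split VaultAES256 uses."""
    block = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                PBKDF2_ITERATIONS, KEY_BLOCK_LEN)
    return block[:32], block[32:64], block[64:]


def check_password(text, password):
    """True if *password* reproduces the stored HMAC over the ciphertext."""
    _, _, salt, mac, ciphertext = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def guess_password(text, candidates):
    """Offline dictionary check: the first candidate whose HMAC verifies, else None."""
    for candidate in candidates:
        if check_password(text, candidate):
            return candidate
    return None


def make_envelope(password, ciphertext, salt=None):
    """Wrap *ciphertext* in a Vault 1.1 envelope under *password*.

    Fixture helper only: *ciphertext* is any bytes; real vault data would be
    AES-256-CTR output over the PKCS7-padded plaintext."""
    salt = salt if salt is not None else os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join([binascii.hexlify(salt), binascii.hexlify(mac),
                        binascii.hexlify(ciphertext)])
    outer = binascii.hexlify(inner).decode("ascii")
    wrapped = "\n".join(outer[i:i + 80] for i in range(0, len(outer), 80))
    return f"{VAULT_MAGIC};1.1;AES256\n{wrapped}\n"


if __name__ == "__main__":
    version, cipher, salt, mac, ct = parse_vault(DEMO_VAULT_TEXT)
    print(f"demo.yml blob: vault {version} {cipher}, salt {len(salt)} B, "
          f"hmac {len(mac)} B, ciphertext {len(ct)} B")
    fixture = make_envelope("correct horse battery staple", b"\x00" * 16)
    print("right password verifies:", check_password(fixture, "correct horse battery staple"))
    print("dictionary hit:", guess_password(fixture, ["123456", "password",
                                                       "correct horse battery staple"]))
```

Run it directly to see the demo blob decomposed (32-byte salt, 32-byte HMAC, 16 bytes of ciphertext, i.e. one padded AES block for a short value like `123456`) and a fixture round-trip. Each `check_password` call costs one PBKDF2 run of 10,000 iterations, which is why a vault file that leaks from a repository or backup should be treated as crackable unless its password is long and random, and rekeyed promptly.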
# Encrypting user passwords

- Create the variables file

```bash
mkdir -p vars
vi vars/user_list.yml
```

```yml
user_hosts:
  - all
user_info:
  - user: demo
    # Quote the password so a purely numeric one is not parsed as an integer
    password: "123456"
    # The comment may contain non-ASCII text, but plain ASCII is safer
    comment: "hello"
```

- Create the playbook

```bash
vi user.yml
```

```yml
- hosts: "{{ user_hosts }}"
  # Load the variables file created above (it is the file that gets encrypted next)
  vars_files:
    - vars/user_list.yml
  tasks:
    - name: display variable from variable list
      ansible.builtin.debug:
        msg: |
          The username is "{{ item.user }}",
          the password is "{{ item.password }}",
          the comment is "{{ item.comment }}".
      loop: "{{ user_info }}"

    - name: create users
      ansible.builtin.user:
        name: "{{ item.user }}"
        # password_hash without a fixed salt picks a new random salt on every run,
        # so the task reports "changed" each time; pass a salt as the second
        # argument if you need the task to be idempotent
        password: "{{ item.password | password_hash('sha512') }}"
        comment: "{{ item.comment }}"
        state: present
      loop: "{{ user_info }}"
      become: yes
```

- Encrypt the variables file

```bash
ansible-vault encrypt vars/user_list.yml
```

- Run the playbook

```bash
ansible-playbook user.yml -v --ask-vault-pass
```

- Check that the user was created (the last line of `/etc/passwd` is the most recently added account, so it should be `demo`)

```bash
tail -n 1 /etc/passwd
```