
How to store ansible_become_pass in a vault and how to use it?

I am a newbie to ansible and I am using a very simple playbook to issue sudo apt-get update and sudo apt-get upgrade on a couple of servers.

This is the playbook I am using:

---

- name: Update Servers
  hosts: my-servers
  become: yes
  become_user: root
  tasks:
    - name: update packages
      apt: update_cache=yes

    - name: upgrade packages
      apt: upgrade=dist

and this is an extract from my ~/.ansible/inventory/hosts file:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass=<my_sudo_password_for_user_on_san-francisco>
san-diego     ansible_host=san-diego     ansible_ssh_user=user ansible_become_pass=<my_sudo_password_for_user_on_san-diego>

This is what I get if I launch the playbook:

$ ansible-playbook update-servers-playbook.yml

PLAY [Update Servers] **********************************************************

TASK [setup] *******************************************************************
ok: [san-francisco]
ok: [san-diego]

TASK [update packages] *********************************************************
ok: [san-francisco]
ok: [san-diego]

TASK [upgrade packages] ********************************************************
ok: [san-francisco]
ok: [san-diego]

PLAY RECAP *********************************************************************
san-francisco              : ok=3    changed=0    unreachable=0    failed=0   
san-diego                  : ok=3    changed=0    unreachable=0    failed=0

What is bothering me is the fact that I have the password for my user user stored in plaintext in my ~/.ansible/inventory/hosts file.

I have read about vaults, I have also read about the best practices for variables and vaults, but I do not understand how to apply this to my very minimal use case.

I also tried to use lookups. While in general they also work in the inventory file, and I am able to do something like this:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass="{{ lookup('env', 'ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO') }}"

where in this case the password would be stored in an environment variable called ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO; there is no way to look up variables in vaults as far as I know.

So, how could I organize my file such that I would be able to look up my passwords from somewhere and have them safely stored?

You need to create some vaulted variable files and then either include them in your playbooks or on the command line.

If you change your inventory file to use a variable for the become pass, this variable can be vaulted:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass='{{ sanfrancisco_become_pass }}'
san-diego     ansible_host=san-diego     ansible_ssh_user=user ansible_become_pass='{{ sandiego_become_pass }}'

Then use ansible-vault create vaulted_vars.yml to create a vaulted file with the following contents:

sanfrancisco_become_pass: <my_sudo_password_for_user_on_san-francisco>
sandiego_become_pass: <my_sudo_password_for_user_on_san-diego>

Then either include the vaulted file as extra vars like this:

ansible-playbook -i ~/.ansible/inventory/hosts playbook.yml --ask-vault-pass -e @~/.ansible/inventory/vaulted_vars.yml

Or include the vars file in your playbook with an include_vars task:

- name: include vaulted variables
  include_vars: ~/.ansible/inventory/vaulted_vars.yml

Set up an inventory with your own relevant settings. These settings assume that you have already set up an RSA key pair to access your server; you should be able to ssh into your server with ssh remoteuser@155.42.88.199:

[local]
localhost    ansible_connection=local

[remote]
155.42.88.199   ansible_connection=ssh    ansible_user=remoteuser ansible_become_user=root ansible_become=yes  ansible_ssh_private_key_file=<private_key_file_path>

You need to store your root password in a file (I called mine 'my_vault.yml'). You can do this with the following command:

~/.ansible$ ansible-vault create my_vault.yml

Simply store your remote server password as follows (do not include the '<>' tags):

su_password: <myreallyspecialpassword>

The password will now be encrypted by vault and the only way to view it is to enter the following command:

~/.ansible$ ansible-vault edit my_vault.yml

We now need to include our 'my_vault.yml' file in our playbook. We can do this by using vars_files to get the value of su_password. We can now create a var titled ansible_become_pass which will be passed the value from our my_vault.yml file, which will allow our remoteuser to su once on the server.

---
- name: My Awesome Playbook
  hosts: remote
  become: yes

  vars_files:
    - ~/.ansible/my_vault.yml

  vars:
    ansible_become_pass: '{{ su_password }}'

  roles:
      - some_awesome_role

As we are using vault, each time we want to run this playbook we need to use the following command:

ansible-playbook myawesome_playbook.yml --ask-vault-pass

The best way to solve this problem is to use host_vars. The easiest setup is to just put the ansible_become_pass in Vault encrypted files in the corresponding host_vars directories like this:

myplaybook.yml
host_vars/onehost.com/crypted
host_vars/otherhost.com/crypted

In the crypted files you place the assignment of the ansible_become_pass variable:

ansible_become_pass: SuperSecre3t

Create the file with ansible-vault create, edit it with ansible-vault edit.

Following the advice in the Ansible docs you need to create an additional file per host that assigns the ansible_become_pass from the crypted variable that has a different name. That way it is possible to search for the ansible_become_pass in the project files.

myplaybook.yml
host_vars/onehost.com/plain
host_vars/onehost.com/crypted
host_vars/otherhost.com/plain
host_vars/otherhost.com/crypted

where a plain file contains something like this:

ansible_become_pass: "{{ vaulted_become_pass }}"

and the crypted file sets the vaulted_become_pass like shown above.

All crypted files must be encrypted with the same key and ansible-playbook must be called with --ask-vault-pass.
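The answers above move the become password out of the inventory and into vault-encrypted files, but nothing stops a plaintext value from creeping back in. The following added example (my own code, not from any of the answers or from Ansible) is a small pre-commit style check over the layout the last answer describes: it flags literal ansible_become_pass values in an INI inventory, literal values in a host_vars plain file, and crypted files that lack the ansible-vault envelope header. The inventory text and host_vars contents below are constructed samples; the helper names are my own.

```python
"""Added example: detect plaintext become passwords in an Ansible project
laid out as inventory + host_vars/<host>/{plain,crypted}. Not project code."""
import re
from typing import Dict, List

# Every ansible-vault encrypted file starts with this envelope header.
VAULT_HEADER = "$ANSIBLE_VAULT;"
# ansible_become_pass=<value> on an INI inventory line; the value may be quoted.
BECOME_RE = re.compile(r"ansible_become_pass=(?P<val>'[^']*'|\"[^\"]*\"|\S+)")
# A value that is only a Jinja reference ('{{ some_var }}') is fine: the secret lives elsewhere.
TEMPLATE_RE = re.compile(r"^\s*['\"]?\{\{.*\}\}['\"]?\s*$")


def find_plaintext_become_pass(inventory_text: str) -> List[str]:
    """Return the host names whose inventory line carries a literal ansible_become_pass."""
    offenders = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):  # skip blanks, comments, group headers
            continue
        m = BECOME_RE.search(line)
        if m and not TEMPLATE_RE.match(m.group("val")):
            offenders.append(line.split()[0])
    return offenders


def check_host_vars(files: Dict[str, str]) -> List[str]:
    """files maps path -> contents. A 'crypted' file must be vault-encrypted;
    a 'plain' file may only reference a variable, never hold the password itself."""
    problems = []
    for path, body in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == "crypted" and not body.startswith(VAULT_HEADER):
            problems.append(f"{path}: not vault-encrypted")
        if name == "plain":
            for key, _, val in (l.partition(":") for l in body.splitlines() if ":" in l):
                if key.strip() == "ansible_become_pass" and not TEMPLATE_RE.match(val):
                    problems.append(f"{path}: literal ansible_become_pass")
    return problems


# Constructed samples: the question's inventory style vs. the variable-based one.
BAD_INVENTORY = "[my-servers]\nsan-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass=hunter2\n"
GOOD_INVENTORY = "[my-servers]\nsan-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass='{{ sanfrancisco_become_pass }}'\n"
SAMPLE_HOST_VARS = {
    "host_vars/onehost.com/plain": 'ansible_become_pass: "{{ vaulted_become_pass }}"\n',
    "host_vars/onehost.com/crypted": "$ANSIBLE_VAULT;1.1;AES256\nPLACEHOLDER_HEX_BODY\n",
    "host_vars/otherhost.com/crypted": "vaulted_become_pass: SuperSecre3t\n",  # someone forgot to vault it
}

if __name__ == "__main__":
    print(find_plaintext_become_pass(BAD_INVENTORY), check_host_vars(SAMPLE_HOST_VARS))
```

Run it over the real inventory and a dict built from the host_vars tree (for example from a pre-commit hook) and fail the commit when either function returns a non-empty list.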
