How to store ansible_become_pass in a vault and how to use it?
I am a newbie to ansible and I am using a very simple playbook to issue sudo apt-get update and sudo apt-get upgrade on a couple of servers.
This is the playbook I am using:
---
- name: Update Servers
  hosts: my-servers
  become: yes
  become_user: root
  tasks:
    - name: update packages
      apt: update_cache=yes
    - name: upgrade packages
      apt: upgrade=dist
and this is an extract from my ~/.ansible/inventory/hosts file:
[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass=<my_sudo_password_for_user_on_san-francisco>
san-diego ansible_host=san-diego ansible_ssh_user=user ansible_become_pass=<my_sudo_password_for_user_on_san-diego>
This is what I get if I launch the playbook:
$ ansible-playbook update-servers-playbook.yml
PLAY [Update Servers] **********************************************************
TASK [setup] *******************************************************************
ok: [san-francisco]
ok: [san-diego]
TASK [update packages] *********************************************************
ok: [san-francisco]
ok: [san-diego]
TASK [upgrade packages] ********************************************************
ok: [san-francisco]
ok: [san-diego]
PLAY RECAP *********************************************************************
san-francisco : ok=3 changed=0 unreachable=0 failed=0
san-diego : ok=3 changed=0 unreachable=0 failed=0
What is bothering me is the fact that I have the password for my user user stored in plaintext in my ~/.ansible/inventory/hosts file.
I have read about vaults, and I have also read about the best practices for variables and vaults, but I do not understand how to apply this to my very minimal use case.
I also tried to use lookups. In general they also work in the inventory file, and I am able to do something like this:
[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass="{{ lookup('env', 'ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO') }}"
where in this case the password would be stored in an environment variable called ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO; there is no way to look up variables in vaults as far as I know.
So, how could I organize my file such that I would be able to look up my passwords from somewhere and have them safely stored?
You need to create some vaulted variable files and then either include them in your playbooks or on the command line.
If you change your inventory file to use a variable for the become pass, this variable can be vaulted:
[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass='{{ sanfrancisco_become_pass }}'
san-diego ansible_host=san-diego ansible_ssh_user=user ansible_become_pass='{{ sandiego_become_pass }}'
Then use ansible-vault create vaulted_vars.yml to create a vaulted file with the following contents:
sanfrancisco_become_pass: <my_sudo_password_for_user_on_san-francisco>
sandiego_become_pass: <my_sudo_password_for_user_on_san-diego>
Then either include the vaulted file as extra vars like this:
ansible-playbook -i ~/.ansible/inventory/hosts playbook.yml --ask-vault-pass -e@~/.ansible/inventory/vaulted_vars.yml
Or include the vars file in your playbook with an include_vars task:
- name: include vaulted variables
  include_vars: ~/.ansible/inventory/vaulted_vars.yml
First set up an inventory with your own relevant settings. These settings assume that you have already set up an RSA key pair to access your server. You should be able to ssh into your server with ssh remoteuser@155.42.88.199
[local]
localhost ansible_connection=local
[remote]
155.42.88.199 ansible_connection=ssh ansible_user=remoteuser ansible_become_user=root ansible_become=yes ansible_ssh_private_key_file=<private_key_file_path>
You need to store your root password in a file (I called mine 'my_vault.yml'). You can do this with the following command:
~/.ansible$ ansible-vault create my_vault.yml
Simply store your remote server password as follows (do not include the '<>' tags):
su_password: <myreallyspecialpassword>
The password will now be encrypted by vault, and the only way to view it is to enter the following command:
~/.ansible$ ansible-vault edit my_vault.yml
We now need to include our 'my_vault.yml' file in our playbook. We can do this by using vars_files to get the value of su_password. We can now create a var titled ansible_become_pass which will be passed the value from our my_vault.yml file, which will allow our remoteuser to su once on the server.
---
- name: My Awesome Playbook
  hosts: remote
  become: yes
  vars_files:
    - ~/.ansible/my_vault.yml
  vars:
    ansible_become_pass: '{{ su_password }}'
  roles:
    - some_awesome_role
As we are using vault, each time we want to run this playbook we need to use the following command:
ansible-playbook myawesome_playbook.yml --ask-vault-pass
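Both answers above finish with --ask-vault-pass, which prompts interactively and so does not suit cron or CI runs. The script below is an added example, not code from either answer, showing the same vaulted_vars.yml / my_vault.yml flow done without a prompt: it creates a vault password file readable only by its owner, writes the become-password variables, encrypts the file in place with ansible-vault encrypt --vault-password-file, and verifies the $ANSIBLE_VAULT header that marks an encrypted file before it is used or committed. The scratch directory, file names and passwords are constructed placeholders, and the ansible-vault steps only run if the binary is on PATH.

```shell
#!/bin/sh
# Added example (not from either answer above): non-interactive ansible-vault workflow
# for the become password. Paths, variable names and passwords are constructed
# placeholders; the ansible-vault steps run only when the binary is on PATH.
set -eu

# An encrypted vault file starts with a header such as "$ANSIBLE_VAULT;1.1;AES256".
# Check this before committing anything that is supposed to be vaulted.
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Write the vault password to a file readable only by its owner. This file replaces
# the interactive --ask-vault-pass prompt; keep it out of version control.
write_vault_password_file() {
    # $1 = path to create, $2 = vault password
    ( umask 077 && printf '%s\n' "$2" > "$1" )
    # find -perm 600 prints the path only if the mode is exactly 0600
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# The plaintext variables file that will be encrypted in place (same layout as the
# vaulted_vars.yml from the first answer; the values are constructed placeholders).
write_become_vars() {
    cat > "$1" <<'EOF'
sanfrancisco_become_pass: "example-sf-sudo-password"
sandiego_become_pass: "example-sd-sudo-password"
EOF
}

demo() {
    work=$(mktemp -d)
    write_vault_password_file "$work/.vault_pass" "example-vault-password"
    write_become_vars "$work/vaulted_vars.yml"
    if ! command -v ansible-vault >/dev/null 2>&1; then
        echo "ansible-vault not installed; stopping before the encryption steps"
        return 0
    fi
    # Encrypt in place; no prompt because the password comes from the file.
    ansible-vault encrypt --vault-password-file "$work/.vault_pass" "$work/vaulted_vars.yml"
    if is_vaulted "$work/vaulted_vars.yml"; then
        echo "vaulted_vars.yml carries the \$ANSIBLE_VAULT header"
    else
        echo "ERROR: vaulted_vars.yml is still plaintext" >&2
        return 1
    fi
    # Read it back without writing a decrypted copy to disk.
    ansible-vault view --vault-password-file "$work/.vault_pass" "$work/vaulted_vars.yml"
    # To run the question's playbook unattended, pass the same password file
    # instead of --ask-vault-pass:
    #   ansible-playbook -i ~/.ansible/inventory/hosts update-servers-playbook.yml \
    #       --vault-password-file "$work/.vault_pass" -e "@$work/vaulted_vars.yml"
}

demo
```

The password file is the new secret: it only moves the trust boundary from the inventory file to a 0600 file on the control host, so treat it like an SSH private key (outside the repository, owned by the user or CI identity that runs the playbook). The header check is cheap and catches the common mistake of editing the file with a normal editor and saving it back in the clear.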
The best way to solve this problem is to use host_vars. The easiest setup is to just put the ansible_become_pass in Vault encrypted files in the corresponding host_vars directories like this:
myplaybook.yml
host_vars/onehost.com/crypted
host_vars/otherhost.com/crypted
In the crypted files you place the assignment of the ansible_become_pass variable:
ansible_become_pass: SuperSecre3t
Create the file with ansible-vault create, edit it with ansible-vault edit.
Following the advice in the Ansible docs you need to create an additional file per host that assigns ansible_become_pass from the crypted variable that has a different name. That way it is possible to search for ansible_become_pass in the project files.
myplaybook.yml
host_vars/onehost.com/plain
host_vars/onehost.com/crypted
host_vars/otherhost.com/plain
host_vars/otherhost.com/crypted
where a plain file contains something like this:
ansible_become_pass: "{{ vaulted_become_pass }}"
and the crypted file sets vaulted_become_pass as shown above.
All crypted files must be encrypted with the same key and ansible-playbook must be called with --ask-vault-pass.
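The plain/crypted layout above only protects the password if every crypted file really was encrypted and no literal ever slipped into a plain file or back into the inventory line the question started with. The script below is an added example, not part of the answer, of a check that can run as a pre-commit hook: it walks host_vars/ and group_vars/ (generalizing the per-host layout to group variables too), skips files that carry the $ANSIBLE_VAULT header, flags any unencrypted file that assigns a literal value to a key ending in pass or password (a Jinja reference such as "{{ vaulted_become_pass }}" is the intended pattern and passes), and flags inventory lines with a literal ansible_become_pass=. The sample tree it builds is constructed; directory and file names are assumptions following the layout above.

```shell
#!/bin/sh
# Added example (not from the answer above): audit host_vars/, group_vars/ and the
# inventory for become passwords stored in the clear. The sample tree built by
# build_sample_tree() is constructed; names are assumptions matching the layout above.
set -eu

# Encrypted vault files start with a header such as "$ANSIBLE_VAULT;1.1;AES256".
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# True if a YAML line assigns a literal value to a key ending in pass/password.
# A Jinja reference to another (vaulted) variable is the intended pattern and passes.
line_sets_literal_password() {
    case "$1" in
        *'{{'*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[A-Za-z0-9_]*(pass|password)[[:space:]]*:'
}

# True if an INI inventory line carries ansible_become_pass=<literal>.
inventory_line_leaks() {
    case "$1" in
        *ansible_become_pass=*'{{'*) return 1 ;;   # ansible_become_pass='{{ var }}' is fine
        *ansible_become_pass=*)      return 0 ;;
    esac
    return 1
}

# Report literal secrets in one vars file; returns 1 if any were found.
audit_vars_file() {
    if is_vaulted "$1"; then
        return 0
    fi
    frc=0
    while IFS= read -r line || [ -n "$line" ]; do
        if line_sets_literal_password "$line"; then
            echo "PLAINTEXT SECRET: $1: $line"
            frc=1
        fi
    done < "$1"
    return $frc
}

# Report inventory lines with an inline become password; returns 1 if any were found.
audit_inventory() {
    irc=0
    while IFS= read -r line || [ -n "$line" ]; do
        if inventory_line_leaks "$line"; then
            echo "PLAINTEXT SECRET: $1: $line"
            irc=1
        fi
    done < "$1"
    return $irc
}

# $1 = project root (contains host_vars/ and/or group_vars/), $2 = inventory file.
audit_project() {
    prc=0
    for d in "$1/host_vars" "$1/group_vars"; do
        [ -d "$d" ] || continue
        for f in $(find "$d" -type f); do      # assumes no whitespace in file names
            audit_vars_file "$f" || prc=1
        done
    done
    if [ -f "$2" ]; then
        audit_inventory "$2" || prc=1
    fi
    return $prc
}

# Constructed tree: one host done right, one whose crypted file was never actually
# encrypted, and an inventory that still carries an inline password for one host.
build_sample_tree() {
    root=$1
    mkdir -p "$root/host_vars/onehost.com" "$root/host_vars/otherhost.com" "$root/group_vars"
    printf 'ansible_become_pass: "{{ vaulted_become_pass }}"\n' > "$root/host_vars/onehost.com/plain"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3564\n' > "$root/host_vars/onehost.com/crypted"
    printf 'ansible_become_pass: "{{ vaulted_become_pass }}"\n' > "$root/host_vars/otherhost.com/plain"
    printf 'vaulted_become_pass: SuperSecre3t\n' > "$root/host_vars/otherhost.com/crypted"
    printf 'ntp_server: pool.ntp.org\n' > "$root/group_vars/all"
    printf '[my-servers]\nonehost.com ansible_become_pass=%s\notherhost.com ansible_become_pass=%s\n' \
        "'{{ vaulted_become_pass }}'" 'Plain-Text-Pass' > "$root/hosts"
}

demo() {
    root=$(mktemp -d)
    build_sample_tree "$root"
    if audit_project "$root" "$root/hosts"; then
        echo "clean"
    else
        echo "plaintext secrets found; refuse to commit"
    fi
}

demo
```

Wire audit_project into a pre-commit hook (or a CI job) with the repository root and inventory path, and fail the commit on a non-zero return; the header test is also the quickest way to confirm that every crypted file was saved through ansible-vault edit rather than a plain editor.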