Managing Secrets and Facts
I. Managing Secrets
- Goal: encrypt sensitive variables with Ansible Vault and run a playbook that uses vault-encrypted variable files.
- Ansible may need access to sensitive data such as passwords or API keys in order to configure hosts.
- Encryption/decryption tool: the ansible-vault command. Ansible Vault does not implement its own cryptographic primitives; it relies on an external Python toolkit.
1. Encrypting files
Command: ansible-vault create filename
Creating a new encrypted file
[root@ansible ansible]# cat inventory
[apache]
192.168.47.129 ansible_user=root ansible_password=1
[wjj]
[root@ansible ansible]# ansible-vault create group_vars/wjj // create the encrypted file
New Vault password: // enter the chosen password
Confirm New Vault password: // enter it again
[root@ansible ansible]# cat group_vars/wjj
$ANSIBLE_VAULT;1.1;AES256
Encrypting an existing file
[root@ansible ansible]# ansible-vault encrypt group_vars/wjj
New Vault password: // enter the password to encrypt with
Confirm New Vault password:
Encryption successful
[root@ansible ansible]# cat group_vars/wjj
$ANSIBLE_VAULT;1.1;AES256
Creating an encrypted file while keeping the password in a password file
The password file must already contain the password.
[root@apache ~]# openssl rand -base64 50 // generate a random password (50 random bytes, base64-encoded)
bVQiRIUkUIr8Bam+LHTWHFW+AE92l2WtiSrqExg1IkbTevSu8GPjTtwJscXKNO02
C14=
[root@ansible ansible]# vim .jjjjj // create a hidden file holding the password
123
[root@ansible ansible]# ansible-vault view --vault-password-file=.jjjjj group_vars/wjj // view the encrypted file directly; with the password in a file there is no prompt
password:wangjingjing
[root@ansible ansible]# ansible-vault decrypt --vault-password-file=.jjjjj group_vars/wjj
Decryption successful // decrypted
Encrypt again with the new password file
[root@ansible ansible]# vim .jjjjj
[root@ansible ansible]# ansible-vault encrypt --vault-password-file=.jjjjj group_vars/wjj
Encryption successful
2. Viewing an encrypted file
Command to view a file: ansible-vault view filename
[root@ansible ansible]# ansible-vault view group_vars/wjj
Vault password:
passwd:wangjingjing
3. Editing an encrypted file
Command: ansible-vault edit filename
[root@ansible ansible]# ansible-vault edit group_vars/wjj
Vault password:
4. Decrypting a file
Command to decrypt a file: ansible-vault decrypt filename
[root@ansible ansible]# ansible-vault decrypt group_vars/wjj
Vault password:
Decryption successful
[root@ansible ansible]# cat group_vars/wjj
passwd:wangjingjing
5. Changing the password of an encrypted file
Command: ansible-vault rekey filename
Several files can be rekeyed in one run.
[root@ansible ansible]# ansible-vault rekey group_vars/wjj
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
Rekey with a new password file
[root@ansible ansible]# vim .wwwww
[root@ansible ansible]# ansible-vault rekey --vault-password-file=.jjjjj --new-vault-password-file=.wwwww group_vars/wjj // rekey changes the vault password only; the content of wjj stays the same
Rekey successful
[root@ansible ansible]# ansible-vault view --vault-password-file=.wwwww group_vars/wjj
password:wangjingjing
6. Running a playbook that uses encrypted files
Using encrypted content in a playbook
// encrypt the username and password of the account normally used to connect
[root@ansible ansible]# cat group_vars/webservers
ansible_user: root
ansible_password: wangjingjing
[root@ansible ansible]# ansible-vault encrypt --vault-password-file=.wwwww group_vars/webservers // encrypt
Encryption successful
[root@ansible ansible]# ansible 192.168.47.129 -m ping --vault-password-file=.wwwww
192.168.47.129 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
[root@ansible ansible]# ansible-vault encrypt --vault-password-file=.wwwww group_vars/webservers
Encryption successful
[root@ansible ansible]# ansible all -m ping
192.168.47.129 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
Running the encrypted playbook
[root@ansible ansible]# > group_vars/webservers // empty the file to remove the credentials
[root@ansible ansible]# cat group_vars/webservers
[root@ansible ansible]# cat playbook/test.yml
---
- hosts: "192.168.47.129"
  gather_facts: no
  vars_files:
    - vars/users.yml
  tasks:
    - name: create user {{ user }}
      user:
        name: "{{ user }}"
        state: present
[root@ansible ansible]# ansible-vault create --vault-password-file=.wwwww playbook/vars/users.yml // create users.yml as an encrypted file
[root@ansible ansible]# ansible-playbook --vault-password-file=.wwwww playbook/test.yml
PLAY [192.168.47.129] **********************************************************
TASK [create user wj] **********************************************************
changed: [192.168.47.129]
PLAY RECAP *********************************************************************
192.168.47.129 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@apache ~]# id wj
uid=1002(wj) gid=1002(wj) 组=1002(wj)
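A pre-run hygiene check for the layout used above, added here as an example (not code from the original post or from Ansible itself): it flags files under group_vars/ or host_vars/ that hold a credential key without the $ANSIBLE_VAULT header, and confirms that the vault password file (like .wwwww above) is readable only by its owner. The temporary project tree, the hex body of the vaulted file and the file names are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Envelope header written by ansible-vault: format 1.1, or 1.2 with a vault id, cipher AES256.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[^;\s]+)?$")
# Keys that must never sit in cleartext in a vars file.
CRED_KEY = re.compile(r"^\s*(ansible_password|ansible_become_password|password|passwd)\s*:", re.M)

def is_vaulted(text: str) -> bool:
    """True when the first line is a valid $ANSIBLE_VAULT envelope header."""
    return VAULT_HEADER.match(text.split("\n", 1)[0].rstrip()) is not None

def find_plaintext_secrets(vars_dir: str) -> list:
    """Files below vars_dir that contain a credential key but are not vault-encrypted."""
    hits = []
    for root, _dirs, files in os.walk(vars_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if CRED_KEY.search(text) and not is_vaulted(text):
                hits.append(os.path.relpath(path, vars_dir))
    return sorted(hits)

def password_file_ok(path: str) -> bool:
    """The --vault-password-file must be a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0

def demo() -> tuple:
    """Constructed project tree mirroring the page: one cleartext and one vaulted vars file."""
    base = tempfile.mkdtemp()
    gv = os.path.join(base, "group_vars")
    os.mkdir(gv)
    with open(os.path.join(gv, "webservers"), "w") as fh:  # cleartext, as before 'ansible-vault encrypt'
        fh.write("ansible_user: root\nansible_password: wangjingjing\n")
    with open(os.path.join(gv, "wjj"), "w") as fh:  # real header, constructed hex body (not a real ciphertext)
        fh.write("$ANSIBLE_VAULT;1.1;AES256\n" + "31363831" * 10 + "\n")
    pwfile = os.path.join(base, ".wwwww")
    with open(pwfile, "w") as fh:
        fh.write("123\n")
    os.chmod(pwfile, 0o644)  # world-readable: must fail the check
    loose = password_file_ok(pwfile)
    os.chmod(pwfile, 0o600)  # owner-only: passes
    return find_plaintext_secrets(gv), loose, password_file_ok(pwfile)

if __name__ == "__main__":
    print(demo())  # (['webservers'], False, True)
```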
II. Managing Facts
Facts include: host name, kernel version, network interfaces, IP addresses, operating system version, environment variables, CPU count, memory installed or available, and free disk space.
1. Ways to obtain facts
From the command line:
Use the setup module to show all facts
[root@ansible ansible]# ansible 192.168.47.129 -m setup|less // view the host's facts
192.168.47.129 | SUCCESS => {
"ansible_facts": {
"ansible_all_ipv4_addresses": [
"192.168.47.129",
"192.168.122.1"
],
"ansible_all_ipv6_addresses": [
"fe80::20c:29ff:fef6:d306"
],
"ansible_apparmor": {
"status": "disabled"
},
"ansible_architecture": "x86_64",
"ansible_bios_date": "07/29/2019",
From a playbook:
[root@ansible ansible]# vim playbook/test.yml
[root@ansible ansible]# cat playbook/test.yml
---
- hosts: "192.168.47.129"
  tasks:
    - name: waou
      debug:
        var: ansible_facts   # all facts; a subset can be selected with ansible_facts['key'], e.g. ansible_facts['all_ipv4_addresses']
[root@ansible ansible]# ansible-playbook playbook/test.yml
PLAY [192.168.47.129] **********************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.47.129]
TASK [waou] ********************************************************************
ok: [192.168.47.129] => {
"ansible_facts": {
"all_ipv4_addresses": [
"192.168.47.129",
Examples of Ansible facts
Fact | ansible_facts form |
---|---|
Short host name | ansible_facts['hostname'] |
Fully qualified domain name | ansible_facts['fqdn'] |
IPv4 address | ansible_facts['default_ipv4']['address'] |
List of all network interface names | ansible_facts['interfaces'] |
Size of the /dev/vda1 disk partition | ansible_facts['devices']['vda']['partitions']['vda1']['size'] |
List of DNS servers | ansible_facts['dns']['nameservers'] |
Currently running kernel version | ansible_facts['kernel'] |
Note: an fqdn looks like localhost.example.com
Using facts in a playbook: Ansible replaces the fact variable name with its value at run time:
[root@ansible ansible]# vim playbook/test.yml
[root@ansible ansible]# cat playbook/test.yml
---
- hosts: "192.168.47.129"
  tasks:
    - name: waou
      debug:
        msg: >
          The host named {{ ansible_facts['fqdn'] }} 的
          ip is {{ ansible_facts['default_ipv4']['address'] }}
[root@ansible ansible]# ansible-playbook playbook/test.yml
PLAY [192.168.47.129] **********************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.47.129]
TASK [waou] ********************************************************************
ok: [192.168.47.129] => {
"msg": "The host named apache 的 ip is 192.168.47.129\n"
}
PLAY RECAP *********************************************************************
192.168.47.129 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Old-style fact variables:
[root@ansible ansible]# vim playbook/test.yml
[root@ansible ansible]# cat playbook/test.yml
---
- hosts: "192.168.47.129"
  tasks:
    - name: waou
      debug:
        msg: >
          The host named {{ ansible_fqdn }} 的
          ip is {{ ansible_facts['default_ipv4']['address'] }}
[root@ansible ansible]# ansible-playbook playbook/test.yml
PLAY [192.168.47.129] **********************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.47.129]
TASK [waou] ********************************************************************
ok: [192.168.47.129] => {
"msg": "The host named apache.example.com 的 ip is 192.168.47.129\n"
}
PLAY RECAP *********************************************************************
192.168.47.129 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
// Turn off the old-style fact variables
[root@ansible ansible]# vim ansible.cfg
# ansible_facts.
inject_facts_as_vars = False
2. Disabling fact gathering
Turning off fact gathering speeds up execution and reduces the load the play puts on managed hosts; it is also necessary when a managed host cannot run the setup module for some reason.
---
- hosts: "192.168.47.129"
  gather_facts: no
  vars_files:
    - vars/users.yml
  tasks:
    - name: create user {{ user }}
      user:
        name: "{{ user }}"
        state: present
3. Creating custom facts
By default, the setup module loads custom facts from the files and scripts in the /etc/ansible/facts.d directory of each managed host.
To define custom facts, create files in /etc/ansible/facts.d on the managed host; a file is only picked up if its name ends in .fact.
A static custom fact file written in INI format
[root@apache ~]# mkdir -p /etc/ansible/facts.d
[root@apache ~]# cd /etc/ansible/facts.d
[root@apache facts.d]# vi wjj.fact
[root@apache facts.d]# cat wjj.fact
[packages]
web_package = httpd
db_package = mariadb-server
[users]
user1 = joe
user2 = jane
Custom facts are stored by the setup module in the ansible_facts.ansible_local variable.
[root@ansible ansible]# ansible 192.168.47.129 -m setup|less
"ansible_local": {
"wjj": {
"packages": {
"db_package": "mariadb-server",
"web_package": "httpd"
},
"users": {
"user1": "joe",
"user2": "jane"
Custom facts are used in a playbook the same way as default facts:
[root@ansible ansible]# vim playbook/test.yml
[root@ansible ansible]# cat playbook/test.yml
---
- hosts: "192.168.47.129"
  tasks:
    - name: waou
      debug:
        var: ansible_facts['ansible_local']
[root@ansible ansible]# ansible-playbook playbook/test.yml
PLAY [192.168.47.129] **********************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.47.129]
TASK [waou] ********************************************************************
ok: [192.168.47.129] => {
"ansible_facts['ansible_local']": {
"wjj": {
"packages": {
"db_package": "mariadb-server",
"web_package": "httpd"
},
"users": {
"user1": "joe",
"user2": "jane"
}
}
}
}
PLAY RECAP *********************************************************************
192.168.47.129 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
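How the setup module turns the facts.d directory into ansible_facts.ansible_local, written out as an added example (not Ansible's own code): the file name minus .fact becomes the top-level key, JSON content is tried first and INI sections become nested dicts otherwise, and only *.fact files count. The temporary directory, the site.fact JSON file and the README file are constructed for the demo; executable fact scripts, which setup would run for their JSON output, are skipped here rather than executed.

```python
import configparser
import json
import os
import tempfile

def parse_fact_file(text: str) -> dict:
    """JSON first; otherwise each INI section becomes a nested dict of its options."""
    try:
        return json.loads(text)
    except ValueError:
        cp = configparser.ConfigParser()
        cp.read_string(text)
        return {sect: dict(cp.items(sect)) for sect in cp.sections()}

def load_local_facts(facts_dir: str) -> dict:
    """Build the ansible_local dict: one key per *.fact file, named after the file."""
    local = {}
    if not os.path.isdir(facts_dir):
        return local
    for name in sorted(os.listdir(facts_dir)):
        if not name.endswith(".fact"):
            continue  # other files in facts.d are ignored
        path = os.path.join(facts_dir, name)
        if os.access(path, os.X_OK):
            continue  # setup would execute it and parse its JSON output; not run here
        with open(path, encoding="utf-8") as fh:
            local[name[:-len(".fact")]] = parse_fact_file(fh.read())
    return local

# The wjj.fact file from the page, reproduced as a constant for the demo.
WJJ_FACT = """[packages]
web_package = httpd
db_package = mariadb-server

[users]
user1 = joe
user2 = jane
"""

def demo() -> dict:
    """Constructed facts.d holding the page's wjj.fact plus a JSON-format fact file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "wjj.fact"), "w") as fh:
        fh.write(WJJ_FACT)
    with open(os.path.join(d, "site.fact"), "w") as fh:  # constructed JSON fact
        fh.write('{"env": "lab", "tier": 2}')
    with open(os.path.join(d, "README"), "w") as fh:  # wrong suffix: ignored
        fh.write("not a fact")
    return load_local_facts(d)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```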
4. Using magic variables (host variables)
Rarely needed in practice.
Official docs: https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
Magic variable | Description |
---|---|
hostvars | Contains the variables of the managed hosts and can be used to read another managed host's variables. If facts have not yet been gathered for a host, its facts are not included |
group_names | Lists all groups the current managed host belongs to |
groups | Lists all groups and hosts in the inventory |
inventory_hostname | Contains the host name of the current managed host as configured in the inventory. For various reasons it may differ from the host name reported by facts |
[root@ansible ansible]# ansible 192.168.47.129 -m debug -a 'var=hostvars["localhost"]' // show the control node's own variables
192.168.47.129 | SUCCESS => {
"hostvars[\"localhost\"]": {
"ansible_check_mode": false,
"ansible_connection": "local",
"ansible_diff_mode": false,
"ansible_facts": {},
"ansible_forks": 5,
"ansible_inventory_sources": [
"/etc/ansible/inventory"
],
"ansible_local": {},
"ansible_playbook_python": "/usr/bin/python3.6",
"ansible_python_interpreter": "/usr/bin/python3.6",
"ansible_verbosity": 0,
"ansible_version": {