playbook 管理变量 机密
1.通过inventory定义变量
//在清单文件里定义变量 (不推荐)
[root@localhost opt]# ls
ansible.cfg inventory playbook
[root@localhost opt]# vim inventory
[httpd]
192.168.200.147
[mysql]
192.168.200.145
[php]
192.168.200.146
# parent group made up of the three groups above
[lamp:children]
httpd
mysql
php
# group variables: `user` is visible to every host in lamp (all three hosts,
# as the user.yml run below shows)
[lamp:vars]
user=lol
//写个playbook引用变量
[root@localhost opt]# vim playbook/user.yml
---
# Create the account named by the inventory variable `user` ([lamp:vars])
# on every host of the lamp group.
- hosts: lamp
  tasks:
    - name: create user
      user:
        state: present
        name: "{{ user }}"
[root@localhost opt]# ansible-playbook playbook/user.yml
PLAY [lamp] ********************************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.200.147]
ok: [192.168.200.145]
ok: [192.168.200.146]
TASK [create user] *************************************************************
ok: [192.168.200.145]
changed: [192.168.200.147]
changed: [192.168.200.146]
PLAY RECAP *********************************************************************
192.168.200.145 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.200.146 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.200.147 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
2.通过host_vars和group_vars定义变量
//创建host_vars和group_vars目录
[root@localhost opt]# mkdir host_vars
[root@localhost opt]# mkdir group_vars
//在host_vars目录里创建一个192.168.200.147的文件指定变量
[root@localhost opt]# vim host_vars/192.168.200.147
# host_vars/192.168.200.147 — the file name must match the inventory host
# name; the variable applies to this host only and is read by
# playbook/test.yml as {{ package }}.
package: git
//写个playbook引用变量
[root@localhost opt]# vim playbook/test.yml
---
# Install the package named by host_vars/192.168.200.147 (`package`).
- hosts: 192.168.200.147
  tasks:
    - name: install package
      yum:
        state: present
        name: "{{ package }}"
[root@localhost opt]# ansible-playbook playbook/test.yml
PLAY [192.168.200.147] *********************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.200.147]
TASK [install package] *********************************************************
changed: [192.168.200.147]
PLAY RECAP *********************************************************************
192.168.200.147 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
//在被控主机上查看
[root@www ~]# rpm -qa | grep git
crontabs-1.11-16.20150630git.el8.noarch
git-2.27.0-1.el8.x86_64
dracut-config-rescue-049-70.git20200228.el8.x86_64
libnsl2-1.2.0-2.20180605git4a062cf.el8.x86_64
git-core-doc-2.27.0-1.el8.noarch
dracut-squash-049-70.git20200228.el8.x86_64
dracut-network-049-70.git20200228.el8.x86_64
dracut-049-70.git20200228.el8.x86_64
crypto-policies-20191128-2.git23e1bf1.el8.noarch
git-core-2.27.0-1.el8.x86_64
audit-libs-3.0-0.17.20191104git1c2f876.el8.x86_64
audit-3.0-0.17.20191104git1c2f876.el8.x86_64
linux-firmware-20191202-97.gite8a0f4c9.el8.noarch
//在group_vars目录里创建一个mysql的文件指定变量
[root@localhost opt]# vim group_vars/mysql
# group_vars/mysql — applies to every host in the inventory group [mysql];
# read by playbook/test.yml as {{ package }}.
package: httpd
//写个playbook引用变量
[root@localhost opt]# vim playbook/test.yml
---
# Install the package named by group_vars/mysql (`package`) on the mysql group.
- hosts: mysql
  tasks:
    - name: install package
      yum:
        state: present
        name: "{{ package }}"
[root@localhost opt]# ansible-playbook playbook/test.yml
PLAY [mysql] *******************************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.200.145]
TASK [install package] *********************************************************
changed: [192.168.200.145]
PLAY RECAP *********************************************************************
192.168.200.145 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
//被控主机查看
[root@localhost ~]# rpm -qa |grep http
centos-logos-httpd-85.8-1.el8.noarch
libnghttp2-1.33.0-1.el8_0.1.x86_64
httpd-tools-2.4.37-39.module_el8.4.0+778+c970deab.x86_64
mod_http2-1.15.7-3.module_el8.4.0+778+c970deab.x86_64
httpd-filesystem-2.4.37-39.module_el8.4.0+778+c970deab.noarch
httpd-2.4.37-39.module_el8.4.0+778+c970deab.x86_64
3.通过playbook里的vars,vars_files定义变量
//使用vars来定义变量
[root@localhost opt]# vim playbook/test.yml
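---
# Add an /etc/hosts entry built from play-level `vars`.
- hosts: httpd
  vars:
    ip: 192.168.200.111
    # `name` is a reserved play keyword and ansible-playbook warns
    # "Found variable using reserved name: name" (see the vars_files run
    # below), so the alias is stored under a non-reserved key.
    host_alias: web
  tasks:
    - name: add hosts entry
      lineinfile:
        path: /etc/hosts
        line: "{{ ip }} {{ host_alias }}"
        state: present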
[root@localhost opt]# ansible-playbook playbook/test.yml
PLAY [httpd] *******************************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.200.147]
TASK [lineinfile] **************************************************************
changed: [192.168.200.147]
PLAY RECAP *********************************************************************
192.168.200.147 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
//查看受控主机
[root@www ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.111 web
//编写vars_files来定义变量
[root@localhost playbook]# vim vars.yml
# Loaded by test.yml through vars_files.
ip: 192.168.200.222
# NOTE: `name` collides with a reserved Ansible keyword; the run below warns
# "Found variable using reserved name: name". Rename it here together with
# the {{ name }} reference in test.yml.
name: zzz
[root@localhost playbook]# vim test.yml
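---
# Add an /etc/hosts entry built from variables loaded from a file.
- hosts: httpd
  # vars_files is a list of variable files; write it in list form.
  # The path must be consistent with the directory ansible-playbook is run from.
  vars_files:
    - playbook/vars.yml
  tasks:
    - name: add hosts entry
      lineinfile:
        path: /etc/hosts
        # `name` (from vars.yml) is a reserved keyword and triggers the
        # "Found variable using reserved name: name" warning; rename it in
        # vars.yml and here.
        line: "{{ ip }} {{ name }}"
        state: present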
[root@localhost opt]# ansible-playbook test.yml
[WARNING]: Found variable using reserved name: name
PLAY [httpd] *******************************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.200.147]
TASK [lineinfile] **************************************************************
changed: [192.168.200.147]
PLAY RECAP *********************************************************************
192.168.200.147 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
//受控主机查看
[root@www ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.147 www.192.168.200.147.com
192.168.200.111 web
192.168.200.222 zzz
4.通过命令来定义变量
//清单变量可被playbook中设置的变量覆盖,这两种变量又可通过在命令行中传递参数到ansible或ansible-playbook命令来覆盖。在命令行上设置的变量称为额外变量。
当需要覆盖一次性运行的playbook的变量的已定义值时,额外变量非常有用
ansible-playbook main.yml -e "package=apache2"
5.通过register注册变量
//编写一个使用register的playbook
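---
# Capture a command's output with `register` and reuse it in a later task.
- hosts: httpd
  tasks:
    - name: run command and register its result
      command: "echo woshicaiaochentadie"
      register: result
    - name: write registered stdout to a file
      # `result['stdout']` is expanded into a shell command line; pass it
      # through the `quote` filter so shell metacharacters in the captured
      # output cannot alter the command (the original interpolation was
      # unquoted). Writing the value with the copy module's `content`
      # would avoid the shell entirely.
      shell: "echo {{ result['stdout'] | quote }} > /root/zzz"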
[root@localhost opt]# ansible-playbook playbook/test.yml
PLAY [httpd] *******************************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.200.147]
TASK [command] *****************************************************************
changed: [192.168.200.147]
TASK [shell] *******************************************************************
changed: [192.168.200.147]
PLAY RECAP *********************************************************************
192.168.200.147 : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
//被控主机查看
[root@www ~]# cat zzz
woshicaiaochentadie
6.机密管理
Ansible可能需要访问密码或API密钥等敏感数据,以便能配置受管主机。通常,此信息可能以纯文本形式存储在清单变量或其他Ansible文件中。但若如此,任何有权访问Ansible文件的用户或存储这些Ansible文件的版本控制系统都能够访问此敏感数据。这显然存在安全风险。
Ansible提供的Ansible Vault可以加密和解密任何由Ansible使用的结构化数据文件。若要使用Ansible Vault,可通过一个名为ansible-vault的命令行工具创建、编辑、加密、解密和查看文件。Ansible Vault可以加密任何由Ansible使用的结构化数据文件。这可能包括清单变量、playbook中含有的变量文件、在执行playbook时作为参数传递的变量文件,或者Ansible角色中定义的变量。
//创建加密文件
[root@localhost opt]# ansible-vault create abc.yml
New Vault password: 123
Confirm New Vault password: 123
//我们还可以用vault密码文件来存储vault密码,而不是通过标准输入途径输入vault密码。由于该文件以明文保存vault密码,必须通过文件权限和其他方式来严密保护该文件
[root@localhost opt]#vim vault-pass
123
[root@localhost opt]# ansible-vault create --vault-password-file=vault-pass zzz.yml
//查看加密文件
[root@localhost opt]# ansible-vault view abc.yml
Vault password: 123
zzzz
//使用密码文件查看文件
[root@localhost opt]# ansible-vault view --vault-password-file=vault-pass zzz.yml
abc
//编辑现有的加密文件
[root@localhost opt]# ansible-vault edit abc.yml
Vault password: 123
zzzz
asdadlkadja
sdjkahdkajd
jshdkahdas
//加密现有文件
[root@localhost opt]# ansible-vault encrypt bbb.yml
New Vault password: 123
Confirm New Vault password: 123
Encryption successful
//更改加密文件的密码
[root@localhost opt]# ansible-vault rekey bbb.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
//使用vault密码文件更改加密文件的密码
[root@localhost opt]# ansible-vault rekey --new-vault-password-file=vault-pass bbb.yml
Vault password:
Rekey successful