Ansible 安全 之【加密主机清单】
为 ansible-vault 加密工具创建符号链接，使其在 PATH 中可以直接调用
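# Put ansible-vault on PATH for the whole system. Check the interpreter's copy
# exists first so a wrong prefix does not leave a dangling /usr/bin symlink,
# and pass -- so the paths can never be parsed as options.
# NOTE(review): /usr/bin is normally managed by the package manager; for a
# hand-installed python3 tool /usr/local/bin is the conventional location and
# avoids the link being clobbered by a distro ansible package later.
vault_bin=/usr/local/python3/bin/ansible-vault
[[ -x "$vault_bin" ]] || { printf 'missing executable: %s\n' "$vault_bin" >&2; exit 1; }
ln -s -- "$vault_bin" /usr/bin/ansible-vault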
使用 ansible-vault 加密主机清单配置文件，并设置 Vault 口令（口令是唯一的秘密，请使用足够长的随机口令）
# Encrypt the inventory in place: the file is rewritten as vault ciphertext
# (AES256, see the header shown by cat below) and no backup is kept.
# ansible-vault prompts twice for a passphrase; that passphrase is the whole
# secret, so anyone who can read the resulting file can try guesses offline.
# Vault only protects the file at rest — whoever holds the passphrase, or a
# shell as the user that runs ansible with it, still gets the plaintext.
inventory=/etc/ansible/hosts
ansible-vault encrypt "$inventory"
# New Vault password:
# Confirm New Vault password:
# Encryption successful
加密后直接用 cat 查看主机清单配置文件，只能看到密文（AES256），看不到明文；要读取或修改内容需用 ansible-vault view / edit 并输入口令。注意 Vault 只保护文件的静态内容：持有口令、或能以运行 ansible 的用户身份执行命令的人，仍然可以读到明文。
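# The file on disk is now ciphertext: the "$ANSIBLE_VAULT;1.1;AES256" header
# identifies the format and everything after it is hex-encoded ciphertext, so
# cat shows nothing useful. Read or change the contents with
# `ansible-vault view` / `ansible-vault edit`, which prompt for the passphrase.
cat /etc/ansible/hosts
# $ANSIBLE_VAULT;1.1;AES256
# 37333832643234663939653731373066323563313433316363326561656637633632333861393665
# 3165376463633262393935343831633131303831363733310a653865346365323137303661366536
# 35646135323865636138343365623464653032353164336335626263356266633038353134626663
# 6464633132313432300a646333333962663434633362373563386165363737653261313332646663
# 64316164333834303830306435343635376236666161623439623462326165663761356330623436
# 3561663564643235656165343464623939373862363735643162
# Encryption does not replace file permissions. Anyone who can read this file
# can attempt offline passphrase guessing, so confirm it is owned by, and
# readable only by, the account that runs ansible (chmod 0600 if it is not).
ls -l /etc/ansible/hosts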
命令行测试
# Without a vault secret the inventory file cannot be parsed. Ansible only
# WARNS about it: the run carries on with the implicit localhost, which does
# not match 'all', so nothing is executed anywhere. NOTE(review): the command
# appears to finish "successfully" in this state — check its exit status before
# relying on it in scripts, or a decryption failure goes unnoticed.
ansible all -a hostname
# [WARNING]: * Failed to parse /etc/ansible/hosts with yaml plugin: Attempting to decrypt but no vault secrets found
# [WARNING]: * Failed to parse /etc/ansible/hosts with ini plugin: Attempting to decrypt but no vault secrets found
# [WARNING]: Unable to parse /etc/ansible/hosts as an inventory source
# [WARNING]: No inventory was parsed, only implicit localhost is available
# [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
# With --ask-vault-pass ansible prompts for the passphrase and decrypts the
# inventory for this run only (-m command is the ad-hoc default, spelled out
# here). For unattended runs use --vault-password-file FILE or the
# ANSIBLE_VAULT_PASSWORD_FILE variable, with FILE owned by the ansible user,
# mode 0600 and kept out of version control; never put the passphrase itself
# on the command line, where `ps` and shell history would expose it.
ansible --ask-vault-pass -m command -a hostname all
# Vault password:
# 192.168.15.13 | CHANGED | rc=0 >>
# k8s-node-02
# 192.168.15.12 | CHANGED | rc=0 >>
# k8s-node-01
剧本测试
# Write the test playbook (its contents follow).
vim -- abc.yml
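# Minimal playbook used to check that the encrypted inventory is usable.
- hosts: all
  tasks:
    - name: hostname
      # `command` executes the binary directly with no shell in between;
      # `shell` is only needed for pipes, redirects or variable expansion and
      # is the module ansible-lint flags when a plain command will do.
      command: hostname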
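# Run the playbook without a vault secret: the inventory cannot be decrypted,
# ansible only warns, the play matches no hosts and is skipped.
ansible-playbook abc.yml
rc=$?   # capture the status before anything else runs; see the note below
# [WARNING]: * Failed to parse /etc/ansible/hosts with yaml plugin: Attempting to decrypt but no vault secrets found
# [WARNING]: * Failed to parse /etc/ansible/hosts with ini plugin: Attempting to decrypt but no vault secrets found
# [WARNING]: Unable to parse /etc/ansible/hosts as an inventory source
# [WARNING]: No inventory was parsed, only implicit localhost is available
# [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
# PLAY [all] ******************************************************************************************************************************************************************************
# skipping: no hosts matched
# PLAY RECAP ******************************************************************************************************************************************************************************
# NOTE(review): in this "no hosts matched" state the exit status appears to be
# 0 — a CI job would report success although nothing ran. Print it here so the
# reader can confirm, and make automation treat an empty inventory / failed
# decryption as a failure rather than a clean run.
printf 'ansible-playbook exit status: %s\n' "$rc"
# With the passphrase supplied interactively the inventory decrypts and the
# play runs on both nodes. For unattended runs prefer --vault-password-file FILE
# (owned by the ansible user, mode 0600, never committed) over typing the
# passphrase; never pass the passphrase itself as a command-line argument.
ansible-playbook --ask-vault-pass abc.yml
# Vault password:
# PLAY [all] ******************************************************************************************************************************************************************************
# TASK [Gathering Facts] ******************************************************************************************************************************************************************
# ok: [192.168.15.13]
# ok: [192.168.15.12]
# TASK [hostname] *************************************************************************************************************************************************************************
# changed: [192.168.15.13]
# changed: [192.168.15.12]
# PLAY RECAP ******************************************************************************************************************************************************************************
# 192.168.15.12 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
# 192.168.15.13 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0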