Ansible playbook Vault 加密

Ansible playbook Vault 加密详解与使用案例

主机规划

添加用户账号

说明：

1、 运维人员使用的登录账号；

2、 所有的业务都放在 /app/ 下「yun用户的家目录」，避免业务数据乱放；

3、 该用户也被 ansible 使用，因为几乎所有的生产环境都是禁止 root 远程登录的（因此该 yun 用户也进行了 sudo 提权）。

 # 使用一个专门的用户，避免直接使用root用户
 # 添加用户、指定家目录并指定用户密码
 # sudo提权
 # 让其它普通用户可以进入该目录查看信息
 useradd -u  -d /app yun && echo '' | /usr/bin/passwd --stdin yun
 echo "yun  ALL=(ALL)       NOPASSWD: ALL" >>  /etc/sudoers
 chmod  /app/

Ansible 配置清单Inventory

之后文章都是如下主机配置清单

 [yun@ansi-manager ansible_info]$ pwd
 /app/ansible_info
 [yun@ansi-manager ansible_info]$ cat hosts_key
 # 方式1、主机 + 端口 + 密钥
 [manageservers]
 172.16.1.180:

 [proxyservers]
 172.16.1.18[:]:

 # 方式2：别名 + 主机 + 端口 + 密码
 [webservers]
 web01 ansible_ssh_host=172.16.1.183 ansible_ssh_port=
 web02 ansible_ssh_host=172.16.1.184 ansible_ssh_port=
 web03 ansible_ssh_host=172.16.1.185 ansible_ssh_port=

Ansible Vault 概述

当我们写的 playbook 中涉及敏感信息，如：数据库账号密码；MQ账号密码；主机账号密码。这时为了防止这些敏感信息泄露，就可以使用 vault 进行加密。

 [yun@ansi-manager ~]$ ansible-vault -h
 Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

 Options:
   --ask-vault-pass      ask for vault password
   -h, --help            show this help message and exit
   --new-vault-id=NEW_VAULT_ID
                         the new vault identity to use for rekey
   --new-vault-password-file=NEW_VAULT_PASSWORD_FILE
                         new vault password file for rekey
   --vault-id=VAULT_IDS  the vault identity to use
   --vault-password-file=VAULT_PASSWORD_FILES
                         vault password file
   -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                         connection debugging)
   --version             show program's version number, config file location,
                         configured module search path, module location,
                         executable location and exit

  See 'ansible-vault <command> --help' for more information on a specific
 command.

参数说明

create：创建一个加密文件，在创建时会首先要求输入 Vault 密码，之后才能进入文件中编辑。

decrypt：对 vault 加密的文件进行解密。

edit：对 vault 加密文件进行编辑。

encrypt：对提供的文件，进行 vault 加密。

encrypt_string：对提供的字符串进行 vault 加密。

rekey：对已 vault 加密的文件进行免密更改，需要提供之前的密码。

view：查看已加密的文件，需要提供密码。

Ansible Vault 交互式

创建加密文件

 [yun@ansi-manager object06]$ pwd
 /app/ansible_info/object06
 [yun@ansi-manager object06]$ ansible-vault create test_vault.yml
 New Vault password: # 输入密码
 Confirm New Vault password: # 确认密码
 ---
 # vault test
 - hosts: proxyservers

   tasks:
     - name: "touch file"
       file:
         path: /tmp/with_itemstestfile
         state: touch

 [yun@ansi-manager object06]$ cat test_vault.yml   # 加密后查看
 $ANSIBLE_VAULT;1.1;AES256

 6138353833366637383066366662666236666338333237610a303263336234303866623834663361

 6262633334353036620a633136313364383536323531373164346436663739663631353166663434

对已加密的文件进行解密

 [yun@ansi-manager object06]$ ansible-vault decrypt test_vault.yml
 Vault password:
 Decryption successful
 [yun@ansi-manager object06]$
 [yun@ansi-manager object06]$ cat test_vault.yml  # 解密后查看
 ---
 # vault test
 - hosts: proxyservers

   tasks:
     - name: "touch file"
       file:
         path: /tmp/with_itemstestfile
         state: touch

对已存在文件进行加密

 [yun@ansi-manager object06]$ ansible-vault encrypt test_vault.yml
 New Vault password:
 Confirm New Vault password:
 Encryption successful
 [yun@ansi-manager object06]$ cat test_vault.yml
 $ANSIBLE_VAULT;1.1;AES256

 3930343836396537343333336432363732343936323937370a363239356233333634303464633539

 6334333162616332320a353033323538643566666562646334623630343938646264663561316566

对已加密的文件进行编辑

 [yun@ansi-manager object06]$ ansible-vault edit test_vault.yml
 Vault password:
 ---
 # vault test  ==
 - hosts: proxyservers

   tasks:
     - name: "touch file"
       file:
         path: /tmp/with_itemstestfile
         state: touch

对已加密文件更改密码

 [yun@ansi-manager object06]$ ansible-vault rekey test_vault.yml
 Vault password:
 New Vault password:
 Confirm New Vault password:
 Rekey successful

对已加密文件进行查看

 [yun@ansi-manager object06]$ ansible-vault view test_vault.yml
 Vault password:
 ---
 # vault test  ==
 - hosts: proxyservers

   tasks:
     - name: "touch file"
       file:
         path: /tmp/with_itemstestfile
         state: touch

对提供的字符串进行加密

 [yun@ansi-manager object06]$ ansible-vault encrypt_string "111 222 333"
 New Vault password:
 Confirm New Vault password:
 !vault |
           $ANSIBLE_VAULT;1.1;AES256

           6537336166356466666431663037623835643964366137340a336439313066356265666636383430

           3034326337303932610a303232643464633239383563393836306565353835666431363132303835

 Encryption successful

Ansible Vault 非交互式

创建密码文件

安全使用，记得使用 400 或 600 权限。

 [yun@ansi-manager object06]$ echo "" > vault_pwd
 [yun@ansi-manager object06]$ echo "" > vault_pwd2
 [yun@ansi-manager object06]$ ll vault_pwd*  # 权限
 -r--------  yun yun  Aug  : vault_pwd
 -r--------  yun yun  Aug  : vault_pwd2

创建加密文件

 [yun@ansi-manager object06]$ ansible-vault create test_vault02.yml --vault-password-file=vault_pwd
 ---
 # vault test
 [yun@ansi-manager object06]$ cat test_vault02.yml
 $ANSIBLE_VAULT;1.1;AES256

 6638666536306162366263333037323231386365316238390a383139623435363738663832623533

 6131313833383761620a383534363564393836306238666135656137623036386531653931623362
 

对已加密的文件进行解密

 [yun@ansi-manager object06]$ ansible-vault decrypt test_vault02.yml --vault-password-file=vault_pwd
 Decryption successful
 [yun@ansi-manager object06]$ cat test_vault02.yml
 ---
 # vault test 

对已存在文件进行加密

 [yun@ansi-manager object06]$ ansible-vault encrypt test_vault02.yml --vault-password-file=vault_pwd
 Encryption successful
 [yun@ansi-manager object06]$
 [yun@ansi-manager object06]$ cat test_vault02.yml
 $ANSIBLE_VAULT;1.1;AES256

 3533393766313339393665386463613831323366623962650a643365653833636663653938613966

 3638363937626635390a303962653366353138373139623237356637656230386565663364626438
 

对已加密的文件进行编辑

 [yun@ansi-manager object06]$ ansible-vault edit test_vault02.yml --vault-password-file=vault_pwd
 ---
 # vault test   ##

对已加密文件更改密码

 [yun@ansi-manager object06]$ ansible-vault rekey test_vault02.yml --vault-password-file=vault_pwd --new-vault-password-file=vault_pwd2
 Rekey successful

对已加密文件进行查看

 [yun@ansi-manager object06]$ ansible-vault view test_vault02.yml --vault-password-file=vault_pwd2
 ---
 # vault test   ##

对提供的字符串进行加密

 [yun@ansi-manager object06]$ ansible-vault encrypt_string "test info" --vault-password-file=vault_pwd2
 !vault |
           $ANSIBLE_VAULT;1.1;AES256

           6633363733303334373831303732326435396566313066630a373562633530333832613335393835

           6636396135306436640a313531373835663633383665396139343464613861313034386365393137

 Encryption successful

Playbook 使用 vault 文件

 # 其中 test_vault.yml 的 vault 密码为 vault_pwd 中的信息
 [yun@ansi-manager object06]$ ansible-vault view test_vault.yml --vault-password-file=vault_pwd
 ---
 # vault test  ==
 - hosts: proxyservers

   tasks:
     - name: "touch file"
       file:
         path: /tmp/with_itemstestfile
         state: touch

 [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key --syntax-check test_vault.yml --vault-password-file=vault_pwd  # 语法检测
 [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key -C test_vault.yml --vault-password-file=vault_pwd  # 预执行，测试执行
 [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key test_vault.yml --vault-password-file=vault_pwd  # 执行

完毕！

---

———END———
如果觉得不错就关注下呗 (-^O^-) ！