Ansible playbook Vault 加密詳解與使用案例

主機規劃

添加用戶賬號

說明：

1、 運維人員使用的登錄賬號；

2、 所有的業務都放在 /app/ 下「yun用戶的家目錄」，避免業務數據亂放；

3、 該用戶也被 ansible 使用，因為幾乎所有的生產環境都是禁止 root 遠程登錄的（因此該 yun 用戶也進行了 sudo 提權）。

1 # 使用一個專門的用戶，避免直接使用root用戶
2 # 添加用戶、指定家目錄並指定用戶密碼
3 # sudo提權
4 # 讓其它普通用戶可以進入該目錄查看信息
5 useradd -u 1050 -d /app yun && echo '123456' | /usr/bin/passwd --stdin yun
6 echo "yun  ALL=(ALL)       NOPASSWD: ALL" >>  /etc/sudoers
7 chmod 755 /app/

Ansible 配置清單Inventory

之後文章都是如下主機配置清單

 1 [yun@ansi-manager ansible_info]$ pwd
 2 /app/ansible_info
 3 [yun@ansi-manager ansible_info]$ cat hosts_key 
 4 # 方式1、主機 + 埠 + 密鑰
 5 [manageservers]
 6 172.16.1.180:22
 7 
 8 [proxyservers]
 9 172.16.1.18[1:2]:22
10 
11 # 方式2：別名 + 主機 + 埠 + 密碼
12 [webservers]
13 web01 ansible_ssh_host=172.16.1.183 ansible_ssh_port=22
14 web02 ansible_ssh_host=172.16.1.184 ansible_ssh_port=22
15 web03 ansible_ssh_host=172.16.1.185 ansible_ssh_port=22

Ansible Vault 概述

當我們寫的 playbook 中涉及敏感信息，如：資料庫賬號密碼；MQ賬號密碼；主機賬號密碼。這時為了防止這些敏感信息泄露，就可以使用 vault 進行加密。

 1 [yun@ansi-manager ~]$ ansible-vault -h
 2 Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]
 3 
 4 Options:
 5   --ask-vault-pass      ask for vault password
 6   -h, --help            show this help message and exit
 7   --new-vault-id=NEW_VAULT_ID
 8                         the new vault identity to use for rekey
 9   --new-vault-password-file=NEW_VAULT_PASSWORD_FILE
10                         new vault password file for rekey
11   --vault-id=VAULT_IDS  the vault identity to use
12   --vault-password-file=VAULT_PASSWORD_FILES
13                         vault password file
14   -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
15                         connection debugging)
16   --version             show program's version number, config file location,
17                         configured module search path, module location,
18                         executable location and exit
19 
20  See 'ansible-vault <command> --help' for more information on a specific
21 command.

參數說明

create：創建一個加密文件，在創建時會首先要求輸入 Vault 密碼，之後才能進入文件中編輯。

decrypt：對 vault 加密的文件進行解密。

edit：對 vault 加密文件進行編輯。

encrypt：對提供的文件，進行 vault 加密。

encrypt_string：對提供的字元串進行 vault 加密。

rekey：對已 vault 加密的文件進行免密更改，需要提供之前的密碼。

view：查看已加密的文件，需要提供密碼。

Ansible Vault 互動式

創建加密文件

 1 [yun@ansi-manager object06]$ pwd
 2 /app/ansible_info/object06
 3 [yun@ansi-manager object06]$ ansible-vault create test_vault.yml
 4 New Vault password: # 輸入密碼
 5 Confirm New Vault password: # 確認密碼
 6 ---
 7 # vault test
 8 - hosts: proxyservers
 9 
10   tasks:
11     - name: "touch file"
12       file:
13         path: /tmp/with_itemstestfile
14         state: touch
15 
16 [yun@ansi-manager object06]$ cat test_vault.yml   # 加密後查看
17 $ANSIBLE_VAULT;1.1;AES256
18 33663239636530353564393731363161623462386266613165326235353762343465653235396639
19 6138353833366637383066366662666236666338333237610a303263336234303866623834663361
20 39343633646434353334396162643063613964333337343336373232653266613264626564346566
21 6262633334353036620a633136313364383536323531373164346436663739663631353166663434
22 38663962363032643163333266633662376538383134333862373961313166656536353734363537
23 30626261366138383864653834336637393230363466336662306138323032373361656566663231
24 65363039393736326266316261383065363739633861646464373733643966333233343436303731
25 37366130363064366337393837396664356335363738663130333436656238666233396466393137
26 33306434343262313961393661313536386338383233303230613962663732323630663638313531
27 3236636438646166643937613761396564373033623637636166

對已加密的文件進行解密

 1 [yun@ansi-manager object06]$ ansible-vault decrypt test_vault.yml
 2 Vault password: 
 3 Decryption successful
 4 [yun@ansi-manager object06]$ 
 5 [yun@ansi-manager object06]$ cat test_vault.yml  # 解密後查看
 6 ---
 7 # vault test
 8 - hosts: proxyservers
 9 
10   tasks:
11     - name: "touch file"
12       file:
13         path: /tmp/with_itemstestfile
14         state: touch

對已存在文件進行加密

 1 [yun@ansi-manager object06]$ ansible-vault encrypt test_vault.yml
 2 New Vault password: 
 3 Confirm New Vault password: 
 4 Encryption successful
 5 [yun@ansi-manager object06]$ cat test_vault.yml 
 6 $ANSIBLE_VAULT;1.1;AES256
 7 37313964663164613434656666323265376465303433633438613032303733363136316235623066
 8 3930343836396537343333336432363732343936323937370a363239356233333634303464633539
 9 61613264363037313833363738623866643762666662646165646561343631646434383864373338
10 6334333162616332320a353033323538643566666562646334623630343938646264663561316566
11 35633939653166326631303635363533613338326561666663623238396464383363613738323464
12 37306163663933323836316165666532336664353038303036383564346436633235373166663834
13 62383464373632373839323562306163666366313738663234656139346130373031626265613830
14 38373135616261616137326337633566306633343338306264646139396230613665356264353134
15 37376636646266626236323663376230313964323034623133333539393131333065323964303030
16 3139366661353732333961323764613332316535323334343939

對已加密的文件進行編輯

 1 [yun@ansi-manager object06]$ ansible-vault edit test_vault.yml
 2 Vault password: 
 3 ---
 4 # vault test  ==
 5 - hosts: proxyservers
 6 
 7   tasks:
 8     - name: "touch file"
 9       file:
10         path: /tmp/with_itemstestfile
11         state: touch

對已加密文件更改密碼

1 [yun@ansi-manager object06]$ ansible-vault rekey test_vault.yml
2 Vault password: 
3 New Vault password: 
4 Confirm New Vault password: 
5 Rekey successful

對已加密文件進行查看

 1 [yun@ansi-manager object06]$ ansible-vault view test_vault.yml
 2 Vault password: 
 3 ---
 4 # vault test  ==
 5 - hosts: proxyservers
 6 
 7   tasks:
 8     - name: "touch file"
 9       file:
10         path: /tmp/with_itemstestfile
11         state: touch

對提供的字元串進行加密

 1 [yun@ansi-manager object06]$ ansible-vault encrypt_string "111 222 333"
 2 New Vault password: 
 3 Confirm New Vault password: 
 4 !vault |
 5           $ANSIBLE_VAULT;1.1;AES256
 6           61343332386237363437623939633334626231613539353566313336306562373538633937363566
 7           6537336166356466666431663037623835643964366137340a336439313066356265666636383430
 8           36613661393232613134333961643936646164396130613663656237393837366566356631353061
 9           3034326337303932610a303232643464633239383563393836306565353835666431363132303835
10           3635
11 Encryption successful

Ansible Vault 非互動式

創建密碼文件

安全使用，記得使用 400 或 600 許可權。

1 [yun@ansi-manager object06]$ echo "111111" > vault_pwd
2 [yun@ansi-manager object06]$ echo "123456" > vault_pwd2
3 [yun@ansi-manager object06]$ ll vault_pwd*  # 許可權 400
4 -r-------- 1 yun yun 7 Aug 30 10:35 vault_pwd
5 -r-------- 1 yun yun 7 Aug 30 10:39 vault_pwd2

創建加密文件

 1 [yun@ansi-manager object06]$ ansible-vault create test_vault02.yml --vault-password-file=vault_pwd
 2 ---
 3 # vault test 2
 4 [yun@ansi-manager object06]$ cat test_vault02.yml 
 5 $ANSIBLE_VAULT;1.1;AES256
 6 34356364613864656136616365383361386635316332363861656334643230366136313333376366
 7 6638666536306162366263333037323231386365316238390a383139623435363738663832623533
 8 34666539393036383365333062333039643832616233623764613132303966396534616633326366
 9 6131313833383761620a383534363564393836306238666135656137623036386531653931623362
10 30613036333161613235393539633233663136653566366266353232386230383434

對已加密的文件進行解密

1 [yun@ansi-manager object06]$ ansible-vault decrypt test_vault02.yml --vault-password-file=vault_pwd
2 Decryption successful
3 [yun@ansi-manager object06]$ cat test_vault02.yml 
4 ---
5 # vault test 2

對已存在文件進行加密

 1 [yun@ansi-manager object06]$ ansible-vault encrypt test_vault02.yml --vault-password-file=vault_pwd
 2 Encryption successful
 3 [yun@ansi-manager object06]$ 
 4 [yun@ansi-manager object06]$ cat test_vault02.yml 
 5 $ANSIBLE_VAULT;1.1;AES256
 6 65653035393230366365363637343137636337663638346463303532623139353137366162396536
 7 3533393766313339393665386463613831323366623962650a643365653833636663653938613966
 8 39323037396635333236663239316431343461346562393731363537313865623534396533653931
 9 3638363937626635390a303962653366353138373139623237356637656230386565663364626438
10 31613837383338323065346634323632396339323635323766386236623038616233

對已加密的文件進行編輯

1 [yun@ansi-manager object06]$ ansible-vault edit test_vault02.yml --vault-password-file=vault_pwd
2 ---
3 # vault test 2  ##

對已加密文件更改密碼

1 [yun@ansi-manager object06]$ ansible-vault rekey test_vault02.yml --vault-password-file=vault_pwd --new-vault-password-file=vault_pwd2
2 Rekey successful

對已加密文件進行查看

1 [yun@ansi-manager object06]$ ansible-vault view test_vault02.yml --vault-password-file=vault_pwd2
2 ---
3 # vault test 2  ##

對提供的字元串進行加密

1 [yun@ansi-manager object06]$ ansible-vault encrypt_string "test info" --vault-password-file=vault_pwd2
2 !vault |
3           $ANSIBLE_VAULT;1.1;AES256
4           30313766613263363963316663623664353862623032323331356563626636646239636666343766
5           6633363733303334373831303732326435396566313066630a373562633530333832613335393835
6           34396161313862656466353433313835643030633966383032656561343331616234373831623233
7           6636396135306436640a313531373835663633383665396139343464613861313034386365393137
8           6133
9 Encryption successful

Playbook 使用 vault 文件

 1 # 其中 test_vault.yml 的 vault 密碼為 vault_pwd 中的信息
 2 [yun@ansi-manager object06]$ ansible-vault view test_vault.yml --vault-password-file=vault_pwd
 3 ---
 4 # vault test  ==
 5 - hosts: proxyservers
 6 
 7   tasks:
 8     - name: "touch file"
 9       file:
10         path: /tmp/with_itemstestfile
11         state: touch
12 
13 [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key --syntax-check test_vault.yml --vault-password-file=vault_pwd  # 語法檢測
14 [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key -C test_vault.yml --vault-password-file=vault_pwd  # 預執行，測試執行
15 [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key test_vault.yml --vault-password-file=vault_pwd  # 執行

完畢！

———END———
如果覺得不錯就關註下唄 (-^O^-) ！