未检测到 group_vars 中的 Ansible 保险库密码 [英] Ansible vault password in group_vars not detected
问题描述
我正在尝试使用 ansible-vault 来保护单个 Windows 登录密码.我不想将 hte 密码作为纯文本放置在我的 windows.yml 文件中(见下文),因此我尝试使用 ansible-vault
来保护/加密此密码.
I am trying to use ansible-vault to secure a single Windows login password. I do not want to place hte password as plain text in my windows.yml file (see below) and so I am trying to use ansible-vault
to secure/encrypt this password.
我有这个目录结构:
myansiblehome
- windows_manage
- group_vars
- windows.yml
- vault
- hosts
- win_playbook.yml
我的问题是关于文件 vault
.我试图将 Windows 登录密码作为加密变量放置在这里,根据 this教程.变量名称是 ansible_password
并且这个想法是我应该在 vault
文件中有一个哈希值,而不是文本中的实际密码.
My question is about the file vault
. I am trying to place a Windows login password here as an encrypted variable, as per this tutorial. The variable name is ansible_password
and the idea is that I should have a hash in the vault
file and not the actual password in text.
我的 windows.yml
文件如下所示(遵循 这里):
My windows.yml
file looks like this (following the guidance here):
ansible_user: administrator
ansible_password: "{{ vault_ansible_password }}"
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
现在,要创建 vault
文件,我的步骤如下:
Now, to create the vault
file, here are my steps:
cd windows_manage
ansible-vault create group_vars/vault
然后这里是我放入vault
文件的所有内容:
Then here are all the contents that I place into the vault
file:
---
vault_ansible_password: mypassword
当我使用 ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass
运行此文件时,出现此错误(问题 A):
When I run this file with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass
, I get this error (problem A):
The field 'password' has an invalid value, which includes an
undefined variable. The error was: 'vault_ansible_password' is
undefined\nexception type: <...>\nexception: 'vault_ansible_password' is
undefined.
因此,我尝试生成哈希而不是使用文本.我这样做了:
So, I tried to generate a hash instead of using text. I did this:
mkpasswd --method=SHA-512
# copy the resulting hash to the clipboard
ansible-vault create group_vars/vault
我用这个哈希替换了文本 mypassword.我将哈希粘贴到 vi
编辑器中并保存了 vault
文件.再次,我使用 ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass
运行剧本.这次我遇到了不同的错误(问题 B):
I replaced the text mypassword by this hash. I pasted the hash in the vi
editor and saved the vault
file. Again, I ran the playbook with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass
. This time I got a different error (problem B):
fatal: [...]: UNREACHABLE! => ..."ssl: the specified
credentials were rejected by the server", "unreachable": true}
为了克服这个,我必须做两件事:
To overcome this, I have to do 2 things:
- 解决问题A.:在
win_playbook.yml
中,我需要添加vars_files: group_vars\vault
,有点类似于this StackOverflow 帖子. - 要解决问题 B.:我必须用文本中的实际密码 (mypassword) 替换
vault
中的哈希值.
- To resolve problem A.: in
win_playbook.yml
, I need to addvars_files: group_vars\vault
, somewhat similar to this StackOverflow post. - To resolve problem B.: I have to replace the hash in
vault
with the actual password in text (mypassword).
问题:
关于 A:在我遇到的 ansible Vault 教程中,我没有看到为什么
vars_file: group_vars\vars
应该出现在主剧本文件中的特殊原因(请参阅下面的链接 1-4)).任何地方都没有提到这一点.我以为 Ansible 会自动检测group_vars
目录中的变量???需要这条线有什么原因吗?
Regarding A: In the tutorials I have come across for ansible vault, I do not see a particular reason why
vars_file: group_vars\vars
should be present in the main playbook file (see links 1-4 below).i.e. there is no mention of this anywhere. I thought Ansible would auto-detect the variables in thegroup_vars
directory??? Is there a reason why this line is required?
- https://serversforhackers.com/c/ansible-using-vault
- https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04
- 这些家伙使用
group_vars/vars
(类似于我的group_vars/vars
的未加密变量文件)和group_vars/vault
(类似于我的group_vars/vault
的加密变量文件到我的group_vars/vault
) 但他们使用了一个角色而我没有使用 Ansible 角色
- 这些家伙使用
- https://serversforhackers.com/c/ansible-using-vault
- https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04
- these guys use
group_vars/vars
(unencrypted variable file similar to mygroup_vars/vars
) andgroup_vars/vault
(encrypted variable file similar to mygroup_vars/vault
) but they are using a role while I am not using an Ansible role
- these guys use
关于 B:它看起来像其他用户(见 此处 使用哈希作为其变量).实际上,即使是 Ansible 文档也建议 使用 mkpasswd
来生成密码.也许我误解了一些东西.我们不应该使用 mkpasswd --method=SHA-512
来散列密码,然后将散列作为变量值吗?是否不能使用散列作为 vault
文件中 key:value 的值?
Regarding B: It looks like other users (see here are using hashes as their variables). Actually, even the Ansible docs suggest to use mkpasswd
to generate passwords. Maybe I am misunderstanding something. Should we not use mkpasswd --method=SHA-512
to hash the password and then place the hash as the variable value? Is it not possible to use a hash as the value in key:value in the vault
file?
推荐答案
group_vars
依赖于文件/目录名——它应该对应特定的组名.
group_vars
rely on file/directory name – it should correspond to specific group name.
如果 windows.yml
应用于名为 windows
的组,但 vault
将应用于名为 vault 的组代码>.
In you case windows.yml
is applied to group named windows
, but vault
would have been applied to group named vault
.
为了解决您的问题,创建名为 windows
的目录并将您的文件放在那里(windows
目录下的每个文件都将应用于 windows
中的主机> 按字母顺序分组):
To overcome your issue, create directory named windows
and place your files there (every file under windows
directory will be applied to hosts in windows
group in alphabetical order):
myansiblehome
\ windows_manage
\ group_vars
\ windows
\ windows.yml
- vault
这篇关于未检测到 group_vars 中的 Ansible 保险库密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!