如何将 ansible_become_pass 存储在保险库中以及如何使用它? [英] How to store ansible_become_pass in a vault and how to use it?

问题描述

我是 ansible 的新手，我正在使用一个非常简单的剧本在几台服务器上发布 sudo apt-get update 和 sudo apt-get upgrade.

这是我正在使用的剧本:

---- 名称:更新服务器主机:我的服务器变成:是成为用户:root任务:- 名称:更新包apt: update_cache=yes- 名称:升级包apt:升级=dist

这是从我的 ~/.ansible/inventory/hosts 文件中摘录的:

[我的服务器]旧金山 ansible_host=san-francisco ansible_ssh_user=用户 ansible_become_pass=<my_sudo_password_for_user_on_san-francisco>san-diego ansible_host=san-diego ansible_ssh_user=user ansible_become_pass=<my_sudo_password_for_user_on_san-diego>

如果我启动剧本，这就是我得到的:

$ ansible-playbook update-servers-playbook.ymlPLAY [更新服务​​器] **********************************************************任务 [设置] ************************************************************************好的:[旧金山]好的:[圣地亚哥]任务[更新包]************************************************************好的:[旧金山]好的:[圣地亚哥]任务【升级包】*******************************************************好的:[旧金山]好的:[圣地亚哥]播放回顾 ****************************************************************************旧金山:ok=3 已更改=0 无法访问=0 失败=0圣地亚哥:ok=3 已更改=0 无法访问=0 失败=0

困扰我的是我的用户 user 的密码以明文形式存储在我的 ~/.ansible/inventory/hosts 文件中.>

我已阅读关于保险库，我还阅读了 最佳实践变量和保险库，但我不明白如何将其应用于我的最小用例.

我也尝试使用查找.虽然通常它们也可以在库存文件中使用，但我可以执行以下操作:

[我的服务器]旧金山 ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass="{{lookup('env', 'ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO') }}"

在这种情况下，密码将存储在名为 ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO 的环境变量中；据我所知，没有办法在 Vault 中查找变量.

那么，我该如何组织我的文件，以便我能够从某处查找我的密码并安全地存储它们?

解决方案

您需要创建一些 vault 变量文件，然后将它们包含在您的剧本或命令行中.

如果您更改您的库存文件以使用一个变量来传递这个变量:

[我的服务器]旧金山 ansible_host=旧金山 ansible_ssh_user=用户 ansible_become_pass='{{ sanfrancisco_become_pass }}'圣地亚哥 ansible_host=san-diego ansible_ssh_user=用户 ansible_become_pass='{{sandiego_become_pass }}'

然后使用ansible-vault create vaulted_vars.yml创建一个包含以下内容的文件:

sanfrancisco_become_pass:<my_sudo_password_for_user_on_san-francisco>sandiego_become_pass : <my_sudo_password_for_user_on_san-diego>

然后将 Vaulted 文件作为额外的变量包含在内:

ansible-playbook -i ~/.ansible/inventory/hosts playbook.yml --ask-vault-pass -e@~/.ansible/inventory/vault_vars

或者使用 include_vars 任务将 vars 文件包含在您的剧本中:

- name : 包括拱形变量include_vars: ~/.ansible/inventory/vault_vars

I am a newbie to ansible and I am using a very simple playbook to issue sudo apt-get update and sudo apt-get upgrade on a couple of servers.

This is the playbook I am using:

---

- name: Update Servers
  hosts: my-servers
  become: yes
  become_user: root
  tasks:
    - name: update packages
      apt: update_cache=yes

    - name: upgrade packages
      apt: upgrade=dist

and this is an extract from my ~/.ansible/inventory/hosts file:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass=<my_sudo_password_for_user_on_san-francisco>
san-diego     ansible_host=san-diego     ansible_ssh_user=user ansible_become_pass=<my_sudo_password_for_user_on_san-diego>

This is what I get if I launch the playbook:

$ ansible-playbook update-servers-playbook.yml                                                                                                                                     

PLAY [Update Servers] **********************************************************

TASK [setup] *******************************************************************
ok: [san-francisco]
ok: [san-diego]

TASK [update packages] *********************************************************
ok: [san-francisco]
ok: [san-diego]

TASK [upgrade packages] ********************************************************
ok: [san-francisco]
ok: [san-diego]

PLAY RECAP *********************************************************************
san-francisco              : ok=3    changed=0    unreachable=0    failed=0   
san-diego                  : ok=3    changed=0    unreachable=0    failed=0

What is bothering me is the fact that I have the password for my user user stored in plaintext in my ~/.ansible/inventory/hosts file.

I have read about vaults, I have also read about the best practices for variables and vaults but I do not understand how to apply this to my very minimal use case.

I also tried to use lookups. While in general they also work in the inventory file, and I am able to do something like this:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass="{{ lookup('env', 'ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO') }}"

where this case the password would be stored in an environment variable called ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO; there is no way to look up variables in vaults as far as I know.

So, how could I organize my file such that I would be able to lookup up my passwords from somewhere and have them safely stored?

解决方案

You need to create some vaulted variable files and then either include them in your playbooks or on the command line.

If you change your inventory file to use a variable for the become pass this variable can be vaulted:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass='{{ sanfrancisco_become_pass }}'
san-diego     ansible_host=san-diego     ansible_ssh_user=user ansible_become_pass='{{ sandiego_become_pass }}'

Then use ansible-vault create vaulted_vars.yml to create a vaulted file with the following contents:

sanfrancisco_become_pass: <my_sudo_password_for_user_on_san-francisco>
sandiego_become_pass    : <my_sudo_password_for_user_on_san-diego>

Then either include the vaulted file as extra vars like this:

ansible-playbook -i ~/.ansible/inventory/hosts playbook.yml --ask-vault-pass -e@~/.ansible/inventory/vault_vars

Or include the vars file in your playbook with an include_vars task:

- name        : include vaulted variables
  include_vars: ~/.ansible/inventory/vault_vars

这篇关于如何将 ansible_become_pass 存储在保险库中以及如何使用它?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！