Contents
1. Encrypting an entire script
2. Viewing the file contents
3. Running the playbook
4. Encrypting a script
5. Using a password file
5.1 Encrypting a single string
This chapter describes how to encrypt Ansible playbooks.
Many playbooks were written in the previous chapters, and all of them are stored as plain text. When such playbooks need to be encrypted, the ansible-vault command does the job. All exercises in this chapter are performed in /home/demo6, so first create the demo6 directory and copy ansible.cfg and hosts into it:
[bdqn@RHEL813 ~]$ mkdir demo6
[bdqn@RHEL813 ~]$ cp ansible.cfg hosts demo6/
[bdqn@RHEL813 ~]$ cd demo6
[bdqn@RHEL813 demo6]$ ls
ansible.cfg hosts
[bdqn@RHEL813 demo6]$
Create test1.yaml with the following content.
[bdqn@RHEL813 demo6]$ cat test1.yaml
---
- hosts: server2
  gather_facts: false
  vars:
    aa: haha001
  tasks:
  - name: 打印一个变量
    debug: msg="{{aa}}"
[bdqn@RHEL813 demo6]$
The command to encrypt a file is ansible-vault encrypt file:
[bdqn@RHEL813 demo6]$ ansible-vault encrypt test1.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ cat test1.yaml
$ANSIBLE_VAULT;1.1;AES256
62343461616535376532626534633031376434323636653532383530336536373237393132323463
3038653739616337316330616239623335363166353865660a373137626338386335643261343761
62653438643865643931613434373635663335646561393434376332646136316666356431613335
3132383830323864330a306564373864376532326436383762316631356361303236323736663734
35663538373439333030363037643461633438333230383064636135326138326139653536303035
39306166386463333933386363396237343834643263336334653338363761643263366338633735
33626536356237363633633864653430343635363466343332663434623566616633323333373837
36373339316263383233363737303766663566656637643166386664633433653531613432316362
39363131303039353637653739643663373966316563653931343266663765616663326333633363
62353637646663393138336663373136393639353761653936623231336436636230383434373261
35353766313665613631376335313631306333666266333232383463653630353237396537353734
62333933353365303635
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-vault view test1.yaml
Vault password:
---
- hosts: server2
  gather_facts: false
  vars:
    aa: haha001
  tasks:
  - name: 打印一个变量
    debug: msg="{{aa}}"
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-vault view test1.yaml
Vault password:
ERROR! Decryption failed (no vault secrets were found that could decrypt) on test1.yaml for test1.yaml
[bdqn@RHEL813 demo6]$
Running the encrypted YAML file directly produces an error, as shown below.
[bdqn@RHEL813 demo6]$ ansible-playbook test1.yaml
ERROR! Attempting to decrypt but no vault secrets found
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-playbook --ask-vault-pass test1.yaml
Vault password:
PLAY [server2] ***********************************************************************************************************************************************
TASK [打印一个变量] ************************************************************************************************************************************************
ok: [server2] => {
"msg": "haha001"
}
PLAY RECAP ***************************************************************************************************************************************************
server2 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-vault rekey test1.yaml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-vault decrypt test1.yaml
Vault password:
Decryption successful
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ cat test1.yaml
---
- hosts: server2
  gather_facts: false
  vars:
    aa: haha001
  tasks:
  - name: 打印一个变量
    debug: msg="{{aa}}"
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ echo haha001 > aa.txt
[bdqn@RHEL813 demo6]$ cat aa.txt
haha001
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-vault encrypt --vault-id aa.txt test1.yaml
Encryption successful
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ cat test1.yaml
$ANSIBLE_VAULT;1.1;AES256
66356632393733333732663336343038386265653335356137613234386463346539346530356232
3731346663633133373939613034646530646230336266390a353566353930363635363263643162
31623539623834373665346561633064646132303734363861333163323366653539343563656539
6534633431623136310a646231326561366634306338636431666661346331343431323130333135
36393665663361633761646662643939663439653364653462326461336437366636663565613333
61336437626130383635366636623064613562386232313862623431303537363330646465646361
39396666393165353030366134626630383564616162643631356361636266633635366566646430
39316666313832663763656230303030396232313131373861626133636436303532343865343932
65643938323866363263386363656437313664666666306130656461313662336365633337326537
35376433373466313537653864396636363938613538366564383066386634386635393737623764
65366165633432633063646436333532356366386530323135303134373030656134366365353566
31656435333030336566
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-vault view --vault-id aa.txt test1.yaml
---
- hosts: server2
  gather_facts: false
  vars:
    aa: haha001
  tasks:
  - name: 打印一个变量
    debug: msg="{{aa}}"
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-playbook --vault-id aa.txt test1.yaml
PLAY [server2] ***********************************************************************************************************************************************
TASK [打印一个变量] ************************************************************************************************************************************************
ok: [server2] => {
"msg": "haha001"
}
PLAY RECAP ***************************************************************************************************************************************************
server2 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-vault decrypt --vault-id aa.txt test1.yaml
Decryption successful
[bdqn@RHEL813 demo6]$ cat test1.yaml
---
- hosts: server2
  gather_facts: false
  vars:
    aa: haha001
  tasks:
  - name: 打印一个变量
    debug: msg="{{aa}}"
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-vault encrypt_string --vault-id aa.txt haha001
!vault |
$ANSIBLE_VAULT;1.1;AES256
37363236613436646565643665396663633437346437376364383536313764376163656261366537
6634373462346435616432356464373933316261616435350a386134646161313138616432633937
36653031633134633738613061633730353138646665663938636331623366313939633035636365
6562633838653038370a373632613438636164396666316162616439643166343136323336666630
6365
Encryption successful
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ cat test1.yaml
---
- hosts: server2
  gather_facts: false
  vars:
    aa: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          37363236613436646565643665396663633437346437376364383536313764376163656261366537
          6634373462346435616432356464373933316261616435350a386134646161313138616432633937
          36653031633134633738613061633730353138646665663938636331623366313939633035636365
          6562633838653038370a373632613438636164396666316162616439643166343136323336666630
          6365
  tasks:
  - name: 打印一个变量
    debug: msg="{{aa}}"
[bdqn@RHEL813 demo6]$
[bdqn@RHEL813 demo6]$ ansible-playbook --vault-id aa.txt test1.yaml
PLAY [server2] ***********************************************************************************************************************************************
TASK [打印一个变量] ************************************************************************************************************************************************
ok: [server2] => {
"msg": "haha001"
}
PLAY RECAP ***************************************************************************************************************************************************
server2 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[bdqn@RHEL813 demo6]$
As you can see, the playbook now runs normally.
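The $ANSIBLE_VAULT text that ansible-vault wrote above (both the whole-file form and the !vault | inline form from encrypt_string) has a fixed layout: a header line with the format version and cipher, then a hex body that decodes to three newline-separated hex fields, the salt, an HMAC-SHA256 tag and the AES-256-CTR ciphertext. The following script is an added example, not code from this book or from Ansible; it uses only the Python standard library, takes the two envelopes printed in the chapter as its inputs, and assumes the documented VaultAES256 scheme (PBKDF2-HMAC-SHA256 with 10000 rounds deriving 80 bytes: AES key, HMAC key, IV; HMAC-SHA256 keyed with the second key over the ciphertext). The function names parse_vault, is_vault_encrypted, derive_keys and password_matches are this example's own. It validates the envelope, can tell whether a file that is supposed to be vaulted really is (a useful pre-commit check), and can test a candidate password against an envelope by recomputing the HMAC, without ever decrypting the payload.

```python
"""Inspect Ansible Vault envelopes without decrypting them. Added example for this
chapter, not code from the book or from Ansible; standard library only."""
import binascii
import hashlib
import hmac

VAULT_MAGIC = "$ANSIBLE_VAULT"
SALT_LEN = 32          # random salt, hex-encoded inside the envelope
MAC_LEN = 32           # HMAC-SHA256 over the ciphertext
AES_BLOCK = 16         # payload is PKCS7-padded before AES-256-CTR
PBKDF2_ROUNDS = 10000  # VaultAES256 key derivation: PBKDF2-HMAC-SHA256
DERIVED_LEN = 80       # 32-byte AES key + 32-byte HMAC key + 16-byte IV

# Sample 1: the encrypted test1.yaml exactly as `cat` printed it in the chapter.
SAMPLE_FILE = """\
$ANSIBLE_VAULT;1.1;AES256
62343461616535376532626534633031376434323636653532383530336536373237393132323463
3038653739616337316330616239623335363166353865660a373137626338386335643261343761
62653438643865643931613434373635663335646561393434376332646136316666356431613335
3132383830323864330a306564373864376532326436383762316631356361303236323736663734
35663538373439333030363037643461633438333230383064636135326138326139653536303035
39306166386463333933386363396237343834643263336334653338363761643263366338633735
33626536356237363633633864653430343635363466343332663434623566616633323333373837
36373339316263383233363737303766663566656637643166386664633433653531613432316362
39363131303039353637653739643663373966316563653931343266663765616663326333633363
62353637646663393138336663373136393639353761653936623231336436636230383434373261
35353766313665613631376335313631306333666266333232383463653630353237396537353734
62333933353365303635
"""

# Sample 2: the `ansible-vault encrypt_string` output from the chapter (inline form).
SAMPLE_INLINE = """\
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          37363236613436646565643665396663633437346437376364383536313764376163656261366537
          6634373462346435616432356464373933316261616435350a386134646161313138616432633937
          36653031633134633738613061633730353138646665663938636331623366313939633035636365
          6562633838653038370a373632613438636164396666316162616439643166343136323336666630
          6365
"""

def parse_vault(text):
    """Split an envelope into header fields plus salt, mac and ciphertext (bytes).
    Raises ValueError for anything that is not a well-formed vault envelope."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].startswith("!vault"):   # inline form from encrypt_string
        lines = lines[1:]
    if not lines:
        raise ValueError("empty input")
    fields = lines[0].split(";")
    if fields[0] != VAULT_MAGIC or len(fields) < 3:
        raise ValueError("missing $ANSIBLE_VAULT header")
    version, cipher = fields[1], fields[2]
    vault_id = fields[3] if len(fields) > 3 else None   # format 1.2 carries a vault-id label
    if version not in ("1.1", "1.2") or cipher != "AES256":
        raise ValueError(f"unsupported vault format {version}/{cipher}")
    try:
        # outer hex layer -> b"salthex\nmachex\nciphertexthex" -> inner hex layers
        parts = binascii.unhexlify("".join(lines[1:])).split(b"\n")
        if len(parts) != 3:
            raise ValueError(f"expected salt, hmac and ciphertext, got {len(parts)} parts")
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    except binascii.Error as exc:
        raise ValueError(f"vault body is not valid hex: {exc}") from exc
    if len(salt) != SALT_LEN or len(mac) != MAC_LEN:
        raise ValueError("salt or hmac has the wrong length")
    if not ciphertext or len(ciphertext) % AES_BLOCK:
        raise ValueError(f"ciphertext length {len(ciphertext)} is not a multiple of {AES_BLOCK}")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt": salt, "mac": mac, "ciphertext": ciphertext}

def is_vault_encrypted(text):
    """True only for a well-formed envelope: a cheap pre-commit check that a
    file which is supposed to be vaulted was not committed as plaintext."""
    try:
        parse_vault(text)
        return True
    except ValueError:
        return False

def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 as VaultAES256 runs it: 80 bytes split into AES key, HMAC key, IV."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ROUNDS, dklen=DERIVED_LEN)
    return km[:32], km[32:64], km[64:]

def password_matches(text, password):
    """Test a password against an envelope by recomputing the HMAC: a wrong password
    derives a wrong MAC key, so the tags differ. Nothing is decrypted here."""
    env = parse_vault(text)
    _aes_key, mac_key, _iv = derive_keys(password, env["salt"])
    expected = hmac.new(mac_key, env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env["mac"])

if __name__ == "__main__":
    for label, sample in (("file", SAMPLE_FILE), ("inline", SAMPLE_INLINE)):
        env = parse_vault(sample)
        print(f"{label}: format {env['version']}, {len(env['ciphertext'])}-byte ciphertext")
    print("plaintext yaml passes as vaulted?", is_vault_encrypted("---\n- hosts: server2\n"))
    print("wrong password accepted?", password_matches(SAMPLE_FILE, "not-the-real-password"))
```

Run it as a script to see both envelopes parsed: the whole-file sample carries a 160-byte ciphertext and the encrypt_string sample a 16-byte one (a single padded block for "haha001"), and a plain YAML document is rejected by is_vault_encrypted. The HMAC check only confirms or denies a password; decrypting the payload needs AES-256-CTR from a third-party library, which is deliberately left out. Note also that a --vault-id password file such as aa.txt above holds the vault password in plaintext, so keep it out of version control and readable only by its owner (mode 0600).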