    Ansible playbook Vault encryption

    Ansible playbook Vault encryption explained, with worked examples

    Host planning

    Adding a user account

    Notes:

    1. This is the login account used by the operations staff.

    2. All business data lives under /app/ (the home directory of the yun user), so that it is not scattered around the filesystem.

    3. The same account is used by Ansible, because almost every production environment forbids remote root login; the yun user is therefore given sudo rights.

    # Use a dedicated user instead of working as root directly
    # Add the user, set its home directory and set its password
    # Grant sudo rights
    # Let other unprivileged users enter the directory and read its contents
    useradd -u 1050 -d /app yun && echo '123456' | /usr/bin/passwd --stdin yun
    echo "yun  ALL=(ALL)       NOPASSWD: ALL" >>  /etc/sudoers
    chmod 755 /app/

    The password and the sudo rule above are lab values. On a real control node give the account a strong password (or key-only login), put the rule in its own file under /etc/sudoers.d/ and check it with visudo -c before relying on it: a malformed line appended straight to /etc/sudoers can lock everyone out of sudo.

    Ansible inventory

    All later articles use the following host inventory.

    [yun@ansi-manager ansible_info]$ pwd
    /app/ansible_info
    [yun@ansi-manager ansible_info]$ cat hosts_key 
    # Method 1: host + port + SSH key
    [manageservers]
    172.16.1.180:22

    [proxyservers]
    172.16.1.18[1:2]:22

    # Method 2: alias + host + port + password
    [webservers]
    web01 ansible_ssh_host=172.16.1.183 ansible_ssh_port=22
    web02 ansible_ssh_host=172.16.1.184 ansible_ssh_port=22
    web03 ansible_ssh_host=172.16.1.185 ansible_ssh_port=22

    ansible_ssh_host and ansible_ssh_port are the pre-2.0 spellings; current releases prefer ansible_host and ansible_port, although the old names still work. No password variable actually appears in the webservers group here; if you do add one (ansible_ssh_pass / ansible_password), that value is exactly the kind of secret the rest of this article puts under Vault.

    Ansible Vault overview

    When a playbook carries sensitive information, such as database credentials, MQ credentials or host account passwords, Vault can be used to encrypt it so that the secrets are not exposed. Vault protects the data at rest (in the repository, on disk, in backups): the file is decrypted in memory on the control node every time it is used, so anyone who holds both the file and its password can read it, and the strength of that password is the whole of the protection.

    [yun@ansi-manager ~]$ ansible-vault -h
    Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

    Options:
      --ask-vault-pass      ask for vault password
      -h, --help            show this help message and exit
      --new-vault-id=NEW_VAULT_ID
                            the new vault identity to use for rekey
      --new-vault-password-file=NEW_VAULT_PASSWORD_FILE
                            new vault password file for rekey
      --vault-id=VAULT_IDS  the vault identity to use
      --vault-password-file=VAULT_PASSWORD_FILES
                            vault password file
      -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                            connection debugging)
      --version             show program's version number, config file location,
                            configured module search path, module location,
                            executable location and exit

     See 'ansible-vault <command> --help' for more information on a specific
    command.

    Sub-commands

    create: create a new encrypted file; you are first asked for the Vault password, then dropped into an editor to write the contents.

    decrypt: decrypt a vault-encrypted file in place (the plaintext replaces the file on disk).

    edit: edit a vault-encrypted file; it is decrypted into the editor and re-encrypted on save.

    encrypt: vault-encrypt an existing plaintext file in place.

    encrypt_string: vault-encrypt a string, printing a YAML snippet that can be pasted into a vars file or playbook.

    rekey: change the password of an already encrypted file; the current password must be supplied.

    view: display an encrypted file; the password is required.

    Ansible Vault, interactive mode

    Creating an encrypted file

    [yun@ansi-manager object06]$ pwd
    /app/ansible_info/object06
    [yun@ansi-manager object06]$ ansible-vault create test_vault.yml
    New Vault password: # enter the password
    Confirm New Vault password: # confirm the password
    ---
    # vault test
    - hosts: proxyservers

      tasks:
        - name: "touch file"
          file:
            path: /tmp/with_itemstestfile
            state: touch

    [yun@ansi-manager object06]$ cat test_vault.yml   # the file after encryption
    $ANSIBLE_VAULT;1.1;AES256
    33663239636530353564393731363161623462386266613165326235353762343465653235396639
    6138353833366637383066366662666236666338333237610a303263336234303866623834663361
    39343633646434353334396162643063613964333337343336373232653266613264626564346566
    6262633334353036620a633136313364383536323531373164346436663739663631353166663434
    38663962363032643163333266633662376538383134333862373961313166656536353734363537
    30626261366138383864653834336637393230363466336662306138323032373361656566663231
    65363039393736326266316261383065363739633861646464373733643966333233343436303731
    37366130363064366337393837396664356335363738663130333436656238666233396466393137
    33306434343262313961393661313536386338383233303230613962663732323630663638313531
    3236636438646166643937613761396564373033623637636166

    The first line, $ANSIBLE_VAULT;1.1;AES256, is the only plaintext: 1.1 is the envelope version and AES256 the cipher. The hex body that follows encodes a random 32-byte salt, an HMAC-SHA256 tag and the AES-256-CTR ciphertext; the encryption key and the HMAC key are derived from the Vault password with PBKDF2-HMAC-SHA256. Because the salt is fresh on every run, encrypting the same content twice gives different output, which is why none of the blobs in this article repeat.

    Decrypting an encrypted file

    decrypt rewrites the file in plaintext on disk. Use view or edit when you only need to read or change the contents, and never commit a decrypted file.

    [yun@ansi-manager object06]$ ansible-vault decrypt test_vault.yml
    Vault password: 
    Decryption successful
    [yun@ansi-manager object06]$ 
    [yun@ansi-manager object06]$ cat test_vault.yml  # the file after decryption
    ---
    # vault test
    - hosts: proxyservers

      tasks:
        - name: "touch file"
          file:
            path: /tmp/with_itemstestfile
            state: touch

    Encrypting an existing file

    [yun@ansi-manager object06]$ ansible-vault encrypt test_vault.yml
    New Vault password: 
    Confirm New Vault password: 
    Encryption successful
    [yun@ansi-manager object06]$ cat test_vault.yml 
    $ANSIBLE_VAULT;1.1;AES256
    37313964663164613434656666323265376465303433633438613032303733363136316235623066
    3930343836396537343333336432363732343936323937370a363239356233333634303464633539
    61613264363037313833363738623866643762666662646165646561343631646434383864373338
    6334333162616332320a353033323538643566666562646334623630343938646264663561316566
    35633939653166326631303635363533613338326561666663623238396464383363613738323464
    37306163663933323836316165666532336664353038303036383564346436633235373166663834
    62383464373632373839323562306163666366313738663234656139346130373031626265613830
    38373135616261616137326337633566306633343338306264646139396230613665356264353134
    37376636646266626236323663376230313964323034623133333539393131333065323964303030
    3139366661353732333961323764613332316535323334343939

    Editing an encrypted file

    [yun@ansi-manager object06]$ ansible-vault edit test_vault.yml
    Vault password: 
    ---
    # vault test  ==
    - hosts: proxyservers

      tasks:
        - name: "touch file"
          file:
            path: /tmp/with_itemstestfile
            state: touch

    Changing the password of an encrypted file

    [yun@ansi-manager object06]$ ansible-vault rekey test_vault.yml
    Vault password: 
    New Vault password: 
    Confirm New Vault password: 
    Rekey successful

    Viewing an encrypted file

    [yun@ansi-manager object06]$ ansible-vault view test_vault.yml
    Vault password: 
    ---
    # vault test  ==
    - hosts: proxyservers

      tasks:
        - name: "touch file"
          file:
            path: /tmp/with_itemstestfile
            state: touch

    Encrypting a string

    [yun@ansi-manager object06]$ ansible-vault encrypt_string "111 222 333"
    New Vault password: 
    Confirm New Vault password: 
    !vault |
              $ANSIBLE_VAULT;1.1;AES256
              61343332386237363437623939633334626231613539353566313336306562373538633937363566
              6537336166356466666431663037623835643964366137340a336439313066356265666636383430
              36613661393232613134333961643936646164396130613663656237393837366566356631353061
              3034326337303932610a303232643464633239383563393836306565353835666431363132303835
              3635
    Encryption successful

    The !vault | block is meant to be pasted in as the value of a variable. Passing the secret as a command-line argument, as above, leaves it in the shell history and visible in ps while the command runs; ansible-vault encrypt_string --prompt asks for the string interactively, and --stdin-name VARNAME reads it from standard input and prints a ready-made "VARNAME: !vault |" entry.

    Ansible Vault, non-interactive mode

    Creating the password file

    To keep it safe, give the file mode 400 or 600. Ansible strips trailing whitespace when it reads the file, so the newline that echo appends is harmless (ll shows 7 bytes for a 6-character password). Note that echo leaves the password in the shell history; on a real control node prefer a file written by a secrets manager, or make the password file an executable script that prints the password, which ansible-vault also accepts.

    [yun@ansi-manager object06]$ echo "111111" > vault_pwd
    [yun@ansi-manager object06]$ echo "123456" > vault_pwd2
    [yun@ansi-manager object06]$ ll vault_pwd*  # mode 400
    -r-------- 1 yun yun 7 Aug 30 10:35 vault_pwd
    -r-------- 1 yun yun 7 Aug 30 10:39 vault_pwd2

    Creating an encrypted file

    [yun@ansi-manager object06]$ ansible-vault create test_vault02.yml --vault-password-file=vault_pwd
    ---
    # vault test 2
    [yun@ansi-manager object06]$ cat test_vault02.yml 
    $ANSIBLE_VAULT;1.1;AES256
    34356364613864656136616365383361386635316332363861656334643230366136313333376366
    6638666536306162366263333037323231386365316238390a383139623435363738663832623533
    34666539393036383365333062333039643832616233623764613132303966396534616633326366
    6131313833383761620a383534363564393836306238666135656137623036386531653931623362
    30613036333161613235393539633233663136653566366266353232386230383434

    Decrypting an encrypted file

    [yun@ansi-manager object06]$ ansible-vault decrypt test_vault02.yml --vault-password-file=vault_pwd
    Decryption successful
    [yun@ansi-manager object06]$ cat test_vault02.yml 
    ---
    # vault test 2
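    Both decrypt sections above leave the file in plaintext on disk, and the most common Vault accident is committing that plaintext. The guard below is an added example, not code from the article or from the Ansible project; it is meant to run as a pre-commit hook or in CI. It assumes two conventions that the page itself does not state: a file whose name starts with vault must be fully encrypted, and a credential-looking key in any other YAML must carry a !vault value or a "{{ vault_... }}" reference rather than a literal. The file name vault_guard.py and the sample tree in the test are constructed for the example.

```python
"""Repository guard: flag plaintext secrets and un-encrypted vault files.

Added example, not from the article. Two conventions are assumed here, not
taken from the page: a file whose name starts with "vault" must be fully
vault-encrypted, and a YAML key that looks like a credential must carry an
`!vault` value or a Jinja reference ("{{ vault_db_password }}"), never a literal.
"""
import os
import re

VAULT_HEADER = "$ANSIBLE_VAULT;"
# "key: value" where the key name contains a credential-like word
SECRET_LINE = re.compile(
    r"^[ \t-]*([\w.-]*(?:password|passwd|secret|token|api_key)[\w.-]*)[ \t]*:[ \t]*(\S.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def is_vaulted(text):
    """An encrypted file carries the vault header on its very first line."""
    return text.startswith(VAULT_HEADER)


def find_plaintext_secrets(text):
    """Return credential-like keys whose value is a literal, not !vault or {{ }}."""
    if is_vaulted(text):
        return []
    keys = []
    for key, value in SECRET_LINE.findall(text):
        if value.startswith("!vault") or value.lstrip("\"'").startswith("{{"):
            continue
        keys.append(key)
    return keys


def audit_files(files):
    """files: {path: text}. Returns {path: [problem, ...]} for offending files only."""
    findings = {}
    for path, text in files.items():
        problems = []
        if os.path.basename(path).startswith("vault") and not is_vaulted(text):
            problems.append("not vault-encrypted")
        problems += [f"plaintext secret: {k}" for k in find_plaintext_secrets(text)]
        if problems:
            findings[path] = problems
    return findings


def audit_tree(root):
    """Walk a checkout and audit every .yml/.yaml file, decrypted vault files included."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".yml", ".yaml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return audit_files(files)


if __name__ == "__main__":
    import sys
    bad = audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, problems in sorted(bad.items()):
        print(f"{path}: {'; '.join(problems)}")
    sys.exit(1 if bad else 0)
```

    Run it as python3 vault_guard.py /path/to/checkout; a non-zero exit fails the hook or the CI job. The split it enforces (vars.yml holds db_password: "{{ vault_db_password }}", vault.yml holds the real value and is fully encrypted) is the layout the Ansible documentation recommends, because it keeps grep-able variable names outside the ciphertext while the values stay inside it.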

    Encrypting an existing file

    [yun@ansi-manager object06]$ ansible-vault encrypt test_vault02.yml --vault-password-file=vault_pwd
    Encryption successful
    [yun@ansi-manager object06]$ 
    [yun@ansi-manager object06]$ cat test_vault02.yml 
    $ANSIBLE_VAULT;1.1;AES256
    65653035393230366365363637343137636337663638346463303532623139353137366162396536
    3533393766313339393665386463613831323366623962650a643365653833636663653938613966
    39323037396635333236663239316431343461346562393731363537313865623534396533653931
    3638363937626635390a303962653366353138373139623237356637656230386565663364626438
    31613837383338323065346634323632396339323635323766386236623038616233

    Editing an encrypted file

    [yun@ansi-manager object06]$ ansible-vault edit test_vault02.yml --vault-password-file=vault_pwd
    ---
    # vault test 2  ##

    Changing the password of an encrypted file

    [yun@ansi-manager object06]$ ansible-vault rekey test_vault02.yml --vault-password-file=vault_pwd --new-vault-password-file=vault_pwd2
    Rekey successful

    Viewing an encrypted file

    [yun@ansi-manager object06]$ ansible-vault view test_vault02.yml --vault-password-file=vault_pwd2
    ---
    # vault test 2  ##

    Encrypting a string

    [yun@ansi-manager object06]$ ansible-vault encrypt_string "test info" --vault-password-file=vault_pwd2
    !vault |
              $ANSIBLE_VAULT;1.1;AES256
              30313766613263363963316663623664353862623032323331356563626636646239636666343766
              6633363733303334373831303732326435396566313066630a373562633530333832613335393835
              34396161313862656466353433313835643030633966383032656561343331616234373831623233
              6636396135306436640a313531373835663633383665396139343464613861313034386365393137
              6133
    Encryption successful
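    The envelope that ansible-vault writes in every section above (the $ANSIBLE_VAULT;1.1;AES256 header followed by hex) is simple enough to handle without Ansible. The script below is an added example, not code from the article or from the Ansible project. It parses the envelope, derives the keys the way Ansible does (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and CTR IV), checks a candidate password against the stored HMAC without decrypting, and, when the cryptography package that Ansible itself depends on is installed, decrypts and encrypts the AES-256-CTR payload and formats the result the way encrypt_string prints it. The embedded PAGE_VAULT_02 blob is copied from the test_vault02.yml output shown under "Encrypting an existing file" above; every other input is constructed. The password check is the point to notice: one PBKDF2 run per guess is all an attacker holding the file needs, so a password like 111111 is no protection at all.

```python
"""Read, verify, decrypt and write the $ANSIBLE_VAULT;1.1;AES256 envelope.

Added example, not part of the article or of Ansible. The standard library
is enough to parse the envelope and test a password against its HMAC; the
AES-256-CTR step uses the `cryptography` package when it is installed.
"""
import binascii
import hashlib
import hmac
import os

HEADER = "$ANSIBLE_VAULT"
ITERATIONS = 10000          # PBKDF2 iteration count used by Ansible
KEY_LEN, IV_LEN = 32, 16    # AES-256 key size, CTR counter block size
LINE_WIDTH = 80             # ansible-vault wraps the hex body at 80 columns

# Copied from the article: test_vault02.yml after `ansible-vault encrypt`
# with the contents of vault_pwd as the password.
PAGE_VAULT_02 = """$ANSIBLE_VAULT;1.1;AES256
65653035393230366365363637343137636337663638346463303532623139353137366162396536
3533393766313339393665386463613831323366623962650a643365653833636663653938613966
39323037396635333236663239316431343461346562393731363537313865623534396533653931
3638363937626635390a303962653366353138373139623237356637656230386565663364626438
31613837383338323065346634323632396339323635323766386236623038616233
"""


def parse_vault(text):
    """Split an envelope into header fields, salt, HMAC tag (hex text) and ciphertext."""
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    if fields[0] != HEADER or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError("not an AES256 ansible-vault envelope")
    # The body is hex of "salt_hex\nhmac_hex\nciphertext_hex" (1.2 only adds a vault id to the header).
    inner = binascii.unhexlify("".join(lines[1:]))
    salt_hex, mac_hex, ct_hex = inner.split(b"\n")
    return {"version": fields[1], "cipher": fields[2], "salt": binascii.unhexlify(salt_hex),
            "mac_hex": mac_hex, "ciphertext": binascii.unhexlify(ct_hex)}


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (AES key, HMAC key, CTR IV), exactly as Ansible splits it."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, 2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def check_password(text, password):
    """True if `password` reproduces the stored HMAC; no decryption is needed for this."""
    v = parse_vault(text)
    _, mac_key, _ = derive_keys(password, v["salt"])
    tag = hmac.new(mac_key, v["ciphertext"], hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, v["mac_hex"])


def crypto_available():
    """The AES step needs the cryptography package (a dependency of Ansible itself)."""
    try:
        import cryptography.hazmat.primitives.ciphers  # noqa: F401
        return True
    except ImportError:
        return False


def _aes_ctr(key, iv, data):
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    enc = Cipher(algorithms.AES(key), modes.CTR(iv), backend=default_backend()).encryptor()
    return enc.update(data) + enc.finalize()   # CTR: the same operation both ways


def vault_decrypt(text, password):
    """Verify the HMAC first, then decrypt and strip the PKCS#7 padding."""
    if not check_password(text, password):
        raise ValueError("HMAC mismatch: wrong password or tampered file")
    v = parse_vault(text)
    key, _, iv = derive_keys(password, v["salt"])
    padded = _aes_ctr(key, iv, v["ciphertext"])
    n = padded[-1]
    if not 1 <= n <= 16 or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def vault_encrypt(plaintext, password, salt=None):
    """Produce a 1.1 envelope: fresh 32-byte salt, PKCS#7 pad, AES-CTR, HMAC, hex, wrap."""
    salt = salt or os.urandom(32)
    key, mac_key, iv = derive_keys(password, salt)
    n = 16 - len(plaintext) % 16
    ct = _aes_ctr(key, iv, plaintext + bytes([n]) * n)
    tag = hmac.new(mac_key, ct, hashlib.sha256).hexdigest().encode()
    body = binascii.hexlify(b"\n".join([binascii.hexlify(salt), tag, binascii.hexlify(ct)])).decode()
    lines = [f"{HEADER};1.1;AES256"] + [body[i:i + LINE_WIDTH] for i in range(0, len(body), LINE_WIDTH)]
    return "\n".join(lines) + "\n"


def as_yaml_vault(envelope, indent=10):
    """Format an envelope the way `ansible-vault encrypt_string` prints it."""
    return "!vault |\n" + "".join(" " * indent + line + "\n" for line in envelope.splitlines())
```

    check_password(PAGE_VAULT_02, "111111") is the live check against the article's own file, since that blob was produced with the contents of vault_pwd; feeding a list of candidate passwords to the same function is, in miniature, what an offline cracker does with a stolen vault file. vault_decrypt deliberately verifies the HMAC before touching the ciphertext, which is also the order Ansible uses, so a wrong password or a tampered body fails closed instead of producing garbage.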

    Using a vault file from a playbook

    # the Vault password of test_vault.yml is the one stored in vault_pwd
    [yun@ansi-manager object06]$ ansible-vault view test_vault.yml --vault-password-file=vault_pwd
    ---
    # vault test  ==
    - hosts: proxyservers

      tasks:
        - name: "touch file"
          file:
            path: /tmp/with_itemstestfile
            state: touch

    [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key --syntax-check test_vault.yml --vault-password-file=vault_pwd  # syntax check
    [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key -C test_vault.yml --vault-password-file=vault_pwd  # dry run
    [yun@ansi-manager object06]$ ansible-playbook -b -i ../hosts_key test_vault.yml --vault-password-file=vault_pwd  # run

    The -b (become) flag works here only because of the NOPASSWD sudo rule given to the yun user earlier. Instead of repeating --vault-password-file on every command, the password can be supplied interactively with --ask-vault-pass, through the ANSIBLE_VAULT_PASSWORD_FILE environment variable, or with vault_password_file in ansible.cfg. Any task that handles a vaulted value should also set no_log: true; otherwise the decrypted secret can surface in verbose (-v) output and in the play's logs, which undoes the encryption at rest.

    Done!
