Managing secrets
1. Goal: encrypt sensitive variables with Ansible Vault and run a playbook that uses a vault-encrypted variable file.
2. Ansible may need access to sensitive data such as passwords or API keys in order to configure hosts.
3. Encryption/decryption tool: the ansible-vault command. Ansible Vault does not implement its own encryption functions; it relies on an external Python toolkit.
Secret files
Command: ansible-vault create filename
Create a new encrypted file:
```
[root@localhost xzz]# ansible-vault create group_vars/xzz
New Vault password:
Confirm New Vault password:
[WARNING]: group_vars does not exist, creating...
[root@localhost xzz]# cat group_vars/xzz
$ANSIBLE_VAULT;1.1;AES256
63663961353765633765353631363039373335643436316165663063616533346166666137663162
6566323465653538323832636166326131333265323730620a393863393465353436616335393031
36393065643939633766666233646336373862373932636264336236366334663662353735656337
6534393935333563660a383562633664643836386565636665613631336535313935653638613533
6536
```
Encrypt an existing file:
```
[root@localhost xzz]# ansible-vault encrypt group_vars/xzzz
New Vault password:
Confirm New Vault password:
Encryption successful
[root@localhost xzz]# cat group_vars/xzzz
$ANSIBLE_VAULT;1.1;AES256
33323036363332366164363739393230323665663835303064616639333765653736383866303464
3631646133323561356163373366343134323866393531640a663234636634396632373731326538
36646564393034383865383936646362383163323265633464313761383934336362613933626639
6339653939623633300a343332663165303662373461353764643435313236336262633635323563
6337
```
View an encrypted file
Command: ansible-vault view filename
```
[root@localhost xzz]# ansible-vault view group_vars/xzh
Vault password:
1
```
Edit an encrypted file
Command: ansible-vault edit filename
```
[root@localhost xzz]# ansible-vault edit group_vars/xzh
Vault password:
```
Decrypt a file
Command: ansible-vault decrypt filename
```
[root@localhost xzz]# ansible-vault decrypt group_vars/xzh
Vault password:
Decryption successful
[root@localhost xzz]# cat group_vars/xzh
123
```
Note that decrypt rewrites the file on disk in plaintext; use view or edit when you only need to read or change the contents.
Change the password of an encrypted file
Command: ansible-vault rekey filename
```
[root@localhost xzz]# ansible-vault rekey group_vars/zs
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
```
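As an added example (not part of the original notes), a small Python check that confirms every variable file handed to it is really a vault envelope of the kind shown above: it parses the `$ANSIBLE_VAULT;1.1;AES256` header and the hex payload into its salt, HMAC and ciphertext parts, so a pre-commit hook can reject a group_vars file that was saved in plaintext. The sample parts and `build_sample_envelope` are constructed here only so the check can be exercised offline; real envelopes come from ansible-vault itself.

```python
import binascii

# Constructed sample parts (not taken from the page); real ones come from ansible-vault.
SAMPLE_SALT = bytes(range(32))
SAMPLE_HMAC = bytes(range(32, 64))
SAMPLE_CIPHERTEXT = b"\x10\x20\x30\x40\x50"


def build_sample_envelope(salt, hmac, ciphertext, version="1.1", vault_id=None):
    """Assemble a vault-style envelope from raw parts, for offline testing only.
    ansible-vault joins hex(salt), hex(hmac) and hex(ciphertext) with newlines,
    hex-encodes that text again and wraps it at 80 columns under the header."""
    header = f"$ANSIBLE_VAULT;{version};AES256" + (f";{vault_id}" if vault_id else "")
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, hmac, ciphertext))
    body = binascii.hexlify(inner).decode()
    return header + "\n" + "\n".join(body[i:i + 80] for i in range(0, len(body), 80)) + "\n"


def parse_vault_envelope(text):
    """Return header fields and decoded salt/hmac/ciphertext of a vault file.
    Raises ValueError for anything that is not a well-formed envelope, which is
    exactly what a secrets file committed in plaintext looks like."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;"):
        raise ValueError("missing $ANSIBLE_VAULT header")
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError("unsupported vault header: " + lines[0])
    try:
        parts = binascii.unhexlify("".join(ln.strip() for ln in lines[1:])).split(b"\n")
        salt, hmac, ciphertext = (binascii.unhexlify(p) for p in parts)
    except (binascii.Error, ValueError):  # non-hex body or wrong number of parts
        raise ValueError("payload is not salt/hmac/ciphertext hex")
    if len(salt) != 32 or len(hmac) != 32:  # 32-byte salt, HMAC-SHA256 tag
        raise ValueError("bad salt or hmac length")
    return {"version": fields[1], "vault_id": fields[3] if len(fields) > 3 else None,
            "salt": salt, "hmac": hmac, "ciphertext": ciphertext}


def is_vault_encrypted(text):
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False


def find_plaintext_files(named_texts):
    """Given (name, text) pairs, e.g. every file under group_vars/ and host_vars/,
    return the names that are NOT vault-encrypted so a pre-commit hook can reject them."""
    return [name for name, text in named_texts if not is_vault_encrypted(text)]
```

A playbook that loads the checked files is then run with ansible-playbook --ask-vault-pass or --vault-password-file so Ansible can decrypt them at run time.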
Managing facts
Facts include: host name, kernel version, network interfaces, IP addresses, operating system version, environment variables, CPU count, total and available memory, and free disk space.
Ways to obtain facts
Use the setup module to display all facts:
```
[root@localhost ansible]# ansible 192.168.145.163 -m setup|less
192.168.145.163 | SUCCESS => {
    "ansible_facts": {
        "ansible_all_ipv4_addresses": [
            "192.168.122.1",
            "192.168.145.163"
        ],
        "ansible_all_ipv6_addresses": [
            "fe80::31cc:c056:1eb3:e351",
            "fe80::ce16:9b1c:3731:2695"
        ],
        "ansible_apparmor": {
            "status": "disabled"
        },
        "ansible_architecture": "x86_64",
        "ansible_bios_date": "07/29/2019",
        "ansible_bios_version": "6.00",
        "ansible_cmdline": {
            "BOOT_IMAGE": "/vmlinuz-3.10.0-862.el7.x86_64",
            "LANG": "zh_CN.UTF-8",
            "crashkernel": "auto",
            "quiet": true,
            "rd.lvm.lv": "centos/swap",
            "rhgb": true,
            "ro": true,
```
Obtaining facts from a playbook:
```
[root@localhost ansible]# vim playbook/test.yml
[root@localhost ansible]# cat playbook/test.yml
---
- hosts: 192.168.145.163
  tasks:
    - name: waou
      debug:
        var: ansible_facts
[root@localhost ansible]# ansible-playbook playbook/test.yml
PLAY [192.168.145.163] **************************************************************
TASK [Gathering Facts] **************************************************************
ok: [192.168.145.163]
TASK [waou] *************************************************************************
ok: [192.168.145.163] => {
    "ansible_facts": {
        "all_ipv4_addresses": [
            "192.168.122.1",
            "192.168.145.163"
        ],
        "all_ipv6_addresses": [
            "fe80::31cc:c056:1eb3:e351",
            "fe80::ce16:9b1c:3731:2695"
        ],
        "ansible_local": {},
        "apparmor": {
            "status": "disabled"
        },
```
Comparison of selected Ansible fact names

| ansible_facts form | Legacy fact variable form |
|---|---|
| ansible_facts['hostname'] | ansible_hostname |
| ansible_facts['fqdn'] | ansible_fqdn |
| ansible_facts['default_ipv4']['address'] | ansible_default_ipv4['address'] |
| ansible_facts['interfaces'] | ansible_interfaces |
| ansible_facts['devices']['vda']['partitions']['vda1']['size'] | ansible_devices['vda']['partitions']['vda1']['size'] |
| ansible_facts['dns']['nameservers'] | ansible_dns['nameservers'] |
| ansible_facts['kernel'] | ansible_kernel |
Turning off fact gathering
Sometimes we do not want to gather facts for a play. Possible reasons include:
- no facts will be used
- we want the play to run faster
- we want to reduce the load the play puts on managed hosts
- a managed host cannot run the setup module for some reason
- some prerequisite software must be installed before facts can be gathered
For any of these reasons we may want to turn fact gathering off permanently or temporarily. To disable fact gathering for a play, set the gather_facts keyword to no:
```yaml
---
- name: This play gathers no facts automatically
  hosts: large_farm
  gather_facts: no
```
Even when a play sets gather_facts: no, facts can still be gathered manually at any time by running a task that uses the setup module:
```yaml
---
- name: gather_facts
  hosts: 192.168.145.163
  gather_facts: no
  tasks:
    - name: get gather_facts
      setup:
    - name: debug
      debug:
        var: ansible_facts
```
Creating custom facts
A custom fact file in INI format (on the managed host it lives under /etc/ansible/facts.d/ with a .fact extension, here custom.fact, which is why it appears below as ansible_local['custom']):
```ini
[packages]
web_package = httpd
db_package = mariadb-server
[users]
server1 = zs
server2 = xzh
```
The same facts can also be provided in JSON format. The following JSON facts are equivalent to the INI-format facts in the example above. The JSON data can be stored in a static text file or written to standard output by an executable script:
```json
{
  "packages": {
    "web_package": "httpd",
    "db_package": "mariadb-server"
  },
  "users": {
    "server1": "zs",
    "server2": "xzh"
  }
}
```
Custom facts are used in a playbook in the same way as the default facts:
```yaml
---
- hosts: all
  tasks:
    - name: Prints various Ansible facts
      debug:
        msg: >
          The package to install on {{ ansible_facts['fqdn'] }}
          is {{ ansible_facts['ansible_local']['custom']['packages']['web_package'] }}
```
Using magic variables
Some variables are neither facts nor configured through the setup module, yet are still set automatically by Ansible. These magic variables can also be used to obtain information about a specific managed host.
The four most commonly used are:
- hostvars: contains the variables of the managed hosts and can be used to read the value of a variable belonging to another managed host. If facts have not yet been gathered for that host, hostvars will not contain that host's facts.
- group_names: lists all groups the current managed host belongs to.
- groups: lists all groups and hosts in the inventory.
- inventory_hostname: contains the host name of the current managed host as configured in the inventory. For various reasons it may differ from the host name reported by facts.
Loops
Loops are an essential feature of every language. Ansible offers many ways to loop, but don't worry: the loops we commonly use fall into just a few categories, and below we summarize the ones used most often.
Standard loop
```
[root@localhost ansible]# vim pbook.yml
[root@localhost ansible]# cat pbook.yml
---
- hosts: 192.168.145.163
  remote_user: root
  tasks:
    - name: create_user
      user: name={{ item }}
      with_items:
        - user1
        - user2
        - user3
[root@localhost ansible]# ansible-playbook pbook.yml
PLAY [192.168.145.163] **************************************************************
TASK [Gathering Facts] **************************************************************
ok: [192.168.145.163]
TASK [create_user] ******************************************************************
changed: [192.168.145.163] => (item=user1)
changed: [192.168.145.163] => (item=user2)
changed: [192.168.145.163] => (item=user3)
PLAY RECAP **************************************************************************
192.168.145.163 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
Check whether nginx is already running before deciding whether to run the start command
Write the playbook file:
```
[root@localhost ansible]# vim start_nginx.yml
[root@localhost ansible]# cat start_nginx.yml
---
- hosts: 192.168.145.163
  tasks:
    - name: "获取nginx运行状态"
      shell: ss -ntl | grep -wc 80 || true
      register: port
    - name: "启动nginx"
      shell: /usr/local/nginx/sbin/nginx
      when: port.stdout == "0"
```
The first task counts listening sockets on port 80 (the `|| true` keeps a zero count from failing the task) and registers the result; the second task only starts nginx when that count is "0".
Run the playbook file:
```
[root@localhost ansible]# ansible-playbook start_nginx.yml
PLAY [192.168.145.163] **************************************************************
TASK [Gathering Facts] **************************************************************
ok: [192.168.145.163]
TASK [获取nginx运行状态] ******************************************************************
changed: [192.168.145.163]
TASK [启动nginx] **********************************************************************
skipping: [192.168.145.163]
PLAY RECAP **************************************************************************
192.168.145.163 : ok=2 changed=1 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
```
Verify:
```
[root@localhost ansible]# ansible 192.168.145.163 -m shell -a "netstat -nltp|grep -w 80"
192.168.145.163 | CHANGED | rc=0 >>
tcp6 0 0 :::80 :::* LISTEN 24105/httpd
```
Note that the check tests the port rather than the process: the start task is skipped whenever anything is bound to port 80, and in the verification above that listener is httpd, not nginx.