-
第五章、ansible变量配置与机密
有些事你会觉得很难,但经历过一切皆记忆
1、ansible变量的由来
Ansible支持利用变量来存储值,并在Ansible项目的所有文件中重复使用这些值。这可以
简化项目的创建和维护,并减少错误的数量。
通过变量,可以轻松地在Ansible项目中管理给定环境的动态值。例如,变量可能包含下面这些值:
• 要创建的用户
• 要安装的软件包
• 要重新启动的服务
• 要删除的文件
• 要从互联网检索的存档定义变量规则:由字母/数字/下划线(必须有其中的两组)组成,变量需要以字母开头,ansible内置的关键字不能作为变量名
变量中的优先级:
ansible中,可以将变量简化为三个范围优先级- Global范围(高):从命令行和ansible配置设置的变量,也就是在命令中自定义变量或者在ansible配置文件设置的变量
例:
//定义的aa变量 vars: - aa: 11 //使用变量输出 debug: msg: "{{ aa }}"- 1
- 2
- 3
- 4
- 5
- 6
- 7
- play范围(中):在play和相关结构中设置的变量,在文件中提前定义好方便我们直接使用
[student@server ansible]$ cat bl.yml - aa: 11 - bb: 22 - cc: a1: c31 a2: c32- 1
- 2
- 3
- 4
- 5
- 6
- Host范围(低):inventory(主机清单中)、facts或register(注册表将输出的结果在循环到另一个值)的变量,在主机组和个别主机上设置的变量
//类似于这种 [student@server ansible]$ cat inventory node1 node2 node3- 1
- 2
- 3
- 4
- 5
==三个范围的变量优先级依次降低,如果变量重复定义,则以优先级高的为准 ==
注册和定义变量的各种方式
ansible中定义变量的方式有很多种,大致有:
(1) 将模块的执⾏结果注册为变量;(注册变量)
(2) 直接定义字典类型的变量;
(3) role中⽂件内定义变量;
(4) 命令⾏传递变量;(在执行playbook的时候自定义变量)
(5) 借助with_items(循环中的多个结果)迭代将多个task的结果赋值给⼀个变量;
(6) inventory中的主机或主机组变量;
(7) 内置变量。2、vars命令行定义变量
[student@server ansible]$ cat test.yml --- - name: test hosts: node1 vars: aa: 11 bb: 22 cc: c1: 33 c2: 44 tasks: - name: debug1 debug: msg: "{{ aa }}" - name: debug2 debug: msg: "{{ bb }}" - name: debug3 debug: msg: "{{ cc }}" - name: debug4 debug: msg: "{{ cc.c1 }}" - name: debug5 debug: msg: "{{ cc.c2 }}" //测试语法是否有错误。 [student@server ansible]$ ansible-playbook --syntax-check test.yml playbook: test.yml //结果 [student@server ansible]$ ansible-playbook test.yml PLAY [test] *************************************************************************** TASK [Gathering Facts] **************************************************************** ok: [node1] TASK [debug1] ************************************************************************* ok: [node1] => { "msg": 11 } TASK [debug2] ************************************************************************* ok: [node1] => { "msg": 22 } TASK [debug3] ************************************************************************* ok: [node1] => { "msg": { "c1": 33, "c2": 44 } } TASK [debug4] ************************************************************************* ok: [node1] => { "msg": "33" } TASK [debug5] ************************************************************************* ok: [node1] => { "msg": "44" } PLAY RECAP **************************************************************************** node1 : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
3、Vars_files文件定义变量
//自定义文件 [student@server ansible]$ cat var.yml aa: 11 bb: 22 cc: c1: 33 c2: 44 [student@server ansible]$ cat test.yml --- - name: test hosts: node1 vars_files: //指定变量文件位置 - /home/student/ansible/var.yml tasks: - name: debug1 debug: msg: "{{ aa }}" - name: debug2 debug: msg: "{{ bb }}" - name: debug3 debug: msg: "{{ cc }}" - name: debug4 debug: msg: "{{ cc.c1 }}" - name: debug5 debug: msg: "{{ cc.c2 }}" //6处ok没问题了 [student@server ansible]$ ansible-playbook test.yml PLAY RECAP **************************************************************************** node1 : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
4、register注册变量
使⽤register选项,可以将当前task的输出结果赋值给⼀个变量。
[root@server ansible]# cat test.yaml --- - name: test a playbook hosts: node1 tasks: - name: shell shell: "cat /tmp/zz" //此时查看/tmp/zz内容 register: zz //前面执行成功则返回“zz”作为变量 - name: create debug debug: var: zz //将此作为变量输出结果 [root@server ansible]# ansible-playbook test.yaml PLAY [test a playbook] ********************************************************* TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [shell] ******************************************************************* changed: [node1] TASK [create debug] ************************************************************ ok: [node1] => { //显示使用变量/zz这个文件的详细信息 "zz": { "changed": true, "cmd": "cat /tmp/zz", "delta": "0:00:00.005195", "end": "2020-07-29 10:06:17.704232", "failed": false, "rc": 0, "start": "2020-07-29 10:06:17.699037", "stderr": "", "stderr_lines": [], "stdout": "zz", "stdout_lines": [ "zz" ] } } PLAY RECAP ********************************************************************* node1 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
其中name: create debug
debug:
var: zz 也可以使用msg:"{{ zz.rc }}"来指定想看的某一项[root@server ansible]# cat test.yaml --- - name: test a playbook hosts: node1 tasks: - name: shell shell: "cat /tmp/zz" register: zz - name: create debug debug: msg: "{{ zz.rc }}" [root@server ansible]# ansible-playbook test.yaml PLAY [test a playbook] ********************************************************* TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [shell] ******************************************************************* changed: [node1] TASK [create debug] ************************************************************ ok: [node1] => { "msg": "0" } PLAY RECAP ********************************************************************* node1 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
5、set_fact定义变量(事实变量也就是本机自带的变量)
set_fact和register的功能很相似,也是将值赋值给变量。它更像shell中变量的赋值⽅式,可以将某个变量的值赋值给另⼀个变量,也可以将字符串赋值给变量
通过ansible node1 -m setup 可以查询node1主机所有的事实变量
[student@server ansible]$ ansible node1 -m setup | wc -l 854 [student@server ansible]$ ansible node1 -m setup > a [student@server ansible]$ vim a node1 | SUCCESS => { //标识属于第一个大标题 "ansible_facts": { "ansible_all_ipv4_addresses": [ //属于第一个变量的值 "192.168.47.20" //变量所表示的内容 ],- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
而一般我们所找的合格域名,有以下几个:
- IP地址:
/address进行搜索 //这里是主机通信指向变量,可以以`ipv4.address` 为变量 "hw_timestamp_filters": [], "ipv4": { "address": "192.168.47.20", "broadcast": "192.168.47.255", "netmask": "255.255.255.0", "network": "192.168.47.0" //在往上翻找到属于自己的子变量(也就是自己的网卡) "ansible_ens32": { "active": true, "device": "ens32",- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
调用时就可写成变量
ansible_ens160.ipv4.address但是需要注意一个事,当我们拥有
多个客户端进行通信时每个客户端网卡不一样,依靠这样找岂不是很费力可以使用网卡的默认变量:
ansible_default_ipv4.address不过还是得注意下里面的内容,防止空值
-
fqdn(完全合格域名,主机名称和域名):
ansible_fqdn -
hostname:ansible_hostname
-
bios(版本):ansible_bios_version
-
mem(内存大小): ansible_memtotal_mb
-
sda(查找磁盘大小): ansible_devices.sda.size
查找事实变量方法:
//模拟域名
[root@server ansible]# cat test.yaml --- - name: test a playbook hosts: node1 tasks: - name: hostname debug: msg: "{{ ansible_fqdn }}" [root@server ansible]# ansible-playbook test.yaml PLAY [test a playbook] ********************************************************* TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [hostname] **************************************************************** ok: [node1] => { "msg": "node1.example.com" } PLAY RECAP ********************************************************************* node1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
//模拟网卡变量
Vim cy.yml --- - name: abc hosts: node1 tasks: - name: test debug: msg: the ipv4 address of {{ansible_nodename}} is {{ansible_ens160.ipv4.address}} [root@server ansible]# ansible-playbook cy.yml PLAY [abc] ********************************************************************* TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [test] ******************************************************************** ok: [node1] => { "msg": "the ipv4 address of node1.example.com is 172.16.30.10" } PLAY RECAP ********************************************************************* node1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
通过命令传入变量
[root@server ansible]# cat d.yml --- - name: test4 hosts: node1 tasks: - name: create debug debug: msg: my name is {{name1}} - name: create debug2 debug: msg: my name is {{name2}} [root@server ansible]# ansible-playbook d.yml -e 'name1=tom name2=marry' PLAY [test4] ******************************************************************* TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create debug] ************************************************************ ok: [node1] => { "msg": "my name is tom" } TASK [create debug2] *********************************************************** ok: [node1] => { "msg": "my name is marry" } PLAY RECAP ********************************************************************* node1 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
6、 主机清单中的变量
[root@server ansible]# Vim /etc/ansible/hosts node1 node2 [net] //代表可以访问两台node node1 node2 [net:vars] //定义变量时 vars1= 'hello' vars2= 'hi' Vim /etc/ansible/e.yml --- - name: test5 hosts: node1 tasks: - name: create debug1 debug: msg: say "{{ vars1 }}" - name: create debug2 debug: msg: say "{{ vars2 }}" [root@server ansible]# ansible-playbook e.yml PLAY [test5] ******************************************************************* TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create debug1] *********************************************************** ok: [node1] => { "msg": "say hello" } TASK [create debug2] *********************************************************** ok: [node1] => { "msg": "say hi" } PLAY RECAP ********************************************************************* node1 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
除了可以在主机清单里定义变量外,还可以在/etc/ansible目录下创建group_vars和host_vars目录下定义变量
例子:
//创建两个存在的主机文件,判断其谁更优先[root@server ansible]# cd /etc/ansible/ [root@server ansible]# Mkdir host_vars [root@server ansible]# cd host_vars [root@server ansible]# Vim node1 Vars1: groupvars1 Vars2: groupvars2 [root@server ansible]# Vim node1.yml Vars1: abc Vars2: bcd [root@server ansible]# Cd /etc/ansible/ Vim b.yml --- - name: test hosts: node1 tasks: - name: create debug debug: msg: my name is {{vars1}} - name: create debug2 debug: msg: my name is {{vars2}} ~ [root@server ansible]# ansible-playbook b.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create debug] ************************************************************ ok: [node1] => { "msg": "my name is groupvars1" } TASK [create debug2] *********************************************************** ok: [node1] => { "msg": "my name is groupvars2" } PLAY RECAP ********************************************************************* node1 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
删除/etc/ansible/host_vars/node1 保留/etc/ansible/host_vars/node1.yml,再次执行playbook
[root@server ansible]# ansible-playbook b.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create debug] ************************************************************ ok: [node1] => { "msg": "my name is abc" } TASK [create debug2] *********************************************************** ok: [node1] => { "msg": "my name is bcd" } PLAY RECAP ********************************************************************* node1 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
由此验证得知:在/etc/ansible/host_vars目录中,node1文件名以主机命名,还可以命名为node1.yml,如果node1与node1.yml同时存在,则node1的优先级更高
7、 内置变量ansible_version(版本)
Vim a.yml --- - name: test hosts: node1 tasks: - name: create debug debug: msg: "{{ansible_version}}" [root@server ansible]# ansible-playbook a.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create debug] ************************************************************ ok: [node1] => { "msg": { "full": "2.9.18", "major": 2, "minor": 9, "revision": 18, "string": "2.9.18" } } PLAY RECAP ********************************************************************* node1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
8、内置变量inventory_hostname(定义主机)
清单里面写的是什么匹配的就是什么内容。
--- - name: test hosts: node1 tasks: - name: create debug debug: msg: "{{inventory_hostname}}" [root@server ansible]# ansible-playbook a.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create debug] ************************************************************ ok: [node1] => { "msg": "node1" } PLAY RECAP ********************************************************************* node1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
9、内置变量play_hosts
变量将会自动匹配主机组的主机值
[student@server ansible]$ vim a [net] node1 node2 [root@server ansible]# cat a.yml ```sql --- - name: test hosts: net tasks: - name: create debug debug: msg: "{{play_hosts}}" [root@server ansible]# ansible-playbook a.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] ok: [node2] TASK [create debug] ************************************************************ ok: [node1] => { "msg": [ "node1", "node2" ] } ok: [node2] => { "msg": [ "node1", "node2" ] } PLAY RECAP ********************************************************************* node1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 node2 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
10、内置变量groups
将主机清单中所有组匹配出来
--- - name: test hosts: node1 tasks: - name: create debug debug: msg: "{{ groups }}" [root@server ansible]# ansible-playbook a.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create debug] ************************************************************ ok: [node1] => { "msg": { "all": [ "node1", "node2" ], "net": [ "node1", "node2" ], "ungrouped": [] } } PLAY RECAP ********************************************************************* node1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
11、内置变量group_names
匹配出受控主机的主机名
--- - name: test hosts: node1 tasks: - name: create debug debug: msg: "{{group_names}}" [root@server ansible]# ansible-playbook a.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create debug] ************************************************************ ok: [node1] => { "msg": [ "net" ] } PLAY RECAP ********************************************************************* node1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
12、内置变量inventory_dir
查找主机清单的路径
--- - name: test hosts: node1 tasks: - name: create debug debug: msg: "{{ inventory_dir }}" [root@server ansible]# ansible-playbook a.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create debug] ************************************************************ ok: [node1] => { "msg": "/etc/ansible" } PLAY RECAP ********************************************************************* node1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
13、With_items叠加变量—可以给一个变量赋予多个值
//就是批量对多个值输出内容
//第一个小测试Vim d.yml - name: abc shell: cmd: echo "{{ item }}" with_items: - haha - heihei - hehe register: hi_var - name: debug1 debug: msg: "{{ hi_var }}" [root@server ansible]# ansible-playbook d.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [abc] ********************************************************************* changed: [node1] => (item=haha) changed: [node1] => (item=heihei) changed: [node1] => (item=hehe) TASK [debug1] ****************************************************************** ok: [node1] => { "msg": { "changed": true, "msg": "All items completed", "results": [ //这里所输出三个数据保存的父值是在这里的 { "ansible_loop_var": "item", "changed": true, "cmd": "echo \"haha\"", "delta": "0:00:00.003206", "end": "2021-04-09 00:36:52.433624", "failed": false, "invocation": { "module_args": { "_raw_params": "echo \"haha\"", "_uses_shell": true, "argv": null, "chdir": null, "creates": null, "executable": null, "removes": null, "stdin": null, "stdin_add_newline": true, "strip_empty_ends": true, "warn": true } }, "item": "haha", "rc": 0, "start": "2021-04-09 00:36:52.430418", "stderr": "", "stderr_lines": [], "stdout": "haha", "stdout_lines": [ "haha" ] }, { "ansible_loop_var": "item", "changed": true, "cmd": "echo \"heihei\"", "delta": "0:00:00.002276", "end": "2021-04-09 00:36:52.676159", "failed": false, "invocation": { "module_args": { "_raw_params": "echo \"heihei\"", "_uses_shell": true, "argv": null, "chdir": null, "creates": null, "executable": null, "removes": null, "stdin": null, "stdin_add_newline": true, "strip_empty_ends": true, "warn": true } }, "item": "heihei", "rc": 0, "start": "2021-04-09 00:36:52.673883", "stderr": "", "stderr_lines": [], "stdout": "heihei", "stdout_lines": [ "heihei" ] }, { "ansible_loop_var": "item", "changed": true, "cmd": "echo \"hehe\"", "delta": "0:00:00.002589", "end": "2021-04-09 00:36:52.920442", "failed": false, "invocation": { "module_args": { "_raw_params": "echo \"hehe\"", "_uses_shell": true, "argv": null, "chdir": null, "creates": null, "executable": null, "removes": null, "stdin": null, "stdin_add_newline": true, "strip_empty_ends": true, "warn": true } }, "item": "hehe", "rc": 0, "start": "2021-04-09 00:36:52.917853", "stderr": "", "stderr_lines": [], "stdout": "hehe", "stdout_lines": [ "hehe" ] } ] } } PLAY RECAP ********************************************************************* node1 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
//给数值做指定变量
Vim c.yml - name: test hosts: node1 tasks: - name: abc shell: cmd: echo "{{ item }}" //使用循环则用item with_items: - haha - heihei - hehe register: hi_var //hi_var做返回值 - name: debug1 //截取变量 debug: var: hi_var.results[0].stdout //0代表输出第一个值 - name: debug2 debug: var: hi_var.results[1].stdout - name: debug3 debug: var: hi_var.results[2].stdout [root@server ansible]# ansible-playbook c.yml PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [abc] ********************************************************************* changed: [node1] => (item=haha) changed: [node1] => (item=heihei) changed: [node1] => (item=hehe) TASK [debug1] ****************************************************************** ok: [node1] => { "hi_var.results[0].stdout": "haha" } TASK [debug2] ****************************************************************** ok: [node1] => { "hi_var.results[1].stdout": "heihei" } TASK [debug3] ****************************************************************** ok: [node1] => { "hi_var.results[2].stdout": "hehe" } PLAY RECAP ********************************************************************* node1 : ok=5 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
13、管理机密
-
Ansible可能需要访问密码或者API密钥等敏感数据,以便配置受控主机。通常,此信息可能以纯文本形式存储在清单变量或其他ansible文件中。但若如此,任何有权访问ansible文件的用户或者存储这些ansible文件的版本控制系统都能够访问此敏感数据。这显然存在安全风险。
-
使用ansible随附的ansible-vault 可以加密和解密任何由ansible使用的结构化数据文件。若要使用ansible-vault,可通过一个名为ansible-vault的命令行工具创建、编辑、加密、解密和查看文件。Ansible-vault可以加密任何由ansible使用的结构化数据文件。这可能包括清单变量、playbook中含有的变量文件、在执行playbook时作为参数传递的变量文件,或者ansible角色中定义的变量。
创建加密的文件,直接创建一个
使用ansible-vault create 命令(自定义创建一个)
ansible-vault create test.yml默认使用vi编辑,需注意的是里面的格式需要自己手写
[student@server ansible]$ ansible-vault create test.yml 输入密码:redhat 确认密码:redhat --- //直接进来 - name: test1 hosts: node1 tasks: - name: create user2 user: name: user2 state: present 默认使用ansile-playbook test.yml会执行失败 [root@server ansible]# ansible-playbook test.yml ERROR! Attempting to decrypt but no vault secrets found 需要添加 `view`查看加密的文件 ```sql [root@server ansible]# ansible-vault view test.yml Vault password: 输入设置的密码redhat --- - name: test1 hosts: node1 tasks: - name: create user2 user: name: user2 state: present 编辑现有的加密文件 [root@server ansible]# ansible-vault edit test.yml 加密现有的文件,也就是自己手动提前添加的在进行加密,这样就不会对格式有限制 [root@server ansible]# Ansible-vault encrypt a.yml 输入密码:redhat 确认密码:redhat- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
解密现有的文件
现有的加密文件可以通过ansible-vaultdecryptfilename命令永久解密。在解密单个文件时,可使用--output选项以其他名称保存解密文件。1、直接解密, [root@server ansible]# ansible-vault decrypt test.yml 2、解密文件并存放为其他名称,原文件仍然处于加密状态(其中原文件a.yml仍处于加密状态,a-secret.yml处于解密状态) [root@server ansible]# ansible-vault decrypt a.yml --output=a-secret.yml 重置密码 更改加密文件的密码 ansible-vault rekey filename命令可以修改 [root@server ansible]# ansible-vault rekey a.yml 输入旧密码 输入新密码 确认新密码- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
前面说到了加密后的文件直接用
playbook执行会报错,那么该使用什么命令呢?
使用选项--vault-id @prompt或者--ask-vault-pass都可以
//一种方法[root@server ansible]# ansible-playbook --vault-id @prompt a.yml Vault password (default): PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create user1] ************************************************************ changed: [node1] PLAY RECAP ********************************************************************* node1 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 //二种方法 [root@server ansible]# ansible-playbook --ask-vault-pass a.yml -C Vault password: PLAY [test] ******************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] TASK [create user1] ************************************************************ changed: [node1] PLAY RECAP ********************************************************************* node1 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
最简单
还可以将密码手动添加的配置文件中,运行时直接调用里面的文件,可以自动匹配
[root@server ansible]# vim pass redhat //给与权限 chmod 600 pass //使用`--vault-id`对其加密并将密钥保存到`pass文件中` [root@server ansible]# ansible-vault encrypt a.yml --vault-id pass //在此执行则不用输入密码了 [root@server ansible]# ansible-playbook a.yml --vault-id pass- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
红帽CE模拟题(一)
- 在ansible节点中新建/home/student/ansible/hwreport.empty的文件,文件内容为
hostname: inventory_hostname
mem: memory_in_MB
bios: BIOS_version
sda: disk_sda_size
[student@server ansible]$ cat hweeport.empty hostname: inventory_hostname men: memory_in_MB bios: BIOS_version sda: disk_sda_size- 1
- 2
- 3
- 4
- 5
- 创建一个名为 /home/student/ansible/hwreport.yml的
playbook,它将在所有受管节点上生成含有以下信息的输出文件 /root/hwreport.txt:
输出文件中的每一行含有一个 key=value 对。
您的 playbook 应当:
从 ansible节点中复制hwreport.empty文件到每台受控主机,并将它保存为/root/hwreport.txt
使用正确的值修改 /root/hwreport.txt
然后将/home/student/ansible/hwreport.yml这个playbook进行加密,加密的密码保存在/home/student/ansible/pass文件中,密码为abcdefg
执行该playbook,实现需求
[root@server ~]# for i in node1 node2 node3 > do scp hwreport.txt root@$i:/root/. > done hwreport.txt 100% 0 0.0KB/s 00:00 hwreport.txt 100% 0 0.0KB/s 00:00 hwreport.txt 100% 0 0.0KB/s 00:00 //定义的主机清单变量 [student@server ansible]$ cat hweeport.empty hostname: inventory_hostname men: memory_in_MB bios: BIOS_version sda: disk_sda_size //编写,使用replace文本正则表达式替换数据 [student@server ansible]$ cat hwreport.yml --- - name: get file hosts: all tasks: - name: get inventory_hostname replace: path: /root/hwreport.txt regexp: inventory_hostname replace: "{{ inventory_hostname }}" - name: get mem replace: path: /root/hwreport.txt regexp: 'memory_in_MB' replace: "{{ ansible_memtotal_mb }}" - name: get bios replace: path: /root/hwreport.txt regexp: 'BIOS_version' replace: "{{ ansible_bios_version }}" - name: get sda replace: path: /root/hwreport.txt regexp: 'disk_sda_size' replace: "{{ ansible_devices.sda.size }}" //创建密钥 [student@server ansible]$ cat pass abcdefg //设为只允许该用户读 [student@server ansible]$ chmod 600 pass //指定加密运行时只指定pass中 [student@server ansible]$ ansible-vault encrypt hwreport.yml --vault-id pass Encryption successful //验证所有的主机通过变量是否验证成功 [student@server ansible]$ ansible-playbook hwreport.yml --vault-id pass PLAY [get file] **************************************************************** TASK [Gathering Facts] ********************************************************* ok: [node1] ok: [node3] ok: [node2] TASK [get inventory_hostname] ************************************************** ok: [node1] ok: [node3] ok: [node2] TASK [get mem] ***************************************************************** [WARNING]: The value 3704 (type int) in a string field was converted to '3704' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change. ok: [node1] [WARNING]: The value 1785 (type int) in a string field was converted to '1785' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change. ok: [node3] [WARNING]: The value 777 (type int) in a string field was converted to '777' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change. ok: [node2] TASK [get bios] **************************************************************** ok: [node1] ok: [node3] ok: [node2] TASK [get sda] ***************************************************************** ok: [node1] ok: [node3] ok: [node2] PLAY RECAP ********************************************************************* node1 : ok=5 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 node2 : ok=5 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 node3 : ok=5 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
-
相关阅读:
数字通信测量仪器5201数据网络测试仪
向量数据库:新一代的数据处理工具
一例疑似MMCore下载器分析
c语言运算符优先级问题
Vue生产环境调试的方法
Dubbo client can not supported string message
vlan简单实验
在 Idea 中配置远程 tomcat 并部署
JAVA获取中文名字的首字母
猿创征文| NoSQL数据库简介
- 原文地址:https://blog.csdn.net/cxyxt/article/details/127573063
