Create a Vault file containing two variables:
pw_developer: imadev
pw_manager: imamgr
The password used to encrypt this file is redhat.
This password is stored in: ~/ansible/secret.txt
[student@workstation ansible]$ echo redhat > secret.txt
[student@workstation ansible]$ chmod 600 secret.txt
[student@workstation ansible]$ ansible-vault --vault-password-file=secret.txt create locker.yml
pw_developer: imadev
pw_manager: imamgr
[student@workstation ansible]$ ansible-vault --vault-password-file=secret.txt view locker.yml
pw_developer: imadev
pw_manager: imamgr
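Before a vars file like locker.yml is committed or shared, it is worth confirming, without needing the vault password, that it really is vault-encrypted and that the password file is owner-only. The following script is an added example for that purpose; it is not part of the original lab notes or of Ansible itself. It relies only on the documented vault 1.1/1.2 file layout (a `$ANSIBLE_VAULT;<version>;AES256` header followed by a hex payload that decodes to `salt_hex\nhmac_hex\nciphertext_hex`); every sample value in it is constructed, and `constructed_vault_text()` builds a structurally valid but meaningless payload that cannot be decrypted.

```python
"""Added example (not from the original lab notes): pre-commit style checks for
the Ansible Vault workflow above. It verifies, without the vault password, that
a vars file is really vault-encrypted and structurally sane, that no pw_* value
is left in plaintext, and that the password file is owner-only (mode 0600).
All sample data below is constructed for the example."""
import binascii
import os
import re
import stat
import tempfile

VAULT_HEADER_PREFIX = "$ANSIBLE_VAULT;"


def parse_vault_header(text):
    """Return {'version', 'cipher', 'vault_id'} for a vault file, or None if the
    first line is not a vault header (e.g. '$ANSIBLE_VAULT;1.1;AES256')."""
    first = text.splitlines()[0] if text.strip() else ""
    if not first.startswith(VAULT_HEADER_PREFIX):
        return None
    parts = first.split(";")
    if len(parts) < 3:
        return None
    return {"version": parts[1], "cipher": parts[2],
            "vault_id": parts[3] if len(parts) > 3 else None}


def vault_payload_lengths(text):
    """The payload is hex; decoded it reads 'salt_hex\\nhmac_hex\\nct_hex'.
    Returns (salt_len, hmac_len, ciphertext_len) in bytes; a well-formed file
    carries a 32-byte salt and a 32-byte HMAC-SHA256."""
    body = "".join(text.splitlines()[1:])
    outer = binascii.unhexlify(body)
    salt_hex, hmac_hex, ct_hex = outer.split(b"\n", 2)
    return tuple(len(binascii.unhexlify(p)) for p in (salt_hex, hmac_hex, ct_hex))


def is_vault_encrypted(text):
    hdr = parse_vault_header(text)
    if hdr is None or hdr["cipher"] != "AES256":
        return False
    try:
        salt_len, hmac_len, _ = vault_payload_lengths(text)
    except (binascii.Error, ValueError):
        return False
    return salt_len == 32 and hmac_len == 32


SECRET_KEY_RE = re.compile(r"^\s*(pw_\w+|\w*password\w*)\s*:", re.IGNORECASE | re.MULTILINE)


def plaintext_secret_keys(text):
    """Keys such as pw_developer that appear unencrypted in a vars file."""
    if is_vault_encrypted(text):
        return []
    return SECRET_KEY_RE.findall(text)


def password_file_problems(path):
    """Findings for a --vault-password-file: a regular, non-empty file that is
    readable by its owner only (chmod 600)."""
    problems = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("readable by group/other (expected mode 0600)")
    if st.st_size == 0:
        problems.append("empty password file")
    return problems


def constructed_vault_text():
    """A structurally valid vault body with made-up salt/HMAC/ciphertext bytes;
    it is NOT real ciphertext and cannot be decrypted."""
    salt, hmac, ct = b"\x11" * 32, b"\x22" * 32, b"\x33" * 48
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, hmac, ct))
    hexbody = binascii.hexlify(inner).decode()
    lines = [hexbody[i:i + 80] for i in range(0, len(hexbody), 80)]  # ansible wraps at 80
    return "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(lines) + "\n"


PLAINTEXT_LOCKER = "pw_developer: imadev\npw_manager: imamgr\n"  # what must never be committed


def demo_password_file_check():
    """Creates a temporary secret file with a loose mode, then with chmod 600,
    and returns the findings for both states."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.txt")
        with open(path, "w") as f:
            f.write("redhat\n")
        os.chmod(path, 0o644)
        loose = password_file_problems(path)
        os.chmod(path, 0o600)
        tight = password_file_problems(path)
    return loose, tight


if __name__ == "__main__":
    print("encrypted:", is_vault_encrypted(constructed_vault_text()))
    print("plaintext keys:", plaintext_secret_keys(PLAINTEXT_LOCKER))
    print("mode findings:", demo_password_file_check())
```

Run `is_vault_encrypted()` on the real `locker.yml` and `password_file_problems()` on `secret.txt` from a pre-commit hook or CI job; a `pw_*` key reported by `plaintext_secret_keys()` means the file was saved unencrypted and must be re-encrypted before it leaves the workstation.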
The list of user accounts to create is in files/14/user_list.yml; copy it into ~/ansible.
Using the locker.yml from the previous task, create a playbook named users.yml that meets the following requirements:
■ Users whose job description is developer are created on the dev and test host groups; their password comes from the pw_developer variable and their supplementary group is devops.
■ Users whose job description is manager are created on the prod host group; their password comes from the pw_manager variable and their supplementary group is opsmgr.
■ User passwords are stored as SHA512 hashes.
[student@workstation ansible]$ cp ../files/14/user_list.yml .
[student@workstation ansible]$ cat user_list.yml
users:
  - name: bob
    job: developer
  - name: sally
    job: manager
  - name: fred
    job: developer
[student@workstation ansible]$ cat users.yml
---
- name: create user
  hosts: all
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    # groups['dev'] holds inventory names, so the comparison uses inventory_hostname;
    # ansible_hostname is the short hostname reported by the node and need not match
    - name: create group devops
      group:
        name: devops
        state: present
      when: inventory_hostname in groups['dev'] or inventory_hostname in groups['test']
    - name: create group opsmgr
      group:
        name: opsmgr
        state: present
      when: inventory_hostname in groups['prod']
    - name: create user for dev and test
      user:
        name: "{{ item.name }}"
        groups: devops
        password: "{{ pw_developer | password_hash('sha512') }}"
      loop: "{{ users }}"
      when: ( inventory_hostname in groups['dev'] or inventory_hostname in groups['test'] ) and item.job == 'developer'
    - name: create user for prod
      user:
        name: "{{ item.name }}"
        groups: opsmgr
        password: "{{ pw_manager | password_hash('sha512') }}"
      loop: "{{ users }}"
      when: inventory_hostname in groups['prod'] and item.job == 'manager'
[student@workstation ansible]$ ansible-playbook users.yml --vault-password-file=secret.txt
[student@workstation ansible]$ ansible dev,test -m shell -a 'id bob;id fred'
[student@workstation ansible]$ ansible prod -m shell -a 'id sally'
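`id` only proves the accounts and group membership exist; it says nothing about how the password was stored. The script below is an added example, not part of the original lab notes, that audits `/etc/shadow`- and `/etc/group`-style lines from a managed host and reports any account whose password field is not a SHA-512 crypt string (the `$6$` scheme `password_hash('sha512')` produces) or that lacks the expected supplementary group. The shadow and group lines in it are constructed sample data with made-up hash bodies; the function names are this example's own.

```python
"""Added example (not part of the original lab notes): verify on a managed host
that the accounts created by users.yml carry SHA-512 crypt hashes and the
expected supplementary group. The /etc/shadow and /etc/group lines below are
constructed sample data with made-up hash strings, not real output."""
import re

CRYPT_SCHEMES = {"$6$": "sha512-crypt", "$5$": "sha256-crypt", "$1$": "md5-crypt",
                 "$y$": "yescrypt", "$2b$": "bcrypt"}
# $6$[rounds=N$]salt$hash  with a 1-16 char salt and an 86-char hash body
SHA512_RE = re.compile(r"^\$6\$(rounds=\d+\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})$")


def hash_scheme(field):
    """Classify the password field of a shadow entry."""
    if field == "":
        return "empty (no password required)"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in CRYPT_SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "unknown/plaintext"


def parse_shadow(lines):
    """name -> password field, from /etc/shadow-style lines."""
    out = {}
    for line in lines:
        parts = line.split(":")
        if len(parts) >= 2:
            out[parts[0]] = parts[1]
    return out


def parse_group(lines):
    """user -> set of supplementary groups, from /etc/group-style lines."""
    members = {}
    for line in lines:
        parts = line.split(":")
        if len(parts) < 4:
            continue
        for user in filter(None, parts[3].split(",")):
            members.setdefault(user, set()).add(parts[0])
    return members


def audit(expected, shadow_lines, group_lines):
    """expected: {user: supplementary group}. Returns {user: [findings]};
    an empty list means the account matches the playbook's requirements."""
    shadow = parse_shadow(shadow_lines)
    groups = parse_group(group_lines)
    findings = {}
    for user, group in expected.items():
        probs = []
        if user not in shadow:
            probs.append("account missing")
        else:
            field = shadow[user]
            scheme = hash_scheme(field)
            if scheme != "sha512-crypt":
                probs.append(f"password scheme is {scheme}, expected sha512-crypt")
            elif not SHA512_RE.match(field):
                probs.append("malformed sha512-crypt string")
        if group not in groups.get(user, set()):
            probs.append(f"not in supplementary group {group}")
        findings[user] = probs
    return findings


# constructed sample: bob is correct; fred has an md5-crypt hash and no devops group
FAKE_SHA512 = "$6$ab12cd34$" + "A" * 86   # made-up hash body, correct length only
SHADOW_SAMPLE = [
    "root:$6$rootsalt$" + "B" * 86 + ":19700:0:99999:7:::",
    "bob:" + FAKE_SHA512 + ":19700:0:99999:7:::",
    "fred:$1$xyz$" + "C" * 22 + ":19700:0:99999:7:::",
]
GROUP_SAMPLE = ["devops:x:1001:bob", "wheel:x:10:"]


def run_demo():
    return audit({"bob": "devops", "fred": "devops"}, SHADOW_SAMPLE, GROUP_SAMPLE)


if __name__ == "__main__":
    for user, probs in run_demo().items():
        print(user, "OK" if not probs else "; ".join(probs))
```

On a real host the input lines would come from something like `ansible dev,test -b -m command -a 'getent shadow bob fred'` (plus `getent group devops`), read from the play output rather than embedded as above; a finding of `md5-crypt` or `unknown/plaintext` means the password filter was not applied as required.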
users.yml can also be written as follows:
---
- name: create user in dev and test
  hosts: dev,test
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    - name: create group devops
      group:
        name: devops
        state: present
    - name: create user for dev and test
      user:
        name: "{{ item.name }}"
        groups: devops
        password: "{{ pw_developer | password_hash('sha512') }}"
      loop: "{{ users }}"
      when: item.job == 'developer'
- name: create user in prod
  hosts: prod
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    - name: create group opsmgr
      group:
        name: opsmgr
        state: present
    - name: create user for prod
      user:
        name: "{{ item.name }}"
        groups: opsmgr
        password: "{{ pw_manager | password_hash('sha512') }}"
      loop: "{{ users }}"
      when: item.job == 'manager'
Test results:
Change the vault password of the expense.yml file, with the following requirements:
[student@workstation ansible]$ cp ../files/15/expense.yml .
[student@workstation ansible]$ ansible-vault view expense.yml
Vault password: #veryimportant
Nothing at all, HeiHei.
[student@workstation ansible]$ ansible-vault rekey expense.yml
Vault password: #veryimportant
New Vault password: #notveryimportant
Confirm New Vault password: #notveryimportant
Rekey successful
[student@workstation ansible]$ ansible-vault view expense.yml
Vault password: #notveryimportant
Nothing at all, HeiHei.