我还在学习厨师。我已经引导并将我的服务器模板上传到远程存储库。但我想知道将nodes目录添加到remote存储库是否安全,因为它包含确切的服务器passwords
这是一个示例节点
{
"environment":"production",
"authorization": {
"sudo": {
// The password for the depliy user is set in data_bags/users/deploy.json
// and should be generated using:
// openssl passwd -1 "plaintextpassword"
"users": ["deploy", "vagrant"]
}
},
"vagrant" : {
"exclusions" : [],
"name" : "rails-postgres-redis1",
"ip" : "192.168.50.4"
},
"rbenv":{
"rubies": [
"2.1.2"
],
"global" : "2.1.2",
"gems": {
"2.1.2" : [
{"name":"bundler"}
]
}
},
"monit": {
"notify_emails" : ["email@example.com"],
"enable_emails" : false,
"web_interface" : {
// the plaintext monit username and password
"allow" : ["your_username","your_password"]
},
"mailserver" : {
"host" : "mailserver.example.com",
"port" : "999",
"username" : "your_username",
"password" : "your_password",
"hostname" : "the_hostname"
}
},
"postgresql" : {
"password" : {
// this should be generated with:
// openssl passwd -1 "plaintextpassword"
// currently test
"postgres" : "$1$mMK9HNoN$r42n7Q8fKsZabbknlT1Zt1"
}
},
"run_list":
[
"role[server]",
"role[nginx-server]",
"role[postgres-server]",
"role[rails-app]",
"role[redis-server]",
]
}
由于密码可见,这样添加是否安全?
如果它应该在gitignore然后在稍后阶段如果我们从远程仓库克隆那么我们需要从头开始引导服务器,因为没有节点目录存在吗?
有更好的方法还是我错过了什么?
答案 0 :(得分:1)
您不需要复制节点json文件来引导节点。安全数据应来自Chef Vault / Hashicorp Vault /任何其他安全存储。非机密数据可以是配方/包装配方/角色/环境/等的一部分,其可以存储在存储库中。如果您确实拥有特定于单个节点的数据,则可以在引导过程中使用-j传递它们。