Ansible asks for the Ansible Vault password of other groups' vars

Date: 2019-02-20 13:33:56

Tags: ansible ansible-2.x ansible-inventory ansible-vault

I have a question about ansible. I have several group_vars folders, and in each of them there is a file encrypted with ansible-vault, using different passwords for prod and test:

├── group_vars
│   ├── app1_prod
│   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   └── service.yml
│   ├── app1_test
│   │   ├── application.yml <- Encrypted by Ansible Vault test pass
│   │   └── service.yml
│   ├── app2_prod
│   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   └── service.yml
│   └── app2_test
│       ├── application.yml <- Encrypted by Ansible Vault test pass
│       └── service.yml

My inventory file looks like this:

[test_hosts]
test_host1
test_host2

[prod_hosts]
prod_host1
prod_host2

[app1_test:children]
test_hosts

[app2_test:children]
test_hosts

[app1_prod:children]
prod_hosts

[app2_prod:children]
prod_hosts

When I run the playbook command:

ansible-playbook app1_playbook.yml -i ./inventory/hosts -l app1_test -u ssh_user -k --vault-password-file path_to_vault_key 

I get an error saying the password for the file is wrong, and it points at the file in the prod group and other groups:

Decryption failed on ansible/group_vars/app1_prod/application.yml

I don't know how to fix this.

1 answer:

Answer 0 (score: 0)

Personally I think your inventory structure is a bad idea. I don't tolerate PROD and TEST servers in the same inventory, and I don't see any good reason for it.

I would restructure your system like this:

├── prod
│   ├── ansible.cfg
│   ├── group_vars
│   │   ├── app1
│   │   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   │   └── service.yml
│   │   ├── app2
│   │   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   │   └── service.yml
├── test
│   ├── ansible.cfg
│   ├── group_vars
│   │   ├── app1
│   │   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   │   └── service.yml
│   │   ├── app2
│   │   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   │   └── service.yml

And of course two hosts files:

prod:

[hosts]
prod_host1
prod_host2

[app1:children]
hosts

[app2:children]
hosts

test:

[hosts]
test_host1
test_host2

[app1:children]
hosts

[app2:children]
hosts

In each inventory directory, have an ansible.cfg file with the lines:

inventory      = .
vault_password_file = /path/to/vault_password_file
remote_user = ssh_user
ask_pass = True

(Best to copy /etc/ansible/ansible.cfg into the inventory directory and change what needs changing.)

Once that is set up, cd into the prod/test directory and run the playbook from there. Of course, you need to specify the path to the playbook:

cd prod
ansible-playbook /path/to/playbooks/app_playbook.yml

cd test
ansible-playbook /path/to/playbooks/app_playbook.yml

Believe me, separating the inventories makes life much easier.

Good luck!
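The failure in the question comes from Ansible loading group_vars/<group>/ for every group defined in the inventory, not only the groups selected with -l, so the prod vault file is opened even when only app1_test is targeted. The following script is an added example, not code from the question or the answer: it parses an INI inventory (YAML inventories are not handled), walks group_vars/, recognises vault envelopes by their header line ($ANSIBLE_VAULT;1.1;AES256, or $ANSIBLE_VAULT;1.2;AES256;<label> when a vault-id was used) and reports, per group, the encrypted files one run would have to decrypt. It reads only the header, so it never needs a vault password. The two layouts it builds in a temporary directory reproduce the question's single inventory and the answer's prod/ and test/ split; the "vault" bodies it writes are constructed dummies with a genuine header and a meaningless hex payload and cannot be decrypted. All file and group names are taken from the post above; the script name vault_audit.py and the helper names are my own.

```python
"""Audit which Ansible Vault files an inventory will force Ansible to decrypt.

Added example; not part of the original question or answer.  Ansible loads
group_vars/<group>/ for every group the inventory defines, whatever --limit
says, so every vault-encrypted file under those directories must open with
the vault password(s) supplied on the command line.
"""
import re
import tempfile
from pathlib import Path

# Real vault envelope header: version 1.1 has no label, 1.2 carries the vault-id label.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);AES256(?:;(?P<label>.+))?$")
# INI inventory section: [name], [name:children] or [name:vars].
SECTION = re.compile(r"^\[(?P<name>[^\]:]+)(?::(?P<kind>children|vars))?\]$")


def inventory_groups(text: str) -> set:
    """Return every group name an INI inventory defines or references."""
    groups = {"all"}  # implicit group; group_vars/all is always loaded
    kind = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            groups.add(m.group("name"))
            kind = m.group("kind")
        elif kind == "children":
            groups.add(line)  # entries of [x:children] are group names
    return groups


def vault_info(path: Path):
    """Return (version, label) for a vault envelope, or None for a plaintext file."""
    with path.open(encoding="utf-8") as fh:
        first = fh.readline().rstrip("\r\n")
    m = VAULT_HEADER.match(first)
    return (m.group("version"), m.group("label")) if m else None


def audit(inventory: Path, group_vars: Path) -> dict:
    """Map each inventory group to the encrypted files under its group_vars."""
    report = {}
    for group in sorted(inventory_groups(inventory.read_text(encoding="utf-8"))):
        gdir = group_vars / group
        if gdir.is_dir():
            files = sorted(p for p in gdir.iterdir() if p.is_file())
        else:  # the group_vars/<group>.yml single-file form
            single = group_vars / f"{group}.yml"
            files = [single] if single.is_file() else []
        encrypted = []
        for p in files:
            info = vault_info(p)
            if info:
                encrypted.append((p.name, *info))
        if encrypted:
            report[group] = encrypted
    return report


def labels_required(report: dict) -> set:
    """Vault-id labels a run needs; None stands for an unlabeled 1.1 file, which
    must open with the single --vault-password-file secret."""
    return {label for files in report.values() for _, _, label in files}


def write_fake_vault(path: Path, label=None) -> None:
    """Constructed fixture: real header line, dummy hex body (not decryptable)."""
    header = f"$ANSIBLE_VAULT;1.2;AES256;{label}" if label else "$ANSIBLE_VAULT;1.1;AES256"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(header + "\n" + "61" * 40 + "\n", encoding="utf-8")


def build_question_layout(root: Path) -> Path:
    """One inventory holding prod and test groups, as in the question."""
    for group in ("app1_prod", "app1_test", "app2_prod", "app2_test"):
        write_fake_vault(root / "group_vars" / group / "application.yml")
        (root / "group_vars" / group / "service.yml").write_text("port: 8080\n")
    hosts = root / "hosts"
    hosts.write_text(
        "[test_hosts]\ntest_host1\ntest_host2\n\n[prod_hosts]\nprod_host1\nprod_host2\n\n"
        "[app1_test:children]\ntest_hosts\n\n[app2_test:children]\ntest_hosts\n\n"
        "[app1_prod:children]\nprod_hosts\n\n[app2_prod:children]\nprod_hosts\n"
    )
    return hosts


def build_answer_layout(root: Path) -> dict:
    """Separate prod/ and test/ inventory directories, as in the answer."""
    out = {}
    for env in ("prod", "test"):
        for app in ("app1", "app2"):
            write_fake_vault(root / env / "group_vars" / app / "application.yml")
        hosts = root / env / "hosts"
        hosts.write_text(f"[hosts]\n{env}_host1\n{env}_host2\n\n[app1:children]\nhosts\n\n[app2:children]\nhosts\n")
        out[env] = hosts
    return out


def demo() -> dict:
    """Build both layouts and return the groups each inventory forces Ansible to decrypt."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hosts = build_question_layout(root / "question")
        result = {"question": sorted(audit(hosts, hosts.parent / "group_vars"))}
        for env, hosts in build_answer_layout(root / "answer").items():
            result[f"answer/{env}"] = sorted(audit(hosts, hosts.parent / "group_vars"))
    return result


if __name__ == "__main__":
    for layout, groups in demo().items():
        print(f"{layout}: vault files needed for groups {groups}")
```

With the question's layout the audit lists all four groups no matter which one -l selects, which is exactly why one --vault-password-file cannot satisfy the run; with the answer's split, each directory only ever references groups encrypted with that environment's password. Two practical points when adopting the answer's ansible.cfg: keep the vault_password_file outside the repository with mode 0600, and remember that Ansible ignores an ansible.cfg found in a world-writable current directory, so a cd into a directory with loose permissions silently drops the inventory and vault settings.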