差異處

這裏顯示兩個版本的差異處。

--- tech:ansible [2023/09/03 00:47] – jonathan
+++ tech:ansible [2023/12/29 17:40] (目前版本) – jonathan
@@ 行 44: / 行 44: @@
 </file>
   * 簡單驗證 <cli>
-$ ansible all -i test.yaml --list-hosts
+$ ansible all -i inventory.yaml --list-hosts
   hosts (2):
     aac
@@ 行 87: / 行 87: @@
       when: reboot_required_file.stat.exists
 </file>
-  * 執行命令 <cli>
+  * 驗證執行命令(**加上 --check**) <cli>
 ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check
 </cli>執行結果<cli>
@@ 行 123: / 行 123: @@
 </cli>
+===== 常見問題 =====
+==== 1. 如何對 ansible_ssh_pass 這類登入密碼進行加密 ====
+  * 使用 ansible-vault encrypt_string 登入密碼 --ask-vault-pass 方式來對要保護的密碼 Exp. MyPassword 產生加密, 並以 KeyPass 當解密密碼<cli>
+$ ansible-vault encrypt_string MyPassword --ask-vault-pass
+New Vault password: KeyPass
+Confirm New Vault password: KeyPass
+!vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          63613230353861653733633761663630643564323330613263343061656163383731386364666366
+          3430303131616563616634386130613461636433383730360a663130653463313465623837373335
+          61336333643663343535396339633165653334336236363032613130636537336664646535666666
+          3863306137663763610a313034383233626563336365303431313564316338653363636432386438
+Encryption successful
+</cli>
+  * 將這加密後的內容取代 ansible_ssh_pass 原本的明碼部分 Exp. <file>
+:
+  hosts:
+    aac:
+      ansible_host: 192.168.11.249
+      ansible_ssh_pass: "MyPassword"
+:
+</file>改成<file>
+:
+  hosts:
+    aac:
+      ansible_host: 192.168.11.249
+      ansible_ssh_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          63613230353861653733633761663630643564323330613263343061656163383731386364666366
+          3430303131616563616634386130613461636433383730360a663130653463313465623837373335
+          61336333643663343535396339633165653334336236363032613130636537336664646535666666
+          3863306137663763610a313034383233626563336365303431313564316338653363636432386438
+:
+</file>
+  * 然後執行 ansible-playbook 後面必須加上 **--ask-vault-pass** 才會彈出讓你輸入解密密碼 Exp. KeyPass<cli>
+$ ansible-playbook -i inventory.yaml upgrade.yaml --ask-vault-pass
+Vault password: KeyPass
+PLAY [servers] ******************************************************************************************************************************************************************************
+TASK [Gathering Facts] **********************************************************************************************************************************************************************
+ok: [nuc]
+:
+</cli>
+  * 也可以執行 ansible-playbook 後面加上 **--vault-password-file** 指定解密密碼檔案 Exp. .vault_pass<cli>
+$ ansible-playbook -i inventory.yaml upgrade.yaml --vault-password-file ./.vault_pass
+</cli>
 ===== 參考網址 =====
   * https://docs.ansible.com/ansible/latest/inventory_guide/intro_inventory.html
@@ 行 128: / 行 177: @@
   * https://blog.yowko.com/ansible-bypass-fingerprint-check/
   * https://stackoverflow.com/questions/51622712/ansible-requires-python-apt-but-its-already-installed
+  * https://stackoverflow.com/questions/21870083/specify-sudo-password-for-ansible
+  * https://stackoverflow.com/questions/51771994/how-do-i-use-an-encrypted-variable-ansible-ssh-pass-in-an-ini-file
+  * https://stackoverflow.com/questions/30209062/ansible-how-to-encrypt-some-variables-in-an-inventory-file-in-a-separate-vault
+  * https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data
-{{tag>自動化 大量部署}}
+{{tag>ansible 自動化 大量部署}}