Section 5 Flashcards
How do you use ansible-vault for secure variables?
Sensitive data is stored as values in variables in a separate variable file.
The variable file is encrypted.
When a playbook accesses the variable file, you enter a password to decrypt it.
Create a password file (it must contain the vault password, so write it in after locking down the permissions):
touch /root/.passfile
chmod 600 /root/.passfile
echo 'your-vault-password' > /root/.passfile
Use the password in it to create an encrypted playbook named secret.yml:
ansible-vault create --vault-password-file=/root/.passfile secret.yml
Run the playbook:
ansible-playbook --vault-password-file=/root/.passfile secret.yml
Run the playbook with you manually typing in the password:
ansible-playbook --ask-vault-pass secret.yml
ansible-playbook --vault-id @prompt secret.yml
How do you encrypt a playbook?
ansible-vault encrypt this.yml
How do you decrypt a playbook?
ansible-vault decrypt this.yml
How do you change the password on a playbook?
ansible-vault rekey this.yml
How do you edit an encrypted playbook?
ansible-vault edit this.yml
What options do you have in terms of encryption if your playbook uses other encrypted files with the same password?
What about when all vaulted files have different passwords?
ansible-playbook --ask-vault-pass this.yml
What are vault-ids?
Use them in a playbook by creating two variable files with vault-ids, giving each its own password file, and running the playbook with both vault-ids.
How do you manually enter passwords for all the encrypted files that have vault-ids?
Vault-ids are labels given to multiple files you want to use with different passwords in your playbook.
The vault-ids let Ansible know which password file corresponds to each encrypted file you specify.
cd vars/
ansible-vault create common_one --vault-id secret1@/path/to/passfile1
package: httpd (contents of common_one)
ansible-vault create common_two --vault-id secret2@/path/to/passfile2
cd ../
vi test.yml
- name: test
  hosts: all
  vars_files:
    - vars/common_one
    - vars/common_two
ansible-playbook test.yml \
  --vault-id secret1@/path/to/passfile1 \
  --vault-id secret2@/path/to/passfile2
TO MANUALLY ENTER PASSWORDS AS THEY COME IN (one prompt per vault-id):
ansible-playbook test.yml --vault-id secret1@prompt --vault-id secret2@prompt
Do both --ask-vault-pass and --vault-password-file try to decrypt not only the playbook but also the encrypted files used by that playbook?
Yes; if the encrypted files share the same password, the playbook runs successfully.
What is the best place to store encrypted variables vs plain text variables?
In the project directory:
host_vars/ansible1/vars <- plain text
host_vars/ansible1/vault <- encrypted
group_vars/web_servers/vars <- plain text
group_vars/web_servers/vault <- encrypted
How do you turn the output of a command/module into a variable? What keys does this use?
register
KEYS:
cmd - the command that was used
rc - return code
stderr - error message generated by the command
stderr_lines - error messages shown by line
stdout - command output
stdout_lines - command output shown by line
Access a key through the registered variable's name, e.g. "{{ result.stdout_lines }}" when the task used register: result (result is whatever name you chose)
When would you use loops vs a list?
List - use this for a module like yum because it will go through the list:
yum:
  name:
    - this
    - that
You would use a loop with service: since it can't iterate through a list.
What is the general structure for a loop? What are the keywords you need?
  name: "{{ item }}"
(loop: has the same indentation as the module itself since it isn't a child of it; name: is still a child of the module, of course)
loop:
  - item1
  - item2
  - item3
When should you use a loop?
When the module doesn't offer support for providing lists as values. Look at the module's documentation.
Loop through a list to start services for httpd and nmap
- name: Service
  hosts: ansible2
  tasks:
    - name: Service
      service:
        name: "{{ item }}"
        state: started
      loop:
        - httpd
        - firewalld
Create a variable called 'services' and start the services listed in it via a loop
- name: Service
  hosts: ansible2
  vars:
    services:
      - httpd
      - firewalld
  tasks:
    - name: Service
      service:
        name: "{{ item }}"
        state: started
      loop: "{{ services }}"
Create a file with multivalued variables. You should have a variable named 'users' that contains three items: linda, lisa and anna. These will have usernames, home directories and shells for the users. Import the variable file and loop through user creation for the users.
users: (contents of vars/user-dictionary.yml)
  - username: linda
    homedir: /home/linda
    shell: /bin/bash
  - username: lisa
    homedir: /home/lisa
    shell: /bin/bash
  - username: anna
    homedir: /home/anna
    shell: /bin/bash
- name: Create Users
  hosts: ansible2
  vars_files:
    - vars/user-dictionary.yml
  tasks:
    - name: Create Users
      user:
        name: "{{ item['username'] }}"
        home: "{{ item['homedir'] }}"
        shell: "{{ item['shell'] }}"
      loop: "{{ users }}"
Here we can see that users is what it's looping through, so it's looping through a list of dictionaries. First it takes the first list item and grabs its username, homedir and shell; then it goes back to the top and does the same for the second item in the list, and so on.
Can you loop through dictionaries?
No, it has to be a list/array, but you can loop through a list/array of dictionaries/hashes
What is the old method of looping through items?
with_items: instead of loop: