Chapter 28

Encryption: vault

y_mrok
Updated 2021.10.17

Explanation

For the explanation of this chapter, click this link.

Exercises

This playbook reads user accounts from the file "accounts.yml" and registers them on the managed nodes.

hosts.yml
---
all:
  hosts:
    ebisugawa:
group_vars/all.yml
---
ansible_user: vagrant
ansible_password: vagrant
host_vars/ebisugawa.yml
---
ansible_host: 192.168.111.103
accounts.yml
---
accounts:
  - name: taro
    password: pass@taro
  - name: jiro
    password: pass@jiro
regist_account.yml
---
- name: Register an account.
  hosts: all
  gather_facts: no
  become: yes

  vars_files:
    - accounts.yml

  tasks:
    - name: Create a user account.
      ansible.builtin.user:
        user: "{{ item['name'] }}"
        password: "{{ item['password'] | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
      loop:
        "{{ accounts }}"

Q1. Encrypt the entire file "accounts.yml" and run the playbook. Choose your own passphrase for the encryption.

Answer
  1. Encrypt the file "accounts.yml"
y_mrok@ctrl:~/code/chap28$ ansible-vault encrypt accounts.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful
y_mrok@ctrl:~/code/chap28$
  2. Check the encrypted result
y_mrok@ctrl:~/code/chap28$ cat accounts.yml
$ANSIBLE_VAULT;1.1;AES256
62643863393339613866633836346231313839323262323139666166343466636439323665303363
6235363333656338313936366630643636373933393437330a303862386561363031666239376562
35323934623037393138303136623761653834343863643832306232383662393130333839383138
6265663161313264300a323366633166346461636234666239643032653031343766636434356263
36323361323337303837373634303437343336663361636537653932383638353136613938643961
32376239353436306662653431663361653463666264633233333966613232653864306235613135
61386134613962663634376165326538323538393065386562316330363937363563336535353635
37393063396632396531343666633330346335383363356130383035613764313133376435666166
3363
y_mrok@ctrl:~/code/chap28$
  3. Run the playbook
y_mrok@ctrl:~/code/chap28$ ansible-playbook -i hosts.yml --ask-vault-password regist_account.yml 
Vault password: 

PLAY [Register an account.] **************************************************************************************************************************

TASK [Create a user account.] ************************************************************************************************************************
changed: [ebisugawa] => (item={'name': 'taro', 'password': 'pass@taro'})
changed: [ebisugawa] => (item={'name': 'jiro', 'password': 'pass@jiro'})

PLAY RECAP *******************************************************************************************************************************************
ebisugawa                  : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

y_mrok@ctrl:~/code/chap28$
  4. Check the result in the file "/etc/passwd" on the managed node
y_mrok@ctrl:~/code/chap28$ ansible all -i hosts.yml -a "cat /etc/passwd"
ebisugawa | CHANGED | rc=0 >>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
taro:x:1002:1002::/home/taro:/bin/sh
jiro:x:1003:1003::/home/jiro:/bin/sh
y_mrok@ctrl:~/code/chap28$
  5. Check the result in the file "/etc/shadow" on the managed node
y_mrok@ctrl:~/code/chap28$ ansible all -i hosts.yml -b -a "cat /etc/shadow"
ebisugawa | CHANGED | rc=0 >>
root:*:18865:0:99999:7:::
daemon:*:18865:0:99999:7:::
bin:*:18865:0:99999:7:::
sys:*:18865:0:99999:7:::
sync:*:18865:0:99999:7:::
games:*:18865:0:99999:7:::
man:*:18865:0:99999:7:::
lp:*:18865:0:99999:7:::
mail:*:18865:0:99999:7:::
news:*:18865:0:99999:7:::
uucp:*:18865:0:99999:7:::
proxy:*:18865:0:99999:7:::
www-data:*:18865:0:99999:7:::
backup:*:18865:0:99999:7:::
list:*:18865:0:99999:7:::
irc:*:18865:0:99999:7:::
gnats:*:18865:0:99999:7:::
nobody:*:18865:0:99999:7:::
systemd-network:*:18865:0:99999:7:::
systemd-resolve:*:18865:0:99999:7:::
systemd-timesync:*:18865:0:99999:7:::
messagebus:*:18865:0:99999:7:::
syslog:*:18865:0:99999:7:::
_apt:*:18865:0:99999:7:::
tss:*:18865:0:99999:7:::
uuidd:*:18865:0:99999:7:::
tcpdump:*:18865:0:99999:7:::
sshd:*:18865:0:99999:7:::
landscape:*:18865:0:99999:7:::
pollinate:*:18865:0:99999:7:::
vagrant:$6$oiQov9A2OeQA2VWI$ojEXrXB.hV4.vtizK5vigPzxnR03HenxUQ8b0FYcTGhXT42qbqTud/QxwthEFo7B7Me18q8KzFbA4JkqRAxYT/:18865:0:99999:7:::
systemd-coredump:!!:18916::::::
ubuntu:!:18916:0:99999:7:::
lxd:!:18916::::::
taro:$6$38236$oUyeY5clKg7hBDIhYxv2nlKe2QGLaL.jDjoASzZjz21/KPnksBy4/r19VdHyqVQ9osZO.5jYaMFe6grh6NnfT0:18917:0:99999:7:::
jiro:$6$38236$0uDdajT3YRYPvn2Q8NL0C2eh8IGvCKTLbHVikmBXNapw.zH6bXbJS6PG4Afou/quakME5jZOOSgHUmYTZWRtu.:18917:0:99999:7:::
y_mrok@ctrl:~/code/chap28$ 

Q2. Encrypt only the password values in the file "accounts.yml" and run the playbook. Choose your own passphrase for the encryption.

Answer
  1. Encrypt each password (use the same passphrase for both)
y_mrok@ctrl:~/code/chap28$ ansible-vault encrypt_string pass@taro
New Vault password: 
Confirm New Vault password: 
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          37383035393338323533366438373435393265633835613532616465613166373738363736383764
          3166386565653130663638633939396564626135613734350a656262396363383235646639353735
          61623731653137396266343764613063383264326635393764333939616130303730616466303661
          6130343431336661340a353861393261616233616333653665326432613736613538343030653565
          3066
Encryption successful
y_mrok@ctrl:~/code/chap28$ ansible-vault encrypt_string pass@jiro
New Vault password: 
Confirm New Vault password: 
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          30386164393962326135316436613833626664363266623238666563653563373930343039616532
          3835346565323839373939396338356636393432303362650a653263366632316235396333663761
          36303761323435343437616337663065343130646430323835396136626334646232336439373037
          6266353035666338610a353766396131353166396163616530653832626662363738666637313866
          6139
Encryption successful
y_mrok@ctrl:~/code/chap28$ 
  2. Replace the passwords in the file "accounts.yml" with the encrypted strings
  3. Check the result of encrypting the passwords
y_mrok@ctrl:~/code/chap28$ cat accounts.yml
---
accounts:
  - name: taro
    password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          37383035393338323533366438373435393265633835613532616465613166373738363736383764
          3166386565653130663638633939396564626135613734350a656262396363383235646639353735
          61623731653137396266343764613063383264326635393764333939616130303730616466303661
          6130343431336661340a353861393261616233616333653665326432613736613538343030653565
          3066
  - name: jiro
    password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30386164393962326135316436613833626664363266623238666563653563373930343039616532
          3835346565323839373939396338356636393432303362650a653263366632316235396333663761
          36303761323435343437616337663065343130646430323835396136626334646232336439373037
          6266353035666338610a353766396131353166396163616530653832626662363738666637313866
          6139y_mrok@ctrl:~/code/chap28$ 
y_mrok@ctrl:~/code/chap28$ 
  4. Run the playbook
y_mrok@ctrl:~/code/chap28$ ansible-playbook -i hosts.yml --ask-vault-password regist_account.yml 
Vault password: 

PLAY [Register an account.] **************************************************************************************************************************

TASK [Create a user account.] ************************************************************************************************************************
changed: [ebisugawa] => (item={'name': 'taro', 'password': 'pass@taro'})
changed: [ebisugawa] => (item={'name': 'jiro', 'password': 'pass@jiro'})

PLAY RECAP *******************************************************************************************************************************************
ebisugawa                  : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

y_mrok@ctrl:~/code/chap28$ 
  5. Check the result in the file "/etc/passwd" on the managed node
y_mrok@ctrl:~/code/chap28$ ansible all -i hosts.yml -a "cat /etc/passwd"
ebisugawa | CHANGED | rc=0 >>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
taro:x:1002:1002::/home/taro:/bin/sh
jiro:x:1003:1003::/home/jiro:/bin/sh
y_mrok@ctrl:~/code/chap28$ 
  6. Check the result in the file "/etc/shadow" on the managed node
y_mrok@ctrl:~/code/chap28$ ansible all -i hosts.yml -b -a "cat /etc/shadow"
ebisugawa | CHANGED | rc=0 >>
root:*:18865:0:99999:7:::
daemon:*:18865:0:99999:7:::
bin:*:18865:0:99999:7:::
sys:*:18865:0:99999:7:::
sync:*:18865:0:99999:7:::
games:*:18865:0:99999:7:::
man:*:18865:0:99999:7:::
lp:*:18865:0:99999:7:::
mail:*:18865:0:99999:7:::
news:*:18865:0:99999:7:::
uucp:*:18865:0:99999:7:::
proxy:*:18865:0:99999:7:::
www-data:*:18865:0:99999:7:::
backup:*:18865:0:99999:7:::
list:*:18865:0:99999:7:::
irc:*:18865:0:99999:7:::
gnats:*:18865:0:99999:7:::
nobody:*:18865:0:99999:7:::
systemd-network:*:18865:0:99999:7:::
systemd-resolve:*:18865:0:99999:7:::
systemd-timesync:*:18865:0:99999:7:::
messagebus:*:18865:0:99999:7:::
syslog:*:18865:0:99999:7:::
_apt:*:18865:0:99999:7:::
tss:*:18865:0:99999:7:::
uuidd:*:18865:0:99999:7:::
tcpdump:*:18865:0:99999:7:::
sshd:*:18865:0:99999:7:::
landscape:*:18865:0:99999:7:::
pollinate:*:18865:0:99999:7:::
vagrant:$6$oiQov9A2OeQA2VWI$ojEXrXB.hV4.vtizK5vigPzxnR03HenxUQ8b0FYcTGhXT42qbqTud/QxwthEFo7B7Me18q8KzFbA4JkqRAxYT/:18865:0:99999:7:::
systemd-coredump:!!:18916::::::
ubuntu:!:18916:0:99999:7:::
lxd:!:18916::::::
taro:$6$38236$oUyeY5clKg7hBDIhYxv2nlKe2QGLaL.jDjoASzZjz21/KPnksBy4/r19VdHyqVQ9osZO.5jYaMFe6grh6NnfT0:18917:0:99999:7:::
jiro:$6$38236$0uDdajT3YRYPvn2Q8NL0C2eh8IGvCKTLbHVikmBXNapw.zH6bXbJS6PG4Afou/quakME5jZOOSgHUmYTZWRtu.:18917:0:99999:7:::
y_mrok@ctrl:~/code/chap28$
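Both exercises leave a question for whoever reviews the repository afterwards: is accounts.yml really vaulted, and did every password value get replaced? The following Python script is an added example written for this page; it is not part of the chapter and not Ansible's own code. Using only the standard library, it validates the structure of a `$ANSIBLE_VAULT;1.1;AES256` envelope (hex body, 32-byte salt, 32-byte HMAC-SHA256 tag, ciphertext in whole AES blocks) without decrypting anything or needing the passphrase, and it scans a vars file for secret-looking keys that are still plaintext. The envelope it uses is the one printed above for `ansible-vault encrypt_string pass@taro`; the mixed accounts.yml and the whole-file stand-in are constructed for the example, and group_vars/all.yml is the one shown in this chapter. Function names and the length constants are the example's own.

```python
"""Structural checks for Ansible Vault material before it is committed.

Added example, not part of this chapter or of Ansible itself. Standard
library only; nothing here decrypts, and the passphrase is never needed.
"""
import binascii
import re

# Vault 1.1 / 1.2 header; 1.2 appends a vault-id label after the cipher name.
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<vault_id>\S+))?$"
)
SALT_LEN = 32    # 32 random salt bytes
HMAC_LEN = 32    # HMAC-SHA256 tag over the ciphertext
AES_BLOCK = 16   # plaintext is padded to the block size before AES-CTR
SECRET_KEY_HINTS = ("password", "passwd", "secret", "token")
KV_RE = re.compile(r"^\s*(?:-\s+)?(?P<key>[A-Za-z_][\w.-]*)\s*:\s*(?P<value>.*)$")


def parse_vault_envelope(text: str) -> dict:
    """Validate the layout: hex body -> 'salt\\nhmac\\nciphertext', each part hex."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].startswith("!vault"):   # inline encrypt_string output
        lines = lines[1:]
    if not lines:
        raise ValueError("empty input")
    m = HEADER_RE.match(lines[0])
    if m is None:
        raise ValueError("not an Ansible Vault AES256 envelope")
    try:
        parts = binascii.unhexlify("".join(lines[1:])).split(b"\n")
        if len(parts) != 3:
            raise ValueError("expected salt, hmac and ciphertext sections")
        salt, tag, ciphertext = (binascii.unhexlify(p) for p in parts)
    except binascii.Error as exc:             # odd length or non-hex characters
        raise ValueError(f"malformed hex body: {exc}") from exc
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt is {len(salt)} bytes, expected {SALT_LEN}")
    if len(tag) != HMAC_LEN:
        raise ValueError(f"hmac is {len(tag)} bytes, expected {HMAC_LEN}")
    if not ciphertext or len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {"version": m.group("version"), "cipher": m.group("cipher"),
            "vault_id": m.group("vault_id"), "ciphertext_len": len(ciphertext)}


def envelope_is_wellformed(text: str) -> bool:
    """Boolean wrapper for use in a pre-commit hook."""
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False


def is_vaulted_file(text: str) -> bool:
    """True when the whole file is a single envelope (the Q1 layout)."""
    first = text.lstrip().split("\n", 1)[0].strip()
    return HEADER_RE.match(first) is not None


def scan_vars_file(text: str) -> list:
    """Return (line_no, key, 'vaulted'|'plaintext') for secret-looking scalars."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KV_RE.match(line)
        if m is None:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if not any(h in key.lower() for h in SECRET_KEY_HINTS):
            continue
        if not value or value.startswith("#"):
            continue          # a nested mapping or sequence, not a scalar
        status = "vaulted" if value.startswith("!vault") else "plaintext"
        findings.append((line_no, key, status))
    return findings


# The inline value printed on the page for `ansible-vault encrypt_string pass@taro`.
TARO_VAULTED = """\
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          37383035393338323533366438373435393265633835613532616465613166373738363736383764
          3166386565653130663638633939396564626135613734350a656262396363383235646639353735
          61623731653137396266343764613063383264326635393764333939616130303730616466303661
          6130343431336661340a353861393261616233616333653665326432613736613538343030653565
          3066
"""
# Constructed: accounts.yml half-way through Q2, taro vaulted and jiro not yet.
MIXED_ACCOUNTS_YML = ("---\naccounts:\n  - name: taro\n    password: " + TARO_VAULTED
                      + "  - name: jiro\n    password: pass@jiro\n")
# Constructed stand-in for a Q1-style whole-file vault (same envelope, no tag line).
WHOLE_FILE_VAULT = "\n".join(ln.strip() for ln in TARO_VAULTED.splitlines()[1:]) + "\n"
# group_vars/all.yml exactly as shown in this chapter.
GROUP_VARS_ALL_YML = "---\nansible_user: vagrant\nansible_password: vagrant\n"

if __name__ == "__main__":
    print(parse_vault_envelope(TARO_VAULTED))
    for sample_name, sample in (("accounts.yml", MIXED_ACCOUNTS_YML),
                                ("group_vars/all.yml", GROUP_VARS_ALL_YML)):
        print(sample_name, "whole-file vault:", is_vaulted_file(sample), scan_vars_file(sample))
```

The check is structural only: a hex digit flipped inside the body still parses, and only `ansible-vault view` or a playbook run with the passphrase verifies the HMAC. Run against the files in this chapter, the scanner reports the taro entry as vaulted and the jiro entry as plaintext until both strings are replaced, and it also flags `ansible_password` in group_vars/all.yml, which this chapter leaves in plaintext; the same `encrypt_string` step from Q2 applies there.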