我安装了dsc模块,并使用puppet将AD用户添加到域控制器。当将密码硬编码为纯文本时,下面的代码运行良好。有可能以某种方式加密这些密码吗。
我读到hiera eyaml是解决方案,所以我加密了密码
[root@PUPPET puppet]# /opt/puppetlabs/puppet/bin/eyaml encrypt -p
Enter password: **********
string: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]
然后将加密的通行证存储在/etc/common.eyaml文件(在hiera配置文件中指定(中
/opt/puppetlabs/puppet/bin/eyaml edit /etc/common.eyaml
我可以成功解密文件:
/opt/puppetlabs/puppet/bin/eyaml decrypt -f /etc/common.eyaml
然后我指定加密传递到清单文件
/etc/putpletlabs/code/environments/production/manifests/site.pp:
dsc_xADUser {'FirstUser':
dsc_ensure => 'present',
dsc_domainname => 'ad.contoso.com',
dsc_username => 'tfl',
dsc_userprincipalname => 'tfl@ad.contoso.com',
dsc_password => {
'user' => 'Administrator@ad.contoso.com',
'password' => Sensitive('pass')
},
dsc_passwordneverexpires => true,
dsc_domainadministratorcredential => {
'user' => 'Administrator@ad.contoso.com',
'password' => Sensitive(lookup('password'))
},
}
在windows节点上,我得到错误
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Function lookup() did not find a value for the name 'password' on node windows.example.com
层次结构配置文件:
cat /etc/puppetlabs/puppet/hiera.yaml
---
# Hiera 5 Global configuration file
---
version: 5
defaults:
datadir: data
data_hash: yaml_data
hierarchy:
- name: "Eyaml hierarchy"
lookup_key: eyaml_lookup_key # eyaml backend
paths:
- "/etc/common.eyaml"
options:
pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
cat /etc/common.eyaml
password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]
我是Puppet的新手,这个等级让我很困惑
对于初学者来说,Hiera配置文件中有一个拼写错误。数据的路径应该是:
paths:
- "/etc/common.eyaml"
修复后,您需要从Hiera中检索值。这是通过木偶查找功能执行的。由于在单个数据文件中有一个键值对,因此可以使用最少数量的参数来执行此操作。
dsc_xADUser {'FirstUser':
dsc_ensure => 'present',
dsc_domainname => 'ad.contoso.com',
dsc_username => 'tfl',
dsc_userprincipalname => 'tfl@ad.contoso.com',
dsc_password => {
'user' => 'Administrator@ad.contoso.com',
'password' => Sensitive('pass')
},
dsc_passwordneverexpires => true,
dsc_domainadministratorcredential => {
'user' => 'Administrator@ad.contoso.com',
'password' => lookup('string'),
},
}
但是,您也确实希望从日志和报告中编辑该密码。您可能希望将该密码字符串包装在敏感数据类型中。
'password' => Sensitive(lookup('string')),
您似乎已经在为另一个作为字符串pass传入的密码执行此操作了。
所有这些的一个附带说明是,Puppet在版本6中对Vault和Conjur的查找检索有内在的支持,因此这将很快成为最佳实践,而不是hiera eyaml。
Ufff,经过多次努力终于成功了:
cat /etc/puppetlabs/puppet/hiera.yaml
---
version: 5
defaults:
datadir: data
data_hash: yaml_data
hierarchy:
- name: "Eyaml hierarchy"
lookup_key: eyaml_lookup_key # eyaml backend
paths:
- "nodes/%{trusted.certname}.yaml"
- "windowspass.eyaml"
options:
pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
创建密码:
/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'password' -s 'Pass' --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
将其添加到/etc/puppetlabs/puppet/data/windowspass.eyaml文件:
/opt/puppetlabs/puppet/bin/eyaml edit windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
cat /etc/puppetlabs/puppet/data/windowspass.eyaml
---
password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAUopetXenh/+DN1+VesIZUI5y4k3kOTn2xa5uBrtGZP3GvGqoWfwAbYsfeNApjeMG+lg93/N/6mE9T59DPh]
测试解密:
/opt/puppetlabs/puppet/bin/eyaml decrypt -f windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
正如Matt所建议的,将windowspass.eyaml的内容映射到清单文件
'password' => Sensitive(lookup('password'))
调试命令帮了我很多:
puppet master --debug --compile windows.example.com --environment=production
感谢大家,特别是马特