Puppet - hiera - Function lookup() did not find a value - Windows
I installed the dsc module and am using Puppet to add AD users to a domain controller. The code below works fine when the passwords are hard-coded as plain text. Is it possible to encrypt those passwords somehow?
I read that hiera-eyaml is the way to solve this, so I encrypted the password:
[root@PUPPET puppet]# /opt/puppetlabs/puppet/bin/eyaml encrypt -p
Enter password: **********
string: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]
Then I stored that encrypted password in the /etc/common.eyaml file (the one specified in the hiera config file):
/opt/puppetlabs/puppet/bin/eyaml edit /etc/common.eyaml
I can decrypt the file successfully:
/opt/puppetlabs/puppet/bin/eyaml decrypt -f /etc/common.eyaml
Then I referenced the encrypted password in the manifest file
/etc/puppetlabs/code/environments/production/manifests/site.pp:
dsc_xADUser { 'FirstUser':
  dsc_ensure            => 'present',
  dsc_domainname        => 'ad.contoso.com',
  dsc_username          => 'tfl',
  dsc_userprincipalname => 'tfl@ad.contoso.com',
  dsc_password          => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive('pass')
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive(lookup('password'))
  },
}
On the Windows node I get the error:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Function lookup() did not find a value for the name 'password' on node windows.example.com
Hiera config file:
cat /etc/puppetlabs/puppet/hiera.yaml
---
# Hiera 5 Global configuration file
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "/etc/common.eyaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
cat /etc/common.eyaml
password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]
I'm new to Puppet and this hiera is confusing me.
For starters, there is a typo in your Hiera config file. The path to the data should be:
paths:
- "/etc/common.eyaml"
Once that is fixed, you need to retrieve the value from Hiera. This is done with the Puppet lookup function. Since you have a single key-value pair in a single data file, you can do this with the minimum number of arguments.
dsc_xADUser { 'FirstUser':
  dsc_ensure            => 'present',
  dsc_domainname        => 'ad.contoso.com',
  dsc_username          => 'tfl',
  dsc_userprincipalname => 'tfl@ad.contoso.com',
  dsc_password          => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive('pass')
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => lookup('string'),
  },
}
However, you also really want to redact that password from your logs and reports. You will want to wrap that password string in the Sensitive data type:
'password' => Sensitive(lookup('string')),
It appears you are already doing this for the other password, the one passed in as the string pass.
A side note to all of this: Puppet 6 has built-in support for lookup retrieval from Vault and Conjur, so that will soon be the best practice instead of hiera-eyaml.
Ufff, after a lot of effort it finally works:
cat /etc/puppetlabs/puppet/hiera.yaml
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
Created the password:
/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'password' -s 'Pass' --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
Added it to the /etc/puppetlabs/puppet/data/windowspass.eyaml file:
/opt/puppetlabs/puppet/bin/eyaml edit windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
cat /etc/puppetlabs/puppet/data/windowspass.eyaml
---
password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAUopetXenh/+DN1+VesIZUI5y4k3kOTn2xa5uBrtGZP3GvGqoWfwAbYsfeNApjeMG+lg93/N/6mE9T59DPh]
Test decryption:
/opt/puppetlabs/puppet/bin/eyaml decrypt -f windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
As Matt suggested, mapped the contents of windowspass.eyaml in the manifest file:
'password' => Sensitive(lookup('password'))
The debug command helped me a lot:
puppet master --debug --compile windows.example.com --environment=production
Thanks everyone, especially Matt.
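An added example, not code from the question, the answers, Puppet or hiera-eyaml: a small Python model of how Hiera 5 turns the hierarchy from the working hiera.yaml above into candidate data files for the node windows.example.com, and why a lookup ends in the "did not find a value" error from the question when the only configured path points at a file that is not there. It assumes the hierarchy is handed over as a dict instead of being parsed from hiera.yaml, that data files are flat "key: value" YAML (all the files in this thread are), that a relative datadir is resolved against the directory holding hiera.yaml and relative paths against datadir, and that an absolute path entry is used verbatim (Ruby Pathname semantics). The data file and its ENC[] ciphertext are constructed stand-ins.

```python
"""Toy Hiera 5 path resolver: which files a lookup consults for a node, and why
it fails. Added example; not code from the thread, Puppet or hiera-eyaml.
Assumptions: config given as a dict; flat key: value data files; relative
datadir resolved next to hiera.yaml; absolute `paths` entries taken verbatim."""
import os
import re
import tempfile

ENC_RE = re.compile(r"^ENC\[PKCS7,[A-Za-z0-9+/=]+\]$")
KV_RE = re.compile(r"^([A-Za-z_][\w.-]*):\s*(.*?)\s*$")


def interpolate(template, scope):
    """Expand %{trusted.certname}-style tokens from a flat scope dict."""
    def sub(m):
        if m.group(1) not in scope:
            raise KeyError("no value for interpolation %%{%s}" % m.group(1))
        return scope[m.group(1)]
    return re.sub(r"%\{([\w.]+)\}", sub, template)


def resolve_paths(config_path, level, defaults, scope):
    """Absolute file names for one hierarchy level's `paths` entries."""
    config_dir = os.path.dirname(os.path.abspath(config_path))
    datadir = os.path.join(config_dir, level.get("datadir", defaults.get("datadir", "data")))
    resolved = []
    for entry in level.get("paths", []):
        entry = interpolate(entry, scope)
        resolved.append(entry if os.path.isabs(entry) else os.path.join(datadir, entry))
    return resolved


def load_flat_yaml(path):
    """Parse flat key: value lines; warn when a file holds several YAML documents."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    warnings = []
    markers = [i for i, line in enumerate(lines) if line.strip() == "---"]
    if len(markers) > 1:
        # A single-document YAML loader only sees what sits between the first two markers.
        warnings.append("%s: %d '---' markers, only the first document is loaded" % (path, len(markers)))
        lines = lines[markers[0] + 1:markers[1]]
    data = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#") or line.strip() == "---":
            continue
        m = KV_RE.match(line)
        if m:
            data[m.group(1)] = m.group(2)
    return data, warnings


def lookup(key, config_path, config, scope):
    """First-found lookup, like lookup(key) with Puppet's default 'first' merge.
    Returns (value, source_path, is_eyaml_ciphertext, trace)."""
    trace = []
    for level in config["hierarchy"]:
        for path in resolve_paths(config_path, level, config.get("defaults", {}), scope):
            if not os.path.isfile(path):
                trace.append("absent: " + path)
                continue
            data, warnings = load_flat_yaml(path)
            trace.extend(warnings)
            if key not in data:
                trace.append("no '%s' in %s" % (key, path))
                continue
            enc = bool(ENC_RE.match(data[key]))
            if enc and level.get("lookup_key") != "eyaml_lookup_key":
                trace.append("%s: ENC[] value but level '%s' has no eyaml backend" % (path, level.get("name")))
            trace.append("found '%s' in %s" % (key, path))
            return data[key], path, enc, trace
    raise LookupError("Function lookup() did not find a value for the name '%s' on node %s"
                      % (key, scope["trusted.certname"]))


def demo():
    """Rebuild the accepted answer's layout in a temp dir and run both lookups."""
    root = tempfile.mkdtemp()
    config_path = os.path.join(root, "hiera.yaml")  # only its directory matters here
    os.makedirs(os.path.join(root, "data", "nodes"))
    with open(os.path.join(root, "data", "windowspass.eyaml"), "w") as fh:
        # Constructed stand-in for the answer's windowspass.eyaml; the ciphertext is fake.
        fh.write("---\npassword: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWY=]\n")
    level = {"name": "Eyaml hierarchy", "lookup_key": "eyaml_lookup_key",
             "paths": ["nodes/%{trusted.certname}.yaml", "windowspass.eyaml"]}
    working = {"defaults": {"datadir": "data"}, "hierarchy": [level]}
    # The question's shape: a single absolute path to a file that is not there.
    broken = {"defaults": {"datadir": "data"},
              "hierarchy": [dict(level, paths=[os.path.join(root, "etc", "common.eyaml")])]}
    scope = {"trusted.certname": "windows.example.com"}
    value, source, enc, trace = lookup("password", config_path, working, scope)
    try:
        lookup("password", config_path, broken, scope)
        missing = None
    except LookupError as err:
        missing = str(err)
    return {"value": value, "source": source, "encrypted": enc,
            "trace": trace, "missing_error": missing}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The trace shows nodes/windows.example.com.yaml being skipped as absent before windowspass.eyaml supplies the ENC[] value, which is the order the working hierarchy above produces; the broken config raises the same message the Windows node reported. Against a real master the equivalent check is `puppet lookup password --node windows.example.com --explain`, which prints the files Hiera consulted and where the value came from, without printing the decrypted secret when the manifest wraps it in Sensitive.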