Security
1. Ansible Vault - Maxfiy Ma'lumotlarni Himoyalash
Ansible Vault nima?
Ansible Vault - bu maxfiy ma'lumotlarni (parollar, API kalitlar, sertifikatlar) shifrlash va xavfsiz saqlash tizimi. Bu production environment larda eng muhim security component hisoblanadi.
Vault ning asosiy maqsadlari:
- Credential protection - parollarni ochiq ko'rinishda saqlamaslik
- Source control safety - Git repository da shifrli ma'lumotlar
- Team collaboration - xavfsiz ma'lumot ulashish
- Compliance - security standards ga muvofiqlik
- Audit trail - kim, qachon access qilganini kuzatish
Vault ning ishlash printsiplari:
Encryption algoritm:
- AES-256 encryption standartidan foydalanadi
- PBKDF2 key derivation function
- HMAC-SHA256 authentication
- Salt har bir file uchun unique
Key management:
- Password-based - oddiy parol orqali
- File-based - key fayldan
- Script-based - external script orqali
- Multiple vaults - turli key lar bilan
Vault Commands:
Yangi vault fayl yaratish:
# Interaktiv parol bilan
ansible-vault create secrets.yml
# Parolni fayldan o'qish
ansible-vault create --vault-password-file vault_pass.txt secrets.yml
# Vault ID bilan
ansible-vault create --vault-id production@prompt secrets.yml
Mavjud faylni encrypt qilish:
# Oddiy file ni vault ga aylantirish
ansible-vault encrypt database_passwords.yml
# Backup yaratish bilan
ansible-vault encrypt --output encrypted_secrets.yml plain_secrets.yml
Vault faylni o'qish/ko'rish:
# Faylni decrypt qilib ko'rish
ansible-vault view secrets.yml
# Cat kabi ishlatish
ansible-vault view secrets.yml | grep mysql_password
Vault faylni edit qilish:
# Encrypt qilingan faylni tahrirlash
ansible-vault edit secrets.yml
# Vi/nano da ochiladi, saqlaganda avtomatik encrypt qilinadi
Vault faylni decrypt qilish:
# Butunlay decrypt qilish
ansible-vault decrypt secrets.yml
# Boshqa fayl nomida saqlash
ansible-vault decrypt --output plain_secrets.yml secrets.yml
Parolni o'zgartirish:
# Vault parolini yangilash
ansible-vault rekey secrets.yml
# Yangi parol fayldan
ansible-vault rekey --new-vault-password-file new_pass.txt secrets.yml
Vault fayllarini playbook da ishlatish:
Oddiy ishlatish:
# secrets.yml (vault file)
---
$ANSIBLE_VAULT;1.1;AES256
66386139653...encrypted content...
# playbook.yml
---
- name: Deploy application with secrets
hosts: webservers
vars_files:
- secrets.yml
tasks:
- name: Configure database
mysql_db:
name: myapp
login_password: "{{ mysql_root_password }}"
Playbook ishga tushirish:
# Parol so'rash bilan
ansible-playbook playbook.yml --ask-vault-pass
# Parol fayldan
ansible-playbook playbook.yml --vault-password-file vault_pass.txt
# Multiple vault IDs
ansible-playbook playbook.yml --vault-id dev@prompt --vault-id prod@vault_pass.txt
Mixed vault va plain variables:
# group_vars/production.yml
---
# Plain variables
app_name: mywebapp
database_host: db.production.com
# Vault variables
database_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
66386139653265363266636631356134613...
api_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
35623764313133373365386366646631653...
Best Practices:
1. Vault fayl tashkil etish:
# secrets/production.yml
---
# Database credentials
mysql_root_password: "super_secret_password"
mysql_app_password: "app_database_password"
# API keys
aws_access_key: "AKIA..."
aws_secret_key: "secret_key..."
github_token: "ghp_..."
# SSL certificates
ssl_private_key: |
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7...
-----END PRIVATE KEY-----
ssl_certificate: |
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKL0w8Z5V3dWMA0GCSqGSIb3DQEBCwUA...
-----END CERTIFICATE-----
2. Directory structure:
project/
├── group_vars/
│ ├── all/
│ │ ├── common.yml # Plain variables
│ │ └── vault.yml # Encrypted secrets
│ ├── production/
│ │ ├── main.yml
│ │ └── vault.yml
│ └── staging/
│ ├── main.yml
│ └── vault.yml
├── host_vars/
├── vault_passwords/
│ ├── dev_vault_pass.txt
│ ├── staging_vault_pass.txt
│ └── prod_vault_pass.txt
└── playbooks/
3. Vault ID strategy:
# Multiple environments uchun
ansible-vault create --vault-id dev@prompt secrets_dev.yml
ansible-vault create --vault-id staging@prompt secrets_staging.yml
ansible-vault create --vault-id prod@prompt secrets_prod.yml
# Playbook da ishlatish
ansible-playbook site.yml \
--vault-id dev@vault_passwords/dev_pass.txt \
--vault-id prod@vault_passwords/prod_pass.txt
4. Environment variables:
# Vault parolni environment variable da
export ANSIBLE_VAULT_PASSWORD_FILE=vault_pass.txt
# Multiple vault IDs
export ANSIBLE_VAULT_IDENTITY_LIST="dev@dev_pass.txt,prod@prod_pass.txt"
# Vault editor
export EDITOR=vim
Security considerations:
Vault password management:
- Parollarni source control ga qo'ymaslik
- Strong password policy - minimal 20 character, complex
- Regular password rotation - 3-6 oyda bir o'zgartirish
- Access control - kim vault ga access qila oladi
File permissions:
# Vault password files uchun
chmod 600 vault_pass.txt
chown $USER:$USER vault_pass.txt
# Vault fayllar uchun
chmod 644 secrets.yml
2. Become & Privilege Escalation
Become tizimi nima?
Become - bu Ansible ning privilege escalation tizimi bo'lib, oddiy foydalanuvchi sifatida ulanib, kerak bo'lganda admin huquqlarini olish imkonini beradi.
Asosiy tushunchalar:
- become - privilege escalation yoqish/o'chirish
- become_method - qaysi usul ishlatish (sudo, su, doas va boshqalar)
- become_user - qaysi foydalanuvchi sifatida ishlash
- become_password - privilege escalation uchun parol
Become methods:
sudo (eng keng tarqalgan):
# Global level - playbook uchun
- name: Install packages
hosts: webservers
become: yes
become_method: sudo
become_user: root
tasks:
- name: Install nginx
apt:
name: nginx
state: present
Task level:
tasks:
- name: Install package (requires root)
apt:
name: nginx
state: present
become: yes
- name: Create user directory (no privilege needed)
file:
path: /home/user/app
state: directory
# become: no (default)
su method:
- name: Use su instead of sudo
hosts: servers
become: yes
become_method: su
become_user: root
become_password: "{{ root_password }}"
doas (OpenBSD style):
- name: Using doas
hosts: openbsd_servers
become: yes
become_method: doas
become_user: root
pbrun/pfexec (Enterprise):
# PowerBroker uchun
become_method: pbrun
# Solaris uchun
become_method: pfexec
Become configuration:
ansible.cfg da global settings:
[defaults]
become = True
become_method = sudo
become_user = root
become_ask_pass = False
[privilege_escalation]
become = True
become_method = sudo
become_user = root
become_ask_pass = False
Inventory da host/group level:
[webservers]
web1.example.com ansible_become=yes ansible_become_user=root
web2.example.com ansible_become=yes ansible_become_method=su
[webservers:vars]
ansible_become=yes
ansible_become_method=sudo
ansible_become_user=root
Sudo configuration (sudoers):
Ansible user uchun sudo setup:
# /etc/sudoers.d/ansible
ansible ALL=(ALL) NOPASSWD: ALL
# Yoki specific commands uchun
ansible ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/systemctl, /usr/bin/service
Security best practices:
# Minimal permissions
ansible ALL=(ALL) NOPASSWD: /usr/bin/apt-get install *, /usr/bin/systemctl restart nginx
# Time-based sudo
ansible ALL=(ALL) NOPASSWD: ALL
Defaults:ansible timestamp_timeout=5
# Sudo logging
Defaults:ansible log_input, log_output
Defaults:ansible logfile="/var/log/sudo-ansible.log"
Password handling:
Vault bilan sudo password:
# vault.yml da
---
ansible_become_password: "{{ sudo_password }}"
# playbook da
- name: Tasks requiring sudo
hosts: servers
become: yes
vars_files:
- vault.yml
tasks:
- name: Install package
package:
name: htop
state: present
Command line da:
# Sudo parolni so'rash
ansible-playbook playbook.yml --ask-become-pass
# Vault va sudo parol
ansible-playbook playbook.yml --ask-vault-pass --ask-become-pass
Conditional become:
Task level conditions:
tasks:
- name: Install package on Ubuntu
apt:
name: nginx
state: present
become: yes
when: ansible_os_family == "Debian"
- name: Install package on CentOS
yum:
name: nginx
state: present
become: yes
when: ansible_os_family == "RedHat"
- name: User-level task
file:
path: "{{ ansible_user_dir }}/backup"
state: directory
# No become needed
Block level become:
tasks:
- name: System configuration block
block:
- name: Install packages
package:
name: "{{ item }}"
state: present
loop:
- nginx
- mysql-server
- name: Start services
service:
name: "{{ item }}"
state: started
loop:
- nginx
- mysql
become: yes
- name: User-level configurations
block:
- name: Create user configs
template:
src: user_config.j2
dest: "{{ ansible_user_dir }}/.config/app.conf"
# No become needed
3. Credential va SSH Boshqaruvi
SSH Authentication Methods:
1. SSH Key-based authentication (Recommended):
Key generation:
# Control node da
ssh-keygen -t rsa -b 4096 -C "ansible@company.com"
ssh-keygen -t ed25519 -C "ansible-deployment-key"
# Public key ni copy qilish
ssh-copy-id -i ~/.ssh/ansible_key.pub user@target-server
# Manual copy
cat ~/.ssh/ansible_key.pub | ssh user@server 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
Inventory da SSH key specification:
[webservers]
web1.example.com ansible_ssh_private_key_file=~/.ssh/web1_key
web2.example.com ansible_ssh_private_key_file=~/.ssh/web2_key
[databases]
db1.example.com ansible_ssh_private_key_file=~/.ssh/db_key
db2.example.com ansible_ssh_private_key_file=~/.ssh/db_key
[webservers:vars]
ansible_user=deploy
ansible_ssh_private_key_file=~/.ssh/ansible_key
SSH agent bilan:
# SSH agent ishga tushirish
eval $(ssh-agent)
# Key larni agent ga qo'shish
ssh-add ~/.ssh/ansible_key
ssh-add ~/.ssh/web_deploy_key
ssh-add ~/.ssh/db_admin_key
# Agent da mavjud key lar
ssh-add -l
2. Password-based authentication:
Inventory da parol saqlash:
[servers]
server1.example.com ansible_user=admin ansible_password=secret123
# Yoki vault bilan
[servers:vars]
ansible_user=admin
ansible_password={{ vault_server_password }}
Command line da:
# SSH parolni so'rash
ansible-playbook playbook.yml --ask-pass
# Connection va become parollarni so'rash
ansible-playbook playbook.yml --ask-pass --ask-become-pass
SSH Configuration Optimization:
SSH client configuration (~/.ssh/config):
# Global SSH settings
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
ControlMaster auto
ControlPath ~/.ssh/control-%h-%p-%r
ControlPersist 300
# Specific hosts
Host web-servers
HostName web*.company.com
User deploy
IdentityFile ~/.ssh/web_deploy_key
Port 2222
Host db-servers
HostName db*.company.com
User dbadmin
IdentityFile ~/.ssh/db_key
Port 22
ProxyJump bastion.company.com
ansible.cfg SSH optimizations:
[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
pipelining = True
timeout = 30
host_key_checking = False
Bastion/Jump Host Configuration:
SSH ProxyJump setup:
[webservers]
web1.internal.com ansible_host=10.0.1.10
web2.internal.com ansible_host=10.0.1.11
[webservers:vars]
ansible_user=deploy
ansible_ssh_common_args='-o ProxyJump=bastion.company.com'
ansible_ssh_private_key_file=~/.ssh/internal_key
SSH config bilan:
# ~/.ssh/config
Host bastion
HostName bastion.company.com
User jump_user
IdentityFile ~/.ssh/bastion_key
Host web-internal
HostName 10.0.1.*
User deploy
IdentityFile ~/.ssh/internal_key
ProxyJump bastion
Multi-factor Authentication:
SSH key + password:
- name: Connect with key and password
hosts: secure_servers
vars:
ansible_ssh_private_key_file: ~/.ssh/secure_key
ansible_password: "{{ vault_ssh_password }}"
Certificate-based authentication:
# SSH certificate yaratish
ssh-keygen -s ca_key -I certificate_id -n allowed_users user_key.pub
# Ansible da ishlatish
ansible_ssh_private_key_file: ~/.ssh/user_key
ansible_ssh_certificate_file: ~/.ssh/user_key-cert.pub
Credential Management Best Practices:
1. Key Management:
- Unique keys har bir environment/service uchun
- Regular rotation - 6-12 oyda bir yangilash
- Principle of least privilege - minimal kerakli huquqlar
- Secure storage - encrypted disk, hardware tokens
2. Access Control:
# SSH key permissions
chmod 600 ~/.ssh/private_keys/*
chmod 644 ~/.ssh/public_keys/*
chmod 700 ~/.ssh/
# Ansible vault permissions
chmod 600 vault_passwords/*
chmod 600 group_vars/*/vault.yml
3. Monitoring va Auditing:
# SSH connection logging
LogLevel INFO
SyslogFacility AUTH
# Ansible logging
export ANSIBLE_LOG_PATH=/var/log/ansible.log
# SSH session recording
# /etc/ssh/sshd_config da
ForceCommand /usr/bin/script -q -a /var/log/user-sessions/$(date +%Y%m%d-%H%M%S)-$USER.log -c $SSH_ORIGINAL_COMMAND
4. Emergency Access:
# Break-glass emergency playbook
- name: Emergency access setup
hosts: all
become: yes
vars_files:
- emergency_vault.yml
tasks:
- name: Add emergency user
user:
name: emergency
password: "{{ emergency_password | password_hash('sha512') }}"
groups: sudo
shell: /bin/bash
when: emergency_mode is defined
Troubleshooting SSH Issues:
Connection debugging:
# Verbose SSH connection
ansible webservers -m ping -vvv
# SSH manual test
ssh -v user@target-host
# SSH agent debugging
SSH_AUTH_SOCK="" ansible webservers -m ping
Common issues va solutions:
Permission denied:
- SSH key permissions
- authorized_keys file permissions
- SELinux/AppArmor policies
Host key verification failed:
- host_key_checking = False
- Manual host key acceptance
- SSH known_hosts management
Connection timeout:
- Network connectivity
- SSH daemon status
- Firewall rules
- DNS resolution
Bu comprehensive security guide Ansible ni production environment da xavfsiz tarzda ishlatish uchun barcha asosiy jihatlari qamrab oladi.