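I wrote a task that simply executes a command on a remote host:
- name: generate ssl
  shell: ./example.sh
  args:
    chdir: /tmp/example-pki-scripts
The example.sh file runs several scripts in order: https://github.com/floragunncom/search-guard-ssl/tree/master/example-pki-scripts
Then, when I deploy this task to the remote host, I get the following error: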
fatal: [efk1]: FAILED! => {
"changed": true,
"cmd": "./example.sh",
"delta": "0:00:00.213500",
"end": "2017-01-20 12:02:10.703895",
"failed": true,
"invocation": {
"module_args": {
"_raw_params": "./example.sh",
"_uses_shell": true,
"chdir": "/tmp/example-pki-scripts",
"creates": null,
"executable": null,
"removes": null,
"warn": true
},
"module_name": "command"
},
"rc": 127,
"start": "2017-01-20 12:02:10.490395",
"stderr": "Generating a 2048 bit RSA private key\n.+++\n.......+++\nwriting new private key to 'ca/root-ca/private/root-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n Serial Number: 1 (0x1)\n Validity\n Not Before: Jan 20 11:02:10 2017 GMT\n Not After : Jan 20 11:02:10 2027 GMT\n Subject:\n domainComponent = com\n domainComponent = example\n organizationName = Example Com Inc.\n organizationalUnitName = Example Com Inc. Root CA\n commonName = Example Com Inc. Root CA\n X509v3 extensions:\n X509v3 Key Usage: critical\n Certificate Sign, CRL Sign\n X509v3 Basic Constraints: critical\n CA:TRUE\n X509v3 Subject Key Identifier: \n EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n X509v3 Authority Key Identifier: \n keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\nGenerating a 2048 bit RSA private key\n..............................................................................+++\n......................+++\nwriting new private key to 'ca/signing-ca/private/signing-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n Serial Number: 2 (0x2)\n Validity\n Not Before: Jan 20 11:02:10 2017 GMT\n Not After : Jan 20 11:02:10 2027 GMT\n Subject:\n domainComponent = com\n domainComponent = example\n organizationName = Example Com Inc.\n organizationalUnitName = Example Com Inc. Signing CA\n commonName = Example Com Inc. 
Signing CA\n X509v3 extensions:\n X509v3 Key Usage: critical\n Certificate Sign, CRL Sign\n X509v3 Basic Constraints: critical\n CA:TRUE, pathlen:0\n X509v3 Subject Key Identifier: \n 19:19:0A:28:78:33:A8:04:A9:5F:62:81:CA:3D:9F:8A:1F:97:00:6F\n X509v3 Authority Key Identifier: \n keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\n./gen_root_ca.sh: line 72: keytool: command not found",
"stdout": "Root CA generated\nSigning CA generated",
"stdout_lines": [
"Root CA generated",
"Signing CA generated"
],
"warnings": []
}
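So you can see the problem is at line 72: keytool: command not found. But when I execute the same script, example.sh, on my local machine, it generates the SSL keys without any problem.
The exact line where Ansible gets stuck is: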
cat ca/root-ca.pem | keytool \
-import \
-v \
-keystore truststore.jks \
-storepass $TS_PASS \
-noprompt -alias root-ca-chain
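Answer 0 (score: 4)
Use the full path to the keytool executable in your script.
Ansible uses a non-interactive, non-login shell session, and the shell does not source the same rc files as it does for an interactive/login session, so the value of PATH is different.
Other solutions include: manually specifying PATH in the environment declaration, or wrapping the command in a call to bash.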
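A preflight lookup that follows the answer's first suggestion without hard-coding one machine's JDK location, written as an added example (it is not part of the original answer or of the search-guard-ssl scripts). The function name `resolve_tool`, the `JAVA_HOME` fallback and the stub `keytool` created by `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not taken from example.sh or gen_root_ca.sh.

# resolve_tool NAME [DIR...]
# Print the absolute path of NAME: first from the PATH this shell really has,
# then from $JAVA_HOME/bin, then from each fallback DIR (all assumptions).
# Returns 127, the rc seen in the Ansible output, if nothing is found.
resolve_tool() {
    _name=$1
    shift
    _found=$(command -v "$_name" 2>/dev/null) || _found=
    case $_found in
        /*) printf '%s\n' "$_found"; return 0 ;;   # skip aliases/functions
    esac
    for _dir in ${JAVA_HOME:+"$JAVA_HOME/bin"} "$@"; do
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    printf '%s: not found; PATH=%s JAVA_HOME=%s\n' \
        "$_name" "$PATH" "${JAVA_HOME:-<unset>}" >&2
    return 127
}

# Constructed demo: a stub keytool in a throwaway JDK directory, looked up
# with a PATH that does not contain it (as in a non-login shell).
demo() {
    _tmp=$(mktemp -d) || return 1
    mkdir -p "$_tmp/jdk/bin"
    printf '#!/bin/sh\necho stub keytool\n' > "$_tmp/jdk/bin/keytool"
    chmod +x "$_tmp/jdk/bin/keytool"
    ( PATH=/nonexistent; unset JAVA_HOME; resolve_tool keytool )
    echo "without JAVA_HOME: rc=$?"
    ( PATH=/nonexistent; JAVA_HOME=$_tmp/jdk; resolve_tool keytool )
    echo "with JAVA_HOME:    rc=$?"
    rm -rf "$_tmp"
}

# In gen_root_ca.sh the bare `keytool` call would become:
#   KEYTOOL=$(resolve_tool keytool) || exit $?
#   "$KEYTOOL" -import -v -keystore truststore.jks -storepass "$TS_PASS" \
#       -noprompt -alias root-ca-chain < ca/root-ca.pem

if [ "${1:-}" = demo ]; then demo; fi
```

Failing before the CA files are written, with PATH and JAVA_HOME printed, makes the difference between the local shell and the Ansible session visible in the task's stderr.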