Ansible keytool: command not found

Time: 2017-02-13 12:08:40

Tags: ansible elastic-stack

I wrote a task that simply executes a command on the remote host:

- name: generate ssl
  shell: ./example.sh
  args:
    chdir: /tmp/example-pki-scripts

The example.sh file runs a few scripts in sequence: https://github.com/floragunncom/search-guard-ssl/tree/master/example-pki-scripts

Then, when I deploy this task on the remote host, I get the following error:

fatal: [efk1]: FAILED! => {
    "changed": true,
    "cmd": "./example.sh",
    "delta": "0:00:00.213500",
    "end": "2017-01-20 12:02:10.703895",
    "failed": true,
    "invocation": {
        "module_args": {
            "_raw_params": "./example.sh",
            "_uses_shell": true,
            "chdir": "/tmp/example-pki-scripts",
            "creates": null,
            "executable": null,
            "removes": null,
            "warn": true
        },
        "module_name": "command"
    },
    "rc": 127,
    "start": "2017-01-20 12:02:10.490395",
    "stderr": "Generating a 2048 bit RSA private key\n.+++\n.......+++\nwriting new private key to 'ca/root-ca/private/root-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n        Serial Number: 1 (0x1)\n        Validity\n            Not Before: Jan 20 11:02:10 2017 GMT\n            Not After : Jan 20 11:02:10 2027 GMT\n        Subject:\n            domainComponent           = com\n            domainComponent           = example\n            organizationName          = Example Com Inc.\n            organizationalUnitName    = Example Com Inc. Root CA\n            commonName                = Example Com Inc. Root CA\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Certificate Sign, CRL Sign\n            X509v3 Basic Constraints: critical\n                CA:TRUE\n            X509v3 Subject Key Identifier: \n                EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n            X509v3 Authority Key Identifier: \n                keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\nGenerating a 2048 bit RSA private key\n..............................................................................+++\n......................+++\nwriting new private key to 'ca/signing-ca/private/signing-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n        Serial Number: 2 (0x2)\n        Validity\n            Not Before: Jan 20 11:02:10 2017 GMT\n            Not After : Jan 20 11:02:10 2027 GMT\n        Subject:\n            domainComponent           = com\n            domainComponent           = example\n            organizationName          = Example Com Inc.\n            organizationalUnitName    = Example Com Inc. Signing CA\n            commonName                = Example Com Inc. Signing CA\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Certificate Sign, CRL Sign\n            X509v3 Basic Constraints: critical\n                CA:TRUE, pathlen:0\n            X509v3 Subject Key Identifier: \n                19:19:0A:28:78:33:A8:04:A9:5F:62:81:CA:3D:9F:8A:1F:97:00:6F\n            X509v3 Authority Key Identifier: \n                keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\n./gen_root_ca.sh: line 72: keytool: command not found",
    "stdout": "Root CA generated\nSigning CA generated",
    "stdout_lines": [
        "Root CA generated",
        "Signing CA generated"
    ],
    "warnings": []
}

So as you can see, the problem is at line 72: keytool: command not found. But when I run the same example.sh script on my local machine, it generates the ssl keys without any problem.

The exact line where ansible gets stuck is:

cat ca/root-ca.pem | keytool \
    -import \
    -v \
    -keystore truststore.jks   \
    -storepass $TS_PASS  \
    -noprompt -alias root-ca-chain

1 answer:

Answer 0 (score: 4)

Use the full path to the keytool executable in the script.

Ansible uses a non-interactive, non-login shell session, and the shell does not source the same rc files it would for an interactive/login session, so the value of PATH is different.

Other solutions include: manually specifying `environment` with a PATH declaration, or wrapping the command in a bash invocation.
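The two alternatives mentioned in the answer, written out as Ansible tasks (an added example, not the answerer's or the search-guard-ssl project's code). It assumes the JDK on the remote host lives under `/usr/lib/jvm/java-8-openjdk-amd64` (a placeholder) and that fact gathering is on, so `ansible_env.PATH` is defined.

```yaml
# Added example: make keytool resolvable from Ansible's non-interactive,
# non-login shell without editing the example-pki-scripts themselves.

# First, see what PATH the Ansible shell really gets. This is the quickest way
# to confirm the diagnosis: keytool will be missing here even if it is on the
# PATH of your interactive login on the same host.
- name: Show the PATH and keytool lookup as seen by the Ansible shell
  shell: 'echo "PATH=$PATH"; command -v keytool || echo "keytool not on PATH"'
  register: path_check
  changed_when: false

- name: Print the result of the lookup
  debug:
    var: path_check.stdout_lines

# Option 1: supply PATH for this task only via `environment`. It is inherited
# by example.sh and every script it calls (gen_root_ca.sh included), so the
# bare `keytool` at line 72 resolves. `creates` keeps the task idempotent:
# re-running the play will not regenerate the CA keys over existing ones.
- name: generate ssl (PATH supplied via environment)
  shell: ./example.sh
  args:
    chdir: /tmp/example-pki-scripts
    creates: /tmp/example-pki-scripts/truststore.jks
  environment:
    PATH: "{{ java_home }}/bin:{{ ansible_env.PATH }}"
  vars:
    java_home: /usr/lib/jvm/java-8-openjdk-amd64   # placeholder, adjust per host

# Option 2: run the script through a login shell so the profile that sets
# PATH for interactive logins is sourced first. Less explicit than option 1,
# since it depends on whatever that profile does on each host.
- name: generate ssl (login shell)
  shell: bash -lc './example.sh'
  args:
    chdir: /tmp/example-pki-scripts
    creates: /tmp/example-pki-scripts/truststore.jks
```

Only one of the two "generate ssl" tasks is needed in a real play; they are shown side by side for comparison.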