debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0

./lib/pki-authority: line 77: declare: -g: invalid option #52

Closed yujunz closed 8 years ago

yujunz commented 8 years ago

TASK [debops.pki : Initialize PKI authorities] *****
failed: [vbox -> localhost] => (item={u'subdomain': u'root-ca', u'name': u'root', u'subject': [u'o=Vagrant-ubuntu-trusty-64 Certificate Authority']}) => {"changed": true, "cmd": ["./lib/pki-authority", "init", "--name", "root", "--default-sign-base", "365", "--root-sign-multiplier", "12", "--ca-sign-multiplier", "10", "--cert-sign-multiplier", "3"], "delta": "0:00:00.030746", "end": "2016-04-21 13:50:51.097910", "failed": true, "item": {"name": "root", "subdomain": "root-ca", "subject": ["o=Vagrant-ubuntu-trusty-64 Certificate Authority"]}, "rc": 2, "start": "2016-04-21 13:50:51.067164", "stderr": "./lib/pki-authority: line 77: declare: -g: invalid option\ndeclare: usage: declare [-afFirtx] [-p] [name[=value] ...]", "stdout": "", "stdout_lines": [], "warnings": []}
failed: [vbox -> localhost] => (item={u'subdomain': u'domain-ca', u'name': u'domain', u'issuer_name': u'root', u'subject': [u'o=Vagrant-ubuntu-trusty-64', u'ou=Domain CA']}) => {"changed": true, "cmd": ["./lib/pki-authority", "init", "--name", "domain", "--default-sign-base", "365", "--root-sign-multiplier", "12", "--ca-sign-multiplier", "10", "--cert-sign-multiplier", "3"], "delta": "0:00:00.029932", "end": "2016-04-21 13:50:51.378080", "failed": true, "item": {"issuer_name": "root", "name": "domain", "subdomain": "domain-ca", "subject": ["o=Vagrant-ubuntu-trusty-64", "ou=Domain CA"]}, "rc": 2, "start": "2016-04-21 13:50:51.348148", "stderr": "./lib/pki-authority: line 77: declare: -g: invalid option\ndeclare: usage: declare [-afFirtx] [-p] [name[=value] ...]", "stdout": "", "stdout_lines": [], "warnings": []}

drybjed commented 8 years ago

This error means that your Ansible Controller host has too old a bash. The pki-authority script executed on the Ansible Controller requires at least bash 4.3. You should either upgrade the bash on your system, or create a VM that will be used as the Ansible Controller with the required bash version. For example, using Debian Jessie should be sufficient.

yujunz commented 8 years ago

Thanks. It could be. I'm using bash 3.2.57 under MacOSX.

➜  openzero-debops git:(master) bash --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin15)
Copyright (C) 2007 Free Software Foundation, Inc.

ypid commented 8 years ago

@zhang-yujun Were you able to identify the problem?

yujunz commented 8 years ago

@ypid Not understanding your question. I'm using ansible-pki in MacOSX. The default bash version is 3.2.57.

ypid commented 8 years ago

You opened this issue describing a problem you had/have? with this role. Some time has passed now and I would like to know if it really was your old version of bash causing the problems and if you could resolve this. In case it is your bash version, an assertion in the role might be a good idea to catch such problems early and give better hints.

yujunz commented 8 years ago

@ypid I see. Thanks for getting back to me.

Sorry, but I don't have the environment to verify this issue for now. I'll let you know once I confirm it.

drybjed commented 8 years ago

I'm afraid that this issue will persist on MacOS X due to the use of an ancient bash as the default on this platform. I suppose that this warrants the rewrite of at least the pki-authority script to Python, however my concern with this is the amount of shell-outs to the OpenSSL/GnuTLS utilities that would be needed. Or maybe the script could just use Python libraries for these operations? I don't use MacOS X, so I'm not sure about the different versions of the libraries that are available, and judging by bash that might be important as well.

ypid commented 8 years ago

@drybjed What do you think about an assert at the top of the role to check if bash is recent enough?

drybjed commented 8 years ago

Sounds good to me. debops.dhparam role has something similar.
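
The early check proposed in this thread, sketched as an added example (it is not part of the thread, the debops.pki role or the debops.dhparam role). The function names and messages are hypothetical, and the 4.3 minimum is the figure given in the maintainer's comment above.

```bash
#!/usr/bin/env bash
# Added example, not debops.pki code. Uses only syntax that bash 3.2 can
# parse, so the guard can run on the very shell it is meant to reject.
# Assumption: minimum version 4.3, as stated in the thread.
REQUIRED_MAJOR=4
REQUIRED_MINOR=3

# version_at_least MAJOR MINOR REQ_MAJOR REQ_MINOR -> 0 if MAJOR.MINOR >= REQ.
# Numeric comparison, so 10.0 ranks above 4.3 (a string compare would not).
version_at_least() {
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# Print "MAJOR MINOR" taken from a `bash --version` banner; nothing if no match.
parse_bash_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1
}

# check_banner BANNER -> 0 recent enough, 1 too old, 2 unrecognised banner.
check_banner() {
    set -- $(parse_bash_banner "$1")
    [ "$#" -eq 2 ] || return 2
    version_at_least "$1" "$2" "$REQUIRED_MAJOR" "$REQUIRED_MINOR"
}

# require_bash -> checks the shell executing this script; explains any failure.
require_bash() {
    if [ -z "${BASH_VERSION:-}" ]; then
        echo "pki-authority: not running under bash" >&2
        return 2
    fi
    check_banner "GNU bash, version $BASH_VERSION" && return 0
    echo "pki-authority: bash $BASH_VERSION found," \
         "$REQUIRED_MAJOR.$REQUIRED_MINOR or newer required" >&2
    return 1
}

# Banner quoted earlier in the thread, reused here as sample input.
SAMPLE='GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin15)'
if check_banner "$SAMPLE"; then echo "sample: ok"; else echo "sample: rejected"; fi
```

Placed before the first `declare -g`, a call such as `require_bash || exit 2` turns the `invalid option` failure into a message that names the actual cause.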