Install Rundeck on Alma Linux 8 with Ansible

From Bitbull Wiki
Jump to navigation Jump to search

1 Setup Rundeck

  • 4vCPU
  • 8 GB Memory
  • 50 GB HDD
vi setup-rundeck.yml
---------------------------------
---
- hosts: srundeck01.domain.local
  vars:
    rundeck_admin_pass: ***
    # more vars as needed: look into role defaults
  roles:
  - role: joe-speedboat.rundeck
  tasks:
  - name: install firewalld
    yum:
      name: firewalld
      state: present
  - name: start firewalld
    service:
      name: firewalld
      enabled: yes
      state: started
  - name: open https port on firewalld
    firewalld:
      service: https
      permanent: true
      state: enabled
  - name: enable firewalld
    service:
      name: firewalld
      enabled: yes
      state: restarted
...
---------------------------------

ansible -m shell -a id srundeck01.domain.local
ansible-playbook setup-rundeck.yml
  • Now test rundeck login as admin with your WebBrowser

2 COMPANY specific settings

sed -i 's/^mirrorlist=\(.*\)/# mirrorlist=\1/' /etc/yum.repos.d/*.repo
sed -i 's/^#baseurl=/baseurl=/' /etc/yum.repos.d/*.repo

3 General settings

echo '#!/bin/sh
cp -av "$1" "$1.$(date +%Y%m%H%M%S)"
' > /usr/local/bin/backup
chmod 755 /usr/local/bin/backup

4 Ansible installation

# root user
dnf -y remove ansible-collection-ansible-posix ansible
dnf -y install python38-pip python38 git wget curl rsync vim sshpass

# rundeck user
python3.8 -m pip install --user ansible
echo '#ANSIBLE SETUP
export PATH=$HOME/.local/bin:$HOME/bin:$PATH
' >> $HOME/.bashrc
ln -s $HOME/.local/bin $HOME/bin
cat /etc/skel/.bash_profile > $HOME/.bash_profile
exit

# root user
chown -R rundeck.rundeck /etc/ansible
chmod -R u+rwX,go-rwx /etc/ansible

# rundeck user
cd /etc/ansible
rm -fv hosts
ansible-config init --disabled > ansible.cfg
sed -i 's/^.host_key_checking=.*/host_key_checking=False/' ansible.cfg
# sed -i 's/^.remote_user=.*/remote_user=rundeck-ops/' ansible.cfg
# sed -i 's/^.become=.*/become=True/' ansible.cfg
sed -i 's#^.inventory=.*#inventory=/etc/ansible/inventory #' ansible.cfg
sed -i 's#^.collections_path=.*#collections_path=/etc/ansible/collections:/usr/share/ansible/collections#' ansible.cfg
sed -i 's#^.roles_path=.*#roles_path=/etc/ansible/roles#' ansible.cfg
sed -i 's#^.interpreter_python=.*#interpreter_python=auto_silent#' ansible.cfg

mkdir /etc/ansible/inventory/group_vars
vim /etc/ansible/inventory/group_vars/all.yml
----------
ansible_become: True
ansible_user: deploy_rundeck_prod
----------

5 USE AND PROTECT ANSIBLE VARS WITH VAULT

# root user
dnf -y install keyutils

# we do not start this services after reboot, we do this with vault unlock
systemctl disable rundeckd nginx

vim /usr/local/sbin/init-rundeck-and-ansible.sh
----------
#!/bin/bash
echo
echo Feed the ssh private key passphrase for rundeck
echo "Hashi Vault > linuxeng_kv > application_user > ansible_vault_pw@srundeck01.domain.local"

sudo -u rundeck --login echo
echo
echo INFO: re/starting rundeck + nginx service
systemctl restart rundeckd nginx
echo
echo
echo All done
echo Now login to rundeck webUI:
echo .Test the inventory 
echo .Test AdHoc command
----------
chmod 700 /usr/local/sbin/init-rundeck-and-ansible.sh

echo '
#FEED ANSIBLE VAULT AND SSH-KEY PASSWORD after reboot
   cmd: init-rundeck-and-ansible.sh
' >> /etc/motd

# rundeck user
echo '. $HOME/bin/vault-unlock.sh -b' >> ~/.bashrc

curl https://raw.githubusercontent.com/joe-speedboat/shell.scripts/master/vault-unlock.sh > $HOME/bin/vault-unlock.sh
chown rundeck.rundeck $HOME/bin/vault-unlock.sh
chmod 700 $HOME/bin/vault-unlock.sh
sed -i "s#^.vault_password_file=.*#vault_password_file=$HOME/bin/vault-unlock.sh#" /etc/ansible/ansible.cfg

6 ZABBIX CHECK FOR LOCKED VAULTS

# root user
vim /etc/zabbix/zabbix_agent2.d/rundeck-ssh-add.conf
----------
AllowKey=system.run[sudo --login -u rundeck ssh-add -l]
DenyKey=system.run[*]
----------
chown root.zabbix /etc/zabbix/zabbix_agent2.d/rundeck-ssh-add.conf
chmod 640 /etc/zabbix/zabbix_agent2.d/rundeck-ssh-add.conf

vim /etc/sudoers.d/zabbix_agent_checks 
----------
Defaults:zabbix !requiretty
Cmnd_Alias ZABBIX_CMD = /bin/bash -c ssh-add -l
zabbix   ALL=(rundeck) NOPASSWD:ZABBIX_CMD
----------
systemctl restart zabbix-agent2
systemctl status zabbix-agent2


* Create Zabbix Check Item
  Name: ssh-agent
  Type: Zabbix Agent
  Key: system.run["sudo --login -u rundeck ssh-add -l"]
  Type: Text
  Preprocessing:
    Name: Regular Expression
    Search: .*(RSA|ERROR).*
    Replace: \1
    Type: Text

* Create Zabbix Trigger for this Item
  Name: Rundeck is locked
  Severity: Disaster
  Expression: last(/srundeck01.domain.local/system.run["sudo --login -u rundeck ssh-add -l"])="ERROR"
  Allow manual close: FALSE
  Description:
    Ansible Vault and SSH keys on host are locked.
    Please login as root and execute: init-rundeck-and-ansible.sh

7 FREEIPA INVENTORY

# rundeck user
curl https://raw.githubusercontent.com/joe-speedboat/ansible.idm-inventory/main/inventory/freeipa.py > inventory/freeipa.py
chmod 700 inventory/freeipa.py
python3.8 -m pip install --user python_freeipa

echo '# FreeIPA Ansible Inventory Auth
# FreeIPA Ansible Inventory Auth
export freeipaserver=freeipa01.domain.local
export freeipauser='svc_bind_rundeck_prod'
export freeipapassword='******'
' >> $HOME/.bashrc

8 RUNDECK FREEIPA AUTH


vim /etc/rundeck/multiauth.conf
--------------------------------
multiauth {

  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://freeipa01.domain.local:636 ldaps://freeipa02.domain.local:636"
    ldapsVerifyHostname="false"
    bindDn="uid=svc_bind_rundeck_prod,cn=users,cn=accounts,dc=domain,dc=local"
    bindPassword="******"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="cn=users,cn=accounts,dc=domain,dc=local"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="posixAccount"
    userLastNameAttribute="sn"
    userFirstNameAttribute="givenName"
    userEmailAttribute="mail"
    roleBaseDn="cn=groups,cn=accounts,dc=domain,dc=local"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="groupOfNames"
    cacheDurationMillis="300000"
    reportStatistics="true";

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};
--------------------------------

chown root.rundeck /etc/rundeck/multiauth.conf
chmod 640 /etc/rundeck/multiauth.conf


vim /etc/rundeck/rundeck-config.properties
--------------------------------
rundeck.security.syncLdapUser=true
--------------------------------

vim /etc/sysconfig/rundeckd
--------------------------------
JAAS_LOGIN=true
LOGIN_MODULE=multiauth
JAAS_CONF=/etc/rundeck/multiauth.conf
--------------------------------



vim /etc/rundeck/ansibleadm.aclpolicy
-------------------------------
description: FreeIPA Rundeck Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job: 
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: rundeckadm
---
description: FreeIPA Rundeck Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: rundeckadm
-----------------------------
chown root.rundeck /etc/rundeck/ansibleadm.aclpolicy
chmod 640 /etc/rundeck/ansibleadm.aclpolicy

echo | openssl s_client -showcerts -connect freeipa01.domain.local:636 > /etc/rundeck/ssl/idm.pem
vim /etc/rundeck/ssl/idm.pem # remove comments
cp -av /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts.orig
keytool -import -alias idm -file /etc/rundeck/ssl/idm.pem -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit

keytool -import -alias idm -file /etc/rundeck/ssl/idm.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
chown rundeck.rundeck /etc/rundeck/ssl/*

9 RUNDECK ANSIBLE PROJECT EXAMPLE

PROJECT: ansible
--------------------------------------------------------
Detail:
   Project Name: ansible
   Label: ansible_linux_ssh
Execution History Clean: 
   Enable: [X]
User Interface :
   Job Group Expansion Level: 9
Default Node Executor:
  Type: Ansible Ad-Hoc Node Executor
     Executable: /bin/bash
     Windows Executable: powershell.exe
     Ansible config file path: /etc/ansible/ansible.cfg
Default File Copier:
  Type: local
  We just use native ansible, this is not needed


PROJECT: ansible > Edit Nodes > Sources > Add
--------------------------------------------------------
Type: Ansible Resource Model Source
Ansible config file path: /etc/ansible/ansible.cfg

10 BUGS & FIXES

  • Error Msg: /bin/sh: /tmp/0-1-localhost-dispatch-script.tmp.sh: Permission denied
echo '
# ----------------------------------------------------------------
# CUSTOM VALUES
# ----------------------------------------------------------------
framework.file-copy-destination-dir = ~/
' >> /etc/rundeck/framework.properties

systemctl restart rundeckd