Install Rundeck on RockyLinux with Ansible
Revision as of 16:46, 25 October 2022 by Chris (talk | contribs) (→USE AND PROTECT ANSIBLE VARS WITH VAULT)
Contents
1 Setup Rundeck
- 4vCPU
- 8 GB Memory
- 50 GB HDD
vi setup-rundeck.yml
---------------------------------
---
- hosts: srundeck01.domain.local
vars:
rundeck_admin_pass: ***
# more vars as needed: look into role defaults
roles:
- role: joe-speedboat.rundeck
tasks:
- name: install firewalld
yum:
name: firewalld
state: present
- name: start firewalld
service:
name: firewalld
enabled: yes
state: started
- name: open https port on firewalld
firewalld:
service: https
permanent: true
state: enabled
- name: enable firewalld
service:
name: firewalld
enabled: yes
state: restarted
...
---------------------------------
ansible -m shell -a id srundeck01.domain.local
ansible-playbook setup-rundeck.yml
- Now test rundeck login as admin with your WebBrowser
2 COMPANY specific settings
sed -i 's/^mirrorlist=\(.*\)/# mirrorlist=\1/' /etc/yum.repos.d/*.repo sed -i 's/^#baseurl=/baseurl=/' /etc/yum.repos.d/*.repo
3 General settings
echo '#!/bin/sh cp -av "$1" "$1.$(date +%Y%m%H%M%S)" ' > /usr/local/bin/backup chmod 755 /usr/local/bin/backup
4 Ansible installation
# root user dnf -y remove ansible-collection-ansible-posix ansible dnf -y install python38-pip python38 git wget curl rsync vim sshpass # rundeck user python3.8 -m pip install --user ansible echo '#ANSIBLE SETUP export PATH=$HOME/.local/bin:$HOME/bin:$PATH ' >> $HOME/.bashrc ln -s $HOME/.local/bin $HOME/bin cat /etc/skel/.bash_profile > $HOME/.bash_profile exit # root user chown -R rundeck.rundeck /etc/ansible chmod -R u+rwX,go-rwx /etc/ansible # rundeck user cd /etc/ansible rm -fv hosts ansible-config init --disabled > ansible.cfg sed -i 's/^.host_key_checking=.*/host_key_checking=False/' ansible.cfg # sed -i 's/^.remote_user=.*/remote_user=rundeck-ops/' ansible.cfg # sed -i 's/^.become=.*/become=True/' ansible.cfg sed -i 's#^.inventory=.*#inventory=/etc/ansible/inventory #' ansible.cfg sed -i 's#^.collections_path=.*#collections_path=/etc/ansible/collections:/usr/share/ansible/collections#' ansible.cfg sed -i 's#^.roles_path=.*#roles_path=/etc/ansible/roles#' ansible.cfg sed -i 's#^.interpreter_python=.*#interpreter_python=auto_silent#' ansible.cfg mkdir /etc/ansible/inventory/group_vars vim /etc/ansible/inventory/group_vars/all.yml ---------- ansible_become: True ansible_user: deploy_rundeck_prod ----------
5 USE AND PROTECT ANSIBLE VARS WITH VAULT
# root user dnf -y install keyutils # we do not start this services after reboot, we do this with vault unlock systemctl disable rundeckd nginx vim /usr/local/sbin/init-rundeck-and-ansible.sh ---------- #!/bin/bash echo echo Feed the ssh private key passphrase for rundeck echo "Hashi Vault > linuxeng_kv > application_user > ansible_vault_pw@srundeck01.domain.local" sudo -u rundeck --login echo echo echo INFO: re/starting rundeck + nginx service systemctl restart rundeckd nginx echo echo echo All done echo Now login to rundeck webUI: echo .Test the inventory echo .Test AdHoc command ---------- chmod 700 /usr/local/sbin/init-rundeck-and-ansible.sh echo ' #FEED ANSIBLE VAULT AND SSH-KEY PASSWORD after reboot cmd: init-rundeck-and-ansible.sh ' >> /etc/motd # rundeck user echo '. $HOME/bin/vault-unlock.sh -b' >> ~/.bashrc curl https://raw.githubusercontent.com/joe-speedboat/shell.scripts/master/vault-unlock.sh > $HOME/bin/vault-unlock.sh chown rundeck.rundeck $HOME/bin/vault-unlock.sh chmod 700 $HOME/bin/vault-unlock.sh sed -i "s#^.vault_password_file=.*#vault_password_file=$HOME/bin/vault-unlock.sh#" /etc/ansible/ansible.cfg
6 ZABBIX CHECK FOR LOCKED VAULTS
# root user
vim /etc/zabbix/zabbix_agent2.d/rundeck-ssh-add.conf
----------
AllowKey=system.run[sudo --login -u rundeck ssh-add -l]
DenyKey=system.run[*]
----------
chown root.zabbix /etc/zabbix/zabbix_agent2.d/rundeck-ssh-add.conf
chmod 640 /etc/zabbix/zabbix_agent2.d/rundeck-ssh-add.conf
vim /etc/sudoers.d/zabbix_agent_checks
----------
Defaults:zabbix !requiretty
Cmnd_Alias ZABBIX_CMD = /bin/bash -c ssh-add -l
zabbix ALL=(rundeck) NOPASSWD:ZABBIX_CMD
----------
systemctl restart zabbix-agent2
systemctl status zabbix-agent2
* Create Zabbix Check Item
Name: ssh-agent
Type: Zabbix Agent
Key: system.run["sudo --login -u rundeck ssh-add -l"]
Type: Text
Preprocessing:
Name: Regular Expression
Search: .*(RSA|ERROR).*
Replace: \1
Type: Text
* Create Zabbix Trigger for this Item
Name: Rundeck is locked
Severity: Disaster
Expression: last(/srundeck01.domain.local/system.run["sudo --login -u rundeck ssh-add -l"])="ERROR"
Allow manual close: FALSE
Description:
Ansible Vault and SSH keys on host are locked.
Please login as root and execute: init-rundeck-and-ansible.sh
7 FREEIPA INVENTORY
# rundeck user curl https://raw.githubusercontent.com/joe-speedboat/ansible.idm-inventory/main/inventory/freeipa.py > inventory/freeipa.py chmod 700 inventory/freeipa.py python3.8 -m pip install --user python_freeipa echo '# FreeIPA Ansible Inventory Auth # FreeIPA Ansible Inventory Auth export freeipaserver=freeipa01.domain.local export freeipauser='svc_bind_rundeck_prod' export freeipapassword='******' ' >> $HOME/.bashrc
8 RUNDECK FREEIPA AUTH
vim /etc/rundeck/multiauth.conf
--------------------------------
multiauth {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldaps://freeipa01.domain.local:636 ldaps://freeipa02.domain.local:636"
ldapsVerifyHostname="false"
bindDn="uid=svc_bind_rundeck_prod,cn=users,cn=accounts,dc=domain,dc=local"
bindPassword="******"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="cn=users,cn=accounts,dc=domain,dc=local"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="userPassword"
userObjectClass="posixAccount"
userLastNameAttribute="sn"
userFirstNameAttribute="givenName"
userEmailAttribute="mail"
roleBaseDn="cn=groups,cn=accounts,dc=domain,dc=local"
roleNameAttribute="cn"
roleMemberAttribute="member"
roleObjectClass="groupOfNames"
cacheDurationMillis="300000"
reportStatistics="true";
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
debug="true"
file="/etc/rundeck/realm.properties";
};
--------------------------------
chown root.rundeck /etc/rundeck/multiauth.conf
chmod 640 /etc/rundeck/multiauth.conf
vim /etc/rundeck/rundeck-config.properties
--------------------------------
rundeck.security.syncLdapUser=true
--------------------------------
vim /etc/sysconfig/rundeckd
--------------------------------
JAAS_LOGIN=true
LOGIN_MODULE=multiauth
JAAS_CONF=/etc/rundeck/multiauth.conf
--------------------------------
vim /etc/rundeck/ansibleadm.aclpolicy
-------------------------------
description: FreeIPA Rundeck Admin, all access.
context:
project: '.*' # all projects
for:
resource:
- allow: '*' # allow read/create all kinds
adhoc:
- allow: '*' # allow read/running/killing adhoc jobs
job:
- allow: '*' # allow read/write/delete/run/kill of all jobs
node:
- allow: '*' # allow read/run for all nodes
by:
group: rundeckadm
---
description: FreeIPA Rundeck Admin, all access.
context:
application: 'rundeck'
for:
resource:
- allow: '*' # allow create of projects
project:
- allow: '*' # allow view/admin of all projects
project_acl:
- allow: '*' # allow admin of all project-level ACL policies
storage:
- allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
group: rundeckadm
-----------------------------
chown root.rundeck /etc/rundeck/ansibleadm.aclpolicy
chmod 640 /etc/rundeck/ansibleadm.aclpolicy
echo | openssl s_client -showcerts -connect freeipa01.domain.local:636 > /etc/rundeck/ssl/idm.pem
vim /etc/rundeck/ssl/idm.pem # remove comments
cp -av /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts.orig
keytool -import -alias idm -file /etc/rundeck/ssl/idm.pem -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit
keytool -import -alias idm -file /etc/rundeck/ssl/idm.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
chown rundeck.rundeck /etc/rundeck/ssl/*
9 RUNDECK ANSIBLE PROJECT EXAMPLE
PROJECT: ansible
--------------------------------------------------------
Detail:
Project Name: ansible
Label: ansible_linux_ssh
Execution History Clean:
Enable: [X]
User Interface :
Job Group Expansion Level: 9
Default Node Executor:
Type: Ansible Ad-Hoc Node Executor
Executable: /bin/bash
Windows Executable: powershell.exe
Ansible config file path: /etc/ansible/ansible.cfg
Default File Copier:
Type: local
We just use native ansible, this is not needed
PROJECT: ansible > Edit Nodes > Sources > Add
--------------------------------------------------------
Type: Ansible Resource Model Source
Ansible config file path: /etc/ansible/ansible.cfg
10 BUGS & FIXES
- Error Msg: /bin/sh: /tmp/0-1-localhost-dispatch-script.tmp.sh: Permission denied
echo ' # ---------------------------------------------------------------- # CUSTOM VALUES # ---------------------------------------------------------------- framework.file-copy-destination-dir = ~/ ' >> /etc/rundeck/framework.properties systemctl restart rundeckd
