Difference between revisions of "Install Rundeck on RockyLinux with Ansible"
(Created page with "Install rundeck on Alma Linux 8 =HARDWARE= * CPU: 2 * MEM: 4GB * DISK: 50GB * INSTALL TYPE: MINIMAL * SELINUX: ENFORCED =SETUP NOTES= ==Setup Ansible== You will need this a...") |
|||
| Line 1: | Line 1: | ||
| − | + | Setup Rundeck with native Ansible integration for Windows and Linux with Dynamic Inventory | |
| + | * OS: Alma Linux 8.6 | ||
| + | * Hostname: rundeck01.domain.tld | ||
| + | * vMemory: 6GB | ||
| + | * vDisk: 40GB | ||
| + | * vCPU: 6 | ||
| − | = | + | =SETUP RUNDECK SERVER= |
| − | * | + | * vi /etc/ansible/playbooks/setup-rundeck.yml |
| − | * | + | <pre> |
| − | * | + | --- |
| − | * | + | - hosts: rundeck01.domain.tld |
| − | * | + | vars: |
| + | rundeck_admin_pass: xxxxxx | ||
| + | roles: | ||
| + | - role: joe-speedboat.rundeck | ||
| + | tasks: | ||
| + | - name: install firewalld | ||
| + | yum: | ||
| + | name: firewalld | ||
| + | state: present | ||
| + | - name: start firewalld | ||
| + | service: | ||
| + | name: firewalld | ||
| + | enabled: yes | ||
| + | state: started | ||
| + | - name: open http port on firewalld | ||
| + | firewalld: | ||
| + | service: http | ||
| + | permanent: true | ||
| + | state: enabled | ||
| + | - name: open https port on firewalld | ||
| + | firewalld: | ||
| + | service: https | ||
| + | permanent: true | ||
| + | state: enabled | ||
| + | - name: enable firewalld | ||
| + | service: | ||
| + | name: firewalld | ||
| + | enabled: yes | ||
| + | state: restarted | ||
| + | ... | ||
| + | </pre> | ||
| + | |||
| + | ansible -m shell -a id rundeck01.domain.tld | ||
| + | ansible-playbook setup-rundeck.yml | ||
| + | |||
| + | * Test webUI login | ||
| + | |||
| + | ==BASIC SETUP== | ||
| + | |||
| + | echo '#!/bin/sh | ||
| + | cp -av "$1" "$1.$(date +%Y%m%H%M%S)" | ||
| + | ' > /usr/local/bin/backup | ||
| + | chmod 755 /usr/local/bin/backup | ||
| + | |||
| + | dnf -y install epel-release | ||
| + | dnf -y install git wget curl rsync vim | ||
| + | |||
| + | ==SETUP ANSIBLE== | ||
| + | dnf -y install python38-pip python38 sshpass | ||
| + | |||
| + | <pre> | ||
| + | su - rundeck | ||
| + | python3.8 -m pip install --user ansible | ||
| + | |||
| + | echo '#ANSIBLE SETUP | ||
| + | export PATH=$HOME/.local/bin:$HOME/bin:$PATH | ||
| + | ' >> $HOME/.bashrc | ||
| + | |||
| + | ln -s $HOME/.local/bin $HOME/bin | ||
| + | cat /etc/skel/.bash_profile > $HOME/.bash_profile | ||
| + | exit | ||
| + | </pre> | ||
| + | |||
| + | chown -R root.rundeck /etc/ansible | ||
| + | chmod -R ug+rwX /etc/ansible | ||
| + | |||
| + | <pre> | ||
| + | su - rundeck | ||
| + | cd /etc/ansible | ||
| + | rm -fv hosts | ||
| + | ansible-config init --disabled > ansible.cfg | ||
| + | sed -i 's/^.host_key_checking=.*/host_key_checking=False/' ansible.cfg | ||
| + | # sed -i 's/^.remote_user=.*/remote_user=rundeck-ops/' ansible.cfg | ||
| + | # sed -i 's/^.become=.*/become=True/' ansible.cfg | ||
| + | sed -i 's#^.inventory=.*#inventory=/etc/ansible/inventory #' ansible.cfg | ||
| + | sed -i 's#^.collections_path=.*#collections_path=/etc/ansible/collections:/usr/share/ansible/collections#' ansible.cfg | ||
| + | sed -i 's#^.roles_path=.*#roles_path=/etc/ansible/roles#' ansible.cfg | ||
| + | sed -i 's#^.interpreter_python=.*#interpreter_python=auto_silent#' ansible.cfg | ||
| + | |||
| + | mkdir /etc/ansible/inventory/group_vars | ||
| + | </pre> | ||
| + | |||
| + | * vim /etc/ansible/inventory/group_vars/all.yml | ||
| + | # Ansible Linux client defaults | ||
| + | become: True | ||
| + | ansible_user: rundeck-ops | ||
| + | |||
| + | |||
| + | * vim /etc/ansible/inventory/win.yml | ||
| + | <pre> | ||
| + | all: | ||
| + | hosts: | ||
| + | children: | ||
| + | win: | ||
| + | hosts: | ||
| + | win01: | ||
| + | </pre> | ||
| + | |||
| + | * vim /etc/ansible/inventory/group_vars/win.yml | ||
| + | <pre> | ||
| + | ansible_user: winrm | ||
| + | ansible_password: xxxxxx | ||
| + | ansible_connection: winrm | ||
| + | ansible_winrm_server_cert_validation: ignore | ||
| + | ansible_shell_type: powershell | ||
| + | </pre> | ||
| + | |||
| + | ansible-galaxy role install joe-speedboat.ansible_ospatch | ||
| + | ls -l /etc/ansible/roles/joe-speedboat.ansible_ospatch | ||
| + | |||
| + | ansible-galaxy collection install community.mysql | ||
| + | ls -l /etc/ansible/collections/ansible_collections/community/mysql | ||
| + | |||
| + | |||
| + | ==USE AND PROTECT ANSIBLE VARS WITH VAULT== | ||
| + | |||
| + | sed -i 's#^.vault_password_file=.*#vault_password_file=/etc/ansible/vault_unlock#' ansible.cfg | ||
| + | |||
| + | * create vault unlock helper which can store passwords until next reboot | ||
| + | <pre> | ||
| + | echo '#!/bin/bash | ||
| + | NAME=vault | ||
| + | PW_CNT=$(keyctl search @u user $NAME 2>/dev/null | wc -l) | ||
| + | if [ $PW_CNT -lt 1 ] | ||
| + | then | ||
| + | read -s -p 'Feed vault password: ' PASS | ||
| + | keyctl add user $NAME "$PASS" @u | ||
| + | else | ||
| + | keyctl print $(keyctl search @u user $NAME 2>/dev/null) | ||
| + | fi' > /etc/ansible/vault_unlock | ||
| + | </pre> | ||
| + | |||
| + | chmod 700 /etc/ansible/vault_unlock | ||
| + | |||
| + | /etc/ansible/vault_unlock | ||
| + | Feed and remember the password for vault<br> | ||
| + | Call it again to get the password shown | ||
| + | |||
| + | * Create motd hint | ||
| + | <pre> | ||
| + | echo ' | ||
| + | #FEED ANSIBLE VAULT PASSWORD after reboot | ||
| + | cmd: sudo -u rundeck --login /etc/ansible/vault_unlock | ||
| + | ' >> /etc/motd | ||
| + | </pre> | ||
| + | |||
| + | |||
| + | cat /etc/ansible/inventory/group_vars/win.yml | ||
| + | See it is plain | ||
| + | |||
| + | * cryp your sensible data | ||
| + | ansible-vault encrypy /etc/ansible/inventory/group_vars/win.yml | ||
| + | |||
| + | |||
| + | cat /etc/ansible/inventory/group_vars/win.yml | ||
| + | It is crypted now | ||
| + | |||
| + | * Edit it | ||
| + | ansible-vault edit /etc/ansible/inventory/group_vars/win.yml | ||
| − | |||
| − | == | + | ==FREEIPA INVENTORY== |
| − | + | ||
| − | curl - | + | su - rundeck |
| + | curl https://raw.githubusercontent.com/joe-speedboat/ansible.idm-inventory/main/inventory/freeipa.py > inventory/freeipa.py | ||
| + | chmod 700 inventory/freeipa.py | ||
| − | |||
<pre> | <pre> | ||
| − | + | echo '# FreeIPA Ansible Inventory Auth | |
| + | export freeipaserver=directory01.domain.tld | ||
| + | export freeipauser=rundeck-bind | ||
| + | export freeipapassword=xxxxx | ||
| + | ' >> $HOME/.bashrc | ||
| + | </pre> | ||
| + | |||
| + | . $HOME/.bashrc | ||
| + | python3.8 -m pip install --user python_freeipa | ||
| + | |||
| + | |||
| + | |||
| + | ==FREEIPA AUTH== | ||
| − | + | * vim /etc/rundeck/multiauth.conf | |
| − | |||
</pre> | </pre> | ||
| + | multiauth { | ||
| − | == | + | com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient |
| + | debug="true" | ||
| + | contextFactory="com.sun.jndi.ldap.LdapCtxFactory" | ||
| + | providerUrl="ldaps://directory01.domain.tld:636" | ||
| + | bindDn="uid=rundeck-bind,cn=users,cn=accounts,dc=domain,dc=tld" | ||
| + | bindPassword="xxx" | ||
| + | authenticationMethod="simple" | ||
| + | forceBindingLogin="true" | ||
| + | userBaseDn="cn=users,cn=accounts,dc=domain,dc=tld" | ||
| + | userRdnAttribute="uid" | ||
| + | userIdAttribute="uid" | ||
| + | userPasswordAttribute="userPassword" | ||
| + | userObjectClass="posixAccount" | ||
| + | userLastNameAttribute="sn" | ||
| + | userFirstNameAttribute="givenName" | ||
| + | userEmailAttribute="mail" | ||
| + | |||
| + | roleBaseDn="cn=groups,cn=accounts,dc=domain,dc=tld" | ||
| + | roleNameAttribute="cn" | ||
| + | roleMemberAttribute="member" | ||
| + | roleObjectClass="groupOfNames" | ||
| + | cacheDurationMillis="300000" | ||
| + | reportStatistics="true"; | ||
| + | |||
| + | org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required | ||
| + | debug="true" | ||
| + | file="/etc/rundeck/realm.properties"; | ||
| + | }; | ||
| + | </pre> | ||
| + | |||
| + | chown root.rundeck /etc/rundeck/multiauth.conf | ||
| + | chmod 640 /etc/rundeck/multiauth.conf | ||
| + | |||
| + | |||
| + | * vim /etc/rundeck/rundeck-config.properties | ||
| + | rundeck.security.syncLdapUser=true | ||
| + | |||
| + | |||
| + | * vim /etc/sysconfig/rundeckd | ||
| + | JAAS_LOGIN=true | ||
| + | LOGIN_MODULE=multiauth | ||
| + | JAAS_CONF=/etc/rundeck/multiauth.conf | ||
| + | |||
| + | * vim /etc/rundeck/ansibleadmin.aclpolicy | ||
<pre> | <pre> | ||
| − | + | description: Admin, all access. | |
| − | + | context: | |
| − | + | project: '.*' # all projects | |
| − | + | for: | |
| − | + | resource: | |
| − | + | - allow: '*' # allow read/create all kinds | |
| + | adhoc: | ||
| + | - allow: '*' # allow read/running/killing adhoc jobs | ||
| + | job: | ||
| + | - allow: '*' # allow read/write/delete/run/kill of all jobs | ||
| + | node: | ||
| + | - allow: '*' # allow read/run for all nodes | ||
| + | by: | ||
| + | group: ansibleadmin | ||
| + | |||
--- | --- | ||
| − | + | ||
| − | + | description: Admin, all access. | |
| − | + | context: | |
| − | + | application: 'rundeck' | |
| − | + | for: | |
| − | + | resource: | |
| − | + | - allow: '*' # allow create of projects | |
| − | + | project: | |
| − | + | - allow: '*' # allow view/admin of all projects | |
| − | - | + | project_acl: |
| − | + | - allow: '*' # allow admin of all project-level ACL policies | |
| − | + | storage: | |
| − | + | - allow: '*' # allow read/create/update/delete for all /keys/* storage content | |
| − | + | by: | |
| − | . | + | group: ansibleadmin |
| − | + | </pre> | |
| − | + | ||
| + | chown root.rundeck /etc/rundeck/ansibleadmin.aclpolicy | ||
| + | chmod 640 /etc/rundeck/ansibleadmin.aclpolicy | ||
| + | |||
| + | |||
| + | echo | openssl s_client -showcerts -connect directory01.domain.tld:636 > /etc/rundeck/ssl/directory01_ldaps.pem | ||
| + | vim /etc/rundeck/ssl/directory01_ldaps.pem # remove comments | ||
| + | cp -av /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts.orig | ||
| + | keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit | ||
| + | |||
| + | keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin | ||
| + | chown rundeck.rundeck /etc/rundeck/ssl/* | ||
| + | |||
| + | ==PROTECT SSH PRIVATE KEY== | ||
| + | dnf -y install keychain | ||
| + | su - ansible | ||
| + | ssh-keygen -p # change passphrase | ||
| + | |||
| + | echo '# remember ssh passphrase until next reboog | ||
| + | keychain -Q -q ~/.ssh/id_rsa < /dev/null | ||
| + | [ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh | ||
| + | ' >> $HOME/.bashrc | ||
| + | |||
| + | <pre> | ||
| + | echo '#!/bin/bash | ||
| + | echo | ||
| + | echo Now feed the ssh private key passphrase for rundeck | ||
| + | sudo -u rundeck --login exit | ||
| + | echo | ||
| + | echo INFO: restarting rundeck service | ||
| + | systemctl restart rundeckd | ||
| + | echo | ||
| + | echo | ||
| + | echo All done | ||
| + | echo Now login to rundeck webUI: | ||
| + | echo .Test the inventory | ||
| + | echo .Test AdHoc command | ||
| + | ' > /usr/local/sbin/init-rundeck-and-ansible.sh | ||
| + | </pre> | ||
| + | |||
| + | chmod 700 /usr/local/sbin/init-rundeck-and-ansible.sh | ||
| + | |||
| + | echo ' | ||
| + | #FEED RUNDECKs SSH PASSPHRASE AFTER EACH REBOOT | ||
| + | cmd: init-rundeck-and-ansible.sh | ||
| + | ' >> /etc/motd | ||
| + | |||
| + | reboot | ||
| + | |||
| + | ==RUNDECK PROJECT: ansible== | ||
| + | <pre> | ||
| + | Detail: | ||
| + | Project Name: ansible | ||
| + | Label: ansible_linux_ssh | ||
| + | Execution History Clean: | ||
| + | Enable: [X] | ||
| + | User Interface : | ||
| + | Job Group Expansion Level: 9 | ||
| + | Default Node Executor: | ||
| + | Type: Ansible Ad-Hoc Node Executor | ||
| + | Executable: /bin/bash | ||
| + | Windows Executable: powershell.exe | ||
| + | Ansible config file path: /etc/ansible/ansible.cfg | ||
| + | Default File Copier: | ||
| + | Type: local | ||
| + | We just use native ansible, this is not needed | ||
</pre> | </pre> | ||
| − | + | * PROJECT: ansible > Edit Nodes > Sources > Add | |
| − | + | :* Type: Ansible Resource Model Source | |
| + | :* Ansible config file path: /etc/ansible/ansible.cfg | ||
| − | == | + | ==BUGS & FIXES== |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | * Error Msg: /bin/sh: /tmp/0-1-localhost-dispatch-script.tmp.sh: Permission denied | |
| − | * | + | <pre> |
| − | + | echo ' | |
| + | # ---------------------------------------------------------------- | ||
| + | # User Defined Values | ||
| + | # ---------------------------------------------------------------- | ||
| + | framework.file-copy-destination-dir = ~/ | ||
| + | ' >> /etc/rundeck/framework.properties | ||
| + | |||
| + | systemctl restart rundeckd | ||
| + | </pre> | ||
| − | |||
[[Category:Alma8]] | [[Category:Alma8]] | ||
[[Category:Ansible]] | [[Category:Ansible]] | ||
| + | [[Category:Linux]] | ||
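Review bot: The vault_unlock helper written with `echo '…' > /etc/ansible/vault_unlock` in the vault section is broken by the nested single quotes on `read -s -p 'Feed vault password: ' PASS` — the outer quoted string ends at `-p '`, so the file on disk receives `read -s -p Feed vault password:  PASS` and `read` aborts on the invalid identifier `password:`; writing the helper through a quoted heredoc (below) avoids the quoting problem and also lets the expansions be quoted. Two settings in the Ansible setup accept a risk without saying so and deserve a comment on the line: `host_key_checking=False` in ansible.cfg removes SSH host-key verification for every managed Linux host, and `ansible_winrm_server_cert_validation: ignore` in group_vars/win.yml does the same for the WinRM TLS connection, so each should be annotated as a deliberate choice (e.g. `# lab only: no host-key verification`) or replaced by a pre-populated known_hosts file and a trusted CA. The LDAPS trust step imports whatever chain `openssl s_client -showcerts` received at fetch time into both the system cacerts and the Rundeck truststore, with no independent check of that chain, and the `-storepass changeit` / `-storepass adminadmin` values are passed on argv where they land in shell history; a comment noting that these are the Java and Rundeck default keystore passwords and that the CA certificate should be obtained out of band would help the next reader. Smaller: the backup helper's date format `%Y%m%H%M%S` omits the day (`%Y%m%d%H%M%S`), and the `ansible-vault encrypy` command is misspelled (`encrypt`).
```shell
cat <<'EOF' > /etc/ansible/vault_unlock
#!/bin/bash
# Keeps the Ansible vault password in the user keyring until the next reboot;
# first call prompts for it, later calls print it (used as vault_password_file).
NAME=vault
PW_CNT=$(keyctl search @u user "$NAME" 2>/dev/null | wc -l)
if [ "$PW_CNT" -lt 1 ]; then
  read -r -s -p 'Feed vault password: ' PASS
  keyctl add user "$NAME" "$PASS" @u
else
  keyctl print "$(keyctl search @u user "$NAME" 2>/dev/null)"
fi
EOF
```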
Revision as of 05:48, 28 June 2022
Setup Rundeck with native Ansible integration for Windows and Linux with Dynamic Inventory
- OS: Alma Linux 8.6
- Hostname: rundeck01.domain.tld
- vMemory: 6GB
- vDisk: 40GB
- vCPU: 6
1 SETUP RUNDECK SERVER
- vi /etc/ansible/playbooks/setup-rundeck.yml
---
- hosts: rundeck01.domain.tld
vars:
rundeck_admin_pass: xxxxxx
roles:
- role: joe-speedboat.rundeck
tasks:
- name: install firewalld
yum:
name: firewalld
state: present
- name: start firewalld
service:
name: firewalld
enabled: yes
state: started
- name: open http port on firewalld
firewalld:
service: http
permanent: true
state: enabled
- name: open https port on firewalld
firewalld:
service: https
permanent: true
state: enabled
- name: enable firewalld
service:
name: firewalld
enabled: yes
state: restarted
...
ansible -m shell -a id rundeck01.domain.tld ansible-playbook setup-rundeck.yml
- Test webUI login
1.1 BASIC SETUP
echo '#!/bin/sh cp -av "$1" "$1.$(date +%Y%m%H%M%S)" ' > /usr/local/bin/backup chmod 755 /usr/local/bin/backup
dnf -y install epel-release dnf -y install git wget curl rsync vim
1.2 SETUP ANSIBLE
dnf -y install python38-pip python38 sshpass
su - rundeck python3.8 -m pip install --user ansible echo '#ANSIBLE SETUP export PATH=$HOME/.local/bin:$HOME/bin:$PATH ' >> $HOME/.bashrc ln -s $HOME/.local/bin $HOME/bin cat /etc/skel/.bash_profile > $HOME/.bash_profile exit
chown -R root.rundeck /etc/ansible chmod -R ug+rwX /etc/ansible
su - rundeck cd /etc/ansible rm -fv hosts ansible-config init --disabled > ansible.cfg sed -i 's/^.host_key_checking=.*/host_key_checking=False/' ansible.cfg # sed -i 's/^.remote_user=.*/remote_user=rundeck-ops/' ansible.cfg # sed -i 's/^.become=.*/become=True/' ansible.cfg sed -i 's#^.inventory=.*#inventory=/etc/ansible/inventory #' ansible.cfg sed -i 's#^.collections_path=.*#collections_path=/etc/ansible/collections:/usr/share/ansible/collections#' ansible.cfg sed -i 's#^.roles_path=.*#roles_path=/etc/ansible/roles#' ansible.cfg sed -i 's#^.interpreter_python=.*#interpreter_python=auto_silent#' ansible.cfg mkdir /etc/ansible/inventory/group_vars
- vim /etc/ansible/inventory/group_vars/all.yml
# Ansible Linux client defaults become: True ansible_user: rundeck-ops
- vim /etc/ansible/inventory/win.yml
all:
hosts:
children:
win:
hosts:
win01:
- vim /etc/ansible/inventory/group_vars/win.yml
ansible_user: winrm ansible_password: xxxxxx ansible_connection: winrm ansible_winrm_server_cert_validation: ignore ansible_shell_type: powershell
ansible-galaxy role install joe-speedboat.ansible_ospatch ls -l /etc/ansible/roles/joe-speedboat.ansible_ospatch
ansible-galaxy collection install community.mysql ls -l /etc/ansible/collections/ansible_collections/community/mysql
1.3 USE AND PROTECT ANSIBLE VARS WITH VAULT
sed -i 's#^.vault_password_file=.*#vault_password_file=/etc/ansible/vault_unlock#' ansible.cfg
- Create a vault-unlock helper that stores the password until the next reboot
echo '#!/bin/bash NAME=vault PW_CNT=$(keyctl search @u user $NAME 2>/dev/null | wc -l) if [ $PW_CNT -lt 1 ] then read -s -p 'Feed vault password: ' PASS keyctl add user $NAME "$PASS" @u else keyctl print $(keyctl search @u user $NAME 2>/dev/null) fi' > /etc/ansible/vault_unlock
chmod 700 /etc/ansible/vault_unlock
/etc/ansible/vault_unlock
Enter the vault password; it is remembered until the next reboot.
Call it again and the stored password is printed.
- Create motd hint
echo ' #FEED ANSIBLE VAULT PASSWORD after reboot cmd: sudo -u rundeck --login /etc/ansible/vault_unlock ' >> /etc/motd
cat /etc/ansible/inventory/group_vars/win.yml
Note that it is still in plain text.
- Encrypt your sensitive data
ansible-vault encrypy /etc/ansible/inventory/group_vars/win.yml
cat /etc/ansible/inventory/group_vars/win.yml
It is encrypted now.
- Edit it
ansible-vault edit /etc/ansible/inventory/group_vars/win.yml
1.4 FREEIPA INVENTORY
su - rundeck curl https://raw.githubusercontent.com/joe-speedboat/ansible.idm-inventory/main/inventory/freeipa.py > inventory/freeipa.py chmod 700 inventory/freeipa.py
echo '# FreeIPA Ansible Inventory Auth export freeipaserver=directory01.domain.tld export freeipauser=rundeck-bind export freeipapassword=xxxxx ' >> $HOME/.bashrc
. $HOME/.bashrc python3.8 -m pip install --user python_freeipa
1.5 FREEIPA AUTH
- vim /etc/rundeck/multiauth.conf
multiauth {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient debug="true" contextFactory="com.sun.jndi.ldap.LdapCtxFactory" providerUrl="ldaps://directory01.domain.tld:636" bindDn="uid=rundeck-bind,cn=users,cn=accounts,dc=domain,dc=tld" bindPassword="xxx" authenticationMethod="simple" forceBindingLogin="true" userBaseDn="cn=users,cn=accounts,dc=domain,dc=tld" userRdnAttribute="uid" userIdAttribute="uid" userPasswordAttribute="userPassword" userObjectClass="posixAccount" userLastNameAttribute="sn" userFirstNameAttribute="givenName" userEmailAttribute="mail"
roleBaseDn="cn=groups,cn=accounts,dc=domain,dc=tld" roleNameAttribute="cn" roleMemberAttribute="member" roleObjectClass="groupOfNames" cacheDurationMillis="300000" reportStatistics="true";
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required debug="true" file="/etc/rundeck/realm.properties";
};
chown root.rundeck /etc/rundeck/multiauth.conf chmod 640 /etc/rundeck/multiauth.conf
- vim /etc/rundeck/rundeck-config.properties
rundeck.security.syncLdapUser=true
- vim /etc/sysconfig/rundeckd
JAAS_LOGIN=true LOGIN_MODULE=multiauth JAAS_CONF=/etc/rundeck/multiauth.conf
- vim /etc/rundeck/ansibleadmin.aclpolicy
description: Admin, all access.
context:
project: '.*' # all projects
for:
resource:
- allow: '*' # allow read/create all kinds
adhoc:
- allow: '*' # allow read/running/killing adhoc jobs
job:
- allow: '*' # allow read/write/delete/run/kill of all jobs
node:
- allow: '*' # allow read/run for all nodes
by:
group: ansibleadmin
---
description: Admin, all access.
context:
application: 'rundeck'
for:
resource:
- allow: '*' # allow create of projects
project:
- allow: '*' # allow view/admin of all projects
project_acl:
- allow: '*' # allow admin of all project-level ACL policies
storage:
- allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
group: ansibleadmin
chown root.rundeck /etc/rundeck/ansibleadmin.aclpolicy chmod 640 /etc/rundeck/ansibleadmin.aclpolicy
echo | openssl s_client -showcerts -connect directory01.domain.tld:636 > /etc/rundeck/ssl/directory01_ldaps.pem vim /etc/rundeck/ssl/directory01_ldaps.pem # remove comments cp -av /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts.orig keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit
keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin chown rundeck.rundeck /etc/rundeck/ssl/*
1.6 PROTECT SSH PRIVATE KEY
dnf -y install keychain su - ansible ssh-keygen -p # change passphrase
echo '# remember ssh passphrase until next reboog keychain -Q -q ~/.ssh/id_rsa < /dev/null [ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh ' >> $HOME/.bashrc
echo '#!/bin/bash echo echo Now feed the ssh private key passphrase for rundeck sudo -u rundeck --login exit echo echo INFO: restarting rundeck service systemctl restart rundeckd echo echo echo All done echo Now login to rundeck webUI: echo .Test the inventory echo .Test AdHoc command ' > /usr/local/sbin/init-rundeck-and-ansible.sh
chmod 700 /usr/local/sbin/init-rundeck-and-ansible.sh
echo ' #FEED RUNDECKs SSH PASSPHRASE AFTER EACH REBOOT cmd: init-rundeck-and-ansible.sh ' >> /etc/motd
reboot
1.7 RUNDECK PROJECT: ansible
Detail:
Project Name: ansible
Label: ansible_linux_ssh
Execution History Clean:
Enable: [X]
User Interface :
Job Group Expansion Level: 9
Default Node Executor:
Type: Ansible Ad-Hoc Node Executor
Executable: /bin/bash
Windows Executable: powershell.exe
Ansible config file path: /etc/ansible/ansible.cfg
Default File Copier:
Type: local
We use native Ansible, so this is not needed.
- PROJECT: ansible > Edit Nodes > Sources > Add
- Type: Ansible Resource Model Source
- Ansible config file path: /etc/ansible/ansible.cfg
1.8 BUGS & FIXES
- Error Msg: /bin/sh: /tmp/0-1-localhost-dispatch-script.tmp.sh: Permission denied
echo ' # ---------------------------------------------------------------- # User Defined Values # ---------------------------------------------------------------- framework.file-copy-destination-dir = ~/ ' >> /etc/rundeck/framework.properties systemctl restart rundeckd