Difference between revisions of "Install Rundeck on RockyLinux with Ansible"
Jump to navigation
Jump to search
(Created page with "Install rundeck on Alma Linux 8 =HARDWARE= * CPU: 2 * MEM: 4GB * DISK: 50GB * INSTALL TYPE: MINIMAL * SELINUX: ENFORCED =SETUP NOTES= ==Setup Ansible== You will need this a...") |
|||
Line 1: | Line 1: | ||
− | + | Setup Rundeck with native Ansible integration for Windows and Linux with Dynamic Inventory | |
+ | * OS: Alma Linux 8.6 | ||
+ | * Hostname: rundeck01.domain.tld | ||
+ | * vMemory: 6GB | ||
+ | * vDisk: 40GB | ||
+ | * vCPU: 6 | ||
− | = | + | =SETUP RUNDECK SERVER= |
− | * | + | * vi /etc/ansible/playbooks/setup-rundeck.yml |
− | * | + | <pre> |
− | * | + | --- |
− | * | + | - hosts: rundeck01.domain.tld |
− | * | + | vars: |
+ | rundeck_admin_pass: xxxxxx | ||
+ | roles: | ||
+ | - role: joe-speedboat.rundeck | ||
+ | tasks: | ||
+ | - name: install firewalld | ||
+ | yum: | ||
+ | name: firewalld | ||
+ | state: present | ||
+ | - name: start firewalld | ||
+ | service: | ||
+ | name: firewalld | ||
+ | enabled: yes | ||
+ | state: started | ||
+ | - name: open http port on firewalld | ||
+ | firewalld: | ||
+ | service: http | ||
+ | permanent: true | ||
+ | state: enabled | ||
+ | - name: open https port on firewalld | ||
+ | firewalld: | ||
+ | service: https | ||
+ | permanent: true | ||
+ | state: enabled | ||
+ | - name: enable firewalld | ||
+ | service: | ||
+ | name: firewalld | ||
+ | enabled: yes | ||
+ | state: restarted | ||
+ | ... | ||
+ | </pre> | ||
+ | |||
+ | ansible -m shell -a id rundeck01.domain.tld | ||
+ | ansible-playbook setup-rundeck.yml | ||
+ | |||
+ | * Test webUI login | ||
+ | |||
+ | ==BASIC SETUP== | ||
+ | |||
+ | echo '#!/bin/sh | ||
+ | cp -av "$1" "$1.$(date +%Y%m%H%M%S)" | ||
+ | ' > /usr/local/bin/backup | ||
+ | chmod 755 /usr/local/bin/backup | ||
+ | |||
+ | dnf -y install epel-release | ||
+ | dnf -y install git wget curl rsync vim | ||
+ | |||
+ | ==SETUP ANSIBLE== | ||
+ | dnf -y install python38-pip python38 sshpass | ||
+ | |||
+ | <pre> | ||
+ | su - rundeck | ||
+ | python3.8 -m pip install --user ansible | ||
+ | |||
+ | echo '#ANSIBLE SETUP | ||
+ | export PATH=$HOME/.local/bin:$HOME/bin:$PATH | ||
+ | ' >> $HOME/.bashrc | ||
+ | |||
+ | ln -s $HOME/.local/bin $HOME/bin | ||
+ | cat /etc/skel/.bash_profile > $HOME/.bash_profile | ||
+ | exit | ||
+ | </pre> | ||
+ | |||
+ | chown -R root.rundeck /etc/ansible | ||
+ | chmod -R ug+rwX /etc/ansible | ||
+ | |||
+ | <pre> | ||
+ | su - rundeck | ||
+ | cd /etc/ansible | ||
+ | rm -fv hosts | ||
+ | ansible-config init --disabled > ansible.cfg | ||
+ | sed -i 's/^.host_key_checking=.*/host_key_checking=False/' ansible.cfg | ||
+ | # sed -i 's/^.remote_user=.*/remote_user=rundeck-ops/' ansible.cfg | ||
+ | # sed -i 's/^.become=.*/become=True/' ansible.cfg | ||
+ | sed -i 's#^.inventory=.*#inventory=/etc/ansible/inventory #' ansible.cfg | ||
+ | sed -i 's#^.collections_path=.*#collections_path=/etc/ansible/collections:/usr/share/ansible/collections#' ansible.cfg | ||
+ | sed -i 's#^.roles_path=.*#roles_path=/etc/ansible/roles#' ansible.cfg | ||
+ | sed -i 's#^.interpreter_python=.*#interpreter_python=auto_silent#' ansible.cfg | ||
+ | |||
+ | mkdir /etc/ansible/inventory/group_vars | ||
+ | </pre> | ||
+ | |||
+ | * vim /etc/ansible/inventory/group_vars/all.yml | ||
+ | # Ansible Linux client defaults | ||
+ | become: True | ||
+ | ansible_user: rundeck-ops | ||
+ | |||
+ | |||
+ | * vim /etc/ansible/inventory/win.yml | ||
+ | <pre> | ||
+ | all: | ||
+ | hosts: | ||
+ | children: | ||
+ | win: | ||
+ | hosts: | ||
+ | win01: | ||
+ | </pre> | ||
+ | |||
+ | * vim /etc/ansible/inventory/group_vars/win.yml | ||
+ | <pre> | ||
+ | ansible_user: winrm | ||
+ | ansible_password: xxxxxx | ||
+ | ansible_connection: winrm | ||
+ | ansible_winrm_server_cert_validation: ignore | ||
+ | ansible_shell_type: powershell | ||
+ | </pre> | ||
+ | |||
+ | ansible-galaxy role install joe-speedboat.ansible_ospatch | ||
+ | ls -l /etc/ansible/roles/joe-speedboat.ansible_ospatch | ||
+ | |||
+ | ansible-galaxy collection install community.mysql | ||
+ | ls -l /etc/ansible/collections/ansible_collections/community/mysql | ||
+ | |||
+ | |||
+ | ==USE AND PROTECT ANSIBLE VARS WITH VAULT== | ||
+ | |||
+ | sed -i 's#^.vault_password_file=.*#vault_password_file=/etc/ansible/vault_unlock#' ansible.cfg | ||
+ | |||
+ | * create vault unlock helper which can store passwords until next reboot | ||
+ | <pre> | ||
+ | echo '#!/bin/bash | ||
+ | NAME=vault | ||
+ | PW_CNT=$(keyctl search @u user $NAME 2>/dev/null | wc -l) | ||
+ | if [ $PW_CNT -lt 1 ] | ||
+ | then | ||
+ | read -s -p 'Feed vault password: ' PASS | ||
+ | keyctl add user $NAME "$PASS" @u | ||
+ | else | ||
+ | keyctl print $(keyctl search @u user $NAME 2>/dev/null) | ||
+ | fi' > /etc/ansible/vault_unlock | ||
+ | </pre> | ||
+ | |||
+ | chmod 700 /etc/ansible/vault_unlock | ||
+ | |||
+ | /etc/ansible/vault_unlock | ||
+ | Feed and remember the password for vault<br> | ||
+ | Call it again to get the password shown | ||
+ | |||
+ | * Create motd hint | ||
+ | <pre> | ||
+ | echo ' | ||
+ | #FEED ANSIBLE VAULT PASSWORD after reboot | ||
+ | cmd: sudo -u rundeck --login /etc/ansible/vault_unlock | ||
+ | ' >> /etc/motd | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | cat /etc/ansible/inventory/group_vars/win.yml | ||
+ | See it is plain | ||
+ | |||
+ | * cryp your sensible data | ||
+ | ansible-vault encrypy /etc/ansible/inventory/group_vars/win.yml | ||
+ | |||
+ | |||
+ | cat /etc/ansible/inventory/group_vars/win.yml | ||
+ | It is crypted now | ||
+ | |||
+ | * Edit it | ||
+ | ansible-vault edit /etc/ansible/inventory/group_vars/win.yml | ||
− | |||
− | == | + | ==FREEIPA INVENTORY== |
− | + | ||
− | curl - | + | su - rundeck |
+ | curl https://raw.githubusercontent.com/joe-speedboat/ansible.idm-inventory/main/inventory/freeipa.py > inventory/freeipa.py | ||
+ | chmod 700 inventory/freeipa.py | ||
− | |||
<pre> | <pre> | ||
− | + | echo '# FreeIPA Ansible Inventory Auth | |
+ | export freeipaserver=directory01.domain.tld | ||
+ | export freeipauser=rundeck-bind | ||
+ | export freeipapassword=xxxxx | ||
+ | ' >> $HOME/.bashrc | ||
+ | </pre> | ||
+ | |||
+ | . $HOME/.bashrc | ||
+ | python3.8 -m pip install --user python_freeipa | ||
+ | |||
+ | |||
+ | |||
+ | ==FREEIPA AUTH== | ||
− | + | * vim /etc/rundeck/multiauth.conf | |
− | |||
</pre> | </pre> | ||
+ | multiauth { | ||
− | == | + | com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient |
+ | debug="true" | ||
+ | contextFactory="com.sun.jndi.ldap.LdapCtxFactory" | ||
+ | providerUrl="ldaps://directory01.domain.tld:636" | ||
+ | bindDn="uid=rundeck-bind,cn=users,cn=accounts,dc=domain,dc=tld" | ||
+ | bindPassword="xxx" | ||
+ | authenticationMethod="simple" | ||
+ | forceBindingLogin="true" | ||
+ | userBaseDn="cn=users,cn=accounts,dc=domain,dc=tld" | ||
+ | userRdnAttribute="uid" | ||
+ | userIdAttribute="uid" | ||
+ | userPasswordAttribute="userPassword" | ||
+ | userObjectClass="posixAccount" | ||
+ | userLastNameAttribute="sn" | ||
+ | userFirstNameAttribute="givenName" | ||
+ | userEmailAttribute="mail" | ||
+ | |||
+ | roleBaseDn="cn=groups,cn=accounts,dc=domain,dc=tld" | ||
+ | roleNameAttribute="cn" | ||
+ | roleMemberAttribute="member" | ||
+ | roleObjectClass="groupOfNames" | ||
+ | cacheDurationMillis="300000" | ||
+ | reportStatistics="true"; | ||
+ | |||
+ | org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required | ||
+ | debug="true" | ||
+ | file="/etc/rundeck/realm.properties"; | ||
+ | }; | ||
+ | </pre> | ||
+ | |||
+ | chown root.rundeck /etc/rundeck/multiauth.conf | ||
+ | chmod 640 /etc/rundeck/multiauth.conf | ||
+ | |||
+ | |||
+ | * vim /etc/rundeck/rundeck-config.properties | ||
+ | rundeck.security.syncLdapUser=true | ||
+ | |||
+ | |||
+ | * vim /etc/sysconfig/rundeckd | ||
+ | JAAS_LOGIN=true | ||
+ | LOGIN_MODULE=multiauth | ||
+ | JAAS_CONF=/etc/rundeck/multiauth.conf | ||
+ | |||
+ | * vim /etc/rundeck/ansibleadmin.aclpolicy | ||
<pre> | <pre> | ||
− | + | description: Admin, all access. | |
− | + | context: | |
− | + | project: '.*' # all projects | |
− | + | for: | |
− | + | resource: | |
− | + | - allow: '*' # allow read/create all kinds | |
+ | adhoc: | ||
+ | - allow: '*' # allow read/running/killing adhoc jobs | ||
+ | job: | ||
+ | - allow: '*' # allow read/write/delete/run/kill of all jobs | ||
+ | node: | ||
+ | - allow: '*' # allow read/run for all nodes | ||
+ | by: | ||
+ | group: ansibleadmin | ||
+ | |||
--- | --- | ||
− | + | ||
− | + | description: Admin, all access. | |
− | + | context: | |
− | + | application: 'rundeck' | |
− | + | for: | |
− | + | resource: | |
− | + | - allow: '*' # allow create of projects | |
− | + | project: | |
− | + | - allow: '*' # allow view/admin of all projects | |
− | - | + | project_acl: |
− | + | - allow: '*' # allow admin of all project-level ACL policies | |
− | + | storage: | |
− | + | - allow: '*' # allow read/create/update/delete for all /keys/* storage content | |
− | + | by: | |
− | . | + | group: ansibleadmin |
− | + | </pre> | |
− | + | ||
+ | chown root.rundeck /etc/rundeck/ansibleadmin.aclpolicy | ||
+ | chmod 640 /etc/rundeck/ansibleadmin.aclpolicy | ||
+ | |||
+ | |||
+ | echo | openssl s_client -showcerts -connect directory01.domain.tld:636 > /etc/rundeck/ssl/directory01_ldaps.pem | ||
+ | vim /etc/rundeck/ssl/directory01_ldaps.pem # remove comments | ||
+ | cp -av /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts.orig | ||
+ | keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit | ||
+ | |||
+ | keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin | ||
+ | chown rundeck.rundeck /etc/rundeck/ssl/* | ||
+ | |||
+ | ==PROTECT SSH PRIVATE KEY== | ||
+ | dnf -y install keychain | ||
+ | su - ansible | ||
+ | ssh-keygen -p # change passphrase | ||
+ | |||
+ | echo '# remember ssh passphrase until next reboog | ||
+ | keychain -Q -q ~/.ssh/id_rsa < /dev/null | ||
+ | [ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh | ||
+ | ' >> $HOME/.bashrc | ||
+ | |||
+ | <pre> | ||
+ | echo '#!/bin/bash | ||
+ | echo | ||
+ | echo Now feed the ssh private key passphrase for rundeck | ||
+ | sudo -u rundeck --login exit | ||
+ | echo | ||
+ | echo INFO: restarting rundeck service | ||
+ | systemctl restart rundeckd | ||
+ | echo | ||
+ | echo | ||
+ | echo All done | ||
+ | echo Now login to rundeck webUI: | ||
+ | echo .Test the inventory | ||
+ | echo .Test AdHoc command | ||
+ | ' > /usr/local/sbin/init-rundeck-and-ansible.sh | ||
+ | </pre> | ||
+ | |||
+ | chmod 700 /usr/local/sbin/init-rundeck-and-ansible.sh | ||
+ | |||
+ | echo ' | ||
+ | #FEED RUNDECKs SSH PASSPHRASE AFTER EACH REBOOT | ||
+ | cmd: init-rundeck-and-ansible.sh | ||
+ | ' >> /etc/motd | ||
+ | |||
+ | reboot | ||
+ | |||
+ | ==RUNDECK PROJECT: ansible== | ||
+ | <pre> | ||
+ | Detail: | ||
+ | Project Name: ansible | ||
+ | Label: ansible_linux_ssh | ||
+ | Execution History Clean: | ||
+ | Enable: [X] | ||
+ | User Interface : | ||
+ | Job Group Expansion Level: 9 | ||
+ | Default Node Executor: | ||
+ | Type: Ansible Ad-Hoc Node Executor | ||
+ | Executable: /bin/bash | ||
+ | Windows Executable: powershell.exe | ||
+ | Ansible config file path: /etc/ansible/ansible.cfg | ||
+ | Default File Copier: | ||
+ | Type: local | ||
+ | We just use native ansible, this is not needed | ||
</pre> | </pre> | ||
− | + | * PROJECT: ansible > Edit Nodes > Sources > Add | |
− | + | :* Type: Ansible Resource Model Source | |
+ | :* Ansible config file path: /etc/ansible/ansible.cfg | ||
− | == | + | ==BUGS & FIXES== |
− | |||
− | |||
− | |||
− | |||
− | + | * Error Msg: /bin/sh: /tmp/0-1-localhost-dispatch-script.tmp.sh: Permission denied | |
− | * | + | <pre> |
− | + | echo ' | |
+ | # ---------------------------------------------------------------- | ||
+ | # User Defined Values | ||
+ | # ---------------------------------------------------------------- | ||
+ | framework.file-copy-destination-dir = ~/ | ||
+ | ' >> /etc/rundeck/framework.properties | ||
+ | |||
+ | systemctl restart rundeckd | ||
+ | </pre> | ||
− | |||
[[Category:Alma8]] | [[Category:Alma8]] | ||
[[Category:Ansible]] | [[Category:Ansible]] | ||
+ | [[Category:Linux]] |
Revision as of 05:48, 28 June 2022
Setup Rundeck with native Ansible integration for Windows and Linux with Dynamic Inventory
- OS: Alma Linux 8.6
- Hostname: rundeck01.domain.tld
- vMemory: 6GB
- vDisk: 40GB
- vCPU: 6
Contents
1 SETUP RUNDECK SERVER
- vi /etc/ansible/playbooks/setup-rundeck.yml
--- - hosts: rundeck01.domain.tld vars: rundeck_admin_pass: xxxxxx roles: - role: joe-speedboat.rundeck tasks: - name: install firewalld yum: name: firewalld state: present - name: start firewalld service: name: firewalld enabled: yes state: started - name: open http port on firewalld firewalld: service: http permanent: true state: enabled - name: open https port on firewalld firewalld: service: https permanent: true state: enabled - name: enable firewalld service: name: firewalld enabled: yes state: restarted ...
ansible -m shell -a id rundeck01.domain.tld ansible-playbook setup-rundeck.yml
- Test webUI login
1.1 BASIC SETUP
echo '#!/bin/sh cp -av "$1" "$1.$(date +%Y%m%H%M%S)" ' > /usr/local/bin/backup chmod 755 /usr/local/bin/backup
dnf -y install epel-release dnf -y install git wget curl rsync vim
1.2 SETUP ANSIBLE
dnf -y install python38-pip python38 sshpass
su - rundeck python3.8 -m pip install --user ansible echo '#ANSIBLE SETUP export PATH=$HOME/.local/bin:$HOME/bin:$PATH ' >> $HOME/.bashrc ln -s $HOME/.local/bin $HOME/bin cat /etc/skel/.bash_profile > $HOME/.bash_profile exit
chown -R root.rundeck /etc/ansible chmod -R ug+rwX /etc/ansible
su - rundeck cd /etc/ansible rm -fv hosts ansible-config init --disabled > ansible.cfg sed -i 's/^.host_key_checking=.*/host_key_checking=False/' ansible.cfg # sed -i 's/^.remote_user=.*/remote_user=rundeck-ops/' ansible.cfg # sed -i 's/^.become=.*/become=True/' ansible.cfg sed -i 's#^.inventory=.*#inventory=/etc/ansible/inventory #' ansible.cfg sed -i 's#^.collections_path=.*#collections_path=/etc/ansible/collections:/usr/share/ansible/collections#' ansible.cfg sed -i 's#^.roles_path=.*#roles_path=/etc/ansible/roles#' ansible.cfg sed -i 's#^.interpreter_python=.*#interpreter_python=auto_silent#' ansible.cfg mkdir /etc/ansible/inventory/group_vars
- vim /etc/ansible/inventory/group_vars/all.yml
# Ansible Linux client defaults become: True ansible_user: rundeck-ops
- vim /etc/ansible/inventory/win.yml
all: hosts: children: win: hosts: win01:
- vim /etc/ansible/inventory/group_vars/win.yml
ansible_user: winrm ansible_password: xxxxxx ansible_connection: winrm ansible_winrm_server_cert_validation: ignore ansible_shell_type: powershell
ansible-galaxy role install joe-speedboat.ansible_ospatch ls -l /etc/ansible/roles/joe-speedboat.ansible_ospatch
ansible-galaxy collection install community.mysql ls -l /etc/ansible/collections/ansible_collections/community/mysql
1.3 USE AND PROTECT ANSIBLE VARS WITH VAULT
sed -i 's#^.vault_password_file=.*#vault_password_file=/etc/ansible/vault_unlock#' ansible.cfg
- create vault unlock helper which can store passwords until next reboot
echo '#!/bin/bash NAME=vault PW_CNT=$(keyctl search @u user $NAME 2>/dev/null | wc -l) if [ $PW_CNT -lt 1 ] then read -s -p 'Feed vault password: ' PASS keyctl add user $NAME "$PASS" @u else keyctl print $(keyctl search @u user $NAME 2>/dev/null) fi' > /etc/ansible/vault_unlock
chmod 700 /etc/ansible/vault_unlock
/etc/ansible/vault_unlock
Feed and remember the password for vault
Call it again to get the password shown
- Create motd hint
echo ' #FEED ANSIBLE VAULT PASSWORD after reboot cmd: sudo -u rundeck --login /etc/ansible/vault_unlock ' >> /etc/motd
cat /etc/ansible/inventory/group_vars/win.yml
See it is plain
- cryp your sensible data
ansible-vault encrypy /etc/ansible/inventory/group_vars/win.yml
cat /etc/ansible/inventory/group_vars/win.yml
It is crypted now
- Edit it
ansible-vault edit /etc/ansible/inventory/group_vars/win.yml
1.4 FREEIPA INVENTORY
su - rundeck curl https://raw.githubusercontent.com/joe-speedboat/ansible.idm-inventory/main/inventory/freeipa.py > inventory/freeipa.py chmod 700 inventory/freeipa.py
echo '# FreeIPA Ansible Inventory Auth export freeipaserver=directory01.domain.tld export freeipauser=rundeck-bind export freeipapassword=xxxxx ' >> $HOME/.bashrc
. $HOME/.bashrc python3.8 -m pip install --user python_freeipa
1.5 FREEIPA AUTH
- vim /etc/rundeck/multiauth.conf
multiauth {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient debug="true" contextFactory="com.sun.jndi.ldap.LdapCtxFactory" providerUrl="ldaps://directory01.domain.tld:636" bindDn="uid=rundeck-bind,cn=users,cn=accounts,dc=domain,dc=tld" bindPassword="xxx" authenticationMethod="simple" forceBindingLogin="true" userBaseDn="cn=users,cn=accounts,dc=domain,dc=tld" userRdnAttribute="uid" userIdAttribute="uid" userPasswordAttribute="userPassword" userObjectClass="posixAccount" userLastNameAttribute="sn" userFirstNameAttribute="givenName" userEmailAttribute="mail"
roleBaseDn="cn=groups,cn=accounts,dc=domain,dc=tld" roleNameAttribute="cn" roleMemberAttribute="member" roleObjectClass="groupOfNames" cacheDurationMillis="300000" reportStatistics="true";
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required debug="true" file="/etc/rundeck/realm.properties";
};
chown root.rundeck /etc/rundeck/multiauth.conf chmod 640 /etc/rundeck/multiauth.conf
- vim /etc/rundeck/rundeck-config.properties
rundeck.security.syncLdapUser=true
- vim /etc/sysconfig/rundeckd
JAAS_LOGIN=true LOGIN_MODULE=multiauth JAAS_CONF=/etc/rundeck/multiauth.conf
- vim /etc/rundeck/ansibleadmin.aclpolicy
description: Admin, all access. context: project: '.*' # all projects for: resource: - allow: '*' # allow read/create all kinds adhoc: - allow: '*' # allow read/running/killing adhoc jobs job: - allow: '*' # allow read/write/delete/run/kill of all jobs node: - allow: '*' # allow read/run for all nodes by: group: ansibleadmin --- description: Admin, all access. context: application: 'rundeck' for: resource: - allow: '*' # allow create of projects project: - allow: '*' # allow view/admin of all projects project_acl: - allow: '*' # allow admin of all project-level ACL policies storage: - allow: '*' # allow read/create/update/delete for all /keys/* storage content by: group: ansibleadmin
chown root.rundeck /etc/rundeck/ansibleadmin.aclpolicy chmod 640 /etc/rundeck/ansibleadmin.aclpolicy
echo | openssl s_client -showcerts -connect directory01.domain.tld:636 > /etc/rundeck/ssl/directory01_ldaps.pem vim /etc/rundeck/ssl/directory01_ldaps.pem # remove comments cp -av /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts.orig keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit
keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin chown rundeck.rundeck /etc/rundeck/ssl/*
1.6 PROTECT SSH PRIVATE KEY
dnf -y install keychain su - ansible ssh-keygen -p # change passphrase
echo '# remember ssh passphrase until next reboog keychain -Q -q ~/.ssh/id_rsa < /dev/null [ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh ' >> $HOME/.bashrc
echo '#!/bin/bash echo echo Now feed the ssh private key passphrase for rundeck sudo -u rundeck --login exit echo echo INFO: restarting rundeck service systemctl restart rundeckd echo echo echo All done echo Now login to rundeck webUI: echo .Test the inventory echo .Test AdHoc command ' > /usr/local/sbin/init-rundeck-and-ansible.sh
chmod 700 /usr/local/sbin/init-rundeck-and-ansible.sh
echo ' #FEED RUNDECKs SSH PASSPHRASE AFTER EACH REBOOT cmd: init-rundeck-and-ansible.sh ' >> /etc/motd
reboot
1.7 RUNDECK PROJECT: ansible
Detail: Project Name: ansible Label: ansible_linux_ssh Execution History Clean: Enable: [X] User Interface : Job Group Expansion Level: 9 Default Node Executor: Type: Ansible Ad-Hoc Node Executor Executable: /bin/bash Windows Executable: powershell.exe Ansible config file path: /etc/ansible/ansible.cfg Default File Copier: Type: local We just use native ansible, this is not needed
- PROJECT: ansible > Edit Nodes > Sources > Add
- Type: Ansible Resource Model Source
- Ansible config file path: /etc/ansible/ansible.cfg
1.8 BUGS & FIXES
- Error Msg: /bin/sh: /tmp/0-1-localhost-dispatch-script.tmp.sh: Permission denied
echo ' # ---------------------------------------------------------------- # User Defined Values # ---------------------------------------------------------------- framework.file-copy-destination-dir = ~/ ' >> /etc/rundeck/framework.properties systemctl restart rundeckd