Install Rundeck on RockyLinux with Ansible

From Bitbull Wiki
Revision as of 05:48, 28 June 2022 by Chris (talk | contribs)

Setup Rundeck with native Ansible integration for Windows and Linux with Dynamic Inventory

  • OS: Alma Linux 8.6
  • Hostname: rundeck01.domain.tld
  • vMemory: 6GB
  • vDisk: 40GB
  • vCPU: 6

1 SETUP RUNDECK SERVER

  • vi /etc/ansible/playbooks/setup-rundeck.yml
---
# Play for the Rundeck host: install Rundeck via the joe-speedboat.rundeck
# Galaxy role, then install firewalld and open http/https. Roles run before
# tasks, so the firewall is configured after Rundeck is installed.
- hosts: rundeck01.domain.tld
  vars:
    # Placeholder initial admin password. It sits here in clear text; section
    # 1.3 of this page shows how to keep such values in ansible-vault instead.
    rundeck_admin_pass: xxxxxx
  roles:
  - role: joe-speedboat.rundeck
  tasks:
  - name: install firewalld
    yum:
      name: firewalld
      state: present
  - name: start firewalld
    service:
      name: firewalld
      enabled: yes
      state: started
  - name: open http port on firewalld
    firewalld:
      service: http
      permanent: true   # persisted rule only; becomes active with the restart below
      state: enabled
  - name: open https port on firewalld
    firewalld:
      service: https
      permanent: true   # persisted rule only; becomes active with the restart below
      state: enabled
  - name: enable firewalld
    service:
      name: firewalld
      enabled: yes
      state: restarted   # restart so the permanent rules above take effect
...
# Connectivity check: run `id` on the Rundeck host through the shell module.
ansible rundeck01.domain.tld -m shell -a id
# Relative path: run from the directory the playbook was written to
# (presumably /etc/ansible/playbooks, see the step above).
ansible-playbook setup-rundeck.yml
  • Test webUI login

1.1 BASIC SETUP

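# Install a tiny backup helper: `backup <path>` copies <path> to
# <path>.<timestamp>. A quoted heredoc keeps every $ literal.
# Fix: the original timestamp format (%Y%m%H%M%S) had no day-of-month, so
# backups taken on different days at the same time of day collided.
cat <<'EOF' > /usr/local/bin/backup
#!/bin/sh
# usage: backup <path>  -- copy <path> to <path>.YYYYmmddHHMMSS (cp -a keeps mode/owner/times)
[ -n "$1" ] || { echo "usage: backup <path>" >&2; exit 2; }
cp -av -- "$1" "$1.$(date +%Y%m%d%H%M%S)"
EOF
chmod 755 /usr/local/bin/backup
dnf -y install epel-release
dnf -y install git wget curl rsync vim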

1.2 SETUP ANSIBLE

dnf -y install python38-pip python38 sshpass
# Interactive transcript: everything from here up to the 'exit' below runs in
# the rundeck user's login shell, not as root.
su - rundeck
# Unpinned install; pin a version (e.g. ansible==<version>) for reproducible rebuilds.
python3.8 -m pip install --user ansible
 
# Put pip --user installs (~/.local/bin) on PATH for login shells.
echo '#ANSIBLE SETUP
export PATH=$HOME/.local/bin:$HOME/bin:$PATH
' >> $HOME/.bashrc
 
# ~/bin -> ~/.local/bin; ln -s fails if ~/bin already exists.
ln -s $HOME/.local/bin $HOME/bin
# Overwrite the user's profile with the distro default, presumably so that
# ~/.bashrc is sourced at login — confirm this is intended for existing installs.
cat /etc/skel/.bash_profile > $HOME/.bash_profile
exit
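# Hand /etc/ansible to root:rundeck, group-writable, so the rundeck user can
# manage config, inventory, roles and collections. ':' is the POSIX separator;
# the 'root.rundeck' form is a deprecated GNU extension.
chown -R root:rundeck /etc/ansible
chmod -R ug+rwX /etc/ansible
# Interactive from here: the following commands run as the rundeck user.
su - rundeck
cd /etc/ansible
rm -fv hosts
# Generate a fully commented-out ansible.cfg, then switch on the options we
# need. The leading '.' in each pattern matches the comment character that
# `ansible-config init --disabled` places in front of every default.
ansible-config init --disabled > ansible.cfg
# host_key_checking=False turns off SSH host-key verification for every
# managed host, so a spoofed host could capture the rundeck-ops credentials.
# Prefer a pre-populated known_hosts and keep verification on where possible.
sed -i 's/^.host_key_checking=.*/host_key_checking=False/' ansible.cfg
# remote_user/become are left at their defaults here; the inventory
# group_vars set them per group instead.
# sed -i 's/^.remote_user=.*/remote_user=rundeck-ops/' ansible.cfg
# sed -i 's/^.become=.*/become=True/' ansible.cfg
sed -i 's#^.inventory=.*#inventory=/etc/ansible/inventory #' ansible.cfg
sed -i 's#^.collections_path=.*#collections_path=/etc/ansible/collections:/usr/share/ansible/collections#' ansible.cfg
sed -i 's#^.roles_path=.*#roles_path=/etc/ansible/roles#' ansible.cfg
sed -i 's#^.interpreter_python=.*#interpreter_python=auto_silent#' ansible.cfg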

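# -p also creates /etc/ansible/inventory itself, which nothing else creates
# but which ansible.cfg points at and the FreeIPA step writes into.
mkdir -p /etc/ansible/inventory/group_vars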
  • vim /etc/ansible/inventory/group_vars/all.yml
# Ansible Linux client defaults
# Applies to every inventory host unless a more specific group_vars file
# (e.g. win.yml below) overrides it.
become: True
ansible_user: rundeck-ops


  • vim /etc/ansible/inventory/win.yml
# Static inventory for Windows hosts. The empty top-level `hosts:` means no
# ungrouped hosts; `win01:` carries no host vars, so its name must resolve
# (or add ansible_host) — confirm against DNS.
all:
  hosts:
  children:
    win:
      hosts:
        win01:
  • vim /etc/ansible/inventory/group_vars/win.yml
# Connection settings for the `win` group (WinRM).
# The password is stored in clear text here until section 1.3 encrypts this
# file with ansible-vault.
ansible_user: winrm
ansible_password: xxxxxx
ansible_connection: winrm
# `ignore` disables TLS certificate validation for WinRM, so the credentials
# above are exposed to anyone who can intercept the connection; use
# `validate` with a trusted certificate once the hosts have one.
ansible_winrm_server_cert_validation: ignore
ansible_shell_type: powershell
# Pull in the Galaxy content used by the jobs and verify it landed in the
# paths configured in ansible.cfg. Neither install is version-pinned or
# checksum-verified; pin versions for reproducible, reviewable builds.
ansible-galaxy collection install community.mysql
ls -l /etc/ansible/collections/ansible_collections/community/mysql
ansible-galaxy role install joe-speedboat.ansible_ospatch
ls -l /etc/ansible/roles/joe-speedboat.ansible_ospatch


1.3 USE AND PROTECT ANSIBLE VARS WITH VAULT

# Point Ansible at the unlock helper created below. Because that file is
# executable, Ansible runs it and reads the vault password from its stdout.
# Relative path: assumes the cwd is still /etc/ansible from section 1.2.
sed -i -e 's#^.vault_password_file=.*#vault_password_file=/etc/ansible/vault_unlock#' ansible.cfg
  • create a vault unlock helper that stores the password until the next reboot
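# Write the vault unlock helper with a quoted heredoc. The original wrapped the
# script in echo '...', but the script's own single quotes around the read
# prompt ended that quoting early and produced an invalid `read` line.
cat <<'EOF' > /etc/ansible/vault_unlock
#!/bin/bash
# Ansible vault_password_file helper: print the vault password stored in the
# user keyring (@u) under the name "vault"; when no such key exists yet, ask
# for it and store it there. The key is gone after a reboot, and anyone who
# can run commands as this user can read it back with keyctl.
NAME=vault
KEY_ID=$(keyctl search @u user "$NAME" 2>/dev/null)
if [ -z "$KEY_ID" ]; then
   # -s hides the input, -r keeps backslashes in the password literal
   read -r -s -p 'Feed vault password: ' PASS
   keyctl add user "$NAME" "$PASS" @u
else
   keyctl print "$KEY_ID"
fi
EOF
chmod 700 /etc/ansible/vault_unlock
/etc/ansible/vault_unlock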

Enter the vault password; it is remembered.
Call it again and the password is printed.

  • Create motd hint
# Login banner reminder: the keyring is empty after a reboot, so the vault
# password has to be fed again (as the rundeck user, since @u is per user).
cat <<'EOF' >> /etc/motd

#FEED ANSIBLE VAULT PASSWORD after reboot
   cmd: sudo -u rundeck --login /etc/ansible/vault_unlock

EOF


# Before encryption: the WinRM password is readable in clear text.
cat /etc/ansible/inventory/group_vars/win.yml

Note that it is stored in plain text.

  • encrypt your sensitive data
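# Encrypt the file in place (fix: subcommand was misspelled "encrypy").
# Uses the vault_password_file helper configured above.
ansible-vault encrypt /etc/ansible/inventory/group_vars/win.yml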


# After encryption: only the $ANSIBLE_VAULT header and ciphertext are visible.
cat /etc/ansible/inventory/group_vars/win.yml

It is encrypted now

  • Edit it

# Decrypts into an editor and re-encrypts on save; the plaintext never has to
# be written to the inventory directory.
ansible-vault edit /etc/ansible/inventory/group_vars/win.yml


1.4 FREEIPA INVENTORY

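# Interactive: the following runs as the rundeck user (cwd is its home).
su - rundeck
# Fetch the FreeIPA dynamic-inventory script. -f makes curl fail instead of
# saving an HTML error page as freeipa.py; -L follows redirects. This pulls
# executable code straight from a git branch with no version pin or checksum,
# so review the file before Ansible starts executing it.
curl -fsSL -o inventory/freeipa.py https://raw.githubusercontent.com/joe-speedboat/ansible.idm-inventory/main/inventory/freeipa.py
chmod 700 inventory/freeipa.py
# Bind credentials read by the inventory script. They are kept in clear text
# in ~/.bashrc and exported to every process started from this shell; keep the
# rundeck home directory unreadable by other users.
cat <<'EOF' >> "$HOME/.bashrc"
# FreeIPA Ansible Inventory Auth
export freeipaserver=directory01.domain.tld
export freeipauser=rundeck-bind
export freeipapassword=xxxxx

EOF
. "$HOME/.bashrc"
python3.8 -m pip install --user python_freeipa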


1.5 FREEIPA AUTH

  • vim /etc/rundeck/multiauth.conf

multiauth {

 // LDAP (FreeIPA) login over LDAPS. "sufficient": a successful LDAP login
 // completes authentication; on failure the next module is tried.
 com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
   // debug writes the LDAP exchange to the service log; switch off once
   // logins work.
   debug="true"
   contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   providerUrl="ldaps://directory01.domain.tld:636"
   // Service account for user/role lookups. Its password is stored here in
   // clear text, which is why the file is chown root:rundeck / chmod 640 below.
   bindDn="uid=rundeck-bind,cn=users,cn=accounts,dc=domain,dc=tld"
   bindPassword="xxx"
   authenticationMethod="simple"
   // Verify a login by binding to LDAP as the user, rather than reading the
   // userPassword attribute through the bind account and comparing it.
   forceBindingLogin="true"
   userBaseDn="cn=users,cn=accounts,dc=domain,dc=tld"
   userRdnAttribute="uid"
   userIdAttribute="uid"
   userPasswordAttribute="userPassword"
   userObjectClass="posixAccount"
   userLastNameAttribute="sn"
   userFirstNameAttribute="givenName"
   userEmailAttribute="mail"
   // Rundeck roles come from FreeIPA groups (cn) that list the user in
   // `member`.
   roleBaseDn="cn=groups,cn=accounts,dc=domain,dc=tld"
   roleNameAttribute="cn"
   roleMemberAttribute="member"
   roleObjectClass="groupOfNames"
   // Lookup results are cached for 5 minutes, so a group removal may take
   // up to that long to affect a user — NOTE(review): confirm what exactly
   // is cached for your Rundeck version.
   cacheDurationMillis="300000"
   reportStatistics="true";
 // Fallback to local accounts in realm.properties when LDAP login fails.
 org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
   debug="true"
   file="/etc/rundeck/realm.properties";

};

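# The JAAS config holds the LDAP bind password: readable by root and the
# rundeck service user only. ':' is the POSIX owner:group separator; the
# 'root.rundeck' form is a deprecated GNU extension.
chown root:rundeck /etc/rundeck/multiauth.conf
chmod 640 /etc/rundeck/multiauth.conf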


  • vim /etc/rundeck/rundeck-config.properties
# Create/refresh Rundeck's local record of a user from LDAP at login
# (presumably so names/e-mail from the attributes above show up in the UI —
# confirm against the Rundeck docs for your version).
rundeck.security.syncLdapUser=true


  • vim /etc/sysconfig/rundeckd
# Enable JAAS login and select the `multiauth { ... }` stanza defined in
# /etc/rundeck/multiauth.conf (the name must match the stanza name).
JAAS_LOGIN=true
LOGIN_MODULE=multiauth
JAAS_CONF=/etc/rundeck/multiauth.conf

  • vim /etc/rundeck/ansibleadmin.aclpolicy
# ACL policy: full access for members of the LDAP/FreeIPA group `ansibleadmin`.
# Two documents are needed: a project-context policy (this one) and an
# application-context policy (below). Anyone in that group can run any job and
# ad-hoc command on every node, so keep its membership tightly controlled.
description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job: 
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: ansibleadmin

---

# Application-level half of the same policy: project creation, project admin,
# project ACL editing and the key storage (which holds SSH keys/passwords).
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: ansibleadmin
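# ACL policies are read by the rundeck service user; nobody else needs them.
# ':' is the POSIX owner:group separator ('root.rundeck' is a deprecated GNU form).
chown root:rundeck /etc/rundeck/ansibleadmin.aclpolicy
chmod 640 /etc/rundeck/ansibleadmin.aclpolicy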


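# Capture the certificate chain presented by the LDAPS server. s_client prints
# connection chatter around the PEM blocks; sed keeps only the certificates,
# replacing the manual clean-up in vim. This is trust-on-first-use: compare
# the fingerprint with the one published by the directory team before
# importing it anywhere.
echo | openssl s_client -showcerts -connect directory01.domain.tld:636 \
  | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
  > /etc/rundeck/ssl/directory01_ldaps.pem
cp -av /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts.orig
# NOTE(review): /etc/pki/ca-trust/extracted/java/cacerts is regenerated by
# update-ca-trust, which will drop this manual import. The durable way is to
# place the CA certificate in /etc/pki/ca-trust/source/anchors/ and run
# update-ca-trust. 'changeit' is the stock Java keystore password.
keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit
# Rundeck's own truststore; 'adminadmin' appears to be the password its
# packaging ships with — change it together with the ssl.properties entry.
keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
chown rundeck:rundeck /etc/rundeck/ssl/*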

1.6 PROTECT SSH PRIVATE KEY

dnf -y install keychain
# NOTE(review): every other step on this page uses the rundeck user, and the
# init script below unlocks the key via `sudo -u rundeck --login`, so this
# likely should be `su - rundeck` — confirm which user owns the SSH key.
su - ansible
# Without -f this prompts for the key file (default ~/.ssh/id_rsa) and sets a
# passphrase on it, so the private key is no longer usable in clear from disk.
ssh-keygen -p # change passphrase
# keychain starts/reuses an ssh-agent and adds the key once per boot; the
# sourced file exports the agent variables into each login shell.
echo '# remember ssh passphrase until next reboog
keychain -Q -q ~/.ssh/id_rsa < /dev/null
[ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh
' >> $HOME/.bashrc
# Post-reboot helper: open a rundeck login shell once (which triggers the
# keychain prompt in ~/.bashrc), then restart the service so it can use the
# unlocked key. Written with a quoted heredoc so nothing is expanded.
cat <<'EOF' > /usr/local/sbin/init-rundeck-and-ansible.sh
#!/bin/bash
echo
echo Now feed the ssh private key passphrase for rundeck
sudo -u rundeck --login exit
echo
echo INFO: restarting rundeck service
systemctl restart rundeckd
echo
echo
echo All done
echo Now login to rundeck webUI:
echo .Test the inventory 
echo .Test AdHoc command

EOF
chmod 700 /usr/local/sbin/init-rundeck-and-ansible.sh
# Login banner reminder for the step above.
cat <<'EOF' >> /etc/motd

#FEED RUNDECKs SSH PASSPHRASE AFTER EACH REBOOT
   cmd: init-rundeck-and-ansible.sh

EOF
reboot

1.7 RUNDECK PROJECT: ansible

Detail:
   Project Name: ansible
   Label: ansible_linux_ssh
Execution History Clean: 
   Enable: [X]
User Interface :
   Job Group Expansion Level: 9
Default Node Executor:
  Type: Ansible Ad-Hoc Node Executor
     Executable: /bin/bash
     Windows Executable: powershell.exe
     Ansible config file path: /etc/ansible/ansible.cfg
Default File Copier:
  Type: local
  We use native Ansible, so this is not needed.
  • PROJECT: ansible > Edit Nodes > Sources > Add
  • Type: Ansible Resource Model Source
  • Ansible config file path: /etc/ansible/ansible.cfg


1.8 BUGS & FIXES

  • Error Msg: /bin/sh: /tmp/0-1-localhost-dispatch-script.tmp.sh: Permission denied
# Work around "Permission denied" on dispatch scripts under /tmp by letting
# Rundeck stage them in the executing user's home directory instead.
cat <<'EOF' >> /etc/rundeck/framework.properties

# ----------------------------------------------------------------
# User Defined Values 
# ----------------------------------------------------------------
framework.file-copy-destination-dir = ~/

EOF

systemctl restart rundeckd