Install Rundeck on RockyLinux with Ansible
Jump to navigation
Jump to search
Setup Rundeck with native Ansible integration for Windows and Linux with Dynamic Inventory
- OS: Alma Linux 8.6
- Hostname: rundeck01.domain.tld
- vMemory: 6GB
- vDisk: 40GB
- vCPU: 6
Contents
1 SETUP RUNDECK SERVER
- vi /etc/ansible/playbooks/setup-rundeck.yml
--- - hosts: rundeck01.domain.tld vars: rundeck_admin_pass: xxxxxx roles: - role: joe-speedboat.rundeck tasks: - name: install firewalld yum: name: firewalld state: present - name: start firewalld service: name: firewalld enabled: yes state: started - name: open http port on firewalld firewalld: service: http permanent: true state: enabled - name: open https port on firewalld firewalld: service: https permanent: true state: enabled - name: enable firewalld service: name: firewalld enabled: yes state: restarted ...
ansible -m shell -a id rundeck01.domain.tld ansible-playbook setup-rundeck.yml
- Test webUI login
1.1 BASIC SETUP
echo '#!/bin/sh cp -av "$1" "$1.$(date +%Y%m%H%M%S)" ' > /usr/local/bin/backup chmod 755 /usr/local/bin/backup
dnf -y install epel-release dnf -y install git wget curl rsync vim
1.2 SETUP ANSIBLE
dnf -y install python38-pip python38 sshpass
su - rundeck python3.8 -m pip install --user ansible echo '#ANSIBLE SETUP export PATH=$HOME/.local/bin:$HOME/bin:$PATH ' >> $HOME/.bashrc ln -s $HOME/.local/bin $HOME/bin cat /etc/skel/.bash_profile > $HOME/.bash_profile exit
chown -R root.rundeck /etc/ansible chmod -R ug+rwX /etc/ansible
su - rundeck cd /etc/ansible rm -fv hosts ansible-config init --disabled > ansible.cfg sed -i 's/^.host_key_checking=.*/host_key_checking=False/' ansible.cfg # sed -i 's/^.remote_user=.*/remote_user=rundeck-ops/' ansible.cfg # sed -i 's/^.become=.*/become=True/' ansible.cfg sed -i 's#^.inventory=.*#inventory=/etc/ansible/inventory #' ansible.cfg sed -i 's#^.collections_path=.*#collections_path=/etc/ansible/collections:/usr/share/ansible/collections#' ansible.cfg sed -i 's#^.roles_path=.*#roles_path=/etc/ansible/roles#' ansible.cfg sed -i 's#^.interpreter_python=.*#interpreter_python=auto_silent#' ansible.cfg mkdir /etc/ansible/inventory/group_vars
- vim /etc/ansible/inventory/group_vars/all.yml
# Ansible Linux client defaults become: True ansible_user: rundeck-ops
- vim /etc/ansible/inventory/win.yml
all: hosts: children: win: hosts: win01:
- vim /etc/ansible/inventory/group_vars/win.yml
ansible_user: winrm ansible_password: xxxxxx ansible_connection: winrm ansible_winrm_server_cert_validation: ignore ansible_shell_type: powershell
ansible-galaxy role install joe-speedboat.ansible_ospatch ls -l /etc/ansible/roles/joe-speedboat.ansible_ospatch
ansible-galaxy collection install community.mysql ls -l /etc/ansible/collections/ansible_collections/community/mysql
1.3 USE AND PROTECT ANSIBLE VARS WITH VAULT
sed -i 's#^.vault_password_file=.*#vault_password_file=/etc/ansible/vault_unlock#' ansible.cfg
- create vault unlock helper which can store passwords until next reboot
echo '#!/bin/bash NAME=vault PW_CNT=$(keyctl search @u user $NAME 2>/dev/null | wc -l) if [ $PW_CNT -lt 1 ] then read -s -p 'Feed vault password: ' PASS keyctl add user $NAME "$PASS" @u else keyctl print $(keyctl search @u user $NAME 2>/dev/null) fi' > /etc/ansible/vault_unlock
chmod 700 /etc/ansible/vault_unlock
/etc/ansible/vault_unlock
Feed and remember the password for vault
Call it again to get the password shown
- Create motd hint
echo ' #FEED ANSIBLE VAULT PASSWORD after reboot cmd: sudo -u rundeck --login /etc/ansible/vault_unlock ' >> /etc/motd
cat /etc/ansible/inventory/group_vars/win.yml
See it is plain
- cryp your sensible data
ansible-vault encrypy /etc/ansible/inventory/group_vars/win.yml
cat /etc/ansible/inventory/group_vars/win.yml
It is crypted now
- Edit it
ansible-vault edit /etc/ansible/inventory/group_vars/win.yml
1.4 FREEIPA INVENTORY
su - rundeck curl https://raw.githubusercontent.com/joe-speedboat/ansible.idm-inventory/main/inventory/freeipa.py > inventory/freeipa.py chmod 700 inventory/freeipa.py
echo '# FreeIPA Ansible Inventory Auth export freeipaserver=directory01.domain.tld export freeipauser=rundeck-bind export freeipapassword=xxxxx ' >> $HOME/.bashrc
. $HOME/.bashrc python3.8 -m pip install --user python_freeipa
1.5 FREEIPA AUTH
- vim /etc/rundeck/multiauth.conf
multiauth {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient debug="true" contextFactory="com.sun.jndi.ldap.LdapCtxFactory" providerUrl="ldaps://directory01.domain.tld:636" bindDn="uid=rundeck-bind,cn=users,cn=accounts,dc=domain,dc=tld" bindPassword="xxx" authenticationMethod="simple" forceBindingLogin="true" userBaseDn="cn=users,cn=accounts,dc=domain,dc=tld" userRdnAttribute="uid" userIdAttribute="uid" userPasswordAttribute="userPassword" userObjectClass="posixAccount" userLastNameAttribute="sn" userFirstNameAttribute="givenName" userEmailAttribute="mail"
roleBaseDn="cn=groups,cn=accounts,dc=domain,dc=tld" roleNameAttribute="cn" roleMemberAttribute="member" roleObjectClass="groupOfNames" cacheDurationMillis="300000" reportStatistics="true";
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required debug="true" file="/etc/rundeck/realm.properties";
};
chown root.rundeck /etc/rundeck/multiauth.conf chmod 640 /etc/rundeck/multiauth.conf
- vim /etc/rundeck/rundeck-config.properties
rundeck.security.syncLdapUser=true
- vim /etc/sysconfig/rundeckd
JAAS_LOGIN=true LOGIN_MODULE=multiauth JAAS_CONF=/etc/rundeck/multiauth.conf
- vim /etc/rundeck/ansibleadmin.aclpolicy
description: Admin, all access. context: project: '.*' # all projects for: resource: - allow: '*' # allow read/create all kinds adhoc: - allow: '*' # allow read/running/killing adhoc jobs job: - allow: '*' # allow read/write/delete/run/kill of all jobs node: - allow: '*' # allow read/run for all nodes by: group: ansibleadmin --- description: Admin, all access. context: application: 'rundeck' for: resource: - allow: '*' # allow create of projects project: - allow: '*' # allow view/admin of all projects project_acl: - allow: '*' # allow admin of all project-level ACL policies storage: - allow: '*' # allow read/create/update/delete for all /keys/* storage content by: group: ansibleadmin
chown root.rundeck /etc/rundeck/ansibleadmin.aclpolicy chmod 640 /etc/rundeck/ansibleadmin.aclpolicy
echo | openssl s_client -showcerts -connect directory01.domain.tld:636 > /etc/rundeck/ssl/directory01_ldaps.pem vim /etc/rundeck/ssl/directory01_ldaps.pem # remove comments cp -av /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts.orig keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit
keytool -import -alias directory01.domain.tld -file /etc/rundeck/ssl/directory01_ldaps.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin chown rundeck.rundeck /etc/rundeck/ssl/*
1.6 PROTECT SSH PRIVATE KEY
dnf -y install keychain su - ansible ssh-keygen -p # change passphrase
echo '# remember ssh passphrase until next reboog keychain -Q -q ~/.ssh/id_rsa < /dev/null [ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh ' >> $HOME/.bashrc
echo '#!/bin/bash echo echo Now feed the ssh private key passphrase for rundeck sudo -u rundeck --login exit echo echo INFO: restarting rundeck service systemctl restart rundeckd echo echo echo All done echo Now login to rundeck webUI: echo .Test the inventory echo .Test AdHoc command ' > /usr/local/sbin/init-rundeck-and-ansible.sh
chmod 700 /usr/local/sbin/init-rundeck-and-ansible.sh
echo ' #FEED RUNDECKs SSH PASSPHRASE AFTER EACH REBOOT cmd: init-rundeck-and-ansible.sh ' >> /etc/motd
reboot
1.7 RUNDECK PROJECT: ansible
Detail: Project Name: ansible Label: ansible_linux_ssh Execution History Clean: Enable: [X] User Interface : Job Group Expansion Level: 9 Default Node Executor: Type: Ansible Ad-Hoc Node Executor Executable: /bin/bash Windows Executable: powershell.exe Ansible config file path: /etc/ansible/ansible.cfg Default File Copier: Type: local We just use native ansible, this is not needed
- PROJECT: ansible > Edit Nodes > Sources > Add
- Type: Ansible Resource Model Source
- Ansible config file path: /etc/ansible/ansible.cfg
1.8 BUGS & FIXES
- Error Msg: /bin/sh: /tmp/0-1-localhost-dispatch-script.tmp.sh: Permission denied
echo ' # ---------------------------------------------------------------- # User Defined Values # ---------------------------------------------------------------- framework.file-copy-destination-dir = ~/ ' >> /etc/rundeck/framework.properties systemctl restart rundeckd