1 Setup Rundeck
- 4vCPU
- 8 GB Memory
- 50 GB HDD
vi setup-rundeck.yml
---------------------------------
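---
# Provision the Rundeck host: apply the joe-speedboat.rundeck role, then make
# sure firewalld is installed, running, and lets HTTPS through to the web UI.
- hosts: srundeck01.domain.local
  vars:
    # Placeholder only. It is quoted because a bare '***' is read by YAML as an
    # alias reference, not as text. Keep the real value out of this file
    # (ansible-vault, see section 5).
    rundeck_admin_pass: '***'
    # more vars as needed: look into role defaults
  roles:
    - role: joe-speedboat.rundeck
  tasks:
    - name: install firewalld
      yum:
        name: firewalld
        state: present

    - name: start firewalld
      service:
        name: firewalld
        enabled: true  # real boolean; 'yes' only works via YAML 1.1 truthiness
        state: started

    # permanent: true writes the rule to disk only; the restart in the next
    # task is what makes it active (the task is not run with immediate: true).
    - name: open https port on firewalld
      firewalld:
        service: https
        permanent: true
        state: enabled

    - name: enable firewalld
      service:
        name: firewalld
        enabled: true
        state: restarted
...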
---------------------------------
# Sanity check before the playbook: an ad-hoc `id` proves inventory, SSH and
# the remote python work for this host.
ansible -m shell -a id srundeck01.domain.local
ansible-playbook setup-rundeck.yml
- Now test the Rundeck login as admin in your web browser
2 COMPANY specific settings
# Company mirror policy: comment out every `mirrorlist=` line and enable the
# `baseurl=` lines, so dnf/yum only talks to the configured base URLs.
# Both seds edit every file under /etc/yum.repos.d in place with no backup;
# run them once, right after install.
sed -i 's/^mirrorlist=\(.*\)/# mirrorlist=\1/' /etc/yum.repos.d/*.repo
sed -i 's/^#baseurl=/baseurl=/' /etc/yum.repos.d/*.repo
3 General settings
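# Install a small helper that copies a file to <file>.<timestamp> next to it.
# The original format string (%Y%m%H%M%S) had no day-of-month field, so copies
# taken on different days at the same hh:mm:ss collided and cp silently
# overwrote the older one; %Y%m%d%H%M%S is unambiguous.
# The quoted heredoc keeps $1 and $(...) literal, exactly like the single-quoted echo did.
cat > /usr/local/bin/backup <<'EOF'
#!/bin/sh
# usage: backup FILE   -> copies FILE to FILE.YYYYmmddHHMMSS
[ -n "$1" ] || { echo "usage: backup FILE" >&2; exit 1; }
cp -av "$1" "$1.$(date +%Y%m%d%H%M%S)"
EOF
chmod 755 /usr/local/bin/backup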
4 Ansible installation
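# root user
# Replace the distro ansible with a per-user pip install for the rundeck account.
dnf -y remove ansible-collection-ansible-posix ansible
dnf -y install python38-pip python38 git wget curl rsync vim sshpass
# rundeck user
# NOTE(review): this is unpinned; every run pulls whatever ansible is current
# on PyPI. Pin it (python3.8 -m pip install --user 'ansible==<VERSION>') for
# reproducible hosts.
python3.8 -m pip install --user ansible
# Quoted heredoc: $HOME and $PATH are written literally, to be expanded at login.
cat >> "$HOME/.bashrc" <<'EOF'
#ANSIBLE SETUP
export PATH=$HOME/.local/bin:$HOME/bin:$PATH

EOF
# Only link when nothing is at $HOME/bin yet: `ln -s` against an existing
# directory would silently create $HOME/bin/bin instead.
[ -e "$HOME/bin" ] || ln -s "$HOME/.local/bin" "$HOME/bin"
cat /etc/skel/.bash_profile > "$HOME/.bash_profile"
exit
# root user
# /etc/ansible becomes private to the rundeck user (it will hold vault/ssh material).
chown -R rundeck:rundeck /etc/ansible
chmod -R u+rwX,go-rwx /etc/ansible
# rundeck user
cd /etc/ansible
rm -fv hosts
# Full commented-out template; the seds below flip individual settings
# (the generated lines start with ';', hence the '^.' in the patterns).
ansible-config init --disabled > ansible.cfg
# host_key_checking=False disables SSH host-key verification for every managed
# node, so a host impersonating a node is not detected. Prefer pre-populating
# known_hosts and keeping the default if the environment allows it.
sed -i 's/^.host_key_checking=.*/host_key_checking=False/' ansible.cfg
# sed -i 's/^.remote_user=.*/remote_user=rundeck-ops/' ansible.cfg
# sed -i 's/^.become=.*/become=True/' ansible.cfg
sed -i 's#^.inventory=.*#inventory=/etc/ansible/inventory #' ansible.cfg
sed -i 's#^.collections_path=.*#collections_path=/etc/ansible/collections:/usr/share/ansible/collections#' ansible.cfg
sed -i 's#^.roles_path=.*#roles_path=/etc/ansible/roles#' ansible.cfg
sed -i 's#^.interpreter_python=.*#interpreter_python=auto_silent#' ansible.cfg
# -p: nothing above creates /etc/ansible/inventory, so a plain mkdir would fail
# unless the role happened to create it.
mkdir -p /etc/ansible/inventory/group_vars
vim /etc/ansible/inventory/group_vars/all.yml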
----------
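---
# Inventory-wide defaults for every host Rundeck reaches through Ansible.
ansible_become: true  # lowercase boolean; 'True' only works via YAML 1.1 truthiness
ansible_user: deploy_rundeck_prod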
----------
5 USE AND PROTECT ANSIBLE VARS WITH VAULT
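# root user
# NOTE(review): $HOME is the home of whoever runs these lines. The script is
# chown'ed to rundeck and referenced from ansible.cfg as the vault password
# file, so it must land somewhere the rundeck user can read — run this where
# $HOME is the rundeck user's home, or write that path explicitly.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# unlock script. This is an unpinned download from a third-party repository:
# read the script (or pin a commit) before it becomes the vault password provider.
curl -fsS -o "$HOME/bin/vault-unlock.sh" https://raw.githubusercontent.com/joe-speedboat/shell.scripts/master/vault-unlock.sh
chown rundeck:rundeck "$HOME/bin/vault-unlock.sh"
chmod 700 "$HOME/bin/vault-unlock.sh"
# Relative path: expects the cwd to still be /etc/ansible from section 4.
sed -i "s#^.vault_password_file=.*#vault_password_file=$HOME/bin/vault-unlock.sh#" ansible.cfg
# These services are deliberately not started at boot: they are brought up by
# the vault-unlock step (init-rundeck-and-ansible.sh) once the passphrase is fed in.
systemctl disable rundeckd nginx
vim /usr/local/sbin/init-rundeck-and-ansible.sh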
----------
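#!/bin/bash
# After a reboot: unlock the rundeck user's ssh key / ansible vault, then start
# the services that are intentionally not enabled at boot.
# Abort on the first failing command so "All done" is never printed after a
# failed unlock or a failed service restart.
set -euo pipefail
echo
echo "Feed the ssh private key passphrase for rundeck"
echo "Hashi Vault > linuxeng_kv > application_user > ansible_vault_pw@srundeck01.domain.local"
# A login shell as rundeck runs that user's profile, whose .bashrc sources
# vault-unlock.sh (section 5) and prompts for the passphrase; the echo itself
# does nothing.
sudo -u rundeck --login echo
echo
echo "INFO: re/starting rundeck + nginx service"
systemctl restart rundeckd nginx
echo
echo
echo "All done"
echo "Now login to rundeck webUI:"
echo ".Test the inventory"
echo ".Test AdHoc command"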
----------
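chmod 700 /usr/local/sbin/init-rundeck-and-ansible.sh
# Remind whoever logs in after a reboot that the unlock is a manual step.
cat >> /etc/motd <<'EOF'

#FEED ANSIBLE VAULT AND SSH-KEY PASSWORD after reboot
cmd: init-rundeck-and-ansible.sh

EOF
# rundeck user
# Append rather than overwrite: `>` here discarded the PATH export that
# section 4 added to .bashrc. If a clean .bashrc was intended, keep `>` and
# re-add that export afterwards.
echo '. $HOME/bin/vault-unlock.sh -b' >> ~/.bashrc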
6 ZABBIX CHECK FOR LOCKED VAULTS
# root user
# Agent-side whitelist: only the single ssh-add check may be run via system.run[].
vim /etc/zabbix/zabbix_agent2.d/rundeck-ssh-add.conf
----------
# Allow exactly one remote command (the Rundeck "vault locked" check) and deny
# every other system.run[] call. Keep the allow line first: the rules are
# matched in order.
AllowKey=system.run[sudo --login -u rundeck ssh-add -l]
DenyKey=system.run[*]
----------
# root-owned, group zabbix, 0640: the agent can read its include file but not alter it.
chown root.zabbix /etc/zabbix/zabbix_agent2.d/rundeck-ssh-add.conf
chmod 640 /etc/zabbix/zabbix_agent2.d/rundeck-ssh-add.conf
# sudoers drop-in letting the zabbix user run only that check as rundeck.
# NOTE(review): `visudo -f /etc/sudoers.d/zabbix_agent_checks` syntax-checks the
# drop-in; a broken file under sudoers.d can lock everyone out of sudo.
vim /etc/sudoers.d/zabbix_agent_checks
----------
# Least-privilege rule for the monitoring check: zabbix may run only
# `ssh-add -l` as rundeck, via a login shell (which is what
# `sudo --login -u rundeck ssh-add -l` expands to).
# NOTE(review): the alias assumes rundeck's login shell is /bin/bash — confirm,
# otherwise the command will not match and the check fails.
Defaults:zabbix !requiretty
Cmnd_Alias ZABBIX_CMD = /bin/bash -c ssh-add -l
zabbix ALL=(rundeck) NOPASSWD:ZABBIX_CMD
----------
# Restart to load the new include; status should show the agent active.
systemctl restart zabbix-agent2
systemctl status zabbix-agent2
* Create Zabbix Check Item
Name: ssh-agent
Type: Zabbix Agent
Key: system.run["sudo --login -u rundeck ssh-add -l"]
Type: Text
Preprocessing:
Name: Regular Expression
Search: .*(RSA|ERROR).*
Replace: \1
Type: Text
* Create Zabbix Trigger for this Item
Name: Rundeck is locked
Severity: Disaster
Expression: last(/srundeck01.domain.local/system.run["sudo --login -u rundeck ssh-add -l"])="ERROR"
Allow manual close: FALSE
Description:
Ansible Vault and SSH keys on host are locked.
Please login as root and execute: init-rundeck-and-ansible.sh
7 FREEIPA INVENTORY
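# rundeck user
# Relative path: expects the cwd to be /etc/ansible (cd'ed in section 4).
# -f: fail on an HTTP error instead of writing the error page into the
# inventory script. Unpinned download from a third-party repository: read the
# script (or pin a commit) before it becomes part of the inventory pipeline.
curl -fsS -o inventory/freeipa.py https://raw.githubusercontent.com/joe-speedboat/ansible.idm-inventory/main/inventory/freeipa.py
chmod 700 inventory/freeipa.py
python3.8 -m pip install --user python_freeipa
# A quoted heredoc replaces the single-quoted echo, which contained single
# quotes of its own: those ended the string early, so the user and password
# values were written without their quotes and the password was exposed to
# glob expansion. (The duplicated header line is also dropped.)
cat >> "$HOME/.bashrc" <<'EOF'
# FreeIPA Ansible Inventory Auth
export freeipaserver=freeipa01.domain.local
export freeipauser='svc_bind_rundeck_prod'
export freeipapassword='******'

EOF
# The bind password now sits in plaintext in .bashrc: keep that file readable
# by the rundeck user only, and prefer a secrets source where one is available.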
8 RUNDECK FREEIPA AUTH
# JAAS realm definition for Rundeck (LDAPS against FreeIPA, then the local
# realm.properties); it contains the bind password, so its permissions are
# tightened right after it is written.
vim /etc/rundeck/multiauth.conf
--------------------------------
// Rundeck login realm: FreeIPA over LDAPS first; because that module is
// "sufficient", a successful LDAP login ends the chain, otherwise the local
// realm.properties module ("required") decides — so local/admin accounts keep
// working when IPA is unreachable.
multiauth {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    // Verbose login tracing; consider turning it off once logins work.
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://freeipa01.domain.local:636 ldaps://freeipa02.domain.local:636"
    // Hostname verification is off: the chain is still checked against the
    // truststore, but an otherwise-valid certificate issued for a different
    // host name would be accepted. Once the IPA certificate/CA is imported
    // (keytool steps below) this can presumably be "true" — confirm.
    ldapsVerifyHostname="false"
    bindDn="uid=svc_bind_rundeck_prod,cn=users,cn=accounts,dc=domain,dc=local"
    // Plaintext bind secret: the file is chown root:rundeck / chmod 640 below; keep it that way.
    bindPassword="******"
    authenticationMethod="simple"
    // The user's own credentials are checked by binding as that user.
    forceBindingLogin="true"
    userBaseDn="cn=users,cn=accounts,dc=domain,dc=local"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="posixAccount"
    userLastNameAttribute="sn"
    userFirstNameAttribute="givenName"
    userEmailAttribute="mail"
    // Role (Rundeck group) lookup: IPA groups under cn=groups, matched on "member".
    roleBaseDn="cn=groups,cn=accounts,dc=domain,dc=local"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="groupOfNames"
    // Cached LDAP results live for 5 minutes; group removals take up to that long to bite.
    cacheDurationMillis="300000"
    reportStatistics="true";
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};
--------------------------------
# The LDAP bind password is in this file: readable by root and the rundeck group only.
chown root.rundeck /etc/rundeck/multiauth.conf
chmod 640 /etc/rundeck/multiauth.conf
vim /etc/rundeck/rundeck-config.properties
--------------------------------
# Presumably refreshes the local Rundeck user profile from LDAP at login — confirm
# the exact attribute set in the Rundeck documentation.
rundeck.security.syncLdapUser=true
--------------------------------
# Point the rundeckd service at the JAAS realm written above.
vim /etc/sysconfig/rundeckd
--------------------------------
# Enable JAAS and select the realm; LOGIN_MODULE must match the name of the
# `multiauth { ... }` block in JAAS_CONF. That file is root:rundeck 0640, so the
# service must run as the rundeck user to read it.
JAAS_LOGIN=true
LOGIN_MODULE=multiauth
JAAS_CONF=/etc/rundeck/multiauth.conf
--------------------------------
# Full-admin ACL policy for the FreeIPA group rundeckadm (two documents: project
# context and application context).
vim /etc/rundeck/ansibleadm.aclpolicy
-------------------------------
# Project-context policy: members of the LDAP group rundeckadm get every action
# on every project. This is an all-access grant, so membership of that IPA
# group is the effective admin boundary — keep it tight.
description: FreeIPA Rundeck Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: rundeckadm
---
# Application-context policy for the same group: project creation, project
# admin, project-level ACL admin and full key-storage access (the storage
# grant covers the keys Rundeck uses to reach nodes).
description: FreeIPA Rundeck Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: rundeckadm
-----------------------------
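chown root:rundeck /etc/rundeck/ansibleadm.aclpolicy
chmod 640 /etc/rundeck/ansibleadm.aclpolicy
# Fetch the LDAPS server certificate and keep only the first PEM block, so the
# s_client chatter no longer has to be removed by hand before keytool can read it.
echo | openssl s_client -showcerts -connect freeipa01.domain.local:636 2>/dev/null \
  | openssl x509 -outform PEM > /etc/rundeck/ssl/idm.pem
# NOTE(review): this pins freeipa01's leaf certificate. Trust breaks when that
# certificate is renewed, and it never covers freeipa02 (also listed in
# providerUrl). Importing the IPA CA certificate instead avoids both problems.
cp -av /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts.orig
# 'changeit' is the JDK default keystore password and 'adminadmin' the default
# for Rundeck's bundled truststore; adjust if either was changed on this host.
# The system cacerts file under ca-trust/extracted is regenerated by the
# ca-trust tooling, so the rundeck truststore import is the durable one.
keytool -import -alias idm -file /etc/rundeck/ssl/idm.pem -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit
keytool -import -alias idm -file /etc/rundeck/ssl/idm.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
chown rundeck:rundeck /etc/rundeck/ssl/*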
9 RUNDECK ANSIBLE PROJECT EXAMPLE
PROJECT: ansible
--------------------------------------------------------
Detail:
Project Name: ansible
Label: ansible_linux_ssh
Execution History Clean:
Enable: [X]
User Interface:
Job Group Expansion Level: 9
Default Node Executor:
Type: Ansible Ad-Hoc Node Executor
Executable: /bin/bash
Windows Executable: powershell.exe
Ansible config file path: /etc/ansible/ansible.cfg
Default File Copier:
Type: local
We use native Ansible, so a file copier is not needed.
PROJECT: ansible > Edit Nodes > Sources > Add
--------------------------------------------------------
Type: Ansible Resource Model Source
Ansible config file path: /etc/ansible/ansible.cfg
10 BUGS & FIXES
- Error Msg: /bin/sh: /tmp/0-1-localhost-dispatch-script.tmp.sh: Permission denied
# "Permission denied" when running /tmp/<dispatch-script>.sh usually means /tmp
# is mounted noexec; moving Rundeck's script drop location to the remote user's
# home avoids that. How '~/' is expanded is Rundeck-defined — verify on a node.
echo '
# ----------------------------------------------------------------
# CUSTOM VALUES
# ----------------------------------------------------------------
framework.file-copy-destination-dir = ~/
' >> /etc/rundeck/framework.properties
systemctl restart rundeckd