Rundeck

Refer to my installation under Ubuntu

Administration

Project

For every project there is a directory in

/var/rundeck/projects/

Inside there is a file with the definition of all the nodes
/var/rundeck/projects/test/etc# less resources.xml

New project

When you add a new project, after its creation you need to replace the file /var/rundeck/projects/projectname/etc/resources.xml for the project.

Add a new role/group

You need to modify /var/lib/rundeck/exp/webapp/WEB-INF/web.xml; the details are here:
https://github.com/rundeck/rundeck/wiki/FAQ

Windows

Instructions to configure client and server:
http://www.diegoluisi.eti.br/2015/06/linux/rundeck-how-to-add-windows-node/

The module on GitHub:
https://github.com/rundeck-plugins/rundeck-winrm-plugin

Using the cli

Main page for the command line:
http://rundeck.org/docs/man1/index.html

You can do everything from the command line; the most useful command is the run command:

# list.txt holds one node name per line
for node in $(cat list.txt); do
  tools/bin/run -i 5f7f83-694-47-8ec4-83fe5935e7 -- -action download-the-node-write-AND-apply-ST -machine "$node"
done

Before that, you need to configure the user for the login: http://rundeck.org/docs/man1/cli-tool-authentication.html

Using the api

It is possible to call the jobs using the web API.
First of all you need a token; you can find the instructions for using it here:
http://rundeck.org/docs/api/#token-authentication

In my examples the token is XXXXX and the process is called puppetmaster.

Rundeck system info

http://jenkins.mycloud.net:8453/api/14/system/info?authtoken=XXXXXXX

List all the projects

http://jenkins.mycloud.net:8453/api/14/projects?authtoken=XXXXXXX

Run a process; you need to know its id, which you can find in the web interface

http://jenkins.mycloud.net:8453/api/12/job/789654-5a82-4b0e-9c13-1e4a54ff/run?authtoken=XXXXXXX

List all the jobs of a project

http://jenkins.mycloud.net:8453/api/14/project/puppetmaster/jobs?authtoken=XXXXXXX
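
The URLs above put the token in the query string, where it is recorded by access logs, proxies and shell history; the Rundeck API also accepts it in the X-Rundeck-Auth-Token header. The following is an added example, not part of the original notes: it moves the token from a URL of the style used here into that header, reports what still exposes it, and masks tokens in existing log lines. The function names are hypothetical and the sample values are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Header named in the Rundeck API token-authentication documentation.
TOKEN_HEADER = "X-Rundeck-Auth-Token"


def audit_url(url):
    """List the ways a Rundeck API URL exposes its token."""
    parts = urlsplit(url)
    findings = []
    if any(k == "authtoken" for k, _ in parse_qsl(parts.query)):
        findings.append("token in query string (ends up in access logs and shell history)")
    if parts.scheme != "https":
        findings.append("plain HTTP (token readable in transit, header or not)")
    return findings


def to_header_request(url, method="GET"):
    """Move authtoken from the query string into the request header."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in pairs if k == "authtoken"]
    if len(tokens) != 1 or not tokens[0]:
        raise ValueError("expected exactly one non-empty authtoken parameter")
    rest = urlencode([(k, v) for k, v in pairs if k != "authtoken"])
    clean = urlunsplit(parts._replace(query=rest))
    return Request(clean, headers={TOKEN_HEADER: tokens[0]}, method=method)


def redact_authtoken(line):
    """Mask token values in a log or history line before it is stored or shared."""
    return re.sub(r"(authtoken=)[^&\s\"']+", r"\1<redacted>", line)


if __name__ == "__main__":
    # Constructed sample in the style of the URLs above; no request is sent.
    sample = "http://jenkins.mycloud.net:8453/api/14/projects?authtoken=XXXXXXX"
    req = to_header_request(sample)
    print(req.get_method(), req.full_url)
    print(audit_url(sample))
    print(redact_authtoken("GET /api/14/projects?authtoken=XXXXXXX HTTP/1.1"))
```

Pass the returned Request to urllib.request.urlopen to actually send it.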

Authentication realm and ldap

Rundeck documentation page: http://rundeck.org/docs/jp/administration/09-authentication.html

To use LDAP authentication over SSL you need to enable the keystore inside Java.
Here are some links:
https://docs.oracle.com/cd/E29585_01/PlatformServices.61x/security/src/csec_ssl_jsp_start_server.html
http://stackoverflow.com/questions/2343691/do-you-not-need-a-password-to-access-a-truststore-made-with-the-java-keytool
http://www.javacodegeeks.com/2014/07/java-keystore-tutorial.html

ldap and groups:

After a while I found the correct configuration for ldap

ldaps

The important steps to resolve the problem caused by a domain controller's self-signed certificate:

  1. Save the LDAPS certificate
  2. Import it with keytool into the system keystore of the JVM
  3. Import it with keytool into another keystore, used by Rundeck to connect
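
A self-signed certificate saved straight from the network is trusted on first use, so its fingerprint should be compared with one obtained from the domain controller's administrators before it goes into any keystore. The following is an added example, not part of the original notes: it covers step 1, checks the SHA-256 fingerprint, and only then builds the keytool commands for steps 2 and 3. The function names, alias, file path and keystore paths are hypothetical placeholders.

```python
import hashlib
import ssl


def fetch_pem(host, port=636):
    """Step 1: save the certificate the LDAPS endpoint presents (not validated yet)."""
    return ssl.get_server_certificate((host, port))


def sha256_fingerprint(pem):
    """SHA-256 of the DER encoding, colon separated as `keytool -printcert` shows it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(pem, expected):
    """Compare against a fingerprint obtained out of band, ignoring case and colons."""
    wanted = expected.replace(":", "").replace(" ", "").upper()
    return sha256_fingerprint(pem).replace(":", "") == wanted


def keytool_import_argv(pem_path, keystore, alias):
    """One import command; keytool prompts for the store password itself."""
    return ["keytool", "-importcert", "-alias", alias,
            "-file", pem_path, "-keystore", keystore]


def plan_import(pem, expected, pem_path, keystores, alias="ldaps-dc"):
    """Steps 2 and 3: refuse to build any import command unless the pin matches."""
    if not matches_pin(pem, expected):
        raise ValueError("fingerprint mismatch: do not import this certificate")
    return [keytool_import_argv(pem_path, ks, alias) for ks in keystores]


if __name__ == "__main__":
    # Constructed bytes stand in for fetch_pem("hostname.mycompany.net") so this runs offline.
    pem = ssl.DER_cert_to_PEM_cert(b"constructed bytes, not a real certificate")
    pin = sha256_fingerprint(pem)  # in practice: the value supplied by the AD team
    stores = ["/path/to/jvm/cacerts", "/path/to/rundeck/truststore"]  # placeholders
    for argv in plan_import(pem, pin, "dc.pem", stores):
        print(" ".join(argv))
```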

The connection configuration and role

~/rundeck # cat server/config/jaas-ldap.conf

activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      providerUrl="ldaps://hostname.mycompany.net:636"
      bindDn="CN=sa-bcloud,OU=Service_Account,OU=AD_Security,OU=Administration,dc=intra,dc=corp,dc=mydomain,dc=com"
      bindPassword="SecretPasswordblablabla123"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="dc=intra,dc=corp,dc=company,dc=com"
      userRdnAttribute="sAMAccountName"
      userIdAttribute="sAMAccountName"
      userPasswordAttribute="unicodePwd"
      userObjectClass="user"
      roleBaseDn="dc=intra,dc=corp,dc=company,dc=com"
      roleNameAttribute="cn"
      roleMemberAttribute="member"
      roleObjectClass="group"
      cacheDurationMillis="300000"
      supplementalRoles="user"
      reportStatistics="true";

    org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule required
      debug="true"
      file="/products/software/rundeck/server/config/realm.properties";
};

The most important part is supplementalRoles="user": this role is applied to all the LDAP users.

~/rundeck # cat etc/admin.aclpolicy

description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: [admin,GD-PAAS-Puppet-Users]

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: [admin,GD-PAAS-Puppet-Users]

If your role user exists and doesn't have permissions, you can log in to Rundeck without the error message
(screenshot: rundeck-role.png)

You need to do the following steps:

  1. Click on your username at the top left
  2. Select profile
  3. Click on the "Edit" button
  4. Enter your email, first name and last name
  5. After this you can see all the groups

(screenshot: rundeck-groups.png)
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License