The goal of this post is to set up a RunDeck server that runs Ansible playbooks pulled automatically from GitLab, with user access handled through Active Directory.
Ansible Install
I used pip to install Ansible because Ubuntu still ships Python 2 as its default interpreter, and the Ansible package in the Ubuntu repository is older than what pip provides. The pip installation runs under Python 3.
We'll install a couple of dependencies as well (the header packages are build dependencies for the Kerberos and SSL pieces of pywinrm). Install system-wide so the rundeck service account can find the ansible binaries later on, and quote the pywinrm extra so the shell does not treat the brackets as a glob pattern.
sudo apt-get install python3-pip libssl-dev libkrb5-dev
sudo -H pip3 install ansible 'pywinrm[kerberos]' pyvmomi
RunDeck Install
Add the repository and install. The Bintray service that hosted this repository was shut down in 2021, so on a current system use the package repository given in Rundeck's own install documentation instead; the remaining steps are the same.
echo "deb https://rundeck.bintray.com/rundeck-deb /" | sudo tee -a /etc/apt/sources.list.d/rundeck.list
curl 'https://bintray.com/user/downloadSubjectPublicKey?username=bintray' | sudo apt-key add -
sudo apt-get update
sudo apt-get install rundeck
Basic Config
Edit the RunDeck configuration to set the mail server, from address, and server URL. grails.serverURL must be the URL users actually type, i.e. the https address served by the reverse proxy, and server.useForwardHeaders=true makes RunDeck trust the X-Forwarded-* headers that proxy adds.
sudo nano /etc/rundeck/rundeck-config.properties
grails.serverURL=https://<server_fqdn>
grails.mail.host=<mail_server>
grails.mail.port=25
grails.mail.default.from=<from_address>
server.session.timeout=3600
server.useForwardHeaders=true
Database Config (Optional)
Using an external database is suggested for performance scaling. I’ll be using MariaDB for this configuration.
Install MariaDB and secure the install (mysql_secure_installation sets the root password, removes the anonymous accounts and the test database, and disables remote root login):
sudo apt-get install mariadb-server
sudo mysql_secure_installation
Create the RunDeck database and a user that can only connect from localhost (without the @'localhost' part the grant applies to connections from any host):
mysql -u root -p
create database rundeck;
grant ALL on rundeck.* to 'rundeckuser'@'localhost' identified by 'rundeckpassword';
exit;
Modify the RunDeck configuration. The database password sits in this file in cleartext, so it should stay readable only by root and the rundeck user (check with ls -l after editing). useSSL=false is acceptable only because the connection never leaves localhost.
sudo nano /etc/rundeck/rundeck-config.properties
dataSource.dbCreate=update
dataSource.url=jdbc:mysql://localhost/rundeck?autoReconnect=true&useSSL=false
dataSource.username=rundeckuser
dataSource.password=rundeckpassword
dataSource.driverClassName=com.mysql.jdbc.Driver
rundeck.projectsStorageType=db
Active Directory
Create the login configuration for JAAS. Two things to note: rundeck.security.syncLdapUser=true is a RunDeck property and belongs in /etc/rundeck/rundeck-config.properties, not in this file, where it would break the JAAS syntax; and because the bind account's password is stored here in cleartext, keep the file readable only by root and the rundeck user. With ldap:// on port 389 and a simple bind, that bind password and every user's login password cross the network unencrypted, so point providerUrl at ldaps://<domain_ctlr_fqdn>:636 (with the domain CA trusted by the JVM) wherever you can. forceBindingLogin="true" means RunDeck authenticates by binding to AD as the user, so userPasswordAttribute is never actually read.
sudo nano /etc/rundeck/jaas-ldap.conf
activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://<domain_ctlr_fqdn>:389"
    bindDn="CN=QueryUser,OU=Secure,OU=Non-User,DC=domain,DC=com"
    bindPassword="password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=domain,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Rundeck,OU=SecurityGroups,DC=domain,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    rolePrefix="rundeck_"
    cacheDurationMillis="300000"
    reportStatistics="true";
};
Modify the RunDeck environment variables to use the new configuration (loginmodule.name must match the name of the block in the JAAS file, here activedirectory):
sudo nano /etc/default/rundeckd
RDECK_JVM_OPTS="-Drundeck.jaaslogin=true \
  -Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
  -Dloginmodule.name=activedirectory"
Create the admin security group in AD and add users to it. The group must live under roleBaseDn (OU=Rundeck,OU=SecurityGroups) and its cn is mapped to a RunDeck role with the rolePrefix stripped, so a group named rundeck_admin gives its members the admin role, which the admin.aclpolicy shipped with RunDeck grants full access to. Keep membership of that group small; anyone in it can run any job on any node.
NGINX
Reverse Proxy
Set up access to RunDeck through an Nginx reverse proxy, so that TLS terminates in Nginx. Bind RunDeck's own port 4440 to 127.0.0.1 or firewall it; otherwise the proxy, and its TLS, can simply be bypassed.
Copy the certificate and private key to the server and restrict their permissions; Nginx reads them as root at startup, so 400 is enough:
sudo mkdir /opt/rundeck
sudo cp server_cert.pem /opt/rundeck
sudo cp server_key.pem /opt/rundeck
sudo chmod 400 /opt/rundeck/*
Install NGINX:
sudo apt-get install nginx
Configure SSL settings:
sudo nano /etc/nginx/nginx.conf
# SSL Settings section
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
Modify the default site. Note the $request_uri on the redirect, so that the path a user asked for survives the jump to https, and the proxy_set_header lines, which are what server.useForwardHeaders=true in RunDeck relies on; without X-Forwarded-Proto RunDeck would build http:// links and redirects behind the proxy. Proxying to 127.0.0.1 keeps the hop on the loopback interface.
sudo nano /etc/nginx/sites-enabled/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name <server_fqdn>;
    return 301 https://<server_fqdn>$request_uri;
}

server {
    listen 443 ssl;
    server_name <server_fqdn>;
    keepalive_timeout 70;
    ssl_certificate /opt/rundeck/server_cert.pem;
    ssl_certificate_key /opt/rundeck/server_key.pem;
    root /var/www/html;
    location / {
        proxy_pass http://127.0.0.1:4440;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Automatic Pull
Install the PHP FastCGI process manager and Git:
sudo apt-get install php-fpm git
Configure php-fpm to run as the rundeck user, so the pulled checkout stays owned by the account RunDeck runs jobs as. Be aware of what this implies: whatever the PHP listener executes runs with the rundeck account's privileges, so the listener has to be locked down as carefully as the RunDeck login itself.
sudo nano /etc/php/7.2/fpm/pool.d/www.conf
Near the top find and replace:
user = rundeck
group = rundeck
Set up a project directory and give RunDeck permissions:
sudo mkdir /opt/projects
sudo chown -R rundeck:rundeck /opt/projects
Clone a repo into the project directory as the rundeck user. If the repo is private, that user needs its own read-only credentials (a deploy key, for example), because the automatic pulls later on run under the same account:
cd /opt/projects
sudo runuser -u rundeck -- git clone <gitlab_repo>
Create the webhook listener page. It acts only on push events to master, checks the Secret Token that GitLab sends in the X-Gitlab-Token header (set on the webhook in GitLab), and validates the project name before using it, because that name comes straight from the request body and would otherwise be dropped into the shell command unchanged:
sudo nano /var/www/html/pull.php
<?php
// Secret Token configured on the GitLab webhook; GitLab sends it as X-Gitlab-Token.
$secret = '<webhook_secret_token>';
$supplied = $_SERVER['HTTP_X_GITLAB_TOKEN'] ?? '';
if (!hash_equals($secret, $supplied)) {
    http_response_code(403);
    exit;
}
$json = json_decode(file_get_contents('php://input'));
$event = $json->object_kind ?? '';
$ref = $json->ref ?? '';
$project = $json->project->name ?? '';
// The project name becomes a path and a shell argument: allow a safe character set only.
if ($event === 'push' && $ref === 'refs/heads/master'
    && preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/D', $project)
    && is_dir("/opt/projects/$project/.git")) {
    $dir = escapeshellarg("/opt/projects/$project");
    shell_exec("cd $dir && git reset --hard HEAD && git pull");
}
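The checks a listener like this has to make are easier to reason about, and to test, in isolation from PHP and a web server. The following Python module is an added example written for this post, not the post's own pull.php and not code from GitLab or RunDeck: it models the same job (on a push to master, hard-reset and pull /opt/projects/<project>) as a function that returns the git commands to run, so the rejection cases (wrong token, non-push event, other branch, a project name carrying shell metacharacters or path traversal) can be exercised offline. The project root, branch name, token value and the sample payload are assumptions chosen to match the post's layout.

```python
"""Validation and dispatch logic for a GitLab push-webhook listener.

Added example, not the post's pull.php. Models the same job as a testable
function: authenticate the caller, filter the event, validate the project
name, and build git commands that never pass through a shell. The project
root, branch, token and sample payload below are assumptions."""
import hmac
import json
import re
from pathlib import Path
from subprocess import run

PROJECT_ROOT = Path("/opt/projects")       # assumed: same layout as the post
ALLOWED_REF = "refs/heads/master"           # GitLab sends the full ref name
# The project name becomes a directory name; allow only a conservative set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class WebhookRejected(Exception):
    """A delivery that must be answered with 400/403 and never acted on."""


def check_token(headers, expected_token):
    """GitLab sends the webhook's Secret Token as X-Gitlab-Token.
    hmac.compare_digest keeps the comparison constant-time."""
    supplied = str(headers.get("X-Gitlab-Token", ""))
    if not expected_token or not hmac.compare_digest(
            supplied.encode("utf-8"), expected_token.encode("utf-8")):
        raise WebhookRejected("missing or wrong X-Gitlab-Token")


def plan_update(headers, body, expected_token,
                project_root=PROJECT_ROOT, allowed_ref=ALLOWED_REF):
    """Return the git commands (argv lists) to run for this delivery, None if
    the delivery is valid but not a push to the tracked branch, and raise
    WebhookRejected for anything that fails authentication or validation."""
    check_token(headers, expected_token)
    try:
        event = json.loads(body)
    except ValueError:
        raise WebhookRejected("body is not JSON") from None
    if not isinstance(event, dict):
        raise WebhookRejected("body is not a JSON object")
    if event.get("object_kind") != "push":
        return None                          # tag pushes, MRs etc. are ignored
    if event.get("ref") != allowed_ref:
        return None                          # other branches leave the checkout alone
    project = event.get("project")
    name = project.get("name") if isinstance(project, dict) else None
    if not isinstance(name, str) or not SAFE_NAME.match(name):
        raise WebhookRejected("project name not allowed: %r" % (name,))
    repo = (project_root / name).resolve()
    if repo.parent != project_root.resolve():  # belt and braces against traversal
        raise WebhookRejected("repository path escapes %s" % project_root)
    # argv lists and no shell: a name like "x; rm -rf /" could never be
    # interpreted even if the allow-list above were loosened.
    return [
        ["git", "-C", str(repo), "reset", "--hard", "HEAD"],
        ["git", "-C", str(repo), "pull", "--ff-only"],
    ]


def run_update(commands):
    """Execute the planned commands without a shell, stopping on first failure."""
    for argv in commands:
        run(argv, check=True)


# Constructed sample delivery, shaped like GitLab's push event (abridged).
SAMPLE_TOKEN = "change-me-webhook-secret"          # assumed token value
SAMPLE_HEADERS = {"X-Gitlab-Token": SAMPLE_TOKEN}
SAMPLE_BODY = json.dumps({
    "object_kind": "push",
    "ref": "refs/heads/master",
    "project": {"name": "ansible-playbooks"},
})

if __name__ == "__main__":
    for argv in plan_update(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_TOKEN):
        print(" ".join(argv))
```

The design choice worth copying into any language is the split between deciding (plan_update, pure and testable) and acting (run_update, which only ever receives argv lists). A listener that builds one shell string from request fields, as the original did, has to get escaping right on every field; one that never invokes a shell has nothing to escape, and the name allow-list then only protects the filesystem path.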
Add a new Nginx server to the end of the default site. Expose only pull.php rather than every .php file under the document root and, since only GitLab should ever call it, allow just the GitLab server's address (<gitlab_server_ip> below) and deny everything else:
sudo nano /etc/nginx/sites-enabled/default
server {
    listen 27000 ssl;
    server_name <server_fqdn>;
    ssl_certificate /opt/rundeck/server_cert.pem;
    ssl_certificate_key /opt/rundeck/server_key.pem;
    root /var/www/html;
    location = /pull.php {
        allow <gitlab_server_ip>;
        deny all;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}
Running the Server
Restart services and start RunDeck:
sudo systemctl restart php7.2-fpm.service
sudo systemctl restart nginx
sudo systemctl enable nginx
sudo systemctl start rundeckd
sudo systemctl enable rundeckd
If all went well you should be able to reach the server in your browser at https://<server_fqdn> and log in with an AD account that is a member of the admin group.
GitLab Webhook
In the Admin Area go to Settings -> Outbound Requests and check the box for "Allow requests to the local network from hooks and services". This setting applies to every hook on the instance, so if your GitLab version offers the accompanying allowlist of local addresses, add just the RunDeck server there rather than opening the whole local network.
In your repository go to Settings -> Integrations.
Put in the URL for the RunDeck server and the PHP listener port: https://<server_fqdn>:27000/pull.php
Enter a Secret Token; GitLab sends it as the X-Gitlab-Token header with every delivery, and pull.php should accept nothing that does not carry it.
Leave "Enable SSL verification" on. If the RunDeck certificate comes from an internal CA, that CA must be trusted on the GitLab host or deliveries will fail.
Enter "master" for the branch under Push Events.
Click "Add Webhook".
Commit and push a change to the repo and you should see the checkout update under /opt/projects/<repo>. If nothing happens, the webhook's recent deliveries in GitLab show the response code returned by pull.php, which is the first place to look.