
RunDeck with Ansible, Active Directory, and Automatic Pull (Ubuntu 18.04)

The goal of this post is to set up a RunDeck server capable of running Ansible playbooks pulled from GitLab. For user access, RunDeck will be integrated with Active Directory.

Ansible Install

I used pip to install Ansible because Ubuntu still uses Python 2 by default.
The pip installation uses Python 3 and is newer than what’s available in the repo.
We’ll install a couple of dependencies as well.

sudo apt-get install python3-pip libssl-dev libkrb5-dev
pip3 install ansible 'pywinrm[kerberos]' pyvmomi

RunDeck Install

Add the repository and install.

echo "deb https://rundeck.bintray.com/rundeck-deb /" | sudo tee -a /etc/apt/sources.list.d/rundeck.list
curl 'https://bintray.com/user/downloadSubjectPublicKey?username=bintray' | sudo apt-key add -
sudo apt-get update
sudo apt-get install rundeck

Basic Config

Edit the configuration for RunDeck to set the mail server, from address, and server URL.

sudo nano /etc/rundeck/rundeck-config.properties
grails.serverURL=https://<server_fqdn>
grails.mail.host=<mail_server>
grails.mail.port=25
grails.mail.default.from=<from_address>
server.session.timeout=3600
server.useForwardHeaders=true

Database Config (Optional)

Using an external database is suggested for performance scaling. I’ll be using MariaDB for this configuration.

Install MariaDB and secure the install:

sudo apt-get install mariadb-server
sudo mysql_secure_installation

Create the RunDeck database:

mysql -u root -p
create database rundeck;
grant ALL on rundeck.* to 'rundeckuser' identified by 'rundeckpassword';
exit;

Modify the RunDeck configuration:

sudo nano /etc/rundeck/rundeck-config.properties
dataSource.dbCreate=update
dataSource.url=jdbc:mysql://localhost/rundeck?autoReconnect=true&useSSL=false
dataSource.username=rundeckuser
dataSource.password=rundeckpassword
dataSource.driverClassName=com.mysql.jdbc.Driver
rundeck.projectsStorageType=db

Active Directory

Create the login configuration for JAAS:

sudo nano /etc/rundeck/jaas-ldap.conf
activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://<domain_ctlr_fqdn>:389"
    bindDn="CN=QueryUser,OU=Secure,OU=Non-User,DC=domain,DC=com"
    bindPassword="password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=domain,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Rundeck,OU=SecurityGroups,DC=domain,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    rolePrefix="rundeck_"
    cacheDurationMillis="300000"
    reportStatistics="true";
};

The rundeck.security.syncLdapUser setting is a RunDeck property rather than a JAAS module option, so it belongs in rundeck-config.properties, not inside the activedirectory block:

sudo nano /etc/rundeck/rundeck-config.properties
rundeck.security.syncLdapUser=true

Modify the RunDeck environment variables to use the new configuration:

sudo nano /etc/default/rundeckd
RDECK_JVM_OPTS="-Drundeck.jaaslogin=true \
       -Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
       -Dloginmodule.name=activedirectory"

Create the admin Security Group in Active Directory and add users to the group.

NGINX

Reverse Proxy

Set up access to RunDeck using an Nginx reverse proxy.
Copy certificates to the server and set permissions:

sudo mkdir /opt/rundeck
sudo cp server_cert.pem /opt/rundeck
sudo cp server_key.pem /opt/rundeck
sudo chmod 400 /opt/rundeck/*

Install NGINX:

sudo apt-get install nginx

Configure SSL settings:

sudo nano /etc/nginx/nginx.conf
# SSL Settings section
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

Modify the default site:

sudo nano /etc/nginx/sites-enabled/default
server {
      listen 80 default_server;
      listen [::]:80 default_server;
      server_name <server_fqdn>;
      return 301 https://<server_fqdn>$request_uri;
}

server {
      listen 443 ssl;

      server_name         <server_fqdn>;
      keepalive_timeout   70;
      ssl_certificate     /opt/rundeck/server_cert.pem;
      ssl_certificate_key /opt/rundeck/server_key.pem;

      root                /var/www/html;
      location / {
           proxy_pass          http://<server_fqdn>:4440;
           # server.useForwardHeaders=true in rundeck-config.properties relies on these
           proxy_set_header    Host              $host;
           proxy_set_header    X-Real-IP         $remote_addr;
           proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
           proxy_set_header    X-Forwarded-Proto $scheme;
      }
}

Automatic Pull

Install PHP FastCGI process manager and Git:

sudo apt-get install php-fpm git

Configure php-fpm to run as the rundeck user:

sudo nano /etc/php/7.2/fpm/pool.d/www.conf

Near the top, find and replace:

user = rundeck
group = rundeck

Set up a project directory and give RunDeck permissions:

sudo mkdir /opt/projects
sudo chown -R rundeck:rundeck /opt/projects

Clone a repo to the project directory:

cd /opt/projects
sudo runuser -u rundeck -- git clone <gitlab_repo>

Create the webhook page that pulls the repository:

sudo nano /var/www/html/pull.php
<?php
// GitLab posts a JSON body describing the event; only push events trigger a pull.
$json = json_decode(file_get_contents('php://input'));
$event = $json->object_kind ?? '';
$project = $json->project->name ?? '';
// Accept only plain repository names (no leading dot, no slashes or shell metacharacters):
// the name is used to build a path and a shell command, so anything else is refused.
if ($event === 'push' && is_string($project)
    && preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $project)
    && is_dir("/opt/projects/$project")) {
  $dir = escapeshellarg("/opt/projects/$project");
  shell_exec("cd $dir && git reset --hard HEAD && git pull");
}
?>
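As an added offline check (my code, not the post's pull.php), this mirrors the decision the webhook page has to make on each request: accept only GitLab push events whose project name is a plain directory name under /opt/projects, and verify the webhook's secret token (GitLab sends the token configured on a webhook as the X-Gitlab-Token header) before doing anything. The secret and the sample payloads are constructed; the function returns the git commands to run instead of executing them so the decisions can be inspected.

```python
import hmac
import json
import os
import re

PROJECTS_ROOT = "/opt/projects"
# Repository names that may be pulled: letters, digits, dot, underscore, dash, with
# no leading dot (so "." and ".." are refused) and nothing a shell or path could reinterpret.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*$")


def pull_commands(body, headers, expected_token, projects_root=PROJECTS_ROOT):
    """Return the git argv lists to run for one webhook request, or None to ignore it.
    body is the raw POST body, headers the request headers, expected_token the
    secret token configured on the GitLab webhook (GitLab sends it as X-Gitlab-Token).
    """
    token = headers.get("X-Gitlab-Token", "")
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return None  # unauthenticated caller: do not even parse the body
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("object_kind") != "push":
        return None
    project = payload.get("project")
    name = project.get("name") if isinstance(project, dict) else None
    if not isinstance(name, str) or not SAFE_NAME.match(name):
        return None
    repo_dir = os.path.join(projects_root, name)
    # argv lists rather than one shell string: the name reaches git verbatim and can
    # never be parsed as shell syntax, which is what pull.php's string interpolation risks.
    return [["git", "-C", repo_dir, "reset", "--hard", "HEAD"],
            ["git", "-C", repo_dir, "pull"]]


# Constructed sample requests: one genuine push event and several that must be refused.
SECRET = "constructed-webhook-secret"
AUTH = {"X-Gitlab-Token": SECRET}

def push_body(kind, name):
    return json.dumps({"object_kind": kind, "project": {"name": name}})

def demo():
    return {
        "push": pull_commands(push_body("push", "ansible-playbooks"), AUTH, SECRET),
        "traversal": pull_commands(push_body("push", "../../etc"), AUTH, SECRET),
        "shell_meta": pull_commands(push_body("push", "repo; id"), AUTH, SECRET),
        "other_event": pull_commands(push_body("merge_request", "ansible-playbooks"), AUTH, SECRET),
        "bad_token": pull_commands(push_body("push", "ansible-playbooks"), {}, SECRET),
    }
```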

Add a new NGINX server to the end of the default site:

sudo nano /etc/nginx/sites-enabled/default
server {
      listen 27000 ssl;
      server_name <server_fqdn>;
      ssl_certificate     /opt/rundeck/server_cert.pem;
      ssl_certificate_key /opt/rundeck/server_key.pem;
      root /var/www/html;

      location ~ \.php$ {
           include snippets/fastcgi-php.conf;
           fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
      }
}

Running the Server

Restart services and start RunDeck:

sudo systemctl restart php7.2-fpm.service
sudo systemctl restart nginx
sudo systemctl enable nginx
sudo systemctl start rundeckd
sudo systemctl enable rundeckd

If all went well you should be able to access the server in your browser.

GitLab Webhook

In the Admin Area go to Settings -> Outbound Requests.

Check the box for “Allow requests to the local network from hooks and services”

In your repository go to Settings -> Integrations.

Put in the URL for the RunDeck server and PHP listener port: https://<server_fqdn>:27000/pull.php

Enter “master” for the branch under Push Events.

Click “Add Webhook”.

Commit and push a change to the repo, and you should see the filesystem update in /opt/projects/<repo>.
