Quoting rundeck.org: Rundeck is an open source process automation and command orchestration tool with a web console. As I understand it, it is a fork of ControlTier: www.controltier.org. I am usually all for the command line, but you have to admit the developers have done a pretty good job on the web console, and the documentation is pretty good as well.

No agents need to be installed on your servers: Rundeck works over SSH. You just need to deploy a dedicated public SSH key and you are done (see ssh-copy-id). Keep in mind what that key is worth: the node definitions further down use username="root", so whoever controls the Rundeck server, or can read its private key, has root on every node. Treat the server as a sensitive host and restrict the key on the nodes accordingly.

This post should help you install and configure Rundeck in under 15 minutes. It covers configuration of email, SSL, authentication against Active Directory, authorization, and shows a node definition file (which Rundeck can also fetch from a URL).

Installation on Red Hat: basically a single RPM with no dependencies. You just need a working Java; OpenJDK works fine.

Email configuration (apparently not documented): edit /etc/rundeck/rundeck-config.properties:

grails.mail.host=smtp.example.org
grails.mail.port=25
grails.mail.default.from=rundeck@example.org
Enabling SSL on the web console (self-signed): see http://rundeck.org/docs/administration/ssl.html. Basically:

cd /etc/rundeck/ssl
keytool -keystore keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass password
cp /etc/rundeck/ssl/keystore /etc/rundeck/ssl/truststore

Do not keep "password" as the keystore and key password: it is what ends up in /etc/rundeck/ssl/ssl.properties (the file -Drundeck.ssl.config points at), so pick a real one and make ssl.properties and the keystore readable only by the rundeck user. Copying the keystore to the truststore also puts the private key in the truststore; it works, but the truststore only needs the certificate.

/etc/rundeck/framework.properties:

framework.server.url = https://localhost:4443
framework.rundeck.url = https://localhost:4443
framework.server.port = 4443

These URLs are what Rundeck uses when it builds links, so use the name users actually type rather than localhost.

Under /etc/rundeck/profile, uncomment:

export RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties -Dserver.https.port=4443"

Then restart rundeckd. Check whether the plain HTTP port (4440 by default) is still listening after the restart (netstat -tlnp) and firewall it if so, otherwise the https port is only a second door next to an open one.
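The same procedure as an added example script (not from the post or from Rundeck), with the fixed password "password" replaced by a random one, ssl.properties written in the layout Rundeck's SSL documentation describes, and a truststore that holds only the certificate. It assumes /etc/rundeck/ssl, the service user rundeck and port 4443 as above; the ssl.properties key names are taken from the Rundeck docs and should be compared against the copy the RPM ships.

```shell
#!/bin/sh
# Added example (not from the original post or from Rundeck): generate the
# self-signed keystore with a random password instead of "password", write
# ssl.properties so Rundeck can read it, and verify the listener afterwards.
# Assumed: /etc/rundeck/ssl is the SSL directory, the service runs as user
# "rundeck" and the HTTPS port is 4443, as in the post.
set -eu

SSL_DIR="${SSL_DIR:-/etc/rundeck/ssl}"
RUNDECK_USER="${RUNDECK_USER:-rundeck}"
HTTPS_PORT="${HTTPS_PORT:-4443}"

# 24 random alphanumeric characters: safe for keytool and for a .properties file.
new_password() {
    head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-24
}

# Write ssl.properties (keystore, key and truststore passwords, the layout the
# Rundeck SSL docs show). It holds the passwords in clear, so it is created 0600.
write_ssl_properties() {
    dir="$1"; pass="$2"
    (
        umask 077
        cat > "$dir/ssl.properties" <<EOF
keystore=$dir/keystore
keystore.password=$pass
key.password=$pass
truststore=$dir/truststore
truststore.password=$pass
EOF
    )
    chmod 600 "$dir/ssl.properties"
}

# Generate the key pair, then build the truststore from the exported certificate
# instead of copying the keystore (which would put the private key in it too).
setup_rundeck_ssl() {
    host="$1"
    pass="$(new_password)"
    mkdir -p "$SSL_DIR"
    rm -f "$SSL_DIR/keystore" "$SSL_DIR/truststore"
    keytool -genkeypair -alias rundeck -keyalg RSA -keysize 2048 -validity 825 \
        -dname "CN=$host" -ext "san=dns:$host" \
        -keystore "$SSL_DIR/keystore" -storepass "$pass" -keypass "$pass"
    keytool -exportcert -alias rundeck -rfc -file "$SSL_DIR/rundeck.crt" \
        -keystore "$SSL_DIR/keystore" -storepass "$pass"
    keytool -importcert -noprompt -alias rundeck -file "$SSL_DIR/rundeck.crt" \
        -keystore "$SSL_DIR/truststore" -storepass "$pass"
    write_ssl_properties "$SSL_DIR" "$pass"
    chown "$RUNDECK_USER": "$SSL_DIR/keystore" "$SSL_DIR/truststore" "$SSL_DIR/ssl.properties"
    chmod 600 "$SSL_DIR/keystore" "$SSL_DIR/truststore"
}

# After restarting rundeckd: confirm the listener presents the new certificate.
verify_listener() {
    host="$1"
    openssl s_client -connect "$host:$HTTPS_PORT" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Usage (as root): RUN_SETUP=1 sh rundeck-ssl.sh rundeck.example.org
if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_rundeck_ssl "$1"
    echo "keystore, truststore and ssl.properties written to $SSL_DIR; restart rundeckd, then run verify_listener $1"
fi
```

The rundeck.crt left in the directory is what you hand to browsers or to other tools that must trust this self-signed listener; the keystore never leaves the host.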
Enabling LDAP against Active Directory for authentication. /etc/rundeck/profile:

export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
 -Dloginmodule.name=ldap \
 -Drdeck.config=/etc/rundeck \
 -Drdeck.base=/etc/rundeck \
 -Drundeck.server.configDir=/etc/rundeck \
 -Dserver.datastore.path=/var/lib/rundeck/data \
 -Drundeck.server.serverDir=/var/lib/rundeck \
 -Drdeck.projects=/var/rundeck/projects \
 -Drdeck.runlogs=/var/lib/rundeck/logs \
 -Drundeck.config.name=/etc/rundeck/rundeck-config.properties \
 -Djava.io.tmpdir=$RUNDECK_TEMPDIR"

-Dloginmodule.name=ldap must match the name of the block in jaas-ldap.conf (ldap { ... } below). This line defines RDECK_JVM from scratch, so it has to come before the SSL line, which appends to $RDECK_JVM.

/etc/rundeck/jaas-ldap.conf:

ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://intranet.example.org:389"
    bindDn="cn=queryldapaccount,ou=tech,ou=company,dc=intranet,dc=example,dc=org"
    bindPassword="xxx"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=company,dc=intranet,dc=example,dc=org"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=groups,OU=company,DC=intranet,DC=example,DC=org"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";
};

A few things to know about this file:

forceBindingLogin="true" is required with Active Directory: the module verifies the password by binding to AD as the user, because unicodePwd cannot be read back (userPasswordAttribute is ignored in that mode).

authenticationMethod="simple" over ldap:// on port 389 sends bindPassword and every user's password across the network in clear text. Use ldaps://intranet.example.org:636 and make sure the Rundeck JVM trusts the certificate AD presents (import the issuing CA into the truststore the JVM uses).

bindPassword is stored in clear: chown rundeck and chmod 600 the file, and give the query account read access only.

debug="true" is handy while setting this up; turn it off afterwards.

cacheDurationMillis="300000" means a user removed from a group in AD can keep that role in Rundeck for up to five minutes.
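The checks above as an added script (not from the post or from Rundeck): it pulls values out of jaas-ldap.conf with sed and reports the settings that matter for an AD backend, and the optional verify_ldap_lookup runs the same search Rundeck's bind account will run, using ldapsearch from openldap-clients. It assumes the key="value" layout shown above, one option per line or all on one line, and that the file belongs to the rundeck user.

```shell
#!/bin/sh
# Added example (not from the original post or from Rundeck): a pre-flight
# check of /etc/rundeck/jaas-ldap.conf for an Active Directory backend.
# Assumed: options are written key="value" as in the post.
set -eu

# Print the value of one key="value" option (empty if the key is absent).
# A space is prepended so a key at the start of a line still has a separator
# before it; [^A-Za-z_] keeps userBaseDn from matching roleBaseDn.
jaas_get() {
    file="$1"; key="$2"
    sed 's/^/ /' "$file" | sed -n 's/.*[^A-Za-z_]'"$key"'="\([^"]*\)".*/\1/p' | head -n 1
}

# Report the findings; the return value is the number of them (0 = clean).
check_jaas_ldap() {
    file="$1"
    findings=0
    url=$(jaas_get "$file" providerUrl)
    case "$url" in
        ldaps://*) ;;
        *) echo "providerUrl=$url: a simple bind over plain ldap:// sends the bind password and every user password in clear text; use ldaps://host:636"
           findings=$((findings+1)) ;;
    esac
    if [ "$(jaas_get "$file" debug)" = "true" ]; then
        echo "debug=\"true\": verbose login-module logging, turn it off once authentication works"
        findings=$((findings+1))
    fi
    if [ "$(jaas_get "$file" forceBindingLogin)" != "true" ]; then
        echo "forceBindingLogin must be \"true\" for Active Directory: unicodePwd cannot be read, the password has to be checked by binding as the user"
        findings=$((findings+1))
    fi
    pw=$(jaas_get "$file" bindPassword)
    if [ -z "$pw" ] || [ "$pw" = "xxx" ]; then
        echo "bindPassword is empty or still the placeholder"
        findings=$((findings+1))
    fi
    perms=$(ls -l "$file" | cut -c1-10)
    if [ "$perms" != "-rw-------" ]; then
        echo "$file is $perms: it holds the bind password in clear, make it 0600 and owned by the rundeck user"
        findings=$((findings+1))
    fi
    echo "$findings finding(s)"
    return $findings
}

# Optional, needs network access and openldap-clients: run the lookup Rundeck
# will run for a login, with the bind account and base DN from the same file.
# memberOf on the user is the reverse view of the group "member" attribute the
# module searches under roleBaseDn.
verify_ldap_lookup() {
    file="$1"; user="$2"
    ldapsearch -H "$(jaas_get "$file" providerUrl)" -x \
        -D "$(jaas_get "$file" bindDn)" -w "$(jaas_get "$file" bindPassword)" \
        -b "$(jaas_get "$file" userBaseDn)" "(sAMAccountName=$user)" dn memberOf
}

# Usage: sh check-jaas-ldap.sh /etc/rundeck/jaas-ldap.conf
if [ -n "${1:-}" ]; then
    check_jaas_ldap "$1"
fi
```

Run it as root after every change to the file; a non-zero exit is the count of things still to fix.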
Configuring authorization: authorization lives in YAML policy files under /etc/rundeck, here /etc/rundeck/admin.aclpolicy. The following gives full access to Rundeck to members of the rundeck_superadmin group, while members of rundeck_admin can only read the jobs in the other groups and run or kill the jobs in the PRD/system group. The names under by: group: are the cn values of the AD groups found under roleBaseDn in the LDAP configuration, so group membership in AD is what grants access here.

description: Super Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: [rundeck_superadmin]

---

description: Super Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: [rundeck_superadmin]

---

description: Admin can run jobs under the PRD/system group.
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [read]
    - equals:
        kind: node
      allow: [read,create,update,refresh]
    - equals:
        kind: event
      allow: [read,create]
  adhoc:
    - allow: [read]
  job:
    - equals:
        group: 'DEV'
      allow: [read]
    - equals:
        group: 'STAGING'
      allow: [read]
    - equals:
        group: 'PRD/cron'
      allow: [read]
    - equals:
        group: 'PRD/system'
      allow: [read, run, kill]
  node:
    - allow: [read,run]
by:
  group: [rundeck_admin]

---

description: Admin application-level access, read-only view of projects, system information and user profiles.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [read]
    - equals:
        kind: system
      allow: [read] # allow read of system info
    - equals:
        kind: user
      allow: [read] # allow read of user profiles
  project:
    - match:
        name: '.*'
      allow: [read]
by:
  group: [rundeck_admin]

Two things to watch in the rundeck_admin policy. First, equals on group is an exact match: a job in PRD/system/backups does not match 'PRD/system'; if the whole subtree is meant, use match: with a regular expression such as 'PRD/system.*' instead. Second, adhoc is limited to read and node to read/run, so the only way for rundeck_admin to execute anything on a node is through a job in PRD/system. Keep it that way: adding adhoc run would be the same as handing out a root shell on every node, given the username="root" in the node definitions.
Node definitions: nodes are described in the project's resources.xml (Rundeck can also fetch this document from a URL instead of a local file). A single node looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!-- 20121203 17:41:12 -->
<project>
  <node name="node1.intranet.example.org" type="Node" description="Node description"
        hostname="node1.intranet.example.org" username="root"
        osFamily="RHEL" osVersion="6" osArch="64"
        tags="EXAMPLE, OWNER, STAGING, WWW, ROOM_BXL, RACK10, PDU10_02"
        file-copy-destination-dir="/var/tmp/" />
</project>

username is the account Rundeck logs in as with its SSH key (root here, so the key is a root key on this node), tags are what jobs and ad-hoc commands use to select nodes, and file-copy-destination-dir="/var/tmp/" is where Rundeck copies script steps on the node before executing them. /var/tmp is the sticky-bit directory every local user shares; if the node has untrusted local users, point it at a directory only the login account can write to.
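The dedicated SSH key mentioned at the start deserves more than a bare ssh-copy-id when the account it lands in is root. The following added example (not from the post or from Rundeck) installs the Rundeck server's public key on a node with the restrictions an automation key should carry: only the Rundeck server's address may use it, and it gets no port, agent or X11 forwarding. It assumes the key is deployed into the account named in the node's username attribute, that the node runs OpenSSH, and that the key was generated on the Rundeck server as the rundeck user at the path framework.ssh.keypath in framework.properties points to. A forced command is not used because Rundeck needs to run arbitrary job steps over this key, and no-pty is left out because sudo's requiretty would break with it.

```shell
#!/bin/sh
# Added example (not from the original post or from Rundeck): install the
# Rundeck server's public key on a node with from= and no-*-forwarding
# restrictions, idempotently and with safe modes on .ssh.
# Assumed: the target account is the node's "username" (root in the post),
# the Rundeck server's IP or hostname is known, the node runs OpenSSH.
set -eu

# Accept only a plain "type base64 [comment]" public key line.
valid_pubkey() {
    key="$1"
    set -- $key
    [ $# -ge 2 ] || return 1
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case "$2" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    return 0
}

# Build the authorized_keys entry. sshd matches from= against the client's IP
# and its reverse-resolved name, so a stolen key is useless from anywhere else.
restricted_entry() {
    server="$1"; key="$2"
    valid_pubkey "$key" || { echo "not a public key: $key" >&2; return 1; }
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$server" "$key"
}

# Add the entry to $home/.ssh/authorized_keys once, fix modes, and print how
# many lines in the file now carry this key (expected: 1).
install_rundeck_key() {
    home="$1"; server="$2"; key="$3"
    entry="$(restricted_entry "$server" "$key")"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF "$entry" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$entry" >> "$home/.ssh/authorized_keys"
    fi
    grep -cF "$key" "$home/.ssh/authorized_keys"
}

# Usage on the node, as the account Rundeck logs in as:
#   sh install-rundeck-key.sh /root 10.0.0.5 "$(cat rundeck_id_rsa.pub)"
if [ $# -eq 3 ]; then
    install_rundeck_key "$1" "$2" "$3"
fi
```

After installing, test from the Rundeck server with ssh -i /var/lib/rundeck/.ssh/id_rsa root@node1 id, and from any other host expect "Permission denied": that second result is the point of the from= option.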