Rundeck is yet another automation server written in Java that is worth checking out!

Preamble:

In our quest to reach DevOps nirvana, many tools and processes must be well established to enable autonomous, continuous deployment of new code or patches to thousands and thousands of servers. In past tutorials we learned how to install Jenkins as our CI/CD tool and Artifactory as our binary repository manager. In this tutorial we will learn how to install Rundeck, automation software with a GUI that helps automate routine operational procedures in datacenters or multi-cloud environments.

Why use Rundeck:

Rundeck is built specifically to turn any operations procedure into a repeatable and secure service that can be accessed securely via a Web GUI or API. A key concept in Rundeck’s design is the idea of a Node. Nodes let you describe your infrastructure and environments, giving you a view of hosts and services. Below are some of the features that make Rundeck a good automation tool to consider:

  • Rundeck can execute steps across any remote nodes/servers

  • Rundeck enables you to execute, track, and audit ad-hoc commands in addition to saved jobs

  • Rundeck makes it easy to define and execute multiple types of workflows

  • Rundeck jobs have built-in error handling features

  • Rundeck logs all activity and sends out notifications

  • Rundeck gives you access control policies that know about your environments

  • Rundeck can integrate nicely with Jenkins and other automation tools like Ansible


Now that we are convinced that Rundeck is an automation tool that can be part of our process, let’s move on and learn how to deploy it behind a secured Nginx reverse proxy.

Installing Pre-requisites

Set hostname and update CentOS 7 Server:

hostnamectl set-hostname rundeck.example.com
yum update
yum upgrade

Install the required repository:

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum install https://downloads.ulyaoth.net/rpm/ulyaoth-latest.centos.x86_64.rpm

Install Rundeck repository:

rpm -Uvh http://repo.rundeck.org/latest.rpm

Install Vim Editor:

yum install vim

Create rundeck user with sudo Rights:

useradd rundeck
passwd rundeck
usermod -a -G wheel rundeck

Installing OpenSSL:

yum install ulyaoth-openssl1.1.0
echo 'export PATH=/usr/local/ulyaoth/ssl/openssl1.1.0/bin:$PATH' >> /etc/profile

Steps to install Rundeck

Switch user to the rundeck user and run all following commands using sudo:

su - rundeck

Install Java:

sudo yum install java-1.8.0-openjdk

Install Rundeck:

sudo yum install rundeck
sudo systemctl enable rundeckd
sudo systemctl start rundeckd
sudo systemctl status rundeckd

Installing MariaDB Server:

sudo yum install mariadb-server
sudo systemctl start mariadb
sudo systemctl enable mariadb
sudo systemctl status mariadb

Create Rundeck Database:

sudo mysql_secure_installation
sudo mysql -u root -p
create database rundeckdb charset=utf8mb4;
create user rundeckuser@localhost;
set password for rundeckuser@localhost = password("MyStrongPassword");
grant all privileges on rundeckdb.* to rundeckuser@localhost identified by 'MyStrongPassword';
flush privileges;
exit;

Configure Rundeck Database:

cd /etc/rundeck
sudo cp rundeck-config.properties rundeck-config.properties.bak
sudo vim rundeck-config.properties

And add the following to the configuration file:

dataSource.url = jdbc:mysql://localhost/rundeckdb?autoReconnect=true
dataSource.username=rundeckuser
dataSource.password=MyStrongPassword

Configure the Firewall - Optional:

firewall-cmd --zone=public --add-port=4440/tcp --permanent
firewall-cmd --reload

Restart Rundeck:

sudo systemctl stop rundeckd
sudo systemctl start rundeckd

With your Browser:

Go to http://ip-address:4440 to verify that Rundeck is working.

Install and Configure Nginx as a Secured Reverse Proxy:

Install Nginx:

yum install ulyaoth-nginx
systemctl enable nginx
systemctl start nginx
systemctl status nginx

Installing Let's Encrypt:

yum install letsencrypt
which letsencrypt
systemctl stop nginx
systemctl status nginx
/usr/bin/letsencrypt certonly --standalone

Create the DH Key:

sudo openssl dhparam -out /etc/letsencrypt/live/rundeck.example.com/dhparam.pem 2048

Create a Virtual Host:

vim /etc/nginx/conf.d/rundeck.example.com.conf

And paste in the following code:

upstream rundeck {
    server 127.0.0.1:4440 fail_timeout=0;
}

# Plain HTTP listener: only redirects to HTTPS.
# No http2 here, since browsers speak HTTP/2 only over TLS.
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name rundeck.example.com;
    return 301 https://$host$request_uri;
}

server {
    # "ssl" on the listen directive enables TLS; the separate "ssl on;" is deprecated.
    listen 443 ssl http2;
    listen [::]:443 ssl ipv6only=on http2;
    server_name rundeck.example.com;

    ssl_certificate /etc/letsencrypt/live/rundeck.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rundeck.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/rundeck.example.com/fullchain.pem;
    ssl_dhparam /etc/letsencrypt/live/rundeck.example.com/dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EECDH+AES";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # The HSTS directive is "preload"; "reload" is not a valid token and is ignored.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/rundeck.access.log;
    error_log /var/log/nginx/rundeck.error.log;

    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http:// https://;
        proxy_pass http://rundeck;
        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off; # Required for HTTP-based CLI to work over SSL
    }
}

Restart Nginx:

nginx -t
systemctl stop nginx
systemctl start nginx

Configure Rundeck for standard web proxy headers:

cp /etc/rundeck/framework.properties /etc/rundeck/framework.properties.bak
vim /etc/rundeck/framework.properties

And set the following:

framework.server.name = rundeck.example.com
framework.server.hostname = rundeck.example.com
framework.server.port = 4440
framework.server.url = https://rundeck.example.com

Next enable https:

vim /etc/rundeck/rundeck-config.properties

And set the following:

grails.serverURL=https://rundeck.example.com

Restart Rundeck again:

systemctl stop rundeckd
systemctl start rundeckd

Log in to Rundeck:

Go to the website and log in with the default credentials:

https://rundeck.example.com/
username: admin
password: admin
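
The steps above leave the default admin/admin login active and the placeholder database password in rundeck-config.properties. The audit script below is an added example, not part of the original tutorial or of Rundeck's own tooling. It assumes the RPM layout with /etc/rundeck/realm.properties holding Jetty-style "user:password,role,..." entries; the function name and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example: flag credentials left over from the install steps above.
# Assumptions: RPM layout (/etc/rundeck), Jetty-style realm.properties entries
# ("user:password,role1,role2"), hashed values prefixed MD5:/CRYPT:/BCRYPT:/OBF:.

audit_rundeck_conf() {
    dir=${1:-/etc/rundeck}
    realm="$dir/realm.properties"
    cfg="$dir/rundeck-config.properties"
    findings=""

    if [ -f "$realm" ]; then
        # Live (uncommented) admin entry still using the shipped password.
        grep -Eq '^[[:space:]]*admin[[:space:]]*:[[:space:]]*admin[[:space:]]*(,|$)' "$realm" \
            && findings="$findings default-admin-login"
        # Entries whose password lacks a hash/obfuscation prefix are clear text.
        grep -Ev '^[[:space:]]*(#|$)' "$realm" \
            | grep -Evq ':[[:space:]]*(MD5|CRYPT|BCRYPT|OBF):' \
            && findings="$findings cleartext-realm-password"
    fi

    if [ -f "$cfg" ]; then
        # The tutorial's placeholder database password was never replaced.
        grep -Eq '^[[:space:]]*dataSource\.password[[:space:]]*=[[:space:]]*MyStrongPassword[[:space:]]*$' "$cfg" \
            && findings="$findings placeholder-db-password"
        # The file holds the DB password; "other" must not be able to read it.
        [ -n "$(find "$cfg" -prune -perm -004)" ] \
            && findings="$findings world-readable-config"
    fi

    echo "${findings# }"
}

# Constructed sample mirroring the state this tutorial leaves behind.
demo=$(mktemp -d)
printf 'admin:admin,user,admin,architect,deploy,build\n' > "$demo/realm.properties"
printf 'dataSource.password=MyStrongPassword\n' > "$demo/rundeck-config.properties"
chmod 644 "$demo/rundeck-config.properties"
echo "findings: $(audit_rundeck_conf "$demo")"
rm -rf "$demo"
```

Run `audit_rundeck_conf /etc/rundeck` after the final restart; an empty result means none of the four leftovers were found.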
