Hello,
Here is how to install Rundeck on RHEL.
Install the dependencies:
yum install -y java-11-openjdk nginx mariadb-server wget
systemctl enable --now nginx mariadb
Configure MariaDB:
mysql_secure_installation
mysql -u root -p
CREATE DATABASE rundeck CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;
CREATE USER 'rundeck'@'localhost' IDENTIFIED BY 'my_password';
GRANT ALL PRIVILEGES ON rundeck.* TO 'rundeck'@'localhost';
FLUSH PRIVILEGES;
EXIT
Replace my_password with a long random password; the same value goes into rundeck-config.properties below. The account is deliberately limited to 'localhost' and to the rundeck schema: only the Rundeck process on this host ever connects with it.
Install MariaDB Connector/J:
mkdir -p /var/lib/rundeck/lib
cd /var/lib/rundeck/lib
wget https://dlm.mariadb.com/2531428/Connectors/java/connector-java-3.0.8/mariadb-java-client-3.0.8.jar
The jar is loaded into the Rundeck JVM, so compare its checksum with the one MariaDB publishes for that release before using it, and make the directory and the file owned by the rundeck user so the service can read them.
Install Rundeck:
nano /etc/yum.repos.d/rundeck.repo
[rundeck]
name=rundeck
baseurl=https://packages.rundeck.com/pagerduty/rundeck/rpm_any/rpm_any/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packages.rundeck.com/pagerduty/rundeck/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
yum install -y rundeck
systemctl enable rundeckd
A word on the repo file above: repo_gpgcheck=1 verifies the signature on the repository metadata only, and gpgcheck=0 means the RPM itself is not signature-checked, so trust in the package rests on TLS to packages.rundeck.com (sslverify=1 with the system CA bundle). Do not start rundeckd yet: on first start it initialises whatever database is configured, and the default is the embedded H2 file. Once it is started at the end of this procedure, follow the startup with:
tail -f /var/log/rundeck/service.log
Configure Rundeck:
nano /etc/rundeck/rundeck-config.properties
dataSource.url = jdbc:h2:file:/var/lib/rundeck/data/rundeckdb;DB_CLOSE_ON_EXIT=FALSE;NON_KEYWORDS=MONTH,HOUR,MINUTE,YEAR,SECONDS
to
dataSource.driverClassName = org.mariadb.jdbc.Driver
dataSource.url = jdbc:mariadb://localhost/rundeck?autoReconnect=true&useSSL=false
dataSource.username = rundeck
dataSource.password = my_password
The URL scheme matters with the 3.x connector installed above: MariaDB Connector/J 3.0 only accepts jdbc:mariadb:// by default and refuses the jdbc:mysql:// form found in older guides unless the permitMysqlScheme option is appended. useSSL=false is acceptable only because the database listens on localhost; a remote database needs TLS. This file now holds the database password, so keep it owned by rundeck with mode 640.
grails.serverURL=http://localhost:4440
to grails.serverURL=https://mon.domaine.com
Because Rundeck is only reached through the nginx proxy configured below, port 4440 must not be reachable from outside the host: firewall it, or bind the listener to loopback with server.address=127.0.0.1 in this same file (Rundeck runs on Spring Boot, which honours that property).
At the end of /etc/rundeck/rundeck-config.properties:
# Email
grails.mail.default.from=rundeck@domaine.com
grails.mail.host=smtp.domaine.com
grails.mail.port=25
grails.mail.username=
grails.mail.password=
nano /etc/rundeck/framework.properties
framework.server.name = localhost
framework.server.hostname = localhost
framework.server.port = 4440
framework.server.url = http://localhost:4440
to
framework.server.name = mon.domaine.com
framework.server.hostname = mon.domaine.com
framework.server.port = 4440
framework.server.url = https://mon.domaine.com
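As an added check, written for this page and not part of Rundeck or of the original guide: a POSIX shell script that verifies the edits above before the first start. It assumes the RPM file locations used here; the placeholder password (my_password) and the hostname conventions it looks for are the ones from this page.

```shell
#!/bin/sh
# Added example (not from the original page): pre-start check of
# rundeck-config.properties and framework.properties. Paths are arguments so
# the checks can run against copies.

# prop_get <file> <key>: value of the last "key = value" line (spaces around "=" optional).
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# host_of <url>: host part of scheme://host[:port][/path]
host_of() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#[:/].*$##'
}

# check_rundeck_config <rundeck-config.properties> <framework.properties>
# Returns 0 when: the datasource is MariaDB (not the embedded H2 database, not
# the jdbc:mysql:// scheme that Connector/J 3.x refuses without permitMysqlScheme),
# the DB password is set and not the guide's placeholder, both public URLs are
# https and agree with framework.server.hostname, and the file holding the DB
# password is not world-readable. Prints one line per problem, returns 1 otherwise.
check_rundeck_config() {
    cfg=$1 fw=$2 rc=0
    url=$(prop_get "$cfg" dataSource.url)
    case $url in
        jdbc:mariadb:*) ;;
        jdbc:h2:*)    echo "dataSource.url still uses the embedded H2 database"; rc=1 ;;
        jdbc:mysql:*) echo "dataSource.url uses jdbc:mysql://, refused by Connector/J 3.x unless permitMysqlScheme is set"; rc=1 ;;
        *)            echo "dataSource.url missing or unexpected: '$url'"; rc=1 ;;
    esac
    pw=$(prop_get "$cfg" dataSource.password)
    case $pw in
        ''|my_password) echo "dataSource.password is empty or still the placeholder"; rc=1 ;;
    esac
    gurl=$(prop_get "$cfg" grails.serverURL)
    furl=$(prop_get "$fw" framework.server.url)
    for u in "$gurl" "$furl"; do
        case $u in https://*) ;; *) echo "public URL is not https: '$u'"; rc=1 ;; esac
    done
    fhost=$(prop_get "$fw" framework.server.hostname)
    if [ "$(host_of "$gurl")" != "$fhost" ] || [ "$(host_of "$furl")" != "$fhost" ]; then
        echo "grails.serverURL / framework.server.url host differs from framework.server.hostname ($fhost)"; rc=1
    fi
    if [ -n "$(find "$cfg" -perm -004 2>/dev/null)" ]; then
        echo "$cfg is world-readable but contains the database password (chmod 640, owner rundeck)"; rc=1
    fi
    return $rc
}

# Usage on the live files:
#   check_rundeck_config /etc/rundeck/rundeck-config.properties /etc/rundeck/framework.properties
```

Run it as root before the restart at the end of this procedure; an empty output and a zero exit status mean the three pitfalls (H2 left in place, http URLs, readable password file) are absent.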
Edit the rundeck profile (optional):
nano /etc/rundeck/profile
Override the rundeck profile settings (optional):
nano /etc/sysconfig/rundeckd
Configure nginx:
nano /etc/nginx/conf.d/rundeck.conf
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    # Must be the same host as grails.serverURL and framework.server.url.
    server_name rundeck.my_domain.com;
    access_log /var/log/nginx/rundeck-access.log;
    error_log /var/log/nginx/rundeck-error.log error;
    ## The default client_max_body_size is 1M, which is too small for large job imports and file uploads.
    client_max_body_size 200M;
    # SSL Configuration
    ssl_certificate /root/.ssl/rundeck.my_domain.com.crt;
    ssl_certificate_key /root/.ssl/rundeck.my_domain.com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;
    # See https://hstspreload.org/ before uncommenting the line below.
    # add_header Strict-Transport-Security "max-age=15768000; preload;";
    add_header X-Content-Type-Options nosniff;
    # Legacy header, ignored by current browsers; harmless to keep.
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Frame-Options DENY;
    add_header Referrer-Policy same-origin;
    location / {
        proxy_pass http://localhost:4440;
        proxy_set_header Host $host;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}
Check the syntax and reload (nginx -t, then systemctl reload nginx). On RHEL with SELinux enforcing, nginx is not allowed to connect to port 4440 until the httpd_can_network_connect boolean is on (setsebool -P httpd_can_network_connect on); until then the proxy answers 502 and the denial is logged in audit.log. The certificate and key are read by the nginx master process, which runs as root, so /root/.ssl works; keep the key mode 600. If you enable HSTS, note that hstspreload.org only accepts the preload directive together with includeSubDomains and a max-age of at least one year, so the commented value would need changing.
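An added post-deployment check, written for this page (not nginx's or Rundeck's own tooling): it parses the raw response headers as printed by curl -sI and reports which of the hardening headers set in rundeck.conf are missing, and whether port 80 really redirects to https. The host name in the usage comment is the placeholder from the config above; the header lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): verify the nginx front end after
# the reload. Header blobs are passed as strings so each function can be called
# several times on the same capture.

# header_value <name>: value of the named header (case-insensitive) read from
# stdin, CR stripped; prints nothing when the header is absent.
header_value() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v n="$name" '
        index($0, ":") {
            h = tolower(substr($0, 1, index($0, ":") - 1))
            if (h == n) { v = substr($0, index($0, ":") + 1); sub(/^[ \t]+/, "", v); print v; exit }
        }'
}

# check_tls_headers <raw headers of an https:// response>
# Returns 0 when every hardening header set in rundeck.conf is present with the
# expected value; prints each missing one and returns 1 otherwise. HSTS is only
# reported, because the config above leaves it commented out on purpose.
check_tls_headers() {
    hdrs=$1 rc=0
    for pair in \
        "x-content-type-options=nosniff" \
        "x-frame-options=DENY" \
        "content-security-policy=frame-ancestors 'self'" \
        "referrer-policy=same-origin" \
        "x-robots-tag=none"; do
        n=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$hdrs" | header_value "$n")
        [ "$got" = "$want" ] || { echo "missing or wrong $n: '$got' (want '$want')"; rc=1; }
    done
    [ -n "$(printf '%s\n' "$hdrs" | header_value strict-transport-security)" ] \
        || echo "note: no Strict-Transport-Security header (enable it once the certificate chain is stable)"
    return $rc
}

# check_http_redirect <raw headers of the plain http:// response>
# Returns 0 when port 80 answers 301 with an https:// Location, 1 otherwise.
check_http_redirect() {
    hdrs=$1
    status=$(printf '%s\n' "$hdrs" | tr -d '\r' | sed -n '1s#^HTTP/[0-9.]* \([0-9]*\).*#\1#p')
    loc=$(printf '%s\n' "$hdrs" | header_value location)
    [ "$status" = 301 ] || { echo "expected 301 from port 80, got '$status'"; return 1; }
    case $loc in
        https://*) return 0 ;;
        *) echo "redirect target is not https: '$loc'"; return 1 ;;
    esac
}

# Usage on the live host (placeholder name from rundeck.conf):
#   check_http_redirect "$(curl -sI http://rundeck.my_domain.com/)"
#   check_tls_headers   "$(curl -sI https://rundeck.my_domain.com/)"
```

Run the two usage lines after the reload; also confirm from another machine that a direct connection to port 4440 is refused, which no header check can tell you.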
Change the password:
nano /etc/rundeck/realm.properties
admin:admin,user,admin,architect,deploy,build
to
admin:my_password,user,admin,architect,deploy,build
In this form the password is stored in clear, so the file must stay readable only by the rundeck user (mode 640). Jetty's password tool (java -cp <path to the jetty-util jar> org.eclipse.jetty.util.security.Password admin my_password) prints OBF:, MD5: and CRYPT: forms of the same credential, any of which can replace the clear-text value; OBF: is reversible obfuscation, not a hash.
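An added helper, written for this page and not part of Rundeck, that rewrites the admin line with a hashed credential instead of the clear-text password. It produces the MD5: form that Jetty's password tool emits and Rundeck's property-file login module accepts ("MD5:" followed by the lower-case hex MD5 of the password). That digest is unsalted, so the file still has to stay mode 640; the default roles are the ones from the line above, and the file path in the usage comment is this guide's.

```shell
#!/bin/sh
# Added example (not from the original page): maintain realm.properties with
# MD5: credentials. Edits go to a temp copy that is then moved into place, so a
# crash mid-way never leaves a half-written file.

# md5_hex <string>: lower-case hex MD5, via md5sum or, failing that, openssl.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/^.*= *//'
    fi
}

# realm_line <user> <password> [roles]: one realm.properties line with an MD5: credential.
realm_line() {
    roles=${3:-user,admin,architect,deploy,build}
    printf '%s:MD5:%s,%s\n' "$1" "$(md5_hex "$2")" "$roles"
}

# set_realm_user <file> <user> <password>: replace the user's line (keeping the
# roles already assigned to it) or append a new one; keeps a .bak copy and
# sets mode 640 on the new file.
set_realm_user() {
    file=$1 user=$2 pw=$3
    roles=$(sed -n "s/^$user:[^,]*,//p" "$file" | tail -n 1)
    tmp=$(mktemp "$file.XXXXXX")
    grep -v "^$user:" "$file" > "$tmp" || true
    realm_line "$user" "$pw" "$roles" >> "$tmp"
    chmod 640 "$tmp"
    cp -p "$file" "$file.bak"
    mv "$tmp" "$file"
}

# Usage (then restore ownership, since mv keeps the temp file's owner):
#   set_realm_user /etc/rundeck/realm.properties admin 'a long random password'
#   chown rundeck: /etc/rundeck/realm.properties
```

Pass the password as a quoted argument from a prompt or a secret store rather than typing it on a shared shell history; the .bak file still holds the previous clear-text line and should be removed once the new login has been tested.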
Add a node:
nano /etc/rundeck/resources.yml
node1:
  nodename: node1
  hostname: node1
  description: ''
  username: agent
  osFamily: unix
chown rundeck: /etc/rundeck/resources.yml
username is the SSH account Rundeck logs in with; by default it authenticates with the rundeck user's key, /var/lib/rundeck/.ssh/id_rsa (framework.ssh.keypath), so that key's public half has to be authorised for agent on node1.
Install PyWinRM:
Install the dependencies:
yum install -y gcc krb5-devel krb5-workstation
Install Python 3.9:
yum install -y python39 python39-devel
alternatives --set python3 /usr/bin/python3.9
alternatives --set pip3 /usr/bin/pip3.9
ln -sf /usr/bin/pip3.9 /usr/local/bin/pip3
Update pip:
pip3 install setuptools-rust
pip3 install --upgrade pip
Install PyWinRM with Kerberos support, as the rundeck user so the modules land in its own user site rather than in the system Python:
su rundeck
pip3 install wheel
pip3 install 'pywinrm[kerberos]'
pip3 install requests-kerberos
pip3 install pexpect
Add Active Directory authentication:
nano /etc/rundeck/jaas-activedirectory.conf
activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://mon_ip:636"
    bindDn="cn=rundeck,ou=AD,ou=ServiceAccounts,ou=CORPORATE,dc=my_domain,dc=fr"
    bindPassword="My_Password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="dc=my_domain,dc=fr"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="ou=Rundeck,ou=Apps,ou=Groups,ou=AD,dc=my_domain,dc=fr"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";
};
chown rundeck: /etc/rundeck/jaas-activedirectory.conf
chmod 640 /etc/rundeck/jaas-activedirectory.conf
Notes: the file holds the bind account's password, hence the 640 mode. providerUrl must stay ldaps://, otherwise users' passwords cross the network in clear, and the JVM must trust the CA that issued the domain controller's certificate (import it into the Java truststore with keytool if it is a private CA). forceBindingLogin="true" means each user is authenticated by binding to AD with their own password, so userPasswordAttribute is never read (AD does not expose unicodePwd anyway). debug="true" writes the LDAP exchanges to service.log; set it back to false once login works. Only members of groups under roleBaseDn receive roles, and those group names (cn) are what the ACL files below refer to.
Switch the authentication mode:
nano /etc/rundeck/profile
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-loginmodule.conf}"
LOGIN_MODULE="${LOGIN_MODULE:-RDpropertyfilelogin}"
to
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-activedirectory.conf}"
LOGIN_MODULE="activedirectory"
From then on only AD accounts can log in; the admin from realm.properties no longer works unless the property-file login module is kept as a second entry in the JAAS file (see the Rundeck documentation on combining login modules).
Configure the Admin authentication group:
nano /etc/rundeck/rundeck_admin.aclpolicy
description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: rundeck_admin
---
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: rundeck_admin
rundeck_admin is the cn of the AD group under roleBaseDn whose members get full access; the indentation matters, since the file is YAML.
Configure the User authentication group:
nano /etc/rundeck/rundeck_user.aclpolicy
description: Standard Users project level access control.
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [read] # allow read jobs
    - equals:
        kind: node
      allow: [read] # allow refresh node sources
    - equals:
        kind: event
      allow: [read] # allow read events
  adhoc:
    - allow: [read] # allow read adhoc jobs
  job:
    - allow: [read] # allow read of all jobs
  node:
    - allow: [read] # allow read for nodes
by:
  group: rundeck_users
---
description: A
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [read] # allow read of projects
    - equals:
        kind: system
      allow: [read] # allow read executions
    - equals:
        kind: system_acl
      allow: [read] # allow reading system ACL files
  project:
    - match:
        name: '.*'
      allow: [read] # allow read access of all projects or use 'admin'
  project_acl:
    - match:
        name: '.*'
      allow: [read] # allow reading project-specific ACL files
  storage:
    - allow: [read] # allow read access for /ssh-key/* storage content
by:
  group: rundeck_ad_user
chown rundeck: /etc/rundeck/{rundeck_admin.aclpolicy,rundeck_user.aclpolicy}
chmod 640 /etc/rundeck/{rundeck_admin.aclpolicy,rundeck_user.aclpolicy}
As written the two documents bind to different groups (rundeck_users for the project-level rules, rundeck_ad_user for the application-level ones); a member of only one of them would get half of the intended read access. Use the cn of one AD group in both places. Rundeck only loads files in /etc/rundeck whose name ends in .aclpolicy, and ACLs are deny-by-default: a group with no matching policy has no access at all.
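An added pre-restart check, written for this page and not part of Rundeck, covering the two files just configured: it reads the JAAS options (ldaps, forceBindingLogin, placeholder bind password, debug, file mode) and confirms that every policy document in an .aclpolicy file binds to the same group, which is the mistake the note above describes. The paths in the usage comment are this guide's; the config and policy snippets in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run before restarting
# rundeckd with the AD login module. File paths are arguments.

# jaas_value <file> <option>: value of option="..." in the JAAS config (last wins).
jaas_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_jaas <jaas-activedirectory.conf>: 0 when the settings are safe to ship,
# otherwise prints each problem and returns 1. debug only earns a note.
check_jaas() {
    f=$1 rc=0
    url=$(jaas_value "$f" providerUrl)
    case $url in
        ldaps://*) ;;
        *) echo "providerUrl is not ldaps:// ($url): user passwords would cross the network in clear"; rc=1 ;;
    esac
    [ "$(jaas_value "$f" forceBindingLogin)" = "true" ] \
        || { echo "forceBindingLogin is not true: users would not be authenticated by binding as themselves"; rc=1; }
    case $(jaas_value "$f" bindPassword) in
        ''|My_Password) echo "bindPassword is empty or still the placeholder"; rc=1 ;;
    esac
    [ "$(jaas_value "$f" debug)" != "true" ] \
        || echo "note: debug=\"true\" logs the LDAP exchanges to service.log; set it to false once login works"
    [ -z "$(find "$f" -perm -004 2>/dev/null)" ] \
        || { echo "$f is world-readable but holds the bind password (chmod 640)"; rc=1; }
    return $rc
}

# acl_groups <file.aclpolicy>: distinct "group:" values in the file, one per line.
acl_groups() {
    sed -n 's/^[[:space:]]*group:[[:space:]]*//p' "$1" | tr -d "'\"" | sort -u
}

# check_acl <file.aclpolicy>: 0 when the file has the .aclpolicy suffix Rundeck
# requires and all of its policy documents bind to the same group (the policies
# in this guide bind by group, not by username); prints why and returns 1 otherwise.
check_acl() {
    f=$1
    case $f in
        *.aclpolicy) ;;
        *) echo "$f: Rundeck only loads files named *.aclpolicy"; return 1 ;;
    esac
    n=$(acl_groups "$f" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "$f: policies bind to $n different groups ($(acl_groups "$f" | tr '\n' ' '))"; return 1; }
}

# Usage:
#   check_jaas /etc/rundeck/jaas-activedirectory.conf
#   for f in /etc/rundeck/*.aclpolicy; do check_acl "$f"; done
```

What the script cannot tell you is whether the JVM trusts the domain controller's certificate; the first AD login attempt with debug on shows that in service.log.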
Restart Rundeck:
systemctl restart rundeckd
Install Ansible:
yum install -y ansible-core