Rundeck

Recently I had the opportunity to configure this automation tool. In general, when it is well configured it works like a charm; it can be used to automate almost anything, from ordinary admin scripts and monitoring scripts to home automation. You can write scripts in any language you want: PowerShell, bash and the Windows command line, as well as more sophisticated languages such as Python or Java.

The creator of Rundeck is the American company OPS Hero. From the provider's website:

Rundeck Community is built for small teams. It addresses the technical complexity of Runbook Automation for solving non-production self-service.

Installing Rundeck is straightforward and is documented here:

https://docs.rundeck.com/docs/administration/install/installing-rundeck.html#installation

However, configuring the two most popular node executor plugins is not so easy:

  1. SSH plugin executor

a) First, add the private key to Key Storage. The key must be an RSA key in the classic PEM container (the file starts with "-----BEGIN RSA PRIVATE KEY-----"); other key types and the newer OpenSSH key format ("BEGIN OPENSSH PRIVATE KEY") don't work with the SSH plugin. A key generated by a recent ssh-keygen can be converted with ssh-keygen -p -m PEM.

https://docs.rundeck.com/docs/manual/system-configs.html

b) If you want to use a different key for a particular node, add that private key to Key Storage as well and set these two attributes on the node definition (see the system configuration documentation above):

ssh-key-storage-path (the Key Storage path of the private key; ssh-keypath is the equivalent attribute for a key file on the Rundeck server's filesystem)

username (the account to log in as on that node)

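The SSH steps above, as an added example that is not code from the original post or from Rundeck itself: it prepares an RSA key in the PEM format the SSH plugin accepts, uploads it to Key Storage through the Rundeck API, and emits a resources.yaml node entry that references it. The node name web01, the Key Storage path keys/nodes/web01.pem and the RDECK_URL / RDECK_TOKEN variables are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): PEM-format RSA key for the
# Rundeck SSH plugin, uploaded to Key Storage, plus a node definition.
# Assumed/hypothetical: node web01, path keys/nodes/web01.pem, RDECK_URL,
# RDECK_TOKEN. Run with RUN_EXAMPLE=1 to execute the full flow.
set -e

# Return 0 if the file carries the legacy PEM RSA header the SSH plugin
# (JSch-based) understands; "BEGIN OPENSSH PRIVATE KEY" is rejected by it.
key_is_pem_rsa() {
    head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# Emit a resources.yaml entry for one node. ssh-key-storage-path points at
# Key Storage; ssh-keypath would instead name a file on the Rundeck server.
node_yaml() {
    name="$1" host="$2" user="$3" keypath="$4"
    cat <<EOF
$name:
  nodename: $name
  hostname: $host
  username: $user
  osFamily: unix
  ssh-key-storage-path: $keypath
EOF
}

main() {
    key=${1:-/tmp/web01_rsa}
    # -m PEM forces the legacy PEM container at generation time.
    if ! [ -f "$key" ]; then
        ssh-keygen -q -t rsa -b 4096 -m PEM -N '' -f "$key"
    fi
    # An existing OpenSSH-format key is rewritten in place as PEM.
    if ! key_is_pem_rsa "$key"; then
        ssh-keygen -p -m PEM -P '' -N '' -f "$key"
    fi
    key_is_pem_rsa "$key" || { echo "$key is not a PEM RSA key" >&2; return 1; }

    # Private keys are uploaded to Key Storage as application/octet-stream.
    curl -fsS -X POST \
        -H "X-Rundeck-Auth-Token: ${RDECK_TOKEN:?set RDECK_TOKEN}" \
        -H "Content-Type: application/octet-stream" \
        --data-binary @"$key" \
        "${RDECK_URL:?set RDECK_URL}/api/11/storage/keys/nodes/web01.pem" >/dev/null

    node_yaml web01 web01.lab.net deploy keys/nodes/web01.pem
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    main "$@"
fi
```

The format check runs before the upload on purpose: Key Storage accepts any bytes as a private key, so a wrong-format key only surfaces later as a generic "auth fail" on the node.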
  2. WinRM plugin executor is trickier to configure

a) Ensure that the Rundeck server, the Windows nodes and the domain controller all have valid TLS certificates, and that each host holds the private key for its own certificate (a certificate without its private key cannot back a WinRM HTTPS listener or an LDAPS endpoint). How to bundle a certificate with its private key into a keystore:

https://support.code42.com/Administrator/6/Configuring/Use_OpenSSL_to_install_a_keystore

b) Remember to make the Rundeck JVM trust the LDAP server's (domain controller's) certificate by adding its issuing CA certificate to the Java cacerts truststore. The commands below bundle a certificate and its private key into a PKCS12 file and convert it into a Java keystore; that is what the Rundeck server needs for its own HTTPS identity. For trusting the domain controller only the CA certificate is needed, imported into cacerts with keytool -importcert (no private key involved):

# Bundle the server certificate, its private key and the intermediate CA into a PKCS12 file
openssl pkcs12 -export -in <existing.cert.pem> -inkey <existing.key.pem> \
   -certfile <intermediate.cert.pem> -name "<your.domain.com>" \
   -out <your.domain.com>.p12

# Convert the PKCS12 file into a Java keystore (JKS)
keytool -importkeystore \
   -srckeystore <your.domain.com>.p12 -srcstoretype PKCS12 \
   -destkeystore <your.domain.com>.jks -deststoretype JKS

The JVM's default truststore lives at $JAVA_HOME/jre/lib/security/cacerts on Java 8 and at $JAVA_HOME/lib/security/cacerts on Java 11 and later; its default password is "changeit". Make sure you edit the cacerts of the JVM that actually runs Rundeck, not another Java installation on the host.

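The truststore step above, as an added example that is not from the original post: it locates the cacerts of the JVM Rundeck runs on, imports the domain controller's issuing CA certificate (only the CA, no private key), and then verifies with openssl s_client that the LDAPS endpoint presents a chain that validates against it. The host name dc01.lab.net, the CA file /etc/rundeck/dc-ca.pem and the alias lab-dc-ca are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): trust the DC's LDAPS
# certificate in the Rundeck JVM. Hypothetical names: dc01.lab.net,
# /etc/rundeck/dc-ca.pem, alias lab-dc-ca. Run with RUN_EXAMPLE=1.
set -e

# Locate the JVM's default truststore: Java 8 keeps it under jre/lib,
# Java 11+ under lib. Prints the path, or returns 1 if neither exists.
find_cacerts() {
    jh="$1"
    for p in "$jh/jre/lib/security/cacerts" "$jh/lib/security/cacerts"; do
        if [ -f "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Return 0 if an entry with this alias already exists in the store.
alias_present() {
    keytool -list -keystore "$1" -storepass "${CACERTS_PASS:-changeit}" \
        -alias "$2" >/dev/null 2>&1
}

# Import a CA certificate (PEM or DER) as a trusted entry. Idempotent.
import_ca() {
    store="$1" ali="$2" pem="$3"
    if alias_present "$store" "$ali"; then
        echo "alias $ali already present in $store"
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$store" -storepass "${CACERTS_PASS:-changeit}" \
        -alias "$ali" -file "$pem"
}

# Handshake check against the DC on 636: the presented chain must verify
# against the CA file, and the name must match what providerUrl will use.
verify_ldaps() {
    host="$1" pem="$2"
    printf 'Q\n' | openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$pem" -verify_return_error >/dev/null 2>&1
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    store=$(find_cacerts "${JAVA_HOME:?set JAVA_HOME to the JVM Rundeck uses}")
    import_ca "$store" lab-dc-ca /etc/rundeck/dc-ca.pem
    verify_ldaps dc01.lab.net /etc/rundeck/dc-ca.pem && echo "LDAPS chain OK"
fi
```

If verify_ldaps fails while the import succeeded, the usual causes are a host name in providerUrl that is not in the certificate's SAN, or a DC certificate issued by a different (sub-)CA than the one imported; openssl s_client without the redirect to /dev/null shows which.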
c) The remaining steps are as follows; they cover authentication and authorization of Rundeck users via Active Directory (thanks to this excellent blog: https://runops.wordpress.com/tag/rundeck/ ).

On the Rundeck server (these are Windows commands; the TrustedHosts line configures the Windows WinRM client and matters only when Rundeck itself runs on Windows)

winrm quickconfig
winrm quickconfig -transport:https
winrm set winrm/config/client @{TrustedHosts="*"}

TrustedHosts="*" makes the WinRM client accept any host name for non-Kerberos authentication; outside a lab, list the node names instead of "*".

# On the remote nodes

winrm quickconfig
winrm quickconfig -transport:https
winrm set winrm/config/service/Auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}
winrm set winrm/config/winrs @{MaxMemoryPerShellMB="1024"}

Note that Basic authentication sends the credentials merely base64-encoded, and AllowUnencrypted="true" allows the whole session to run over plain HTTP on port 5985. Both are acceptable only while getting things working; once the HTTPS listener on 5986 is up (which is what the certificate step above is for) or Kerberos authentication is used, set AllowUnencrypted back to "false" and disable Basic.

# Other settings, run on the server and on the nodes:

To allow PowerShell scripts to run on the host (RemoteSigned allows locally created scripts and requires a signature only for downloaded ones):

Set-ExecutionPolicy RemoteSigned

To grant an AD user permission to execute remote commands, open the security descriptor of the default PowerShell remoting endpoint and give that user full access (preferably a dedicated service account rather than a personal account):

Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell

To avoid the "maximum number of concurrent shells" error when several job steps run on one node at once, raise the per-user shell limit:

set-item wsman:\localhost\shell\maxshellsperuser 50

Now configure AD for Rundeck:

STEP 1. CREATE Active Directory Group

In Active Directory create a new group named “rundeckusers.” Then add your users to that AD group.

STEP 2. Create jaas-activedirectory.conf file


touch /etc/rundeck/jaas-activedirectory.conf
chown rundeck:rundeck /etc/rundeck/jaas-activedirectory.conf

Enter the following configuration settings into jaas-activedirectory.conf. You will need to configure the username/password of the account that binds to Active Directory; use a dedicated, low-privilege service account, because its password is stored in this file in cleartext (keep the file readable only by the rundeck user, e.g. chmod 640). You will also need to configure userBaseDn, the OU under which users are searched recursively, and roleBaseDn, the OU that contains the "rundeckusers" AD group. Two further notes: providerUrl with ldap:// on port 389 and authenticationMethod="simple" sends the bind password and every logging-in user's password in cleartext, so use ldaps://dc01.lab.net:636 (this is why the domain controller's CA was imported into cacerts above); a domain controller configured to require LDAP signing will reject simple binds over plain LDAP anyway. And set debug="false" once login works, as debug output is verbose and ends up in the Rundeck service log.

activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://dc01.lab.net:389"
    bindDn="CN=testuser,OU=WAU,OU=US,DC=lab,DC=net"
    bindPassword="password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=US,dc=lab,dc=net"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="ou=US,dc=lab,dc=net"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    supplementalRoles="user";
};
STEP 3. Modify /etc/rundeck/profile

You need to set two JVM options: the path to the jaas-activedirectory.conf file and the login module name, "activedirectory". The login module name must match the name used at the top of jaas-activedirectory.conf. Rundeck only reads these at startup, so restart the rundeckd service after this change (and after the ACL policy of the next step is in place, or nobody will be authorized to do anything).

export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-activedirectory.conf -Dloginmodule.name=activedirectory"

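The JAAS settings from steps 2 and 3, checked before restarting Rundeck, as an added example that is not from the original post or the runops blog: it reads option values out of the JAAS file, fails on the two cleartext-password problems (plain ldap:// and a world-readable file), and then performs the same bind-and-lookup the login module does, using ldapsearch from the OpenLDAP client tools. The file path, the test account jdoe and the presence of ldapsearch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for
# /etc/rundeck/jaas-activedirectory.conf before restarting Rundeck.
# Assumed: ldapsearch is installed; file path and user "jdoe" are hypothetical.
# Run with RUN_EXAMPLE=1.
set -e

# Extract a quoted option value from a JAAS login-config file, e.g.
#   jaas_get providerUrl /etc/rundeck/jaas-activedirectory.conf
jaas_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Return 1 on settings that expose the bind password or user passwords:
# plain ldap:// with simple binds sends them in cleartext, and a file that
# other local users can read hands out bindPassword directly.
check_jaas() {
    f="$1"; rc=0
    url=$(jaas_get providerUrl "$f")
    case "$url" in
        ldaps://*) ;;
        *) echo "providerUrl '$url' is not ldaps:// (cleartext simple bind)" >&2; rc=1 ;;
    esac
    if [ "$(jaas_get debug "$f")" = "true" ]; then
        echo "debug=true logs bind details; turn it off once login works" >&2
    fi
    # Column 8 of ls -l is the "other read" bit.
    if [ "$(ls -ld "$f" | cut -c8)" = "r" ]; then
        echo "$f is world-readable (it holds bindPassword); chmod 640 it" >&2
        rc=1
    fi
    return $rc
}

# Bind as the configured service account and list a user's groups: the
# same search JettyCachingLdapLoginModule runs when that user logs in.
ldap_smoke() {
    f="$1" user="$2"
    ldapsearch -LLL -o ldif-wrap=no \
        -H "$(jaas_get providerUrl "$f")" \
        -D "$(jaas_get bindDn "$f")" -w "$(jaas_get bindPassword "$f")" \
        -b "$(jaas_get userBaseDn "$f")" \
        "(&(objectClass=user)(sAMAccountName=$user))" memberOf
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    conf=/etc/rundeck/jaas-activedirectory.conf
    check_jaas "$conf"
    # The group DN must sit under roleBaseDn, otherwise the ACL never matches.
    ldap_smoke "$conf" jdoe | grep -i 'memberOf: CN=rundeckusers,'
fi
```

If ldap_smoke binds but returns no memberOf line, the user is not in rundeckusers or the group lives outside roleBaseDn; if the bind itself fails with "Strong(er) authentication is required", the domain controller is enforcing LDAP signing and the ldaps:// URL is mandatory, not optional.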
STEP 4. Create the file /etc/rundeck/rundeckusers.aclpolicy
Add the ACL policy below for the admin role in Rundeck. The group field must be the Active Directory group name, "rundeckusers" (matched against the group's cn via roleNameAttribute). All users in that AD group will have admin access in Rundeck, so keep its membership small. The file contains two YAML documents separated by a "---" line.


touch /etc/rundeck/rundeckusers.aclpolicy
chown rundeck:rundeck /etc/rundeck/rundeckusers.aclpolicy

description: Admin project level access control. Applies to resources within a specific project.
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [create] # allow create jobs
    - equals:
        kind: node
      allow: [read,create,update,refresh] # allow refresh node sources
    - equals:
        kind: event
      allow: [read,create] # allow read/create events
  adhoc:
    - allow: [read,run,runAs,kill,killAs] # allow running/killing adhoc jobs
  job:
    - allow: [create,read,update,delete,run,runAs,kill,killAs] # allow create/read/write/delete/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for nodes
by:
  group: [rundeckusers]

---

description: Admin Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [create] # allow create of projects
    - equals:
        kind: system
      allow: [read] # allow read of system info
    - equals:
        kind: user
      allow: [admin] # allow modify user profiles
  project:
    - match:
        name: '.*'
      allow: [read,import,export,configure,delete] # allow full access of all projects or use 'admin'
  storage:
    - allow: [read,create,update,delete] # allow access for /ssh-key/ storage content
by:
  group: [rundeckusers]

STEP 5. Set up the Kerberos client configuration. On a Linux Rundeck host this is /etc/krb5.conf (krb5.ini is the name of the same file on Windows); it tells the JVM which realm to use and where the domain controller (KDC) is. Realm names must be UPPERCASE. The realm definition belongs in a [realms] section and the DNS-to-realm mapping in [domain_realm]; a minimal file looks like this:

[libdefaults]
  default_realm = MS.DS.YOURDOMAIN.COM

[realms]
  MS.DS.YOURDOMAIN.COM = {
    kdc = servername.ms.ds.yourdomain.com
    admin_server = servername.ms.ds.yourdomain.com
  }

[domain_realm]
  # .example.com = EXAMPLE.COM   (stock template entries, not needed)
  # example.com = EXAMPLE.COM
  .yourdomain.com = MS.DS.YOURDOMAIN.COM
  yourdomain.com = MS.DS.YOURDOMAIN.COM

More info: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

Unfortunately that is not enough: because Rundeck runs on Java, which reads the Kerberos ticket cache of the user it runs as, you have to obtain the first Kerberos ticket manually with these two commands, run as the rundeck user (the realm is written in UPPERCASE):

kinit yourADuser@MS.DS.YOURDOMAIN.COM

klist

Keep in mind that the ticket expires (the Active Directory default lifetime is 10 hours), after which WinRM jobs start failing with authentication errors, so the kinit has to be repeated or automated.

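The Kerberos step above, as an added example that is not from the original post: it renders the krb5.conf the JVM reads on Linux from the DNS domain and KDC name, validates that the principal's realm is uppercase, and refreshes the ticket cache from a keytab only when no valid ticket is left, so it can run from the rundeck user's cron. The realm MS.DS.YOURDOMAIN.COM, the KDC host, the keytab /etc/rundeck/rundeck.keytab and the principal rundeck@MS.DS.YOURDOMAIN.COM are assumptions; creating the keytab (ktpass on the DC) is outside this example.

```shell
#!/bin/sh
# Added example (not from the original post): krb5.conf rendering and
# keytab-based ticket renewal for the Rundeck JVM. Hypothetical names:
# realm MS.DS.YOURDOMAIN.COM, KDC servername.ms.ds.yourdomain.com,
# keytab /etc/rundeck/rundeck.keytab. Run with RUN_EXAMPLE=1 as the rundeck user.
set -e

# Kerberos realm names are case-sensitive; an AD realm is the DNS domain in capitals.
realm_of() {
    echo "$1" | tr '[:lower:]' '[:upper:]'
}

# Render a minimal krb5.conf: default realm, KDC, and DNS-suffix mapping.
# $1 = DNS domain (lower case), $2 = KDC host name.
krb5_conf() {
    dom="$1" kdc="$2" realm=$(realm_of "$1")
    cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_kdc = true

[realms]
  $realm = {
    kdc = $kdc
    admin_server = $kdc
  }

[domain_realm]
  .$dom = $realm
  $dom = $realm
EOF
}

# A usable kinit principal is user@REALM with the realm in upper case;
# a lower-case realm is a different (non-existent) realm to the KDC.
principal_ok() {
    case "$1" in
        *@*) r=${1#*@}; [ "$r" = "$(realm_of "$r")" ] ;;
        *) return 1 ;;
    esac
}

# Renew only when needed: klist -s is silent and returns non-zero when the
# cache is empty or every ticket in it has expired.
refresh_tgt() {
    princ="$1" keytab="$2"
    principal_ok "$princ" || { echo "bad principal: $princ" >&2; return 1; }
    if ! klist -s; then
        kinit -kt "$keytab" "$princ"
    fi
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    krb5_conf ms.ds.yourdomain.com servername.ms.ds.yourdomain.com > /etc/krb5.conf
    refresh_tgt rundeck@MS.DS.YOURDOMAIN.COM /etc/rundeck/rundeck.keytab
    klist
fi
```

The keytab replaces the interactive password entry of kinit, which is what makes unattended renewal possible; protect it like a password (owned by rundeck, mode 600), since anyone who can read it can authenticate as that principal.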
Also open the following ports between the Rundeck server and the nodes:

5985 (WinRM over HTTP), 5986 (WinRM over HTTPS) and, if file copy goes over SMB, the SMB port (TCP 445)

and voilà: Rundeck can now use WinRM as the node executor on the remote machines!
