Rundeck + OpenLDAP + PostgreSQL (pgAdmin + Apache Directory Studio + VNC server)
For this article we will use Cloud9 with an EC2 instance (t3.medium), a workspace which you can share with others (i.e. to get support).
We will access our solution via a "desktop gateway": a VNC docker container running inside the virtual network.
A video version of this tutorial is available at the bottom.
Preparation
Create network
docker network create --driver bridge pink --subnet 172.30.0.0/16
Resize the system partition from 10GB to 20GB.
Change the size of the EC2 EBS volume via the console or the command-line tool.
Extend the Linux file system after resizing the volume with the following steps (if it doesn't work, the details are described at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recognize-expanded-volume-linux.html):
sudo growpart /dev/nvme0n1 1
sudo resize2fs /dev/nvme0n1p1
VNC
Run the docker container and open the URL (Preview > Preview Running Application). For a better experience use your preferred resolution and open the VNC URL outside of the C9 editor (in a new browser window or tab). The password is optional: in the default EC2 configuration when running via Cloud9, no one but you has access to the docker containers.
docker run \
  -it \
  --name vnc \
  -p 8080:80 \
  -v /dev/shm:/dev/shm \
  --net pink \
  -e RESOLUTION=800x600 \
  -e VNC_PASSWORD=Upd4t34lm4n4ch \
  --ip 172.30.0.13 \
  -d dorowu/ubuntu-desktop-lxde-vnc
Download the Apache Directory Studio application (https://directory.apache.org/studio/downloads.html) if you want to use a GUI for the OpenLDAP configuration.
To run it, download and install a JRE:
sudo apt-get update && sudo apt-get install default-jre -y
OpenLDAP
Run OpenLDAP container
docker run \
  -it \
  --name ldap \
  --hostname ldap \
  --net pink \
  --ip 172.30.0.14 \
  --restart unless-stopped \
  -e 'LDAP_ORGANISATION=ACME' \
  -e 'LDAP_DOMAIN=acme.it' \
  -e 'LDAP_ADMIN_PASSWORD=123' \
  -d osixia/openldap:1.2.1
Sign in using the credentials:
login: cn=admin,dc=acme,dc=it
password: 123
Create the "superadmin" role using the posixGroup object class:
cn=superadmin,ou=rundeck,ou=roles,dc=acme,dc=it
Create a new user "John Doe" using posixAccount and inetOrgPerson, and set the password to "123":
cn=John Doe,ou=users,dc=acme,dc=it
Add the attribute "memberUid" to the "superadmin" role, with the user's DN as its value:
cn=John Doe,ou=users,dc=acme,dc=it
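The same directory tree as an LDIF script, plus the role lookup that Rundeck's JettyCombinedLdapLoginModule performs with the settings used later in this article, so you can confirm the bind DN really sees "superadmin" before debugging Rundeck. This is an added example, not part of the original article; the uid, uidNumber and gidNumber values are assumptions, and running it needs the ldap-utils package.

```shell
#!/bin/sh
# Added example, not from the article: the LDAP tree the article builds by hand,
# as LDIF, plus the role lookup Rundeck's JettyCombinedLdapLoginModule performs.
BASE_DN='dc=acme,dc=it'
BIND_DN="cn=admin,$BASE_DN"          # same bind DN Rundeck is configured with
USER_DN="cn=John Doe,ou=users,$BASE_DN"
ROLE_BASE="ou=rundeck,ou=roles,$BASE_DN"

# OUs, the posixGroup role and the posixAccount+inetOrgPerson user (uid/uidNumber/gidNumber are assumed values).
setup_ldif() {
  cat <<EOF
dn: ou=users,$BASE_DN
objectClass: organizationalUnit
ou: users

dn: ou=roles,$BASE_DN
objectClass: organizationalUnit
ou: roles

dn: $ROLE_BASE
objectClass: organizationalUnit
ou: rundeck

dn: $USER_DN
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
userPassword: 123

dn: cn=superadmin,$ROLE_BASE
objectClass: posixGroup
cn: superadmin
gidNumber: 10002
memberUid: $USER_DN
EOF
}

# Same filter Rundeck derives from ROLEOBJECTCLASS=posixGroup and ROLEMEMBERATTRIBUTE=memberUid.
role_filter() { printf '(&(objectClass=posixGroup)(memberUid=%s))' "$1"; }

# Load the tree, then list every role that names the user; needs ldap-utils and RUN_LDAP=1.
if [ "${RUN_LDAP:-0}" = 1 ]; then
  setup_ldif | ldapadd -x -H ldap://ldap:389 -D "$BIND_DN" -w 123
  ldapsearch -x -LLL -H ldap://ldap:389 -D "$BIND_DN" -w 123 -b "$ROLE_BASE" "$(role_filter "$USER_DN")" cn
fi
```

Run it with RUN_LDAP=1 from a container on the "pink" network (or from the host with ldap://172.30.0.14:389); the ldapsearch should print exactly one entry with cn: superadmin.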
PostgreSQL
Create volume for database files
docker volume create var_lib_postgresql_data_pgdata
Run PostgreSQL docker container
docker run \
  --hostname postgres \
  --name postgres \
  -it \
  --ip 172.30.0.11 \
  --restart unless-stopped \
  --net pink \
  -e POSTGRES_PASSWORD=123 \
  -e PGDATA=/var/lib/postgresql/data/pgdata \
  --mount source=var_lib_postgresql_data_pgdata,target=/var/lib/postgresql/data/pgdata \
  -d postgres:12.3
Create the user "rundeck" with password "123" and the database "rundeck". You can also do this step later using pgAdmin.
pgAdmin
Create volume for data
docker volume create var_lib_pgadmin
Run the pgAdmin docker container and access it from the VNC container using a browser at http://pgadmin (replace <your-email> with the address you will log in with):
docker run \
  -it \
  --hostname pgadmin \
  --name pgadmin \
  --mount source=var_lib_pgadmin,target=/var/lib/pgadmin \
  --ip 172.30.0.12 \
  --restart unless-stopped \
  --net pink \
  -e 'PGADMIN_DEFAULT_EMAIL=<your-email>' \
  -e 'PGADMIN_DEFAULT_PASSWORD=123' \
  -d dpage/pgadmin4
Rundeck
To persist the /home/rundeck/etc directory we will run the docker container, copy the files out, delete the container and run it again with the directory mounted. Next we will map the container user's UID to the host user's UID to avoid permission errors after modifying the files on the host. The last step is modifying the ACL file, where we will change the "admin" group/role to "superadmin".
Run Rundeck
docker run -it --name rundeck -d rundeck/rundeck:3.2.8
Copy the folder "/home/rundeck/etc" to "/home/ec2-user/environment/etc"
docker cp -a -L rundeck:/home/rundeck/etc /home/ec2-user/environment
Delete the container
docker rm -f rundeck
Run the Rundeck container and access it from the VNC container using a browser at http://rundeck:4440
docker run \
  -it \
  --name rundeck \
  --hostname rundeck \
  --net pink \
  --ip 172.30.0.15 \
  --restart unless-stopped \
  --mount type=bind,source=/home/ec2-user/environment/etc,target=/home/rundeck/etc \
  -e 'RUNDECK_GRAILS_URL=http://rundeck:4440' \
  -e 'RUNDECK_DATABASE_DRIVER=org.postgresql.Driver' \
  -e 'RUNDECK_DATABASE_URL=jdbc:postgresql://postgres/rundeck?autoReconnect=true&useSSL=false' \
  -e 'RUNDECK_DATABASE_USERNAME=rundeck' \
  -e 'RUNDECK_DATABASE_PASSWORD=123' \
  -e 'RUNDECK_JAAS_MODULES_0=JettyCombinedLdapLoginModule' \
  -e 'RUNDECK_JAAS_LDAP_PROVIDERURL=ldap://ldap:389' \
  -e 'RUNDECK_JAAS_LDAP_BINDDN=cn=admin,dc=acme,dc=it' \
  -e 'RUNDECK_JAAS_LDAP_BINDPASSWORD=123' \
  -e 'RUNDECK_JAAS_LDAP_USERBASEDN=ou=users,dc=acme,dc=it' \
  -e 'RUNDECK_JAAS_LDAP_ROLEBASEDN=ou=rundeck,ou=roles,dc=acme,dc=it' \
  -e 'RUNDECK_JAAS_LDAP_ROLEOBJECTCLASS=posixGroup' \
  -e 'RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE=memberUid' \
  -e 'RUNDECK_JAAS_LDAP_ROLENAMEATTRIBUTE=cn' \
  -d rundeck/rundeck:3.2.8
Change the UID of the container user "rundeck" from 1000 to 501 and apply the change to the files and directories it owns (run the following inside the container as root):
docker exec -ti -u root rundeck bash
usermod -u 501 rundeck
find / -user 1000 -exec chown -h rundeck {} \;
exit
Restart the container
docker restart rundeck
Modify the host file mounted in the container, ~/environment/etc/admin.aclpolicy, and change the two "admin" occurrences to "superadmin".
Now you can log in successfully: open http://rundeck:4440 in the browser inside the VNC container.
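A scripted version of that edit, added here and not part of the original article: it rewrites only the "group: admin" binding lines and reports how many policy blocks now name "superadmin", so other text containing "admin" (the policy descriptions, the file name) stays untouched. It assumes the file path the article uses and GNU sed, as found on the Cloud9 EC2 host.

```shell
#!/bin/sh
# Added example, not from the article: rewrite only the "group: admin" lines of
# admin.aclpolicy to "group: superadmin" and count the result, so other text
# containing "admin" (policy descriptions, file name) is left untouched.
ACL_FILE="${1:-$HOME/environment/etc/admin.aclpolicy}"   # path used in the article

# Usage: rebind_acl_group FILE OLD_GROUP NEW_GROUP
# Edits FILE in place (GNU sed) and prints how many "group:" lines now name
# NEW_GROUP; exits non-zero when that count is 0, i.e. nothing was rebound.
# OLD_GROUP/NEW_GROUP are used inside a regex, so keep them to plain names.
rebind_acl_group() {
  file="$1"; old="$2"; new="$3"
  sed -i "s/^\([[:space:]]*group:[[:space:]]*\)$old[[:space:]]*\$/\1$new/" "$file"
  grep -c "^[[:space:]]*group:[[:space:]]*$new[[:space:]]*\$" "$file"
}

if [ -f "$ACL_FILE" ]; then
  echo "$(rebind_acl_group "$ACL_FILE" admin superadmin) policy blocks now bound to superadmin"
fi
```

On the unmodified Rundeck 3.2.8 file the reported count should be 2, matching the two occurrences the article mentions.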
Video (steps visualization)
The video is also available on d.tube.
Appendix
Watch the video about Rundeck authentication (AD, OpenLDAP) and ACLs.
For the PostgreSQL database, I can recommend the ODBC driver for PostgreSQL.