Rundeck + OpenLDAP + PostgreSQL (pgAdmin + Apache Directory Studio + VNC server)

in #rundeck4 years ago

Untitled_700x450.png

For this article we will use Cloud9 with EC2 instance (t3.medium), workspace which you can share with others (ie. to get support).
We will access our solution via "desktop gateway" - VNC docker container running inside virtual network.
At the bottom is available video version of this tutorial.

Preparation

  1. Create network

    docker network create --driver bridge pink --subnet 172.30.0.0/16
    
  2. Resize system partition from 10GB to 20GB.
    2.1. Change size of EC2 EBS volume via console or cmd line tool
    2.2. Extend a Linux file system after resizing a volume doing following steps (if it doesn't work, here you can read about the details https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recognize-expanded-volume-linux.html).

    sudo growpart /dev/nvme0n1 1
    sudo resize2fs /dev/nvme0n1p1
    

VNC

  1. Run docker container and open URL (Preview > Preview Running Application). For better experience use your preferred resolution and open VNC URL outside of C9 editor (in browser new window or tab). Password is optional, no one but you will have access to docker containers (in default EC2 configuration when running via Cloud9).

    docker run \
    -it \
    --name vnc \
    -p 8080:80 \
    -v /dev/shm:/dev/shm \
    --net pink \
    -e RESOLUTION=800x600 \
    -e VNC_PASSWORD=Upd4t34lm4n4ch \
    --ip 172.30.0.13 \
    -d dorowu/ubuntu-desktop-lxde-vnc
    
  2. Download Apache Directory Studio (https://directory.apache.org/studio/downloads.html) application if you want use GUI for OpenLDAP configuration.

  3. To run it, download and install JRE

    sudo apt-get update && sudo apt-get install default-jre -y
    

OpenLDAP

  1. Run OpenLDAP container

    docker run \
    -it \
    --name ldap \
    --hostname ldap \
    --net pink \
    --ip 172.30.0.14 \
    --restart unless-stopped \
    -e 'LDAP_ORGANISATION=ACME' \
    -e 'LDAP_DOMAIN=acme.it' \
    -e 'LDAP_ADMIN_PASSWORD=123' \
    -d osixia/openldap:1.2.1 
    
  2. Sign in using credentials

    login: cn=admin,dc=acme,dc=it
    password: 123
    
  3. Create "superadmin" role using posixGroup object class

    cn=superadmin,ou=rundeck,ou=roles,dc=acme,dc=it
    
  4. Create new user "John Doe" using posixAccount and inetOrgPerson, set password to "123"

    cn=John Doe,ou=users,dc=acme,dc=it
    
  5. Add attribute "memberUid" to "superadmin" role

    cn=John Doe,ou=users,dc=acme,dc=it
    

PostgreSQL

  1. Create volume for database files

    docker volume create var_lib_postgresql_data_pgdata
    
  2. Run PostgreSQL docker container

    docker run \
    --hostname postgres \
    --name postgres \
    -it \
    --ip 172.30.0.11 \
    --restart unless-stopped \
    --net pink \
    -e POSTGRES_PASSWORD=123 \
    -e PGDATA=/var/lib/postgresql/data/pgdata \
    --mount source=var_lib_postgresql_data_pgdata,target=/var/lib/postgresql/data/pgdata \
    -d postgres:12.3
    
  3. Create user "rundeck" with password "123" and database "rundeck". You can accomplish this step later using pgAdmin.

pgAdmin

  1. Create volume for data

    docker volume create var_lib_pgadmin
    
  2. Run pgAdmin docker container and access it via VNC container using browser with URL http://pgadmin

    docker run \
    -it \
    --hostname pgadmin \
    --name pgadmin \
    --mount source=var_lib_pgadmin,target=/var/lib/pgadmin \
    --ip 172.30.0.12 \
    --restart unless-stopped \
    --net pink \
    -e '[email protected]' \
    -e 'PGADMIN_DEFAULT_PASSWORD=123' \
    -d dpage/pgadmin4
    

Rundeck

To persist /home/rundeck/etc directory we will run docker container, copy files, delete container and run it again with mounted directory. Next we will map container user UID to the host user UID to avoid permissions error after files modification in host. Last step is acl file modification, where we will change "admin" group/role to "superadmin".

  1. Run Rundeck

    docker run -it --name rundeck -d rundeck/rundeck:3.2.8
    
  2. Copy folder "/home/rundeck/etc" to "/home/ec2-user/environment/etc"

    docker cp -a -L rundeck:/home/rundeck/etc /home/ec2-user/environment
    
  3. Delete container

     docker rm -f rundeck
    
  4. Run Rundeck container and access it via VNC container using browser with URL http://rundeck:4440

    docker run \
    -it \
    --name rundeck \
    --hostname rundeck \
    --net pink \
    --ip 172.30.0.15 \
    --restart unless-stopped \
    --mount type=bind,source=/home/ec2-user/environment/etc,target=/home/rundeck/etc \
    -e 'RUNDECK_GRAILS_URL=http://rundeck:4440' \
    -e 'RUNDECK_DATABASE_DRIVER=org.postgresql.Driver' \
    -e 'RUNDECK_DATABASE_URL=jdbc:postgresql://postgres/rundeck?autoReconnect=true&useSSL=false' \
    -e 'RUNDECK_DATABASE_USERNAME=rundeck' \
    -e 'RUNDECK_DATABASE_PASSWORD=123' \
    -e 'RUNDECK_JAAS_MODULES_0=JettyCombinedLdapLoginModule' \
    -e 'RUNDECK_JAAS_LDAP_PROVIDERURL=ldap://ldap:389' \
    -e 'RUNDECK_JAAS_LDAP_BINDDN=cn=admin,dc=acme,dc=it' \
    -e 'RUNDECK_JAAS_LDAP_BINDPASSWORD=123' \
    -e 'RUNDECK_JAAS_LDAP_USERBASEDN=ou=users,dc=acme,dc=it' \
    -e 'RUNDECK_JAAS_LDAP_ROLEBASEDN=ou=rundeck,ou=roles,dc=acme,dc=it' \
    -e 'RUNDECK_JAAS_LDAP_ROLEOBJECTCLASS=posixGroup' \
    -e 'RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE=memberUid' \
    -e 'RUNDECK_JAAS_LDAP_ROLENAMEATTRIBUTE=cn' \
    -d rundeck/rundeck:3.2.8
    
  5. Change UID for container user "rundeck" from "1000" to "501" and reflect changes to files and dirs.

    docker exec -ti -u root rundeck bash
    usermod -u 501 rundeck
    find / -user 1000 -exec chown -h rundeck {} \;
    exit
    
  6. Restart container

    docker restart rundeck
    
  7. Modify host file mounted in container ~/environment/etc/admin.aclpolicy and change two "admin" occurrences to "superadmin".

  8. Now you can successfully login - open url http://rundeck:4440 via browser in vnc container

Video (steps visualization)

Video is also available on d.tube.

Appendix

Watch video about Rundeck authentication (AD, OpenLDAP) and ACL

Sort:  

For the PostgreSQL database, I can recommend odbc driver for postgresql.