Rundeck is a server application you host on a system you designate a central administrative control point. Internally, Rundeck stores job definitions and execution history in a relational database. Output from command and job executions is saved on disk but can be forwarded to remote stores like S3 or Logstash.
Rundeck distributed command execution is performed using a pluggable node execution layer that defaults to SSH but plugins allow you to use other means like MCollective, Salt, WinRM, or your custom method. Rundeck server configuration includes settings to define the outbound user allowed by the remote hosts. Remote machines are not required to make connections back to the server.
The Rundeck application itself is a Java-based webapp. The application provides both graphical interface and network interfaces used by the Rundeck shell tools.
Access to the Rundeck application requires a login and password. The default Rundeck installation uses a flat file user directory containing a set of default logins. Logins are defined in terms of a username and password as well as one or more user groups. An alternative configuration to the flat file user directory, is LDAP (e.g., ActiveDirectory) but Rundeck authentication and authorization is customizable via JAAS. Users must also be authorized to perform actions like define a job or execute one. This is controlled by an access control facility that reads policy files defined by the Rundeck administrator. Privilege is granted if a user's group membership meets the requirements of the policy.
Two installation methods are supported:
System package: RPM and Debian packaging is intended for managed installation and provides robust tools that integrate with your environment, man pages, shell tool set in your path, init.d startup and shutdown.
Launcher: The launcher is intended for quick setup, to get you running right away. Perfect for bootstrapping a project or trying a new feature.
Rundeck can also install as a WAR file into an external container like Tomcat.
Assuming the system requirements are met, Rundeck can be installed either from source, system package or via the launcher.
The following operating systems are known to support Rundeck:
Root (or Administrator on Windows) is not required or recommended. We recommend using a dedicated user account such as "rundeck".
If there is need for root access, please set up the Rundeck user to have access via sudo.
Rundeck is a Java-Servlet based server and therefore requires the Java runtime.
The install process requires that the latest version of Java 1.7 be installed. Both the Open JDK and Sun/Oracle JVMs can be used. You must have the JAVA_HOME environment variable defined in your environment before running the launcher. The RPM will use the java found on your path. See Setting JAVA_HOME if you want to run a different version of java.
Verify your Java version to check it meets the requirement:
$ java -version
java version "1.7.0_55" OpenJDK Runtime Environment (rhel-220.127.116.11.el6_5-x86_64 u55-b13) OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)
When the server starts, it binds to several TCP ports by default:
To check if the ports are free on a Unix host, run:
$ netstat -an | egrep '4440|4443'
If the ports are in use on the server, you will see output similar to below:
tcp46 0 0 *.4440 *.* LISTEN
The installation procedures describe how to choose different ports, if there is a conflict.
In addition, TCP port 22 (by default) needs to be open on the clients for SSH.
Clients should be set up to allow the Rundeck server user to connect to the clients using SSH via public-key authentication. It should not prompt for a password. See Configure remote machine for SSH in the Administration chapter.
There are various ways for installing SSH on Windows; we recommend Cygwin.
Checkout the sources from GitHub
You can build either the launcher jar (self-running archive), or a RPM.
Build the RPM:
To build clean:
Documentation can be built using:
make clean docs. Documentation build requires pandoc. The RPM build depends on the the documentation as well.
Note, the java JRE must be installed. Install any JRE that is 1.7+.
If you want to install Rundeck on Linux via a binary installer, you can generally do so through the RPM tool that comes with your distribution.
# rpm -i rundeck-2.1.0.noarch.rpm
To install it using yum, first install the yum repo package and then run yum install:
# rpm -Uvh http://rundeck.org/latest.rpm # yum install rundeck
Use the launcher as an alternative to a system package:
Define RDECK_BASE environment variable to the location of the install
export RDECK_BASE=$HOME/rundeck; # or where you like it
Create the directory for the installation.
mkdir -p $RDECK_BASE
Copy the launcher jar to the installation directory.
cp rundeck-launcher-2.0.0.jar $RDECK_BASE
Change directory and run the jar.
cd $RDECK_BASE java -XX:MaxPermSize=256m -Xmx1024m -jar rundeck-launcher-2.0.0.jar
Wait for the Started message.
2010-11-19 13:35:51.127::INFO: Started SocketConnector@0.0.0.0:4440
Update your shell environment
If you get an error message that resembles the one below, you probably are using an unsupported Java version.
Exception in thread "main" java.lang.UnsupportedClassVersionError: Bad version number in .class file
See the startup and shutdown section for instructions on using the
rundeckd shell tool to manage the rundeck launcher process.
The launcher jar can take a number of options to specify how the server should start. If you execute with a "-h" you will see the usage information:
java -XX:MaxPermSize=256m -Xmx1024m -jar rundeck-launcher-2.1.0.jar -h
usage: java [JAVA_OPTIONS] -jar rundeck-launcher.jar [-c PATH] [-d] [--installonly] [-s PATH] [-b PATH] [-p PATH] [-h] [-x PATH] [--skipinstall] [--serverdir PATH] [--datadir PATH] Run the rundeck server, installing the necessary components if they do not exist. --skipinstall Skip the extraction of the utilities from the launcher. --installonly Perform installation only and do not start the server. -b,--basedir <PATH> The basedir -c,--configdir <PATH> The location of the configuration. -d Show debug information -h,--help Display this message. -p,--projectdir <PATH> The location of Rundeck's project data. -s,--sbindir <PATH> The install directory for the tools used by administrators. -x,--bindir <PATH> The install directory for the tools used by users.
These options can be used to customize the directories used by the launcher. By default all the directories are organized by convention within the current working directory where the launcher jar is located.
You can also customize the launcher behavior by using some java system properties.
Specify these properties using the normal
-Dproperty=value commandline options to the
server.http.portThe HTTP port to use for the server, default "4440"
server.https.portThe HTTPS port to use or the server, default "4443"
server.http.hostAddress/hostname to listen on, default is all addresses "0.0.0.0"
server.hostnameHostname to use for the server, default is the system hostname
server.web.contextWeb context path to use, such as "/rundeck". Default is "/".
rdeck.baseRundeck Basedir to use, default is the directory containing the launcher jar
server.datastore.pathPath to server datastore dir
default.user.nameUsername for default user account to create
default.user.passwordPassword for default user account to create
rundeck.jaaslogin"true/false" - if true, enable JAAS login. If false, use the realm.properties file for login information.
loginmodule.nameCustom JAAS loginmodule name to use
loginmodule.conf.nameName of a custom JAAS config file, located in the server's config dir.
rundeck.config.nameName of a custom rundeck config file, located in the server's config dir.
rundeck.ssl.configPath to the SSL config properties file to enable SSL. If not set, SSL is not enabled.
rundeck.jetty.connector.forwardedtrue/false. Set to true to enable support for "X-forwarded-*" headers which may be sent by a front-end proxy to the rundeck server. See Using an SSL Terminated Proxy.
rundeck.jetty.connector.ssl.excludedProtocolsComma-separated list of SSL protocols to disable. Default: 'SSLv3'. See Disabling SSL Protocols.
rundeck.jetty.connector.ssl.includedProtocolsComma-separated list of SSL protocols to include. Default is based on available protocols. See Disabling SSL Protocols.
rundeck.jetty.connector.ssl.excludedCipherSuitesComma-separated list of Cipher suites to disable. No default. See Disabling SSL Protocols.
rundeck.jetty.connector.ssl.includedCipherSuitesComma-separated list of Cipher suites to enable. Default is based on available cipher suites. See Disabling SSL Protocols.
For more information about using SSL, see Configuring Rundeck for SSL.
Rundeck supports a number of user directory configurations. By default, the installation uses a file based directory, but connectivity to LDAP is also available. See Administration - Authentication.
The Rundeck installation process will have defined a set of temporary logins useful during the getting started phase.
user: Has access to run commands and jobs but unable to modify job definitions. Password: "user"
admin: Belongs to the "admin" group and is automatically granted the "admin" and "user" role privileges. Password: "admin"
If you installed Rundeck using the RPM installation method, it will have created a unix group called "rundeck".
$ groups rundeck rundeck : rundeck
It also made several log files writable to members of the "rundeck" group.
$ ls -l /var/log/rundeck/command.log
-rw-rw-r-- 1 rundeck rundeck 588 Dec 2 11:24 /var/log/rundeck/command.log
If you want to use the Rundeck shell tools, be sure to add that group to the necessary user accounts.
Rundeck shell tool users that do not belong to group, rundeck, will get error messages like so:
log4j:ERROR setFile(null,true) call failed. java.io.FileNotFoundException: /var/log/rundeck/command.log (Permission denied)
Consult the usermod command to modify a user account.