Repository files navigation

Docker image withRundeck andAnsible.

This image configures Rundeck to use PAM authentication so we can use secure password hashes (SHA512 CRYPT) that aren't supported by JAAS (OBF, MD5 and CRYPT).

The configuration is very opinionated, and is probably not suitable as a general purpose image. The embedded H2 database is used to reduce external dependencies.

Generally nothing needs to be done when upgrading versions.However when upgrading to 4.x versions from 3.x or earlier, the following must be run against the data mount before starting the new container:

The following must be run to ensure that all the Rundeck files are owned by the correct UID/GID.

find . -uid 102 -exec chown --no-dereference 103 {} \;find . -gid 103 -exec chgrp --no-dereference 104 {} \;

Mount the yaml config file into the container at/config/config.yaml. This could be done via a Docker volume mount or Kubernetes ConfigMap.

Example:

---rundeck_uuid: "{{ inventory_hostname | to_uuid }}"rundeck_server_url: http://localhost:4440rundeck_api_auth_max_duration: "30d"rundeck_users:  - user: user1    password: $6$Q8...$...    roles: "user,admin"  - user: user2    password: $6$Q8...$...    roles: "user"  - user: user3    password: $6$Q8...$...    roles: "user,admin"rundeck_tokens:  - user: apiadmin    token: somerandomstring    role: adminrundeck_triggers_registry_rules:  - rule:      name: ^myrepo/myapp$      tag: ^develop-.*$    actions:      - rundeck MyProject appDeployAll app_group=my-app dryrun=false "image_tag=${image_tag}"

The global config (/etc/rundeck) directory is intended to be managed by the config options above and not editable at runtime.

The following volumes should be mounted externally to persist data and configuration between container restarts:

• /config - Rundeck Job and ACL configurations to load
• /var/lib/rundeck/data - Rundeck database (unless using an external database, not yet implemented in this image)
• /var/lib/rundeck/logs - Job logs
• /home/rundeck - Localhost working/home directory
• /var/rundeck - Rundeck projects
• /var/log/rundeck - Rundeck system logs

Example runtime usage:

docker run --rm -it --name rundeck -p 4440:4440 \  -v $(pwd)/config.yaml:/config/config.yaml \  -v $(pwd)/test/lib:/var/lib/rundeck \  -v $(pwd)/test/var:/var/rundeck \  -v $(pwd)/test/log:/var/log/rundeck \  quay.io/panubo/rundeck:latest

The container bootstrap does not support SSL. It is intended that this image is run behind an SSL terminating proxy such as Nginx, HAProxy or a cloud load balancer service.

For production use please use a release tag rather than thelatest floating tag.

The following plugins are installed (excluding the base plugins):

• Ansible
• EC2 Nodes
• Slack Incoming Webhook

The following tools are pre-installed in the image:

• Ansible
• Argo Workflows CLIVERSIONED
• awscli
• gcloud cli
• go-acme/lego
• helmVERSIONED
• kiwigrid/k8s-sidecar
• kubectlVERSIONED
• mozilla/sops

VERSIONED tools are not in the PATH by default. Scripts need to call the version required directly. Versions of these tools are shortened to MAJOR.MINOR so any PATCH releases can be upgraded in-place.

The directory structure looks like:

/opt├── argo-3.1│   └── bin│       └── argo├── argo-3.4│   └── bin│       └── argo├── argo-3.5│   └── bin│       └── argo├── argo-3.6│   └── bin│       └── argo├── bin│   ├── crane│   ├── h2-2.1.210.jar│   ├── h2-shell.sh│   ├── lego│   ├── oras│   ├── sops│   └── yq├── helm-3.10│   └── bin│       └── helm├── helm-3.11│   └── bin│       └── helm├── helm-3.12│   └── bin│       └── helm├── helm-3.13│   └── bin│       └── helm├── helm-3.14│   └── bin│       └── helm├── helm-3.15│   └── bin│       └── helm├── helm-3.16│   └── bin│       └── helm├── helm-3.9│   └── bin│       └── helm├── kubectl-1.25│   └── bin│       └── kubectl├── kubectl-1.26│   └── bin│       └── kubectl├── kubectl-1.27│   └── bin│       └── kubectl├── kubectl-1.28│   └── bin│       └── kubectl├── kubectl-1.29│   └── bin│       └── kubectl├── kubectl-1.30│   └── bin│       └── kubectl├── kubectl-1.31│   └── bin│       └── kubectl└── rundeck-plugins    ├── ansible-plugin-3.2.0.jar    ├── rundeck-ec2-nodes-plugin-1.6.0.jar    └── rundeck-slack-incoming-webhook-plugin-0.11.jar

Stable and production ready.

Find the latest version of Rundeck athttps://docs.rundeck.com/downloads.html