What is Rundeck?
Rundeck is an open-source job scheduler and Run Book Automation system for automating routine processes across development and production environments. It combines task scheduling, multi-node command execution and workflow orchestration, and logs everything that happens.
In this tutorial, we are going to show you how to add a Windows host and manage it using the Rundeck WinRM plugin, which uses WinRM to connect to Windows hosts and execute commands with Basic or Kerberos authentication over HTTP / HTTPS.
This tutorial assumes that you have already installed Rundeck. If you don’t have it installed yet, you can check out this tutorial: How to install and configure Rundeck on CentOS 7 / RHEL 7
Step 1./ Download and Install Rundeck Winrm plugin
– Go to the following link here and download the latest Rundeck WinRM plugin into the Rundeck libext directory using the following command:
# wget https://github.com/rundeck-plugins/rundeck-winrm-plugin/releases/download/v1.3.4/rundeck-winrm-plugin-1.3.4.jar -P /var/lib/rundeck/libext/
– Make sure that all the files under the /var/lib/rundeck/libext/ directory are owned by the rundeck user:
# chown -R rundeck: /var/lib/rundeck/libext/
– Restart the Rundeck daemon as below:
# /etc/init.d/rundeckd restart
Step 2./ Configure a Windows Server for WinRM
– On the remote host, open PowerShell using the Run as Administrator option and execute the following commands to enable WinRM:
PS C:\Users\Administrator.YALLALABS> winrm qc
WinRM already is set up to receive requests on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:
Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.
Make these changes [y/n]? y
WinRM has been updated for remote management.
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled.
PS C:\Users\Administrator.YALLALABS> winrm set winrm/config/service/Auth '@{Basic="true"}'
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
PS C:\Users\Administrator.YALLALABS> winrm set winrm/config/client/Auth '@{Basic="true"}'
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
PS C:\Users\Administrator.YALLALABS> winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = true
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
– As we said before, we will use Kerberos authentication, which means that we will use Windows domain accounts. We need to add a domain user account to the Administrators group on the remote host.
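To check what the commands above leave enabled, the sketch below (an added example, not part of the original tutorial or the plugin) parses the indented text that winrm set winrm/config/service prints and reports the transport and authentication settings that Step 2 changed. The sample text is constructed from the Step 2 values, and the function names parse_winrm and exposure are hypothetical.

```python
# Constructed sample in the shape of the Step 2 `winrm set winrm/config/service`
# output (indentation restored, some keys omitted).
SAMPLE = """\
Service
    MaxConnections = 300
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    CertificateThumbprint
    AllowRemoteAccess = true
"""


def parse_winrm(text):
    """Turn indented 'Key = value' output into dotted keys, e.g. Service.Auth.Basic."""
    settings, stack = {}, []              # stack holds (indent, section name)
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # left a nested section (or an empty key)
        key, sep, value = line.strip().partition(" = ")
        if sep:
            settings[".".join([s for _, s in stack] + [key])] = value
        else:
            stack.append((indent, key))   # header such as "Auth", or a valueless key
    return settings


def exposure(settings):
    """List what the parsed service settings accept from clients."""
    basic = settings.get("Service.Auth.Basic", "").lower() == "true"
    clear = settings.get("Service.AllowUnencrypted", "").lower() == "true"
    out = []
    if clear:
        out.append("service accepts unencrypted WS-Man messages")
    if basic:
        out.append("Basic authentication accepted")
    if basic and clear:
        out.append("Basic over HTTP possible: password is only base64-encoded")
    return out


if __name__ == "__main__":
    print("\n".join(exposure(parse_winrm(SAMPLE))) or "nothing to report")
```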
Step 3./ Configure Kerberos on the Rundeck Server
– To use Windows domain accounts to access the remote host, we need to configure Kerberos on our Rundeck server. We have two options:
Kerberos authentication requires you either to edit the krb5.conf file or to set up some Java System Properties in the /etc/rundeck/profile file to define which domains map to which Domain Controllers.
– In this example, we are going to configure the /etc/rundeck/profile file to define our Domain Controllers. Make sure to replace the values with the name of your domain/realm and the hostname of your domain controller as below.
# vi /etc/rundeck/profile
################# BEFORE ###################################
RDECK_JVM="-Drundeck.jaaslogin=$JAAS_LOGIN \
 -Djava.security.auth.login.config=$JAAS_CONF \
 -Dloginmodule.name=$LOGIN_MODULE \
 -Drdeck.config=$RDECK_CONFIG \
 -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
 -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
 -Drundeck.server.serverDir=$RDECK_INSTALL \
 -Drdeck.projects=$RDECK_PROJECTS \
 -Drdeck.runlogs=$RUNDECK_LOGDIR \
 -Drundeck.config.location=$RDECK_CONFIG_FILE \
 -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
 -Drundeck.server.workDir=$RUNDECK_WORKDIR \
 -Dserver.http.port=$RDECK_HTTP_PORT \
 -Drdeck.base=$RDECK_BASE"
#
################# AFTER #####################################
RDECK_JVM="-Drundeck.jaaslogin=$JAAS_LOGIN \
 -Djava.security.krb5.realm=YOUR_DOMAIN \
 -Djava.security.krb5.kdc=YOUR_DOMAIN_CONTROLLER_IP \
 -Djava.security.auth.login.config=$JAAS_CONF \
 -Dloginmodule.name=$LOGIN_MODULE \
 -Drdeck.config=$RDECK_CONFIG \
 -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
 -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
 -Drundeck.server.serverDir=$RDECK_INSTALL \
 -Drdeck.projects=$RDECK_PROJECTS \
 -Drdeck.runlogs=$RUNDECK_LOGDIR \
 -Drundeck.config.location=$RDECK_CONFIG_FILE \
 -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
 -Drundeck.server.workDir=$RUNDECK_WORKDIR \
 -Dserver.http.port=$RDECK_HTTP_PORT \
 -Drdeck.base=$RDECK_BASE"
#
Step 4./ Create a Key Storage
Rundeck’s Key Storage is a set of functionality that allows you to securely store private keys, public keys, passwords, and other secrets for use in your Rundeck jobs. We need to configure the Key Storage of our project. This is a way to save the password of the user that authenticates to our remote machine without having to put the password directly in the resources.xml file.
– Click on the settings menu in the upper right of the Rundeck Server and go to Key Storage
In Key Type, select the Password option. In Enter Text, set the password of your domain user account. Storage path is optional; you can set a folder name for password storage. Name is the name of the file in which to store the desired password. Enter all the details and click the save button.
Step 5./ Add a Windows Node to your Project
– Open the resources.xml file in your project folder and add the entry below to add the Windows remote host node to the resource list.
<node name="ylcwsrv02"
      description="A File Server node."
      tags="File Server"
      hostname="192.168.1.11"
      username="winrmuser"
      osFamily="Windows"
      osName="Microsoft Windows Server 2012 R2 Standard"
      osArch="amd64"
      node-executor="overthere-winrm"
      winrm-auth-type="kerberos"
      winrm-protocol="http"
      winrm-cmd="CMD"
      winrm-kerberos-debug="true"
      winrm-domain="YALLALABS.LOCAL"
      winrm-password-storage-path="keys/winrmuser.password">
</node>
name: Specify the node name of the remote server
hostname: Remote host node; can be the IP address and can include the port number. The default ports are 5985/5986 (http/https).
username: Remote username to get access to the remote host
winrm-cmd: Execute commands using Cmd or PowerShell
winrm-password-storage-path: Specifies a Key Storage Path to look up the authentication password from
winrm-protocol: Determine the protocol to use, can be http or https
winrm-auth-type: Type of authentication to use, can be basic or kerberos
winrm-domain: Kerberos domain
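The following added example (not code from the tutorial or the plugin) reads node definitions like the one above and lists, for each overthere-winrm node, the settings worth reviewing: plain http transport, Basic over http, a port that differs from the protocol's default, Kerberos debug left on, and no Key Storage path. It uses only the attributes described in this step; the second node, the function name audit_nodes and the finding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the tutorial's node plus a second, hypothetical node.
SAMPLE = """<project>
  <node name="ylcwsrv02" hostname="192.168.1.11" username="winrmuser"
        osFamily="Windows" node-executor="overthere-winrm"
        winrm-auth-type="kerberos" winrm-protocol="http" winrm-cmd="CMD"
        winrm-kerberos-debug="true" winrm-domain="YALLALABS.LOCAL"
        winrm-password-storage-path="keys/winrmuser.password"/>
  <node name="example02" hostname="192.168.1.12:5985" username="winrmuser"
        osFamily="Windows" node-executor="overthere-winrm"
        winrm-auth-type="basic" winrm-protocol="https" winrm-cmd="PowerShell"/>
</project>"""

# Default WinRM listener ports, as shown in the Step 2 output.
DEFAULT_PORT = {"http": "5985", "https": "5986"}


def audit_nodes(xml_text):
    """Return {node name: [finding names]} for nodes using overthere-winrm."""
    report = {}
    for node in ET.fromstring(xml_text).iter("node"):
        if node.get("node-executor") != "overthere-winrm":
            continue
        proto = (node.get("winrm-protocol") or "").lower()
        auth = (node.get("winrm-auth-type") or "").lower()
        _, _, port = node.get("hostname", "").partition(":")
        found = []
        if not proto or not auth:
            found.append("implicit-defaults")       # protocol/auth left to the plugin
        if proto == "http":
            found.append("no-tls")                  # connection is not wrapped in TLS
            if auth == "basic":
                found.append("basic-over-http")     # password only base64-encoded
        if port and proto in DEFAULT_PORT and port != DEFAULT_PORT[proto]:
            found.append("port-protocol-mismatch")  # e.g. https against 5985
        if node.get("winrm-kerberos-debug", "").lower() == "true":
            found.append("kerberos-debug-on")       # debug setting still enabled
        if not node.get("winrm-password-storage-path"):
            found.append("no-key-storage-path")     # password not read from Key Storage
        report[node.get("name")] = found
    return report


if __name__ == "__main__":
    for name, found in audit_nodes(SAMPLE).items():
        print(name, ", ".join(found) or "ok")
```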
Step 6./ Execute Test commands
To test the functionality, we are going to run a simple command, "ipconfig", on the remote host.
We hope this tutorial was helpful enough. If you need more information, or have any questions, just comment below and we will be glad to assist you!
15 comments
Hi,
I followed the steps mentioned in the above article to configure a Windows node with Rundeck. However, I am running into the below error. Can you please help me out here?
Error:
“com.xebialabs.overthere.winrm.WinRmRuntimeIOException: Login failure sending message on https://[hostname]:5986/wsman error: Receive timed out”
I am not able to understand why there is a timeout here while connecting. As a part of my further debugging, I have tried telnet(ing) on the host and it works fine. Below is the output of the same.
> telnet hostname 5896
Trying machine_ip…
Connected to hostname.
Escape character is ‘^]’.
Connection closed by foreign host.
To check if the correct ports are open on the Windows machine, I used the below commands and things appear fine there as well.
> winrm enum winrm/config/listener
> netstat -nab
I am stuck here.
Waiting for a reply.
Thanks
RD
Hi Rajat,
Did you modify the /etc/rundeck/profile by adding the following lines (replace YOUR_DOMAIN with your domain and YOUR_DOMAIN_CONTROLLER_IP with the IP address of your domain controller)?
-Djava.security.krb5.realm=YOUR_DOMAIN \
-Djava.security.krb5.kdc=YOUR_DOMAIN_CONTROLLER_IP \
I saw that you are using https as winrm-protocol. Check the default values of the plugin; they should match the values of the host in the resources.xml. Could you please check the log of the Rundeck server also?
Hi,
Thanks for your post. I am trying to add windows node and running ipconfig command from rundeck ui.
I am getting below error.
[overther-winrm:remote-ip] failed: winrm error: unexcepted HTTP response on http://ip:5985/wsman: (401).
I followed all your steps, but I am still getting the error. Kindly help me with this if you have any idea where I am making a mistake.
Hi samba,
Check the configuration of WinRM on your remote Windows node and make sure there are no firewall blocks.
Thanks for your reply. I have turned off all firewalls, still getting same error.
Hi,
What WinRM plugin version are you using? Try to download the latest one.
Hi,
We also tried the same steps to add windows node and running ipconfig command from rundeck UI but getting the same error.
[overthere-winrm:epouat.yatraonline.local] failed: WinRM Error: Unexpected HTTP response on http://epouat.yatraonline.local:5985/wsman: (401)
12:27:54 Failed: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://epouat.yatraonline.local:5985/wsman: (401)
12:27:54 192.168.24.160 Execution failed: 102 in project MoTest: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [epouat: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://epouat.yatraonline.local:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {epouat=[WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://epouat.yatraonline.local:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]
WinRM is properly configured on Windows server and we are able to access the server from PSSession PowerShell command.
Could you please share any resolution on this..
Hi,
It could be a problem of DNS resolution, try to use the ip instead.
Hi,
All went ok by following the instructions here except that the node does not show up. double checked and restarted RunDeck.
Any suggestions?
Hi Travis,
Under the project directory you have to create the resources.xml, and check in the project.properties file that the resources.source.1.config.file property is mapping to your resources.xml file path. Or you can use the Web UI by
1- Go to Projects –> Select your project.
2- Project Settings –> Edit Nodes –> Configure Nodes.
3- Add Sources –> Add resources.xml file path.
Hope you can fix it now.
Hi Lotfi,
we would like to leave the encryption on the destination host enabled (AllowUnencrypted = false). Do you have a solution for the problem (Rundeck on CentOS 7)? I haven’t found a way yet. Thank you very much for your great article!
Regards,
Thoren.
Hi Thoren,
Sorry for the late reply. We never tried that before and honestly, following the official Rundeck WinRM Plugin guide, I guess it’s a bit difficult to set the value to false.
Hi Lotfi,
This is super helpful. I was able to add a Windows node and execute 'CMD' commands, but is there any way to set PowerShell as the default executor? I tried winrm-cmd="Powershell" but it didn’t work.
Thank you,
Jay Shrestha
Hi,
Sorry for the late reply. Make sure that the project configuration file is set to Powershell from the web GUI.
Try with winrm-cmd="PowerShell" on the node definition.