Compare commits
7 Commits
085676f21b
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 937581135b | |||
| 3c887edaf7 | |||
| 45e712f424 | |||
| fd06067120 | |||
| ea46ff1517 | |||
| 868737a915 | |||
| e5d21d0e6a |
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
.idea
|
||||
9
LICENSE
9
LICENSE
@@ -1,9 +0,0 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) <year> <copyright holders>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
162
README.md
162
README.md
@@ -1,3 +1,161 @@
|
||||
# rundeck
|
||||
# Rundeck Docker Compose files
|
||||
|
||||
Docker Rundeck deployment instructions
|
||||
Docker Compose files to spin up an instance of Rundeck.
|
||||
|
||||
# How to run
|
||||
|
||||
Add a `COMPOSE_ENV` file and save its location as a shell variable along with the location where this repo lives, here for example `/opt/containers/rundeck` plus all other variables. At [env/fqdn_context.env.example](env/fqdn_context.env.example) you'll find an example environment file.
|
||||
|
||||
When everything's ready start Rundeck with Docker Compose, otherwise head down to [Initial setup](#initial-setup) first.
|
||||
|
||||
## Environment
|
||||
|
||||
```
|
||||
export COMPOSE_DIR='/opt/containers/rundeck'
|
||||
export COMPOSE_CTX='ux_vilnius'
|
||||
export COMPOSE_PROJECT='rundeck-'"${COMPOSE_CTX}"
|
||||
export COMPOSE_FILE="${COMPOSE_DIR}"'/compose.yaml'
|
||||
export COMPOSE_ENV=<add accordingly>
|
||||
```
|
||||
|
||||
## Context
|
||||
|
||||
On your deployment machine create the necessary Docker context to connect to and control the Docker daemon on whatever target host you'll be using, for example:
|
||||
```
|
||||
docker context create fully.qualified.domain.name --docker 'host=ssh://root@fully.qualified.domain.name'
|
||||
```
|
||||
|
||||
## Pull
|
||||
|
||||
Pull images from Docker Hub verbatim.
|
||||
|
||||
```
|
||||
docker compose --project-name "${COMPOSE_PROJECT}" --file "${COMPOSE_FILE}" --env-file "${COMPOSE_ENV}" --profile 'full' pull
|
||||
```
|
||||
|
||||
## Copy to target
|
||||
|
||||
Copy images to target Docker host, that is assuming you deploy to a machine that itself has no network route to reach Docker Hub or your private registry of choice. Copying in its simplest form involves a local `docker save` and a remote `docker load`. Consider the helper mini-project [quico.space/Quico/copy-docker](https://quico.space/Quico/copy-docker) where [copy-docker.sh](https://quico.space/Quico/copy-docker/src/branch/main/copy-docker.sh) allows the following workflow:
|
||||
|
||||
```
|
||||
images="$(docker compose --project-name "${COMPOSE_PROJECT}" --file "${COMPOSE_FILE}" --env-file "${COMPOSE_ENV}" --profile 'full' config | grep -Pi -- 'image:' | awk '{print $2}' | sort | uniq)"
|
||||
while IFS= read -u 10 -r image; do
|
||||
copy-docker "${image}" fully.qualified.domain.name
|
||||
done 10<<<"${images}"
|
||||
```
|
||||
|
||||
## Start
|
||||
|
||||
```
|
||||
docker --context 'fully.qualified.domain.name' compose --project-name "${COMPOSE_PROJECT}" --file "${COMPOSE_FILE}" --env-file "${COMPOSE_ENV}" --profile 'full' up --detach
|
||||
```
|
||||
|
||||
## Clean-up
|
||||
|
||||
```
|
||||
docker --context 'fully.qualified.domain.name' system prune -af
|
||||
docker system prune -af
|
||||
```
|
||||
|
||||
# Initial setup
|
||||
|
||||
We're assuming you run Docker Compose workloads with ZFS-based bind mounts. ZFS management, creating a zpool and setting adequate properties for its datasets is out of scope of this document.
|
||||
|
||||
## Datasets
|
||||
|
||||
Create ZFS datasets and set permissions as needed.
|
||||
|
||||
* Parent dateset
|
||||
```
|
||||
export "$(grep -Pi -- '^CONTEXT=' "${COMPOSE_ENV}")"
|
||||
zfs create -o canmount=off zpool/data/opt
|
||||
zfs create -o mountpoint=/opt/docker-data zpool/data/opt/docker-data
|
||||
```
|
||||
|
||||
* Container-specific datasets
|
||||
```
|
||||
zfs create -p 'zpool/data/opt/docker-data/rundeck-'"${CONTEXT}"'/rundeck/config'
|
||||
zfs create -p 'zpool/data/opt/docker-data/rundeck-'"${CONTEXT}"'/rundeck/data'
|
||||
zfs create -p 'zpool/data/opt/docker-data/rundeck-'"${CONTEXT}"'/postgres/data'
|
||||
```
|
||||
|
||||
* Create subdirs
|
||||
```
|
||||
mkdir '/opt/docker-data/rundeck-'"${CONTEXT}"'/rundeck/config/projects'
|
||||
mkdir '/opt/docker-data/rundeck-'"${CONTEXT}"'/rundeck/data/'{'data','logs'}
|
||||
```
|
||||
|
||||
* Change ownership
|
||||
```
|
||||
chown -R 999 '/opt/docker-data/rundeck-'"${CONTEXT}"'/postgres/'*
|
||||
chown -R 1000 '/opt/docker-data/rundeck-'"${CONTEXT}"'/rundeck/'*
|
||||
```
|
||||
|
||||
## Additional files
|
||||
|
||||
### Rundeck settings in `realm.properties`
|
||||
|
||||
At the very least override Rundeck's default `realm.properties` file with one of your own and set a username and a password for local login. Default credentials will otherwise be `admin:admin`. Per [Rundeck's manual on Jetty and JAAS authentication section "PropertyFileLoginModule"](https://docs.rundeck.com/docs/administration/security/authentication.html#propertyfileloginmodule) you're going to need Rundeck's `rundeck.war` file to create a bcrypt hash for your password. Run the official Rundeck Docker image in a throwaway container like so where `rundeck/rundeck:4.13.0` is an example version you want to use:
|
||||
```
|
||||
docker run \
|
||||
--rm \
|
||||
--tty \
|
||||
--interactive \
|
||||
--entrypoint bash \
|
||||
rundeck/rundeck:5.9.0 \
|
||||
-c 'java -jar /home/rundeck/rundeck.war --encryptpwd Jetty'
|
||||
```
|
||||
This will download `rundeck/rundeck:5.9.0` if needed and open up something along the lines of:
|
||||
```
|
||||
Required values are marked with: *
|
||||
Username (Optional, but necessary for Crypt encoding):
|
||||
```
|
||||
Type your desired username, type `<Enter>` and then your plain text password followed by `<Enter>` again. The whole exchange may look like this:
|
||||
```
|
||||
Required values are marked with: *
|
||||
Username (Optional, but necessary for Crypt encoding):
|
||||
my-username
|
||||
*Value To Encrypt (The text you want to encrypt):
|
||||
t0psecr3t
|
||||
|
||||
==ENCRYPTED OUTPUT==
|
||||
bcrypt: BCRYPT:$2a$10$jMWQvKbjpmBrKdA0Qi0/n.UvHot1F7Cvf7/Avlv9afknHpbvT6j7y
|
||||
obfuscate: OBF:1z0f18qk1xtp1vgv1t331vfz1xtt18qq1z0f
|
||||
md5: MD5:962aefc8c283c13e13d9c990dafdfba9
|
||||
crypt: CRYPT:myS5y0c4wMQts
|
||||
```
|
||||
Put a single line into an otherwise empty `/opt/docker-data/rundeck-'"${COMPOSE_CTX}"'/rundeck/config/realm.properties`:
|
||||
```
|
||||
my-username: BCRYPT:$2a$10$jMWQvKbjpmBrKdA0Qi0/n.UvHot1F7Cvf7/Avlv9afknHpbvT6j7y,user,admin
|
||||
```
|
||||
The account `my-username` will have roles `user` and `admin` and it'll be the only existing account when Rundeck starts.
|
||||
|
||||
### SSH `known_hosts` file
|
||||
|
||||
Place an empty `known_hosts` file at `/opt/docker-data/rundeck-'"${COMPOSE_CTX}"'/rundeck/config/known_hosts`. Feel free to optionally prefill it with SSH public host keys.
|
||||
|
||||
When done head back up to [How to run](#how-to-run).
|
||||
|
||||
# Development
|
||||
|
||||
## Conventional commits
|
||||
|
||||
This project uses [Conventional Commits](https://www.conventionalcommits.org/) for its commit messages.
|
||||
|
||||
### Commit types
|
||||
|
||||
Commit _types_ besides `fix` and `feat` are:
|
||||
|
||||
- `refactor`: Keeping functionality while streamlining or otherwise improving function flow
|
||||
- `docs`: Documentation for project or components
|
||||
|
||||
### Commit scopes
|
||||
|
||||
The following _scopes_ are known for this project. A Conventional Commits commit message may optionally use one of the following scopes or none:
|
||||
|
||||
- `rundeck`: A change to how the `rundeck` service component works
|
||||
- `postgres`: A change to how the `postgres` service component works
|
||||
- `build`: Build-related changes such as `Dockerfile` fixes and features.
|
||||
- `mount`: Volume or bind mount-related changes.
|
||||
- `net`: Networking, IP addressing, routing changes
|
||||
- `meta`: Affects the project's repo layout, file names etc.
|
||||
|
||||
11
common-settings.yaml
Normal file
11
common-settings.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
services:
|
||||
common-settings:
|
||||
environment:
|
||||
TZ: "${TIMEZONE:-Etc/UTC}"
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
|
||||
max-size: "10m"
|
||||
max-file: "10"
|
||||
compress: "true"
|
||||
restart: "${RESTARTPOLICY:-always}"
|
||||
77
compose.yaml
Normal file
77
compose.yaml
Normal file
@@ -0,0 +1,77 @@
|
||||
services:
|
||||
rundeck:
|
||||
image: "rundeck/rundeck:${RUNDECK_VERSION}"
|
||||
container_name: "rundeck-rundeck-${CONTEXT}"
|
||||
networks:
|
||||
rundeck-default:
|
||||
profiles: ["full", "rundeck"]
|
||||
depends_on:
|
||||
postgres:
|
||||
condition: "service_started"
|
||||
ulimits:
|
||||
nproc: "${ULIMIT_NPROC:-65535}"
|
||||
nofile:
|
||||
soft: "${ULIMIT_NPROC:-65535}"
|
||||
hard: "${ULIMIT_NPROC:-65535}"
|
||||
mem_limit: "4g"
|
||||
extends:
|
||||
file: "common-settings.yaml"
|
||||
service: "common-settings"
|
||||
ports:
|
||||
- "${RUNDECK_PORT}:4440"
|
||||
volumes:
|
||||
- "/opt/docker-data/rundeck-${CONTEXT}/rundeck/data/data:/home/rundeck/server/data"
|
||||
- "/opt/docker-data/rundeck-${CONTEXT}/rundeck/data/logs:/home/rundeck/var/logs"
|
||||
- "/opt/docker-data/rundeck-${CONTEXT}/rundeck/config/projects:/home/rundeck/projects"
|
||||
- "/opt/docker-data/rundeck-${CONTEXT}/rundeck/config/realm.properties:/home/rundeck/server/config/realm.properties"
|
||||
- "/opt/docker-data/rundeck-${CONTEXT}/rundeck/config/known_hosts:/home/rundeck/.ssh/known_hosts"
|
||||
environment:
|
||||
RUNDECK_DATABASE_DRIVER: "org.postgresql.Driver"
|
||||
RUNDECK_DATABASE_USERNAME: "${POSTGRES_USER}"
|
||||
RUNDECK_DATABASE_PASSWORD: "${POSTGRES_PASSWORD}"
|
||||
RUNDECK_DATABASE_URL: "jdbc:postgresql://postgres/${POSTGRES_DB}?autoReconnect=true&useSSL=false&allowPublicKeyRetrieval=true"
|
||||
RUNDECK_GRAILS_URL: "${RUNDECK_GRAILS_URL}"
|
||||
RUNDECK_SERVER_FORWARDED: 'true'
|
||||
RUNDECK_LOGGING_LOGLEVEL_DEFAULT: "${RUNDECK_LOGGING_LOGLEVEL_DEFAULT:-warn}"
|
||||
RUNDECK_LOGGING_LOGLEVEL_ROOT: "${RUNDECK_LOGGING_LOGLEVEL_ROOT:-warn}"
|
||||
RUNDECK_LOGGING_LOGLEVEL_HIBERNATE: "${RUNDECK_LOGGING_LOGLEVEL_HIBERNATE:-warn}"
|
||||
RUNDECK_LOGGING_LOGLEVEL_SPRING: "${RUNDECK_LOGGING_LOGLEVEL_SPRING:-warn}"
|
||||
RUNDECK_LOGGING_LOGLEVEL_SPRINGBEAN: "${RUNDECK_LOGGING_LOGLEVEL_SPRINGBEAN:-warn}"
|
||||
RUNDECK_LOGGING_LOGLEVEL_INTERNALS: "${RUNDECK_LOGGING_LOGLEVEL_INTERNALS:-warn}"
|
||||
RUNDECK_LOGGING_LOGLEVEL_GRAILS: "${RUNDECK_LOGGING_LOGLEVEL_GRAILS:-warn}"
|
||||
RUNDECK_LOGGING_LOGLEVEL_JETTY: "${RUNDECK_LOGGING_LOGLEVEL_JETTY:-warn}"
|
||||
RUNDECK_LOGGING_AUDIT_ENABLED: "${RUNDECK_LOGGING_AUDIT_ENABLED:-}"
|
||||
TZ: "${TIMEZONE}"
|
||||
postgres:
|
||||
image: "postgres:${POSTGRES_VERSION}"
|
||||
container_name: "rundeck-postgres-${CONTEXT}"
|
||||
networks:
|
||||
rundeck-default:
|
||||
profiles: ["full", "postgres"]
|
||||
ulimits:
|
||||
nproc: "${ULIMIT_NPROC:-65535}"
|
||||
nofile:
|
||||
soft: "${ULIMIT_NPROC:-65535}"
|
||||
hard: "${ULIMIT_NPROC:-65535}"
|
||||
extends:
|
||||
file: "common-settings.yaml"
|
||||
service: "common-settings"
|
||||
ports:
|
||||
- "${POSTGRES_PORT}:5432"
|
||||
volumes:
|
||||
- "/opt/docker-data/rundeck-${CONTEXT}/postgres/data:/var/lib/postgresql/data"
|
||||
environment:
|
||||
POSTGRES_DB: "${POSTGRES_DB}"
|
||||
POSTGRES_USER: "${POSTGRES_USER}"
|
||||
POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
|
||||
TZ: "${TIMEZONE}"
|
||||
networks:
|
||||
rundeck-default:
|
||||
name: "rundeck-${CONTEXT}"
|
||||
driver: "bridge"
|
||||
driver_opts:
|
||||
com.docker.network.enable_ipv6: "false"
|
||||
ipam:
|
||||
driver: "default"
|
||||
config:
|
||||
- subnet: "${SUBNET}"
|
||||
26
env/fqdn_context.env.example
vendored
Normal file
26
env/fqdn_context.env.example
vendored
Normal file
@@ -0,0 +1,26 @@
|
||||
CONTEXT=ux_vilnius
|
||||
POSTGRES_DB=rundeck
|
||||
POSTGRES_PASSWORD=my-password
|
||||
POSTGRES_PORT=61001
|
||||
POSTGRES_USER=rundeck
|
||||
POSTGRES_VERSION=latest
|
||||
RUNDECK_GRAILS_URL=https://fully.qualified.domain.name
|
||||
RUNDECK_LOGGING_AUDIT_ENABLED=true
|
||||
RUNDECK_PORT=61000
|
||||
RUNDECK_VERSION=5.9.0
|
||||
SUBNET=172.30.95.0/24
|
||||
TIMEZONE=Africa/Nouakchott
|
||||
|
||||
# Other available defaults
|
||||
# RESTARTPOLICY=always
|
||||
#
|
||||
# Defaults to "warn"
|
||||
# Can be for example debug, info, warn, error
|
||||
# RUNDECK_LOGGING_LOGLEVEL_DEFAULT=debug
|
||||
# RUNDECK_LOGGING_LOGLEVEL_ROOT=debug
|
||||
# RUNDECK_LOGGING_LOGLEVEL_HIBERNATE=debug
|
||||
# RUNDECK_LOGGING_LOGLEVEL_SPRING=debug
|
||||
# RUNDECK_LOGGING_LOGLEVEL_SPRINGBEAN=debug
|
||||
# RUNDECK_LOGGING_LOGLEVEL_INTERNALS=debug
|
||||
# RUNDECK_LOGGING_LOGLEVEL_GRAILS=debug
|
||||
# RUNDECK_LOGGING_LOGLEVEL_JETTY=debug
|
||||
Reference in New Issue
Block a user