Rundeck Windows Nodes Configuration


While evaluating Rundeck I came across one challenge: integrating Windows nodes. Rundeck works perfectly well with non-Windows nodes, but for Windows node management there is not much documentation and there are few working examples. I tried the Google Groups to get some information on Windows node integration, and to my surprise I got a few responses, but they all seemed to be workarounds for integrating Windows nodes.

The current latest Rundeck version is 2.5.1, with many updates and new features, so in this article I use the latest available Rundeck for all integration tasks. I used the Rundeck WinRM plugin, which uses the overthere plugin. Follow the steps below to integrate Rundeck Windows nodes for inline commands. The overthere plugin does not currently support inline script execution etc., so to work around the limitations I did the steps below.

Summary of the steps needed to integrate a Windows node:

1. Set up the overthere plugin on the Rundeck server.

2. Set up/enable WinRM on the remote Windows client.

Purpose: To execute inline commands on the remote Windows node via WinRM.

3. Set up/enable an OpenSSH server on the remote Windows node.

Purpose: For copying files, passwordless login to the remote server, etc.

4. Disable the administrator mode so that it won't ask for the UAC (User Account Control) screen each time.

Purpose: To enable remote Windows node commands to run in administrative mode by default.

5. Add the Windows node to resource.xml.

Purpose: To list the Windows server as a node ready to receive commands from Rundeck.

6. Execute test commands to check the integration.

Purpose: To make sure the Windows node is properly integrated with the Rundeck server.

Setting Up overthere plugin in rundeck:

  1. Download the plugin from Github Overthere Plugin
  2. Login to Rundeck machine and cd to RUNDECK_BASE/libext or in this article /opt/rundeck/libext
  3. Copy the rundeck-winrm-plugin-1.3.1.jar file to the libext folder.
  4. Restart the RunDeck services to make the plugin active.

Setup/enable winrm in remote windows client:

  1. Login to the windows node machine as administrative user using remote desktop.
  2. Open command prompt in administrative mode and execute below commands one by one to enable WinRM in the windows server

winrm qc
winrm set winrm/config/client/auth @{Basic="true"}
winrm set winrm/config/service/auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}

C:\Windows\system32>winrm qc
WinRM already is set up to receive requests on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled.

C:\Windows\system32>winrm set winrm/config/client/auth @{Basic="true"}
Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = false


C:\Windows\system32>winrm set winrm/config/service/auth @{Basic="true"}
Auth
    Basic = true
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Relaxed


C:\Windows\system32>winrm set winrm/config/service @{AllowUnencrypted="true"}
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 15
    EnumerationTimeoutms = 60000
    MaxConnections = 25
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint

[Screenshot: WinRM setup]
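With Basic = true and AllowUnencrypted = true on the HTTP listener, the account's username and password travel base64-encoded rather than encrypted. The following added example (not part of the original article) parses captured `winrm` service output in the format shown above and reports those two settings; the function names and the shortened sample are constructed for illustration.

```python
# Constructed sample: shortened from the "Service" output format shown above.
SAMPLE = """\
Service
    MaxConnections = 25
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    CertificateThumbprint
"""

# Settings that leave credentials or commands unprotected in transit.
RISKY = {
    "Service/AllowUnencrypted": "service accepts requests without message encryption",
    "Service/Auth/Basic": "service accepts Basic auth (base64-encoded username and password)",
}

def parse_winrm(text):
    """Turn indented 'Key = value' output into {'Service/Auth/Basic': 'true', ...}."""
    settings, stack = {}, []                 # stack holds (indent, section name)
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                      # this line is outside the deeper section
        key, sep, value = line.strip().partition("=")
        path = "/".join([name for _, name in stack] + [key.strip()])
        if sep:
            settings[path] = value.strip()
        else:
            stack.append((indent, key.strip()))   # section header or valueless key
    return settings

def audit(settings):
    """Return one finding per risky setting that is enabled."""
    return [f"{path} = true: {why}" for path, why in RISKY.items()
            if settings.get(path, "").lower() == "true"]

if __name__ == "__main__":
    for finding in audit(parse_winrm(SAMPLE)):
        print("FINDING:", finding)
```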

Run the command below to open the users and groups manager and add a user, say winrmuser, as the account that runs the commands on the remote node.

C:\Windows\system32> lusrmgr

Add a new local user winrmuser and add it to the Administrators group.


Setup/enable OpenSSH server in remote windows node:

Follow the "Openssh Setup and password less authentication" link to set up an OpenSSH server for scp copies of files and artifacts to remote Windows servers. Once this is done you will be able to send files with passwordless authentication from your Rundeck server to the remote Windows machine. If you have Cygwin, you can also add it to the PATH to make your Windows machine more compatible with running shell scripts, so that you won't need to rewrite shell scripts as batch scripts to run on the Windows machine.

Disable the administrator mode in remote windows machine:

  1. Run the command below to open the Windows policies and complete the steps below.
    C:\Windows\system32> GPEDIT.MSC
    

    a. Go to Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options
    b. Search for below policies

    User Account Control: Admin Approval Mode for the Built-in Administrator account
    User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode
    User Account Control: Run all administrators in Admin Approval Mode
    

    c. Set the policies, in the order listed above, to the following values, as per the screenshot below:

    Disabled
    Elevate without prompting
    Disabled

[Screenshot: Disable User Access Control]

Add the windows node to resource.xml :

Open the resource.xml file in the /opt/rundeck/projects/MyProject/etc folder and add the entry below to add the Windows node to the resource list.

<node name="remote_windows_host_fqdn" connectionType="WINRM_NATIVE" node-executor="overthere-winrm" winrm-password-option="winrmPassword" winrm-protocol="http" winrm-auth-type="basic"  username="winrmuser" winrmPassword="welcome*123" description="Rundeck server node Windows" tags="" hostname="remote_windows_host_fqdn:5985" osArch="x86_64" osFamily="windows" osName="Microsoft Windows Server 2008 R2 Standard" osVersion="Microsoft Windows Server 2008 R2 Standard" />

Example:

<node name="alfa1app1.techpaste.com" connectionType="WINRM_NATIVE" node-executor="overthere-winrm" winrm-password-option="winrmPassword" winrm-protocol="http" winrm-auth-type="basic" username="winrmuser" winrmPassword="welcome*123" description="Rundeck Exxon server node Windows" tags="" hostname="alfa1app1.techpaste.com:5985" osArch="x86_64" osFamily="windows" osName="Microsoft Windows Server 2008 R2 Standard" osVersion="Microsoft Windows Server 2008 R2 Standard" />
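An added example, not from the original article or the plugin's documentation: a check that can run on the Rundeck server to list WinRM nodes whose definitions use HTTP, Basic authentication, or keep the password inline in the resource file, as the entries above do. The sample XML, host names, placeholder password and function name are constructed, and the second node is a hypothetical variant.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the node entry above (placeholder values).
SAMPLE = """<project>
  <node name="win1.example.test" node-executor="overthere-winrm"
        winrm-password-option="winrmPassword" winrm-protocol="http"
        winrm-auth-type="basic" username="winrmuser"
        winrmPassword="PLACEHOLDER-PASSWORD"
        hostname="win1.example.test:5985" osFamily="windows"/>
  <node name="win2.example.test" node-executor="overthere-winrm"
        winrm-password-option="winrmPassword" winrm-protocol="https"
        winrm-auth-type="kerberos" username="winrmuser"
        hostname="win2.example.test:5986" osFamily="windows"/>
  <node name="linux1.example.test" username="rundeck"
        hostname="linux1.example.test" osFamily="unix"/>
</project>"""

def audit_nodes(xml_text):
    """Return {node name: [findings]} for nodes using the overthere-winrm executor."""
    report = {}
    for node in ET.fromstring(xml_text).iter("node"):
        if node.get("node-executor") != "overthere-winrm":
            continue                      # not a WinRM node, nothing to check
        findings = []
        if node.get("winrm-protocol", "").lower() == "http":
            findings.append("winrm-protocol=http")
        if node.get("winrm-auth-type", "").lower() == "basic":
            findings.append("winrm-auth-type=basic")
        # An attribute with the name given in winrm-password-option, set on the
        # node itself, means the password sits readable in the resource file.
        option = node.get("winrm-password-option")
        if option and node.get(option):
            findings.append(f"password stored inline in attribute {option!r}")
        if node.get("hostname", "").endswith(":5985"):
            findings.append("hostname targets port 5985 (WinRM HTTP default)")
        report[node.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_nodes(SAMPLE).items():
        print(name, "->", findings or "no findings")
```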

Execute test commands to check the integration:

Create a test job with below options to authenticate and execute the remote command.

Make sure below options are checked.

[Screenshot: Rundeck job Over Winrm]

Add a sample command (e.g. ipconfig /all), choose to execute on a remote node, and select the node that you added to the resources.xml file of Rundeck.

[Screenshot: RunDeck Job Over WinRM]

Now run the job and check that it succeeds and that the output window shows the command's output.

[Screenshot: RunDeck Job Over WinRM]

Note: Here we had a single project with multiple nodes, some of them Windows and some Unix, and the Rundeck server was hosted on a Linux machine. We had a requirement for file copy, passwordless remote login to the Windows machine, unattended user access control and remote batch file execution, which is why we had to equip the remote Windows host with so many prerequisites. If you do not have any complex requirements and just want to play around with creating a Windows node, you can follow the URL below, which has a very simple way to integrate Windows for sample command runs only. Do remember that copy and other functionality, such as inline script running, are not supported.

diegoluisi.eti.br/2015/06/linux/rundeck-how-to-add-windows-node/


3 Responses

  1. Alex M. says:

    if we have ssh server enabled on Windows, why would we need to use winrm? thanks!

  2. alexey says:

    Hi ! Just add a node, you can use my simple script! I ask only to change the options for the format when credited with an array @ data
    This is a reference to a script:
    https://github.com/alexey-pankratyev/ruby_scripts/blob/master/rundeck_customservers/prcustom.rb
