Welcome, Guest Login

Rundeck Enterprise Support Center

PowerShell Plugins

Last Updated: Jan 23, 2017 04:48PM PST

Overview

Applicability

These plugins are only applicable to RUNDECK PRO deployments on Windows Servers.

 

There are two plugins:

  • File Copier: Copies files to the remote node for execution by the Node Executor. This plugin would be used to execute any Script steps in your workflows, or to copy your own files stored on the RUNDECK PRO host.

  • Node Executor: Executes the command and script steps.

 

The plugins can be enabled in the Project Configuration page by selecting the Powershell Node Executor and Powershell File Copier as the default Node Executor and File Copiers.


Authentication Types

Authentication can happen in two ways, via trusted domain account or by username and password.

 

Hosts in Trusted Domain

When all hosts are in a trusted domain, remote execution requires just the username to access the remote hosts. Authentication will be made to the remote nodes as the domain user account that is executing the Rundeck server process.

 

Username and Password

If all hosts are not in a trusted domain, both username and password are required to access the remote hosts.


Plugin Configuration


Trusted Domain authentication will be used by default, unless a username and password are configured to be used.

You can configure the plugins to use a password via the Key Storage facility when accessing remote hosts.

  • password storage - using a password that is stored in the Key Storage facility.

You can either configure the password or password storage path at a project-wide level, or on a per-node basis.

 

Password Storage

 

Passwords can be stored securely in the RUNDECK PRO Keystore facility. These passwords can be stored in a tree like structure to help you organize them any way you wish. The passwords can be referenced using an attribute named “password-storage-path”. When RUNDECK needs the password, it looks up the file as referenced by the storage path, reads, decrypts, and passes the value to the plugins.

 

Node Configuration


Each host is configurable via “nodes” in the project resource model. Nodes are defined in terms of attributes.

Attributes

  • hostname: The hostname of the remote node accessible to the Rundeck server host.

  • username: The login account name to the remote host.

  • password-storage-path: The path to the file containing the password in the keystore. This path will start with “keys/”.

  • connectionUri: Alternate connection parameters as a URI. e.g. “https://hostname:port”


Example resource model definitions

 

The following example show a node defined using the XML format.

 

Note the password-storage-path attribute referencing the key path.

 <node name="winhost123"

       hostname="xxx.xxx.xxx.xxx"

       username="myaccount"

       password-storage-path="keys/winhost123.passwd" .../>

 

Project Configuration

 

The Password storage path can be configured at the project level.  In the Project Configuration page, set the Password Storage Path to a key path.  The path can contain references to information from the node or user who is executing the command, for example:

 

keys/nodes/${node.name}.password

 

or

 

keys/users/${job.username}.password

 

WinRM Setting to use Powershell Plugin


In order to connect rundeck with remotes windows nodes, it is necessary to set WinRM in both, the server and the remotes nodes.


On the rundeck server:


winrm quickconfig
winrm set winrm/config/client @{TrustedHosts="*"}

 

On the remotes nodes


winrm quickconfig
‚Äčwinrm set winrm/config/service/Auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}
winrm set winrm/config/winrs @{MaxMemoryPerShellMB="1024"}

 

Other setting

 
  • To enable the execution of remote command


Set-ExecutionPolicy RemoteSigned
 

  • To enable permission to a user to execute remote command:


Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell
 

  • Increase the concurrent shell issue:


set-item wsman:\localhost\shell\maxshellsperuser 50


Troubleshooting

 
  • If you get "Access is denied" error when you try to access to a shared folder on the remote node, it is possible that you must use the CredSSP autentication

http://support.rundeck.com/customer/portal/articles/2522223-enable-credssp-authentication-windows

Then, you can define the authentication type like:

<node name="XXXXX" description="Windows Server 2012" tags="Win2012" hostname="XXXXX" osArch="amd64" osFamily="windows" osName="Windows Server 2012" osVersion="6.3" username="rundeckuser@Domain.Local" password-storage-path="keys/xxxxx" ps-authentication-type="CredSSP" />
 
  • If you get  this error, you have to change the network category:

 

WinRM service is already running on this machine.

WSManFault

   Message

       ProviderFault

           WSManFault

               Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

Error number:  -2144108183 0x80338169

WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

Workaround using PowerShell as Administrator User:


(to get the InterfaceIndex)
Get-NetConnectionProfile

Set-NetConnectionProfile -InterfaceIndex [INTERFAZ_INDEX] -NetworkCategory Private

 
  • It could be necessary to change the user’s log-on in tomcat service when the remote connection does not work:

 

 

For further information about winrm and powershell plug-in see:

 
1fb43f9155a47800b95738aff7e657fc@rundeck.desk-mail.com
http://assets2.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete