Multiple domains and Nodes inside a project

[mezam]

Hello, I have installed RD 4.8 CE on a Windows 2019 server + MariaDB. Service is a Windows integrated. My team and I manage only Windows  servers. This Rundeck server is also the present PowerShell server used to manage the Windows environments, so WinRM already set and working since time.

I've been playing with Rundeck jobs since few days, and set up also few simple ones successfully. I would need now some advice on strategies to adopt when it comes to multiple domains. Our environment is small but it has 3 different domains (from different forests). The list of nodes are json files pulled from a directory scan. Unfortunately the option of using a local admin account for all servers is not allowed. So, we need to use three different accounts/passwords to successfully authenticate against all servers. 

1. Is this possible inside the same job?
2. I read of a resources.xml file that should tell for each node in a project how to connect. But in my E:\rundeck\projects directory I don't see any project folders at all (although I created few projects). I hope that by creating the present json files with the right attributes can facilitate this? Or can someone please shade some light or provide links to knowledge on this? 
3. I launched a test job against some servers and I added username/password for one of the 3 domains in the Default Node Executor (WinRM Python) configuration. When I launch a simple powershell command I get a failure on all servers. The error:   Failed: IOFailure: [WinRMPython] Cannot run program "python": CreateProcess error=2, The system cannot find the file specified. Maybe the WinRM python plugin needs to be told where python is installed on the Windows Rundeck server?

many many thanks again!

.g

[mezam]

regarding point 3 above, I have Python 3.10 embedded in the rundeck folder whose path is listed in the system PATHS in windows. I have changed the pyWinRM settings to use python3 but error remains the same:

Failed: IOFailure: [WinRMPython] Cannot run program "python3": CreateProcess error=2, The system cannot find the file specified

[mezam]

in this Reiner advices:   "... From the Rundeck server side, make sure that the python 3 executable path is well defined on the “Python Interpreter” textbox."  But in the WinRM Node Executor Python page, the Python Interpreter field is a dropdown where I can select only 3 options. I cannot enter anything, it's not a text box

[rac...@rundeck.com]

Hi,

Regarding your questions:

1. You can pass the account name/password options to your model source, that's called "job level authentication", take a look at this.

2. Latest Rundeck versions don't create that directory. Now, all projects are created in the backend :-) You can generate your resources.xml / resources.yaml manually using the model source, take a look.

3. Make sure to install python3 correctly in your system (and make sure Rundeck can reach the Python3 installation), regarding the last post and for security reasons, that "feature" was changed here.

Greetings.

[mezam]

I removed the embedded python and installed python 3.9 via a stardard setup. The project kept throwing the same error, so I created a new project and here the python executable is picked up. However, it still does not go. I've installed via pip the pywinrm package:

pip list
Package            Version
------------------ ---------
pywinrm            0.4.3

The error on each node is:

while on the rundeck server is:

from the Windows rundeck server we normally manage the whole Windows infrastructure via WinRM, which is already enabled and working since time.

[rac...@rundeck.com]

I recreated a similar environment using the Python 3.11 on a Windows with Rundeck 4.8.0 box, I obtained the Python 3 wizard from here.

To test:

1. Install the Python 3.10/3.11 on the same Rundeck Windows box, just make sure that the user that launch rundeck can reach and execute the “python” program (you can test it opening a new PowerShell terminal and type the “python” command, you will see a typical python prompt). Also, make sure to mark the “Add to PATH” checkbox in the installation process.

2. Install the plugin dependeces: In a administator PowerShell terminal just execute: pip install pywinrm urllib3 requests.

3. Configure the windows box to receive WinRM connections following this.

4. Delete the localhost model source and then, Add the following XML file model source, check the content:

<?xml version="1.0" encoding="UTF-8"?>
<project>
<node name="Hostname" 
      description="Windows Server" 
      tags="windows" 
      hostname="localhost" 
      osArch="amd64" 
      osFamily="windows" 
      osName="Windows Server 2012 R2" 
      osVersion="6.3" 
      username="myuser" 
      winrm-password-storage-path="keys/winpasswd"
      winrm-authtype="basic"/>
</project>

1. Add the “myuser” windows password on the Rundeck keystorage, “keys/winpasswd” path on my example.

2. In the Project Settings > System Configuration > Node Executor tab, select “Python” (not “Python 3”), this is the default Python 3.10/3.11 interpreter in Windows systems.

3. Dispatch any command via WinRM to the new local Windows node.

Hope it helps! :-)

​

[rac...@rundeck.com]

Hi Mezam, check the 2nd step on my previous post. Thanks.

Greetings.

[mezam]

Thanks Reiner, here's the output of the pip command:

PS C:\Windows\system32> pip install pywinrm urllib3 requests
Requirement already satisfied: pywinrm in e:\python\python39\lib\site-packages (0.4.3)
Requirement already satisfied: urllib3 in e:\python\python39\lib\site-packages (1.26.13)
Requirement already satisfied: requests in e:\python\python39\lib\site-packages (2.28.1)
Requirement already satisfied: requests-ntlm>=1.1.0 in e:\python\python39\lib\site-packages (from pywinrm) (1.1.0)
Requirement already satisfied: xmltodict in e:\python\python39\lib\site-packages (from pywinrm) (0.13.0)
Requirement already satisfied: six in e:\python\python39\lib\site-packages (from pywinrm) (1.16.0)
Requirement already satisfied: charset-normalizer<3,>=2 in e:\python\python39\lib\site-packages (from requests) (2.1.1)
Requirement already satisfied: idna<4,>=2.5 in e:\python\python39\lib\site-packages (from requests) (3.4)
Requirement already satisfied: certifi>=2017.4.17 in e:\python\python39\lib\site-packages (from requests) (2022.12.7)
Requirement already satisfied: cryptography>=1.3 in e:\python\python39\lib\site-packages (from requests-ntlm>=1.1.0->pywinrm) (38.0.4)
Requirement already satisfied: ntlm-auth>=1.0.2 in e:\python\python39\lib\site-packages (from requests-ntlm>=1.1.0->pywinrm) (1.5.0)
Requirement already satisfied: cffi>=1.12 in e:\python\python39\lib\site-packages (from cryptography>=1.3->requests-ntlm>=1.1.0->pywinrm) (1.15.1)
Requirement already satisfied: pycparser in e:\python\python39\lib\site-packages (from cffi>=1.12->cryptography>=1.3->requests-ntlm>=1.1.0->pywinrm) (2.21)
WARNING: You are using pip version 22.0.4; however, version 22.3.1 is available.
You should consider upgrading via the 'E:\Python\Python39\python.exe -m pip install --upgrade pip' command.

Basically, they were already installed. I also double checked point 1 and 3 in your post. Point 1 confirmed, and point 3 too, but I doubt this has anything to do with the remote node. I created the kinit.ini file and placed it in C:\Windows\ but again I doubt this is the culprit for those python errors. I don't know what else to try.. urllib3 is already the latest version

[rac...@rundeck.com]

Hi Mezam,

Related to this: "I created the kinit.ini file and placed it in C:\Windows\ but again I doubt this is the culprit for those python errors. I don't know what else to try.. urllib3 is already the latest version".

If you're using Kerberos auth, please follow this. Check the extra dependencies needed by Kerberos auth. Also, keep in mind the transport method in your node definition.

Regards!

[mezam]

Hello Reiner, thanks! 

Dependancies installed. In spite of pexpect being installed (as confirmed by pip install -l), I get:

[ERROR ] pexpect not installed, try: pip install pexpect (winrm-exec.py:242)[root]

Failed: NonZeroResultCode: [WinRMPython] Result code: 1

I also rebooted the server, but in vain. Here's the resource model xml file I'm playing with:

<?xml version="1.0" encoding="UTF-8"?>

<project>

<node name="fqdn"

      description="Windows Server"
      tags="windows"

      hostname="serverName"
      osArch="amd64"
      osFamily="windows"
      osName="Windows Server 2019"
      osVersion="10"
      username="user@domain"
      winrm-port="5985"
      winrm-shell="powershell"
      winrm-password-storage-path="keys/project/TEST4/rundRsmPw"
      winrm-authtype="kerberos"/>
</project>

If I use a local administrator and change the  winrm-authtype to basic it works. But unfortunately it really is not an option in our environment.

[mezam]

considering that rundeck runs on SYSTEM, I even tried to install pexpect using SYSTEM but it says it's already installed:

C:\Windows\system32>pip install pexpect
Requirement already satisfied: pexpect in e:\python\python39\lib\site-packages (4.8.0)
Requirement already satisfied: ptyprocess>=0.5 in e:\python\python39\lib\site-packages (from pexpect) (0.7.0)

WARNING: You are using pip version 22.0.4; however, version 22.3.1 is available.
You should consider upgrading via the 'E:\Python\Python39\python.exe -m pip install --upgrade pip' command.

C:\Windows\system32>whoami
nt authority\system

[rac...@rundeck.com]

Hi Mezam,

Weird issue, could you try using pip3 instead pip? Probably you're working in an environment with multiple python installations on the same machine.

Regards.

[mezam]

I've checked, no other Python setups present on the system. The only one was an embedded setup but no environment variables pointing to it. It was removed. If I use pip3 I get again the "Requirement already satisfied" message. And if I use python3 I get:

Failed: IOFailure: [WinRMPython] Cannot run program "python3": CreateProcess error=2, The system cannot find the file specified

In fact the 3.9 version installed uses python.exe. 

I have the impression that rundeck runs better on Linux but unfortunately I cannot get rid of this Windows server, at least not for a while. 

I'll try to upgrade Python to 3.11...don't know what else to do... 

[mezam]

the culprit could be the Try at line 63 of  winrm-check.py:

try:

import pexpect

if hasattr(pexpect, 'spawn'):
    argspec = getargspec(pexpect.spawn.__init__)
    if 'echo' in argspec.args:
        HAS_PEXPECT = True
except ImportError as e:
HAS_PEXPECT = False

argspec is not being assigned the expected value. I'm not sure upgrading python will help. I'll try anyway...

[mezam]

https://github.com/rundeck-plugins/py-winrm-plugin/issues/79 

[rac...@rundeck.com]

Good catch Mezam, thanks to add your research. It seems an old issue.

Issue Acknowledged.

[mezam]

Hello, does anybody know if this has been fixed in later Windows releases? So to decide if to update or not... many thanks

[mezam]

I've just upgraded to the rundeck version 4.17 and now it works. I don't know when and in which earlier version this was fixed, but it was. Confirmed also by a wireshark capture.