Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status


rundeck (56) Versions 4.0.1

Installs and configures Rundeck 2.x

cookbook 'rundeck', '= 4.0.1', :supermarket
cookbook 'rundeck', '= 4.0.1'
knife supermarket install rundeck
knife supermarket download rundeck
Quality 33%

Rundeck Cookbook

Build Status
Cookbook Version

Installs and configures a Rundeck 2.0 server with Chef integration via the chef-rundeck.gem. Projects in rundeck can be dynamically configured via data bag items using search. Linux and Windows client nodes are supported. The cookbook has optional support for Active Directory and LDAP.



  • Chef 11+

Because of the heavy use of search, this recipe will not work with Chef Solo, as it cannot do any searches without a server.

This cookbook relies on multiple data bags. See Data Bag below.


  • Debian 7+
  • Ubuntu 12.04+
  • RHEL 5+
  • Windows 7 Enterprise (managed node)
  • Windows 2008 R2 (managed node)
  • Mac OS X (managed node)

Notes: This cookbook has been tested on the listed platforms. It may work on other platforms with or without modification.
In RHEL / CentOS, SELinux is enabled by default. Because it blocks apache mod_proxy , disable, or add an exception to, selinux.


  • Java
  • Apache2
  • Sudo
  • Runit



Linux default attributes for all rundeck managed nodes and server

  • node['rundeck']['user'] - Rundeck username (linux), default 'rundeck'
  • node['rundeck']['user_home'] - Rundeck user home directory (linux), default '/home/rundeck'

  • node['rundeck']['framework']['properties'] - Use to set additional config in the template

  • node['rundeck']['rundeck_databag_secure'] - Rundeck secure data bag item for all keys and passwords, default 'secure'

  • node['rundeck']['rundeck_databag'] - Rundeck configuration data bag for secure data, default 'rundeck'

  • node['rundeck']['rundeck_projects_databag'] - Rundeck project configuration data bag. Used for project creating and chef-rundeck. default 'rundeck_projects'

  • node['rundeck']['rundeck_databag_aclpolicies'] - Aclpolicies databag. Default is 'nil'. Example aclpolicy databag can be found in test/integration/default/data_bags/rundeck/aclpolicies.json

  • node['rundeck']['session_timeout'] - Number of minutes a rundeck session will last, before having to login again, default '30'

  • node['rundeck']['use_ssl'] - Whether or not to use SSL for the apache vhost, default false

  • node['rundeck']['use_inbuilt_ssl'] - Whether or not to use the inbuilt SSL for rundeck server. Default false

    Note: If using this option the file needs to be generated by a wrapper cookbook. A sample template can be found in this repo. Check rundeck documentation for more details.

  • node['rundeck']['ssl']['port'] - Use while using inbuilt SSL. Default 4443

  • node['rundeck']['cert']['name'] - SSL certificate name. Certificate files should be named this .key and .crt, default node['rundeck']['hostname']

  • node['rundeck']['cert']['ca_name'] - SSL CA certificate name. If this and use_ssl are set, a certificate authority file is used in the apache vhost. CA certificate files should be named this .crt, default 'nil'

  • node['rundeck']['cert']['cookbook'] - The cookbook to copy the SSL certificates from, default 'rundeck'

  • node['rundeck']['webcontext'] - The URI portion of the rundeck server, default '/', you can set it to '/rundeck' if your webserver is handling other tasks besides rundeck.

  • node['rundeck']['grails_server_url'] - The URL of the rundeck server, default 'http://#{node['rundeck']['hostname']}#{node['rundeck']['webcontext']}', or 'https://#{node['rundeck']['hostname']}#{node['rundeck']['webcontext']}' if use_ssl is set.

  • node['rundeck']['grails_port'] - The port to be used as part of the rundeck url in grails.

Windows default attributes for all rundeck managed nodes

  • node['rundeck']['windows']['user'] - Windows user to create, default 'rundeck'
  • node['rundeck']['windows']['group'] - Windows user group to add the 'rundeck' user to, default 'Administrators'
  • node['rundeck']['server_url'] - Due to a bug in some cases on rundeck, if this is filled out a bad login may occur. Some instances this may need to be set to other values or even nil. This will control the serverUrl in the config.
  • node['rundeck']['log_level'] - Debug level for rundeck (ERR,WARN,INFO,VERBOSE,DEBUG), default INFO
  • node['rundeck']['rss_enabled'] - true/false for RSS support


Chef rundeck integration service attributes

  • node['rundeck']['chef_config'] - Chef-Rundeck client configuration, default '/etc/chef/rundeck.rb'

  • node['rundeck']['chef_rundeck_url'] - Chef-Rundeck URL, default 'http://chef.hostdomain:9980'

  • node['rundeck']['chef_rundeck_port'] - Chef-Rundeck binds to port, default '9980'

  • node['rundeck']['chef_rundeck_host'] - Chef-Rundeck binds to address, default ''

  • node['rundeck']['chef_rundeck_cachetime'] - Number of seconds for Chef-Rundeck to cache the answer from the Chef server, default '30'

  • node['rundeck']['chef_rundeck_partial_search'] - Chef-Rundeck enabled to use partial search (Chef 11 only), default 'false'

  • node['rundeck']['chef_webui_url'] - Chef Server Web UI URL, default ''

  • node['rundeck']['chef_url'] - Chef Server API URL, default ''

  • node['rundeck']['project_config'] - Generated project configuration from data bags, default '/etc/chef/chef-rundeck.json'

  • node['rundeck']['chef_rundeck_gem'] - Use a custom version of the chef-rundeck gem (eg. local version), default 'nil' uses the gem repo by default


Attributes that configure and manage the installation of the Rundeck server

  • node['rundeck']['configdir'] - Configuration directory, default '/etc/rundeck'
  • node['rundeck']['basedir'] - Rundeck installation directory, default '/var/lib/rundeck'
  • node['rundeck']['exec_logdir'] - Directory where rundeck stores execution logs. Deafult is "#{node['rundeck']['basedir']}/logs"
  • node['rundeck']['datadir'] - Rundeck project directory, default '/var/rundeck'
  • node['rundeck']['tokens_file'] - File containing user API tokens (e.g. '/etc/rundeck/'), default is nil (not set)
  • node['rundeck']['deb']['package'] - Package file name to install, used in the building of the URL
  • node['rundeck']['deb']['options'] - dpkg install options, default false
  • node['rundeck']['url'] - URL for the deb file to download and install, default "{node['rundeck']['deb']['package']}"
  • node['rundeck']['checksum'] - Checksum for the deb
  • node['rundeck']['rpm']['repo']['url'] - URL for the yum repo location, default ""
  • node['rundeck']['rpm']['repo']['gpgkey'] - URL for gpg key for yum repo authentication, default ""
  • node['rundeck']['rpm']['repo']['gpgcheck'] - Whether to perform gpg check on package, default True
  • node['rundeck']['rpm']['version'] = RPM download name, from
  • node['rundeck']['jaas'] - Use built in internal file, or a different one (options 'activedirectory', default 'internal')
  • node['rundeck']['default_role'] - Require users to be a member of this role for Rundeck access, default 'user'
  • node['rundeck']['security_roles'] - Array containing additional security roles for which Rundeck will attempt to validate membership. For an explanation of this, see the Rundeck documentation.
  • node['rundeck']['hostname'] - VIP or server address for the service, default ''
  • node['rundeck']['port'] - Internal server port for the service, default '4440'
  • node['rundeck']['email'] - Email address, default ''
  • node['rundeck']['restart_on_config_change'] - When true, rundeck will restart on any configuration file change. (even if a job is running) default 'false'
  • node['rundeck']['jvm_mem'] - JVM memory arguments, default '-XX:MaxPermSize=256m -Xmx1024m -Xms256m'

Attributes that configure SMTP settings for email notifications

  • node['rundeck']['mail']['host'] - SMTP server hostname or IP address
  • node['rundeck']['mail']['port'] - SMTP server port (default 25)
  • node['rundeck']['mail']['username'] - SMTP User name (not required)
  • node['rundeck']['mail']['password'] - SMTP User password (not required)

If you want to use encrypted databags for your windows password and/or public/private key pairs generate a secret using:
$ openssl rand -base64 512 | tr -d '\r\n' > rundeck_secret

Distribute to all systems that will work with rundeck via a recipe and set the path to that file in the following attribute

  • node['rundeck']['secret_file'] - default 'nil'

  • node['rundeck']['rdbms']['enable'] - enable RDBMS support, default false

  • node['rundeck']['rdbms']['type'] - database type, default 'mysql'

Common RDBMS Configuration

  • node['rundeck']['rdbms']['location'] - RDBMS server name
  • node['rundeck']['rdbms']['dbname'] - database name, default 'rundeckdb'
  • node['rundeck']['rdbms']['dbuser'] - database username, default 'rundeckdb'
  • node['rundeck']['rdbms']['dbpassword'] - database password
  • node['rundeck']['rdbms']['port'] - database port number, default '3306'

Oracle RDBMS Configuration

  • node['rundeck']['rdbms']['dialect'] - hibernate database dialect, default 'Oracle10gDialect'

Windows Attributes

  • node['rundeck']['windows']['winrm_auth_type'] - winrm authentication type (options 'basic' or 'kerberos', default: 'basic')
  • node['rundeck']['windows']['winrm_cert_trust'] - winrm SSL security (options 'all', 'self-signed', 'default' (trusted certs only), default: 'all')
  • node['rundeck']['windows']['winrm_hostname_trust'] - winrm hostname security (options 'all', 'strict', 'browser-compatible', default: 'all')
  • node['rundeck']['windows']['winrm_protocol'] - winrm protocol to use, either 'http' or 'https'. default: 'https'

Active Directory/LDAP Attributes

  • node['rundeck']['ldap']['provider'] - LDAP server for connection
  • node['rundeck']['ldap']['binddn'] - LDAP root bind DN. It will be ignored if node['rundeck']['ldap']['forcebindinglogin'] is true
  • node['rundeck']['ldap']['bindpwd'] - LDAP root bind password. It will be ignored if node['rundeck']['ldap']['forcebindinglogin'] is true
  • node['rundeck']['ldap']['authenticationmethod'] - LDAP authentication method
  • node['rundeck']['ldap']['forcebindinglogin'] - If true, bind as the user is authenticating, if not it bind using the root DN and perform a search to verify the user password
  • node['rundeck']['ldap']['userbasedn'] - LDAP base user DN search
  • node['rundeck']['ldap']['userrdnattribute'] - LDAP attribute name for user name
  • node['rundeck']['ldap']['useridattribute'] - LDAP attribute name to identify user
  • node['rundeck']['ldap']['userpasswordattribute'] - LDAP attribute name for user password
  • node['rundeck']['ldap']['userobjectclass'] - LDAP object class for user
  • node['rundeck']['ldap']['rolebasedn'] - LDAP base role DN search
  • node['rundeck']['ldap']['rolenameattribute'] - LDAP attribute name for role name
  • node['rundeck']['ldap']['rolememberattribute'] - LDAP attribute name that would contain the users DN
  • node['rundeck']['ldap']['['roleusernamememberattribute'] - LDAP attribute name that would contain the users' user name. If set, node['rundeck']['ldap']['rolememberattribute'] will be not used
  • node['rundeck']['ldap']['roleobjectclass'] - LDAP object class for group
  • node['rundeck']['ldap']['roleprefix'] - Prefix string to remove from role names before returning to the application
  • node['rundeck']['ldap']['cachedurationmillis'] - Duration in milliseconds of the cache of an authorization
  • node['rundeck']['ldap']['reportstatistics'] - If true, output cache statistics to the log
  • node['rundeck]['ldap]['debug'] - If true, output debug logs related to ldap to rundeck service.log. Default is true.

Quartz Configuration

  • node['rundeck']['quartz']['threadPoolCount'] - Quartz job threadCount. The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10.

Custom Configuration

  • Custom framework configuration ( can be specified using node['rundeck']['custom_framework_config']['<custom _configuration>']
  • Custom rundeck configuration ( can be specified using node['rundeck']['custom_rundeck_config']['<custom _configuration>']
  • Custom JVM properties (profile) can be specfied using node['rundeck']['custom_jvm_properties']

Note: Using custom configuration is for advanced users.



Includes the rundeck::node_unix or rundeck::node_windows (depending on platform) recipe to configure rundeck access on the node.


Configures node the for rundeck access. Creates the user specified in node['rundeck']['user'] and manages all SSH keys (see Data Bag below) in the home directory node['rundeck']['user_home']. Default for Debian / Ubuntu systems.


Configures node the for rundeck access. Creates the user specified in node['rundeck']['windows']['user'] and manage the correct group memberships (node['rundeck']['windows']['group']) and passwords (see Data Bag below). Default for Microsoft Windows sytems.


Installs the chef-rundeck sinatra application which allows integration with a Chef server. This recipe can be used on any node including the chef server itself.


Includes rundeck::default

The server recipe sets up Apache as the web front end by default.

The recipe does the following:

  1. Determines if encrypted data bags are in use
  2. Installs rundeck, and dependent packages, required for the server
  3. Sets up configuration directories
  4. Creates SSH keys from data bag
  5. Configures winRM (if needed)
  6. Ensures 'rundeck' user owns the project directory
  7. Configures and enables the Rundeck web UI via Apache
  8. Starts the Rundeck server service
  9. Configures and registers Rundeck projects based on the data bag entries

Data Bags


Create a rundeck data bag that will contain the secrets that will be used to log into the rundeck managed nodes. The data bag can be encyrpted via a secret. If using a encrypted data bag, the secret file must be avaiable on each of the managed nodes. Example rundeck data bag item:

  "id": "secure",
  "description": "Rundeck requires credentials to execute on remote nodes",
  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAt3iZzG ..... -----END RSA PRIVATE KEY-----",
  "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAA ......... f3OC9Jxe/VcFmtelcmQ== rundeck keys",
  "windows_password": "<plain text password>",
  "chef_rundeck_pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAx5t2uL0kAD2 ..... qTzvcb1u87qWh7rnRlHUeDQ+nI7ZBFgJK\n-----END RSA PRIVATE KEY-----"

Generate a public and private key for rundeck to manage nodes via SSH.
$ ssh-keygen -N '' -q -f /tmp/rundeck_rsa
$ cat /tmp/rundeck_rsa | awk '{ printf "%s\\n", $0 }'
W3zEq86o2+hgjwYBJQodBF8H1FOsa\nGjBkfxSrnrze8e6EYC5GV35bY+/tGsxYO/cHUvQXiMAZZIf/dGQK\n-----END RSA PRIVATE KEY-----

Copy the line returned and place in the data bag item as the private_key.

    $ cat /tmp/ | awk '{ printf "%s\\n", $0 }'
    HRM7elQHaqWY2/ rundeck@rundeckserver

Copy the line returned and place in the data bag item as the public_key.

Use knife to create a new client for Chef-Rundeck integration.
$ knife client create -a chef-rundeck -f /tmp/chef-rundeck
$ cat /tmp/chef-rundeck | awk '{ printf "%s\\n", $0 }'
-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAunxd79sbk2RLP6NRFUCf7ptPuSlhTmqPlDXJPcxjCStUoVbX\n9lcIsVH8FenscWtwReqw7ca
yCBfa+Xy7nF/HoPuULDzqIjJccHuJ\ncZC8J0MnQaZvJolodhcCYMK2B6UtRpwmn96oNKsbBBT5WU2f8dEI\n-----END RSA PRIVATE KEY-----\n

Copy the line returned and place in the data bag item as the public_key.

Set a windows password if managing windows systems, the password needs to be in plain text. (see the encryption options for the rundeck data bag)

Rundeck Users

Local Rundeck users are created via the Rundeck data bag item users. Users are added into the "users" hash as in the example below:

"chef_type": "data_bag_item",
"data_bag": "rundeck",
"id": "users",
"description": "Local rundeck users",
"users": {
"admin": {
"groups": [
"password": "secrete"
"apiuser": {
"groups": [
"password": "secrete"

Encrypted Data bag - Rundeck

When using node['rundeck']['secret_file'] you will need to create a secret file for the encryption. Make sure the 'rundeck_secret' file is available on all nodes managed by rundeck.

Generate a secret file with openssl:
$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/rundeck_secret

Generate the encrypted data bag:
$ knife data bag create rundeck secure --secret-file /tmp/rundeck_secret

Rundeck Projects

Create a rundeck_projects data bag that will contain the projects, and search strings, for the rundeck managed nodes to include by project.

Example rundeck_projects data bag items can be found in /test/default/data_bags/rundeck_projects/. In version 4.0.0 of this cookbook, the data bag item format has changed. As of version 4.0.0 of this cookbook, project config will be set to exactly the config described in the "project_settings" key of the data bag item. Here is an example project data bag item:

  "id": "the-project-name",
  "project_settings": {
    "project": {
      "description": "The project description",
      "nodeCache": {
        "delay": 30,
        "enabled": true
      "ssh-authentication": "password",
      "ssh-password-storage-path": "keys/service-account.password",
      "ssh.user": "service-account",
      "sudo-command-enabled": true,
      "sudo-password-storage-path": "keys/service-account.password",
      "sudo-prompt-max-timeout": 30000,
      "sudo-response-max-timeout": 30000
    "extra-config": {
      "some-key": "some-value",
      "nested-further": {
        "a": "A",
        "b": false

The data bag item above would create a project named the-project-name with the following properties:

project.description = The project description
project.nodeCache.delay = 30
project.nodeCache.enabled = true
project.ssh-authentication = password
project.ssh-password-storage-path = keys/service-account.password
project.ssh.user = service-account
project.sudo-command-enabled = true
project.sudo-password-storage-path = keys/service-account.password
project.sudo-prompt-max-timeout = 30000
project.sudo-response-max-timeout = 30000
extra-config.some-key = some-value
extra-config.nested-further.a = A
extra-config.nested-further.b = false

Pre-4.x backwards compatible project data bag item format

Previously, several config keys in the data bag item were used to generate the project config. This made too many assumptions, and greatly complicated the project creation and update functionality. If you want to maintain this data bag item format, backwards compatibility is supported if you set "old_style": true in the data bag item:

  "id": "dev-systems",
  "old_style": true,
  "hostname": "ipaddress",
  "username": "rundeck",
  "pattern": "chef_environment:dev1 OR chef_environment:dev2",
  "description": "These instances are tied to the dev-systems project in Rundeck.",
  "chef_rundeck_url" : "Optional: URL for the chef-rundeck integration endpoint"
  • hostname - attribute in the data bag item json is used when rundeck try to connect to the node (fqdn is the default)
  • username - attribute is the user to authenticate to the node with when rundeck connects
  • pattern - attribute is a search query for nodes to include in to the project in rundeck.
  • chef_rundeck_url - optional attribute is a URL to locate the resource project, if not provided node['chef_rundeck_url'] will be used.
  • project_settings - optional attribute is a map of properties that will be added to the rundeck

Rundeck Role ACL Policy

A default role acl policy is supported out of the box. You can add new acl policy files in to the configuration directory (node['rundeck']['configdir'])

Rundeck role acl policy definitions.

License & Authors

Copyright 2014-2015, Webtrends Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.



  • Project changes
    • Projects are now created and updated according to the data bag definition
    • Create projects with api rather than CLI
    • Project data bag change: projects will now be created / updated with config exactly matching what is in the "project_settings" key in the data bag item. If you want to set extra config for all projects, consider adding attributes into ['rundeck']['framework']['properties']
    • The functionality to set resources.source.1 and project.resources.file for all projects has been removed because it makes too many assumptions about projects. You can re-enable this functionality on a per-project basis by setting the "old_style" key to true in the project data bag item. See the lwrp for more information on this.
  • Use ['rundeck']['framework']['properties'] to set additional config in the template


  • Fixed issue #104 (ACL databag not being handled)
  • Support for backward compatibility of Rundeck.


  • Added LWRP User
  • Added LWRP Plugin
  • Support ACL policy file data bag
  • Support SSL certs via data bag
  • Support LDAP bindDn and password via data bag to enable encryption
  • Support RDBMS config via data bag to enable encryption
  • Add CA certs to Java truststore
  • Fix SSL so that CLI works properly and configure SSL offloading to proxy
  • Fix issue with server presenting itself on


  • Update template file for 2.6.2
  • Update downloaded deb and rpm for 2.6.2
  • Updated checksum for 2.6.2
  • Alter default loglevel
  • Change JVM memory settings to an attribute.
  • Change Apache template to work with different auth modules (commonly seen with apache 2.2->2.4)
  • winrm plugin broken in 2.6. Updating winrm plugin to version 1.3.1 from 1.1


  • upgrading to 2.6.0
  • fixing AD auth issues with forcebinding not working correctly


  • separated out apache, java, and rundeck server install, so you can install your own flavors
  • created grails variables so there more control over listening port


  • Using attributes for databag items
  • Bug fixes


  • updating to rundeck version 2.4.2-1 GA


  • added more options for LDAP configurations
  • improved the install process for the package option
  • configurable databag names
  • add a users item to rundeck data bag to allow changing of default admin password. This may be encrypted if needed.
  • remove the tie of rundeck username and group
  • chef-client v10 treats platform? as attribute instead of method in attributes file
  • Add supplemental groups to jaas-activedirectory ( This affects default['rundeck']['default_role']
  • bump default rundeck version to 2.3.2-1
  • configurable server url attributes added
  • fixed home dir creation
  • berkshelf and cookbook test updates
  • fixed platform detection for attributes on rhel and chef 10


  • updating to rundeck 2.1.2
  • removing runit from rundeck::server recipe. default init scripts work now!
  • bug fix issue #6
  • removing runit from chef-rundeck recipe. use upstart
  • Berkshelf support added


  • added support to add custom project properties via the rundeck_project databag
  • bug fixes with email settings in
  • update rundeck 2.0.3
  • Added RHEL support (thanks scottymarshall)


  • add smtp configuration to
  • update for chef-rundeck partial searches with chef 11


  • add support for multiple chef-rundeck URL


  • update rundeck 2.0.1
  • update to chef-rundeck 1.0.2
  • added a file
  • added a CONTRIBUTING file
  • adding Travis-CI integration and foodcritic support


  • update rundeck from 1.4 to 1.6


  • Move chef-rundeck URL config into the project data bags for multiple chef-rundeck URLs


  • Add support for windows via winrm


  • Add support for sudo cookbook version 2.0+


  • Add support for relational databases mysql and oracle
  • Fixed path issues and updated to latest deb


  • Address food critic warnings


  • Parameterized the rundeck.rb template


  • Updating chef-rundeck gem.


  • Initial releas

Collaborator Number Metric

4.0.1 passed this metric

Foodcritic Metric

4.0.1 failed this metric

FC017: LWRP does not notify when updated: rundeck/providers/project.rb:1
FC059: LWRP provider does not declare use_inline_resources: rundeck/providers/project.rb:1
Run with Foodcritic Version 8.2.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

License Metric

4.0.1 failed this metric

rundeck does not have a valid open source license.
Acceptable licenses include Apache 2.0, apachev2, MIT, mit, GNU Public License 2.0, gplv2, GNU Public License 3.0, gplv3.