Docker Configuration Reference
Docker Configuration Reference
Tips
Check out the Docker Zoo for configuration examples in Docker Compose! These examples cover common configuration scenarios including
connecting to each supported database.
Security
Environment variables
Locally run jobs run as the rundeck user, the same as the server, and may carry the environment variables used when starting the server. By default all environment variables starting with RUNDECK_ are unset before starting Rundeck. See RUNDECK_ENVARS_UNSETALL and RUNDECK_ENVARS_UNSETS below for unset options.
SSH Keys
You can provide private ssh keys by mounting them into /home/rundeck/.ssh:$ docker run --name some-rundeck -v /home/protip/.ssh:/home/rundeck/.ssh rundeck/rundeck
Kubernetes users may wish to mount a private key in through the secrets system. See Kubernetes documentation Use-Case: Pod with ssh keys for details.
Rundeck Key Storage can be used to provide ssh keys to the ssh plugin as well.
Control JVM heap allocation
$ docker run -m 1024m
The JVM is configured to use cgroup information to set the max heap allocation size. The RAM percentage is set to 75 by default, so the JVM will utilize up to about 3/4 the container limit. See JVM_MAX_RAM_PERCENTAGE for information on changing this.
Key Store Security
By default keystorage is set to use the database, and the encryption converters are disabled. To enable encryption, supply a password for one or both of the default converters:
RUNDECK_STORAGE_CONVERTER_1_CONFIG_PASSWORD=supersecret
RUNDECK_CONFIG_STORAGE_CONVERTER_1_CONFIG_PASSWORD=supersecretNote: It is not recommended to enable/disable encryption after initial project setup! Refer to the docs for more information.
User Authentication
NOTE: For extra reference and clarity, refer to the official docs.
For example configurations check out the Zoo.
Default
The default setup utilizes the /home/rundeck/server/config/realm.properties file. Mount or otherwise replace this file to manage further users through this method.
JAAS
There is initial support for composing the JAAS modules talk about in the docks. The convention for listing the modules to use in environment variables:
RUNDECK_JAAS_MODULES_0=JettyCombinedLdapLoginModule
RUNDECK_JAAS_MODULES_1=PropertyFileLoginModuleConfig keys are located under:
RUNDECK_JAAS_LDAP_*
RUNDECK_JAAS_FILE_*By convention the module name matches the name in the docs, and the config keys match
the config options listed in the docs uppercase, and all one word.
To configure the LDAP module as sufficient, required, requisite, optional, you can use:
RUNDECK_JAAS_LDAP_FLAGFor further reference, please check this documentation
Extending Configuration
See the Extending Configuration
for complete details on extending the Docker application configuration.
Environment Variables
It is possible to use Environment Variables to configure Rundeck. The templates here are included in both versions of Rundeck.
Note: Some Enterprise settings may not be documented here. Check the template files for the latest updates
RUNDECK_ENVARS_UNSETALL=true
Unsets all environment variables starting with RUNDECK_ before starting Rundeck. Set to false
to utilize the RUNDECK_ENVARS_UNSETS option.
RUNDECK_ENVARS_UNSETS
Set to a space-separated list of environment variables to unset before starting Rundeck.
Basic
JVM_MAX_RAM_PERCENTAGE=75
The JVM will use x% of the max RAM for heap. For example, a setting of 50 will cause the JVM to utilize up to half the container limit for heap. The default is set to 75.
RUNDECK_SERVER_UUID
Identifies Rundeck instances when multiple are running in the same cluster. While hard-coded to a default for getting started, this should be set manually for more advanced configurations.
RUNDECK_GRAILS_URL=http://127.0.0.1:4440
Controls the base URL the app will use for links, redirects, etc. This is the URL users will use to access the site.
RUNDECK_SERVER_CONTEXTPATH=/
Set to path Rundeck is running under(i.e. http://localhost/rundeck). Useful if running Rundeck behind a reverse proxy under a path on the hostname.
RUNDECK_SERVER_FORWARDED=false
Set to true if running behind a reverse proxy. X-Forwarded-Proto header must be set if running behind a TLS terminating proxy.
RUNDECK_GRAILS_UPLOAD_MAXSIZE
Controls both the maxFileSize and maxRequest for the grails controller config and maxsize for the Rundeck fileUploadService tempfile config.
The internal default is approximately 25Mib or 26214400.
RUNDECK_SERVER_ADDRESS=0.0.0.0
This is the address or hostname the application will attempt to bind to within the container.
RUNDECK_DATABASE_URL
Defaults to jdbc:h2:file:/home/rundeck/server/data/grailsdb;DB_CLOSE_ON_EXIT=FALSE. The default configuration utilizes an h2 file for data storage.
RUNDECK_DATABASE_MIGRATE_ONSTART
This will configure the setting for grails.plugin.databasemigration.updateOnStart used in Upgrading to the 3.4. Defaults to true.
RUNDECK_SERVER_SESSION_TIMEOUT=86400
This will increase the session timeout to 24h, enabling users to stay logged in longer.
Database
RUNDECK_DATABASE_DRIVER
Set this if using an alternative backend from h2.
org.postgresql.Driverorg.mariadb.jdbc.Drivercom.mysql.jdbc.Driver(Must download the jar. It is not bundled with Rundeck.)
RUNDECK_DATABASE_USERNAMERUNDECK_DATABASE_PASSWORD
Logging
RUNDECK_LOGGING_STRATEGY=CONSOLE
The default console strategy configures log4j to send all output to stdout to be collected by the container logging driver.
Set to FILE to log into /home/rundeck/server/logs .
RUNDECK_LOGGING_AUDIT_ENABLED
Set to anything enables audit logging. This can be very verbose so use with caution.
Key Storage
RUNDECK_STORAGE_PROVIDER_#_[[TYPE|PATH]|CONFIG_[...]]RUNDECK_STORAGE_CONVERTER_#_[[TYPE|PATH]|CONFIG_[...]]
Configuration options for key storage providers and converts. These map to the Storage Facility Docs.
Authentication
RUNDECK_PREAUTH_ENABLED=falseRUNDECK_PREAUTH_ATTRIBUTE_NAME=REMOTE_USER_GROUPSRUNDECK_PREAUTH_DELIMITER=,RUNDECK_PREAUTH_USERNAME_HEADER=X-Forwarded-UuidRUNDECK_PREAUTH_ROLES_HEADER=X-Forwarded-RolesRUNDECK_PREAUTH_REDIRECT_LOGOUT=falseRUNDECK_PREAUTH_REDIRECT_URL=/oauth2/sign_in
Configuration options for using the preauthenticated mode.
RUNDECK_TOKENS_FILE
Specify location of a static tokens file. See configuration file reference for details.
Security Headers
RUNDECK_SECURITY_HTTPHEADERS_ENABLED=trueRUNDECK_SECURITY_HTTPHEADERS_PROVIDER_XCTO_ENABLED=trueRUNDECK_SECURITY_HTTPHEADERS_PROVIDER_XXSSP_ENABLED=trueRUNDECK_SECURITY_HTTPHEADERS_PROVIDER_XFO_ENABLED=trueRUNDECK_SECURITY_HTTPHEADERS_PROVIDER_CACHECONTROL_ENABLED=trueRUNDECK_SECURITY_HTTPHEADERS_PROVIDER_CSP_ENABLED=trueRUNDECK_SECURITY_HTTPHEADERS_PROVIDER_CSP_CONFIG_INCLUDEXCSPHEADER=falseRUNDECK_SECURITY_HTTPHEADERS_PROVIDER_CSP_CONFIG_INCLUDEXWKCSPHEADER=falseRUNDECK_SECURITY_HTTPHEADERS_PROVIDER_CSP_CONFIG_POLICY
Controls for CSP and other security headers.
RUNDECK_MAIL_SMTP_HOSTRUNDECK_MAIL_SMTP_PORTRUNDECK_MAIL_SMTP_USERNAMERUNDECK_MAIL_SMTP_PASSWORDRUNDECK_MAIL_FROM
Default from address.
RUNDECK_MAIL_DEFAULT_TEMPLATE_SUBJECTRUNDECK_MAIL_DEFAULT_TEMPLATE_FILERUNDECK_MAIL_DEFAULT_TEMPLATE_LOG_FORMATTEDRUNDECK_MAIL_PROPS
Mail properties that get passed through to Grails. For example, to use StartTLS(required by many servers including AWS SES), ["mail.smtp.starttls.enable":"true","mail.smtp.port":"587"].
Thread Pools
RUNDECK_QUARTZ_THREADPOOL_THREADCOUNT
Set the threadCount value to the max number of threads you want to run concurrently. If not set, default to 10.
Enterprise Environment Variables
RUNDECK_SERVER_TAGS
Authentication
RUNDECK_SECURITY_DBLOGIN_ENABLEDRUNDECK_SECURITY_DBLOGIN_CREATEADMINUSERANDROLESRUNDECK_SECURITY_DBLOGIN_ADMINUSERNAME=rdadminRUNDECK_SECURITY_DBLOGIN_ADMINPASSWORD
Okta
RUNDECK_PLUGIN_OKTAGROUPSOURCE_ENABLED=falseRUNDECK_PLUGIN_OKTAGROUPSOURCE_APITOKENRUNDECK_PLUGIN_OKTAGROUPSOURCE_OKTAHOSTNAMERUNDECK_PLUGIN_OKTAGROUPSOURCE_INCLUDEGROUPTYPES=APP_GROUP
SSO Options
RUNDECK_SECURITY_OAUTH_ENABLED=falseRUNDECK_SSO_LOGINBUTTON_ENABLED=trueRUNDECK_SSO_LOGINBUTTON_TITLE=Login With SSORUNDECK_SSO_LOGINBUTTON_URL=oauth/okta
OAUTH
For oauth configuration below replace XXXX with the provider name(ie okta).
See the SSO Documentation for more information.
RUNDECK_SECURITY_OAUTH_XXXX_CLIENTIDRUNDECK_SECURITY_OAUTH_XXXX_CLIENTSECRETRUNDECK_SECURITY_OAUTH_XXXX_ACCESSTOKENURIRUNDECK_SECURITY_OAUTH_XXXX_USERAUTHORIZATIONURIRUNDECK_SECURITY_OAUTH_XXXX_USERINFOURIRUNDECK_SECURITY_OAUTH_XXXX_JWKSETURIRUNDECK_SECURITY_OAUTH_XXXX_AUTOCONFIGURLRUNDECK_SECURITY_OAUTH_XXXX_CUSTOMREDIRECTURIRUNDECK_SECURITY_OAUTH_XXXX_AUTHORITYPROPERTYRUNDECK_SECURITY_OAUTH_XXXX_AUTHORITYKEYSRUNDECK_SECURITY_OAUTH_XXXX_AUTHORITYASCOMMASEPARATEDSTRINGRUNDECK_SECURITY_OAUTH_XXXX_PRINCIPLEKEYSRUNDECK_SECURITY_OAUTH_XXXX_CLIENTAUTHENTICATIONSCHEMARUNDECK_SECURITY_OAUTH_XXXX_SCOPE
Cluster
RUNDECK_PLUGIN_CLUSTER_HEARTBEAT_CONSIDERDEAD=180RUNDECK_PLUGIN_CLUSTER_AUTOTAKEOVER_ENABLED=trueRUNDECK_PLUGIN_CLUSTER_AUTOTAKEOVER_POLICY=anyRUNDECK_PLUGIN_CLUSTER_AUTOTAKEOVER_CONFIG_ALLOWEDRUNDECK_PLUGIN_CLUSTER_AUTOTAKEOVER_DELAY=30RUNDECK_PLUGIN_CLUSTER_AUTOTAKEOVER_SLEEP=30
RUNDECK_PLUGIN_CLUSTER_REMOTEEXECUTION_ENABLED=trueRUNDECK_PLUGIN_CLUSTER_REMOTEEXECUTION_POLICY=RandomRUNDECK_PLUGIN_CLUSTER_REMOTEEXECUTION_PREFERREDTAGS=*RUNDECK_PLUGIN_CLUSTER_REMOTEEXECUTION_ACTIVEONLY=true
RUNDECK_PLUGIN_CLUSTER_RECOVEREXECUTIONS_ENABLED=trueRUNDECK_PLUGIN_CLUSTER_RECOVEREXECUTIONS_POLICY=AnyRUNDECK_PLUGIN_CLUSTER_RECOVEREXECUTIONS_DELAY=60RUNDECK_PLUGIN_CLUSTER_RECOVEREXECUTIONS_SLEEP=180
Toggle Remote Abort feature, which forwards an abort request to the cluster member which is processing the Execution (Enabled by default).
RUNDECK_PLUGIN_CLUSTER_REMOTEABORT_ENABLED=false
Execution Log Storage
S3
RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_NAME
Set to com.rundeck.rundeckpro.amazon-s3
RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_BUCKETRUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_REGIONRUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_PATHRUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_AWSACCESSKEYIDRUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_AWSSECRETKEY
Warning
It is recommended to use ec2 instance roles or another credential chain source if possible.
RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_ENDPOINTRUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_PATHSTYLE=falseRUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_ALLOWDELETE