Install Rundeck on Ubuntu 24.04 / Debian 13

Rundeck is an open-source runbook automation and job scheduling platform that gives operations teams a single place to define, build, and safely hand off procedures. It connects to remote nodes over SSH or WinRM, runs commands or scripts across them, and logs every execution for audit purposes. Rundeck is maintained by PagerDuty and available in both a free Community edition and a commercial Enterprise edition.

Original content from computingforgeeks.com - post 4680

This guide walks through installing Rundeck 5.x on Ubuntu 24.04 LTS or Debian 13 from the official package repository. We cover Java setup, core configuration, firewall rules, LDAP authentication, remote node management, and an Nginx reverse proxy with SSL termination.

Prerequisites

Before starting, make sure the following requirements are met:

• A server running Ubuntu 24.04 LTS or Debian 13 with at least 4GB RAM (8GB recommended for production)
• Root or sudo access
• A DNS name or static IP pointing to the server
• Port 4440/TCP open for the Rundeck web UI
• Port 22/TCP open for SSH access to managed nodes

Step 1: Install Java on Ubuntu 24.04 / Debian 13

Rundeck requires Java 11 or Java 17 runtime. The project recommends Azul Zulu OpenJDK, but the default OpenJDK packages from Ubuntu/Debian repositories work fine. Install OpenJDK 17 with the following command:

sudo apt update && sudo apt install -y openjdk-17-jre-headless

After installation completes, verify the Java version:

java -version

The output should confirm OpenJDK 17 is active:

openjdk version "17.0.14" 2025-01-21
OpenJDK Runtime Environment (build 17.0.14+7-Ubuntu-124.04)
OpenJDK 64-Bit Server VM (build 17.0.14+7-Ubuntu-124.04, mixed mode, sharing)

Step 2: Install Rundeck from Official Repository

Rundeck provides an official Debian/Ubuntu repository managed through packagecloud. The fastest way to set it up is with their bootstrap script, which imports the GPG key and creates the repository file in one step.

Run the repository setup script:

curl https://raw.githubusercontent.com/rundeck/packaging/main/scripts/deb-setup.sh 2> /dev/null | sudo bash -s rundeck

If you prefer to configure the repository manually, import the GPG key and add the repository source:

curl -L https://packages.rundeck.com/pagerduty/rundeck/gpgkey | sudo apt-key add -

Create the repository file:

sudo vi /etc/apt/sources.list.d/rundeck.list

Add the following lines:

deb https://packages.rundeck.com/pagerduty/rundeck/any/ any main
deb-src https://packages.rundeck.com/pagerduty/rundeck/any/ any main

Now install Rundeck:

sudo apt update
sudo apt install -y rundeck

Verify the installed version:

dpkg -l rundeck | grep rundeck

You should see the Rundeck package listed with version 5.x:

ii  rundeck   5.19.0-20260203   all   Rundeck - Job Scheduler and Runbook Automation

Step 3: Configure Rundeck

Rundeck stores its configuration in two main files under /etc/rundeck/. The first is rundeck-config.properties which controls the application settings, and the second is framework.properties which defines the server identity and connection defaults. Refer to the official Rundeck documentation for the full list of configuration options.

Configure rundeck-config.properties

Open the main configuration file:

sudo vi /etc/rundeck/rundeck-config.properties

Update grails.serverURL to match your server’s hostname or IP address. Replace rundeck.example.com with your actual domain or server IP:

# Base URL for the Rundeck web application
grails.serverURL=http://rundeck.example.com:4440

# Database configuration (default uses H2 embedded database)
# For production, switch to MySQL or PostgreSQL:
# dataSource.driverClassName = org.mariadb.jdbc.Driver
# dataSource.url = jdbc:mysql://localhost/rundeck?autoReconnect=true&useSSL=false
# dataSource.username = rundeck
# dataSource.password = rundeck_password

# Session timeout in seconds (default 3600 = 1 hour)
server.servlet.session.timeout=3600

The grails.serverURL value is critical – Rundeck uses it for generating links in emails, webhooks, and API responses. It must match the URL users type in their browser.

Configure framework.properties

Open the framework configuration file:

sudo vi /etc/rundeck/framework.properties

Update the server identity settings to match your hostname:

# Server identity
framework.server.name = rundeck.example.com
framework.server.hostname = rundeck.example.com
framework.server.port = 4440
framework.server.url = http://rundeck.example.com:4440

# SSH defaults for remote node execution
framework.ssh.keypath = /var/lib/rundeck/.ssh/id_rsa
framework.ssh.user = rundeck

# Logging level
framework.log.dispatch.console.format = %-5p %c{1}: %m%n

Make sure framework.server.url matches the grails.serverURL value you set earlier.

Step 4: Start and Enable Rundeck Service

Reload the systemd daemon, then start and enable the Rundeck service so it survives reboots:

sudo systemctl daemon-reload
sudo systemctl enable --now rundeckd

Rundeck takes 30-60 seconds to fully start on first boot. Check the service status:

sudo systemctl status rundeckd

The output should show the service as active and running:

● rundeckd.service - Rundeck Server
     Loaded: loaded (/etc/systemd/system/rundeckd.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-03-22 10:15:32 UTC; 30s ago
   Main PID: 12345 (java)
      Tasks: 45 (limit: 4915)
     Memory: 512.0M
        CPU: 28.432s
     CGroup: /system.slice/rundeckd.service
             └─12345 java -Drundeck.jaaslogin=true ...

You can also watch the startup log to confirm Rundeck is ready to accept connections:

sudo tail -f /var/log/rundeck/service.log

Wait until you see the “Started Application” message before accessing the web UI.

Step 5: Access the Rundeck Web Interface

Once the service is running, open your browser and navigate to your server’s address on port 4440:

http://your-server-ip:4440

Log in with the default credentials:

• Username: admin
• Password: admin

Change the default admin password immediately after the first login. To update it from the command line, edit the realm properties file:

sudo vi /etc/rundeck/realm.properties

Find the admin line and change the password:

# Format: username:password,role1,role2
admin:YourStrongPassword,user,admin,architect,deploy,build

Restart the Rundeck service after changing the password:

sudo systemctl restart rundeckd

Step 6: Add Remote Nodes to Rundeck

Rundeck manages remote servers (called nodes) through SSH. To add nodes, you first need to generate an SSH key pair for the rundeck user and distribute the public key to each target server.

Generate an SSH key for the rundeck service account:

sudo -u rundeck ssh-keygen -t ed25519 -f /var/lib/rundeck/.ssh/id_ed25519 -N ""

Copy the public key to each remote node you want to manage. Replace 10.0.1.10 with the actual IP of your target server:

sudo -u rundeck ssh-copy-id -i /var/lib/rundeck/.ssh/id_ed25519.pub [email protected]

If you generated an ed25519 key, update the SSH key path in /etc/rundeck/framework.properties:

framework.ssh.keypath = /var/lib/rundeck/.ssh/id_ed25519

Next, define remote nodes in a resource model file. Rundeck reads node definitions from XML or YAML files. Edit the default resources file for your project:

sudo vi /var/lib/rundeck/projects/MyProject/etc/resources.xml

Add node entries for your remote servers:

<?xml version="1.0" encoding="UTF-8"?>
<project>
  <node name="web-server-01"
        hostname="10.0.1.10"
        username="deploy"
        description="Web application server"
        tags="web,production"
        osFamily="unix"
        osName="Linux" />

  <node name="db-server-01"
        hostname="10.0.1.20"
        username="deploy"
        description="Database server"
        tags="database,production"
        osFamily="unix"
        osName="Linux" />
</project>

Verify connectivity to the remote node by running a test command from the Rundeck server:

sudo -u rundeck ssh -i /var/lib/rundeck/.ssh/id_ed25519 [email protected] hostname

Step 7: Create and Run Rundeck Jobs

Jobs are the core of Rundeck – they define what commands or scripts to run, on which nodes, and on what schedule. You can create jobs through the web UI or by importing YAML/XML definitions.

To create a job via the web interface:

• Log into the Rundeck web UI and select or create a project
• Click Jobs in the left sidebar, then Create a New Job
• Give the job a name and optional description
• Under Workflow, add steps – choose “Command” for simple commands or “Script” for multi-line scripts
• Under Nodes, select which nodes should execute the job (filter by tags, hostname, or OS)
• Optionally set a Schedule using cron syntax for recurring execution
• Click Create to save the job

You can also define jobs as YAML files and import them. Here is an example job definition that checks disk usage on all production servers:

- defaultTab: nodes
  description: Check disk usage on production servers
  executionEnabled: true
  name: Check Disk Usage
  nodeFilterEditable: false
  nodefilters:
    filter: 'tags: production'
  sequence:
    commands:
    - exec: df -h --output=source,pcent,target | grep -v tmpfs
    keepgoing: false
    strategy: node-first
  schedule:
    month: '*'
    time:
      hour: '08'
      minute: '00'
      seconds: '0'
    weekday:
      day: '*'
    year: '*'

Import the job file from the command line using the Rundeck CLI (rd):

rd jobs load -p MyProject -f check-disk-usage.yaml -F yaml

Step 8: Configure LDAP/Active Directory Authentication

For production environments, you should integrate Rundeck with your existing LDAP or Active Directory server instead of relying on the flat-file realm.properties. Rundeck uses JAAS (Java Authentication and Authorization Service) for this.

Edit the JAAS login configuration file:

sudo vi /etc/rundeck/jaas-loginmodule.conf

Replace the default PropertyFileLoginModule with an LDAP module. Here is an example for Active Directory:

RDpropertyfilelogin {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://dc01.example.com:389"
    bindDn="CN=rundeck-svc,OU=Service Accounts,DC=example,DC=com"
    bindPassword="ServiceAccountPassword"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Users,DC=example,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Groups,DC=example,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    supplementalRoles="user"
    nestedGroups="true";
};

For OpenLDAP, the main differences are the attribute names. Use uid instead of sAMAccountName for userRdnAttribute and userIdAttribute, and groupOfNames or posixGroup for roleObjectClass.

After saving the JAAS configuration, map LDAP groups to Rundeck roles by editing the ACL policies. Create or edit a policy file:

sudo vi /etc/rundeck/rundeck-admins.aclpolicy

Add a policy that grants admin access to members of your LDAP admin group:

description: Admin access for LDAP admins group
context:
  application: 'rundeck'
for:
  project:
    - allow: '*'
  storage:
    - allow: '*'
by:
  group: 'RundeckAdmins'

---
description: Admin access for LDAP admins group (project context)
context:
  project: '.*'
for:
  resource:
    - allow: '*'
  adhoc:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
by:
  group: 'RundeckAdmins'

Restart Rundeck to apply the LDAP configuration:

sudo systemctl restart rundeckd

Step 9: Configure Firewall for Rundeck

Rundeck listens on port 4440 by default. If you have UFW enabled on Ubuntu or Debian, allow the Rundeck port:

sudo ufw allow 4440/tcp comment "Rundeck Web UI"
sudo ufw allow 22/tcp comment "SSH"
sudo ufw reload

Verify the firewall rules are active:

sudo ufw status numbered

You should see port 4440 listed in the allowed rules:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere       # SSH
[ 2] 4440/tcp                   ALLOW IN    Anywhere       # Rundeck Web UI
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)  # SSH
[ 4] 4440/tcp (v6)              ALLOW IN    Anywhere (v6)  # Rundeck Web UI

If you plan to use the Nginx reverse proxy setup in the next step, you can allow port 443 (HTTPS) instead and restrict port 4440 to localhost only.

Step 10: Configure SSL with Nginx Reverse Proxy

Running Rundeck behind an Nginx reverse proxy with SSL termination is the recommended approach for production. This keeps Rundeck listening on localhost while Nginx handles HTTPS traffic from clients.

Install Nginx:

sudo apt install -y nginx

Create a virtual host configuration for Rundeck:

sudo vi /etc/nginx/sites-available/rundeck.conf

Add the following Nginx configuration. Replace rundeck.example.com with your actual domain and update the SSL certificate paths:

upstream rundeck_backend {
    server 127.0.0.1:4440;
}

server {
    listen 80;
    server_name rundeck.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name rundeck.example.com;

    ssl_certificate /etc/ssl/certs/rundeck.example.com.crt;
    ssl_certificate_key /etc/ssl/private/rundeck.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    access_log /var/log/nginx/rundeck-access.log;
    error_log /var/log/nginx/rundeck-error.log;

    location / {
        proxy_pass http://rundeck_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support for Rundeck's execution log streaming
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_read_timeout 600;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
    }
}

Enable the site and test the configuration:

sudo ln -s /etc/nginx/sites-available/rundeck.conf /etc/nginx/sites-enabled/
sudo nginx -t

The test command should confirm the syntax is valid:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

When using a reverse proxy, update Rundeck’s grails.serverURL to use the HTTPS URL:

sudo vi /etc/rundeck/rundeck-config.properties

Change the server URL to your HTTPS domain:

grails.serverURL=https://rundeck.example.com

Also update framework.server.url in /etc/rundeck/framework.properties to match.

Restart both services and update firewall rules:

sudo systemctl restart rundeckd
sudo systemctl enable --now nginx
sudo ufw allow 443/tcp comment "HTTPS"
sudo ufw reload

You can obtain a free SSL certificate using Let’s Encrypt with certbot. After installing certbot, run it against your Nginx configuration to automatically configure SSL.

Conclusion

You now have Rundeck installed and running on Ubuntu 24.04 or Debian 13 with the official repository, ready to manage remote nodes and schedule automated jobs. The LDAP integration and Nginx SSL proxy configuration provide a production-ready authentication and access layer.

For production hardening, switch from the default H2 database to MySQL or PostgreSQL, configure regular backup of the /var/lib/rundeck data directory, set up log rotation for /var/log/rundeck/, and consider Rundeck clustering for high availability.