Chapter 8

Quick Reference

In this chapter

<nav id="TableOfContents" aria-label="Chapter sections"> <ul> <li><a href="#file-paths--configuration-locations">File Paths & Configuration Locations</a> <ul> <li><a href="#rundeck-configuration">Rundeck Configuration</a></li> <li><a href="#rundeck-data--runtime">Rundeck Data & Runtime</a></li> <li><a href="#log-files">Log Files</a></li> <li><a href="#apache--ssl">Apache / SSL</a></li> <li><a href="#mariadb">MariaDB</a></li> </ul> </li> <li><a href="#port-reference">Port Reference</a></li> <li><a href="#essential-commands">Essential Commands</a> <ul> <li><a href="#service-management">Service Management</a></li> <li><a href="#log-inspection">Log Inspection</a></li> <li><a href="#rundeck-cli-rd">Rundeck CLI (rd)</a></li> <li><a href="#database-backup">Database Backup</a></li> <li><a href="#ansible-troubleshooting">Ansible Troubleshooting</a></li> <li><a href="#selinux">SELinux</a></li> <li><a href="#ssl-certificate">SSL Certificate</a></li> </ul> </li> <li><a href="#vault-variable-reference">Vault Variable Reference</a></li> <li><a href="#useful-api-endpoints">Useful API Endpoints</a></li> <li><a href="#official-documentation-links">Official Documentation Links</a></li> </ul> </nav>

What you’ll accomplish: Have a single reference page for every file path, port, command, and configuration location in your Rundeck deployment — the page you’ll bookmark and come back to.

File Paths & Configuration Locations

Rundeck Configuration

File	Path	Purpose
Main config	`/etc/rundeck/rundeck-config.properties`	Database connection, server URL, feature flags, encryption
Framework config	`/etc/rundeck/framework.properties`	Server URL, port, SSH defaults
Local users	`/etc/rundeck/realm.properties`	Username/password/role definitions
Auth modules	`/etc/rundeck/jaas-loginmodule.conf`	Authentication chain (local file, LDAP)
JVM options	`/etc/sysconfig/rundeckd`	Heap size, LDAP flags, SSL flags
Logging config	`/etc/rundeck/log4j2.properties`	Log levels and appender configuration
Admin ACL	`/etc/rundeck/admin.aclpolicy`	Default admin access policy
Custom ACL	`/etc/rundeck/operators.aclpolicy`	Operator role access policy
SSL keystore	`/etc/rundeck/ssl/ssl.properties`	Keystore/truststore paths (direct SSL only)

Rundeck Data & Runtime

Path	Contents
`/var/lib/rundeck/`	Runtime home directory
`/var/lib/rundeck/lib/`	JDBC driver JARs (MariaDB JDBC connector)
`/var/lib/rundeck/libext/`	Plugin JARs (Ansible plugin)
`/var/lib/rundeck/logs/`	Job execution output logs
`/var/lib/rundeck/projects/`	Project-level configuration and resources
`/var/lib/rundeck/.ssh/`	SSH keys for the rundeck user
`/var/lib/rundeck/inventory/`	Ansible inventory files
`/var/lib/rundeck/.ansible.cfg`	Ansible config for the rundeck user

Log Files

Path	Contents
`/var/log/rundeck/service.log`	Main application log
`/var/log/rundeck/rundeck.api.log`	API request log
`/var/log/rundeck/rundeck.audit.log`	Audit trail (who did what)
`/var/log/httpd/error_log`	Apache reverse proxy errors
`/var/log/httpd/access_log`	Apache request log

Apache / SSL

Path	Purpose
`/etc/httpd/conf.d/rundeck-proxy.conf`	Reverse proxy virtual host
`/etc/pki/tls/certs/rundeck.example.com.crt`	SSL certificate
`/etc/pki/tls/private/rundeck.example.com.key`	SSL private key

MariaDB

Path	Purpose
`/etc/my.cnf.d/rundeck.cnf`	Tuned MariaDB config for Rundeck
`/var/lib/mysql/`	Database data files

Port Reference

Port	Protocol	Direction	Service	Notes
443	TCP	Inbound	Apache httpd (HTTPS)	User-facing; SSL termination
4440	TCP	Loopback	Rundeck HTTP	Internal only; Apache proxies to this
4443	TCP	Loopback	Rundeck HTTPS (direct SSL)	Only if not using reverse proxy
3306	TCP	Loopback	MariaDB	Bind to 127.0.0.1; loopback only
22	TCP	Outbound	SSH	Rundeck to managed nodes

Essential Commands

Service Management

# Rundeck
sudo systemctl start rundeckd
sudo systemctl stop rundeckd
sudo systemctl restart rundeckd
sudo systemctl status rundeckd

# Apache
sudo systemctl restart httpd
sudo systemctl status httpd

# MariaDB
sudo systemctl restart mariadb
sudo systemctl status mariadb

Log Inspection

# Recent Rundeck logs
sudo tail -100 /var/log/rundeck/service.log

# Follow logs in real time
sudo tail -f /var/log/rundeck/service.log

# Systemd journal (startup failures)
sudo journalctl -u rundeckd --since "1 hour ago" --no-pager

# SELinux denials
sudo ausearch -m avc -ts recent

Rundeck CLI (rd)

The rd CLI tool ships with Rundeck and provides command-line access to most operations.

# List projects
rd projects list

# List jobs in a project
rd jobs list -p homelab

# Run a job by name
rd run -p homelab -j "Rolling Service Restart" -- -service_name httpd -delay_seconds 10

# Export a project as an archive
rd projects archives export -p homelab -f homelab-backup.zip

# Import a project archive
rd projects archives import -p homelab -f homelab-backup.zip

# Get system info
rd system info

Database Backup

# Hot backup (no downtime required)
mysqldump --single-transaction -u rundeck -p rundeck_db > rundeck_backup_$(date +%Y%m%d).sql

# Restore from backup
mysql -u rundeck -p rundeck_db < rundeck_backup_20260306.sql

Ansible Troubleshooting

# Test inventory as the rundeck user
sudo -u rundeck ansible-inventory --list -i /var/lib/rundeck/inventory/hosts.yml

# Test connectivity to all nodes
sudo -u rundeck ansible all -i /var/lib/rundeck/inventory/hosts.yml -m ping

# Test SSH to a specific node
sudo -u rundeck ssh 192.168.1.51 hostname

# Check Ansible version
sudo -u rundeck ansible --version

SELinux

# Check the critical boolean
getsebool httpd_can_network_connect

# Enable it persistently
sudo setsebool -P httpd_can_network_connect on

# Check enforcement mode
getenforce

# Decode recent denials
sudo ausearch -m avc -ts recent | audit2why

SSL Certificate

# Check certificate expiration
openssl x509 -in /etc/pki/tls/certs/rundeck.example.com.crt -noout -dates

# Verify certificate matches key
openssl x509 -in /etc/pki/tls/certs/rundeck.example.com.crt -noout -modulus | md5sum
openssl rsa -in /etc/pki/tls/private/rundeck.example.com.key -noout -modulus | md5sum
# Both md5sums must match

Vault Variable Reference

Every secret used by the bundled Ansible playbook is stored in Ansible Vault. Here’s the complete list.

Variable	Purpose	Used By
`vault_rundeck_mysql_root_password`	MariaDB root password	`mysql` role (secure installation, DB creation)
`vault_rundeck_db_password`	Rundeck database user password	`mysql` role (user creation), `rundeck` role (datasource config)
`vault_rundeck_ssl_keystore_password`	Java keystore password (direct SSL only)	`rundeck` role (keystore creation, `ssl.properties`)
`vault_rundeck_storage_encryption_password`	Jasypt encryption password for key storage	`rundeck` role (`rundeck-config.properties`)
`vault_rundeck_admin_password`	Rundeck admin account password	`rundeck` role (`realm.properties`)
`vault_rundeck_ldap_bind_user`	LDAP bind DN (optional)	`rundeck` role (JAAS config)
`vault_rundeck_ldap_bind_password`	LDAP bind password (optional)	`rundeck` role (JAAS config)

Useful API Endpoints

All endpoints require authentication via X-Rundeck-Auth-Token header or session cookie. API version 14+ is recommended.

Endpoint	Method	Purpose
`/api/14/system/info`	GET	System version, health, uptime
`/api/14/project/{project}/jobs`	GET	List all jobs in a project
`/api/14/job/{id}/run`	POST	Execute a job (accepts JSON options)
`/api/14/execution/{id}`	GET	Get execution status and details
`/api/14/execution/{id}/output`	GET	Get execution log output
`/api/14/project/{project}/resources`	GET	List nodes in a project
`/api/14/tokens`	GET	List API tokens (admin only)
`/api/14/project/{project}/export`	GET	Export project as archive

Official Documentation Links

Want the automation code? Get the production-ready Ansible playbooks that deploy everything in this guide in ~10 minutes.

Get Playbooks — $14