There are two possible ways to do it:
1. [Recommended] - Provision a fresh agent during the instance provisioning
Do *not* include the agent as part of the 'gold image'. Instead, just add a script to the server post provisioning which will install the agent, assign its name and its chosen policy (Dome9 Security Group). Use Chef, Puppet or AWS User Data for that...
This is basically the same command line that you generate during the manual add server process:
wget -q -O - 'https://secure.dome9.com/download/linuxinstallscript?pairkey=<MY PAIRING KEY>&secgroups=<MYSG>&servername=<MY_SERVER_NAME>' | sh
Consider this user data script:
#!/bin/sh
echo "auto installing dome9 agent"
name=`wget -qO- http://169.254.169.254/latest/meta-data/instance-id`
wget -q -O - "https://secure.dome9.com/download/linuxinstallscript?pairkey=<MY PAIRING KEY>&secgroups=<MY_SG>&servername=$name" | sh >> /var/log/d9_auto_install.log
Note that we have used double quotes instead of single quotes around the wget URL, so that the shell expands the $name variable before the request is sent.
Also note that in this example I have used the instance-id from the metadata. Alternatively you can choose the hostname.
You can even append some prefix in order to make the name more meaningful:
name="MY_PREFIX_`wget -qO- http://169.254.169.254/latest/meta-data/hostname`"
Some customers prefer to place this script in the /etc/rc.local initialization script. This is fine, because the install script detects that the agent is already installed and, in that case, performs an upgrade instead of a fresh installation (on every system reboot).
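The following is an added example of how the user-data script above can be written so that the pieces are testable on their own; it is not Dome9's own script. It derives the server name from the instance metadata (with a hostname fallback and an optional prefix, as described above), strips characters that are not URL-safe from the name, refuses to run while the pairing-key or security-group placeholders are still unfilled, and only performs the actual download when invoked with --run. The placeholder values, the MY_PREFIX_ prefix, the helper function names and the 2-second metadata timeout are assumptions for this example.

```shell
#!/bin/sh
# Added example, not Dome9's own installer: build the agent install URL from
# the pairing key, security group and a name derived from EC2 metadata.

# IMDS endpoint (only reachable from inside an EC2 instance).
D9_METADATA=http://169.254.169.254/latest/meta-data

# fetch_metadata PATH: print the metadata value, or nothing on a non-EC2 host.
# The short timeout keeps the script from hanging outside AWS.
fetch_metadata() {
    wget -qO- -T 2 -t 1 "$D9_METADATA/$1" 2>/dev/null
}

# derive_name PREFIX INSTANCE_ID HOSTNAME
# Prefer the instance id; fall back to the hostname when the id is empty.
# Only keep characters that are safe in a URL query parameter.
derive_name() {
    prefix=$1; iid=$2; host=$3
    if [ -n "$iid" ]; then
        raw="$prefix$iid"
    elif [ -n "$host" ]; then
        raw="$prefix$host"
    else
        return 1
    fi
    printf '%s\n' "$(printf '%s' "$raw" | tr -cd 'A-Za-z0-9._-')"
}

# build_install_url PAIRKEY SECGROUPS SERVERNAME
# Fails if any '<PLACEHOLDER>' was left unfilled, so a half-edited script
# never sends a bogus request.
build_install_url() {
    pairkey=$1; sg=$2; name=$3
    case "$pairkey$sg$name" in
        *'<'*|*'>'*) echo "build_install_url: placeholder not filled in" >&2; return 1 ;;
    esac
    printf 'https://secure.dome9.com/download/linuxinstallscript?pairkey=%s&secgroups=%s&servername=%s\n' \
        "$pairkey" "$sg" "$name"
}

# install_agent: the actual user-data action; writes a log like the original.
install_agent() {
    D9_PAIRKEY="<MY PAIRING KEY>"   # placeholder, assumed to be filled in
    D9_SECGROUPS="<MY_SG>"          # placeholder, assumed to be filled in
    name=$(derive_name "MY_PREFIX_" "$(fetch_metadata instance-id)" "$(fetch_metadata hostname)") \
        || { echo "could not derive a server name" >&2; return 1; }
    url=$(build_install_url "$D9_PAIRKEY" "$D9_SECGROUPS" "$name") || return 1
    echo "auto installing dome9 agent as $name" >> /var/log/d9_auto_install.log
    wget -q -O - "$url" | sh >> /var/log/d9_auto_install.log 2>&1
}

# Only run the installer when explicitly asked, so the functions can be sourced.
case "${1:-}" in
    --run) install_agent ;;
esac
```

Run it as user data with `--run` appended to the interpreter line (or call install_agent from rc.local); without the flag it only defines the functions, which is what makes it safe to source for a dry check.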
This is a PowerShell script that should be executed on the target Windows machine.
You need to fill in two placeholders: D9_PAIRKEY and D9_SECGROUPS.
If you are running on AWS you can push this script as part of the 'User Data' when launching the instance. Just make sure to put it inside <powershell> </powershell> tags to signal to AWS that this is a PowerShell script that needs to be run.
2. [Obsolete, not recommended] - Cloning a machine with an active paired agent
Important!!! Shut down the Dome9 Agent before cloning (Windows: go to Services and stop the Dome9 agent service. Linux: run sudo dome9d stop).
Why? Some service providers require connectivity to the instance during the provisioning process (this is especially relevant for Windows servers on AWS). Servers with hardened firewall policies might fail to launch. This is not a Dome9-specific issue, but the Dome9 agent usually enforces very strict firewall policies.
After the Dome9 agent is down (and emergency policy / backup FW policy is applied) you can clone the machine with the agent.
The agent will start automatically on the new machines.
In this case all servers will share the same identity in the Dome9 system. This will work for basic use-cases (servers will get firewall policies) but will limit other functionality (server accessibility detection, quick access leases (using push technology), File Integrity Monitoring and some future functionality).
If you plan to retire the old server, simply uninstall the agent from the old server prior to deleting it. Do not delete the agent from the Dome9 GUI.
If you plan to keep both servers, we recommend resetting the agent on the new server and giving it a new identity. To do that:
sudo dome9d stop
sudo rm /var/lib/dome9/run.conf
sudo rm /var/lib/dome9/client.pem
Now, pair the blank agent with:
sudo dome9d pair -k your_customer_pairing_key