Autoscale / Migrate / Move / Clone / Auto Provision Instances with Dome9 Agents

    There are two possible ways to provision instances that run the Dome9 agent:

    1. [Recommended] - Provision a fresh agent during instance provisioning

    Do *not* include the agent in the 'gold image'. Instead, add a post-provisioning script to the server that installs the agent, assigns its name and its chosen policy (Dome9 Security Group). Use Chef, Puppet or AWS User Data for that.

    Linux server -

    This is essentially the same command line that the manual add-server process generates:

    wget -q -O - 'https://secure.dome9.com/download/linuxinstallscript?pairkey=<MY PAIRING KEY>&secgroups=<MYSG>&servername=<MY_SERVER_NAME>' | sh

    On AWS you can use the user data to run this script when the instance is provisioned, and the metadata service to give the agent a meaningful, dynamic name.

    Consider this user data script:

    #!/bin/sh
    # Installs the Dome9 agent at first boot, naming it after the EC2 instance id
    echo "auto installing dome9 agent"
    # Instance id from the EC2 metadata service, used as the agent's server name
    name=`wget -qO- http://169.254.169.254/latest/meta-data/instance-id`
    # Double quotes so $name is expanded; output is appended to a log for troubleshooting
    wget -q -O - "https://secure.dome9.com/download/linuxinstallscript?pairkey=<MY PAIRING KEY>&secgroups=<MY_SG>&servername=$name" | sh >> /var/log/d9_auto_install.log

    Note that double quotes are used instead of single quotes around the wget URL, so that the shell expands the name parameter.

    Also note that in this example I have used the instance-id from the metadata. Alternatively, you can use the hostname.

    You can also prepend a prefix to make the name more meaningful:

    name="MY_PREFIX_`wget -qO- http://169.254.169.254/latest/meta-data/hostname`"

    Some customers prefer to place this script in the /etc/rc.local initialization script. This is fine, because the install script detects that the agent is already installed and performs an upgrade instead of a fresh installation (on each system reboot).
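The user-data script above works, but `wget -q -O - ... | sh` hides a failed download (nothing is run and nothing is logged), and a server name containing a space or `&` would corrupt the query string. The following is an added example, not Dome9's own script, that keeps the page's metadata endpoint, install URL and log path but builds the name with a prefix, keeps only URL-safe characters in it, downloads the install script to a file and checks it before running it. The pairing key and security group values are placeholders, and the URL-safe character set is this example's choice rather than a Dome9 naming rule.

```shell
#!/bin/sh
# Added example (not Dome9's own script): guarded first-boot installer.
# Endpoint, install URL and log path are the ones shown on the page;
# PAIRKEY and SECGROUP are placeholders to fill in.

IMDS="http://169.254.169.254/latest/meta-data"
D9_URL="https://secure.dome9.com/download/linuxinstallscript"
LOG=/var/log/d9_auto_install.log
PAIRKEY="<MY PAIRING KEY>"   # placeholder
SECGROUP="<MY_SG>"           # placeholder
PREFIX="MY_PREFIX"

# Keep only characters that are safe unquoted inside a query-string value.
# Anything else (spaces, '&', '=') would break the URL or be read as another
# parameter. This character set is the example's assumption, not a Dome9 rule.
sanitize_name() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._-'
}

# Server name = PREFIX_<metadata value>; falls back to the local hostname when
# the metadata value is empty (e.g. the metadata service did not answer).
build_name() {
    prefix=$1
    meta=$2
    [ -n "$meta" ] || meta=$(hostname)
    sanitize_name "${prefix}_${meta}"
}

# Assemble the install URL from its three query parameters.
build_url() {
    printf '%s?pairkey=%s&secgroups=%s&servername=%s' "$D9_URL" "$1" "$2" "$3"
}

# Read one attribute from the EC2 instance metadata service (same call as the page).
fetch_meta() {
    wget -qO- "$IMDS/$1" 2>/dev/null
}

# Download the install script to a temp file, refuse to run an empty or failed
# download, then execute it with both stdout and stderr captured in the log.
install_agent() {
    url=$1
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url" || [ ! -s "$tmp" ]; then
        echo "$(date) download of the install script failed" >> "$LOG"
        rm -f "$tmp"
        return 1
    fi
    sh "$tmp" >> "$LOG" 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

main() {
    echo "auto installing dome9 agent" >> "$LOG"
    name=$(build_name "$PREFIX" "$(fetch_meta instance-id)")
    install_agent "$(build_url "$PAIRKEY" "$SECGROUP" "$name")"
}

# Run only when invoked with --run, so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Invoke it from user data as `sh /path/to/script --run`; because the install script itself upgrades an already-installed agent, the wrapper is safe to run again from /etc/rc.local on reboot, and a non-zero exit plus a log line tells you when the download, not the agent, was the problem.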

    Windows server -

    This is a PowerShell script that should be executed on the target Windows machine.

    You need to fill in two placeholders: D9_PAIRKEY and D9_SECGROUPS.

    The script:

    # Download the Dome9 Windows installer to a random file name in the temp directory
    $tmpDir = [System.IO.Path]::GetTempPath()
    $filename = [System.IO.Path]::Combine($tmpDir, [System.IO.Path]::GetRandomFileName())
    $webclient = New-Object System.Net.WebClient
    $url = "https://secure.dome9.com/Download/File/WindowsInstaller"
    $webclient.DownloadFile($url, $filename)
    # Give the downloaded file an .exe extension so it can be executed
    $exefilename = [System.IO.Path]::ChangeExtension($filename, ".exe")
    ren $filename $exefilename
    # Silent install (/S) with the pairing key (/k) and security group(s) (/g); fill in both placeholders
    $params = "/S", "/k=<D9_PAIRKEY>", "/g=<D9_SECGROUPS>"
    Invoke-Expression -Command "$exefilename $params"

    If you are running on AWS, you can push this script as part of the 'User Data' when launching the instance. Make sure to wrap it in <powershell> </powershell> tags so that AWS knows it is a PowerShell script that needs to be run.

    2. [Obsolete, not recommended] - Cloning a machine with an active paired agent

    Important!!! Shut down the Dome9 agent before cloning (Windows: open Services and stop the Dome9 agent service. Linux: run sudo dome9d stop).

    Why? Some service providers require connectivity to the instance during the provisioning process (especially relevant for Windows servers on AWS), and servers with hardened firewall policies may fail to launch. This is not a Dome9-specific issue, but the Dome9 agent usually enforces very strict firewall policies.

    Once the Dome9 agent is down (and the emergency policy / backup firewall policy is applied), you can clone the machine with the agent installed.

    The agent will start automatically on the new machines.

    In this case all servers will share the same identity in the Dome9 system. This works for basic use cases (servers will receive firewall policies) but limits other functionality (server accessibility detection, quick-access leases using push technology, File Integrity Monitoring and some future functionality).

    I have already cloned (or moved) a running agent, what should I do?

    If you plan to retire the old server, simply uninstall the agent from the old server before deleting it. Do not delete the agent from the Dome9 GUI.

    If you plan to keep both servers, we recommend resetting the agent on the new server and giving it a new identity. To do that, stop the agent and remove its identity files:

    sudo dome9d stop
    sudo rm /var/lib/dome9/run.conf
    sudo rm /var/lib/dome9/client.pem

    Now, pair the blank agent with:

    sudo dome9d pair -k your_customer_pairing_key