Deploying simian client package


ca...@wildwoodprograms.org

Mar 20, 2013, 2:51:45 PM
to simian-...@googlegroups.com
Hello everyone,

I have Simian working great on one client. I'm now thinking about ways to deploy it to all my clients. I'm thinking that ARD or Meraki would be best for this, but I'm a bit confused as to how the client certificates work. Do I need a unique certificate for each client? Does that mean I'll have to create unique installers for each client? Can't I just deploy the same package to every client? Seems like a lot of work just to get the client installed. Is there a process that makes this easier?

Thanks,
Chris

Justin McWilliams

Mar 20, 2013, 5:53:41 PM
to simian-...@googlegroups.com
Chris,

Within Google, we use Puppet for configuration management, and our
Simian instance just re-uses Puppet's certificates. Simian itself
doesn't have any way of distributing certificates built in. Though
creating unique installers _would_ work, it's obviously an
administrative nightmare and not very secure (certs in an install?).

That said, after certs are initially distributed, Simian is designed
to re-use the /usr/local/simian configs and certs instead of
overwriting them, so you _can_ reuse the same package on every client.

So bootstrapping is the only issue here. If anyone has a script for
deployment of certs using ARD, SSH, or otherwise, we'd be happy to
share it on our project page...

Even though I didn't provide a solution, does this at least help you
move forward?

- Justin

ca...@wildwoodprograms.org

Mar 21, 2013, 11:32:21 AM
to simian-...@googlegroups.com
Thanks Justin,

It does help a little. It looks like I'll have to look into Puppet, as that seems to be the only realistic option right now. I'm certainly not going to create unique installers for each client. I realize the security and reporting issues, but would 2 clients with the same certificate work? I just tried this and it seems to be fine, except Simian only sees 1 client, obviously. Could these 2 clients download the same software update?

Thanks again,
Chris

John Randolph

Mar 21, 2013, 11:36:48 AM
to simian-...@googlegroups.com
On Thu, Mar 21, 2013 at 11:32 AM, <ca...@wildwoodprograms.org> wrote:
> Thanks Justin,
>
> It does help a little. It looks like I'll have to look into puppet as that
> seems to be the only realistic option right now. I'm certainly not going to
> create unique installers for each client. I realize the security and
> reporting issues, but would 2 clients with the same certificate work? I just
> tried this and it seems to be fine, except simian only sees 1 client
> obviously. Could these 2 clients download the same software update?
>
> Thanks again,
> Chris
>

Hi Chris,

Yes, you can probably just share SSL credentials. However, we haven't
tested this; there could be some part of the code where we depend on
unique SSL certs for identity etc.

The wiki gives some shell to copy/paste to package certs for you:
https://code.google.com/p/simian/wiki/SimianAndCertificates

Cheers
John
--
John Randolph -- Google New York

Justin McWilliams

Mar 21, 2013, 12:38:48 PM
to simian-...@googlegroups.com
On Thu, Mar 21, 2013 at 11:32 AM, <ca...@wildwoodprograms.org> wrote:
> Thanks Justin,
>
> It does help a little. It looks like I'll have to look into puppet as that
> seems to be the only realistic option right now. I'm certainly not going to
> create unique installers for each client. I realize the security and
> reporting issues, but would 2 clients with the same certificate work? I just
> tried this and it seems to be fine, except simian only sees 1 client
> obviously. Could these 2 clients download the same software update?

TL;DR: I would definitely not recommend using the same cert on
multiple clients, even though it may work to some extent.

To confirm what John suspected, we definitely do use the cert to
identify hosts. This is why your two hosts show as the same on
Simian. While this may continue to work, reporting will be messed up
(as all clients will update the same Computer object in the database).
Also, it _may_ cause user-facing issues as well; it's possible that
one client reports some state, that state is cached, then used to
inform a decision (manifest generation, for example) for a different
client.

Ben Mabbott

Apr 12, 2013, 7:34:10 PM
to simian-...@googlegroups.com
Just got through with our deployment, and this was definitely the part we wrestled with the most. We don't use Puppet, and were planning to distribute the simian package via ARD, so our goal was to use ARD to distribute the certs as well.

Armed with the procedure on the wiki (https://code.google.com/p/simian/wiki/SimianAndCertificates) and a text file containing all of our client serial numbers, we used the provided scripts to create a tar file for each client based on its serial number. We then placed those on an internal Apache server for distribution. Now we just needed a shell script we could send out with ARD that would grab the tar file for a particular client and unpack it. Since we keyed off of the serial number to name the tar files, we needed our script to look up the serial number of the client. Fortunately we were also planning to distribute Puppet's Facter package (https://puppetlabs.com/puppet/related-projects/facter/), which Simian can use to look up attributes such as the hostname, so that they don't need to be included in the config file installed on each client. Facter can also easily produce the client's serial number. So, here's what we ended up with:

#!/bin/bash

# Name of this client's cert bundle, keyed off the serial number Facter reports.
host="$(facter sp_serial_number).tgz"

# The tar files were built relative to /private, so unpack them there.
cd /private || exit 1

# Fetch the bundle and unpack it in place; -f makes curl fail on HTTP errors
# rather than piping an error page into tar.
curl -f "http://path/to/certs/$host" | tar zxv

Note that this is not terribly secure; the certs are sitting out there for anyone on our network who knows where to look. If that's a concern for you, you might want to look at using something like scp instead of plain old HTTP.

Going forward, we're including the Simian and Facter packages in our images, as they aren't client specific. The script to grab the certs gets run post-image, and we're in business.

-Ben
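A hardened variant of the bootstrap script above, added here as an example rather than Ben's own script. It keeps the same design (one <serial>.tgz per client, fetched by the serial Facter reports, unpacked relative to /private) but validates the serial before building a URL or filename, refuses archives with absolute or `..` paths, restricts the delivered files to root, and removes the local copy of the tar once installed. CERT_BASE_URL is a placeholder host, and the bundle layout is assumed to be relative to CERT_ROOT as the wiki tars are.

```shell
#!/bin/bash
# Hardened version of the ARD cert-bootstrap script from this thread (added
# example, not the original poster's). Assumes each client's bundle is named
# <serial>.tgz, served over HTTPS from CERT_BASE_URL (placeholder host), and
# unpacks relative to CERT_ROOT (/private in the thread).
set -eu

CERT_BASE_URL="${CERT_BASE_URL:-https://certs.example.invalid/certs}"  # placeholder
CERT_ROOT="${CERT_ROOT:-/private}"

# Accept only serials that are safe to embed in a URL or filename.
valid_serial() {
  case "$1" in
    ''|*[!A-Za-z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Reject an archive that would write outside CERT_ROOT (absolute paths or '..').
safe_archive() {
  local listing
  listing="$(tar tzf "$1")" || return 1
  ! printf '%s\n' "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Extract a local bundle into the cert root and make the delivered files root-only.
install_bundle() {
  local bundle="$1" root="$2" f
  safe_archive "$bundle" || { echo "unsafe paths in $bundle" >&2; return 1; }
  tar xzf "$bundle" -C "$root"
  tar tzf "$bundle" | while IFS= read -r f; do
    if [ -f "$root/$f" ]; then chmod 600 "$root/$f"; fi
  done
}

# Fetch this client's bundle by serial number and install it.
bootstrap() {
  local serial="$1" tmp
  valid_serial "$serial" || { echo "bad serial: $serial" >&2; return 1; }
  tmp="$(mktemp)"
  # -f makes curl fail on HTTP errors instead of feeding an error page to tar.
  curl -fsS -o "$tmp" "$CERT_BASE_URL/$serial.tgz"
  install_bundle "$tmp" "$CERT_ROOT"
  rm -f "$tmp"   # no second copy of the certs left lying around
}

# Real run (as root, pushed via ARD): ./bootstrap.sh --run
if [ "${1:-}" = "--run" ]; then
  bootstrap "$(facter sp_serial_number)"
fi
```

The server-side tar files still need to be removed once each client has fetched its bundle, as suggested later in the thread; this script only cleans up the client-side copy.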

Justin McWilliams

Apr 13, 2013, 2:34:09 PM
to simian-...@googlegroups.com
Thanks for sharing your progress with us, Ben! I'm glad you figured out a way to deploy the client and certs to your machines. I'm guessing one cannot directory-list /path/to/certs/, so in order to obtain a tar you'd still need to know a valid serial number. Still, I'd highly suggest deleting the tar files after clients have downloaded their certs, but it sounds like you're already aware of the security issues around this.

Let us know how Simian works for you, after a bit of real-world use. We're hoping to release a new version soon, which has an administrative UI for the recent Munki functionality of installing Apple Updates in the background or setting force_install_after_date. We have this working internally, so it's just a matter of polishing it and open-sourcing.

- Justin