Deploy at Scale

Deploy the LinuxGuard agent at scale using configuration-management tools and cloud-init mechanisms across Ansible, Chef, Puppet, AWS, GCP, and Azure.

Deploying LinuxGuard at scale requires automation — scripts or configuration management tools that install and enroll agents without manual intervention on each host. Two cross-cutting concerns apply regardless of which tool you use: idempotency (the deployment is safe to run multiple times without side effects) and secrets management (API keys and tenant IDs are never hardcoded in scripts or version control).

What's in this section

  • Deploy with Ansible — Deploy the LinuxGuard agent to a fleet of Linux hosts using an Ansible role with Vault-encrypted credentials and idempotent enrollment.

  • Deploy with Chef — Deploy the LinuxGuard agent at scale using a Chef cookbook with chef-vault credentials and idempotent enroll resource.

  • Deploy with Puppet — Deploy the LinuxGuard agent at scale using a Puppet module with Hiera eyaml credentials and idempotent enroll exec.

  • Deploy with AWS EC2 User-Data — Provision the LinuxGuard agent on AWS EC2 instances at launch using user-data scripts and AWS Secrets Manager.

  • Deploy with GCP Startup Script — Provision the LinuxGuard agent on Google Compute Engine instances using startup-script metadata and Secret Manager.

  • Deploy with Azure — Provision the LinuxGuard agent on Azure Virtual Machines using cloud-init or Custom Script Extension with Key Vault credentials.

Choosing a Deployment Method

Select the deployment method that fits your existing infrastructure and tooling:

Tool | Best for | Secrets pattern | Idempotency mechanism
---- | -------- | --------------- | ---------------------
Ansible | Existing Ansible inventory, mixed environments | Ansible Vault (encrypt_string) | args: creates: file guard on enroll task
Chef | Existing Chef infrastructure with Chef Infra Server | chef-vault | not_if file guard on enroll resource
Puppet | Existing Puppet infrastructure with PuppetDB | Hiera with eyaml encryption | unless file guard on enroll exec
AWS EC2 User-Data | EC2 instances launched via Auto Scaling or CloudFormation | IAM instance profile + Secrets Manager | Agent built-in guard (user-data runs once on launch)
GCP Startup Script | Compute Engine VMs in GCP projects | Service account + Secret Manager | Explicit file guard required (startup scripts run on every boot)
Azure cloud-init / CSE | Azure VMs, including VMSS and ARM template deployments | Managed Identity + Key Vault | Agent built-in guard

Where to start: Already using a configuration management platform? Start with Ansible, Chef, or Puppet. Deploying new cloud VMs? Use your cloud provider's native script method: AWS, GCP, or Azure.

Enrollment Idempotency

The linuxguard-agent enroll command is safe to run on a server that is already enrolled. When it runs, it first checks the agent's existing configuration: if /var/lib/linuxguard/config exists and contains a valid server ID, it prints "Server is already enrolled" and exits with code 0 without creating a second enrollment.

The config file is written only on successful enrollment, so a failed attempt leaves no file behind and the next run retries. Its existence is therefore the enrollment indicator that the configuration management guards test.

Note: The cloud scripts (AWS, GCP, Azure) rely on the agent's built-in check as the primary protection against duplicate enrollment; GCP startup scripts, which run on every boot, add an explicit file guard as well so the agent is not invoked at all on reboots. The CM tools (Ansible, Chef, Puppet) test for /var/lib/linuxguard/config in their task or resource guard (creates:, not_if, unless), so a converged host reports no spurious "changed" result when the agent is already enrolled.
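The file guard described above, written out as a boot-time shell wrapper. This is an added example, not LinuxGuard's own code or part of any of the deployment guides: it treats /var/lib/linuxguard/config as the guard exactly as the CM roles do, runs the enroll command only when the file is absent, and passes the enroll command's exit status through on failure so that no guard file is left behind and the next boot retries. The enroll flag names (--api-key, --tenant-id) and the secret names in the provider CLI calls are assumptions; use the ones from the Installation guide and your own secret store.

```shell
#!/bin/sh
# Added example (not LinuxGuard's own code): idempotent enroll wrapper for
# boot-time scripts that re-run on every boot, such as a GCP startup-script.
# The guard is the file the agent writes only after a successful enrollment.
set -eu

LINUXGUARD_CONFIG="${LINUXGUARD_CONFIG:-/var/lib/linuxguard/config}"

# already_enrolled CONFIG_PATH
# Same test the CM guards use: the config file exists. (The agent's own
# built-in check additionally validates the server ID stored inside it.)
already_enrolled() {
  [ -f "$1" ]
}

# enroll_once CONFIG_PATH ENROLL_CMD [ARGS...]
# Runs ENROLL_CMD only when CONFIG_PATH is absent. Prints "skipped" or
# "enrolled" so a caller can tell which path was taken. Returns 0 on skip or
# success (a reboot must not fail the startup script); on failure it returns
# the enroll command's status and leaves no guard file, so the next boot retries.
enroll_once() {
  guard_file="$1"; shift
  if [ "$#" -eq 0 ]; then
    echo "enroll_once: no enroll command given" >&2
    return 2
  fi
  if already_enrolled "$guard_file"; then
    echo "skipped"
    return 0
  fi
  "$@" || {
    status=$?
    echo "enroll_once: enrollment failed (status $status), will retry next boot" >&2
    return "$status"
  }
  echo "enrolled"
}

# Real use at boot (flag names are hypothetical; use the Installation guide's).
# Fetch the credentials from the platform secret store at run time instead of
# baking them into the script or the image; the secret names below are assumed:
#
#   API_KEY="$(gcloud secrets versions access latest --secret=linuxguard-api-key)"
#   enroll_once "$LINUXGUARD_CONFIG" linuxguard-agent enroll --api-key "$API_KEY" --tenant-id "$TENANT_ID"
#
# Equivalent fetches on the other providers:
#   aws secretsmanager get-secret-value --secret-id linuxguard-api-key --query SecretString --output text
#   az keyvault secret show --vault-name <vault> --name linuxguard-api-key --query value -o tsv
```

Because the guard file is only created by a successful enroll, the wrapper needs no state of its own: a host that failed to enroll on its first boot (secret store unreachable, package mirror down) simply retries on the next one. One caveat when wiring in the real command: an API key passed as a command-line argument is visible to other local users in the process list for the duration of the call, so if the agent accepts the key through an environment variable or a file, prefer that over a flag.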

Prerequisites

  • A LinuxGuard API key and tenant ID (from the LinuxGuard console)

  • Network access from target hosts to packages.linuxguard.io for installation

  • Tool-specific prerequisites are documented in each individual guide


Related: Installation | Deploy with Ansible | Deploy with AWS EC2 User-Data | Deploy with GCP Startup Script | Deploy with Azure | Deploy with Chef | Deploy with Puppet