I would like feedback on our current approach to deal with the following scenario. In vCAC, we must support provisioning 3 versions of Windows Server and 2 versions of RHEL (these VMs are provisioned by cloning OS/version-specific templates). These VMs must have a number of software agents installed on them for antivirus, backups, monitoring, asset management, etc., some of which require subsequent configuration via their associated management servers. In our current automated provisioning approach we split all required tasks into 3 phases like so:
- Pre-provisioning - In the vCAC building machine stub, we have calls to vCO workflows to: pre-create each VM in AD (so that it'll be in a specific container when it joins the domain), and to obtain its static IP and create DNS records via Infoblox.
  - The approach for this phase seems reasonable to us. Any dissenting or alternative comments?
- Provisioning - In each template, the guest customization spec is used to join the computer to the domain, run an embedded script that installs multiple software agents (the installers are also embedded in the templates), and perform OS updates/patching.
  - We are considering the use of a Configuration Management tool, such as Puppet, to manage these servers after they are provisioned. If we adopt Puppet (or a similar tool), would it be advantageous to change our provisioning process to leverage Puppet too (assuming we have the time/ability to do so)? For example, we could remove all of the agent installers and OS patching from this phase and just install the Puppet agent. Then, we could let Puppet do agent installs/configuration and OS patching during the post-provisioning phase. This has appeal from a consistency perspective: if we intend to manage servers with Puppet, why not leverage it as early as possible in the VM lifecycle?
  - Alternatively, we could have vCO workflows do agent installs/configuration and OS patching during the post-provisioning phase.
  - One of my concerns in this phase is whether we are cramming too much into the templates and their customization specs given the possible alternatives. Thoughts?
- Post-provisioning - In the vCAC machine provisioned stub, we have calls to vCO workflows to: call various management servers to configure agents that require it, call an internal system to do a vulnerability scan of the VM, create a record in our CMDB, and to send email notifications to internal support groups.
  - The approach for this phase also seems reasonable to us. Any dissenting or alternative comments?
All comments from the community are welcome. Thanks.