Deploying JSS with Puppet & Vagrant

tscopp
New Contributor

Good Morning Citizens,

I recently had the pleasure of attending the JAMF CJA (highly recommended) and while largely enlightening it occurred to me that the vast majority of configuration tasks required to bring up the JSS could be automated. Being a huge fan of Puppet I set to work developing a module that would ease the deployment of the JSS and enable more efficient testing.

To a large extent this module scratches my own itch. I run JSS services for my team at UC Berkeley and consider any hands-on interaction with my servers or services to be a legitimate bug. Employing a modern toolset (config management [pupppet], revision control [git], continuous integration [jenkins], local development [vagrant]) allows for an entirely congruent configuration and deployment process when developing locally or deploying in production. If there’s interest in our configuration and deployment methodology I’d be more than happy to delve deeper into it.

The initial goal was to create a module that could pass CJA certification. I haven’t quite hit the mark but I’ve made significant progress. At present the puppet-jss module is capable of…

What It Does
- Deploy the JSS webapp in multi-context, clustered or multi-context clustered mode.
- Deploy, configure, and secure(ish) MySQL, create the necessary databases, restricted grants, and users.
- Deploy MySQL and JSS to the same or different hosts and maintain firewalls on all systems.
- Configure the majority of JSS configuration values (full list below).
- Determine as many JSS configuration values dyamically or in accordance with “best practices.”

What It Doesn’t (yet)
- Distribution Points
- Gracefully handle HTTPS
- Allow activation code*

  • Technically the module allows the operator to pass in an activation code however I haven’t yet divined how JAMF populates the user table, leaving you in a running state with no locally configured users. I could scrape and parrot back some static values but that seems hacky and I think I can do better. If anyone can provide guidance here I’d be infinitely appreciative.

In developing this puppet module I’ve also created a development environment and workflow that anyone can check out and use. A single command will result in a locally running JSS (by default @ ${ip}:8080/production) patiently awaiting activation key.

For example:

git clone git@github.com:tscopp/puppet-jss.git
unzip JSSInstallationX.X.zip
cp JSSInstallation/JSS Components/ROOT.war puppet-jss/modules/jss/files/
cd puppet-jss

All in one, multicontext — http://${ip}:8080/production, http://${ip}/development

vagrant up default

Separate hosts — http://${ip}:8081/development

vagrant up db
vagrant up jss

Clustered — http://${ip}:8082/production, http://${ip}:8083/production

vagrant up db
vagrant up jss01
vagrant up jss02

More information about the project and vagrant development environment can be found @ https://github.com/tscopp/puppet-jss/ and the puppet module can be downloaded directly @ https://forge.puppetlabs.com/tscopp/jss/.

Parameters and Defaults

jss::context{'all_the_values':
activation_code='',
api=true,
context='',
db_addr='localhost',
db_min_pool='5',
db_max_pool='90',
db_port='3306',
db_passwd='${context}passwd',
db_user='${context}user',
http=true,
https=false,
http_port='8080',
http_proxy_port='8443',
institution_name='',
keystore_path='/var/lib/tomcat7/keystore.jks',
keystore_pass='',
log_path='/var/lib/tomcat7/logs',
tomcat_dir='/var/lib/tomcat7',
tomcat_max_threads='450',
user_enrollment=true,
war='ROOT.war',
war_url=''){ }
jss::db('all_the_values':
context='',
db_addr='localhost',
db_name=$context,
db_user=${context}user,
db_passwd=${context}pw,
db_port='3306',
db_root_password='supersecure',
jss_addr='localhost',
tomcat_dir='/var/lib/tomcat7') { }

Thanks for reading, hopefully this will prove useful to someone out there.

Tim Scoppetta
tscopp.com
github.com/tscopp
forge.puppet.com/tscopp

5 REPLIES 5

davidacland
Honored Contributor II

Thanks for this. It will help get me a bitmore familiar with the two tools.

I've been using modified mixtures of JSS manager and JSS migration utility before so will be good to add this to my tool set.

lisacherie
Contributor II

Wow nice work :)

jchurch
Contributor II

this is interesting. i havent tried using puppet for something like this. although i used the "JSS-in-a-box" script before and it worked well. my link text

franton
Valued Contributor III

You're welcome @jchurch !

@tscopp I applaud your efforts with Puppet and Vagrant. If you want an idea how to do things purely with bash script (for your own reference), please have a look at my own work as mentioned above. You can find it here .

I've also a companion project I need to do more work on.JSS-Config-In-A-Box

franton
Valued Contributor III

FYI I'm not bothering with the activation code being pre-populated. That section of the JSS setup also configures other things in the background and I'm content to let it do that (e.g. the internal certificate server) on it's own.