Content is available under Creative Commons Attribution.


Why agent-based software deployment engines are better than agent-less


Leroy was created based on over 10 years of experience using different software deployment automation tools. The very earliest version of Leroy was SSH based and completely agent-less. After using Leroy in this way for a few years, some limitations of this method became apparent:

What’s the answer?
Use a secured agent!

Leroy uses a secure agent that trusts the controller. Should a host where an agent resides be compromised, all the attacker learns is the IP address and port of the controller, which under normal circumstances is not listening. The controller only listens on its TCP port while a deployment is happening. Agents poll this IP/port in the background, waiting for it to come online.

This also means the controller knows exactly which connections to expect. We also know what version our agents are and we have the ability to update them. Additionally, by having an agent we can embed Python, a powerful and common scripting language that works on almost all platforms. Along with Python, we include common functions needed for deployment automation, such as checking whether a port is still listening or has started listening, or polling a URL to see if a string exists. Had we chosen to stay agent-less, these doors would not be open to us. Leroy agents can be run as root, if desired. The agent does not listen on any ports and offers no tangible security concerns.
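The deployment checks named above (port started or stopped listening, URL body contains a string) can be sketched in plain Python as follows. This is an added example, not Leroy's own code or API: the function names are hypothetical, and a throwaway local HTTP server stands in for a deployed service. Because an agent may run as root, the URL poller only accepts http/https, bypasses proxies, and caps how much it reads.

```python
# Added example: helper names are hypothetical, not Leroy's own API.
import http.client, http.server, socket, threading, time
import urllib.parse, urllib.request

def _poll(check, deadline, interval):
    """Call check() until it is True; return False once the deadline passes."""
    end = time.monotonic() + deadline
    while not check():
        if time.monotonic() >= end:
            return False
        time.sleep(interval)
    return True

def wait_for_port(host, port, listening=True, deadline=30.0, interval=0.2):
    """Wait until host:port has started (listening=False: stopped) accepting TCP."""
    def check():
        try:
            socket.create_connection((host, port), timeout=1.0).close()
            return listening
        except OSError:
            return not listening
    return _poll(check, deadline, interval)

def url_contains(url, needle, deadline=30.0, interval=0.5, max_bytes=1 << 20):
    """Poll url until its body contains needle: http(s) only, no proxy, capped read."""
    if urllib.parse.urlsplit(url).scheme not in ("http", "https"):
        raise ValueError("only http/https URLs are polled")  # rejects file:// etc.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    def check():
        try:
            with opener.open(url, timeout=5) as resp:
                return needle in resp.read(max_bytes).decode("utf-8", "replace")
        except (OSError, http.client.HTTPException):
            return False  # not up yet, or an HTTP error status
    return _poll(check, deadline, interval)

class _Ready(http.server.BaseHTTPRequestHandler):  # constructed stand-in service
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"status: READY")

def demo():  # throwaway local server: check up, check body, stop it, check down
    with http.server.HTTPServer(("127.0.0.1", 0), _Ready) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        up = wait_for_port("127.0.0.1", srv.server_port, deadline=5)
        ready = url_contains(f"http://127.0.0.1:{srv.server_port}/", "READY", deadline=5)
        srv.shutdown()
    down = wait_for_port("127.0.0.1", srv.server_port, listening=False, deadline=5)
    return up, ready, down
```
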

The Leroy agent has no significant overhead. It neither requires nor wants a Java runtime environment, or any runtime environment, since the agent is a simple compiled binary and uses about 4 MB of RAM. Another important reason for an agent is that different operating systems act very differently when dealing with even the simplest things, like transferring and writing files to disk and executing commands. Without a tight hold of the OS from a C++ perspective, some tweaking may be nearly impossible to deal with using an agent-less model.

We cannot prevent a mix of different operating systems in our computing environment these days. I am sure that Red Hat has Microsoft Windows servers in their organization that they heavily depend on, and that Microsoft has Linux they depend on as well. Some companies, especially government contractors, cannot get away from things like AIX and IRIX. True deployment automation needs to support as many of these platforms as possible. When dealing with so many, it makes more sense to write a standard all platforms can use, rather than changing myself to support all the differences I want to be able to inter-operate with.

Leroy is available for download at:


by: Epic Force