Puppet, Chef or CFEngine?
Dan Dubovik
dandubo at gmail.com
Wed Nov 9 16:24:18 MST 2011
We currently use puppet. We have used it for quite some time, and just
revisited our configuration management system, to see if it was still the
right way to go.
In looking at Chef, CFEngine and Puppet, we decided to stick with Puppet.
The cost of changing over a number of extremely complex systems to a new
management service was simply too high, for minimal (if any) gain.
On the topic of user management, while a shell script may be easier /
faster in the short term, over time (and once an environment is
sufficiently large) it can result in an inconsistent environment. Servers
can be down, unresponsive, have some random failure, and if not immediately
and manually remediated, you end up with users on servers that shouldn't
be, missing users on others, and old passwords on yet others.
Using Puppet, you can either maintain /etc/{passwd|group|shadow} (wouldn't
personally do this, but it is an option, so included here in the interest
of being complete), or you can use the 'user' and 'group' resource type (
http://docs.puppetlabs.com/references/stable/type.html#user) to maintain
users across the environment. This is if you need / want to continue using
local users. Personally, I'm with Bryan, and prefer a central
authentication method, as it resolves many of the problems you would have
with local users, and provides for an easier method of auditing user
accounts.
-- Dan.
On Tue, Nov 8, 2011 at 7:43 PM, Lisa Kachold <lisakachold at obnosis.com>wrote:
> Thanks to all who responded.
> I believe this is an excellent subject for a blog after about 10,000 lab
> testing package comparison hours!
> Laugh!
>
> On Tue, Nov 8, 2011 at 9:34 AM, Bryan O'Neal <
> Bryan.ONeal at theonealandassociates.com> wrote:
>
>> Personal opinion - for large scale use with many people maintaining
>> different sections puppet is one of the best - however it is really
>> only good for file management. Since nearly everything on a linux
>> system is a file, this should not be a problem. As for user management
>> - I am still under the opinion on that (unless you are a pure Linux
>> environment) this should be solved by using Active Directory for
>> authentication and pam for access mismanagement. (if you don't want to
>> integrate your services with pam they probably have a simple
>> configuration file that controls access management that could be
>> handled by puppet just as easily)
>> Chef is more extensible with access to a full ruby stack - however
>> unless you have a very small group of well coordinated developers who
>> insist on adhering to standards you will rapidly find your
>> provisioning code will become unwieldy and almost useless as you
>> inheritances start overriding key portions without notice as to why or
>> what section did what. In the rite hands the flexibly is an asset that
>> may help solve key problems. In the wrong hands it will propagate
>> problems whose effect compound over time until the entire system is
>> scraped.
>>
>> Disclaimer - I know very little regarding this compared to others. I
>> use puppet, write manifests, build systems, etc. I am not responsible
>> for the engineering.
>>
>> On Sun, Nov 6, 2011 at 3:56 PM, Ed <plug at 0x1b.com> wrote:
>> > On Sat, Nov 5, 2011 at 4:59 PM, James Mcphee <jmcphe at gmail.com> wrote:
>> >> I am also looking at implementing one of these at some point in the
>> near
>> >> future. The standard scripts over ssh is simple and relatively well
>> >> controlled, but teaching new people how to use them and maintaining
>> them in
>> >> a sane fashion is troublesome. I've used a few HP, Dell, Sun, and IBM
>> >> config products in the past and they were all bad enough I went back to
>> >> scripts in no time.
>> >>
>> >> On Nov 5, 2011 11:33 AM, "Lisa Kachold" <lisakachold at obnosis.com>
>> wrote:
>> >>>
>> >>> Can anyone chime in on using enterprise mass systems configuration and
>> >>> management tools?
>> >>>
>> >>> What are you using? Chef, Puppet or CFEngine and why?
>> >>>
>> >
>> > I like CFengine - the task based focus is on "promises" and the
>> > install is painless. The only ruff spot I could point to is with
>> > application updates - the interface to yum is less polished than some
>> > - updates work if you work on them as groups vs particular apps. There
>> > are many promises online and in the maillists for particular tasks. I
>> > think there is even a starter pack on github somewhere. CFengine fits
>> > well into ITIL and managing IT - lots of IT - and it has it's own
>> > directory in /var too! ;)
>> >
>> > The RH world has worked with Cobbler plus Puppet - this is getting
>> > tighter with Puppet plus TheForman and Pulp - if I remember the
>> > roadmap.
>> > ---------------------------------------------------
>> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> > To subscribe, unsubscribe, or to change your mail settings:
>> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
>
> --
> (602) 791-8002 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> **
> HomeSmartInternational.com
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20111109/59ce2ed0/attachment.html>
More information about the PLUG-discuss
mailing list