We'd been tossing around ideas on node configuration management and two tools seemed to have popped out: cfengine (http://www.cfengine.org/) and puppet (http://reductivelabs.com/trac/puppet/). I was wondering if anyone has any input on how these two stack up against each other and if there's any preferences on one over the other.

--
"A simile is not a lie, unless it is a bad simile." - Christopher John Francis Boone

On Wed, May 21, 2008 at 09:11:08AM -0400, Makia Minich wrote:
> We'd been tossing around ideas on node configuration management and two
> tools seemed to have popped out: cfengine (http://www.cfengine.org/) and
> puppet (http://reductivelabs.com/trac/puppet/). I was wondering if anyone
> has any input on how these two stack up against each other and if there's
> any preferences on one over the other.

I use Cfengine daily, but haven't had a chance to check out puppet yet -
I do however read about it a lot :)

Cfengine:
- very widely used
- mature
- Cfengine 2.X does little to abstract out concepts
- Cfengine 3.X will fix some of that
- started as research project
- C code

Puppet:
- newer
- developed in direct response to address weaknesses in Cfengine
- being deployed by RedHat as their config management product of choice
- very actively developed by a wide community
- more of a basis on abstraction
- Ruby

As an example, in Cfengine, the normal mode of operation to configure
nss_ldap would be to push out the exact file /etc/ldap.conf to your node.
In puppet, there would be a description of what the LDAP configuration
should look like.

There's also a third contender to consider: bcfg2. If pressed, I'd say
it's more in the vein of Puppet than Cfengine. It's got some nifty
features not yet present in puppet. It's a project out of Argonne,
and IIRC, was designed expressly with large clusters in mind.

More info at:

http://www.bcfg2.org
http://trac.mcs.anl.gov/projects/bcfg2/wiki/Doc%3AArchitecture

Again, I've only used Cfengine to this point ... but Puppet and bcfg2
offer enough that I'll be looking at them Real Soon Now.

(And of course there's always LCFG or SmartFrog if you're a masochist...)

-jkl

--
Josh Lothian <lothian at ornl.gov>
High Performance Computing Systems Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory
Bldg: 5600-D209 Phone: 865.241.5563

Hi

There was a panel on this at last year's LISA conference. I was at SC
and missed it unfortunately. There's no recording of it on the usenix
site. :( My wife went but said she didn't think the puppet guy did a
great job of presenting.

I've used cfengine for several years and have only glanced at puppet.
Both seem to be about equally capable. I've had folks tell me puppet
wasn't as flexible and I've had people tell me that cfengine was too
complicated. Puppet has an advantage for users who want a support
contract. Cfengine seems to have more market penetration. Tough call. I
think which technology you use is probably less important than how you
implement it.

Sean

Makia Minich wrote:
> We'd been tossing around ideas on node configuration management and two
> tools seemed to have popped out: cfengine (http://www.cfengine.org/) and
> puppet (http://reductivelabs.com/trac/puppet/). I was wondering if
> anyone has any input on how these two stack up against each other and if
> there's any preferences on one over the other.
>

Thanks for this write-up it's quite helpful. It seems that the biggest issue with puppet right now is that it doesn't seem to be widely used (at least by people actually deploying large systems, no matter what redhat or marketing might want you to think).

I think for now, we'd probably be good to start with CFEngine and get a good basis for it, but keep an eye on puppet (or moreso on people's adoption of it) to see how to move forward.

Josh Lothian wrote:
> On Wed, May 21, 2008 at 09:11:08AM -0400, Makia Minich wrote:
>> We'd been tossing around ideas on node configuration management and two
>> tools seemed to have popped out: cfengine (http://www.cfengine.org/) and
>> puppet (http://reductivelabs.com/trac/puppet/). I was wondering if anyone
>> has any input on how these two stack up against each other and if there's
>> any preferences on one over the other.
>
> I use Cfengine daily, but haven't had a chance to check out puppet yet -
> I do however read about it a lot :)
>
> Cfengine:
> - very widely used
> - mature
> - Cfengine 2.X does little to abstract out concepts
> - Cfengine 3.X will fix some of that
> - started as research project
> - C code
>
> Puppet:
> - newer
> - developed in direct response to address weaknesses in Cfengine
> - being deployed by RedHat as their config management product of choice
> - very actively developed by a wide community
> - more of a basis on abstraction
> - Ruby
>
> As an example, in Cfengine, the normal mode of operation to configure
> nss_ldap would be to push out the exact file /etc/ldap.conf to your node.
> In puppet, there would be a description of what the LDAP configuration
> should look like.
>
> There's also a third contender to consider: bcfg2. If pressed, I'd say
> it's more in the vein of Puppet than Cfengine. It's got some nifty
> features not yet present in puppet. It's a project out of Argonne,
> and IIRC, was designed expressly with large clusters in mind.
>
> More info at:
>
> http://www.bcfg2.org
> http://trac.mcs.anl.gov/projects/bcfg2/wiki/Doc%3AArchitecture
>
> Again, I've only used Cfengine to this point ... but Puppet and bcfg2
> offer enough that I'll be looking at them Real Soon Now.
>
> (And of course there's always LCFG or SmartFrog if you're a masochist...)
>
> -jkl
>

--
"A simile is not a lie, unless it is a bad simile." - Christopher John Francis Boone

Yeah, from what I've seen CFengine gets more use. Puppet seems like an interesting project, but it might be best to just watch it for now and see how it progresses.

Perhaps what we should focus on (for now) is if there's a way to ease the setup of cfengine, perhaps help it be a little less complicated (perhaps).

seanb wrote:
> Hi
> There was a panel on this at last year's LISA conference. I was at SC
> and missed it unfortunately. There's no recording of it on the usenix
> site. :( My wife went but said she didn't think the puppet guy did a
> great job of presenting.
> I've used cfengine for several years and have only glanced at puppet.
> Both seem to be about equally capable. I've had folks tell me puppet
> wasn't as flexible and I've had people tell me that cfengine was too
> complicated. Puppet has an advantage for users who want a support
> contract. Cfengine seems to have more market penetration. Tough call. I
> think which technology you use is probably less important than how you
> implement it.
>
> Sean
>
>
> Makia Minich wrote:
>> We'd been tossing around ideas on node configuration management and two
>> tools seemed to have popped out: cfengine (http://www.cfengine.org/) and
>> puppet (http://reductivelabs.com/trac/puppet/). I was wondering if
>> anyone has any input on how these two stack up against each other and if
>> there's any preferences on one over the other.
>>
>
> _______________________________________________
> Linux_hpc_swstack mailing list
> Linux_hpc_swstack at lists.lustre.org
> http://lists.lustre.org/mailman/listinfo/linux_hpc_swstack

--
"A simile is not a lie, unless it is a bad simile." - Christopher John Francis Boone

Hi

So here's my ramblings about how we've used cfengine in the past. The same techniques should be doable in puppet. This isn't meant to say this is the only way to do it, it's just what has worked for us. The specifics of the implementation aren't as important as the philosophy behind them. I'd love to see how other people are implementing config management.

We try to focus on the layout looking simple. We build a directory for each type of machine we have. (We don't use cfengine classes for the most part as they seem to confuse people.) Each of the type directories has subdirs consisting of "common" files, that are the same on all machines of that type, and machine specific files in directories named with that host's FQDN. Under each of these trees we reproduce the relevant parts of the "/" filesystem of the machines.

Here's an example:

/my_cfengine_repo/type_webserver/common/etc/.....
                                    .../var/.....
                           .../foo.bar.com/etc/....
                                    .../var/....
                           .../blah.bar.com/etc/...
                                    .../var/......
              .../type_nfs_server/common/etc/....

Into the directory structure we include copies of all the files we control with cfengine (for example /etc/passwd). We put as much as we can in the common directories. We use RCS on the files for version control.

All the cf scripts are small and modular (as opposed to ye olde single giant cfengine script). They pretty much just look through the appropriate tree structure and put whole files into place with the proper permissions etc. We keep the scripts in a directory and link to them from within each type of machine's subdirectories according to which scripts that type needs. The scripts preferentially use the FQDN versions of files only falling back to common when no FQDN version exists.

With this layout, it's pretty easy for a sysadmin (even a pretty new one) to understand the state of a system. We try very hard to keep everything transparent (we avoid classes and edit lines in scripts as much as possible).

We avoid doing system management on the nodes themselves. Everything should be controlled via cfengine or some similar tool (on linux we use kickstart and yum as well). One big bonus of doing it this way is that if you lose a hard drive at 3am, your most junior sysadmin can bring the box back into the exact same state it was in prior to the failure without having to call the senior guy. (Personally I think that is the number one reason our senior guys implemented cfengine this way.)

Sean

Makia Minich wrote:
> Yeah, from what I've seen CFengine gets more use. Puppet seems like an
> interesting project, but it might be best to just watch it for now and
> see how it progresses.
>
> Perhaps what we should focus on (for now) is if there's a way to ease
> the setup of cfengine, perhaps help it be a little less complicated
> (perhaps).
>
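
The lookup rule from the message above (use the host's FQDN copy of a file, fall back to "common" only when no FQDN copy exists), sketched as shell helpers that also list which copy wins for every managed path on a host. This is an added example, not the poster's cfengine scripts; the function names, the "role" argument standing for the machine type, and the constructed demo tree in a temporary directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Layout assumed from the message above:
#   <repo>/type_<role>/common/<path>   shared by every host of that type
#   <repo>/type_<role>/<fqdn>/<path>   override for one host

# Print the repository copy that applies to PATH on host FQDN.
# Returns 1 if the file is not managed, 2 if PATH is not a clean absolute path.
resolve_source() {
    local repo="$1" role="$2" fqdn="$3" path="$4" candidate
    case "$path" in
        */../*|*/..) return 2 ;;   # a ".." component would leave the host's tree
        /*) ;;
        *) return 2 ;;
    esac
    for candidate in "$repo/type_$role/$fqdn$path" "$repo/type_$role/common$path"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# List every managed path for a host together with the copy that wins.
effective_files() {
    local repo="$1" role="$2" fqdn="$3" base rel
    for base in "$repo/type_$role/common" "$repo/type_$role/$fqdn"; do
        [ -d "$base" ] || continue
        (cd "$base" && find . -type f | sed 's|^\.||')
    done | sort -u | while read -r rel; do
        printf '%s <- %s\n' "$rel" "$(resolve_source "$repo" "$role" "$fqdn" "$rel")"
    done
}

# Constructed sample repository: two common files, one host-specific override.
build_demo_repo() {
    local repo
    repo=$(mktemp -d) || return 1
    mkdir -p "$repo/type_webserver/common/etc" "$repo/type_webserver/foo.bar.com/etc"
    echo "common passwd" > "$repo/type_webserver/common/etc/passwd"
    echo "common hosts"  > "$repo/type_webserver/common/etc/hosts"
    echo "foo hosts"     > "$repo/type_webserver/foo.bar.com/etc/hosts"
    printf '%s\n' "$repo"
}

demo_repo=$(build_demo_repo)
effective_files "$demo_repo" webserver foo.bar.com
rm -rf "$demo_repo"
```

Running the listing against the repository before a rebuild shows exactly which files a host will receive and where each one comes from, which is the transparency the layout is meant to give.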