Wednesday, March 21, 2012

Puppet, Chef, CFEngine

10 reasons to Choose Puppet over Chef:
Sean OMeara (OpsCode) Comparing CFEngine/Puppet/Chef:
When and Where Ordering Matters:


  • “stuff” that is configured across machines to enable an application or service:
    • operating system baselines, 
    • kernel settings, 
    • disk mounts, 
    • OS user accounts, 
    • directories, 
    • symlinks, 
    • software installations, 
    • configuration files, 
    • running processes, etc.
  • Services running in an Infrastructure need to communicate with each other, and do so via networks. This means that Infrastructure has a topology - yet another thing to manage. 
  • Automated services need maintenance. Once turned on, a service takes input, does something useful, then leaves logs and other data in its wake.
  • Arrangement of software installation, configuration, and the running state of a process. 
  • Maintenance is performed in a control loop, where an agent comes around at regular intervals, inspecting its parts and fixing anything that’s broken.
  • Automated Configuration Management - hosting policy. 
  • The agents that build and maintain systems pull down blueprints and set to work building our automatons. 
  • Systems configure themselves by downloading policy from the server.

  • convergence-based configuration management tools inspired by CFEngine 
  • standalone discovery agents (facter) 
  • Puppet clients connect to the Puppet server where configuration is determined based on a certificate CN 
  • Statements in Puppet are convergent operators, in that they are declarative (and therefore idempotent), and convergent in that they check a resource’s state before taking any action. 
  • A catalog of serialized configuration data is shipped back to the client for execution.
  • This catalog is computed based on the contents of the manifests stored on the server, as well as a collection of facts collected from the clients. 
  • Puppet facts, like CFEngine hard classes, are discoverable things about a node such as OS version, hostname, kernel version, network information, etc.
  • Non-optimally ordered execution will usually work itself out after repeated Puppet runs
  • Resources make up the basic atoms of a system, and the precise configuration of each must be defined. 
  • If a resource is defined twice in a manifest with conflicting states, Puppet refuses to run. 
  • Ordering can be specified through require statements that set up relations between resources. These are used to build a directed graph, which Puppet sorts topologically and uses to determine the final ordering. If a resource in a chain fails for some reason, dependent resources down the graph will be skipped.
  • Fact, Resource, Manifest (.pp)
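
The require ordering, skip-on-failure and check-before-act behaviour in the Puppet notes above, as an added Ruby sketch (not Puppet's own code and not from the linked articles). `Catalog`, `converge` and `demo` are hypothetical names, and the package/config/service state is constructed sample data.

```ruby
require 'tsort'

# Toy catalog (hypothetical names): resources plus their `requires` edges.
class Catalog
  Resource = Struct.new(:requires, :check, :apply)

  def initialize
    @resources = {}
  end

  # check: true when already in the desired state; apply: fixes it, may raise.
  # Simplification: any duplicate name is refused, conflicting or not.
  def add(name, check:, apply:, requires: [])
    raise ArgumentError, "duplicate resource #{name}" if @resources.key?(name)
    @resources[name] = Resource.new(requires, check, apply)
  end

  def order # topological sort of the require graph: dependencies first
    TSort.tsort(@resources.method(:each_key),
                ->(name, &blk) { @resources.fetch(name).requires.each(&blk) })
  end

  # One agent run; returns { name => :unchanged | :changed | :failed | :skipped }.
  def run
    order.each_with_object({}) do |name, status|
      res = @resources[name]
      blocked = res.requires.any? { |d| %i[failed skipped].include?(status[d]) }
      status[name] = blocked ? :skipped : converge(res)
    end
  end

  # Convergent operator: inspect state first, act only when it is wrong.
  def converge(res)
    return :unchanged if res.check.call
    res.apply.call
    :changed
  rescue StandardError
    :failed
  end
end

# Constructed sample: package <- config <- service; the config write fails once.
def demo
  state = Hash.new(false)
  attempts = 0
  cat = Catalog.new
  cat.add(:service, requires: [:config], check: -> { state[:service] }, apply: -> { state[:service] = true })
  cat.add(:config, requires: [:package], check: -> { state[:config] },
          apply: -> { raise 'disk full' if (attempts += 1) == 1; state[:config] = true })
  cat.add(:package, check: -> { state[:package] }, apply: -> { state[:package] = true })
  Array.new(3) { cat.run }
end
```

The three runs returned by `demo` show the failed config resource blocking its dependent service on the first pass, the system converging on the second, and a third pass that changes nothing.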

  • Adam Jacob
  • convergence-based configuration management tools inspired by CFEngine 
  • standalone discovery agents (ohai)
  • RESTful APIs 
  • has a lot more in common with CFEngine than Puppet does
  • copies policy from the server and evaluates it on the edges 
  • recipe is a collection of convergent resource statements (like CFEngine's promise bundle)
  • Chef run list - CFEngine bundlesequence
  • makes it easy to reason about what’s going on when writing infrastructure as code 
  • Imperative programming (ruby) and declarative interface
  • Configurable immunity, convergent operators
  • Imperative ordering of declarative statements gives the best of both worlds
  • Convergence in systems automation speak means "bringing the system closer to correct with each action you take" 
  • Server, Client, Node, Ohai, Cookbooks, Libraries, Recipe, Attribute, Resource, Provider, Platform, Notification Handlers, Exception Handlers, run list

  • Mark Burgess
  • Configurable immunity
  • proved that it is NOT necessary to erase, or baseline a system and reconstruct it using a unique set of commands 
  • The 'clever' aspect of CFEngine is to find an approximation to determinism within a framework of incomplete certainty 
  • policy is copied and evaluated on the edges 
  • based on promise theory 
  • Promises provide a declarative interface to resources under management, which has the remarkably handy attribute of being idempotent 
  • "Promises can be constant, but the recipe of actions, procedures and responses needed to realize a promise might change from moment to moment, if the environment changes."
  • Convergent maintenance refers to the continuous repair of a system towards a desired state 
  • Convergence in a larger system of promises can take multiple runs if things are processed in a non-optimal order  
  • configuration file (.cf), BundleSequence, inputs, promise bundle