[LRUG] Idempotency vs the cloud

Paul Battley pbattley at gmail.com
Thu Jul 18 14:53:56 PDT 2013


Since Gareth's obviously too humble to point it out, if you're at all
interested in this kind of stuff (which you are, since you're reading
this thread), you should sign up to his Devops Weekly email, which is
full of all kinds of useful information and links.

http://devopsweekly.com/

Paul.

On 18 July 2013 08:19, Gareth Rushgrove <gareth at morethanseven.net> wrote:
>
> On 17 Jul 2013 23:14, "Paul Battley" <pbattley at gmail.com> wrote:
>>
>> On 17 July 2013 22:22, Gareth Rushgrove <gareth at morethanseven.net> wrote:
>> > Running puppet/chef/whatever every x minutes doesn't just have the
>> > ability to change things to be how you described them, it has the
>> > ability to tell you that something in the world is different to how
>> > you think it should be.
>>
>> I'm a bit sceptical of this claim. I know that's what everyone would
>> like their configuration management system to be doing, and if it were
>> true it would save a lot of problems, but what everyone really does is
>> start with an off-the-shelf distro and configure parts of the system
>> to meet their desired spec, leaving the bulk of it to the underlying
>> distro. That will tell you if the parts of the system you've
>> configured have diverged, but unless I've missed something, that seems
>> to leave a whole lot of blind spots. I'm not saying that's not useful,
>> but Puppet[0] isn't really an intrusion detection system.
>>
>> If you were to set up Linux from Scratch using Puppet etc., then you
>> probably could get a pretty complete overall view of this, but I think
>> you'd need a combine harvester, the ability to warp time, and
>> near-infinite patience to shave that yak.
>>
>
> Better that yak than the "keep my spreadsheets up to date" yak.
>
> The advantage you have with the rest of the OS is tools like auditd tend to
> already do a good job, and everything is a package and dpkg (or yum or
> whatever) will tell you about changes pretty easily.
>
> Having said that, there are a few tools that will generate (horrible) puppet
> code from everything installed on a machine. I've certainly met folks from
> huge companies who use Puppet this way, though I wouldn't recommend going
> there if you're just starting out and you're not audited.
>
> G
>
>> Paul.
>>
>> [0]: For Puppet, read "configuration management system of your choice"
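Gareth's point that dpkg or yum "will tell you about changes pretty easily" is the part of this thread that covers the blind spots Paul describes. The script below is an added example (not code from either poster): it triages `dpkg --verify` / `rpm -Va` style output over a constructed sample, separating checksum mismatches from mtime-only noise, and can be run against a live host with `--live`.

```shell
#!/bin/sh
# Added example, not from the thread: triage `dpkg --verify` / `rpm -Va` style
# output. Both tools print one line per file that fails verification: a
# 9-character status field (column 3 = '5' means the checksum no longer
# matches), an optional attribute letter (c = config file), then the path.
# Files the package database expects but cannot find are printed as "missing".

# Constructed sample of verify output (not captured from a real host).
SAMPLE='??5?????? c /etc/ssh/sshd_config
..5....T.  c /etc/pam.d/common-auth
.......T.    /usr/share/doc/foo/README
missing     /usr/bin/some-tool
??5??????   /usr/sbin/sshd'

# Paths whose stored checksum no longer matches the file on disk.
changed_content() {
    awk '$1 != "missing" && substr($1, 3, 1) == "5" { print $NF }'
}

# Paths the package database says should exist but which are gone.
missing_files() {
    awk '$1 == "missing" { print $NF }'
}

# Content changes outside /etc are the interesting finding: an edited config
# file is expected drift, a package-owned binary with a new checksum is not.
changed_binaries() {
    changed_content | grep -v '^/etc/' || true
}

# Run whichever package verifier the host has (output is empty if neither).
verify_host() {
    if command -v dpkg >/dev/null 2>&1; then dpkg --verify 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then rpm -Va 2>/dev/null
    fi
    return 0
}

if [ "${1:-}" = "--live" ]; then
    verify_host | changed_binaries
else
    printf '%s\n' "$SAMPLE" | changed_binaries
fi
```

Feed the output into whatever the cron-driven Puppet run already reports to, and the package database covers the files the manifests never mention.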
