[LRUG] Idempotency vs the cloud

Gareth Rushgrove gareth at morethanseven.net
Thu Jul 18 00:19:21 PDT 2013


On 17 Jul 2013 23:14, "Paul Battley" <pbattley at gmail.com> wrote:
>
> On 17 July 2013 22:22, Gareth Rushgrove <gareth at morethanseven.net> wrote:
> > Running puppet/chef/whatever every x minutes doesn't just have the
> > ability to change things to be how you described them, it has the
> > ability to tell you that something in the world is different to how
> > you think it should be.
>
> I'm a bit sceptical of this claim. I know that's what everyone would
> like their configuration management system to be doing, and if it were
> true it would save a lot of problems, but what everyone really does is
> start with an off the shelf distro and configure parts of the system
> to meet their desired spec, leaving the bulk of it to the underlying
> distro. That will tell you if the parts of the system you've
> configured have diverged, but unless I've missed something, that seems
> to leave a whole lot of blind spots. I'm not saying that's not useful,
> but Puppet[0] isn't really an intrusion detection system.
>
> If you were to set up Linux from Scratch using Puppet etc., then you
> probably could get a pretty complete overall view of this, but I think
> you'd need a combine harvester, the ability to warp time, and
> near-infinite patience to shave that yak.
>

Better that yak than the keep my spreadsheets up to date yak.

The advantage you have with the rest of the OS is tools like auditd tend to
already do a good job, and everything is a package and dpkg (or yum or
whatever) will tell you about changes pretty easily.

Having said that, there are a few tools that will generate (horrible) Puppet
code from everything installed on a machine. I've certainly met folks from
huge companies who use Puppet this way, though I wouldn't recommend going
there if you're just starting out and you're not audited.

G

> Paul.
>
> [0]: For Puppet, read "configuration management system of your choice"
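
The package-level check mentioned in the reply above, as an added example that is not part of the original thread: it verifies files against a manifest in the `md5sums` format dpkg keeps under `/var/lib/dpkg/info/` (one `<md5>  <relative path>` per line) and reports drift in files no configuration management manifest declares. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    # dpkg manifests use MD5: fine for spotting drift, not proof against
    # an attacker who can also rewrite the manifest.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(manifest_text, root="/"):
    """Return {'modified': [...], 'missing': [...]} for one md5sums manifest."""
    result = {"modified": [], "missing": []}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        expected, rel = line.split(None, 1)  # path may contain spaces
        path = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif md5_of(path) != expected.lower():
            result["modified"].append(rel)
    return result

def demo():
    """Constructed sample: a fake root with three 'packaged' files, then drift."""
    with tempfile.TemporaryDirectory() as root:
        files = {"usr/bin/tool": b"#!/bin/sh\necho ok\n",
                 "usr/lib/tool/helper.py": b"print('ok')\n",
                 "usr/share/doc/tool/README": b"docs\n"}
        lines = []
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
        manifest = "\n".join(lines) + "\n"
        # Simulate changes nobody declared in configuration management.
        with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
            f.write(b"echo extra\n")
        os.remove(os.path.join(root, "usr/share/doc/tool/README"))
        return verify_manifest(manifest, root)

if __name__ == "__main__":
    print(demo())
```

On a real Debian-family host the same comparison is what `dpkg --verify` or `debsums` performs against the installed package database.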