Configuration (mis)management or why I hate puppet, ansible, salt, etc.

&gt; So that ladies and gentlemen is why I hate anything and everything that uses YAML or some other weird custom DSL to do the obvious.<p>Sure, because I would trust a random clueless programmer to do system administration or to even know what is necessary there. Your rant is totally justified.<p>&gt; Everything that seems intuitive and obvious to me is either an anti-pattern or straight-up impossible to do with any of those tools.<p>The same can be said about functional languages from a perspective of imperative programmer. You just don&#x27;t understand the paradigm. There&#x27;s really nothing to brag about here.<p>&gt; Somehow I’m the only one that ended up with the right set of experiences that taught me to avoid all the things these tools champion.<p>Yes, somehow you&#x27;re the only one smart out there. All the other people are just plain stupid.<p>&gt; [...] but not before a whole bunch of hair is lost trying to figure out why some snippet of YAML is not creating the right unix user (this by the way has happened more than enough times now that I’ve stopped counting).<p>As previously, there&#x27;s nothing to brag about. You just don&#x27;t understand the paradigm.

&gt; The stuff I had built at my first job taught me that my intuitions about software systems in general were mostly correct<p>Oh boy. Here we go.<p>&gt; The guy that had built this part was pretty smart .. He probably should have trusted his intuitions a bit more and not bowed to peer pressure<p>Or maybe he knew enough to understand how Puppet could fit into the overall architecture and strategy at this company that is now the second company you&#x27;ve ever worked for.<p>&gt; Why the fuck are build&#x2F;ops folks making decisions about how the application should be deployed and configured?<p>Because that&#x27;s what build&#x2F;ops folks are there to do, and congratulations, you&#x27;ve just discovered dev ops. Not every application is nginx, node.js, and mongodb running on a single VM. Sometimes deployments get complicated.<p>&gt; How is it that these things are obvious to me but not obvious to others?<p>Wow.<p>This person hates on Puppet for &quot;reasons&quot; and decries all configuration management tools as awful pieces of garbage, then says Chef is great while consistently asserting that people are sheep for using configuration management tools, then throws in digs at Ansible and Salt with absolutely no context. It seems like he&#x2F;she extrapolated one bad example of one Puppet use case into a general flaw with the whole lot. It&#x27;s like he&#x2F;she drove a Pinto for a bit, had trouble going around one corner one time, and deduces that all motor vehicles are bad and anyone who drives a car is an idiot.

Yup.<p>I&#x27;m trying to create a build-and-configuration-management system for distributed embedded systems development.<p>The product will have some physical components with embedded software, and some back-end components running on some sort of server somewhere. Some of the embedded devices may be networked. Some may not.<p>I want to use Continuous Integration to ensure that the front &amp; back end (and all the various testing tools) play nice together, and Continuous Deployment to reduce the risk of manual missteps.<p>So ... I&#x27;m trying to create the build scripts that build the system components (including cross-compiling the embedded SW), run tests and deploy the various components to UAT &#x2F; HIL &#x2F; SIL &amp; simulation environments, orchestrate overnight and over-the-weekend simulation runs &amp; generally provide tools to help manage deployment -- I also want to make the whole thing enforce DO-178B-style process compliance, requirements traceability etc.. etc...<p>Most of this is done in Python, &#x27;cos I want to be able to reproduce the process on my workstation. Moreover, I want it to be portable (Linux, OSX &amp; Windows), location-agnostic (works in any directory), and free from all but the most essential dependencies.

You can run Puppet in a decentralised way:<p><pre><code> sudo puppet apply --verbose --debug --modulepath=.&#x2F;system system.pp </code></pre> You can also use BASH&#x2F;Python whatever <i>with</i> Puppet and still take advantage of Puppet&#x27;s declarative semantics if that&#x27;s what you need:<p><pre><code> exec { &quot;install_node&quot;: require =&gt; Package[[&quot;build-essential&quot;, &quot;openssl&quot;, &quot;libssl-dev&quot;, &quot;pkg-config&quot;]], command =&gt; &quot;${settings::modulepath}&#x2F;main&#x2F;install_node.sh v0.12.7&quot;, creates =&gt; &quot;&#x2F;usr&#x2F;local&#x2F;bin&#x2F;node&quot;, logoutput =&gt; true, timeout =&gt; 1800 }</code></pre>

On another blog I read a very wise notion, which captured the underpinnings which are &quot;wrong&quot; with tools like ansible&#x2F;salt&#x2F;puppet.<p>You can verify that something is set, but this guarantees nothing about the things you haven&#x27;t set.<p>Now, this is fine if you purely use the above tools as provisioning, i.e. run the configuration tools on an immutable image. However, often these configuration tools are run on long running machines. And then we&#x27;re back to pets vs. cattle. With all the faults and difficulties of Docker - at least it does that right.