Ask HN: Chef, Ansible, Puppet- When to Use Configuration Management?

41 点作者 fredrb大约 5 年前

I wonder where these tools fit today and how they are used. Since a lot of applications are moving to containers and Kubernetes I'm struggling to understand what's the current state these tools.

9 条评论

myu701大约 5 年前

We use Ansible for all of our legacy tech, the non-container stuff.Rather than a dev ask a server guy to make a vm, then join it to the domain, then move it to the right OU, then install anti-virus, etc. then ask a dba to install SQL server, import the database schema, setup permissions, and enable network access, we write an ansible playbook that does it all in a repeatable manner, the same way every time.You have an n-tier app with a reverse proxy load balancing for 3 web servers and 1 database server, and you want one copy of this app for dev, one for staging, and one for prod, and you want them all the same?Ansible to the rescue (or better, Terraform, which gives you more control IMO)You need one more environment for testing the changes to a new system? Add a line in Ansible and rerun the whole thing.CM systems like Ansible or Terraform let you do Infra As Code and treat your servers like cattle, not pets.A server acts weird? take out of load balancer, delete the entire VM, re-run ansible to recreate it, poof its happy again.

评论 #22892729 未加载

csdreamer7大约 5 年前

I am moving away from Chef towards Ansible.Chef even now lacks a good ad-hoc mode that makes it easy to run one liners. Little info on Puppet. Do know that Puppet uses a separate tool called Bolt for ad hoc commands, while Ansible has it built in.Chef really tries to force you to use their Chef server to really run anything. If you just want to provision a single server you needed to use an unofficial tool, knife-solo, which isn't supported anymore or chef-zero, the new tool, which lacks documentation. (So does knife-solo, but I got it to work.).The binary builds of Chef now require an EULA license agreement to use run it. Even thou the open source version is under Apache2. The annoying part is you have to place a file on every machine to keep running it. This is also not documented properly.Bad documentation was something I was hoping Chef had gotten over a long time ago.Some resources of Chef just do not work as documented and I end up using manual execute commands while Ansible's providers usually consistently works. Ansible documents which providers are by the community (and are included in the main package) and which are maintained by the Ansible team and are guaranteed to have a stable API. Something I really appreciate and gives me confidence in my Ansible scripts. Ansible also a Docker provider.Chef also really requires you to use a Ruby gem manager which is a hassle if you are not using Ruby right now. Since I have stopped using Ruby it is a lot easier to just 'sudo apt install ansible'.My biggest issue with Ansible is that the error messages can be very poor.Take the snap provider for example. The older version on Ubuntu 18.04 does not support the later snap provider in later version of Ansible that my dotfile manager uses. This by itself is a small issue, but the error message it gives is very makes you think you have a syntax issue with an unrelated part rather than an undocumented keyword.

bkovacev大约 5 年前

Containers do not stop you to use Chef, Ansible, Puppet or Terraform. Matter of fact, they make it easier for you.We use Terraform to setup new reproducible environments for all of our projects. We have full modules for ECS, EC2 and various others combination of services that we repeatedly use on AWS. It makes it really easy to set something up and not worry about it. Helps us setup bastions, rds, clusters, task definitions, scaling, vpc, alb and all the other things you'd have to waste couple of hours/days to get right.

评论 #22893154 未加载

betaby大约 5 年前

Well, someone still have to manage hardware nodes! So I use cf-engine to install smatrd, manage ssh keys, to install packages an so on. Also configuration management for the servers where state lives, like your git repos, db, documentation, internal knowledge systems. To ensure backup software is installed and running. I prefer cf-engine due to the fact it's compiled package, not dependent on any scripting language.<a href="https://cfengine.com" rel="nofollow">https://cfengine.com</a>

评论 #22892737 未加载

评论 #22892656 未加载

core-questions大约 5 年前

Consider this: a Dockerfile is a build script. It has a limited syntax, no programmatic functionality, and the moment you want some logic, you're reduced to firing off an inline shell script or running something else within your building container to get things configured correctly.At a certain point, you may start to need more logic in your build. If you have a big container designed to run an older app, you may need to install a lot of dependencies; and maybe you're lucky and there's a Makefile, maybe not. The result might be some ugly shell script that gets more complex and harder to read over time, as you re-implement more and more of what would already be in the wheelhouse of a good config manager.You could instead just use Ansible or Chef Zero to run all of that logic inside your container. Packer is happy to run Chef Zero and output totally compliant Docker containers for you that don't use a normal Dockerfile at all. It's not common, but it's certainly an option, if you're looking for a reason why these tools might persist into the future.Other than that, the strongest use cases are:- Provisioning "legacy" stuff like EC2 or VMWare VMs, and bare metal- Keeping long-lived servers up to date and maintaining their replace-ability as best as possible (i.e. the next best thing to immutable infra is replaceable infra)- Automating integrations, i.e. Ansible and Chef have a ton of modules for services like Zabbix, Consul, etc. you can use as part of your script to get a machine totally ready to serve on the network without you re-implementing API calls.

评论 #22892272 未加载

nodesocket大约 5 年前

I run and own a DevOps consulting company.Huge proponent of Packer + Terraform. Running commands and copying files on boot of VM instances can be a bit dodgy (cloud-init) or using Terraform provisioner "file" or provisioner "remote-exec", but they work. Typically you want to "bake" as much as possible into the AMI using Packer and anything that is runtime dependent, can be setup by Terraform on instance create using the methods described above.If you running standard Docker containers and AWS, highly recommend AWS ECS using Fargate[1]. No servers to manage, just define the services and container details and ECS runs the containers for you. Blue-green deploys and auto-scaling out of the box with health checks.If you running Kubernetes, I highly recommend looking at using Terraform to manage the Kubernetes resources[2]. Helm, while nearly a defacto standard is full of edge cases, weird quirks, and utter frustration. Oftentimes Helm is required though to work within the Kubernetes ecosystem.<pre><code> [1] https://aws.amazon.com/fargate/ [2] https://www.terraform.io/docs/providers/kubernetes/index.html</code></pre>

评论 #22892195 未加载

nunez大约 5 年前

Containers are the way to go if your application can be containerized. It's much easier to configure and deploy the application and its environment this way. It's also much easier to test a production-like copy of the application in development without having to spin up a bunch of infrastructure locally.Assuming that you can't or aren't able to containerize your app, Ansible is a great all-arounder largely because of it being agentless. It's easy to install and easy to scale. However, really large organizations usually want to use their configuration management as a CMDB of sorts. While Red Hat has Ansible Tower for this, Chef provides a much more mature offering (from hearsay; I haven't actually used Tower).I dismiss Puppet these days. It's more legacy compared to Chef, and it's harder to get recent information when searching for stuff. It's also really hard to test locally compared to Chef with test-kitchen.

评论 #22892210 未加载

twunde大约 5 年前

For cloud-based systems, configuration management is really used primarily for configuring kubernetes hosts and more traditional run-your-own services like SFTP (these may be things that your cloud doesn't offer, are cheaper to run yourself or requires options that aren't available unless you run it yourself). I'll note that for those who use immutable infrastructure patterns, many AMI pipelines will use Packer + configuration management to create the AMIs.

评论 #22892874 未加载

atmosx大约 5 年前

Ideally never. The only reason to work with CF tools is through Hashicorp packer or legacy staff that doesn’t make sense to setup on orchestrators. The infra should be immutable