
Re: speculations to characterize issues for Debian Enterprise

CJ Fearnley wrote:
> On Thu, Aug 12, 2010 at 11:28:26AM +1000, Geoff Crompton wrote:
>
> > Can you mention why you don't think puppet is the right solution? Clearly the defaults on any package will not suit every enterprise, and some customisation is required. Puppet can do that just as well as a vi session, or a local configuration package.
>
> In my operation every client has 1-10 servers (so none are big enough to
> benefit from many common configuration patterns).  That is, each server
> is unique in hardware, domain name and in most other configuration details
> (every client seems to have different requirements and so needs different
> software with different integration behavior).  Plus due to organizational
> boundaries, we are hyper-concerned about security (each system is behind
> network firewalls plus host-based firewalls plus several extra layers
> to protect ssh).
>
> For example, several clients want a web-based user management tool and
> some of their networks are LDAP (each with a different schema, of course),
> AD (also with different schemas), or traditional unix passwd.  So ideally,
> we need a configuration management tool that can flexibly work with
> databases, LDAP _and_ files (and that doesn't need to be refactored with
> every major upgrade of Debian).  So I remain very skeptical of centralized
> approaches that provide leverage primarily for homogeneous use cases.
>
> I'm overwhelmed by excessive heterogeneity.  The only thing in common
> to all of our systems is Debian policy which is the baseline for all of
> our customizations!
>
> At Debconf10, I came to learn that puppet is possibly light-weight
> enough that it might help even for our situation.  So it is now on the
> TODO list.  But I remain very skeptical that another level of abstraction
> can do anything but increase complexity.

Based on my experience I think that if you do get around to that item on your todo list, you will find advantages to using puppet. We currently only have 12 nodes in our manifest (a node corresponds to a server in puppet parlance). Despite such a small number we already see it as a benefit to have used puppet, though we are intending on rolling out more servers managed by puppet. So if you've got a client with 10 computers, they would probably find the same benefits.

Just because you are using puppet to push out configuration doesn't mean that you can't use LDAP, or AD, or unix accounts. And it doesn't mean that if you use postfix for one client, you can't use exim for another. It probably doesn't make sense to have your different clients connecting back to a puppet master you run centrally, but it might make sense to deploy a puppet master to run at some of your clients. Or to simply have a git repository at the client's site, and use some cronjobs to pull the manifest to each host and run local puppet runs against the manifest.

+-Geoff Crompton
+--Debian System Administrator
+---Trinity College
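
The git-plus-cron arrangement suggested at the end of the message above, as an added example that is not part of the original post or of Puppet's own tooling. The clone path, the `manifests/site.pp` and `modules/` layout, the `PUPPET_BIN` override and the fast-forward-only policy are assumptions made for the illustration.

```shell
#!/bin/sh
# Masterless Puppet run: pull the site-local manifest repo, then apply it locally.
# Hypothetical defaults; adjust per host.
REPO_DIR="${REPO_DIR:-/etc/puppet/site-repo}"
PUPPET_BIN="${PUPPET_BIN:-puppet}"

# Fetch and fast-forward only. Prints "changed" or "unchanged"; fails otherwise.
sync_manifests() {
    repo="$1"
    git -C "$repo" fetch --quiet origin || return 1
    local_rev=$(git -C "$repo" rev-parse HEAD) || return 1
    remote_rev=$(git -C "$repo" rev-parse '@{u}') || return 1
    if [ "$local_rev" = "$remote_rev" ]; then
        echo unchanged
        return 0
    fi
    # Refuse local commits or rewritten upstream history: the host must only
    # ever move forward along the branch published in the site repository.
    git -C "$repo" merge-base --is-ancestor HEAD '@{u}' || return 1
    git -C "$repo" merge --quiet --ff-only '@{u}' || return 1
    echo changed
}

# Apply the checked-out manifest; Puppet's output goes to stderr so that
# stdout carries only the sync state.
apply_manifests() {
    repo="$1"
    "$PUPPET_BIN" apply --modulepath="$repo/modules" "$repo/manifests/site.pp" >&2
}

# One cron cycle: never apply when the sync step failed; apply even when
# nothing changed so local drift is corrected.
run_once() {
    repo="$1"
    state=$(sync_manifests "$repo") || { echo "sync failed; not applying" >&2; return 1; }
    apply_manifests "$repo" || return 1
    echo "$state"
}

# Example cron entry (constructed):
#   */30 * * * * root flock -n /run/puppet-pull.lock /usr/local/sbin/puppet-pull --run
if [ "${1:-}" = "--run" ]; then
    run_once "$REPO_DIR"
fi
```

Each host needs only read access to the site repository, so no inbound connection to the managed hosts is required for configuration delivery.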
