Re: speculations to characterize issues for Debian Enterprise
CJ Fearnley wrote:
> On Thu, Aug 12, 2010 at 11:28:26AM +1000, Geoff Crompton wrote:
>> Can you mention why you don't think puppet is the right solution?
>> Clearly the defaults on any package will not suit every enterprise, and
>> some customisation is required. Puppet can do that just as well as a vi
>> session, or a local configuration package.
> In my operation every client has 1-10 servers (so none are big enough to
> benefit from many common configuration patterns). That is, each server
> is unique in hardware, domain name and in most other configuration details
> (every client seems to have different requirements and so needs different
> software with different integration behavior). Plus due to organizational
> boundaries, we are hyper-concerned about security (each system is behind
> network firewalls plus host-based firewalls plus several extra layers
> to protect ssh).
> For example, several clients want a web-based user management tool and
> some of their networks are LDAP (each with a different schema, of course),
> AD (also with different schemas), or traditional unix passwd. So ideally,
> we need a configuration management tool that can flexibly work with
> databases, LDAP _and_ files (and that doesn't need to be refactored with
> every major upgrade of Debian). So I remain very skeptical of centralized
> approaches that provide leverage primarily for homogeneous use cases.
> I'm overwhelmed by excessive heterogeneity. The only thing in common
> to all of our systems is Debian policy which is the baseline for all of
> At Debconf10, I came to learn that puppet is possibly light-weight
> enough that it might help even for our situation. So it is now on the
> TODO list. But I remain very skeptical that another level of abstraction
> can do anything but increase complexity.
Based on my experience I think that if you do get around to that item on
your todo list, you will find advantages to using puppet. We currently
only have 12 nodes in our manifest (a node corresponds to a server in
puppet parlance). Despite such a small number we already see it as a
benefit to have used puppet, though we are intending on rolling out more
servers managed by puppet. So if you've got a client with 10 computers,
they would probably find the same benefits.
Just because you are using puppet to push out configuration doesn't mean
that you can't use LDAP, or AD, or unix accounts. And it doesn't mean
that if you use postfix for one client, you can't use exim for another.
It probably doesn't make sense to have your different clients connecting
back to a puppet master you run centrally, but it might make sense to
deploy a puppet master to run at some of your clients. Or to simply have
a git repository at the client's site, and use some cronjobs to pull the
manifest to each host and run local puppet runs against the manifest.
+--Debian System Administrator
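The masterless layout Geoff describes above (a git repository at the client's site, a cronjob on each host pulling the manifest and running puppet locally) as an added example script; this is not code from the thread, and the repository URL, checkout directory and per-host manifest naming are assumptions.

```shell
#!/bin/sh
# Masterless puppet: each host pulls the client's manifest repo and applies
# it locally, so no host needs to reach a central puppet master.
set -eu

REPO_DIR=${REPO_DIR:-/var/lib/puppet-manifests}            # assumed local checkout
REPO_URL=${REPO_URL:-git@git.example.invalid:ops/manifests.git}  # placeholder URL
BRANCH=${BRANCH:-master}

# Pick the manifest for this host: a per-node file if the repo has one,
# otherwise the shared site.pp (naming convention is an assumption).
manifest_for_host() {
    host=$1
    if [ -f "$REPO_DIR/manifests/nodes/$host.pp" ]; then
        printf '%s\n' "$REPO_DIR/manifests/nodes/$host.pp"
    else
        printf '%s\n' "$REPO_DIR/manifests/site.pp"
    fi
}

# Clone on first run; afterwards only fast-forward, so a rewritten or
# diverged history at the client's repo fails loudly instead of being applied.
sync_repo() {
    if [ ! -d "$REPO_DIR/.git" ]; then
        git clone --branch "$BRANCH" "$REPO_URL" "$REPO_DIR"
    else
        cd "$REPO_DIR"
        git fetch --quiet origin
        git merge --ff-only "origin/$BRANCH"
    fi
}

# Apply the chosen manifest with the repo's modules, no master involved.
apply_manifest() {
    puppet apply --modulepath "$REPO_DIR/modules" \
        "$(manifest_for_host "$(hostname -f)")"
}

main() {
    sync_repo
    apply_manifest
}

# Run only when invoked with --run (e.g. from cron), so the file can also
# be sourced to reuse its functions.
case ${1:-} in --run) main ;; esac
```

A cron entry such as `*/30 * * * * /usr/local/sbin/puppet-pull --run` gives each host its own local run against the client's repository.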