Large Scale Automation
I’ve been revisiting CFEngine recently in anticipation of installing it on around 50 nodes.
Matthew Palmer has given me a lot to think about, suggesting that maybe CFEngine isn’t the right tool for the job and suggesting I look at Puppet. It seems very new, and I’m not overly fond of the Rubyness – but otherwise it looks good.
There are some things that CFEngine gets right, and some things it gets wrong. One of the biggest “right” things is the split of the code:
- There is a “scripting language” which can be used to apply changes to the local host.
- There is a system for distributing these scripts to a number of nodes.
That strikes me as being a perfect split. The “script” file which is executed, cfagent.conf, is really a ruleset which is executed once on each host. The rest of the CFEngine setup is mostly concerned with distributing this file, handling updates, logging, security etc.
If I were to code a similar system, that is exactly how I’d separate it.
Now we come to the rules themselves. What do we do inside them? Well in my use of it to date I’m mostly doing a small number of things:
- Copying files from a central host + setting permissions + groups.
- Making minor edits to a local file.
- Testing to see if a file contains a given string; and if not replacing it wholesale.
- Testing that processes are running, and if so stopping/restarting/starting them.
- Executing commands (install package, adding ssh host keys, “cvs update”).
So those are my primitives. They can actually be reduced further. Assume that the central server runs an HTTP server – then “copying a file” becomes “execute a command (wget/curl)”.
None of these jobs is complex. None of them are things that couldn’t be written with a simple scripting language such as perl, lua, etc.
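As an added illustration (not from the original post, and not CFEngine or Puppet syntax), here are two of the primitives listed above written as idempotent shell functions: copying a file and setting its permissions, and replacing a file wholesale when it lacks a given string. The function names `install_file` and `ensure_contains` are hypothetical, and the source file is assumed to have already been fetched to a local path.

```shell
#!/bin/sh
# Added illustration; install_file and ensure_contains are hypothetical names.

# install_file SRC DEST MODE
# Copy SRC to DEST only when the contents differ, and enforce MODE on every run.
# Prints "changed" or "ok" so the caller can log what happened.
install_file() {
    src=$1; dest=$2; mode=$3
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        chmod "$mode" "$dest" || return 1
        echo ok
        return 0
    fi
    # Stage in the same directory and rename, so no reader ever sees a
    # half-written file. mktemp creates the staging file with mode 0600.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if cp "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest"; then
        echo changed
    else
        rm -f "$tmp"
        return 1
    fi
}

# ensure_contains FILE STRING SRC MODE
# If FILE is missing or lacks the fixed string STRING, replace it wholesale
# with SRC. STRING is matched literally (grep -F), not as a regex.
ensure_contains() {
    file=$1; needle=$2
    if [ -f "$file" ] && grep -qF -- "$needle" "$file"; then
        echo ok
    else
        install_file "$3" "$file" "$4"
    fi
}

# Constructed demo in a scratch directory: the second run makes no change.
demo=$(mktemp -d) || exit 1
printf 'PermitRootLogin no\n' > "$demo/master"
install_file "$demo/master" "$demo/sshd_config" 600    # prints "changed"
install_file "$demo/master" "$demo/sshd_config" 600    # prints "ok"
rm -rf "$demo"
```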
It is almost tempting to write a simple rule-file-interpreter/parser. But down that path lies madness.
I’m going to install Puppet tonight and play with it. Gotta love Xen :)
If that works out nicely I might switch to using it, despite my concerns that it isn’t mature and is Ruby based.
If it doesn’t, it becomes a choice of writing a simple interpreter + daemon which accepts SSL connections with client certificates, or living with CFEngine.