Config Management tool comparison (Linux)
Posted by weaver_of_cloth@reddit | sysadmin | 13 comments
Perforce looked at Chef and CFEngine's business models and has decided it wants money for Puppet. We've got a Puppet environment but the directors don't want to pay the $$ it'll take to keep us there. The main things I need are
- automated stateful control (for keeping firewalls, users, httpd, etc immutable)
- standardized lintable formatting
- scalable
- path to translate existing codebase from puppet
- logging
- FOSS
We already use Ansible for a lot of initial-config things, and Terraform for a little of that, but even with ansible-pull I don't see it working as a scaled stateful tool (and its logging sucks). OpenTofu, the fork of Terraform, straight-out says not to use it for stateful config management.
I've been looking at
- cdist
- Quattor
- SaltStack (but I don't trust Broadcom)
- pyinfra
- OverlookInfra (which is all of a week old)
Anyone have any thoughts? I've got a spreadsheet and a doc and a huge discussion with my team, but I'd like some more outside opinions.
Hotshot55@reddit
Instead of bringing in another CM stack, have you looked into setting up AWX/AAP to get better management/reporting of your Ansible jobs?
weaver_of_cloth@reddit (OP)
We have an AWX installation, but as I'm not personally running it I haven't taken the time to figure out its reporting setup. Can you say more?
Do you have any thoughts about using Ansible/AWX as a stateful automation platform?
Hotshot55@reddit
I don't have a lot of hands-on experience with AWX/AAP since I'm at a Chef heavy org, but from my understanding you're able to schedule repeat jobs which is effectively what other platforms are doing.
weaver_of_cloth@reddit (OP)
I'd never heard of AAP before. See, this is exactly why I posted this, to learn about new things. Thanks!
ClumsyAdmin@reddit
AAP (as far as I'm aware) is just a rebranded AWX. It's also not free, it's very expensive.
weaver_of_cloth@reddit (OP)
Yeah, I haven't been able to find a way to make AWX do stateful things, like run across the inventory at scale to correct/reset firewall changes, for example.
It was a nice thought, though.
ClumsyAdmin@reddit
What do you mean by stateful? Because it definitely can change firewall settings at scale for at least linux and bsd.
weaver_of_cloth@reddit (OP)
I mean that if someone changes a firewall rule on a box somewhere, the next run of the automated CM software will change it back without us having to even know about it (and then they'll come find us and we'll change it the right way).
Right now we've got puppet-agent running a few times/day to do all that stuff.
ClumsyAdmin@reddit
AAP/AWX definitely does that. You just set up a job on a schedule.
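The behaviour OP describes (a manual rule change on one box gets reverted on the next scheduled run) is what a periodically scheduled Ansible job can give you, provided the playbook is written to assert the whole desired state rather than to add rules. The playbook below is an added example, not code from this thread or from any of the projects mentioned; it assumes nftables-based Linux hosts, a constructed port list in `allowed_tcp_ports`, and that the play is run on a schedule (an AWX/AAP job template, cron, or ansible-pull). Rendering `/etc/nftables.conf` with `flush ruleset` at the top and then loading it means any runtime rule someone added by hand is discarded on every run, and the before/after comparison makes the play report `changed` only when live drift was actually corrected, which is the signal you want in job logs.

```yaml
# Added example (not from the thread): enforce a host firewall ruleset on every run.
# Assumes nftables is available on the target hosts; paths and ports are illustrative.
- name: Enforce desired nftables ruleset
  hosts: all
  become: true
  vars:
    # Constructed sample policy; put the real per-group values in group_vars.
    allowed_tcp_ports: [22, 80, 443]
  tasks:
    - name: Ensure nftables is installed
      ansible.builtin.package:
        name: nftables
        state: present

    - name: Write the authoritative ruleset file
      ansible.builtin.copy:
        dest: /etc/nftables.conf
        owner: root
        group: root
        mode: "0600"
        content: |
          #!/usr/sbin/nft -f
          flush ruleset
          table inet filter {
            chain input {
              type filter hook input priority 0; policy drop;
              ct state established,related accept
              iif lo accept
              ip protocol icmp accept
              ip6 nexthdr icmpv6 accept
              tcp dport { {{ allowed_tcp_ports | join(', ') }} } accept
            }
            chain forward { type filter hook forward priority 0; policy drop; }
            chain output  { type filter hook output priority 0; policy accept; }
          }

    - name: Ensure nftables is enabled so the file is loaded at boot
      ansible.builtin.systemd:
        name: nftables
        enabled: true
        state: started

    # A file-only approach (copy + notify handler) misses runtime edits made with
    # "nft add rule", because the handler only fires when the file changes.
    # Always reload from the file, and report "changed" only if the live ruleset moved.
    - name: Capture live ruleset before enforcement
      ansible.builtin.command: nft list ruleset
      register: live_before
      changed_when: false

    - name: Load the authoritative ruleset (flush + load removes manual runtime changes)
      ansible.builtin.command: nft -f /etc/nftables.conf
      changed_when: false

    - name: Capture live ruleset after enforcement and flag drift that was corrected
      ansible.builtin.command: nft list ruleset
      register: live_after
      changed_when: live_before.stdout != live_after.stdout
```

Scheduled from AWX/AAP (a job template with a schedule) or from cron, this gives the "it just gets put back" semantics without the agent; hosts that show `changed` on the last task are exactly the ones where someone altered the live firewall. Running the same play with `--check --diff` reports file drift without correcting it, but note the `command` tasks are skipped in check mode unless you set `check_mode: false` on them.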
Eldiabolo18@reddit
I understand your problems, especially with Ansible; it scales horribly, even with well-maintained code.
I would try to convince management to pay for the new Puppet licencing.
I never properly used SaltStack, but it seems the next best thing for your use case, though I wouldn't trust it either in the long run.
weaver_of_cloth@reddit (OP)
I'm leaning toward the 'convince sr directors' bit, but fortunately for me that's not up to me; I'm just here to provide a comprehensive look at the alternatives so the head of our team has ammo to convince them.
NotAWittyScreenName@reddit
Are you referring to this? https://www.puppet.com/blog/open-source-puppet-updates-2025
The open source edition source code and puppet forge should still remain available, but looks like new binaries will be behind a paywall and commits to github will be less frequent. We've moved a bunch of stuff to Ansible but I guess we'll need to take this into account going forward. Thanks for bringing this up.
weaver_of_cloth@reddit (OP)
That's the one. I agree that that blog post is pretty poorly written and a bit hard to parse, but the upshot is the first quote we got from Perforce came in just shy of .5 million.
I am cautiously hopeful about https://github.com/overlookinfra, though.