Configuration management is a solved problem?

John Vincent
February 06, 2017

Keynote talk at cfgmgmtcamp.eu 2017

Transcript

  1. Configuration Management is a solved problem(?)

  2. About me
    - Operations Staff Engineer @
    - @lusis on twitter, github and other stuff
    - (retired) DevOpsDays core organizer
    - He/Him/His
    - Father/Husband
    - All around opinionated bastard

  3. DevOpsDays Mt. View 2011
    Orchestration Panel
    “Configuration management is a solved problem” - me

  4. “lol nope” - Andrew Clay Shafer (paraphrased)

  5. What I meant to say was...
    - The tools do what they were designed to do
    - Not everything is CM shaped
    - “Past performance is no guarantee of future results”

  6. Obviously it’s not a solved problem

  7. The Dirty Secret

  8. Services matter. Not Servers.

  9. But we still have servers to configure…

  10. Unscientific Study
    - Packages
    - Daemons
    - Files
    - Templates
    - Users

  11. Everything else
    Is (arguably) better handled by another tool
    - Orchestration
    - Application Lifecycle Management
    - Secrets Management
    - Binary Distribution

  12. So with that in mind…
    What do I think we’re still missing?
    What does a “next gen” CM tool provide?

  13. Active Enforcement

  14. I wrote a blog post a few years back (go figure)
    http://blog.lusis.org/blog/2012/05/24/configuration-drift-and-next-gen-cm/

  15. Inspired by….

  16. Current Behaviour
    - CM is running
    - This file doesn’t look like it’s supposed to
    - CM changes file
    - CM isn’t running
    What happens in the 5/10/30/60 minutes/hours/days in between?

  17. Can we create a system that actively responds to (and optionally PREVENTS) changes to systems outside of CM policy?

  18. Consider
    - FSEvents
    - kqueue
    - inotify
    - dbus
    - kbus
    - dm-verity-alike
    Do we really want to register watches/hooks for EVERY file CM manages?

  19. If our scope is limited to core competency, maybe?

  20. Maybe the kernel needs more efficient hooks to enable this
    (think libnetfilter_queue but for files)

  21. Can we get something like this instead of a new init system?
    Asking for a friend

  22. “Truly Compiled Catalogs”

  23. I wrote a gist post a few years back (go figure)
    https://gist.github.com/lusis/015c7a39fa45ec38a34c

  24. “Binary CM”
    - Upload source to “server” component
    - “Server” compiles binary for all hosts it knows about where the code would apply (i.e. role::webserver)
    - Optionally for unknown clients, the binary is on-the-fly compiled when the host “checks in” (e.g. golang cross-compile)
    - Entire CM run is contained in single binary artifact. Use rsync or more efficient p2p mechanism for transferring

  25. Distributed CM

  26. I talked to someone a few years back (go figure)
    Umm….how do I link a conversation in person?

  27. This one is just sort of abstract
    Imagine a config management system
    This system uses a central server
    The central server goes down

  28. What if…
    Nodes could pull state in peer ring instead of a central server?
    Habitat’s supervisor is sort of like this.
    If we can do that, do we need a central authority?

  29. And what about these things?

  30. Wrap up/Questions?

  31. Image Credits
    - https://i.ytimg.com/vi/M-yIMgy9_2o/hqdefault.jpg
    - http://www.stratoscale.com/wp-content/uploads/AWS-Lambda.png
    - https://s3.amazonaws.com/kinlane-productions/bw-icons/bw-serverless.png
    - https://www.beautypunk.com/wp-content/uploads/2015/10/NoOps-pink.jpg
    - http://res.cloudinary.com/blog-mornati-net/image/upload/v1472668207/sz9sfwiji9foh0cv1v5p.png
    - https://rhelblog.files.wordpress.com/2015/11/rh_atomic_bug_2cblue_text_cmyk.png
    - http://www.galls.com/photos/styles/b2b/bd256.jpg
    - https://s-media-cache-ak0.pinimg.com/originals/de/a1/5f/dea15f0b0ad8c87745bf0c7dac106e53.jpg