Configuration management is a solved problem?

Transcript

1. Configuration Management is a solved problem(?)

2. I’m sorry

3. About me - Operations Staff Engineer @ - @lusis on

   twitter, github and other stuff - (retired) DevOpsDays core organizer - He/Him/His - Father/Husband - All around opinionated bastard

4. Story Time

5. DevOpsDays Mt. View 2011 Orchestration Panel “Configuration management is a

   solved problem” - me

6. “lol nope” - Andrew Clay Shafer (paraphrased)

7. What I meant to say was... - The tools do

   what they were designed to do - Not everything is CM shaped - “Past performance is no guarantee of future results”

8. Obviously it’s not a solved problem

9. The Dirty Secret

10. Services matter. Not Servers.

11. But we still have servers to configure…..

12. Unscientific Study - Packages - Daemons - Files - Templates

    - Users

13. Everything else Is (arguably) better handled by another tool -

    Orchestration - Application Lifecycle Management - Secrets Management - Binary Distribution

14. So with that in mind…. What do I think we’re

    still missing? What does a “next gen” CM tool provide?

15. Active Enforcement

16. I wrote a blog post a few years back (go

    figure) http://blog.lusis.org/blog/2012/05/24/configuration-drift-and-ne xt-gen-cm/

17. Inspired by….

18. Current Behaviour - CM is running - This file doesn’t

    look like it’s supposed to - CM changes file - CM isn’t running What happens in the 5/10/30/60 minutes/hours/days in between?

19. Can we create a system that actively responds to (and

    optionally PREVENTS) changes to systems outside of CM policy?

20. Consider - FSEvents - kqueue - inotify - dbus -

    kbus - dm-verity-alike Do we really want to register watches/hooks for EVERY file CM manages?

21. If our scope is limited to core competency, maybe?

22. Maybe the kernel needs more efficient hooks to enable this

    (think libnetfilter_queue but for files)

23. Can we get something like this instead of a new

    init system? Asking for a friend

24. “Truly Compiled Catalogs”

25. I wrote a gist post a few years back (go

    figure) https://gist.github.com/lusis/015c7a39fa45ec38a34c

26. “Binary CM” - Upload source to “server” component - “Server”

    compiles binary for all hosts it knows about where the code would apply (i.e. role::webserver) - Optionally for unknown clients, the binary is on-the-fly compiled when the host “checks in” (e.g. golang cross-compile) - Entire CM run is contained in single binary artifact. Use rsync or more efficient p2p mechanism for transferring

27. Distributed CM

28. I talked to someone a few years back (go figure)

    Umm….how do I link a conversation in person?

29. This one is just sort of abstract Imagine a config

    management system This system uses a central server The central server goes down
30. None

31. What if…. Nodes could pull state in peer ring instead

    of a central server? Habitat’s supervisor is sort of like this. If we can do that, do we need a central authority?

32. And what about these things?

33. Wrap up/Questions?

34. Image Credits - https://i.ytimg.com/vi/M-yIMgy9_2o/hqdefault.jpg - http://www.stratoscale.com/wp-content/uploads/AWS-Lambda.png - https://s3.amazonaws.com/kinlane-productions/bw-icons/bw-serverless.png - https://www.beautypunk.com/wp-content/uploads/2015/10/NoOps-pink.jpg

    - http://res.cloudinary.com/blog-mornati-net/image/upload/v1472668207/sz9sfw iji9foh0cv1v5p.png - https://rhelblog.files.wordpress.com/2015/11/rh_atomic_bug_2cblue_text_cmy k.png - http://www.galls.com/photos/styles/b2b/bd256.jpg - https://s-media-cache-ak0.pinimg.com/originals/de/a1/5f/dea15f0b0ad8c8774 5bf0c7dac106e53.jpg -