Configuration Management is a solved problem(?)

I’m sorry

About me - Operations Staff Engineer @ - @lusis on twitter, github and other stuff - (retired) DevOpsDays core organizer - He/Him/His - Father/Husband - All around opinionated bastard

Story Time

DevOpsDays Mt. View 2011 Orchestration Panel “Configuration management is a solved problem” - me

“lol nope” - Andrew Clay Shafer (paraphrased)

What I meant to say was... - The tools do what they were designed to do - Not everything is CM shaped - “Past performance is no guarantee of future results”

Obviously it’s not a solved problem

The Dirty Secret

Services matter. Not Servers.

But we still have servers to configure…..

Unscientific Study - Packages - Daemons - Files - Templates - Users

Everything else Is (arguably) better handled by another tool - Orchestration - Application Lifecycle Management - Secrets Management - Binary Distribution

So with that in mind…. What do I think we’re still missing? What does a “next gen” CM tool provide?

Active Enforcement

I wrote a blog post a few years back (go figure) http://blog.lusis.org/blog/2012/05/24/configuration-drift-and-ne xt-gen-cm/

Inspired by….

Current Behaviour - CM is running - This file doesn’t look like it’s supposed to - CM changes file - CM isn’t running What happens in the 5/10/30/60 minutes/hours/days in between?

Can we create a system that actively responds to (and optionally PREVENTS) changes to systems outside of CM policy?

Consider - FSEvents - kqueue - inotify - dbus - kbus - dm-verity-alike Do we really want to register watches/hooks for EVERY file CM manages?

If our scope is limited to core competency, maybe?

Maybe the kernel needs more efficient hooks to enable this (think libnetfilter_queue but for files)

Can we get something like this instead of a new init system? Asking for a friend

“Truly Compiled Catalogs”

I wrote a gist post a few years back (go figure) https://gist.github.com/lusis/015c7a39fa45ec38a34c

“Binary CM” - Upload source to “server” component - “Server” compiles binary for all hosts it knows about where the code would apply (i.e. role::webserver) - Optionally for unknown clients, the binary is on-the-fly compiled when the host “checks in” (e.g. golang cross-compile) - Entire CM run is contained in single binary artifact. Use rsync or more efficient p2p mechanism for transferring

Distributed CM

I talked to someone a few years back (go figure) Umm….how do I link a conversation in person?

This one is just sort of abstract Imagine a config management system This system uses a central server The central server goes down

No content

What if…. Nodes could pull state in peer ring instead of a central server? Habitat’s supervisor is sort of like this. If we can do that, do we need a central authority?

And what about these things?

Wrap up/Questions?

Image Credits - https://i.ytimg.com/vi/M-yIMgy9_2o/hqdefault.jpg - http://www.stratoscale.com/wp-content/uploads/AWS-Lambda.png - https://s3.amazonaws.com/kinlane-productions/bw-icons/bw-serverless.png - https://www.beautypunk.com/wp-content/uploads/2015/10/NoOps-pink.jpg - http://res.cloudinary.com/blog-mornati-net/image/upload/v1472668207/sz9sfw iji9foh0cv1v5p.png - https://rhelblog.files.wordpress.com/2015/11/rh_atomic_bug_2cblue_text_cmy k.png - http://www.galls.com/photos/styles/b2b/bd256.jpg - https://s-media-cache-ak0.pinimg.com/originals/de/a1/5f/dea15f0b0ad8c8774 5bf0c7dac106e53.jpg -