[CentOS] Spacewalk or Puppet?

Wed Nov 4 18:07:54 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

nate wrote:
> 
>> What good is a configuration tool if it can't handle a change in NIC
>> setup?  That's really about the only thing that is enough trouble to do
>> manually that it is worth more automation than a shell loop of ssh commands.
> 
> Just wondering what kind of NIC setup? In the hundreds of systems I
> have managed I've never had to change the default NIC settings. If
> you mean interface (IP/etc) setup then that could be an issue, for
> me I have a script that grabs the MAC addresses and serial numbers
> and polls a web server with config files associated with them to
> configure interfaces upon system installation (I haven't had to
> change them post install, I prefer just to re-install if the system
> is being re-purposed).

Most of our machines have 5 or so NICs, each connected to special 
purpose subnets.  And even the ones that only need 1 or 2 connections 
will have the same physical setup so the servers are reusable.

>> Exactly - and remote 'hands on' support generally won't know which NIC
>> is which, making this fairly problematic.  And you can't just clone
>> setups because the copies won't work with different MAC addresses.
> 
> If your setup is simple, e.g. 1 network, what I do is I bond all
> of the interfaces into a single bond in active/passive mode, that
> makes all of the NICs available for the same purpose, no need to know
> what is where. If the system needs to access another part of the
> network that is handled via routing not via physical connection.

It's not simple.  Some of the networks will have multicast data feeds, 
others have backend data, admin access, or are public facing.  So, I 
need to configure the correct addressing and routes for each.

> If you have an issue where you need to change a NIC's duplex
> setting because of a flawed switch I'd suggest you look at replacing
> your switches (at least going forward).

Of course, but that's the point.  If you've had old Cisco switches that 
didn't auto negotiate well, you'll have all of the connected equipment 
set to force full duplex.  Then when you replace the switch you have to 
undo that - probably one subnet at a time.  How do you manage real-world 
things like that with a configuration tool?

> I've only had to screw with
> the duplex setting on a couple of occasions about 5-6 years ago
> with really old HP big iron. Hundreds of x86 boxes and different
> switch types/models/vendors later never had a problem.

OK, but it's configuration, and it affects every piece of equipment once 
if you start with older infrastructure.

>> small sets.  Do any of the tools make this easy?  That's the main reason
>> I haven't used OCSinventory's deployment mechanism even though its
>> cross-platform capabilities are appealing in a mixed environment.
> 
> Define easy, in cfengine and puppet (I'm sure, never used it though)
> you can define a class of systems and roll the change out to that
> class.

Easier than an ssh loop that does a 'yum update xxx' or similar command 
across a set of machines.

> OCS really is a poor management system IMO, it's ok for
> inventory but the rest is crap.

Yes, but what else works cross-platform?  I'm toying with the idea of 
using its agent to run a command, but running the agent via ssh or 
winexec/psexec (windows) to control the timing.

> Can't speak for spacewalk, it sounds
> like a decent inventory/installation system for redhat-based systems
> but I myself wouldn't use it beyond that role.

I can't quite deal with the idea of needing to abstract OS commands and 
doing it in a way that still only works with one OS.  Why not either 
just automate the actual commands you need to run, or fix the commands 
in the first place if they are so bad that you have to abstract them 
into some new language.  And RHEL/CentOS boxes are a small part of the 
operation at the moment.

> My own cfengine configuration consists of roughly 17,000 lines and
> a couple thousand files that are pushed out to various systems (in many
> cases I push out entire config files rather than having cfengine
> edit them inline).

And that's supposed to be the easy way?

> It takes some time to get ramped up (I've been working with
> cfengine for many years) but once you're there life is a lot
> easier. Probably took me a good 2 years of learning. A lot of
> it revolving around changing the way you think, how can X concept
> be applied in a more generic fashion to dynamically adapt to more
> systems automatically for example. Such as defining a dynamic
> class so when you build a new server it automatically gets everything
> it needs without having to go touch your policy files.

Could you switch arbitrary boxes to windows or some other OS without 
changing what the operators see?  If you are still tied to the arcana of 
the underlying system - and vulnerable to its changes, what does this 
get you?

-- 
    Les Mikesell
     lesmikesell at gmail.com
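An added illustration of the "undo forced duplex one subnet at a time" problem raised in the post above (example shell, not code from either poster): it audits CentOS-style ifcfg-* files for a forced-duplex ETHTOOL_OPTS line and removes it only on the subnet whose switch was replaced. The ifcfg layout and the ETHTOOL_OPTS key are the standard network-scripts format; the sample files, interface names and addresses are constructed and written to a temp directory.

```shell
#!/bin/sh
# Constructed sample of /etc/sysconfig/network-scripts (not a real host).
NETDIR="$(mktemp -d)"
cat >"$NETDIR/ifcfg-eth0" <<'EOF'
DEVICE=eth0
IPADDR=10.1.1.5
NETMASK=255.255.255.0
ETHTOOL_OPTS="speed 100 duplex full autoneg off"
EOF
cat >"$NETDIR/ifcfg-eth1" <<'EOF'
DEVICE=eth1
IPADDR=10.2.2.5
NETMASK=255.255.255.0
ETHTOOL_OPTS="speed 100 duplex full autoneg off"
EOF
cat >"$NETDIR/ifcfg-eth2" <<'EOF'
DEVICE=eth2
IPADDR=10.3.3.5
NETMASK=255.255.255.0
EOF

# Print the DEVICE name of every interface whose ETHTOOL_OPTS forces duplex,
# so the leftover "force full duplex" settings can be inventoried first.
forced_duplex_ifaces() {
    grep -l '^ETHTOOL_OPTS=.*duplex' "$NETDIR"/ifcfg-* 2>/dev/null |
        while read -r f; do sed -n 's/^DEVICE=//p' "$f"; done
}

# Drop the forced-duplex line only for interfaces whose IPADDR starts with
# the given prefix (e.g. "10.1.1."), i.e. the subnet behind the new switch.
# Rewrites via a temp file so it works with any POSIX grep/mv.
revert_duplex_on_subnet() {
    prefix="$1"
    for f in "$NETDIR"/ifcfg-*; do
        grep -qF "IPADDR=$prefix" "$f" || continue
        grep -q '^ETHTOOL_OPTS=.*duplex' "$f" || continue
        grep -v '^ETHTOOL_OPTS=' "$f" >"$f.tmp" && mv "$f.tmp" "$f"
        sed -n 's/^DEVICE=//p' "$f"   # report which interface was reverted
    done
}
```

On a real box the interface still needs a restart (or an ethtool call) for the change to take effect; this only edits the persistent config.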