
Ask HN: How do you handle configuration management? - jsntrmn
I ask for two reasons:

1.) My company mandates the use of Jenkins for "all the things" CI/CD related. A significant component of my team's domain is a heavily customized off-the-shelf commercial product. This product comes with a plethora of configuration. We are tasked with using Jenkins to deploy config changes to production, and this has proven to be an inflexible pain in the rear.

2.) My company has an enterprise Puppet license, which to me seems a much better fit for our use case. One major caveat is that my company is devoutly beholden to its shareholders, which means it favors FOSS (extreme emphasis on FREE) solutions as much as possible. This has me thinking Ansible.

I'm curious as to what you use and why you use it. I'm also open to any suggestions as to how I can convince both my manager and upper management that Jenkins just isn't cutting it.
======
git-pull
Fabric.

[http://www.fabfile.org/](http://www.fabfile.org/)

Works over SSH. Uses pure Python. No need to deploy and configure
minions/agents/etc.

Fabric also benefits from being highly composable. Since it's python, you can
parametrize and reuse functions and create class-based tasks [1]

Want to use Fabric with python 3? Here is a fork with Python 3 support:
[https://github.com/mathiasertl/fabric/](https://github.com/mathiasertl/fabric/)

If you use fabtools, I maintain a fork of it for fabric3:
[https://github.com/develtech/fabtools/tree/fabric3](https://github.com/develtech/fabtools/tree/fabric3)

[1] [http://docs.fabfile.org/en/1.14/usage/tasks.html#task-subcla...](http://docs.fabfile.org/en/1.14/usage/tasks.html#task-subclasses)

~~~
jsntrmn
I've been writing so much boring backend Java for so long... Some Python would
be a sorely needed breath of fresh air. Thanks for pointing me in this
direction. I might just play around with it on my homelab for the fun of it!

------
dodgyb
This is an interesting read on Config Management which essentially concludes
that makefiles with Jenkins (etc.) work best:

[https://fortyft.com/posts/ansible-puppet-chef-no-thanks/](https://fortyft.com/posts/ansible-puppet-chef-no-thanks/)

For more bells and whistles (and a steeper learning curve) try Escape:

[https://escape.ankyra.io/docs/what-is-escape/](https://escape.ankyra.io/docs/what-is-escape/)

~~~
jsntrmn
Thank you for the article link! It was an interesting read, indeed. I hadn't
thought of this seemingly obvious approach, and it's one that won't be too
difficult to pitch to management.

------
nodesocket
I've been trying as much as possible to stick to Packer[1] (create AMIs /
Images) and Terraform[2] for executing arbitrary commands and shell scripts.
Some may argue this is not truly configuration management because it does not
constantly check and maintain desired state.

[1] - [https://packer.io](https://packer.io)

[2] - [https://terraform.io](https://terraform.io)

------
dozzie
> This has me thinking Ansible.

Yeah, no, bad choice. Ansible only pushes configs to remote servers, and
online ones at that. Don't expect a retry if any of the servers is down. Good
match for deploying things, but terrible for long term management. It's
somewhat similar in this regard to Jenkins.

Also Ansible's approach of using SSH (directly to root or through sudo) is
brittle; prepare for outages if you start changing sshd config or sudoers, as
it's easy to cut off all your channels: configuration distribution, running
predefined procedures, and debugging. And there's more, like managing hosts'
public keys being a PITA (as always with SSH) or the weird way of encoding a
programming language as YAML with a mismatching preprocessor (Jinja2).

If you have Puppet deployed, stay with Puppet for managing configuration.

~~~
vr46
That’s not quite true. Ansible will happily run locally without SSH. A machine
can easily be configured to pull Ansible roles from git or S3 and then run a
playbook.

------
mariocesar
I use ansible to do remote execution, and upload more complex scripts to do
tasks. Doing everything with Ansible is hard and most often you spend more
time learning the quirks of Ansible and not solving problems.

Ansible for remote execution and writing your own scripts, that has been a
good combination for me.

Very recently I remade all my bash and makefile scripts to use just python
scripts with
[https://github.com/mariocesar/boot.py](https://github.com/mariocesar/boot.py),
taking advantage that all my instances have Python 3.6 by default.

Having python3 for scripting makes doing sysadmin work joyful.

------
atsaloli
I use CFEngine -- because of its maturity, wide range of supported platforms,
and the amazing support I experienced from the author and community.

I wrote this 3 years ago and it's still true today:
[http://verticalsysadmin.com/blog/cfengine-is-awesome/](http://verticalsysadmin.com/blog/cfengine-is-awesome/)

Offering training and consulting on CFEngine has allowed me the privilege of
training top-notch talent from all over the world (and to see more of the
States).

------
akulbe
The project I'm working on currently, it's 95% Chef. The remainder is Ansible.
We use Ansible for what it's good at, and Chef for the rest.

------
rahulgulati
Have you tried AWS OpsWorks for Puppet Enterprise or Stacks yet?

