[Infrastructures] Is cfengine a good tool?

Luke A. Kanies luke@madstop.com
Fri, 21 Feb 2003 21:39:13 -0600 (CST) 

On Fri, 21 Feb 2003, Tim Writer wrote:

> > I think that cfengine provides some functionality all in one place that's
> > really hard to duplicate manually, but the hoops you have to jump through
> > to get there are not very fun.
>
> That's the part I'm not convinced about.  The cfengine docs suggest that it's
> superior to Perl and make for example.  While I agree, that the intent of:
>
>     AppendIfNoSuchLine "..."
>
> is clearer than the correpsonding Perl code, I find that its even easier to
> write unmaintainable cfengine "code" than Perl.  Perl has its warts, no
> question.  But wouldn't it make more sense to write a coherent suite of Perl
> modules aimed at performing some of the tasks cfengine does?  IOW, start with
> a powerful, widely ported programming language and "tune" it to the task of
> infrastructure management, rather than a weak language with some builtin
> "knowledge" of system management that you quickly outgrow.

Well, in my opinion it's more than just a question of the modules that
do the work, it's also about how you store the information that gets
turned into the work, i.e., the language.

There is much talk of this on the lssconf (large system configuration)
mailing list, which came out of the 2002 LISA configuration workshop; some
are of the opinion that cfengine is a great tool for generated code, while
some have their own tools, and many are in the process of writing
something with a similar goal.

> > Cfengine is kind of amazing in that I've never seen a tool used so heavily
> > but which has so many people trying to work around it.
>
> So, I'm not completely out to lunch.  That's too bad because I was hoping
> cfengine would simplify my life.

Well, I think it can do so, just not as much as one might hope.  I find
that I spend far more time debugging exactly how to get something to work
in cfengine than I do in other languages, but I still save time overall,
especially since once something is true, it's always true so you don't
have to worry about it.

In my case, I've already got ISconf installed everywhere, so it's
straightforward to deploy cfengine along with that (and I'll hopefully be
releasing my cfengine/ISconf integration module this weekend).  I mainly
plan on using cfengine to do permission/ownership checking, file copies,
and process checking; I already have scripts that do most of this, but
cfengine has equivalent or better functionality than any of them, and
provides it all in one place, so I think it's worth deploying.

I just don't consider it a silver bullet, and I'm very happy to have
ISconf to work with it.

Luke

-- 
"DOS is the _only_ operating system -- and I'm using that term
loosely -- which [exhibits this behavior]."
                -- Aeleen Frisch, "Essential System Administration"