[Infrastructures] Radmind vs. Isconf ?

Wesley Craig wes@umich.edu
Thu, 7 Apr 2005 00:38:14 -0400


On 05 Apr 2005, at 22:26, Steve Traugott wrote:
> A bunch of us sat down at LISA 2003 and went over Radmind; Patrick had
> presented it in the infrastructures workshop.  (Make sure to see the
> Radmind paper from that year as well.)

The paper is here:

     http://radmind.org/files/LISA-radmind.pdf

It covers some comparisons between radmind, cfengine, lcfg, etc.

> The impression I came away with
> was that Radmind gives you a way to maintain the baseline image, plus
> any deltas, as rsync-like sets of changed files (not what they call it
> -- I'm digging this out of my sieve-like memory).   

It's not really important what we call it, but "loadsets".

> The main conceptual difference between Radmind and ISconf is that, while
> ISconf expects to distribute native rpm, deb, tarballs, and other
> packages from upstream, Radmind specializes in making it easy to
> redistribute the results of applying a package, rather than the package
> itself.  An overly simplistic way of looking at Radmind is that it's a
> more granular version of systemimager, implements its own protocol
> rather than using rsync (right guys?) with more tools for capturing and
> managing deltas and exceptions.  (This is a horrible analogy, I'm gonna
> get pummelled again). ;-)  Systemimager's optimized for image install,
> Radmind is optimized for ongoing maintenance.  (What do most Radmind
> users use for network install?)

Protocol: yes, radmind implements SSL/TLS over an SMTP-like  
protocol.  Verbs are basically "retrieve", "store", and "stat".  I  
would probably say the main difference between most other tools and  
radmind is that radmind can detect that a managed file no longer  
matches what the admin said it should be.  This basic idea is  
leveraged into the ability to 1) tripwire, 2) capture differences, 3)  
apply captured differences to other machines, and 4) roll back changes.

> A better analogy might be an R/W version of tripwire -- I think that idea
> was some of the inspiration for radmind.

Absolutely.

> I remember we talked about how files get selected for change sets,
> because I was concerned about (a) finding everything and (b) doing it
> quickly, but they seemed to have that covered; I don't remember how.

Quickly here means <1 minute to scan most information, longer if  
checksums are enabled.

> Radmind also has a concept of excludes ("negative space"?) which have to
> be managed, and probably a post-replication trigger facility for
> per-host customizations like IP and hostname.

radmind has *both* per-host customization ("special files") and pre-  
and post- change triggers.

> I came away convinced
> that radmind avoids most classes of ordering issues with the *possible*
> exception of replacing the radmind client agent itself, or any prereqs,
> though they might have avoided that too.

We frequently update radmind using radmind.  It works pretty well.   
You can shoot yourself in the foot (it's a tool, not an admin :) by  
telling radmind to *remove* radmind.  Once you've done that, you'll  
need to install radmind by hand to continue using it.

> - The way they list named file sets in an ordered high-level manifest
>   file (again not what they call it) means that, even if more than one
>   file set contains the same file, the same one (the last one?) always
>   wins.  This will work as long as you only append to the manifest file,
>   and never edit or remove an existing entry (it might work in other
>   cases; need to think about it).  The manifest file plus the content of
>   the individual file sets adds up to one big transaction log.  I don't
>   remember (or never knew) if they're checkpointing that log at any
>   point, or if the entire disk gets scanned/updated every run, or
>   something else.

We call the manifest a "transcript".  I mentioned in another note  
that radmind doesn't have the idea of partially changing individual  
files.  The highest precedence transcript wins.  However, it's  
unusual that this is a problem.  When it *is* a problem, radmind  
provides the tools for the admin to *detect* that it will be a  
problem.  In general, radmind provides a means for an admin to detect  
what changes are made when they do things.  This is very educative.

:wes
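The mechanism Wes describes above (a transcript stating what each managed file should be, an ordered list of transcripts where the highest-precedence one wins, a scan that flags drift, and capturing that drift as a new loadset) as an added, self-contained Python model. This is not radmind's code and does not use radmind's transcript or command-file format: the `Entry` layout, the "last transcript listed wins" rule, the `negative` list for files that should be absent, the helper names and the sample file tree are all assumptions constructed for this illustration.

```python
"""Toy model of transcript-based drift detection (added example, not radmind's code).

Assumed model: a transcript is a dict {relative path: Entry}; an ordered list of
transcripts stands in for the command file, with a later transcript overriding
an earlier one for the same path; removed files are captured as a "negative" list.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    mode: int      # permission bits, including setuid/setgid/sticky
    size: int
    sha256: str    # "-" when checksums are disabled


def scan_tree(root, checksum=True):
    """Build a transcript of every regular file under root.
    checksum=False compares metadata only: faster, but blind to same-size edits."""
    transcript = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = "-"
            if checksum:
                h = hashlib.sha256()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            rel = os.path.relpath(full, root)
            transcript[rel] = Entry(stat.S_IMODE(st.st_mode), st.st_size, digest)
    return transcript


def merge(ordered):
    """Resolve an ordered list of transcripts: the last one listed wins (assumed rule)."""
    expected = {}
    for t in ordered:
        expected.update(t)
    return expected


def overlaps(ordered):
    """Paths claimed by more than one transcript, with the positions that claim them.
    This is the check to run before trusting the precedence rule."""
    owners = {}
    for i, t in enumerate(ordered):
        for path in t:
            owners.setdefault(path, []).append(i)
    return {p: idx for p, idx in owners.items() if len(idx) > 1}


def diff(expected, actual):
    """Tripwire step: (added, removed, changed) paths where disk disagrees with expectation."""
    added = sorted(set(actual) - set(expected))
    removed = sorted(set(expected) - set(actual))
    changed = sorted(p for p in set(expected) & set(actual) if expected[p] != actual[p])
    return added, removed, changed


def capture(expected, actual):
    """Turn a diff into a new loadset: positive entries for added/changed files,
    a negative list for files that should no longer exist."""
    added, removed, changed = diff(expected, actual)
    return {p: actual[p] for p in added + changed}, removed


def _write(root, rel, data, mode):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: baseline + site overlay, then drift on the host."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n", 0o644)
        _write(root, "bin/tool", b"#!/bin/sh\necho ok\n", 0o755)
        base = scan_tree(root)                                   # baseline loadset
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n10.0.0.5 fs\n", 0o644)
        site = {"etc/hosts": scan_tree(root)["etc/hosts"]}       # site overlay loadset
        expected = merge([base, site])
        shared = overlaps([base, site])                          # etc/hosts claimed twice
        # Drift: tool made setuid, rogue file dropped, hosts edited to the same size.
        os.chmod(os.path.join(root, "bin/tool"), 0o4755)
        _write(root, "tmp/rogue", b"x", 0o644)
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n10.0.0.5 xx\n", 0o644)
        full = diff(expected, scan_tree(root, checksum=True))
        meta_only = {p: Entry(e.mode, e.size, "-") for p, e in expected.items()}
        fast = diff(meta_only, scan_tree(root, checksum=False))
        positive, negative = capture(expected, scan_tree(root))
        return shared, full, fast, sorted(positive), negative


if __name__ == "__main__":
    print(demo())
```

Two results of `demo()` are worth noting. `overlaps()` reports that `etc/hosts` is claimed by both transcripts, which is the kind of "detect that it will be a problem" tool Wes refers to; precedence then resolves it in favour of the overlay. The metadata-only scan catches the setuid bit and the rogue file but misses the same-size edit to `etc/hosts`, which is the trade-off behind the "longer if checksums are enabled" remark: the fast scan is a reasonable routine check, but only the checksummed scan is a real tripwire.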