puppet & chef in the automation toolchain - … · solutions for configuration automation, chef...
TRANSCRIPT
1
Puppet & Chef in the Automation Toolchain
2
DevOps Depends on PeopleIn a few short years DevOps has gone from
a fringe movement to a must-have for any
IT leader. There’s a lot of buzz around it, but
there’s a lot of practical knowledge in there
as well. Provisioning environments, deploying
applications, maintaining infrastructures--these
are all critical yet delicate tasks traditionally
done by hand. What if we could get a machine to
do all that stuff for us, not just saving hours of
work, but also removing the element of human
error?
So began the boom in configuration management
(CM) tools. Some regard CM solutions as
“DevOps in a Box,” but that’s not right. DevOps
is about collaboration between people, while
CM tools are just that: tools for automating the
application of configuration states. Like any
other tools, they are designed to solve certain
problems in certain ways. How effectively they
do so depends on the knowledge and ability of
the person wielding them.
A discussion regarding tools and DevOps should
therefore begin by considering the individuals
who will be utilizing the tools. The rise of so-
called “polyglot programmers” and systems
administrators with coding proficiency reflects
a general trend in IT towards despecialization.
Developers these days are adept in a number
of languages and approaches, applying each
accordingly based on the problem at hand.
Similarly, most systems administrators
possess competent programming abilities for
traversing the stack-- on top of the requisite
skills for managing IT operations. The industry
has been quick in attaching new labels to these
emerging hybrid roles: DevOps Engineer and
DevOps Specialist being the most common.
Notwithstanding, the key takeaway is that no
single IT skill is more important or valuable than
another; subsequently, many different tools are
required to do the job effectively. So as DevOps
is comprised of a group of concepts clustered
around the premise of continuous software
delivery, these concepts in turn encompass a
range of associated tools for fulfilling particular
functions.
Puppet or Chef?So when it comes to CM automation solutions,
should you choose Puppet or Chef? This age
old question of configuration automation &
provisioning has started more than one flame war
in its time. The most appropriate answer really is
“It depends.” However, an understanding of the
differences between the technologies and the
companies behind them may make your choice a
little easier. We will explore Puppet and Chef as
CM solutions in the context of the larger DevOps
toolchain, to help you decide which one fits your
needs.
Introduction
3
Understanding the Automation Toolchain
Project
Management
Requirements
Gathering
Versioning
Continuous
Integration
Configuration
Management
Monitoring
Discovery
New Baseline
Standardize
Examples:
Jira, Asana, Pivotal
Examples:
Word, Wikis, Spreadsheets
Examples:
Git, SVN
Examples:
Jenkins, Team City, Travis,
CircleCI, Drone.io
Examples:
Puppet, Chef, Ansible
Examples:
Shell Scripts
Examples:
CMDBs
Examples:
None
Examples:
None
Infrastructure changes are tracked as tickets in UpGuard
and sent to your project management tool of choice.
The requirements of current applications are avaliable in
UpGuard’s system state documentation.
Artifacts Code and UpGuard policies are versioned and
checked in to be used in build and deployment process
Continuous integration and deployment tools use
UpGuard policies to validate environments before
and after deployment.
UpGuard generates manifests for configuration
management tools like Puppert, Chef, Powershell DSC,
Ansible, Salt and more.
Configuration state is continuously checked for deviation
from baseline, much like you would with
performance monitoring.
Complete configuration state is documented and
accessible for anomaly analysis and troubleshooting.
After confirming the system state’s health,
UpGuard documents the new baseline
for development.
UpGuard provides the feedback mechanism from the
end of one development cycle to the beginning of the next.
4
Versioning and Source ControlTracking code level changes is a common
and necessary activity of today’s software
developers. Doing so enables concurrent
development, merging, and rollback capabilities
for applications/software. Source Control
Management (SCM) tools are popular options for
keeping track of software code; many DevOps
practitioners also track versions of their systems
configuration with these tools, essentially
managing their infrastructure “as code.” For
example, it’s a common practice for systems
administrators to store and manage their Puppet
Manifests or Chef Cookbooks in GitHub.
Continuing Integration and OrchestrationContinuous integration (CI) and orchestration
tools enable the integration of development code
into the overall software product frequently
and early in order to mitigate potential conflicts
down the line. Typically, these tools are employed
to automate software builds and testing, and are
crucial for applying quality control on a continual
basis (as opposed to after the software has been
developed and released). These tools can also
be used to track and manage changes for CM--
for example, CI tools can be used to test Chef
Cookbooks and Puppet Manifests for bugs and
errors, and be configured to do so automatically
every time infrastructure changes are committed
and merged.
Testing and ValidationTools and frameworks for testing and validation
are important for ensuring quality at all phases
of development. In many cases, unique solutions
are applied to a specific aspect of testing-- for
example, one tool may be used for unit testing
while another is used for integration testing.
Confirguation Management (CM)CM tools allow one to define the desired state
of a system and/or environment in regards to
configuration files, software installed, users,
groups and many other resource types. They
also provide functionality to automatically push
changes onto specific machines, also known as
automation and orchestration. This is where
Chef and Puppet live in the toolchain. Let’s take
a closer look now at CM tools to understand how
Chef and Puppet compare in this role.
Configuration Management ToolsAside from Puppet and Chef, which we will look
at in detail, there are other CM tools available on
the market.
CFEngineCFEngine runs on C, as opposed to Puppet’s
use of Ruby. C is the more low level of the two
languages, and one of the main complaints
regarding CFEngine is that the learning curve is
very steep. It does mean though that CFEngine
has a dramatically smaller memory footprint, it
runs faster and has far fewer dependencies.
SaltStackSalt, like Ansible, is developed in Python. It was
also developed in response to dissatisfaction
with the Puppet/ Chef hegemony, especially their
slow speed of deployment and restricting users
to Ruby. Salt is sort of halfway between Puppet
and Ansible – it supports Python, but also forces
users to write all CLI commands in either Python,
or the custom DSL called PyDSL. It uses a master
5
server and deployed agents called minions to
control and communicate with the target servers,
but this is implemented using the ZeroMq
messaging library at the transport layer, which
makes it a few orders of magnitude faster than
Puppet/ Chef.
AnisbleAnsible consists of two offerings: Ansible and
Ansible Tower, the latter featuring the platform’s
UI and dashboard. Despite being a relatively
new player in the arena when compared to
competitors like Chef or Puppet, it’s gained
quite a favorable reputation amongst DevOps
professionals for its straightforward operations
and simple management capabilities.
DockerTo think about CM in a different way, consider
Docker. Docker deploys software applications
with all the necessary parts in a container,
thereby ensuring it will run on any Linux server,
regardless of configuration and/or settings.
Containers can be created, configured, and saved
as templates for use on other hosts running the
Docker engine. These templates can then be used
to create more containers with the same OS,
configuration, and binaries.
Powershell DSCFor Microsoft shops, DSC is a management
platform in Windows PowerShell that enables
deploying and managing configuration data for
software services and managing the environment
in which these services run. DSC provides a set
of Windows PowerShell language extensions,
new Windows PowerShell cmdlets, and resources
that you can use to declaratively specify how
you want your software environment to be
configured. It also provides a means to maintain
and manage existing configurations.
Now that we’ve seen some of the various
offerings of Configuration Management tools
for DevOps, let’s dive into the two most popular
solutions for configuration automation, Chef and
Puppet.
6
Versioning and Source ControlTracking code level changes is a common
and necessary activity of today’s software
developers. Doing so enables concurrent
development, merging, and rollback capabilities
for applications/software. Source Control
Management (SCM) tools are popular options for
keeping track of software code; many DevOps
practitioners also track versions of their systems
configuration with these tools, essentially
managing their infrastructure “as code.” For
example, it’s a common practice for systems
administrators to store and manage their Puppet
Manifests or Chef Cookbooks in GitHub.
Continuing Integration and OrchestrationContinuous integration (CI) and orchestration
tools enable the integration of development code
into the overall software product frequently
and early in order to mitigate potential conflicts
down the line. Typically, these tools are employed
to automate software builds and testing, and are
crucial for applying quality control on a continual
basis (as opposed to after the software has been
developed and released). These tools can also
be used to track and manage changes for CM--
for example, CI tools can be used to test Chef
Cookbooks and Puppet Manifests for bugs and
errors, and be configured to do so automatically
every time infrastructure changes are committed
and merged.
Testing and ValidationTools and frameworks for testing and validation
are important for ensuring quality at all phases
of development. In many cases, unique solutions
are applied to a specific aspect of testing-- for
example, one tool may be used for unit testing
while another is used for integration testing.
Configuration Management (CM)CM tools allow one to define the desired state
of a system and/or environment in regards to
configuration files, software installed, users,
groups and many other resource types. They
also provide functionality to automatically push
changes onto specific machines, also known as
automation and orchestration. This is where
Chef and Puppet live in the toolchain. Let’s take
a closer look now at CM tools to understand how
Chef and Puppet compare in this role.
Chef and PuppetChefMerely labeling a tool as a DevOps solution does
not make it so. It must address contemporary IT
challenges in building/managing high-velocity
organizations while facilitating constant
improvement and collaboration between
groups. Tools—as critical agents of change—are
instrumental in both managing technology as well
as shaping culture:
“The tools we use reinforce the behavior; the
behavior reinforces the tool. Thus, if you want to
change your behavior, change your tools.”
– Adam Jacob, CTO, Chef
Chef Features and HighlightsAt the basic level, Chef is a tool for automation,
provisioning and configuration management. The
platform is made up of the following components:
Chef Server - the main hub where Chef
propagates and stores system configuration
information and policies (i.e., recipes and
cookbooks). The Chef management console is the
web user interface for Chef Server.
7
Chef Client - installed on every node being
managed, the Chef Client performs configuration
tasks on the local machine.
Workstation - allows designated workstations to
author/test/maintain cookbooks and upload them
to Chef Server. Workstations are also used when
utilizing the Chef development kit package.
Chef Analytics - a platform that provides
actions and run history, real-time reporting, and
notifications around Chef automation activities.
Chef Supermarket - an open source directory of
community-contributed cookbooks.
Chef Delivery - Chef Delivery is a set of tools that
add yet more developer-friendly features
like comprehensive codebase change histories,
metrics, and permissions management to the
platform.
Chef Delivery’s automated testing and
continuous integration/delivery tools augment
the platform with new features such as a shared
workflow pipeline, collaboration capabilities, and
enhanced analytics—as well as new ecosystem
integrations with AWS, Azure, and Docker, to
name a few. Though these enhancements are no
doubt a boon to Chef’s developer community,
Chef’s aspirations arguably have little to do with
becoming a developer-centric automation tool
and more with building a comprehensive platform
for DevOps pipeline management.
Improve Security with Chef VaultCustomer and/or community customizations
quite often become so widespread and integral
that they find their way into bonafide product
releases. This is certainly the case with Chef
Vault, a project started by Nordstrom to
improve upon the platform’s inherent security
mechanisms. Chef can natively store sensitive
data (e.g., SSL certificate keys, database
passwords) in encrypted “data bags”—
repositories of key/value pairs—for secure and
easy access. Management of these data bags,
however, is a tedious and error-prone process.
Chef Vault provides an additional layer of
security that enables easier management of these
encrypted data bags.
8
PuppetPuppet is considered a more operations and
sysadmin-oriented solution when compared to
Chef, though again—these role-based distinctions
are becoming less relevant with each release.
DevOps practitioners—both developers and
operations staff alike—strive to achieve optimal
conditions for continuous integration/delivery.
Tooling is therefore increasingly evaluated based
on its ability to achieve these ends effectively
and efficiently in the context of an enterprise’s
unique needs. Notwithstanding, Puppet has
enjoyed significant first-mover advantages over
the years, and though both Chef and Puppet have
been neck-to-neck market leaders since the early
days of IT automation, the latter boasts a longer
commercial track record and larger install base.
Currently on version 4.9, Puppet is commonly
deployed in a client/server configuration with
managed nodes periodically synchronizing their
configurations with the server. Reporting (e.g.,
results from automation runs, errors/exceptions)
and other information is sent by the clients
back to the server for aggregate analysis and
processing.
Puppet Features and HighlightsPuppet automation works by enforcing the
desired state of an environment as defined in
Puppet Manifests—files containing pre-defined
information (i.e., resources) describing the state
of a system. The core components that comprise
Puppet are as follows:
Puppet Server - the central server that manages
Puppet nodes (agents)
Puppet Agent - client software installed on
managed nodes that enables communication
and synchronization with the Puppetmaster
Puppet Enterprise Console - a web GUI for
analyzing reports and controlling infrastructure
resources
PuppetDB - data storage service for Puppet the
data produced by Puppet
Other key components worth mentioning over
others include MCollective, a framework for
supporting server orchestration or parallel
job execution, and Hiera—a hierarchical key/
value lookup utility for providing node-specific
configuration data to Puppet (for keeping
site-specific data out of manifests). Puppet has
integrated MCollective, Hiera, and a myriad of
other open source projects into its platform
to provide comprehensive automation and
management of mission-critical enterprise
infrastructures. Many community-contributed
add-ons are also available on Puppet Forge—
an expansive library of open source modules
for extending the platform’s features and
capabilities.
Puppet Node ManagerPuppet’s Node Manager enables the creation of
rules around node attributes, which allows for
easier more efficient node management. With
Node Manager, nodes can be managed based on
their job rather than name, eliminating the need
to manually classify each node. New updates
include powerful provisioning capabilities for
Docker containers, AWS infrastructure and bare-
metal machines.
Puppet Code ManagerPuppet has been a mainstay of the DevOps
movement since its inception and continues to
address the enterprise’s continuous
9
integration/delivery requirements. The
concept of “infrastructure-as-code” entails
using software development best practices
to manage infrastructure configurations and
provisioning details—including code review,
version control, and collaborative development,
among others. And like Chef, Puppet’s platform
has evolved in response to the growing needs
for a comprehensive mechanism to manage the
continuous delivery pipeline.
Introduced in Puppet Enterprise 3.8, Puppet
Code Manager provides a consistent, automated
way to change, review, test and promote Puppet
code in a continuous delivery framework.
Based around R10K—a general purpose toolset
for deploying Puppet environments and
modules by interfacing with a version control
system—Puppet Code Manager accelerates the
deployment of infrastructure by rendering it
a testable and programmatic process. And by
enabling easy integration with Git for version
control, this latest addition to the Puppet
platform further blurs the line between software
and infrastructure.
Software Defined Network (SDN)SDN is a new paradigm for networking that
decouples network control and forwarding
from physical infrastructure, enabling agile
management of network resources in rapidly
changing environments. Just as cloud computing
enables IT to quickly spin up compute and
storage instances on-demand, SDN replaces rigid
(and sometimes manual) network operations with
dynamically provisioned network services and
resources.
This new model for networking is right in line
with Puppet’s advocacy of “infrastructure
as code.” As such, the company has made
significant strategic initiatives and partnerships
in support of SDN. For example, Puppet
Labs recently announced a partnership with
Arista Networks—a leading developer of SDN
switches—to provide automation support to the
vendor’s SDN equipment line. This and other
similar partnerships (e.g, Cumulus Networks,
Dell, Cisco) will position Puppet favorably over
competing vendors once SDN technologies gain
widespread adoption.
Chef or Puppet?Chef and Puppet continue to expand their
automation platforms in response to the needs
of the DevOps-enabled enterprise. Both vendors
are forging partnerships that may ultimately
define—as Chef would put it—what school of
DevOps a particular organization belongs to.
Recently, the two have partnered with Microsoft
to integrate their platforms with Azure, and
Puppet—no stranger to being a first mover—has
made key alliances with leading SDN vendors to
position it favorably once the technology takes
hold. So if your organization plans on adopting
SDN, Puppet might be a stronger candidate in
this respect.
Security is an enterprise-wide concern these
days and should be taken into account when
evaluating technologies. Chef has made
significant strides in improving its platform’s
security with Chef Vault. It’s interesting that
Puppet Labs rebroadcasts CVEs for vendored
software such as ruby while Chef does not,
despite both products including Ruby as a core
component. It’s also difficult to believe Chef
hardly ever finds vulnerabilities in any of their
software, whereas Puppet published CVEs on a
regular basis.
10
In short, both IT automation platforms have
matured greatly as enterprise solutions. We’ve
highlighted some of Chef and Puppet’s key
attributes and benefits—selecting the right
option comes down to identifying each platform’s
core competencies and determining which of
these fall in line with your organization’s unique
needs and requirements. Regardless of which
automation platform you choose, UpGuard can
complement either solution to round out the
DevOps toolchain with advanced vulnerability
assessment and monitoring, ensuring that
security—as a function of quality—is baked in at
every step of the continuous delivery process.
A typical DevOps toolchain might consist of
the following: UpGuard to discover and track
what you have and to determine what your
environment should look like. The platform
then outputs to a tool like Chef or Puppet for
provisioning and automation-- or directly to
Docker for creating containers or Vagrant for
creating development and test environments.
Once systems changes and applications have
been deployed to production, UpGuard can
validate that the changes have indeed been rolled
out successfully, and provide further validation
that any deployed applications and systems are
free of vulnerabilities through comprehensive
vulnerability scanning.
In the context of DevOps, the whole is truly
greater than the sum of its parts. One must
be equipped with the proper range of tools
to address the unique, ongoing challenges of
continuous integration and software delivery,
and no one tool can do the job alone. DevOps is
about delivering higher quality applications
quicker and with less errors; this is accomplished
by breaking down silos between development and
operations and creating a smoother path towards
software delivery. DevOps and its underlying
concepts provide undisputed benefits to any
forward-thinking organization, and the DevOps
toolchain provides mechanisms to realize these
benefits.
Conclusion
11
Businesses depend on trust, but breaches and outages
erode that trust. UpGuard is the world’s first cyber
resilience platform, designed to proactively assess and
manage the business risks posed by technology.
UpGuard gathers complete information across
every digital surface, stores it in a single, searchable
repository, and provides continuous validation and
insightful visualizations so companies can make
informed decisions.
909 San Rafael Ave.Mountain View, CA 94043
+1 888 882 3223www.UpGuard.com
UNKNOWN
© 2017 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard logo are registered trademarks of UpGuard, Inc. All other products or services mentioned herein are trademarks of their respective companies. Information subject to change without notice.