This rant on CM software was written two years ago but is sadly still valid today. On my blog I have focused on the lack of true state management in the current generation of tools. Kevin Bowling, the author of the rant, is annoyed by the lack of out-of-the-box support for basic Linux OS and core infrastructure configurations. Instead, he rightfully points out, every admin has to write his own custom configuration in order to use the CM tool. This means we are all reinventing the wheel thousands of times over. I agree completely.
If you look at, for example, the list of core Puppet “resource” types you will see that it actually boils down to just a few key ones: users, files, packages, and processes. The other CM tools are largely the same. If you want to manage BIND, DHCP, Postfix, Apache, MySQL, etc., or even iptables, you will have to hunt for an additional module/resource/recipe. The problem is that those applications are the bread and butter of Linux servers. They are the whole point. If the CM tools included support for these applications as core, and included default best-practice configurations which we could modify to fit our environment, that would make them much more useful.
To be fair, we are still in the early phase of this technology, so the vendors are still trying to figure out how the tools should behave and to make basic features work. On the other hand, CFEngine has been around for 20 years and (as far as I could tell by reading its documentation) doesn’t provide out-of-the-box configurations for core infrastructure either. After 20 years I would expect to download CFEngine, point to a text file saying “Centos, mySQL, php, and Apache”, and snap! I have a server fully configured, optimized, and secured according to the very latest expert guidelines and ready for a few site-specific modifications. I don’t think the tools are at that stage yet.
I view the “configuration management” tools as really being automated systems administration tools. Hence, in addition to the convenience of automated user and package management, they need built-in expertise. Expert guidance on configuring basic tools like BIND should be built into the tools themselves. That is the kind of functionality that will make a human systems administrator’s job easier. Maybe we could pay an annual subscription fee to have the latest configurations, just like we do for anti-virus and web blocking software?