
> [...] Ansible could be swapped for "any modern cloud configuration tool".

Deployment tool, not configuration tool. Ansible is awful for keeping an environment configured; it was designed from the ground up as somebody's deployment script.



What's an example of a configurable aspect of some environment that Ansible handles awfully but that another configuration tool handles well?

Generally, all these tools are doing the same thing, i.e. running a bunch of commands on a bunch of servers. I haven't discovered what specific details though indicate Ansible being less suitable (or unsuitable) for configuration management.

I could easily imagine that the 'modules' in Ansible aren't as robust as those in, e.g. Chef, at least for some platforms. But my experience so far having used both Chef and Ansible with Windows VMs (on VMware) is that Ansible is much better.


> What's an example of a configurable aspect of some environment that Ansible handles awfully but that another configuration tool handles well?

Hosts that were temporarily down when Ansible tried to ship configuration. CFEngine or Puppet just apply the changes some time later without the operator's intervention.

> Generally, all these tools are doing the same thing, i.e. running a bunch of commands on a bunch of servers.

So does Ant or Gradle. Something is different about the operation, though, because nobody uses Gradle to manage server configuration.

> I haven't discovered what specific details though indicate Ansible being less suitable (or unsuitable) for configuration management.

The architecture and the protocol.

With Ansible you get a synchronous sequence of operations that breaks on the first problem (e.g. a host is down for maintenance). This is OK for deployment, but not for ordering a configuration change, for which you don't care when it will be applied, as long as it's soon enough. Note that deployment and managing configuration are similar, but different things, and it's not uncommon to need to do both (although not at the same time).

Then the protocol. Ansible uses the brain-dead idea of using the debugging/interactive channel (SSH) to configure things, including possibly SSH itself. One small mistake can cut off all your remote access at once. It's a negligible risk if you only configure the SSH daemon when deploying the server, but it increases quickly in the long term.

Not to mention that managing SSH access properly (e.g. not ignoring warnings about hosts' public keys, but not just that) is much more tedious than keeping a CA, so SSH is a bad choice for unattended operations.
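
An added example, not written by any commenter in the thread: a small Python check that flags the `ansible.cfg` settings that make Ansible skip SSH host key verification, the practice the comment above warns against. Both sample configs are constructed; `host_key_checking` and `ssh_args` are real Ansible settings, while the function names are this example's own.

```python
import configparser
import re
import shlex

# Constructed sample ansible.cfg for illustration; not from the thread.
WEAK_CFG = """
[defaults]
host_key_checking = False

[ssh_connection]
ssh_args = -o ControlMaster=auto -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
"""

# Constructed counterpart with host key verification left on.
STRICT_CFG = """
[defaults]
host_key_checking = True

[ssh_connection]
ssh_args = -o ControlMaster=auto -o StrictHostKeyChecking=yes
"""

# ssh -o values that stop ssh from verifying or remembering host keys.
RISKY = {"stricthostkeychecking": {"no", "off"},
         "userknownhostsfile": {"/dev/null"}}

def ssh_options(ssh_args):
    """Yield (key, value) for each -o option: '-o K=V', '-oK=V' or '-o "K V"'."""
    tokens = shlex.split(ssh_args)
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            opt = tokens[i + 1]
        elif tok.startswith("-o") and len(tok) > 2:
            opt = tok[2:]
        else:
            continue
        m = re.match(r"(\w+)\s*(?:=|\s)\s*(\S.*)$", opt)
        if m:
            yield m.group(1), m.group(2)

def audit(cfg_text):
    """Return findings for settings that skip SSH host key verification."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    if not cfg.getboolean("defaults", "host_key_checking", fallback=True):
        findings.append("[defaults] host_key_checking is disabled")
    for key, value in ssh_options(cfg.get("ssh_connection", "ssh_args", fallback="")):
        if value.lower() in RISKY.get(key.lower(), ()):
            findings.append(f"[ssh_connection] ssh_args sets {key}={value}")
    return findings
```

Running `audit` over a repository's `ansible.cfg` in CI catches these settings before they reach unattended runs.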


Amen.

Ansible is great for fire and forget machines you don't need or care about. You need real config management with an audit trail when you go enterprise.



