Posts Tagged ‘chef’

Puppet, Chef, deterministic ordering and the much maligned DSL

January 14th, 2010

This morning I came across a post entitled Puppet versus Chef: 10 reasons why Puppet wins. The post attempts to explain the differences between Chef and Puppet and why Puppet is superior. The post wasn’t great IMHO, personally I thought it was fairly poorly reasoned and made some, potentially accurate, but throughly unsubstantiated claims.

Leaving aside the issues with the post itself though, it did prompt an interesting comment thread, particularly comments between Opcode’s CTO Adam Jacob and Reductive Lab’s Teyo Tyree (links are to the respective comments – Adam’s and Teyo’s reply).

I’m going to quote Teyo’s comment in full because I think it answers a lot of question that people have had about some of the key differences between Puppet and Chef – dependency modelling and DSL:

There is a misstatement in your assessment of Puppet’s dependency handling. You express Chef’s ordering as deterministic and imply that Puppet is in someway non-deterministic. This is not the first time you have implied this publicly, so I thought I should bring some clarity to your misstatement. The actual differentiation is procedural ordering versus a dependency graph. Puppet provides a graphing model for ordering versus a procedural model. Sure, you get procedural ordering for free with Ruby, it seems easier, and I am aware that this was a design decision for you guys. We also know that you were frustrated by “having” to express dependencies in Puppet in order to ensure consistent ordering. Properly expressed dependencies in Puppet provide ordering where you care to have it. Procedural ordering is implicit even if you don’t care. This is a BIG difference, perhaps the fundamental difference between Puppet and Chef and one that was designed into Puppet because of experiences we had trying to cope with a large code base of procedurally order scripts to manage an enterprise infrastructure. Yeah we were using make, yeah that was crazy, crazy but informative.

Your omission is related to your design decision to avoid dependency graphing, which you yourself have admitted has some major downsides, namely the inability to provide a reasonable dry-run mode, http://bit.ly/4Gcz7G. Frankly, I don’t know how you develop with out a dry-run mode, but hey I am a sysadmin not a developer.

Without a graph of resource dependencies, we would have no way of separating concerns. Consider the use case of implementing security standards. Ideally, you would want any given configuration run to bring your system into complete compliance. That sounds great but would you really want security policies not to be implemented because some earlier procedure was unable to succeed, say because it was pulling in data from a source that was not available.

So here is the difference in a nutshell. Puppet generates a catalog of dependent resources. This catalog is shipped to the clients and acted on by the Resource Abstraction Layer (RAL). On the other hand Chef, ships the required Ruby code for any node’s configuration and orders the execution of that code procedurally. These are the core differences. The DSL issues become moot if you consider Shadow Puppet or the Ruby DSL that we are developing as part of Puppet’s next release. The real difference, and IMHO Puppet’s advantage is our resource model and it’s dependency graphs versus a monolithic procedural chunk of Ruby code delivered to every client.

Here are some derived advantages of our model and a little love for the much maligned declarative external DSL:

1) Graphing base branch independence.

Parts of a catalog can be implemented more often than others. That is to say, we can tag certain resources to be checked and reconfigured more often. Additionally, parts of a configuration can be meaningfully checked but not acted on (See Adam’s discussion of noop http://bit.ly/4Gcz7G). Our customers/community love this and without a graph I don’t see how it is possible.

2) Cross host dependencies.

Our data model passes dependencies into our catalog caching system, so cross host dependencies can be resolved as well. This isn’t currently available but the framework exists and we intend to take advantage of it.

3) Failures are contained.

Critical parts of a configuration run are not excluded because of non-dependent failures.

4) Low barrier to entry for non-rubyist.

Non-rubyist can take advantage of the specification language out of the gate and Ruby developers can take advantage of the current Puppet plugin API and the future Ruby DSL, so everyone gets to use their favorite hammer.

5) Don’t like our DSL, don’t like Ruby?

Because we are only generating a catalog from the configuration language it should be fairly straight forward for anyone to generate a catalog using whatever language they choose and the RAL would be able to act on it. Come on Python people you know you want to generate catalogs with Python.

6) I can’t run Ruby on my switch!

Because we are using a data model for resources, devices that can’t/don’t have access to Ruby could still use the catalog as a basis for configuring themselves. Routers, switches, firewalls, could all be configured using the same specification language independent of how the specification is implemented, but with the resource model intact.

Finally, I think that you were a little hard on John about his comments on Chef being Rails focused. Certainly he misspoke, but the truth is that Chef development has been focused on web-application rollout in fairly homogeneous environments. Sure you can use Chef to manage the initial deployment of a web application, but in environments where you may have lots of teams utilizing compute resources for various application architectures, Puppet’s resource model shines. Security administrators can develop their Puppet manifests and not need to worry that security policies are not going to be applied because the DBA teams manifests failed. Operations teams can run Puppet in noop mode persistently and be notified if their configuration is out of compliance. Developers can make sure that the infrastructure they need for successful application deployment is available without having to worry that the security policy failed to be applied. Everyone gets to be friendlier with one and other and perhaps even get to the pub earlier on occasion.

Disclosure & Disclaimer – I am Puppet’s Release Manager and obviously heavily involved with the Reductive Lab’s team and the project. My opinions are my own and not representative of my employer or Reductive Labs.

2 comments »

Posted in Blog, puppet

Tags: chef configuration management deterministic DSL puppet

Tivo-Devo (Or casino rouge: i would make love to it if i could)

May 12th, 2004

*rant mode on*

I just read a post Erin had on her site about the acquisition of a TiVo. I have looked at these funny TiVo things a few times (apparently you can make them work here in Oz now but it looks like a lot of work to me) and I was thinking “Wouldn’t this be a good idea – a box that would tape the shows I actually watch instead of me missing them because I forget they are on.”

Then I realised “What am I thinking?” I don’t actually like the TV. Not at all. (You have no idea how annoying it is to be an insomniac and not like TV. No wonder I have disturbing thoughts about sticking knitting needles into Rove McManus’ ear). And damn adverts. I hates them. With a passion. I don’t want any of the things they sell. I don’t want to hear about special deals, the latest shampoo or how to fix my hair loss. And as the night wears on they just get worse. By midnight you usually have Christian Television Association adverts. Whatever the fuck it is that the guys who make those are on I don’t EVER want to touch. Then the ultimate insult – infomercials. Television that is pretending to be content when in fact it is one long, extremely boring, commercial. Incredible banality. And the guy from the memory one? Him I might just hunt down and kill in breach of my normal views on pacifism as a service to humanity (and maybe that Chef guy with the knives too).

This is not to say I don’t like some content on TV. I do watch TV. There are even a few shows I am a little passionate about (though I still can’t watch Alias – too much Jennifer Garner makes me hyper-ventilate). But overall? It’s drivel. Even the news is aimed at low browed trogs. I’ll read my news in the paper or via the web thanks. I don’t need 10 second sound-bite spins on issues the presenters know nothing about taking place somewhere the presenter can’t even pronounce the name of. And reality shows? Dear god. Reality shows. The lowest brow of the brows. If I hear one more thing about Big Brother then Gretel Killen is going to discover why the Roman’s crucified people as a punishment. It’s depressing where this potentially wonderful medium has ended up. You could so make some really cool shows using wit, intelligence and creativity. Instead 95% of them seem to be boring, banal and unimaginative. Very, very annoying.

P.S. The shows I do watch by the way are Law & Order and its offshoots, CSI and Crossing Jordan. Sensing a pattern here? Yep. I love [u”>good[/u”> crime TV almost as much as I love crime fiction. Love it. Hmmm – either that or I like shows where people dismember other people in search of the truth. Worrying. I may be the only person who bought all four seasons of Homicide: Life on the Streets and was really excited about it. And The Shield. That rocked. But generally the rest of TV can go fuck off-ski – ’tis boring and a waste of time.

*rant mode off*

No comments »

Posted in Uncategorized

Tags: chef ci is on Ruth television

Argh

August 2nd, 2002

Linux box toast again. First Apache2 falls over on me then my php module implementation starts doing weird things and no longer serves out php pages. *sigh* I give up. Going to trash the box and start from scratch again using Red Hat 7.3 instead. In addition my bloody router is not passing http traffic to the right server. There is a filter in there somewhere which isn’t working but buggered if I can find it. Ah well enough geekiness.

One of Lu’s brothers is in town and we popped out and had lunch with him today. Great Teppanyaki from a new place in King St south – we were the only ones in there for lunch – which is usually a sign of bad things but in this case that proved untrue. The chef put on a good show. Lovely food, good presentation and very cool food prep with flashing knives and tossing utensils. Much recommended if you get down that way – it’s just before the corner of Alice St and King St.

Reading: Nothing still. Bored.

Listening to: Maren Ord