Puppet: The Good, Bad & Ugly for Configuration Management & Security


Puppet is great for spinning up new VMs, blades and containers with static configurations that have short lifespans.
However, if the server/VM is going to be around for any length of time, using Puppet for Linux (and UNIX) OS security control does not scale very well. We tend to start having these discussions with organizations that have 3000 plus servers or VMs. There are a lot of files spread around the OS to keep consistent, and that is a lot of recipes to deploy. And God forbid you have multiple architectures and OSes, as you will need variant recipes for each platform and OS. With FoxT you can make IDM and security changes cross-platform, and at scale, with a single command.

Puppet is poor at UID/GID consistency. A strange statement for a configuration management product, you might think, so I’ll explain. Puppet was never designed to manage an identity management namespace, only to interact with one, and as a result it cannot enforce consistent UIDs/GIDs. If a deployed recipe says “make this change to this user on this server”, the Puppet Agent will do so, even if it breaks UID/GID consistency across your domain. We see this pop up as an operational problem that gets worse over time, and more so as your server/VM estate expands.
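The drift described above is easy to detect once you have a copy of each host's passwd and group files in one place. The following is an added example, not code from FoxT or from the Puppet project: it takes /etc/passwd and /etc/group contents collected per host (the host names and file contents below are constructed sample data, with one host deliberately drifted) and reports every name that resolves to more than one numeric id and every numeric id that resolves to more than one name. The same id under two names is the case that matters most for security, because file ownership, NFS exports and audit records are keyed by the number, not the name.

```python
"""Audit UID/GID consistency across a fleet of hosts.

Added example (not FoxT's or Puppet's code). Input is the text of
/etc/passwd and /etc/group as gathered from each host, keyed by host
name. Output lists the mappings that are not consistent fleet-wide.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample data: three hosts, one of which has drifted.
PASSWD_BY_HOST = {
    "web01": "root:x:0:0:root:/root:/bin/bash\n"
             "deploy:x:1001:1001::/home/deploy:/bin/bash\n"
             "svc-backup:x:1002:1002::/var/lib/backup:/usr/sbin/nologin\n",
    "web02": "root:x:0:0:root:/root:/bin/bash\n"
             "deploy:x:1001:1001::/home/deploy:/bin/bash\n"
             "svc-backup:x:1002:1002::/var/lib/backup:/usr/sbin/nologin\n",
    # web03 drifted: 'deploy' was recreated as UID 1003, and UID 1001
    # now belongs to a different account, so 1001-owned files changed hands.
    "web03": "root:x:0:0:root:/root:/bin/bash\n"
             "tmpuser:x:1001:1001::/home/tmpuser:/bin/bash\n"
             "deploy:x:1003:1003::/home/deploy:/bin/bash\n"
             "svc-backup:x:1002:1002::/var/lib/backup:/usr/sbin/nologin\n",
}
GROUP_BY_HOST = {
    "web01": "root:x:0:\ndeploy:x:1001:\nbackup:x:1002:\n",
    "web02": "root:x:0:\ndeploy:x:1001:\nbackup:x:1002:\n",
    "web03": "root:x:0:\ntmpuser:x:1001:\ndeploy:x:1003:\nbackup:x:1002:\n",
}


def parse_name_id(text: str) -> List[Tuple[str, int]]:
    """Extract (name, numeric id) pairs from passwd- or group-format text.

    Both files are ':'-separated with the name in field 0 and the numeric
    id in field 2. Blank lines, comments and malformed lines are skipped
    so one bad line does not abort the whole audit.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        pairs.append((fields[0], int(fields[2])))
    return pairs


def find_conflicts(files_by_host: Dict[str, str]) -> Dict[str, Dict]:
    """Return name->id and id->name mappings that differ between hosts.

    Result shape:
      {"name_to_ids": {name: {id: [hosts]}},   # one name, several ids
       "id_to_names": {id: {name: [hosts]}}}   # one id, several names
    Only entries with more than one mapping are included.
    """
    name_ids = defaultdict(lambda: defaultdict(list))
    id_names = defaultdict(lambda: defaultdict(list))
    for host, text in files_by_host.items():
        for name, num in parse_name_id(text):
            name_ids[name][num].append(host)
            id_names[num][name].append(host)
    return {
        "name_to_ids": {n: dict(m) for n, m in name_ids.items() if len(m) > 1},
        "id_to_names": {i: dict(m) for i, m in id_names.items() if len(m) > 1},
    }


def audit(passwd_by_host: Dict[str, str], group_by_host: Dict[str, str]) -> Dict[str, Dict]:
    """Run the consistency check over both the user and the group namespace."""
    return {
        "users": find_conflicts(passwd_by_host),
        "groups": find_conflicts(group_by_host),
    }


if __name__ == "__main__":
    report = audit(PASSWD_BY_HOST, GROUP_BY_HOST)
    for namespace in ("users", "groups"):
        for name, ids in report[namespace]["name_to_ids"].items():
            print(f"{namespace}: name {name!r} has several ids: {ids}")
        for num, names in report[namespace]["id_to_names"].items():
            print(f"{namespace}: id {num} has several names: {names}")
```

To use it on a real estate, replace the constructed dictionaries with the output of `cat /etc/passwd` and `cat /etc/group` collected from each host (over SSH, from backups, or from whatever inventory tool you already run) and schedule the audit; a non-empty report is the drift the text describes, and the host lists tell you which machines disagree with the majority.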

Read more at FoxTechnologies Blog.