Re: Radmind vs CFengine

[Chris Kacoroski]

On Jan 7, 2004, at 2:15 PM, Mark.Burgess@iu.hio.no wrote:

> On  7 Jan, Chris Kacoroski wrote:
> > Hi,
> >
> > I am looking to implement an enterprise infrastructure (see
> > infrastructures.org) and am trying to decide between radmind and
> > cfengine.  Searching the archives and google, The only thing I could
> > find was a transcript from a LISA '03 BoF session on configuration
> > management.  After looking at both it seems that cfengine allows a
> > person to program into it semantics of the system files (e.g. the
> > editfiles command) while radmind does not have any idea of what may be
> > in a file.  As such radmind can only replace files which makes it much
> > simpler to use (e.g. no scripts to write).  In addition, radmind
> > enables a person to install software on a machine and then it will
> > automatically figure out what files were changed and create a script 
> > to
> > replication the installation on other machines.
> >
> > Question1: Does anyone have examples of when just replacing a file 
> > will
> > not work?
>
> This is not really the point. The point is that sometimes you do not 
> want
> to manage the entire content of a file. e.g. you might have very 
> different
> versions of inetd.conf on each host, and just want to make sure that 
> no host
> has ftp enabled, or that all machines should definitely have a web 
> server, or whatever.
> i.e. both complete and differential management is possible with 
> cfengine.
But is this type of management required?  Couldn't I just keep a 
separate version of inetd.conf for each host (or group of hosts) on the 
cfengine server?  I think that the cfengine code would be the same 
(e.g. a copy file section, instead of an editfiles section).

My concern is that the cfengine scripts will quickly become very 
complex which is why the Radmind approach is attractive.  cfengine has 
a much more flexibility, but is there a point where that flexibility 
shoots you in the foot (or allows you to shoot yourself in the foot :).

> > Question2: Does cfengine have any way to determine changes to a 
> > machine
> > and create a install scripts or is it preferred to use a third party
> > software installer for this functionality?
>
> There are many ways to install software. You can copy files or create
> a special subroutine to unpack, compile and install files, you can 
> install
> from packages etc etc.
>
> Cfengine does not tell you how you should do it - it just tries to 
> provide
> a flexible framework for your own choices. It has tripwire-like
> change management too, if that is of interest for tracking changes.
>
> Mark
I like the tripwire-like intrusion detection.  Radmind also has this 
ability.