
Re: Radmind vs CFengine

From: skaar
Subject: Re: Radmind vs CFengine
Date: Wed, 7 Jan 2004 20:50:26 -0500
User-agent: Mutt/1.4i

> >>Question2: Does cfengine have any way to determine changes to a machine
> >>and create a install scripts or is it preferred to use a third party
> >>software installer for this functionality?
> >
> >There are many ways to install software. You can copy files or create
> >a special subroutine to unpack, compile and install files, you can
> >install from packages etc etc.
> >
> >Cfengine does not tell you how you should do it - it just tries to
> >provide a flexible framework for your own choices. It has
> >tripwire-like change management too, if that is of interest for
> >tracking changes.

At LISA last year I said that Radmind solves the "tripwire problem" and
said to Mark that I would follow up on this. Basically it's a matter of
repository maintenance and state information. Anyone who has deployed
tripwire knows how painful it can be to keep the checksum databases
updated and not be flooded with warnings. Radmind combines the file
distribution and checksum mechanism.

Cfengine, on the other hand, really has no concept of a repository,
even when files are served from a central location. It does keep
checksums if you ask it to, but this is not associated with your
configuration data and works primarily as an internal mechanism in
cfengine for checks of remote and local files.

It is part of cfengine's design to keep this "noise" in the background,
to just do whatever you have defined in your configuration, it is also
part of being "an autonomous agent" that it shouldn't care so much or be
dependent, at runtime, on a central server(s) in order to perform its

This would seem to possibly work with fairly static environments with
few people making changes, where you only have a limited number of
configurations or files maintained by cfengine (no, thousands of recursively
/local/bin files don't really count as many here). With a growing number
of hosts and applications you soon run into a situation where you want to
use your configuration data to verify/report that the target host
actually has the configuration you think it has.

It would not be trivial to have cfengine do this without having some way
of corresponding revisions of data in a central repository with
recorded change events on the target hosts. Neither of which cfengine
provides much help for. Cfengine is more of an execution engine, than a
machine of (recorded) states. I don't see any conflict between
convergence ( and
maintaining reusable information about state and changes to this.


+----- address@hidden                   kent skaar   ----------------+
+----- internet services: infrastructure security   ----------------+
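
The idea of tying the checksum baseline to repository revisions, as an added sketch that is not part of the original message and is not Radmind's or cfengine's own format or code. The `REPO` dictionary, the `.revision` marker file and all function names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample repository: revision id -> {relative path: content}
REPO = {
    1: {"etc/motd": b"welcome\n", "etc/ntp.conf": b"server ntp1\n"},
    2: {"etc/motd": b"welcome\n", "etc/ntp.conf": b"server ntp2\n"},
}

def manifest(rev):
    """Checksums derived from the same data that gets distributed."""
    return {path: sha256(content) for path, content in REPO[rev].items()}

def deploy(root, rev):
    """Distribute the files and record which revision the host now holds."""
    for path, content in REPO[rev].items():
        target = Path(root, path)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    Path(root, ".revision").write_text(str(rev))  # hypothetical state marker

def verify(root, baseline=None):
    """Check the host against the manifest of its recorded revision,
    or against a separately maintained baseline if one is passed in."""
    rev = int(Path(root, ".revision").read_text())
    expected = baseline if baseline is not None else manifest(rev)
    drift = {}
    for path, digest in expected.items():
        target = Path(root, path)
        if not target.exists():
            drift[path] = "missing"
        elif sha256(target.read_bytes()) != digest:
            drift[path] = "modified"
    return rev, drift

def demo():
    with tempfile.TemporaryDirectory() as root:
        deploy(root, 1)
        stale = manifest(1)                    # standalone checksum database
        deploy(root, 2)                        # legitimate change from the repository
        false_alarm = verify(root, stale)[1]   # stale database flags the deploy
        clean = verify(root)[1]                # revision-tied baseline stays quiet
        Path(root, "etc/motd").write_bytes(b"edited locally\n")  # out-of-band edit
        return false_alarm, clean, verify(root)

if __name__ == "__main__":
    print(demo())
```
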
