Whether you’re responsible for a handful of servers or a few hundred, you should use a Configuration Management tool.

Introduction

Configuration Management tools are nothing new; they have been around for more than two decades now. CFengine pioneered the field in 1993, with Puppet and Chef following in 2005 and 2009 respectively, and more solutions have appeared in just the last few years (SaltStack and Ansible, to name a few). Still, I meet a lot of sysadmins who haven’t used any of them yet. The objective of this post is to show those people the value of applying such tools in their daily jobs.

Self-documented infrastructure

If you have ever come to a new workplace and spent a lot of time discovering how a server is built, you know the value of good documentation. Configuration Management tools provide you with a way to define the desired machine state and enforce it. The good thing is that most solutions store state definitions in human-readable form, so you can easily find which settings are important for a specific host (or group of hosts) without even logging in.

Detect configuration drift

Most Configuration Management tools allow you to execute a dry-run policy check to verify which parts of the configuration under their control have changed since the last run. This allows you to keep the number of assumptions about the current state of the managed host down to a minimum.

Deploy safely

Configuration Management allows you to rapidly spin up development and testing environments. Apart from saving you a lot of time, this brings you peace of mind regarding the next production deployment - if it fails on a dev/test environment rolled out by your Infrastructure-as-Code solution, it means you have to update your configuration policies/playbooks accordingly and execute those changes on the production environment before the code hits the deployment pipeline.

Compliance

If your organization is subject to an audit by either an external or an internal authority, it will be a great time-saver to turn your effort from checking configuration for compliance to enforcing compliant configuration.

The good, the bad, the ugly

The good - we have already discussed several bright points of applying Configuration Management tools, even in smallish environments.

The bad - there’s no silver bullet, and Configuration Management solutions are no exception. The biggest shortfall of most Configuration Management solutions is the inability to check whether the run-time configuration is in line with the one defined by your configuration policies/playbooks (or stored in your boot-time configuration).

The ugly - some critical configuration changes can be introduced manually to parts of the configuration NOT under the control of your Configuration Management solution. Even if those changes persist across reboots, there’s almost no chance of detecting them without proper configuration discipline in place. One approach to solving this problem would be immutable infrastructure, but this topic deserves a dedicated post.
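For kernel parameters, the run-time versus boot-time gap described under "The bad" can be narrowed with a small check that runs next to the Configuration Management tool. The following is an added example, not part of the original post: it assumes a Linux host with sysctl.d-style files and /proc/sys, and its function names and sample values are constructed for illustration.

```python
import sys
from pathlib import Path

def parse_sysctl_conf(text):
    """Parse sysctl.d-style text into {key: value}; later lines override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        line = line.lstrip("-").strip()      # leading '-' = ignore errors when applying
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = " ".join(value.split())  # normalise whitespace
    return settings

def read_runtime(key, proc_root="/proc/sys"):
    """Return the live kernel value for a dotted key, or None if it cannot be read."""
    try:
        text = Path(proc_root, *key.split(".")).read_text()
    except OSError:
        return None
    return " ".join(text.split())

def find_drift(persisted, runtime):
    """Return {key: (persisted, live)} for every key whose live value differs."""
    return {k: (want, runtime.get(k)) for k, want in persisted.items()
            if runtime.get(k) != want}

# Constructed sample: a managed sysctl.d file and the values the kernel reports.
SAMPLE_CONF = """\
# constructed sample of a managed /etc/sysctl.d file
net.ipv4.ip_forward = 0
-kernel.kptr_restrict=2
net.ipv4.tcp_rmem = 4096\t131072  6291456
"""
SAMPLE_RUNTIME = {
    "net.ipv4.ip_forward": "1",   # changed by hand with sysctl -w, never persisted
    "kernel.kptr_restrict": "2",
    "net.ipv4.tcp_rmem": "4096 131072 6291456",
}

if __name__ == "__main__":
    conf, live = parse_sysctl_conf(SAMPLE_CONF), SAMPLE_RUNTIME
    if len(sys.argv) > 1:                    # real host: pass the managed file path
        conf = parse_sysctl_conf(Path(sys.argv[1]).read_text())
        live = {k: read_runtime(k) for k in conf}
    for key, (want, have) in sorted(find_drift(conf, live).items()):
        print(f"DRIFT {key}: persisted={want!r} runtime={have!r}")
```

The check only covers keys listed in the managed file, so changes to parameters outside the tool's control remain invisible to it.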