ConfigMgmt

Is config mgmt still relevant?
Debate your thoughts on config mgmt in a world of containers & immutable IaaS
Darin Chambers
Do you feel that containerization leads to organizations patching infrastructure less often than before? What are the best approaches for keeping containers secure?
Greg Baker
Definitely! We're seeing more teams move to immutable infrastructure and work their security into their development pipelines a la DevSecOps. As this happens, people are questioning whether they need full-blown config management or whether bash and PowerShell are sufficient.
Catalin Muresan
I think that the lack of automation in container-aware infrastructure patching can lead to that, but at the same time it's easier than ever to do live patching in a container environment. Also, integrating container security scanner tools will force updating the base images.
Greg Baker
How do you do live patching of container-aware infrastructure? Would you ever run a config mgmt. agent in the container and depend on it to pull updates from package repos or is that an anti-pattern?
Ryan Bezdicek
I agree, but there are still issues with many organizations trusting public Docker images, which is a large concern. We do need more automation and security automation as, like you said, they are lacking. So patching is easy, but who's doing the looking?
Catalin Muresan
Live patching would mean: identify the host, drain it (do not allow new containers to start on it), gracefully terminate the containers it runs, then patch, reboot, test, and add it back, all automated, but the automation tool needs to "talk" to the container orchestration as well.
Catalin Muresan
This is a task for configuration management tools, more for push-type ones (Ansible) than others.
Darin Chambers
Primarily my concern was directed to getting patches onto the container image itself, but this is also an interesting point.
Ryan Bezdicek
DC/OS currently does support this automation, and in my experience it works pretty well. There are some caveats, for instance if the images need persistent storage, but for stateless containers it handles live failovers well.
Catalin Muresan
To rely on the immutable infrastructure principle, there would be no patching: you would simply start a new image with the new software versions on it and join it to the cluster, then drain and destroy the old instances.
Catalin Muresan
And here the config management tools would be used only in the instance launch/configuration phase, if needed, or in the image build phase.
Greg Baker
If you were building a brand new pipeline, would you select Puppet, Chef, Salt, etc.. for this? How about if you already had Puppet/Chef/Salt deployed and working? Would it be worth changing your pipeline?
Julie Nyenkamp
What is the difference between mutable and immutable?
Greg Baker
mutable = servers change. A server might have ver. 1 of an app, then v2, then v3. Immutable servers don't change. An update means creating a new server image and launching a new VM, container, etc... Immutable requires a mature CI/CD and automation pipeline.
Beth Johnson
What do we mean by immutability? Or what do we as an industry mean by it?
Greg Baker
Traditionally, teams build servers and then deploy their apps to them. When the app changes, updates are sent to the server. With immutable infra., servers never change. They are destroyed and new servers are created. Update and rollbacks are standard inf. rollouts.
Catalin Muresan
It's also a security layer, as you can have immutability also mean read-only data in containers; an attacker then has much reduced access from within the container to deploy tools and attack further.
Ryan Bezdicek
In general yes, but there are some common best practices that are easily broken. For instance DC/OS allows containers to have sudo access, which is required for some of their out of the box images.
Zachary Winnerman
The core idea of merging systems engineers with developers is only made stronger with immutable infrastructure. Each 'release' of the infrastructure is immutable much like a compiled program is, but you still use source code management.
Krista Wheatley
Our time is up, thank you for joining us, if you would like to discuss this topic further or have any questions on this topic, please reach out directly to Greg at baker@pythian.com or Ryan at bezdicek@pythian.com
Pradeep Ravindran
I see the argument that configuration management is on its way out, now that we're ready to usher in an era of "immutable" infra. You don't push out new configs, you build new images with the new configs baked in and replace the existing nodes. How do we define configuration?
Greg Baker
We lean on the 12-factor app! "An app's config is everything that is likely to vary between deploys." I argue that config should be stored outside of image artifacts and pulled in at deployment time. Is a tool like Puppet or Chef the right solution to pull configs?
Ryan Bezdicek
I think it's important to remember that Puppet is over 10 years old, there are still many companies just now migrating to some form of config management. There are also a lot of companies still using bare metal servers. Any form of management is better than none.
Greg Baker
And it's mature, with lots of modules to make it turn-key. It's definitely still relevant. The underlying infrastructure that enables containers needs to be managed, too!
Krista Wheatley
Thank you for joining our crowd chat with experts Greg Baker and Ryan Bezdicek. We are talking about the role of configuration management and its relevance in immutable infrastructure and serverless architectures.
Krista Wheatley
We would love to hear from you. Type in your thoughts, opinions, or questions.
Greg Baker
Thanks Krista! We want to talk about config mgmt and its role in the changing world of cloud computing. Agent or agentless? Do we still need heavy config management tools or are lighter weight solutions now preferred?
Ryan Bezdicek
@ghbaker Lighter-weight solutions definitely seem to be more favored recently, but there is always a use case for the 'old school' Puppet/Chef options. But in my experience there are rarely advantages to using an agent-based management tool when you are using immutable infra.
Greg Baker
I think lighter-weight solutions like Ansible have become popular because they put the control in the hands of developers and enable them to quickly create new environments without needing a centralized config mgmt server. Containers support this view.
Greg Baker
Some larger teams resist this due to the complexity of their infrastructure and their regulatory/compliance needs. They need tighter control of the infrastructure tier while also allowing development teams to dictate how their app is deployed and configured. Can we have both?
Ryan Bezdicek
@ghbaker Yeah, but there is the other issue. Generating Ansible inventory lists can get cumbersome. They do have nice scripts for big vendors, but oftentimes you want some more customization. And if you aren't using immutable infra, config drift is a common concern.