Comparison of open-source configuration management software

From Wikipedia, the free encyclopedia

This is a comparison of notable free and open source configuration management software, suitable for tasks typically performed by a system administrator.

Basic properties

"Verify mode" refers to the ability to determine whether a node is conformant while guaranteeing that the node is not modified; it typically involves the exclusive use of an internal language supporting read-only mode for all potentially system-modifying operations. "Mutual auth" refers to the client verifying the server and vice versa. "Agent" describes whether additional software daemons are required. Depending on the management software, these agents are usually deployed on the target system or on one or many central "controller" servers.

Language License Mutual auth Encrypts Verify mode Agent First release Latest stable release
Ansible Python GPL Yes[1] Yes[2] Yes No 2012-03-08 2014-09-24 1.7.2[3]
Bcfg2 Python BSD[4] Yes[5] Yes[6] Yes[7] Yes 2004-08-11[8] 2014-02-25 1.3.4[8]
cdist Python GPL Yes[1] Yes[2] No 2010 2012-06-05 2.0.13
Chef Ruby Apache Yes[9] Yes[6] Yes[10][11] Yes 2009-01-15 0.5.0 2014-02-20 11.10.4,[12] 2013-02-15 11.0.6 (server)[13]
CFEngine C GPL, COSL[14] Yes[1] Yes[15] Yes[16][17] Yes 1993 2014-07-28 3.6.1[18]
ISconf Python GPL[19] Yes[20] No[21] 1998 2006-08-13 4.2.8.233
Juju Python, Go[22] Affero General Public License 2010-09-17[23] 2013-04-03 0.7[24]
Local ConFiGuration system (LCFG) Perl GPL Partial[25] Partial[26] 1994 Weekly Releases
OCS Inventory NG with GLPI Perl, PHP, C++ GPL No[27] Yes[6] 2003 2011-09-13[28]
Open pc server integration (Opsi) Python, Java GPL No Yes[6] Yes 2004 2013-03-01 4.0.3
PIKT C GPL[29] Yes[30] Yes[31] Yes 1998[32] 2007-09-10 1.19.0
Puppet Ruby Apache from 2.7.0, GPL before then Yes[33] Yes[6] Yes[34][35] Yes 2005-08-30[36] 2014-06-10 3.6.2[37]
Quattor Perl, Python Apache 2.0[38][39] Yes[40] Yes[41] 2005-04-01[42] 2014-09-08 14.8.0[43]
Radmind C BSD[44] Yes[45] Yes[46] Yes 2002-03-26[47] 2008-10-08 1.13.0[48]
Rex Perl Apache Yes[1] Yes[2] No 2010-11-05 0.9.0[49] 2014-07-14 0.50.0[50]
Rundeck[51] Java[52] Apache Yes Yes Yes 2010-05-01 1.0.0 2014-06-27 2.1.3[53]
SmartFrog Java LGPL Yes[54] Yes[54] Yes 2004-02-11 2009-01-26 3.16.004[55][56]
Salt[57] Python[58] Apache[59] Yes[60] Yes[60] Yes Yes 2011-03-17 0.6.0[61] 2014-07-15 2014.7[62]
Spacewalk Java (C, Perl, Python, PL/SQL) GPLv2 Yes Yes Yes 2008-06[63] 2013-07-19 2.0[64]
STAF C++ CPL[65] No[66][67] Partial[68] Yes 1998-02-16[69] 2012-12-16 3.4.16[70]
Synctool[71] Python[72] GPLv2[73] Yes[74] Yes[2] Yes[75] 2003[76] 2014-06-15 6.1[77]
Vagrant[78] Ruby MIT License 2010-01-21 2014-05-06 1.6.1

Platform support

Note: This means platforms on which a recent version of the tool has actually been used successfully, not platforms where it should theoretically work since it's written in good portable C/C++ or an interpreted language. It should also be listed as a supported platform on the project's web site.

AIX *BSD HP-UX Linux Mac OS X Solaris Windows Others
Ansible Yes Yes Yes Yes Yes Yes Yes Yes
Bcfg2 Partial[79] Yes[80] No Yes[81] Partial[82] Yes No No
CFEngine Yes Yes[80][83][84] Yes Yes Yes[85] Yes Yes Yes
cdist Yes Yes Yes No
Chef Yes[86] Yes Yes Yes Yes Yes Yes[87] Yes
ISconf Yes Yes Yes Yes Yes Yes No No
Juju Yes
Local ConFiGuration system (LCFG) No No No Partial[88] Partial[89] Partial[90] No No
OCS Inventory NG Yes Yes Yes Yes Yes Yes Yes No
Open pc server integration (Opsi) No No No Yes No No Yes No
PIKT Yes Yes Yes Yes Yes Yes No Yes[91]
Puppet Yes Yes Yes Yes Partial Yes Yes Yes
Quattor No No No Yes Partial[92] Yes No No
Radmind Yes Yes[80][83][84] No Yes Yes Yes Yes No
Rex Yes Yes Yes[93] Yes Yes[93] No
Rundeck Yes Yes Yes Yes Yes Yes Yes No
SmartFrog No[94] No[94] Yes Yes Yes Yes Yes No[94]
Salt No[95] Yes No[95] Yes[96] Yes Yes[97] Yes Partial[95]
Spacewalk No[98] No No Yes[99] No Yes[100] No No
STAF Yes[101] Yes[102] Yes[103] Yes[104] Yes[105] Yes[106] Yes[107] Yes[108]
Synctool Yes Yes Yes Yes Yes Yes Yes Yes[109]
Vagrant Yes Yes Yes

Short descriptions

Not all tools have the same goal and the same feature set. To help distinguish between all of these software packages, here is a short description of each one.

Ansible
Combines multi-node deployment, ad-hoc task execution, and configuration management in one package. Manages nodes over SSH and does not require any additional remote software (except Python 2.4 or later)[110] to be installed on them. Modules work over JSON and standard output and can be written in any language. Uses YAML to express reusable descriptions of systems.
Bcfg2
Software to manage the configuration of a large number of computers using a central configuration model and the client–server paradigm. The system enables reconciliation between clients' state and the central configuration specification. Detailed reports provide a way to identify unmanaged configuration on hosts. Generators enable code or template based generation of configuration files from a central data repository.
CFEngine
Lightweight agent system. Manages configuration of a large number of computers using the client–server paradigm or stand-alone. Any client state which is different from the policy description is reverted to the desired state. Configuration state is specified via a declarative language.[111] CFEngine's paradigm is convergent "computer immunology".[112]
cdist
cdist is a zero-dependency configuration management system: it requires only SSH on the target host, which is usually enabled on all Unix-like machines. Only the administration host needs to have Python 3.2 installed.
Chef
Chef is a configuration management tool written in Ruby, and uses a pure Ruby DSL for writing configuration "recipes". These recipes contain resources that should be put into the declared state. Chef can be used as a client–server tool, or used in "solo" mode.[113]
ISconf
Tool to execute commands and replicate files on all nodes. The nodes do not need to be up; the commands will be executed when they boot. The system has no central server so commands can be launched from any node and they will replicate to all nodes.
Juju
Juju concentrates on the notion of service, abstracting the notion of machine or server, and defines relations between those services that are automatically updated when two linked services observe a notable modification.
Local ConFiGuration system (LCFG)
LCFG manages the configuration with a central description language in XML, specifying resources, aspects and profiles. Configuration is deployed using the client–server paradigm. Appropriate scripts on clients (called components) transcribe the resources into configuration files and restart services as needed.
Open pc server integration (Opsi)
Open pc server integration (Opsi) is desktop management software for Windows clients based on Linux servers. It provides automatic software deployment (distribution), unattended installation of OS, patch management, hard- and software inventory, license management and software asset management, and administrative tasks for the configuration management.[114]
PIKT
PIKT is foremost a monitoring system that also does configuration management. "PIKT consists of a sophisticated, feature-rich file preprocessor; an innovative scripting language with unique labor-saving features; a flexible, centrally directed process scheduler; a customizing file installer; a collection of powerful command-line extensions; and other useful tools."
Puppet
Puppet consists of a custom declarative language to describe system configuration, distributed using the client–server paradigm (using XML-RPC protocol in older versions, with a recent switch to REST), and a library to realize the configuration. The resource abstraction layer enables administrators to describe the configuration in high-level terms, such as users, services and packages. Puppet will then ensure the server's state matches the description. There was brief support in Puppet for using a pure Ruby DSL as an alternative configuration language starting at version 2.6.0. This feature was deprecated, however, beginning with version 3.1.[113][111][115][116]
Quattor
The quattor information model is based on the distinction between the desired state and the actual state. The desired state is registered in a fabric-wide configuration database, using a specially designed configuration language called Pan for expressing and validating configurations, composed out of reusable hierarchical building blocks called templates. Configurations are propagated to and cached on the managed nodes.
Radmind
Radmind manages host configuration at the file system level. In a similar way to Tripwire (and other configuration management tools), it can detect external changes to managed configuration, and can optionally reverse the changes. Radmind does not have an abstraction for higher-level configuration elements (services, packages). A graphical interface is available (only) for Mac OS X.
Rex
Rex is a remote execution system with integrated configuration management and software deployment capabilities. The admin provides configuration instructions via so-called Rexfiles. They are written in a small DSL but can also contain arbitrary Perl. It integrates well with an automated build system used in CI environments.
Rundeck
Rundeck is an open-source software job scheduler and run book automation system for automating routine processes across development and production environments. It combines task scheduling, multi-node command execution and workflow orchestration, and logs everything that happens. Access control policy governs who executes actions across nodes via the configured "node executor" (the default for Unix uses SSH), and Rundeck does not require any additional remote software[1] to be installed on them. Jobs and plugins can be written in scripting languages or Java. The workflow system can be extended by creating custom step plugins to interface with external tools and services.
Salt
Salt started out as a tool for remote server management. As its usage has grown, it has gained a number of extended features, including a more comprehensive mechanism for host configuration. This is a relatively new feature facilitated through the Salt States component. Given the traction that Salt has gained recently, support for more features and platforms might continue to grow.
SmartFrog
Java-based tool to deploy and configure applications distributed across multiple machines. There is no central server; you can deploy a .SF configuration file to any node and have it distributed to peer nodes according to the distribution information contained inside the deployment descriptor itself.
Spacewalk
Spacewalk is an open source Linux and Solaris systems management solution and is the upstream project for the source of Red Hat Network Satellite. Spacewalk works with RHEL, Fedora, and other RHEL derivative distributions like CentOS, Scientific Linux, etc. There are ongoing efforts on getting it packaged for inclusion in Fedora. Spacewalk provides systems inventory (hardware and software information), installation and updates of software, collection and distribution of custom software packages into manageable groups, system provisioning, management and deployment of configuration files, system monitoring, virtual guest provisioning, starting/stopping/configuring virtual guests, and delegating all of these actions to local or LDAP users and system entitlements.
STAF
The Software Testing Automation Framework (STAF) enables users to create cross-platform, distributed software test environments. STAF removes the tedium of building an automation infrastructure, thus enabling users to focus on building their automation solution. The STAF framework provides the foundation upon which to build higher level solutions, and provides a pluggable approach supported across a large variety of platforms and languages.
Synctool
Synctool aims to be easy to understand, learn and use. It is written in Python and makes use of SSH (passwordless, with host-based or key-based authentication) and rsync. No specific language is needed to configure Synctool. Synctool has dry-run capabilities that enable surgical precision.
Vagrant
Vagrant is free and open-source software for creating and configuring virtual development environments.[1] It can be considered a wrapper around virtualization software such as VirtualBox and configuration management software such as Chef, Salt and Puppet.

References

  1. ^ a b c d Key Pair: Uses public/private key pairs and key fingerprints for mutual authentication, like SSH.
  2. ^ a b c d Secure Shell: Uses the Secure Shell protocol for encryption.
  3. ^ Ansible CHANGELOG
  4. ^ "bcfg2/LICENSE at master · Bcfg2/bcfg2 · GitHub". Github.com. Retrieved 2014-02-10.
  5. ^ Certificate and Passwords: Uses SSL X.509 certificate and fingerprint for clients to authenticate server, and passwords for server to authenticate clients; clients should only share the same password if they are allowed access to each other's configuration data.
  6. ^ a b c d e SSL: Uses the Secure Sockets Layer, Transport Layer Security (TLS) for encryption.
  7. ^ Full support for non-modifying determination of node compliance, including nodes not previously modified by a Bcfg2 configuration pass.
  8. ^ a b "Download – Bcfg2". bcfg2.org. Retrieved 2014-08-20. 
  9. ^ Per request signed headers and pre-shared keys.
  10. ^ Chef 10.14.0+ (called why-run mode)
  11. ^ "[#CHEF-13] Add -noop support - Opscode Open Source Ticket Tracking". Tickets.opscode.com. Retrieved 2014-02-10. 
  12. ^ "Chef Client Patch Release: 11.10.4". getchef.com. 2014-02-20. Retrieved 2014-03-03.
  13. ^ "Chef Server 11.0.8 Released | Chef Blog". Opscode.com. 2013-04-23. Retrieved 2014-02-10.
  14. ^ CFEngine license
  15. ^ Custom: Uses code specific to the software for this function.
  16. ^ Called dry-run, used to verify what would happen
  17. ^ "Quick Reference Guide for CFEngine 3 - CFEngine - Distributed Configuration Management". CFEngine. Retrieved 2014-02-10. 
  18. ^ CFEngine Enterprise 3.6.1 Maintenance Release Now Generally Available
  19. ^ "/trunk/LICENSE - ISconf - Trac". Trac.t7a.org. 1989-04-01. Retrieved 2014-02-10. 
  20. ^ HMAC: Uses HMAC signatures on all network traffic.
  21. ^ Improved security which would include an encrypted, mutually authenticated, peer-to-peer message bus is tracked here [1].
  22. ^ "Juju at Canonical". groups.google.com. 2013-02-10. Retrieved 2014-07-09. 
  23. ^ "timeline : pyjuju". Launchpad.net. Retrieved 2014-02-10. 
  24. ^ "Milestones : pyjuju". Launchpad.net. Retrieved 2014-02-10. 
  25. ^ LCFG does not provide its own transport mechanism; it relies on an external program, most often Apache. Using Apache it should be possible to do mutual authentication in several ways; however the documentation at The Complete Guide to LCFG, Section 9.4: Authorization and Security, shows access control based on IP address ranges, implying that the client does not authenticate itself to the server via an SSL certificate; it also does not mention if the LCFG client checks the validity of the server's SSL certificate (such as via a per-site fingerprint distributed with the client, or a chain of trust to an accredited CA). It mentions that there can be a per-client password in the profile, but also states that "The contents of the LCFG profile should be considered public".
  26. ^ LCFG supports encrypted communications channels (SSL via Apache); however the documentation at The Complete Guide to LCFG, Section 9.4: Authorization and Security, states that "The contents of the LCFG profile should be considered public".
  27. ^ Server authenticates to client, but client does not authenticate to server. See OCS Inventory NG Installation and Administration guide, page 114.
  28. ^ "2.0.1 stable published". OCS Inventory NG. Retrieved 2014-02-10. 
  29. ^ Robert Osterlund (2014-01-04). "PIKT Licensing". Pikt.org. Retrieved 2014-02-10. 
  30. ^ PIKT uses shared secret keys for mutual authentication. "As an option, you can use secret key authentication to prove the master's identity to the slave. [...] If one managed to crack any system in the PIKT domain, one would have access to all common secrets. To solve this problem, you may use per-slave uid, gid, and private_key settings." - from Security Considerations.
  31. ^ "For file installs, file fetches (to diff against the central configuration), and command executions, you can optionally encrypt all such data traffic between master and slave." - from Security Considerations.
  32. ^ "Index of /pikt/dist". Pikt.org. Retrieved 2014-02-10. 
  33. ^ Certificates: Uses SSL X.509 Certificates for mutual authentication. Can use any SSL Certificate Authority to manage the Public Key Infrastructure.
  34. ^ Using the --noop option
  35. ^ "puppet agent Man Page — Documentation — Puppet Labs". Docs.puppetlabs.com. Retrieved 2014-02-10. 
  36. ^ "Index of /puppet". Puppetlabs.com. Retrieved 2014-02-10. 
  37. ^ Puppet 3 Release Notes. "Puppet 3.6 Release Notes — Documentation — Puppet Labs". Docs.puppetlabs.com. Retrieved 2014-07-09. 
  38. ^ "EU DataGrid Software License (EUDatagrid) | Open Source Initiative". Opensource.org. 1999-02-22. Retrieved 2014-02-10. 
  39. ^ "DataGrid Software License (do not change the page URL)". Eu-datagrid.web.cern.ch. 2004-05-26. Retrieved 2014-02-10. 
  40. ^ "Client to server authentication and vice versa: on one hand, this allows to enforce access policies to sensitive data according to the client "name", on the other hand, clients are guaranteed to talk to the original server." - from Quattor Installation and User Guide: Version 1.1.x, page 70
  41. ^ "[...] secure information transfer, since data are encrypted: this prevents eavesdroppers from obtaining information in transit over the network." - from Quattor Installation and User Guide: Version 1.1.x, page 70
  42. ^ "Index of /quattorsw/software/quattor/release". Quattorsw.web.cern.ch. Retrieved 2014-02-10. 
  43. ^ Quattor 14.8.0 released. http://www.quattor.org/news/2014/09/08/announcing-quattor-14.8.0.html
  44. ^ "Research Systems Unix Group: beepage". Rsug.itd.umich.edu. Retrieved 2014-02-10. 
  45. ^ "SSL certificates can also be used to authenticate both the Radmind server and the managed clients, regardless of DNS or IP-address variation." - from Radmind: The Integration of Filesystem Integrity Checking with Filesystem Management
  46. ^ "For network security, Radmind supports SSL-encrypted links. This allows nodes on insecure networks to be updated securely." - from Radmind: The Integration of Filesystem Integrity Checking with Filesystem Management
  47. ^ "Radmind - Browse /radmind/radmind-0-6-0 at". Sourceforge.net. 2006-02-10. Retrieved 2014-02-10. 
  48. ^ http://sourceforge.net/project/showfiles.php?group_id=141444
  49. ^ Rex initial release tag
  50. ^ Github changelog for Rex
  51. ^ Rundeck is an open source workflow automation service to manage your operations.
  52. ^ system reqs
  53. ^ http://rundeck.org/downloads.html
  54. ^ a b See Using the new SmartFrog Security
  55. ^ http://sourceforge.net/project/shownotes.php?release_id=656342
  56. ^ The release the Smartfrog pushes from its own site is 3.17.014 of 2009-09-04
  57. ^ Salt is an open source tool to manage your infrastructure. Easy enough to get running in minutes and fast enough to manage tens of thousands of servers
  58. ^ http://saltstack.org/topics/tutorial.html#salt-dependencies
  59. ^ http://saltstack.org/topics/index.html#open
  60. ^ a b http://saltstack.org/topics/index.html#building-on-proven-technology
  61. ^ http://saltstack.org/topics/releases/0.6.0/
  62. ^ https://github.com/saltstack/salt/releases/tag/v2014.7
  63. ^ https://fedorahosted.org/spacewalk/wiki/SpacewalkFaq#HowlonghasSpacewalkbeenaround
  64. ^ https://fedorahosted.org/spacewalk/wiki/ReleaseNotes20
  65. ^ http://staf.sourceforge.net/license.php
  66. ^ Network Trust: Trusts the network, like rsh.
  67. ^ User-only Auth: User authenticates to server via password, but uses Network Trust to authenticate user to server, like telnet.
  68. ^ There is a feature request for a Secure TCP/IP Connection Provider, and one of the developers stated on 2007-04-05 that "You will need to download the source code for OpenSSL and point the build files at it. Other than that, it should just work.", so it looks like there may be working encryption if you build from scratch instead of using the prebuilt binaries. It is unclear what if any authentication building against OpenSSL would give STAF.
  69. ^ http://staf.sourceforge.net/history.php
  70. ^ http://staf.sourceforge.net/
  71. ^ Synctool aims to be easy to understand and use. It's built in Python and uses SSH and Rsync.
  72. ^ http://www.heiho.net/synctool/doc/chapter2.html
  73. ^ https://github.com/walterdejong/synctool/blob/master/LICENSE
  74. ^ Secure Shell: Uses the Secure Shell protocol for authentication.
  75. ^ Synctool performs a dry-run by default, and only modifies things when invoked with '--fix'.
  76. ^ http://www.heiho.net/synctool/doc/chapter1.html
  77. ^ https://github.com/saltstack/salt/releases/tag/v2014.7
  78. ^ Vagrant is free and open-source software for creating and configuring virtual development environments.
  79. ^ Encap, RPM, and POSIX File Support Only
  80. ^ a b c FreeBSD
  81. ^ Debian, Ubuntu; Gentoo; RPM-based distributions (CentOS, Mandrake, Red Hat, RHEL, SLES, SuSE)
  82. ^ POSIX File, Launchd, and MacPorts Support Only
  83. ^ a b NetBSD
  84. ^ a b OpenBSD
  85. ^ Support for Darwin, Mac OS X's *BSD base, via Darwin Ports
  86. ^ Opscode and IBM Join Forces to Bring Open Source Cloud Automation to the Enterprise, April 25, 2013 
  87. ^ Install the chef-client on Microsoft Windows, retrieved November 21, 2013 
  88. ^ "Recent versions run on Fedora Core (3, 5, 6). Various people have ported some of the LCFG core to other Linux distributions, such as Debian, but these ports have not been incorporated"
  89. ^ "There has been an experimental port to Mac OS X, which does work and includes some Mac-specific components. However, this is not production quality and the lack of uniform packaging system under Mac OS X means that automatic management of installed software is likely to be difficult."
  90. ^ "LCFG core has been ported back to Solaris and we are using this in production, although the software has not been packaged for distribution, and is not so well supported"
  91. ^ Digital Unix; IRIX
  92. ^ Some effort has been made to port some functionality to OSX [2]
  93. ^ a b "Rex installation instructions". Retrieved 2014-07-19. 
  94. ^ a b c Written in Java, so should in theory work on this platform if there is the appropriate JVM version available for it; however it has not been tested on the platform, which should be considered unsupported.
  95. ^ a b c Will run anywhere Python runs, but handlers for different platforms are untested.
  96. ^ See
  97. ^ Salt was added to the OpenCSW package repository in September of 2012 in version 0.10.2 of Salt
  98. ^ Support for NIMOL feature request
  99. ^ "Spacewalk works with RHEL, Fedora, and other RHEL derivative distributions like CentOS, Scientific Linux, etc"
  100. ^ Managing Solaris Systems
  101. ^ 4.3.3+ (Power 32); 5.1+ (Power 32/64)
  102. ^ FreeBSD 4.10 (x86-32); FreeBSD 6.1+ (x86-32)
  103. ^ 11.00+ (PA-RISC 32, IA-64)
  104. ^ (x86-32, x86-64, IA-64, PPC 64, zSeries 32/64)
  105. ^ [3]10.2+ (?)
  106. ^ 2.6+ (Sparc 32); 10+ (x86-32, x86-64)
  107. ^ 95, 98, Me, NT4, 2000, XP, 2003, Vista (x86-32), 7 (x86-32), 7 (x86-64); 2003, Vista (x86-64); 2004 (IA-64)
  108. ^ OS/400 5.2+ (iSeries 32); z/OS Unix 1.4+
  109. ^ Synctool runs on any platform that supports SSH, Rsync and Python.
  110. ^ "Getting Started | AnsibleWorks". 2013-09-25.
  111. ^ a b https://www.scriptrock.com/blog/puppet-cfengine/
  112. ^ http://www.usenix.org/event/lisa98/full_papers/burgess/burgess.pdf
  113. ^ a b https://www.scriptrock.com/articles/puppet-vs-chef-battle-wages/
  114. ^ http://www.opsi.org/features/
  115. ^ https://puppetlabs.com/blog/ruby-dsl/
  116. ^ http://docs.puppetlabs.com/puppet/3/reference/whats_new.html#ruby-dsl-is-deprecated