> > Configuration management tools, like Puppet, can quickly abstract
> > knowledge of a particular technology away from the user and isolate
> > understanding for said technology to a smaller group of people with
> > those skills. This is the nature of technology, though, is it not?
> > Abstractions built on abstractions, packages including libraries, etc.
> > There is an inherent trust in the tools and, more importantly, the
> > authors of those tools. This does not mean that the "recipes" (as you
> > put it) are inherently bad, or manage a system poorly, or that great
> > care cannot be taken to manage a system effectively, and securely. Ha,
> > but there is also lots of bad code in the world. Such is life.
>
> Of course. But the problem is a false sense of rightness and security
> that these tools give to people that are not aware of all the
> implications. If you read a recipe and do not understand all that it
> does, then how can you be sure it won't mess with your system?

I agree, though, I'd extend that sentiment far beyond config management.

> > The trust in a system's authors is one of the major reasons I use
> > OpenBSD in critical infrastructure without having to know anything about
> > how the compiler functions at its core. Without this trust, we'd still
> > be smacking coconuts against rocks instead of building bridges to the
> > "UberTech", so to speak.
>
> Don't get me wrong. I like these tools. But, for a few servers, I prefer
> to manage them directly. I'm warning that these tools need proper use,
> they are not a one size fits all solution.

No doubt. There is also something to be said for beautifully handcrafted
config files.

--
Zach