The linked article is about package management, not configuration management. Whoever set the title of this post didn't understand the point of the article. From the comments, people seem to confuse and conflate configuration management, job automation and package management. To run a successful infrastructure at any scale you need all three.
If it's about package management, why did it even talk about Chef, Ansible, etc? It seems to me that the package management changes he describes can be exposed at a top-level layer of "tell me which packages and versions you want", which has NOTHING to do with the configuration managers he mentions.
Literally every single one of the tools he said we can do better than, could use his package manager with almost no changes.
Imagine a world in which the treatment for heart attacks was to get the victim to sit down and press icepacks to their chest. Someone writes an article about "Why icepacks aren't good enough" as treatments for cardiac arrest. It would be clear why the article started by talking about icepacks.
Not really. He's complaining about Ansible/Chef/etc when they have nothing to do with the real issue, which is package management. The rest is just tangential.
As best I understand: he explains why you see certain problems when using the Ansible/Chef etc. (the icepack) and then explains why these are symptoms of underlying problems with package management (the heart-attack) which can't be resolved through the use of an icepack.
I disagree, the tools (or, well, Ansible, which is the only one I'm familiar with) are declarative, as he describes. He says "these tools are not enough", then goes on to say that you need stateless package management, through a non-sequitur.
You can specify the packages you want in Ansible, and it will abstract away everything else, giving you what you asked for. Ansible's config language wouldn't look any different if it were using nix (and it probably can), so what he says doesn't follow:
Ansible (et al) aren't enough => We improve a part of the underlying system => Ansible looks exactly the same, but is magically now enough.
> I disagree, the tools (or, well, Ansible, which is the only one I'm familiar with) are declarative, as he describes. He says "these tools are not enough", then goes on to say that you need stateless package management, through a non-sequitur.
There is a fundamental difference between Ansible and co. and NixOS. These tools take you from an unknown state, look at the part of this state you configured in the Ansible files, and apply the modifications necessary. NixOS will take its cue from a single file (possibly with includes) describing the entire machine.
Concretely, if you tell Ansible "package X should be present", apply the configuration and then remove this line before reapplying the configuration, package X will still be present, even though it's not listed in the configuration. I don't mean that as a criticism of Ansible, for my purpose it's about as good as it gets, but it's two different paradigms.
Ansible (et al) aren't enough => We improve a part of the underlying system => We build a new tool that makes use of the improvements and is therefor better than Ansible.
Right. But enforcing state in the packaging system is only one facet of what configuration management tools are used for. Building a better package manager won't remove the need for configuration management tools. The problems that gave arise to these tools extend far beyond package management and cannot be reduced to package management as a root cause.
What's the difference between a "package" and a "configuration"? At some level, they are both sets of files, so I can imagine a tool handling both, providing the benefit of a common interface. On the other hand, why might one want separate tools for packages and configuration?
A package is a product, a cooked thing like Nginx. A configuration is ephemeral and site-specific, a dynamic thing like ~/.bashrc. You can claim the two are really the same, but no one else will understand what you are on about (is he saying we should hard-code more stuff?). We don't need exactly two categories here, but that seems the most idiomatic, and has done for decades.
Individual users may benefit from versioning their config files, but usually not their programs. Big business might do both, or just as likely screw it up and version code but not configs (I'm looking at you, crontab).
Packages are far more ephemeral than people assume, because of the constant flow of security patches, bug fixes, and feature updates. If you're running a long-lived system, at some point those version numbers will matter.
I think the more useful way to think of packages and configuration are that they are necessary compliments. An unconfigured package doesn't do what you want, and configuration without a package doesn't do anything at all.
The theory is, they're both components of system state, so why not manage them together?
But to me it sounds like saying that text and layout are necessary compliments for a magazine, so why not manage them together? Because it turns out that is a horrible idea. Anyone who does professional publishing manages them separately.
If you follow it, you'll get a package like "mycorp-nginx", which is an atomic piece of configuration management that not only controls nginx's configuration wherever you deploy it, but also nginx's version on those same machines.
Basically, with this strategy, instead of installing nginx, you only install mycorp-nginx; the config-package then installs the thing it's configuring as a dependency. That dependency is locked to a specific version, so it'll only upgrade when you push out a config-package that changes that dependency.
Some people 'cook' their configuration into packages because they aren't allowed to change the configuration on the target. You can also generalize 'automation' to mean configuration management, package management, job management, bug management, change management, deployment, monitoring, continuous deployment/delivery, continuous integration, and many other fields.
In practice, everybody screws something up, whether individually or part of a small/big business. The tools are typically not the problem; the humans and how they use them, are.
Packages should be invariant across similar systems. Configuration should vary. For a coarse-grained example, if I have a cluster of servers, they should all run exactly the same version of the OS, but have different hostnames.
A fair definition. If they're anything like mine, the hosts probably have unique hostnames but share the remaining 99% of the nginx config. Is that identical portion a "package" or "configuration"?
I think there are a few more steps in there. Assuming identical OS and arch, you've probably got:
* software packages that should be identical on all nodes in the cluster
* a set of software packages that should be installed on all nodes
* configuration that should be identical (e.g. 99% of an nginx config)
* configuration that is unique to the host (e.g. a hostname)
Or perhaps:
* packages limited to a single OS (traditional software packages for Linux)
* packages limited to a single organization (identical portions of configs)
* packages limited to a single node (hostname)
Anyway, I'm playing around with using Nix for all but the unique-per-host stuff. I see potential, but it may or may not pan out. I seem to always need a custom version of nginx, or ruby, and I find making custom Debian packages rather cumbersome, even with a fair amount of experience.
A package is more loosely defined. You can have the same Apache package installed with vastly different configurations. A configuration is a lot more specific.
>The linked article is about package management, not configuration management
The whole point is that those aren't different things. Once you create a proper package management system, it is also a proper configuration management system. The article didn't do a great job of explaining it, but fire up a few VMs and give NixOps a try.
