[nycbug-talk] Public-key sudo?

Bob Ippolito bob at redivi.com
Mon Jan 9 18:01:28 EST 2012


On Mon, Jan 9, 2012 at 2:23 PM, Chris Snyder <chsnyder at gmail.com> wrote:

> On Mon, Jan 9, 2012 at 4:56 PM, Bob Ippolito <bob at redivi.com> wrote:
>
> > won't give cdist the time of day is that I really don't think that push
> > from a laptop is the right model for configuration management.
>
> Push from a dedicated Chromebook that is otherwise not connected to
> the internet or used for anything other than cdist sounds a lot more
> secure to me than having a master server that is always hanging out
> online waiting for an exploit.
>
> I, too, have a deep-seated aversion to push management, but cdist
> looks like it's just automating what I already do as a sysadmin. The
> simplicity of the approach is very compelling.
>

The simplicity of the approach is great, but if anything goes wrong (and
there are a million things that can), you are potentially fucked. Having
done a lot of traveling over the past few years I can't imagine a reliably
successful result when trying to do push management to servers in the US
from a laptop in China. Even if the connection was stable I sure would be
waiting a long time to do something to a few hundred machines in multiple
data centers.

Having a periodic and pull-based approach allows for convergence to happen
even if there are transient problems of just about any kind. You can also
scale it horizontally. Yes, you can scale push too, but it doesn't seem
like it would be very simple to do with something like cdist.

-bob