[Freedombox-discuss] Chef and Puppet experts?

Thu Sep 15 16:59:01 UTC 2011

On 09/15/11 08:41, Philip Hands wrote:
> On Wed, 14 Sep 2011 11:07:49 -0700, FreedomBox-Discuss.NeoPhyte_Rep at OrdinaryAmerican.net wrote:
> ...
>>> Using any of Puppet/Chef/cfengine to achieve the same effect is
>>> effectively just an attempt to side-step the edict against one package
>>> modifying the conffiles of another (which would be another way of doing
>>> this) -- while that edict is sometimes inconvenient, it's there for good
>>> reason so one should be very cautious before ignoring it.

[snip]
> Section 3, paragraph 3, of this:
> 
>   http://release.debian.org/squeeze/rc_policy.txt
> 
> 	Packages must not modify other packages' configuration files
> 	except by an agreed upon APIs (eg, a /usr/sbin/update-foo command).
> 
> rc_policy.txt is the list of things that would have justified a release
> critical bug in the latest stable release -- I failed to find it in the
> general policy docs, but note that the same thing is also mentioned here:
> 
>     http://www.debian.org/doc/packaging-manuals/upgrading-checklist.txt
> 
>           * updated section about `Configuration files': packages may not
>           touch other packages' configuration files
> 
> in 1997.  Perhaps it's so fundamental that it doesn't need to be written
> down in policy -- I suppose it's just a special case of the fact that
> packages shouldn't tread on other package's files.

Except that this is not the case. With configuration management tools
(puppet, cfengine, chef, there are more), it is not the package that is
treading on other packages files, it is the user (or sysadmin) that is
changing those files. The tool only applies the rules that the user
tells it to.

This is no different than a user/sysadmin using vim or a web interface
to change the configuration. The crucial difference is that it is the
user and not a package maintainer that makes the changes, and that she
only declares those changes and they are enforced automatically by the
CM tool.

This is just a friendly attempt for clarification. I like these tools,
they are hugely important for sysadmins, but i'm not yet convinced of
the use case for FreedomBox (maybe i haven't followed discussion closely
enough, sorry). Would the CM tool apply and enforce the configuration
that the user declares in some way (web interface, whatever)? That would
make possible to defer the configuration of my box or some services to a
trusted party, like my grandmother administrating the photo service of
the whole family. It could help to share the configurations and the load
of the administration. But this seems to me very far off, no sense
discussing this at this point. It may not even be necessary as there may
not even be an significant administration load to share, given good
defaults and simple interfaces on the FBX.

cheers,
zé