Comparison of open source configuration management software


This is a comparison of free (libre) and open source configuration management software.

Basic properties

Language Licensed Mutual auth Encrypts First release Latest stable release
Arusha Project (ARK) Python BSD [4] Yes [1] Yes [2] 2001-07-21 2005-04-19 20050419
Bcfg2 Python BSD [5] Yes [3] Yes [4] 2004-08-11 2011-05-27 1.1.2 [6]
cdist Bourne Shell GPL Yes [5] Yes [5] 2011-03-07 2011-04-07 1.6.1 [7]
CFEngine C GPL, COSL [8] Yes [1] Yes [6] 1993 2011-10-25 3.2.3 [9]
Chef [10] Ruby Apache Yes [7] Yes [4] 2009-01-15 0.5.0 2011-05-02 0.10.0 [11]
DACS [12] Perl Bourne Shell GPL plus some others Yes [5] Yes [5] 1994-11 as the Config system 2009-01-10 2.0 [13]
Etch Ruby MIT Yes [8] Yes [4] 2008-11-08 2011-01-18 3.18.0
FusionInventory with GLPI Perl, PHP GPL Yes Yes [4] 2010 2010-08
ISconf Python GPL [14] Yes [9] No [10] 1998 2006-08-13 4.2.8.233
LCFG Perl GPL Partial [11] Partial [12] 1994 Weekly Releases
OCS Inventory NG with GLPI Perl, PHP, C++ GPL No [13] Yes [4] 2003 2011/09/13 [15]
OpenSymbolic Java GPL Yes Yes 2008-05-08 2009-11-16 1.5.0-1
opsi (open pc server integration) Python, Delphi GPL No Yes [4] 2004 2010-10-01 4.0
Uranos PHP GPL Yes No [4] 2004 2011-04-09 1.1770
Pacha Python MIT Yes [14] Yes [14] 2010-02-02 0.2.3
Pallet Clojure EPL Yes [15] Yes [2] 2011-06-01 2011-06-01
PCfengine Python GPL [16] No [16] No [16] 0.0.2 (discontinued)
PIKT C GPL [17] Yes [17] Yes[18] 1998 2007-09-10 1.19.0
Puppet Ruby Apache from 2.7.0 and GPL prior to this Yes [19] Yes [4] 2005-08-30 2011-10-14 2.7.6
Quattor Perl EDG[18] Yes [20] Yes [21] 2005-04-01 2007-12-12 1.3-2
Radmind C BSD [19] Yes [22] Yes [23] 2002-03-26 2008-10-8 1.13.0
SmartFrog Java LGPL Yes [24] Yes [24] 2004-02-11 2009-01-26 3.16.004 [25]
Salt [20] [26] Python [27] Apache [21] Yes [28] Yes [28] 2011-03-17 0.6.0 2011-09-17 0.9.2
Spacewalk Java (Perl, Python & PL/SQL) GPL (v2) Yes 2008-06[29] 2010-04-29[30]
STAF C++ CPL [22] No [31][32] Partial [33] 1998-02-16 2011-03-31 3.4.5
Synctool Python GPL [23] Yes Yes 2003 2010-02-23 4.5

Platform support

Note: This means platforms on which a recent version of the tool has actually been used successfully, not platforms where it should theoretically work since it's written in good portable C/C++ or an interpreted language. It should also be listed as a supported platform on the project's web site.

AIX *BSD HP-UX Linux Mac OS X Solaris Windows Others
Arusha Project (ARK) Yes Yes Yes Yes No Yes No No
Bcfg2 Partial [34] Yes [35] No Yes [36] Partial [37] Yes No No
cdist No Yes No Yes Yes No No No
CFEngine Yes Yes [35][38][39] Yes Yes Yes [40] Yes Yes Yes
Chef Partial [41] Yes [35] Partial [42] Yes Yes Yes Partial [43] No
DACS [24] Yes Yes Yes No No
Etch No Yes No Yes No Yes No No
FusionInventory with GLPI Yes Yes Yes Yes Yes Yes Yes No
ISconf Yes Yes Yes Yes Yes Yes No No
LCFG No No No Partial [44] Partial [45] Partial [46] No No
OCS Inventory NG with GLPI Yes Yes Yes Yes Yes Yes Yes No
OpenSymbolic Yes Yes Yes Yes Yes Yes No Yes
opsi (open pc server integration) No No No No No No Yes No
Uranos No No No Yes No No Yes No
Pacha No No No Yes Yes No No No
Pallet No No No Yes Yes No No No
PCfengine Yes No No Yes No Yes No No
PIKT Yes Yes Yes Yes Yes Yes No Yes [47]
Puppet Yes Yes Yes Yes Yes Yes Yes Yes
Quattor No No No Yes No Yes No No
Radmind Yes Yes [35][38][39] No Yes Yes Yes Yes No
Rollout No Yes No Yes No Yes No No
SmartFrog No [48] No [48] Yes Yes Yes Yes Yes No [48]
Salt No [49] No [49] No [49] Yes [50] No [49] No [49] No [49] No [49]
Spacewalk No [51] No No Yes [52] No Yes [53] No No
STAF Yes [54] Yes [55] Yes [56] Yes [57] Yes [58] Yes [59] Yes [60] Yes [61]
Synctool Yes Yes Yes Yes Yes Yes No No

Short descriptions

Not all tools have the same goal and the same feature set. To help distinguish between all of these software packages, here is a short description of each one.

Arusha Project (ARK)
Manage package and configuration specification of hosts via a custom XML description language. Can be used as a front end for Cfengine or PIKT. Provides some collaboration features between administration 'teams'. The last commit dates from April 2007.
Bcfg2
Software to manage the configuration of a large number of computers using a central configuration model and the client–server paradigm. The system enables reconciliation between clients' state and the central configuration specification. Detailed reports provide a way to identify unmanaged configuration on hosts. Generators enable code or template based generation of configuration files from a central data repository.
cdist
cdist is a simple, usable configuration management system written in POSIX shell. It is extended by writing types and supports the push mechanism to deploy configurations.
CFEngine
Lightweight agent system. Manages configuration of a large number of computers using the client–server paradigm or stand-alone. Any client state which is different from the policy description is reverted to the desired state. Configuration state is specified via a declarative language. CFEngine's paradigm is convergent "computer immunology".
Chef
Chef is a configuration management tool written in Ruby, and uses a pure Ruby DSL for writing configuration "recipes". Chef can be used as a client–server tool, or used in "solo" mode.
DACS
It is similar to other CCM (computer configuration management) tools such as bcfg2, lcfg, puppet and the well-known cfengine. However, it has some unique features that make it more than just a program which pushes files to other hosts. It integrates: a host database; a version control system; an optional file generation system; a file distribution and remote command execution mechanism.
Etch
Etch uses a client-server or client-only model. Configuration is defined in XML, Ruby, and embedded Ruby (ERB) templates. A copy of the original file is provided to the user's configuration scripts, allowing easy idempotent edits to stock files. In client-server mode clients can submit requests to the server for special configuration, allowing clients to have limited control of their configuration while still ensuring centralized management.
FusionInventory with GLPI
FusionInventory is a solution for hardware and software inventory, with an agent or agentless using SNMP (for example for computer inventory or switch inventory). It also covers Wake On Lan (WOL), software deployment using the OCS Inventory NG protocol and peer-to-peer download, and network-connected devices (using NetBIOS, nmap and SNMP). It can be used with GLPI directly and with other asset solutions (with lib server PHP integration).
ISconf
Tool to execute commands and replicate files on all nodes. The nodes do not need to be up; the commands will be executed when they boot. The system has no central server so commands can be launched from any node and they will replicate to all nodes. It implements many of the ideas in "Why Order Matters: Turing Equivalence in Automated Systems Administration".
LCFG
LCFG manages the configuration with a central description language in XML, specifying resources, aspects and profiles. Configuration is deployed using the client–server paradigm. Appropriate scripts on clients (called "components") transcribe the resources into configuration files and restart services as needed.
OCS Inventory NG with GLPI
OCS Inventory NG, when integrated with GLPI, provides inventory and asset management scans/database, package deployment, distributed script execution, and, via plugins, permissions management and other configuration management functions.
OpenSymbolic
OpenSymbolic is an open source enterprise platform designed to build, configure and manage your huge, globally distributed data centers. Based on the best open source frameworks for these purposes, it represents the state-of-the-art solution for centralized datacenter management platforms.
opsi (open pc server integration)
opsi (open pc server integration) is a desktop management software for Windows clients based on Linux servers. It provides automatic software deployment (distribution), unattended OS-Installation, patch management, hard- and software inventory, License Management / Software Asset Management as well as administrative tasks for the configuration management.[62]
Uranos
It is an alternative to the opsi desktop management software and includes support for Linux distributions.[63]
Pacha
Pacha was designed to be a simple way to back up and manage software configuration files from single or multiple server instances across the network. Written in Python, the initial approach is to easily deploy an instance and capture any changes via version control (Mercurial), giving the system administrator the ability to roll back and safeguard valid, working configurations.
Pallet
Pallet is a provisioning, configuration and management tool written in Clojure. It uses configuration "crates", that can be functionally composed to configure machines. It requires neither a server, nor an agent on the managed machine.
PCfengine
This tool aims to be a better Cfengine written in Python. It uses Python directly as a language to describe configuration files. In contrast to Cfengine, it automatically determines the order in which actions are applied on the client.
PIKT
PIKT is foremost a monitoring system that also does configuration management. "PIKT consists of a sophisticated, feature-rich file preprocessor; an innovative scripting language with unique labor-saving features; a flexible, centrally directed process scheduler; a customizing file installer; a collection of powerful command-line extensions; and other useful tools." [25]
Puppet
Puppet consists of a custom declarative language to describe system configuration, distributed using the client–server paradigm (using XML-RPC protocol in older versions, with a recent switch to REST), and a library to realize the configuration. The resource abstraction layer enables administrators to describe the configuration in high-level terms, such as users, services and packages. There is support in Puppet for using a pure Ruby DSL as an alternative configuration language in version 2.6.0 and later.
Quattor
"The quattor information model is based on the distinction between the desired state and the actual state. The desired state is registered in a fabric-wide Configuration Database (CDB), using a specially designed configuration language for expressing and validating configurations, composed out of reusable hierarchical building blocks called templates. Configurations are propagated to and cached on the managed nodes." [26]
Radmind
Radmind manages host configuration at the file system level. In a similar way to Tripwire (and other configuration management tools), it can detect external changes to managed configuration, and can optionally reverse the changes. Radmind does not have a higher-level abstraction for configuration elements (services, packages). A graphical interface is available (only) for Mac OS X.
Rollout
Rollout is a system developed to automate system administration on UNIX servers. It is primarily focused on Linux, but could be adapted to Solaris, HP-UX, AIX, etc. It is written purely in Perl, and the configuration is also a Perl source file. Some Perl knowledge is required to edit the configuration, but copy-and-paste may suffice.
Salt
Salt started out as a tool for remote server management. As its usage has grown, it has gotten a number of extended features, including a more comprehensive mechanism for host configuration. This is a relatively new feature facilitated through the Salt States component. With the traction that Salt has gotten in the last bit, the support for more features and platforms will continue to grow.
SmartFrog
Java-based tool to deploy and configure applications distributed across multiple machines. There is no central server; you can deploy a .SF configuration file to any node and have it distributed to peer nodes according to the distribution information contained inside the deployment descriptor itself.
Spacewalk
Spacewalk is an open source Linux and Solaris systems management solution and is the upstream project for the source of Red Hat Network Satellite. Spacewalk works with RHEL, Fedora, and other RHEL derivative distributions like CentOS, Scientific Linux, etc. We are working on getting it packaged for inclusion in Fedora. It allows you to inventory your systems (hardware and software information), install and update software on your systems, collect and distribute your custom software packages into manageable groups, provision your systems (from bare metal via KOAN and cobbler), manage and deploy configuration files to your systems, monitor your systems, provision virtual guests, start/stop/configure virtual guests, and delegate all of these actions to organisations with fine-grained local or LDAP user controls and system entitlements.
STAF
"The Software Testing Automation Framework (STAF) is an open source, multi-platform, multi-language framework designed around the idea of reusable components, called services (such as process invocation, resource management, logging, and monitoring)." [27] There are STAF plugins to perform a variety of common configuration management functions, such as distributed scheduling, execution, and file copying.
Synctool
Python based command line tool that uses SSH with host-based authentication and rsync to copy an overlay tree to a machine or group of machines. Synctool is designed to be easy to learn and easy to use. Default behaviour is to show a preview of what files would be updated on which machine; then the admin can either view the changes in more detail or deploy them. Synctool was created by SARA system expert Walter de Jong.

References

  1. Key Pair: Uses public/private key pairs and key fingerprints for mutual authentication, like SSH.
  2. Secure Shell: Uses the Secure Shell protocol for encryption.
  3. Certificate and Passwords: Uses SSL X.509 certificate and fingerprint for clients to authenticate server, and passwords for server to authenticate clients; clients should only share the same password if they are allowed access to each other's configuration data.
  4. SSL: Uses the Secure Sockets Layer / Transport Layer Security (TLS) for encryption.
  5. cdist uses ssh as the underlying transport mechanism.
  6. Custom: Uses code specific to the software for this function.
  7. Per request signed headers and pre-shared keys.
  8. Uses SSL X.509 certificate for clients to authenticate server, and RSA public/private keys for server to authenticate clients.
  9. HMAC: Uses HMAC signatures on all network traffic.
  10. Improved security which would include an encrypted, mutually authenticated, peer-to-peer message bus is tracked here.
  11. LCFG does not provide its own transport mechanism; it relies on an external program, most often Apache. Using Apache it should be possible to do mutual authentication in several ways; however the documentation at The Complete Guide to LCFG, Section 9.4: Authorization and Security, shows access control based on IP address ranges, implying that the client does not authenticate itself to the server via an SSL certificate; it also does not mention if the LCFG client checks the validity of the server's SSL certificate (such as via a per-site fingerprint distributed with the client, or a chain of trust to an accredited CA). It mentions that there can be a per-client password in the profile, but also states that "The contents of the LCFG profile should be considered public".
  12. LCFG supports encrypted communications channels (SSL via Apache); however the documentation at The Complete Guide to LCFG, Section 9.4: Authorization and Security, states that "The contents of the LCFG profile should be considered public".
  13. Server authenticates to client, but client does not authenticate to server. See OCS Inventory NG Installation and Administration guide, page 114.
  14. SSH: Uses SSH for mutual authentication and underlying transport mechanism.
  15. Key Pair: Uses SSH private/public key authentication.
  16. It is not clear if PCfengine's networking code was ever completed. The README states that libdnet is used, which doesn't look like it supports any kind of strong network security.
  17. PIKT uses shared secret keys for mutual authentication. "As an option, you can use secret key authentication to prove the master's identity to the slave. [...] If one managed to crack any system in the PIKT domain, one would have access to all common secrets. To solve this problem, you may use per-slave uid, gid, and private_key settings." - from Security Considerations.
  18. "For file installs, file fetches (to diff against the central configuration), and command executions, you can optionally encrypt all such data traffic between master and slave." - from Security Considerations.
  19. Certificates: Uses SSL X.509 Certificates for mutual authentication. Can use any SSL Certificate Authority to manage the Public Key Infrastructure.
  20. "Client to server authentication and vice versa: on one hand, this allows to enforce access policies to sensitive data according to the client "name", on the other hand, clients are guaranteed to talk to the original server." - from Quattor Installation and User Guide: Version 1.1.x, page 70
  21. "[...] secure information transfer, since data are encrypted: this prevents eavesdroppers from obtaining information in transit over the network." - from Quattor Installation and User Guide: Version 1.1.x, page 70
  22. "SSL certificates can also be used to authenticate both the Radmind server and the managed clients, regardless of DNS or IP-address variation." - from Radmind: The Integration of Filesystem Integrity Checking with Filesystem Management
  23. "For network security, Radmind supports SSL-encrypted links. This allows nodes on insecure networks to be updated securely." - from Radmind: The Integration of Filesystem Integrity Checking with Filesystem Management
  24. See Using the new SmartFrog Security
  25. The release that SmartFrog pushes from its own site is 3.17.014 of 2009-09-04
  26. Salt States provides much of the host configuration functionality of Salt
  27. 2.5, 2.6, and 2.7
  28. See [1]
  29. Spacewalk inception date; June 2008
  30. Heya Spacewalkers, Spacewalk 1.0 has been released!
  31. Network Trust: Trusts the network, like rsh.
  32. User-only Auth: User authenticates to server via password, but uses Network Trust to authenticate user to server, like telnet.
  33. There is a feature request for a Secure TCP/IP Connection Provider, and one of the developers stated on 2007-04-05 that "You will need to download the source code for OpenSSL and point the build files at it. Other than that, it should just work.", so it looks like there may be working encryption if you build from scratch instead of using the prebuilt binaries. It is unclear what if any authentication building against OpenSSL would give STAF.
  34. Encap, RPM, and POSIX File Support Only
  35. FreeBSD
  36. Debian, Ubuntu; Gentoo; RPM-based distributions (CentOS, Mandrake, Red Hat, RHEL, SLES, SuSE)
  37. POSIX File, Launchd, and MacPorts Support Only
  38. NetBSD
  39. OpenBSD
  40. Support for Darwin, Mac OS X's *BSD base, via Darwin Ports
  41. Chef is known to run on AIX, but does not have any platform-specific providers.
  42. Chef will run on HP-UX, but does not have any platform-specific providers.
  43. Windows support is a work in progress.
  44. "Recent versions run on Fedora Core (3, 5, 6). Various people have ported some of the LCFG core to other Linux distributions, such as Debian, but these ports have not been incorporated"
  45. "There has been an experimental port to Mac OS X, which does work and includes some Mac-specific components. However, this is not production quality and the lack of uniform packaging system under Mac OS X means that automatic management of installed software is likely to be difficult."
  46. "LCFG core has been ported back to Solaris and we are using this in production, although the software has not been packaged for distribution, and is not so well supported"
  47. Digital Unix; IRIX
  48. Written in Java, so should in theory work on this platform if there is the appropriate JVM version available for it; however it has not been tested on the platform, which should be considered unsupported.
  49. Will run anywhere Python runs, but handlers for different platforms are untested.
  50. See [2]
  51. Support for NIMOL feature request
  52. "Spacewalk works with RHEL, Fedora, and other RHEL derivative distributions like CentOS, Scientific Linux, etc"
  53. Managing Solaris Systems
  54. 4.3.3+ (Power 32); 5.1+ (Power 32/64)
  55. FreeBSD 4.10 (x86-32); FreeBSD 6.1+ (x86-32)
  56. 11.00+ (PA-RISC 32, IA-64)
  57. (x86-32, x86-64, IA-64, PPC 64, zSeries 32/64)
  58. [3]10.2+ (?)
  59. 2.6+ (Sparc 32); 10+ (x86-32, x86-64)
  60. 95, 98, Me, NT4, 2000, XP, 2003, Vista (x86-32), 7 (x86-32), 7 (x86-64); 2003, Vista (x86-64); 2004 (IA-64)
  61. OS/400 5.2+ (iSeries 32); z/OS Unix 1.4+
  62. http://www.opsi.org/features/
  63. http://uranos.sourceforge.net/

Wikimedia Foundation. 2010.