We want to provide solution on configuration drift to our Customer using chef. I have below questions on how chef can handle some of the challenges of configuration drift.
1. Chef manages only a sub-set of a machine's state. Other configurations which are not part of Chef configuration management get changed which causes configuration drift. How can we handle this
2. Can we use Chef for rebuilding virtual machines frequently
3. How can we re-build machines for configuration drift which are not on virtualized environments
4. How can we use Chef to setup the configuration drift management of already existing infrastructure
to me it would seem like you have more of a cultural problem than a technical one.
but here goes:
- yes it manages policy only what it was told to
- yes
- the same as #2
- yes you can just bring in chef and make it begin managing things - but you should test what the impact of doing so is
Back to why I believe you have a cultural issue and not a technical one.
- Those questions seem more about someone coming to the table with
‘hey we have a problem - we have configuration drift - how will chef fix that for us?’
The truth is - it can try but if the culture of people that allowed config drift to continue is still in place - nothing will fix that! I’ve seen places just have the mindset of turning OFF chef-client so they can continue to hack on things by hand…
You need a cultural change as well as a technical one. As in unless you make things happen that prevent the ability to even continue on the old path , then all you’re doing is adding a lot of technical workarounds for cultural (human) problems!
I would:
- start a process document for how systems will be built from now on (hint they will use chef and they will control all the critical aspects of the systems [ you need to document what that is and get feedback on it before jumping into it])
- Setup security policies (only the people that need to change something should be able to) this will help a lot in the ‘drift’
- whether its a VM or a physical machine they should all be built the same way… using a set of recipes / cookbooks / roles / procedures that allow all systems to work and be built the same way
- start using test kitchen / vagrant to let people ‘play’ with chef instead of on live systems.
Either way chef can help you with some of the traditional server management tasks (making you scale up a bit better and less people per servers etc) but at the end of the day - you need buy in from management and you need buy in from your peers… or else you will be back here a while with nowhere to go and no support from the people you need support from.
Best of luck
1 Like