Puppet and Chef have each developed considerably—suffice to say, we’re lengthy overdue in revisiting these two heavy-hitters. On this article we’ll take a recent take a look at their core elements together with new ecosystem instruments and integrations that proceed to place them as main enterprise IT automation platforms.
Some previous differentiators—like every platform’s respective declarative/procedural strategy and underlying programming language—have been mentioned advert nauseum. And as each options proceed to develop extra highly effective and complicated, mentioned variations are actually much less related. For the needs of this comparability we’ll as a substitute deal with how properly they remedy IT and steady supply challenges confronted by at the moment’s enterprises.
Chef
Merely labeling a instrument as a DevOps resolution doesn’t make it so. It should deal with modern IT challenges in constructing/managing high-velocity organizations whereas facilitating fixed enchancment and collaboration between teams. Instruments—as important brokers of change—are instrumental in each managing expertise in addition to shaping tradition:
“The tools we use reinforce the behavior; the behavior reinforces the tool. Thus, if you want to change your behavior, change your tools.”– Adam Jacob, CTO, Chef
Chef extends this notion additional by utilizing martial arts as a metaphor for DevOps, particularly—Kung-fu. Beneath is a breakdown of Chef’s specific faculty of DevOps Kung-fu:
DevOps + GongFu. Supply: Chef.
Certainly, lots of the tenets highlighted above (e.g., accumulate metrics, combine and ship repeatedly, put purposes and infrastructure via the identical workflow) are manifest in Chef 15.
Chef Options and Highlights
On the fundamental degree, Chef is a instrument for automation, provisioning and configuration administration. The platform is made up of the next elements:
Chef Server: the primary hub the place Chef propagates and shops system configuration data and insurance policies (i.e., recipes and cookbooks). The Chef administration console is the net consumer interface for Chef Server.Chef Shopper: put in on each node being managed, the Chef Shopper performs configuration duties on the native machine.Chef Workstation: permits designated workstations to writer/check/preserve cookbooks and add them to Chef Server. Workstations are additionally used when using the Chef growth equipment bundle.Chef Analytics: a platform that gives actions and run historical past, real-time reporting, and notifications round Chef automation actions.Chef Grocery store: an open supply listing of community-contributed cookbooks
Steady Supply With Chef Automate
Conventional Puppet vs. Chef comparisons normally depict the latter as being extra developer-friendly, with favorites like Chef’s Knife Plugin Structure and the Chef Developer Package (Chef DK) relegated largely to developer use. On the 2015 ChefConf occasion, a brand new DevOps workflow product was launched: Chef Supply, a set of instruments that added but extra developer-friendly options like complete codebase change histories, metrics, and permissions administration to the platform. Chef has since constructed these automation and steady supply into Chef Automate, a platform that brings collectively all of Chef’s infrastructure automation instruments.
Chef Automate’s automated testing and steady integration/supply instruments embody options akin to a shared workflow pipeline, collaboration capabilities, and enhanced analytics—in addition to ecosystem integrations with AWS, Azure, and Docker, to call just a few. Although these enhancements are little doubt a boon to Chef’s developer group, Chef’s aspirations arguably have little to do with changing into a developer-centric automation instrument and extra with constructing a complete platform for DevOps pipeline administration.
Improved Safety With Chef Vault
Buyer and/or group customizations very often turn out to be so widespread and integral that they discover their manner into bonafide product releases. That is definitely the case with Chef Vault, a undertaking began by Nordstrom to enhance upon the platform’s inherent safety mechanisms. Chef can natively retailer delicate knowledge (e.g. SSL certificates keys, database passwords) in encrypted “data bags”—repositories of key/worth pairs—for safe and easy accessibility. Administration of those knowledge luggage, nevertheless, is a tedious and error-prone course of. Chef Vault offers an extra layer of safety that permits simpler administration of those encrypted knowledge luggage.
Chef Vulnerabilities
Per the Frequent Vulnerabilities and Exposures (CVE) database, Chef has a complete of 3 reported vulnerabilities of medium severity:
Chef additionally maintains an ongoing listing of safety notes that present prospects correct remediation tips in addressing safety shortcomings of the platform.
Chef Cybersecurity Danger Profile.png "Chef vs Puppet | Cybersecurity 3")
We have taken a take a look at Chef’s web site to see if we might uncover any any potential cybersecurity dangers that might end in knowledge leaks or knowledge breaches.
Not surprisingly, Chef, a comparatively refined expertise firm scores a decent B safety ranking (770/950).
Amongst its most important dangers are an insecure SSL/TLS model leaving it open to man-in-the-middle assaults. An absence of DMARC and DNSSEC.
Study extra about threat elements for the chef.io web site or get your personal safety ranking at no cost.
Puppet
As talked about beforehand, Puppet is taken into account a extra operations and sysadmin-oriented resolution when in comparison with Chef, although once more—these role-based distinctions have gotten much less related with every launch. DevOps practitioners—each builders and operations workers alike—attempt to realize optimum situations for steady integration/supply. Tooling is subsequently more and more evaluated based mostly on its capacity to realize these ends successfully and effectively within the context of an enterprise’s distinctive wants. However, Puppet has loved important first-mover benefits through the years, and although each Chef and Puppet have been neck-to-neck market leaders for the reason that early days of IT automation, the latter boasts an extended business monitor report and bigger set up base.
At the moment on model 6.11, Puppet is often deployed in a consumer/server configuration with managed nodes periodically synchronizing their configurations with the server. Reporting (e.g., outcomes from automation runs, errors/exceptions) and different data is shipped by the shoppers again to the server for combination evaluation and processing. The next graphic is a fundamental illustration of Puppet’s knowledge circulate:
Puppet’s knowledge circulate. Supply: Puppet Labs.Puppet Options and Highlights
Puppet automation works by implementing the specified state of an surroundings as outlined in Puppet Manifests—information containing pre-defined data (i.e., sources) describing the state of a system. The core elements that comprise Puppet are as follows:
Puppet Server – the central server that manages Puppet nodes (brokers)Puppet Agent – consumer software program put in on managed nodes that permits communication and synchronization with the PuppetmasterPuppet Enterprise Console – an online GUI for analyzing reviews and controlling infrastructure resourcesPuppetDB – knowledge storage service for Puppet the information produced by Puppet
Different key elements price mentioning over others embody MCollective, a framework for supporting server orchestration or parallel job execution, and Hiera—a hierarchical key/worth lookup utility for offering node-specific configuration knowledge to Puppet (for holding site-specific knowledge out of manifests). Puppet has built-in MCollective, Hiera, and a myriad of different open supply tasks into its platform to supply complete automation and administration of mission-critical enterprise infrastructures. Many community-contributed add-ons are additionally accessible on Puppet Forge—an expansive library of open supply modules for extending the platform’s options and capabilities.
The Puppet Enterprise Console. Supply: Puppet Labs.Updates to Puppet Node Supervisor
Puppet’s Node Supervisor allows the creation of guidelines round node attributes, which permits for simpler extra environment friendly node administration. With Node Supervisor, nodes could be managed based mostly on their job fairly than identify, eliminating the necessity to manually classify every node. New updates embody highly effective provisioning capabilities for Docker containers, AWS infrastructure and bare-metal machines.
Introducing Puppet Code Supervisor
Puppet has been a mainstay of the DevOps motion since its inception and continues to deal with the enterprise’s steady integration/supply necessities. The idea of “infrastructure-as-code” entails utilizing software program growth greatest practices to handle infrastructure configurations and provisioning particulars—together with code evaluation, model management, and collaborative growth, amongst others. And like Chef, Puppet’s platform has developed in response to the rising wants for a complete mechanism to handle the continual supply pipeline.
Out there since Puppet Enterprise 3.8, Puppet Code Supervisor offers a constant, automated option to change, evaluation, check and promote Puppet code in a steady supply framework. Based mostly round R10K—a common objective toolset for deploying Puppet environments and modules by interfacing with a model management system—Puppet Code Supervisor accelerates the deployment of infrastructure by rendering it a testable and programmatic course of. And by enabling straightforward integration with Git for model management, this newest addition to the Puppet platform additional blurs the road between software program and infrastructure.
Software program Outlined Networking (SDN)
SDN is a brand new paradigm for networking that decouples community management and forwarding from bodily infrastructure, enabling agile administration of community sources in quickly altering environments. Simply as cloud computing allows IT to shortly spin up compute and storage cases on-demand, SDN replaces inflexible (and typically guide) community operations with dynamically provisioned community providers and sources.
This new mannequin for networking is proper consistent with Puppet’s advocacy of “infrastructure as code.” As such, the corporate has made important strategic initiatives and partnerships in help of SDN. For instance, Puppet Labs not too long ago introduced a partnership with Arista Networks—a number one developer of SDN switches—to supply automation help to the seller’s SDN gear line. This and different related partnerships (e.g, Cumulus Networks, Dell, Cisco) will place Puppet favorably over competing distributors as soon as SDN applied sciences achieve widespread adoption.
Puppet safety and vulnerabilities
No software program is with out its share of vulnerabilities, and Puppet definitely has its personal. The corporate actively maintains a repository of Puppet safety disclosures, with an entire listing of reported vulnerabilities accessible through the CVE database. As of this writing, 79 vulnerabilities have been documented throughout Puppet’s ecosystem, with a mean severity degree of medium, and most of those making use of to open supply Puppet and Puppet Enterprise. Chef doesn’t preserve a CVE database for all of their merchandise. The one product they’ve issued CVEs for, Chef, incorporates 3 CVEs from 2012.
Puppet Cybersecurity Danger Profile
Puppet’s total threat rating, as measured by the Upguard Cybersecurity Score scores an A (903/950), a lot increased than Chef’s B ranking.
Like Chef it additionally does not make the most of DNSSEC.
Study extra about threat elements for the puppet.com web site or get your personal safety ranking at no cost.
Chef vs Puppet: DSL Variations and Ease of Use
Whereas Chef and Puppet are a lot nearer in design than radically completely different configuration administration instruments akin to Ansible. The primary main distinction is that instruments like Ansible depend on an agentless structure, whereas each Chef and Puppet use a master-agent or puppet-slave, agent based mostly structure. For Ansible, configuration administration adjustments are propagated from any work machine through SSH fairly than shoppers on the nodes. The second main distinction from these different instruments is the usage of the Ruby programming language upon which Chef and Puppet are constructed. In everyday utilization, nevertheless, you’ll discover delicate variations between Chef and Puppet, thanks largely to every platform’s utilization of a singular area particular language to automate configuration administration.
First up, the Chef DSL seems syntactically like Ruby, actually, it’s a normal Ruby DSL with particular features and key phrases added in to deal with infrastructure and utility configuration throughout OS platforms that embody Linux, Home windows, and extra. As a result of the Chef DSL permits you to write regular Ruby code alongside calling the Chef particular features and utilizing Chef particular key phrases, it comes with a decrease studying curve for these devops groups that use Ruby usually for his or her work. For instance, getting a Ruby developer up and working with Chef will in all probability take lower than a single afternoon and some fast Google searches. This isn’t the case with Puppet, which makes use of a DSL that, whereas declarative, strays removed from customary Ruby syntax.
To see these two at work, contemplate the next code instance which installs the Apache net server.
Chef:
bundle “apache2” do
motion :set up
finish
Puppet:
class apache {
bundle { ‘apache’:
identify => $apachename,
guarantee => current,
}
}
The DSL variations are superficial once you take a look at easy use circumstances, however they result in completely different baked in results. Chef, for instance, tends to be very versatile since you may accomplish no matter you need utilizing customary Ruby helpers and features. All of the expressive energy of Ruby is out there to you. This has each benefits and disadvantages, notably that you simply introduce pointless complexity that could be onerous for maintainers of your Chef recipes to untangle.
Puppet’s DSL has the energy that it retains most duties easy and there’s typically one certain option to do issues. The draw back is that in case your workforce has complicated configurations to deal with, you will see that your self preventing towards the constraints imposed by the DSL. It’s been famous that Chef’s DSL is pleasant to Ruby builders whereas Puppet’s DSL is extra pleasant and nearer to system directors who may want a configuration language not removed from XML or different declarative config information. Such a view stays true, although, as famous, each platforms accomplish basically the identical duties for probably the most half.
Chef vs Puppet: Microservices and Containerization Assist
The recognition of containerization and instruments akin to Docker and Kubernetes have impacted the best way purposes are deployed. As purposes have developed from a monolithic structure to granular microservices, the position of conventional configuration administration instruments has been referred to as into query. In spite of everything, containerization platforms akin to Google Kubernetes Engine and Amazon ECS include instruments for configuring containers within the cloud.
Chef has embraced containerization and constructed instruments to help the construct and deployment of containerized purposes. Its open supply Chef Habitat instrument, accessible on Github, offers you an entire app lifecycle administration instrument that performs properly with Docker, Kubernetes, and different containerization instruments. Habitat’s versatility permits it to construct and deploy conventional purposes, akin to legacy Java or Python purposes, simply as simply as granular microservices, via the usage of a plan.sh file that gives all the main points wanted to construct your utility. Habitat integrates properly with conventional devops instruments akin to Jenkins, and deploys to a lot of platforms, together with Crimson Hat Linux, different Linux distros, Mac, Home windows, and Unix. The bundle export codecs accessible in Habitat are set to develop sooner or later, however already, Docker is included. The total listing options:
Docker ACI MesosTarcloudfoundry
Puppet has additionally built-in mechanisms to make it straightforward for system directors to handle and deploy containerized purposes. Puppet has had a number of supported modules for putting in and managing Docker, together with downloading and configuring Docker pictures. The newest model of the Puppet Docker module accessible in Puppet Forge allows the working and managing of Docker containers utilizing Puppet code. Puppet’s Docker module helps the next working methods:
RedHatLinuxWindowsUbuntu Debian CentOSTest Automation for Chef and Puppet Code
Good code practices embody testing your code early and infrequently, with test-driven growth practiced popularly throughout sections of the tech business. The transfer of infrastructure configuration to infrastructure as code (IaC) facilitated by devops instruments akin to Chef and Puppet means that there’s higher scope for working light-weight checks to confirm any adjustments that will likely be rolled out in your infrastructure.
Puppet’s growth equipment, the PDK, offers instruments for unit testing in addition to validating the syntax of your Puppet code information, together with your metadata.json file which tracks all of the module’s metadata in JSON format. Puppet depends on customary instruments, together with RSpec and Cucumber, for testing your Puppet code.
Chef, however, helps all of the above and in addition consists of highly effective instruments for testing the correctness and compliance of your infrastructure code. The primary of those instruments is ChefSpec, a framework that extends RSpec’s capabilities to permit testing your recipes as a part of a simulated Chef Infra Shopper run. A plethora of examples can be found within the ChefSpec Github repository that will help you get began.
One other complete testing instrument for Chef recipes is Kitchen, which permits integration testing of your Chef cookbooks and infrastructure code, with a driver plugin structure that checks your code on virtualization and containerization instruments akin to Vagrant and Docker, in addition to cloud platforms.
Kitchen even consists of help for integration testing configuration administration code run by different configuration administration instruments akin to Ansible and Saltstack. For these use circumstances, particular provisioners are required, which can be found as open supply libraries on Github. The Chef integration testing and compliance testing ecosystem is far more featureful than that provided by Puppet. Chef’s ecosystem additionally consists of Chef Automate, an enterprise degree instrument to automate safety compliance and handle your infrastructure’s automation from a single dashboard.
When to Select Chef Over Puppet
Now that we’ve seen how these two platforms work underneath the hood and the way they accomplish lots of the similar issues, a phrase about choosing the proper platform in your workforce’s necessities. One instrument will likely be a greater match for one surroundings and set of necessities versus one other, and that is one thing you should severely ponder earlier than making the choice in your workforce.
To start, you may select Chef in environments the place you wish to account for complicated configuration administration eventualities akin to deploying to a number of targets within the cloud and on virtualization platforms. Chef’s design performs properly in eventualities the place you want the complete energy of the Ruby programming language to code your recipes, with little in the best way of constraints to do issues a sure manner.
The Chef ecosystem, specifically Chef Habitat, has you lined in relation to constructing your purposes to run on nearly any system you take into account, and this can assist simplify your containerization workflows with Docker or Kubernetes. Chef has wonderful help for the open supply group and different instruments your enterprise might use, akin to Kubernetes, Nagios, Docker, and extra. Integrations can be found for cloud platforms like Rackspace, with Amazon EC2 going a step additional by integrating Chef servers through the AWS OpsWorks for Chef Automate service. In an indication of its open supply dedication, in April 2019, Chef’s CEO introduced in a weblog publish that Chef can be making all its merchandise open supply. As soon as your workforce has mastered Chef as soon as, you’ll proceed reaping the dividends by utilizing Chef experience throughout its huge, open supply, ecosystem.
When to Select Puppet Over Chef
Puppet, with its declarative model, appeals to organizations that desire a dependable and simple to make use of instrument for configuration administration. This philosophical distinction stands out starkly from a instrument like Chef, which, whereas equally highly effective, takes much more programmatic effort, involving the usage of pure Ruby and the Chef DSL. The choice to make use of Chef imposes a steeper studying curve for non Ruby builders. The declarative model of configuration administration comes with numerius strengths, together with ease of upkeep and holding configuration implementation constant throughout the workforce.
Puppet has these benefits in widespread with different declarative CM instruments akin to Ansible, which makes use of the YAML format for composing configuration playbooks in a declarative model. In case your devops workforce consists of a excessive variety of system directors who’re probably extra aware of declarative configuration information, then utilizing Puppet will higher fit your workforce. Puppet is a way more opinionated configuration administration instrument than Chef, and will, arguably, work higher on very massive groups the place Puppet, by design, locations in-built constraints on code model.
Abstract
Chef and Puppet proceed to develop their automation platforms in response to the wants of the DevOps-enabled enterprise, with new options akin to Chef Supply and the Puppet Code Supervisor serving to to streamline the continual integration/supply pipeline. Each distributors are forging partnerships that will finally outline—as Chef would put it—what faculty of DevOps a specific group belongs to. Previously, the 2 partnered with Microsoft to combine their platforms with Azure, and Puppet—no stranger to being a primary mover—was early to make key alliances with main SDN distributors to place it favorably because the expertise takes maintain. So in case your group plans on adopting SDN, Puppet could be a stronger candidate on this respect.
Safety is an enterprise-wide concern today and must be taken under consideration when evaluating applied sciences. Chef has made important strides in enhancing its platform’s safety with Chef Vault, although its 3 printed CVE vulnerabilities definitely pale compared to Puppet’s 79. It’s fascinating that Puppet Labs rebroadcasts CVEs for vendored software program akin to ruby whereas Chef doesn’t, regardless of each merchandise together with Ruby as a core part. It’s additionally troublesome to consider Chef hasn’t discovered a vulnerability in any of their software program since 2012.
In brief, each IT automation platforms have matured drastically as enterprise options. We have highlighted a few of Chef and Puppet’s key attributes and advantages—deciding on the suitable possibility comes all the way down to figuring out every platform’s core competencies and figuring out which of those fall consistent with your group’s distinctive wants and necessities. No matter which automation platform you select, Cybersecurity can complement both resolution to spherical out the DevOps toolchain with superior vulnerability evaluation and monitoring, guaranteeing that safety—as a perform of high quality—is baked in at each step of the continual supply course of.
A great rule of thumb is Puppet is like writing configuration information whereas Chef is like programming the management of your nodes. If you happen to or your workforce have extra expertise with system administration, you could want Puppet and for those who’re largely builders, Chef could be the most effective match.
Disclaimer
The cybersecurity threat profiles had been final up to date on December 12, 2019.
Whereas we’re dedicated to representing every firm’s threat profile precisely, this weblog just isn’t the place for actual time threat monitoring, and the above data must be taken as time limit snapshots.
Puppet vs Chef Infographic
