Ok, so the title is a little misleading. Configuration Management is a part of ITIL; however, I’m not going to talk about ITIL, at least not directly.
As an administrator I’m responsible for multiple systems. Some of these are identical, e.g. Apache servers and MySQL servers; some of them provide unique, standalone services. However, they all have some things in common…sshd configuration, log rotation schedules (logrotate), etc.
It’s a PITA to keep up with all of these servers individually. A global change can take quite a bit of time, especially with our ever-increasing number of ESX hosts. So, how do I make my job easier, myself more productive, and next year’s raise larger? Automated configuration management.
The (potential) solution
The *nix world has several open source tools available. Puppet and CFEngine come to mind immediately, along with other projects from the likes of Red Hat (Cobbler), all of which make central management of many servers easy. For Windows admins, I don’t know of any open source projects (I haven’t looked…), but Microsoft has their suite of tools…SMS, etc. There are also some packages distributed by independent companies, such as Opsware (formerly LoudCloud, which developed in-house management software that was eventually bought by HP to become Opsware), which are capable of interacting with many different OSs.
All of these tools make life easier for admins. Using Puppet, you define the rules that a server must comply with…software package “A” must be installed, configuration file “B” must have “this line” in it, etc…and the management suite ensures compliance. This means that you configure one server (to act as your template/tester) and have the configuration applied to all servers. You can even categorize your servers…all of my Apache servers must have the apache rpm installed.
Configuration for things like security is also somewhat easier. Many of the packages listed above enable admins to be notified when certain files are changed. Want to know when the sudoers file was modified? You can be notified and verify that the modification was legitimate. Additionally, permissions and ownership rules can be implemented…/etc/passwd must be owned by root and have 640 permissions…if it doesn’t meet those criteria, make it that way.
Admins are no longer required to log in to each host to verify potentially hundreds of permissions and ownership requirements (have you ever really read the Unix STIG?). You simply set the configuration on the master, tell it to enforce, and the work is taken care of for you.
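To make the "check it, and if it doesn’t match, make it that way" loop concrete, here is an added sketch (not Puppet’s code or anything from the tools named above) of what an agent does for one managed file: compare mode, owner and a content hash against the declared state, repair the permissions, and report content changes for review. The names `converge`, `demo` and `managed_file` are hypothetical, the 640 mode is the one from the text, and it runs against a constructed scratch file rather than a real system file.

```python
import hashlib
import os
import stat
import tempfile


def converge(path, mode, uid, baseline=None, fix=True):
    """Report drift from the declared state; repair mode and owner if fix."""
    findings = []
    # O_NOFOLLOW plus fstat/fchmod on one descriptor: the file that is checked
    # is the file that is fixed, and a symlink planted at `path` is refused.
    with os.fdopen(os.open(path, os.O_RDONLY | os.O_NOFOLLOW), "rb") as f:
        st = os.fstat(f.fileno())
        current = stat.S_IMODE(st.st_mode)
        if current != mode:
            findings.append(f"mode {current:o}, expected {mode:o}")
            if fix:
                os.fchmod(f.fileno(), mode)
        if st.st_uid != uid:
            findings.append(f"owner uid {st.st_uid}, expected {uid}")
            if fix:
                os.fchown(f.fileno(), uid, -1)  # succeeds only as root
        if baseline is not None:
            if hashlib.sha256(f.read()).hexdigest() != baseline:
                # Content changes are reported for review, not reverted.
                findings.append("content differs from baseline")
    return findings


def demo():
    """Constructed scenario: a scratch file stands in for a managed file."""
    approved = b"approved contents\n"
    baseline = hashlib.sha256(approved).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "managed_file")
        with open(path, "wb") as f:
            f.write(approved)
        os.chmod(path, 0o666)  # simulated permission drift
        uid = os.getuid()
        first = converge(path, 0o640, uid, baseline)   # repairs the mode
        second = converge(path, 0o640, uid, baseline)  # already compliant
        with open(path, "ab") as f:
            f.write(b"unreviewed edit\n")
        third = converge(path, 0o640, uid, baseline)
        return first, second, third, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print(demo())
```

The second run returning no findings is the property that matters: enforcement is idempotent, so any non-empty result on a later run is a change somebody made outside the managed configuration.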
What makes me enjoy tools like Puppet even more is the ability to provision servers quickly. What happens if one of my Apache hosts suffers a catastrophic failure? I reinstall the OS and agent, then tell the controller to do its magic…the programs are installed and configuration files put in place.
What does it all mean?
Well, less administrator time per server. Which means (sorry admins) that each person is capable of managing more servers, and/or spending more time on problem management and root cause analysis.
But it’s not all rose-colored glasses and rainbows. Being able to configure servers en masse means that you can also screw up more servers, faster (I’ve seen admin shops refuse to use tools like Opsware, flat out admitting they aren’t competent enough).
At the end of the day, assuming you have a release management process in place to ensure proper testing and verification, automated configuration management of servers can be a terrific time and money (if you’re the pointy haired boss type) saver.
In case you’re interested, there is some excellent reading on managing an infrastructure here. Additionally, a couple of blogs I keep up with on data center management include The Hot Aisle and Datacenter Knowledge. They provide information on all aspects of managing a data center, from servers to power and cooling to data center migration.