Forum: CFEngine Help
Subject: Re: Master to client security, signing?
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,24394,24501#msg-24501

In our environment, cf-serverd handles a bunch of clients well, but 
transferring a bunch of files to one host doesn't seem to work so well.  I have 
a couple of situations where I have a few config files which are specific to 
each individual host.  So with, say, 10K hosts, that's at least ~30K files (I 
started seeing problems at about the 10-15K file point).  While each individual 
host needs to pull down only a couple of files, the distributed cf masters need 
to keep all of those files in sync.  I think the problem is the checksum 
calculation in the clients; the cf-agent processes on the cf masters need to 
calculate a bazillion checksums every time they start up, while the server side 
can keep the calculated checksums cached unless an individual file changes.

In any event, I now keep my entire config structure in subversion (using svn 
externals to map different release branches into a single directory, making 
updates easier), and the policy masters all just schedule an svn update every 
few minutes.  The non-master clients all use cfengine to transfer the files 
after that.  It works very well this way.

Anecdotally: another area in my company is using Puppet in the same 
infrastructure as I'm using CFEngine, and it's probably worth noting that the 
puppetmasters require very roughly 4x the CPU and RAM as the CFEngine masters, 
while the Puppet infrastructure is only servicing about 60% of the environment 
we're handling with CFEngine.  This is likely because so much work is offloaded 
to the puppetmaster, as the file transfer itself is just handled over http(s), 
and Apache itself should be fine with that load.

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
