On 31-07-2014 19:47, Zach Leslie wrote:
> Yes, and Puppet can exec those commands for you. Tools like fail2ban
> can manage the local system's table, but can't (to my knowledge)
> distribute the contents of that table to other systems in the
> environment dynamically. PuppetDB gives you this and more.

Pfsync just syncs states. But writing a simple script to run pfctl across all the firewalls is simple. Even share the database. Using puppet just because of this is overkill.

> I hear you that people should be competent in what they are doing.

Competence is different than knowledge. They generally go together, but just knowledge does not make you competent.

> Configuration management tools, like Puppet, can quickly abstract
> knowledge of a particular technology away from the user and isolate
> understanding for said technology to a smaller group of people with
> those skills. This is the nature of technology, though, is it not?
> Abstractions built on abstractions, packages including libraries, etc.
> There is an inherent trust in the tools and, more importantly, the
> authors of those tools. This does not mean that the "recipes" (as you
> put it) are inherently bad, or manage a system poorly, or that great
> care cannot be taken to manage a system effectively, and securely. Ha,
> but there is also lots of bad code in the world. Such is life.

Of course. But the problem is a false sense of rightness and security that these tools give to people who are not aware of all the implications. If you read a recipe and do not understand all that it does, then how can you be sure it won't mess with your system?

> The trust in a system's authors is one of the major reasons I use
> OpenBSD in critical infrastructure without having to know anything about
> how the compiler functions at its core. Without this trust, we'd still
> be smacking coconuts against rocks instead of building bridges to the
> "UberTech", so to speak.

Don't get me wrong. I like these tools. But, for a few servers, I prefer to manage them directly. I'm warning that these tools need proper use; they are not a one-size-fits-all solution.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
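The "simple script to run pfctl across all the firewalls" mentioned above, as an added example that is not part of this thread or of any poster's own tooling. It assumes a pf table named badhosts, firewalls fw1 and fw2 reachable over ssh, and a constructed sample blocklist; the script filters the source file down to plain IPv4 addresses or prefixes before it reaches pfctl, and defaults to a dry run so it can be inspected without touching any host.

```shell
#!/bin/sh
# Added example (not from the thread): push one pf table of blocked
# addresses to several firewalls with ssh + pfctl, no config management.
# Table name, firewall hosts and the blocklist are assumptions.

TABLE="${TABLE:-badhosts}"          # pf table name (assumed)
FIREWALLS="${FIREWALLS:-fw1 fw2}"   # hosts reachable over ssh (assumed)
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands, do not run them

# Constructed sample blocklist: comments, duplicates and junk lines included
# on purpose, since that is what a hand-maintained list tends to contain.
SAMPLE="${TMPDIR:-/tmp}/blocklist.$$"
printf '%s\n' '# constructed sample blocklist' '203.0.113.7' \
    '192.0.2.0/24' 'not-an-address' '203.0.113.7' '10.0.0.5' > "$SAMPLE"

# Keep only lines that are an IPv4 address or a CIDR prefix, deduplicated.
# Anything else (comments, hostnames, typos) is dropped so a stray line
# cannot become a pfctl parse error or an over-broad block.
sanitize_table() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$1" | sort -u
}

# The pfctl invocation that atomically replaces the table on one host;
# "-f -" makes pfctl read the address list from stdin.
table_replace_cmd() {
    printf 'ssh %s pfctl -t %s -T replace -f -\n' "$1" "$TABLE"
}

# Push the sanitized table to every firewall. In dry-run mode the command
# that would run is printed instead; otherwise the list is piped over ssh.
push_table() {
    src="$1"
    for fw in $FIREWALLS; do
        if [ "$DRY_RUN" = 1 ]; then
            table_replace_cmd "$fw"
        else
            sanitize_table "$src" | ssh "$fw" pfctl -t "$TABLE" -T replace -f -
        fi
    done
}

push_table "$SAMPLE"
```

Run it with DRY_RUN=0 once the hosts and table name match your environment; because `-T replace` swaps the whole table in one step, a firewall never sits with a half-loaded list, and an entry removed from the source file disappears from every firewall on the next run.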