What are configuration management tools?

3 readers like this.
Two different paths to different outcomes


For most people, computers don't stay the same. Software is added, removed, and updated. Configurations are changed. Think about the changes you've made to your computer since the first time you booted it up. Now imagine making those changes to 10, 100, or 1,000 more computers. Configuration management tools are what make implemententing and enforcing these changes possible.

Proto-configuration management

Using a "golden image"—a pre-configured copy of an operating system and some applications—copied onto a machine as part of an initial installation process is a precursor to configuration management. Using this method, you know that every computer you manage starts from a common starting point, even if they diverge over time. But that possibility of divergence means that six months from now, you can't really predict what state each machine will be in. And golden images aren't very flexible.

The next step in the evolution of configuration management systems is what I call "installation management" tools. These provide more flexibility and basically allow the automation of a "normal" installation. Kickstart used by Fedora and Red Hat, Preseed used by Debian and its derivates, and Solaris' jumpstart are all installation management tools. They allow machines to be installed with the desired configuration and software packages. Basic logic operators allow for some finer-grained control, and custom post-install scripts extend that further. But subsequent changes are still a manual process.

Configuration management features

Enter configuration management tools. Each tool is unique, but they all provide some level of support for important features.

Enforcement. Configuration enforcement may be the single most important feature of a configuration management tool. By running regularly and ensuring the machine is configured to the desired state, configuration management tools prevent configuration drift. Configuration drift can happen in a variety of ways: Package updates, live debugging, "helpful" coworkers, etc. Whatever the cause, being able to say with confidence, "This is how this machine is configured," is a great way to shorten incident resolution time and reduce surprises.

Enables cooperation. Configuration management tools make it easier for team members to cooperate. With one change, configuration can be updated across the entire infrastructure. Hand-editing configuration on machines can only lead to unexpected differences. By putting all of the configuration in one place, you can keep from stepping on someone else's (including future you) toes.

Version control friendly. Of course, the best way to enable cooperation is to have everything in a version control system. All of the tools listed below use some form of text for configuration. This means you can take advantage of the benefits of your favorite version control system. The benefits of version control are beyond the scope of this article, but let me assure you from experience that you really, really want your configuration in a version control system.

Enables change control processes. Because configuration management tools are textual and VCS-friendly, you can treat infrastructure changes like code. Changes can be submitted as diffs or merge requests and be subject to code review before approval. Having explicitly enumerated changes with timestamps can make reconstructing incidents much easier. With atomic changes, you can release them at a rate you're comfortable with instead of throwing a bucket of changes at your infrastructure all at once.

Abstraction. Few sysadmins maintain completely homogeneous environments. Even if you're an all-Linux shop, you probably have multiple distros that you support, or at least multiple versions of a distro. With configuration management tools, many of the operating-system-specific implementations of a configuration are abstracted away for you. The same configuration file can be used to manage, for example, the installation of Apache HTTPD on both Red Hat and Ubuntu systems.

Some configuration management tools

Great configuration management tools exist today and are just waiting for you to try them out. The table below lists some of the most popular tools, but there are many more out there. Most configuration management tools these days support Windows and Unix in addition to Linux.

Tool Language FLOSS version
CFEngine C CFEngine Community
Puppet Ruby Open Source Puppet  
Chef Ruby Chef
Ansible Python Ansible
SaltStack Python SaltOpen

Why you should use configuration management

If the preceding 800 words haven't convinced you, try this anecdote on for size. Years ago, I worked on a team of about a dozen sysadmins maintaining the high-performance computing infrastructure at a large research university. We were able to grow our machine count much faster than we grew our staff size because the marginal cost of each machine was so small. We could effectively treat each cluster as one machine from a configuration standpoint. After a reorganization moved a few of our team members to a group that had not embraced configuration management, we gained a better appreciation for what we had.

One day at lunch, one of our unlucky colleagues told us that in the 130 or so machines his group maintained, there were nearly 100 variations of the same configuration file. Most of them were functionally identical, which made it even worse. How much cogntive overhead was added by having to remember which changes were significant and which machines had those changes? And how much effort was involved when that file needed to be changed? Whether you maintain 5,000 machines or five, configuration management tools make the job easier.

User profile image.
Ben Cotton is a meteorologist by training, but weather makes a great hobby. Ben works as the Fedora Program Manager at Red Hat. He is the author of Program Management for Open Source Projects. Find him on Twitter (@FunnelFiasco) or at FunnelFiasco.com.


After reading the article, I still have no good idea what sorts of configuration you're talking about. Maybe some concrete understandable examples would help.
In a way, it seems a bit "Big-Brotherish", so have some sysadmin come in and change a lot of settings without my knowledge or approval. To some extent (and only to some extent) variety is the spice of life, so maybe some variation should be tolerated or even encouraged.

Greg, thanks for your comment. The context is basically "anything that runs on the system." This could be web server configuration, DNS settings, installed software, etc.

As for the "big-brotherish" part, that's a political question, not a technical one. If there's a sysadmin managing your desktop, then approval for changes is not yours to give. If you manage your own desktop, then you would be the sysadmin in that context.

In reply to by Greg P


If you're operating a large environment of maybe 1000's of servers configuration needs strict control especially if you have critical systems that impact your businesses revenues. Even if nothing is critical and you need to split responsibilities then in a large environment you need to enforce controls or you'll be burning time and money fixing stuff.

In reply to by Greg P

Ha! That ad is a classic. Thanks for reminding me about it.

In reply to by TweetingToDist… (not verified)

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.