Forgot your password?
Cloud Technology

Review: Puppet Vs. Chef Vs. Ansible Vs. Salt 141

Posted by samzenpus
from the best-of-breed dept.
snydeq writes "InfoWorld's Paul Venezia provides an in-depth review of Puppet, Chef, Ansible, and Salt — four leading configuration management and orchestration tools, each of which takes a different path to server automation. 'Puppet, Chef, Ansible, and Salt were all built with that very goal in mind: to make it much easier to configure and maintain dozens, hundreds, or even thousands of servers. That's not to say that smaller shops won't benefit from these tools, as automation and orchestration generally make life easier in an infrastructure of any size. I looked at each of these four tools in depth, explored their design and function, and determined that, while some scored higher than others, there's a place for each to fit in, depending on the goals of the deployment. Here, I summarize my findings.'"
This discussion has been archived. No new comments can be posted.

Review: Puppet Vs. Chef Vs. Ansible Vs. Salt

Comments Filter:
  • Oh really? (Score:1, Interesting)

    by mybeat (1516477)
    "That's not to say that smaller shops won't benefit from these tools"
    I call BS on that statement, I run puppet at home for my 2.5 servers, it really simplifies my life.
    • Re:Oh really? (Score:5, Informative)

      by Joining Yet Again (2992179) on Friday November 22, 2013 @06:39AM (#45489273)

      In English, unlike many other languages, a double negative means a positive (sarcasm aside). The guy is agreeing with you.

      • by mybeat (1516477)
        Thanks for pointing that. And yes, English isn't my native language
      • by Sique (173459)
        In English, you can also have sentences where a double negative puts more weight on the negation. ("I haven't seen no negation.")

        Standard-German for instance always interprets a double negative as positive, quite different from some German dialects.

        • by umghhh (965931)
          that confirms my experience in all languages that I know well enough (that would be 3.5) - high language (as high German) tends to be correct logically whereas the low and/or less formal language is allowing for freedom of expression and letting you deduce the meaning of say double negation (by using the context usually). I would even go as far as to claim that if a language is big enough (big enough meaning: number of speakers, universities and literature also scientific etc) it develops into different dia
      • and two positives make it a negative :)

      • If anyone is looking for an even simpler solution, I've package up my own project and open-sourced it. It's called pave, and has few dependencies, just PyYaml and fabric:
        Would love to get more feedback.

    • by XaXXon (202882)


  • by Anonymous Coward still my tool of choice.

  • Since these are all cookie-cutter solutions for a broad range of necessarily very different scenarios, your choice will depend on how well your scenario fits in with the features provided by each product.

    As always, the ideal solution will come from rolling your own, possibly by heavily customising an existing solution - which may include one of these. But you may not have the knowledge or the time to do this, and it might piss off corporate if they would rather something which makes you easily replaceable.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      The odds of successfully rolling your own package management and deployment solution is challenging enough to even talented specialists, and then you expect documentation?

      But sure, that's the ideal solution. I presume the problem starts out, "first, assume a spherical sysadmin in a frictionless environment..."

      • These products merely provide hooks into native package management.

        • by Anonymous Coward

          Completely wrong. That's only single function of a large tasklist that these tools are used for. Anything an administrator could want to do on a server can be automated via these programs. Configuration updates, custom software installation, version controlled code distribution, directory and file permission sanity checks and so on. The list is endless.

          It's *how* these application go about performing these jobs and how complicated it is to write the script / recipe / yaml file to perform the task that is th

          • Context of GP, goddammit. As far as package management, these tools do not provide package managers, merely hooks into native package management.

      • by gbjbaanb (229885)

        If you expect documentation, and probably support too, then you will find a commercial package (eg Landscape []) will fit your needs better than the free equivalents.

        That's not to say the commercial equivalent is better in any way, or necessarily does more, or has better features.. just that they are the ones to go with if you need that level of support.

        Or you could just hire someone to provide you with that support internally, the fat sysadmin that was mentioned :)

        • by aesiamun (862627)

          The reviews were of the Enterprise versions. Puppet and Chef Enterprise is far from free...

    • Re:summary (Score:5, Insightful)

      by CrankyFool (680025) on Friday November 22, 2013 @09:24AM (#45489999)

      I can't possibly disagree with you more.

      When I joined my current company about four years ago, we were running a home-grown configuration management system. When I argued against this with the sysadmin who had built it, he handwaved about "those other, much too complicated, CMSs," and "this one does exactly what we want."

      Only it didn't. It resulted in customers using phrases like "we asked for eight webservers and we got eight webservers all of which were almost exactly alike." Almost.

      I know, I know, we all think we're smart and talented and it's easier for us to simply roll something out than figure out how to adapt Chef, Puppet, etc to our environment. We're wrong. There's tremendous value to using a standardized tool and, honestly, if I have to bet on some random schmoe coming up with a good fullfeatured less-buggy idempotent (etc etc etc) configuration management system or Chef or Puppet being able to do it ... I'll go for the thing that has been out for a while, is supported by a vibrant community, and is used on thousands of servers already. Everything else is just misplaced arrogance.

      • by Bigbutt (65939)

        The problem on my side is we have a lot of legacy gear including Tru64 and old HP-UX 11.0.0 boxes that run critical applications. New systems are being rolled out on virtual systems for non-critical applications. I have a lot of scripts I write but they're for information gathering mostly.

        I've looked at various tools like cfengine when I got here 6 years ago and more recently things like Puppet and Chef but find they aren't really built to solve my problem and many have clients that go on the systems or oth

      • I don't know, people have been doing large scale deployments and management huge groups of servers since forever. Long before puppet was an idea people were deploying thousands of completely identical servers in minutes. It's really not that hard.

        That said, of the four in the review, I'm in favor of salt. I have previously considered chef and puppet and rejected them as not worth my time. There's no "win" over doing it the way it's always been done (by people who actually know something). Salt is diffe

      • Re:summary (Score:5, Insightful)

        by Joining Yet Again (2992179) on Friday November 22, 2013 @10:50AM (#45490793)

        It sounds like either your sysadmin wasn't good enough or you overestimate the capabilities of puppet &co. The only way to get two servers exactly the same is to buy same hardware from the same batches then image the drives.

        My experience with these tools is that they work "well enough", giving you reasonably similar configurations across servers... providing you have fairly routine needs on mainstream platforms. But there are SO MANY niggly differences between platforms and builds that almost all your work is going to go into identifying and accommodating for those differences. For security-conscious deployments, in particular, you want to do nothing less than study each individual platform's quirks.

        A senior sysadmin will have been maintaining automation tools for longer than most of the tools mentioned in this article have existed. The problem is not the guy who has built and maintained a working system, but the upstart who whines that he actually has to learn something new and won't get a new buzzword to put on his CV. If your in-house system isn't 100% perfect, don't use that as an excuse to throw the baby out with the bathwater. If you're building something from scratch, DO evaluate ALL these options, but be prepared to have to consider EVERYTHING they do behind the scenes in order to understand whether they're behaving exactly as you want them to.

        Lastly - and this advice for puppet users in particular - try not to get a hard-on for the word "idempotence". It's not that complex or unique a concept.

  • Another one... (Score:2, Insightful)

    by Anonymous Coward

    When i evaluated this tools i just did one thing:

    Checked job offers that quoted those tools.


    Go for Chef / Puppet, because you will never find people with the other ones skills.

    Between Chef and Puppet, it's pretty much a question of taste / existing skills in your company.

    • Re:Another one... (Score:5, Insightful)

      by Joining Yet Again (2992179) on Friday November 22, 2013 @06:53AM (#45489321)

      Whyyyyyyyyyyyyy are people employed on the basis of skill with specific ephemeral brands.

      You want their brains, not their.. oh never mind. This is why I am out of the software business.

      • by amalcolm (1838434)
        Exactly oh for mod points!
      • by jabberw0k (62554) on Friday November 22, 2013 @07:56AM (#45489533) Homepage Journal

        WANTED: Programmer with 15 years experience Ruby on Rails and 23 years MongoDB experience, to help write $5 million package. Pay: $11/hour, 30 hours/week part time (although we expect you to camp out as we supply pizza and beer). Supply your own equipment. Job to last three months.

        -- That's why I'm running my own shop instead of trying to go thru a recruiter.

        • by swamp boy (151038)

          Don't forget the rock star part.

        • by Joining Yet Again (2992179) on Friday November 22, 2013 @08:56AM (#45489817)

          And it works, because many geeks are antisocial sorts who rather than organising their labour will happily walk over each other just to get that little bit of green. Then, when the race to the bottom has been reached, they'll bitch about everyone else being better treated, rather than stopping to ask why it happened and striving to improve their collective lot.

          Every sufficiently old once secure job is now tenuous or non-existent. What is secure today will be tenuous in a decade's time.

          • Except of course executive, or VP who married the daughter.

          • by tobiasly (524456)

            And it works, because many geeks are antisocial sorts who rather than organising their labour will happily walk over each other just to get that little bit of green. Then, when the race to the bottom has been reached, they'll bitch about everyone else being better treated, rather than stopping to ask why it happened and striving to improve their collective lot.

            Organized labor? Uh no, we're too smart for that. I can't speak for everywhere else but where I live there are plenty of well-paying development jobs and I've never seen the type of behavior you describe among my peers.

            Every sufficiently old once secure job is now tenuous or non-existent. What is secure today will be tenuous in a decade's time.

            Yes, it is a field where you must keep your skills up to date and be willing to switch jobs if market or other conditions dictate. If you stay in one position too long and let your skills stagnate you do run the risk of becoming obsolete.

            • Organized labor? Uh no, we're too smart for that.

              LOL - OK buddy. In the UK, Directors have a union (Institute of Directors), business owners have a union (CBI), farm owners have a union (NFU - which actually comprises a lot of wealthy landowners, explaining the often right-leaning politics), doctors have a union (BMA), university lecturers have a union (UCU)... but you're too smart for that because you DO COMPUTERS. Carry on with that rat race!

              I can't speak for everywhere else but where I live there are plenty of well-paying development jobs

              Oh, that's all right then. And there were plenty in 1999, too.

              and I've never seen the type of behavior you describe among my peers.

              Then you work with your eyes closed. That sort of b

        • You forgot; "Include on portfolio or website a complete implementation of the latest cool thing I saw in a magazine on an airplane."

          Most of the jobs I've seen that are still open are either; "We are just trolling to get personal information" or "Seriously, we do absolutely nothing at this company and figured the WHOLE PACKAGE would just drop in and take care of making a product for us. However we do have HR department to tell you not to make any jokes during work hours and a company email which will send yo

      • by goddidit (988396)

        Whyyyyyyyyyyyyy are people employed on the basis of skill with specific ephemeral brands.

        You want their brains, not their.. oh never mind. This is why I am out of the software business.

        Measuring brains is hard. For example, phrenology gives only a crude estimate.

        • You are right that phrenology, IQ tests, generic aptitude tests, etc. are inappropriate measures of ability.

          But actually taking time to look at what went into fulfillling particular qualifications, experience, hobbies is relevant and very possible. Relevant technical interviews which test general engineering skills and probationary periods are also valuable.

        • by pioneerX (830117)
          The ancient Egyptians extracted the brain through the nose and stuffed it into a jar. If the industry came up with standardized canopic vessels you could include them with your application.
      • Re:Another one... (Score:4, Insightful)

        by Thanshin (1188877) on Friday November 22, 2013 @08:54AM (#45489805)

        Because some people are ephemeral too.

        If I want to hire someone I'll be firing in a year, I couldn't care less about his skills other than exactly what I want him to do during that year.

        • I wouldn't describe "number of years you've dablled in [package]" as a skill. I've dabbled in loads of things for 20+ years, but it says very little about my skill with them. What is more, anyone who sees "10+ years experience with [package]" is going to edit their CV to emphasise their experience with [package].

          OTOH, I am quite competent with tools I've spent far less time with, because I've had to apply my skills to producing clever shit.

        • I'd argue if you're hiring just to fire someone in a year -- and you know this in advance -- you're doing it wrong.

    • Go for Chef / Puppet, because you will never find people with the other ones skills.

      My workplace uses Salt. Just saying.

      • by gbjbaanb (229885)

        that's because they don't want you to learn the transferable skills that make you attractive to other employers. Just saying :)

        • Actually, you couldn't be further from the truth! :)

          Salt was my recommendation based on an evaluation of the options at the time. It was selected as the best fit for the company requirements, yes, not for my own personal benefit. I'm sure that other professionals would do the same.

          If there aren't currently many job advertisements for people with Salt experience, I can only imagine that it's because the technology is still relatively new so hasn't been a configuration management candidate at many companies u

          • by Lennie (16154)

            I would think someone with Python programming skills and experience with Puppet/Chef should be able to use Ansible or Salt just fine.

    • by higuita (129722)

      Go for Chef / Puppet, because you will never find people with the other ones skills.

      you know, skills are learned, not born with.... you people with a little brain and dedication will learn whatever skill its needed

    • You know, it's funny. I manage a software development team that uses Scala to build a pretty big distributed system.

      Nobody on this team knew Scala when the team decided it wanted to use Scala to build this product. We still don't actually prioritize Scala as a skillset for developers we look to hire.

      It turns out that smart, experienced, people tend to be able to learn whatever particularities of whatever your choice of product pretty reasonably quickly. It's hard enough to find good developers, so we foc

  • by Anonymous Coward

    This guy just doesn't have what it takes to provide usefulness or utility in his columns. In fact, he's probably responsible for more than a little corporate stupidity, thanks to CIOs blithely following his "advice".

    • by Anonymous Coward
      I have to agree. This is a very poor "comparison" which doesn't appear to compare anything, and is downright incorrect and misleading in places. He doesn't appear to have made any actual effort to use any of the tools, so his "comparison" is based on what he read on their websites (and possibly, peoples blogs).

      He misses more than he covers. He doesn't even mention the various convergence models; for example, Puppet has no implicit dependencies between actions, so you can't rely on it running the same acti
      • by Lennie (16154)

        There were links in the article to articles about the individual products behind a paywall, I would assume they are more detailed.

        • by eschasi (252157)
          Not an actual paywall, they only ask for your email address. Not even a password. This strikes me as a fine way to subscribe strangers to mailing lists, sigh.
  • by Anonymous Coward

    What about security? Like Salt with its "homemade cryptography"

  • by Anonymous Coward

    I've recently been playing around with cdist, which is another configuration management framework.

    Configuration is done via shell (sh) scripts instead of XML or some other wacky language. I liked this flexibility. Of course, flexibility comes at the expense of simplicity: the base feature set is small so you end up having to write a lot of code, and the shell scripts you end up writing are really ugly because you have to use their weird constructs. Still, it was pretty easy to learn.

    The requirements are rea

  • by FatLittleMonkey (1341387) on Friday November 22, 2013 @07:31AM (#45489439)

    Article did not contain the review I expected. Would not read again. 0 stars.

  • Advanced Puppet (Score:3, Interesting)

    by purpleidea (956832) on Friday November 22, 2013 @07:40AM (#45489465) Homepage

    I prefer Puppet, but I don't think it's perfect. As a result, I've written some complicated hacks do to complicated things that aren't directly possible in core. I still think Puppet is the closest thing to being right.

    Feel free to look through my articles and hacks: []
    Most code available at: []

  • unfamiliar with all so i did some quick research. Ansible least transparent Chef not bad, it comes down to Puppet Vs. Salt. Had to search Saltstack for information on google to find a result for Salt. i believe most would go with Salt and that seams to be the case, minimal intelligence required. Puppet is very intriguing simply because it requires a higher level of intelligence. Salt offered a tutorial but Puppet offers a direct line of communication to solve problems. in my 15 min. search i would choose P
    • by ruir (2709173) on Friday November 22, 2013 @08:58AM (#45489835)
      I chose Ansible because it goes in line with my minimalist configuration policy, it works via ssh and doesnt need an agent. Puppet or Chef are very interesting, but use a lot of resources.
      • One reason to prefer Puppet over Ansible is that Puppet tries to add a declarative language layer. This (hopefully) lets you reason at a higher level about the configuration. Ansible is just fancy SSH. In some cases Ansible can be quite useful. But I think we're comparing apples to flamethrowers.

        • by Lennie (16154)

          Salt and Ansible both support/use Yaml as a template language as a declarative language.

          • I don't know enough about Salt, but from what I know about Ansible, they don't separate the execution of the declarative language between server and client the way Puppet does. IMHO, this is a clever separation.

            Then Puppet adds in exported resources and other magic.

        • Yeah, I love puppet's JSON interface which is royally fucked up because if you write legal JSON, then puppet doesn't work. You have to use their fucked up version of JSON. I know they have a Ruby interface now too but it wouldn't surprise me if they fucked that up as well. Seriously, how do you fuck up JSON?!?!

          • I'm not sure if you're serious or trolling, but you're not supposed to "write json".

            You write in the Puppet DSL and/or Ruby. Puppet does the rest.

      • by Lennie (16154)

        Ansible and Salt are very similar. Both are written (mostly) in Python.

        What Ansible already had (yaml templates and agent-less/ssh), Salt now also supports (Salt supports multiple templates languages with Yaml as the default I believe).

        What Salt has (zmq transport), Ansible now supports (fireball mode).

    • unfamiliar with all so i did some quick research. Ansible least transparent Chef not bad, it comes down to Puppet Vs. Salt.

      You're seriously presenting your quick google search and no actual knowledge of these products as something we should pay attention to? And your criteria for a deployment system is that they have online support??!?!? Are you even in the market for these products, have you ever used one, and do you know what they do?

      I've used Ansible and it's pretty good, really straightforward, plenty o

  • Ansible lol... (Score:5, Interesting)

    by Notabadguy (961343) on Friday November 22, 2013 @08:37AM (#45489709)

    Am I the only one who saw Ansible in the article and was expecting a discussion about FTL communications?

  • by nimbius (983462) on Friday November 22, 2013 @08:59AM (#45489843) Homepage
    imagine a room full of angry hitmen.
    Puppet: plans to beat you to death, but when his arm gets tired he cant switch to the other arm. instead he grabs a box of markers and proceeds to write an angry letter on your face.
    Chef: is competent enough to kill you in your sleep, knows everything about you and can even draft random passerby for practice. Shes spending the next 2 months assembling a rifle for each possible scenario she may find you in, and redefining some of the most effective murder/homicides in history so they work just for you.
    Ansible: A nice killer in a business suit that will probably smother you and dispose of your corpse in an entirely predictable way. The 'Murder She Wrote' of configuration management, she'll win an oscar once you're dead.
    Salt:as of this writing, salt last killed 54 days ago and currently stands as the less-than-well-known of your potential murderers. Salt has pretty good ideas on how you should die...its just puppet has been maiming folks for way longer and chef's gotten so popular that people cant walk through the streets without hearing someone gloat about how wonderfully she kills. Salt has a manifesto and a pretty sizeable arsenal...someone just needs to send a contract over, or a phonecall, or whatever it is chef does when she gets to murder folks.
    • Good people go to bed earlier.

      Lately I've started going to bed about 4 in the morning. (Severed.) Assuming you go to bed about 9 or 10 at night, that must means I'm MUCH gooder than you.

      Great comparison, BTW.

  • by Pav (4298) on Friday November 22, 2013 @09:35AM (#45490055)

    This stuff is overdue in smaller shops - stay with me on this for a second. The smaller guys need to become more efficient and secure, and automation really helps. Potentially the small end could benefit MORE from automation than the big guys already have - automation is a much more disciplined and useful form of sharing information. Docs are often incorrect or incomplete - automation imposes discipline, and also allows the author to benefit from the end result. Time savings for everyone are often huge.

    I'm regularly on #fusiondirectory on FreeNode (IRC) along with a few others who are working towards this kind of thing (using the Munich software as a base). Anyone else wanting to join us is welcome.

  • rhel-only shop, I've had good luck just packaging my own stuff and using yum with my own repositories. Then keeping each server up to date is a simple matter of 'yum clean all & yum groupupdate whatevergroups'

  • by gozar (39392) on Friday November 22, 2013 @12:46PM (#45492121) Homepage
    Puppet can also run with out a server. You can clone your puppet repo and simply run "puppet apply main manifest.pp" The server gives you more control over what the machine receives, so each machine wouldn't have access to items such as ssh keys or user info that doesn't pertain to the machine.
  • Architecturally, Salt is based on a Pub/Sub message queue (they use ZeroMQ to build it) - this allows the master node to send commands to a large number of minion nodes with very little overhead. It is also pretty easy to hook into the message queue on either master or minion nodes, so you can use it to send custom "event" messages along the queue (with authentication and all the fixin's) which can be used to trigger commands or configuration changes, or to hook into external systems.

    I am using this t
  • Puppet, Chef, yadda yadda - the REAL action is in the META tools for automating all the Puppet and Chef etc. systems worldwide. PuppetMaster (pulls all the Puppet's strings), GordonRamsey (yells at all the Chefs out there). Let's not kid ourselves, THAT'S where Skynet is going to emerge.
  • Haven't evaluated in over a year, but a stark finding from that timeframe was that making Puppet or Chef handle Windows was a force-fit, at the very least, and pretty crude. Have things advanced? How well do any of these solutions manage the byzantine complexity that is Windows CM?
  • The only reason to choose Puppet over Chef is if you are a sysadmin who can't program. Choose Salt if you prefer Python over Ruby.

Nothing is easier than to denounce the evildoer; nothing is more difficult than to understand him. - Fyodor Dostoevski