also sprach Antoine Pitrou <
soli...@pitrou.net> [2013.06.26.1226 +0200]:
Argh, such a shame that I need JavaScript and other juice just to
read a blog post, but so be it.
I am going to leave these comments there too.
Overall, I agree with the article, and I had much the same
enthusiasm about Ansible. I still think it's a pretty good system,
but the project leader is a showstopper for me, as I cannot be sure
what's going to be next. Being prevented from interacting with the
community "because I don't make this a happy place" means I won't
invest any time into this Free Software project. In fact, while Salt
and Ansible both have companies behind them, I have the feeling that
Ansible is a lot less about Free Software than Salt. Make of that
what you will, but I don't want to rely on a software whose author
made it clear to me that he's neither open to suggestions, nor open
to alternative uses of his tool.
I disagree that Salt having a lot of dependencies is a downside.
First, it's just a couple of Python libraries that are quickly
installed and hardly do any harm. Second, and more importantly, this
means that Salt doesn't need to transfer anything other than control
data over the network. Ansible, on the other hand, always assembles
a module and sends that over the link, then executes it (and
actually uses three shell invocations, where only one is needed). It
does that for every single task, one after the other, and I found
this to majorly slow things down. The enforcement of a TTY for every
single connection also doesn't help things and deprives all modules
of stderr.
Furthermore, the way this is done is just horrific: the module is
loaded as a string, then manipulated with string-replace functions
(e.g. the logging facility is done by replacing "syslog.USER" with
whatever is in the configuration file) and this makes for very big
surprises during debugging.
Overall, I was also not impressed with Ansible's code quality.
There's a bunch of plain mistakes (like a select loop that's wrong),
yet the author has no interest in accepting patches to fix that, as
he sees no problem with it. Also, there's a really complex callback
system in place, which is at first a nice sight. However, trying to
understand the system is neigh impossible, and getting it to do
things like limiting the console output by removing expected results
just wasn't possible.
You can take a peak at some of the pull requests I sent, including
Michael's comments:
https://github.com/ansible/ansible/pulls/madduck
I agree that the use of SSH is nice, and I wish Salt wouldn't have
gone with the less mature 0mq project, having to add its own
encryption layer (which I think it does suboptimally, working way
more than necessary, actually).
On the other hand, push-mode with Ansible doesn't really make well
for team-maintenance, and while there is a pull-mode, it's not
really trivial to set up, especially not if your inventory comes
from an external source.
As for maintenance, I also agree that Salt have to do a better job
at stable releases and changelogs, but I disagree that Ansible is
without fault. The recent 1.2 release added a lot of features that
felt immature and unnecessary. For instance, Jinja2-templating was
added to all variables, which means that everything is now a string
and cannot be casted back easily.
Speaking of Jinja2: I hate it because we are not writing
HTML for super-secure web applications. Salt lets you use other
renderers, like Mako, which are much more suited for sysadmin work.
It's true that Ansible's break with the traditional requirements
ordering of tasks is a refreshing novelty, and being able to name
everything is nice, although cosmetic. The notification/handler
system isn't really different from Salt's. And I am sure Salt could
be extended to allow for deterministic ordering. Anyway, it's hardly
difficult to maintain dependencies and let the ordering be
indeterminate. Just don't use requisite_in and keep to requisite…
Ansible centres around Playbooks, which you play over your
infrastructure. That's great for making infrastructure-wide changes,
but it's not really suitable to keeping your infrastructure aligned.
Here, salt-call invoked from Cron every 3 hours is a much better
approach.
So, in conclusion, I think Ansible has some good concepts, but it's
not worth adopting. Instead, I think Salt can borrow and integrate
some of the concepts, and hopefully address some of the other issues
that I pointed out a while ago:
http://madduck.net/blog/2013.02.01:a-botnet-for-configuration-management/
and then there won't be much of a question anymore as to what's
better.
That shall be all for now. I'll write again if I remember something
I forgot.
the uncertainty principle:
you can never be sure how many
beers you had last night.
spamtraps:
madduc...@madduck.net