Cfengine vs Puppet for Policy Management

I’m always on the lookout for tools that will help me babysit servers and was delighted to find this well-written article comparing Cfengine and Puppet.

From the article:

Cfengine is a great way to scale common administrative practices — you can move from using SSH and a for loop to using Cfengine pretty smoothly. However, there is just as much complexity present in either form. You still have to handle file contents, and you still have to manage operating system differences yourself — you have to know whether it’s useradd or adduser, whether it’s init or Sun’s SMF, and what the format of the filesystem tab is.

One of Puppet’s primary innovations is a resource abstraction layer, so that you do not have to know those details. You can speak in terms of resources like users, services, or filesystems, and Puppet will translate them to the appropriate commands on each system. Puppet administrators are free to focus on the complexity of their configurations, rather than being forced to also handle that complexity plus the complexity of the differences between the operating systems.

Puppet’s development was heavily influenced by the many external modules that Luke Kanies wrote for cfengine, each module managing a separate resource like users, packages, or cron jobs, and one of Puppet’s primary goals was to be able to make it easy to expand the number of resource types it can manage.