Updated on July 3, 2017 by UpGuard
While most people think of Puppet and Chef when they think about configuration management tools, other alternatives exist. One notable example is CFEngine. In this post, we'll compare Puppet to this older and more established configuration management tool.
CFEngine is significantly older than Puppet or Chef, dating back to 1993. It was created by Mark Burgess and, like Puppet, started out as an open-source configuration management tool rather than an enterprise product; it was commercialized in 2008, when CFEngine AS was founded. CFEngine has been described as the grandfather of configuration management tools.
So how do CFEngine and Puppet differ from one another?
Complexity and Power
While Puppet is heralded as the more "Ops-friendly" tool, thanks to its model-driven approach and relatively gentle learning curve, CFEngine sits more on the "Dev-friendly" side of the spectrum.
In contrast to the Ruby-based Puppet, CFEngine is written in C. This gives the CFEngine agent a dramatically smaller memory footprint, faster execution and far fewer dependencies. For configuration, CFEngine uses its own declarative language in which policy is written as "promises": statements about the state a host should converge to. Puppet uses its own declarative DSL, implemented in Ruby, to write manifests; because its syntax is Ruby-like and its extension points (custom types, providers and functions) are written in Ruby, those with some Ruby experience may find themselves in more familiar territory with Puppet.
One of the main complaints about CFEngine is its steep learning curve. Puppet's model-driven approach means a gentler one, which makes it the preferred option for sysadmins with limited coding experience. The model also takes on much of the responsibility for dependency management: Puppet builds a graph of resources from the relationships declared in the manifest (require, before, notify, subscribe) and from automatic relationships between related resource types, and then applies the resources in that order. Some argue this can produce unexpected behaviour (for example, resources with no declared relationship were historically applied in an order unrelated to their position in the manifest) and that it has its limits.
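To make the model-driven approach concrete, here is a Puppet manifest that enforces a hardened sshd baseline and leans on Puppet's dependency management to order the work. It is an added example written for this page, not code from the UpGuard post, from Puppet or from CFEngine. It assumes a Debian/Ubuntu-style host (package "openssh-server", service "ssh", sftp-server under /usr/lib/openssh); the package and service names are assumptions and differ on other platforms.

```puppet
# Added example (not from the post, Puppet or CFEngine): a hardened sshd
# baseline expressed as Puppet resources. Assumed Debian/Ubuntu names:
# package 'openssh-server', service 'ssh', sftp-server in /usr/lib/openssh.
# On RHEL-family hosts the service is 'sshd' and the sftp path differs.

# Heredoc without interpolation; the '|' marks the indentation to strip.
$sshd_config = @(SSHD)
  # Managed by Puppet: local edits are reverted on the next agent run
  Port 22
  PermitRootLogin no
  PasswordAuthentication no
  PubkeyAuthentication yes
  ChallengeResponseAuthentication no
  X11Forwarding no
  MaxAuthTries 3
  LoginGraceTime 30
  Subsystem sftp /usr/lib/openssh/sftp-server
  | SSHD

package { 'openssh-server':
  ensure => installed,
}

# Ordering comes from the declared relationships, not from line order:
#  - require: the file is only managed once the package is installed
#  - validate_cmd: the new content is syntax-checked by sshd before it
#    replaces the live file ('%' is substituted with the temp file path),
#    so a broken config never reaches disk
#  - notify: the service is restarted only when the content changes
file { '/etc/ssh/sshd_config':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  mode         => '0600',
  content      => $sshd_config,
  validate_cmd => '/usr/sbin/sshd -t -f %',
  require      => Package['openssh-server'],
  notify       => Service['ssh'],
}

service { 'ssh':
  ensure => running,
  enable => true,
}
```

Apply it locally with `puppet apply sshd.pp` (or `--noop` first to see the planned changes). One caveat a practitioner would want: because the baseline disables password and root logins, make sure the administrators' authorized_keys are already in place (for instance managed by a resource that the file above requires) before rolling it out, or the first agent run locks you out. The CFEngine equivalent is a bundle with a "files:" promise on the same path carrying perms and edit_line bodies, with a class set on change that a "services:" or "commands:" promise uses to restart sshd; the ordering and restart logic that Puppet derives from the resource graph is something the CFEngine policy author spells out.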
Puppet's edge here is its resource abstraction layer: types such as package, service and user hide OS-specific differences (package manager, init system) behind providers, whereas CFEngine policy typically handles those differences explicitly, using classes such as redhat or debian. In general, both Puppet and CFEngine offer broad cross-platform support, and both vendors publish platform-support documentation with in-depth information on specific OS options.
Puppet and CFEngine both have strong user communities, as both are mature tools. CFEngine also has a strong international presence: the company is headquartered in Oslo, with several US offices as well.
CFEngine's site claims its software currently manages more than 10 million nodes. Puppet is less specific about how many servers its software runs on, but it has an impressive list of customers.
Both Puppet and CFEngine have moved past early missteps (or lack of focus) on the documentation front, and both now maintain online reference documentation.
Whatever your choice, it is always wise to consult third-party reference material as well, to get a full appreciation of the power and nuances of each tool.
Naturally, given its open-source origins, CFEngine (like Puppet) has a free open-source version. Puppet Enterprise provides 10 free nodes and then charges $99 per node per year (with bulk discounts available). CFEngine's pricing beyond its 25 free nodes is unspecified: you have to contact a sales representative, and the company offers "promotional pricing" based on a client's particular needs.
One benefit of CFEngine's pricing model appears to be that it is more customizable to a company's specific needs. CFEngine also offers significantly more free nodes than Puppet does.
At a high level: if coding and complexity don't scare you, if a small agent footprint and speed matter, and if you will take control and scale over simplicity, then CFEngine may be for you. If smoother onboarding and a simpler model-driven approach are more attractive, then Puppet may well be for you. As always, both tools can be trialled at no cost, so if you have the time, choose a representative (if modest) configuration to automate with each, and compare and contrast. Nothing beats hands-on experience.
*Note: information in this post was updated for accuracy on 3/19/2015.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks but from internal misconfiguration of the affected IT systems.