Following up from my post about Ansible, I decided to look into SaltStack.
SaltStack looks like one of the more promising tools to appear recently on the system management landscape.
Its primary features are:
- Remote method invocation with result caching (supporting asynchronous jobs)
- "Broadcast" command execution (pub/sub with ZeroMQ) with filters
- Secure data/config-snippet distribution
- State management à la Puppet/Chef
This is an impressive set of features for a single solution, but there are some areas of concern:
- It's still under heavy development and some breakages in the latest (0.17) release suggest that their testing isn't yet up to par.
- Some non-core components lack documentation and tests (e.g. halite, a web frontend)
- Architectural documentation is severely lacking. Before I deploy this in a production environment, I want to know exactly what it's doing and what the implications of my decisions are. A few pretty diagrams aren't a substitute for real docs.
- As a new open source product, support is lacking. Simple questions get answered on IRC, but hard ones get blank stares.
- The primary developer seems to be a bottleneck and a risk - many questions and decisions get deferred to him because he seems to be the only one who understands it. If he got hit by a bus, the project would be in jeopardy.
Some specific technical issues appear to be:
- Broadcast commands are filtered only on the client side: every minion can read every broadcast command and decides for itself whether it matches the filter, so information leakage is possible. (https://github.com/saltstack/salt/issues/7669)
- There's too much trust that the minions (clients) will do the right thing. When it comes to security, some things should be enforced server-side. (https://github.com/saltstack/salt/issues/7556)
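To make the first issue concrete, here is an added example (a simplified model, not Salt's code and not part of the original post) that compares which minions can read a broadcast payload when the filter runs on the minion versus when the master resolves the target before delivery. The class, function names, minion IDs and payload are all constructed for illustration.

```python
"""Simplified model of broadcast targeting; illustrative only, not Salt's code."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Minion:
    minion_id: str
    seen: list = field(default_factory=list)      # every payload delivered here
    executed: list = field(default_factory=list)  # payloads this minion chose to run

    def receive(self, target_glob, payload):
        self.seen.append(payload)                  # readable before any filter runs
        if fnmatch(self.minion_id, target_glob):   # filter evaluated by the minion
            self.executed.append(payload)


def publish_client_filtered(minions, target_glob, payload):
    """Master broadcasts to everyone; each minion decides whether it matches."""
    for m in minions:
        m.receive(target_glob, payload)


def publish_server_filtered(minions, target_glob, payload):
    """Master resolves the target first and delivers only to matching minions."""
    for m in minions:
        if fnmatch(m.minion_id, target_glob):
            m.receive(target_glob, payload)


def exposure(minions, payload):
    """Return (IDs that could read the payload, IDs that ran it)."""
    readers = sorted(m.minion_id for m in minions if payload in m.seen)
    runners = sorted(m.minion_id for m in minions if payload in m.executed)
    return readers, runners


def compare(target_glob, payload):
    """Run both delivery models over the same constructed fleet."""
    ids = ("db-01", "db-02", "web-01", "kiosk-07")  # constructed sample IDs
    a, b = [Minion(i) for i in ids], [Minion(i) for i in ids]
    publish_client_filtered(a, target_glob, payload)
    publish_server_filtered(b, target_glob, payload)
    return exposure(a, payload), exposure(b, payload)


if __name__ == "__main__":
    client, server = compare("db-*", "set-config key=CONSTRUCTED_VALUE")
    print("client-side filter: readers=%s runners=%s" % client)
    print("server-side filter: readers=%s runners=%s" % server)
```

In the client-filtered model the set of readers is the whole fleet even though only the `db-*` minions run the command, which is the gap between "who executes" and "who can see" that the issue describes.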
I hold out hope that these issues will be addressed. In the meantime, I won't be recommending it as a general purpose solution for a large organisation.