Finding the grain of sand in a heap of Salt

https://blog.cloudflare.com/finding-the-grain-of-sand-in-a-heap-of-salt/

32•privacyops•2mo ago

Comments

gorgoiler•2mo ago

Theirs is certainly an impressive environment and I don’t mean to do Cloudflare’s achievements a disservice, but I strongly encourage engineers building these kinds of systems to treat their infrastructure as actual code, and avoid the temptation to dip in and out of wire text formats like JSON or YAML as much as possible.

The worst case scenario, in terms of engineering, is one piece of Python using Jinja templated YAML only for another piece of Python also written by you! to parse that output. Every time this happens it proves to be — as the article points out — a seized opportunity to get caught out by syntax errors, and a missed opportunity to have static analysis find errors (mypy et al., basically) before they happen at runtime, should all the logic had been done in pure Python without dipping in and out of structured text.

In the Cloudflare system the fundamental unit of action is configuration driving Python functions through gitops. My preferred version of these systems is pure python at the top emitting execve() calls, sh-scripts, and file writing over ssh or local transports, or in Dockerfiles, possibly with very small sh functions on the far side, but kept minimal in size and scope and with everything being purely declarative.

(It’s certainly an anti-pattern to return data back from the host to decide what to do next. The Python end is only allowed to declare that a package be installed, and the rest of the system ensures that is the case. People think this is limiting but the majority of these configuration systems, in my experience, hinge on 90% data structures to declare how the system out to be — IPAM arithmetic, building config files from lists of domains and accounts, processing key material etc. — and only 10% is the logic to install things much of which is very simple given a good base OS like Debian where many packages split their config into .d directories with helper scripts to enable things.)

PS: I wonder if the authors have had experience with Ansible? It was my own experience with that tool’s slowness and inflexibility that prompted a lot of my opinion forming in this area. Lots of good ideas have been borne of having first been exposed to Ansible and, alas, coming up against its limits.

skywhopper•2mo ago

Ansible is only slow when run in a remote-push based fashion. As a local config management solution, it can be quite fast. Ultimately, any push-based CM solution will be slow and failure-prone in the end.

bigstrat2003•2mo ago

I think it's fair to consider remote push-based as the "default" Ansible setup against which one measures. In my experience, the #1 talking point people use to praise Ansible is that you don't need to install anything locally, just remotely push configs over ssh. Therefore, it seems fair to consider that the typical Ansible setup. Maybe the community has pivoted, but in the past at least that was my experience.

ytoawwhra92•2mo ago

IME you end up in roughly the same place regardless of which direction you go.

nextaccountic•2mo ago

So, Pulumi?

Someone•2mo ago

Dissolve the whole heap in water? Or should I read the article to learn this isn’t a physics question ;-) ?

kragen•2mo ago

Yeah, I think that's the right answer. Dissolve it in water and run it through a smallish filter. Other impurities in the salt can clog the filter sometimes.

defrost•2mo ago

So close, it was in fact a philosophy question ..

https://plato.stanford.edu/entries/sorites-paradox/

"How many grains of sand change a heap of salt into a pile of manure"

NooneAtAll3•2mo ago

...none? manure requires organic material

cwmoore•2mo ago

Yes, none is correctly wrong.

skywhopper•2mo ago

Having worked with Salt and Ansible and Puppet extensively, there really is no good argument to be made for the sort of push architecture the article here is struggling with. At one large SaaS company I worked for, we replaced a mix of push-based Ansible, Salt, and Puppet with a fully pull-based Ansible system that solved most of the problems of these centrally-controlled push-based systems. It was lightning-fast and far easier to manage at a growing scale.

The fact that Cloudflare sysadmins were desperately chasing Salt logs between minions and masters in recent memory is a shocking failure of imagination (or investment) on their part.

bigiain•2mo ago

Do you have any good references/example/docs/keywords about the difference between setting up and running "a fully pull-based Ansible system" compared to "centrally-controlled push-based systems"? I'm fairly certain I'm doing what you'd call "centrally-controlled push-based Ansible", but I'm in the planning stages of formalising and operationalising our ongoing configuration management policies, SOPs, internal docs, and dev training - I'd love to know just how I'm "doing it wrong"...

(Note: we are not even in the same universe as Cloudflare, fleet size wise. Think perhaps a few dozen hosts, not thousands or tens of thousands. We've only just barely embraced the "cattle, not pets" stage here.)

mianos•2mo ago

I never had ansible scale through more than 100 servers. Its design assumes things will mostly work. Above a few hundred servers, things will fail all day every day. Whereas I have seen salt easily manage 6000+ servers.

OpenClaw Creator: Why 80% of Apps Will Disappear

What Happens When Technical Debt Vanishes?

AI Is Finally Eating Software's Total Market: Here's What's Next

Computer Science from the Bottom Up

Show HN: I built a toy compiler as a young dev

You don't need Mac mini to run OpenClaw

Learning to Reason in 13 Parameters

Convergent Discovery of Critical Phenomena Mathematics Across Disciplines

Ask HN: Will GPU and RAM prices ever go down?

From hunger to luxury: The story behind the most expensive rice (2025)

Substack makes money from hosting Nazi newsletters

A New Crypto Winter Is Here and Even the Biggest Bulls Aren't Certain Why

Moltbook was peak AI theater

Why Claude Cowork is a math problem Indian IT can't solve

Show HN: Built an space travel calculator with vanilla JavaScript v2

Why a 175-Year-Old Glassmaker Is Suddenly an AI Superstar

Micro-Front Ends in 2026: Architecture Win or Enterprise Tax?

These White-Collar Workers Actually Made the Switch to a Trade

The Wonder Drug That's Plaguing Sports

Show HN: Which chef knife steels are good? Data from 540 Reddit tread

Federated Credential Management (FedCM)

Token-to-Credit Conversion: Avoiding Floating-Point Errors in AI Billing Systems

The Story of Heroku (2022)

Obey the Testing Goat

Claude Opus 4.6 extends LLM pareto frontier

Brute Force Colors (2022)

Google Translate apparently vulnerable to prompt injection

(Bsky thread) "This turns the maintainer into an unwitting vibe coder"

Software development is undergoing a Renaissance in front of our eyes

Can you beat ensloppification? I made a quiz for Wikipedia's Signs of AI Writing