Friday 11th April 2025
Sydney, Australia

This post has been a long time coming, as I have tried to write it several different ways. I need to thank Justin Warren and John Martin for their input into this topic, and for introducing me to Promise Theory.

Many products boast an API interface, typically REST based, yet in my experience these interfaces see little use in the corporate world. Even with a configuration API you still need to specify the changes needed to move from the current state to the desired state.

For those who are more mathematically inclined,
State(new) = State(old) + Change(x) + …

What I have seen instead is more tools featuring policy-based configuration: as Lauren Malhoit recently said about Cisco ACI on the In tech we trust podcast, declarative rather than imperative configuration.

In other words, you tell the system what you want the end state to be, and it works out how to configure the hardware to make it happen (“make it so”).

Mathematically, you define State(new), and leave it to software to work out the specific configuration changes.  You don’t need to know what those changes are.

Change(x) = State(new) – State(old)

Your configuration is much closer to a design specification. In a network you might say: my web servers must be able to receive incoming connections from the load balancer on port ‘http’, and connect outbound to the DB on ‘mysql’. This policy remains unchanged as servers are added or removed, the network topology changes, or new policies are added that reference different servers. At the network device level the port and ACL configuration changes, but the configuration as specified by a human remains unchanged.

This is where the mathematical beauty lies. State(new) remains unchanged. In the event that there is a Change(y) that is not caused by a policy change (a device fails, a new server is created, etc.), the policy engine calculates, without human intervention, a Change(y’) such that

State(new) = State(new) + Change(y) + Change(y’)
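Here is an added example (my own code, not Cisco’s or that of any tool named in this post) of the reconciliation the formulas above describe: a toy policy engine in Python that renders a role-level policy over a hypothetical inventory, computes Change(y’) as a set difference, and emits the imperative commands a human would otherwise have to write. The roles, host names and command syntax are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One concrete allow rule on a device: src host -> dst host on a named port."""
    src: str
    dst: str
    port: str

# Hypothetical role-level policy, written the way a human would state it:
# (source role, destination role, port). It never mentions individual hosts.
POLICY = [("lb", "web", "http"), ("web", "db", "mysql")]

def render(policy, inventory):
    """Expand the policy over the current inventory into State(new): the
    full set of concrete rules that must exist right now."""
    desired = set()
    for src_role, dst_role, port in policy:
        for s in inventory.get(src_role, ()):
            for d in inventory.get(dst_role, ()):
                desired.add(Rule(s, d, port))
    return desired

def diff(current, desired):
    """Change(x) = State(new) - State(old), split into adds and removals."""
    return desired - current, current - desired

def reconcile(current, policy, inventory):
    """Compute Change(y') for whatever drift Change(y) has occurred, apply it,
    and return (resulting state, rules added, rules removed)."""
    add, remove = diff(current, render(policy, inventory))
    return (current | add) - remove, add, remove

def to_commands(add, remove):
    """The imperative change set the engine would push to a device (constructed,
    vendor-neutral syntax standing in for real CLI commands)."""
    return (sorted(f"permit {r.src} {r.dst} {r.port}" for r in add)
            + sorted(f"no permit {r.src} {r.dst} {r.port}" for r in remove))

if __name__ == "__main__":
    # Constructed sample inventory.
    inventory = {"lb": {"lb1"}, "web": {"web1", "web2"}, "db": {"db1"}}
    state, add, remove = reconcile(set(), POLICY, inventory)
    print("initial:", to_commands(add, remove))
    # Change(y): a web server is added and a rule appears that no policy asked for.
    inventory["web"].add("web3")
    state.add(Rule("web1", "db1", "ssh"))
    state, add, remove = reconcile(state, POLICY, inventory)
    print("after drift:", to_commands(add, remove))
```

Note that the hand-added ‘ssh’ rule is removed on the next pass without anyone having to notice it: a reconciling engine is also a drift detector, and the removal list is worth logging as an audit signal.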

This doesn’t technically require special hardware. In theory there is nothing stopping a policy engine logging into a switch via the CLI and issuing the commands to configure the switch.

Cisco ACI is hardly unique; indeed, the network model of most IaaS products is very similar. In the compute area there are also AWS CloudFormation, PowerShell DSC, and configuration tools such as Puppet and Chef.
