Comparison: Configuration Management¶
Category: Infrastructure as Code Last meaningful update consideration: 2026-03 Verdict (opinionated): Ansible unless you need continuous convergence on long-lived servers (then Puppet). Chef and Salt are declining. For immutable infrastructure with containers, you may not need config management at all.
Quick Decision Matrix¶
| Factor | Ansible | Chef | Puppet | Salt |
|---|---|---|---|---|
| Learning curve | Low (YAML + SSH) | High (Ruby DSL) | Medium-High (Puppet DSL) | Medium (YAML + Python) |
| Operational overhead | None (agentless) | High (Chef Server/Infra) | High (Puppet Server) | Medium (Salt Master) |
| Cost at small scale | Free | Free (OSS) / Paid (Automate) | Free (OSS) / Paid (PE) | Free |
| Cost at large scale | Free + ops time | Expensive (commercial) | Expensive (PE licensing) | Free + ops time |
| Community/ecosystem | Massive | Declining | Declining | Small |
| Hiring | Easy | Difficult (niche, declining) | Difficult (declining) | Very difficult |
| Architecture | Agentless (SSH push) | Agent + Server (pull) | Agent + Server (pull) | Agent + Master (push/pull) |
| Idempotency | Module-dependent | Built-in (converge model) | Built-in (catalog model) | Module-dependent |
| Language | YAML (playbooks) | Ruby (recipes/cookbooks) | Puppet DSL (manifests) | YAML (states) + Jinja |
| Testing | Molecule, ansible-lint | ChefSpec, InSpec, Test Kitchen | rspec-puppet, Puppet Litmus | pytest-salt |
| Windows support | Good (WinRM) | Good | Good | Good |
| Cloud provisioning | Modules for AWS/GCP/Azure | Limited | Limited | Cloud modules |
| Speed at scale | Slower (SSH per host) | Fast (agent pull) | Fast (agent pull) | Fast (ZeroMQ) |
When to Pick Each¶
Pick Ansible when:¶
- You want the lowest barrier to entry — SSH-based, agentless, YAML playbooks
- You need a tool for both configuration management and orchestration (ad-hoc tasks, deployments)
- Your team manages a mix of Linux, Windows, network devices, and cloud resources
- You want a tool that doubles as a provisioning/deployment tool alongside Terraform
- Ansible Galaxy provides community roles for most common configurations
- You do not need continuous convergence — running playbooks on-demand or via CI/CD is sufficient
Pick Chef when:¶
- You have an existing Chef installation with extensive cookbooks — migration cost exceeds maintenance cost
- You need the InSpec compliance framework integrated with configuration management
- Your organization requires the convergence model (periodic agent runs enforce desired state)
- You should NOT pick Chef for new projects — the ecosystem is in decline
Pick Puppet when:¶
- You manage 1000+ servers that require continuous state enforcement
- Compliance and audit requirements demand provable convergence (every 30 minutes, state is enforced)
- You need PuppetDB for infrastructure querying (find all servers running Apache 2.4)
- Legacy infrastructure with years of Puppet modules — migration is not justified yet
- You should only pick Puppet for new projects if convergence is a hard regulatory requirement
Pick Salt when:¶
- You need event-driven configuration management (Salt's reactor system)
- Extreme scale (10,000+ nodes) where Salt's ZeroMQ transport outperforms SSH-based Ansible
- You want both push and pull modes in the same tool
- You have Python expertise and want to extend the tool with custom modules
- Salt is a reasonable choice but the small community makes support harder
Nobody Tells You¶
Ansible¶
- "Agentless" does not mean "nothing to manage." You need Python on target hosts, SSH key management, and connection timeouts tuning. On 500+ hosts, SSH-based execution is noticeably slow.
- YAML is simple but also limited. Complex logic in Jinja2 templates becomes unreadable. You will write
when:conditions,loop:constructs, andset_fact:chains that rival programming languages in complexity without their tooling. - Ansible roles from Galaxy are hit-or-miss. Many are unmaintained, untested, and make assumptions about your distro. Treat them as starting points, not production-ready.
- Ansible does not enforce state continuously. If someone SSHes into a server and changes a config, Ansible does not know until the next run. This is fine for immutable infrastructure; it is a problem for long-lived servers.
- Ansible Vault for secrets works but is clunky. Encrypting/decrypting individual variables within a file creates merge conflicts in git. Use a dedicated secrets manager for production.
- Ansible AWX/Tower (now AAP) is Red Hat's commercial offering. It adds UI, RBAC, and scheduling but is a significant operational investment itself.
- Collections (the new distribution format) replaced standalone modules and roles. The migration from pre-collections Ansible (2.9) to collections-based (2.10+) broke many existing playbooks.
Chef¶
- Chef requires Ruby proficiency. If your team does not write Ruby, the learning curve is steep and ongoing.
- The Chef Server is a significant component to operate — PostgreSQL, Elasticsearch, RabbitMQ under the hood. Upgrades are complex.
- Progress Chef (the company) has pivoted toward enterprise compliance (InSpec/Automate). The open-source Chef Infra community has shrunk accordingly.
- Cookbook dependency management (Berkshelf, Policyfiles) is its own subfield. Dependency hell is real.
- Chef's testing story (Test Kitchen + ChefSpec + InSpec) is actually excellent — better than Ansible's. This is the one area where Chef still leads.
Puppet¶
- The Puppet DSL is declarative and powerful but alien to most developers. It is not YAML, not Ruby, not anything else — it is its own language with its own type system.
- Puppet's catalog compilation is resource-intensive. The Puppet Server (JVM-based) requires significant memory and CPU.
- Module quality on the Puppet Forge varies wildly. Supported modules from Puppet (now Perforce) are solid; community modules are inconsistent.
- The agent-server model means every node checks in every 30 minutes by default. At 5000 nodes, the Puppet Server needs careful capacity planning.
- Puppet's structured facts and Hiera (hierarchical data lookup) are powerful once understood but have a steep learning curve. Hiera configuration bugs are a common source of "why is this value wrong."
- Perforce (Puppet's parent company) has not invested heavily in modernization. The product works but feels like it peaked in 2018.
Salt¶
- Salt's documentation is notoriously incomplete and disorganized. You will rely on reading source code and community blog posts.
- The Salt Master is a single point of failure for push-based operations. HA Master setups are possible but complex.
- Salt's event bus and reactor system are genuinely unique and powerful for event-driven infrastructure — no other tool does this as natively.
- Community size matters for config management. When a Salt formula does not exist for your use case, you write it from scratch.
- VMware acquired Salt and then largely deprioritized it. The open-source community carries development forward but with limited corporate backing.
Migration Pain Assessment¶
| From → To | Effort | Risk | Timeline |
|---|---|---|---|
| Puppet → Ansible | High | Medium | 3-6 months |
| Chef → Ansible | High | Medium | 3-6 months |
| Salt → Ansible | Medium | Low | 2-4 months |
| Ansible → containers (no CM) | Medium | Low | 2-4 months |
| Chef → Puppet | Medium | Medium | 2-4 months |
| Any CM → immutable infra | High | Medium | 6-12 months |
The most important migration in 2026 is not between config management tools — it is from mutable servers + config management to immutable infrastructure (containers, AMIs, VM images). If you are building new systems, consider whether you need config management at all.
The Interview Answer¶
"Ansible is my default because it is agentless, uses YAML that anyone can read, and serves double duty for both configuration management and ad-hoc orchestration. But the honest answer is that configuration management is less important than it was five years ago. With containers and immutable infrastructure, you 'configure' a system by building a new image, not by running a config management agent. I'd use Ansible for bootstrapping servers and managing the things that sit outside containers — the hosts themselves, network devices, cloud resources — and rely on Dockerfiles and Helm charts for application configuration."
Cross-References¶
- Topic Packs: Ansible, Ansible Deep Dive, Packer
- Related Comparisons: IaC Tools, Container Orchestrators