We are a startup that is just getting up to speed and running into the problem of managing hundreds of machines, and having to do nightly and weekly releases to all of them as well as managing their configurations.

This is typically a job for one or more sysadmins, but in our case we need to do this with just one. We looked into tools such as Puppet and Distributed Shell, but none of them seem to fit what we are looking for. For each machine, we need to build some linux modules from source, update packages, set stack and linux configurations, pull down source code from Git, and update database schema definitions, all in an automated way. The catch is that we need to do this all with approvals.

Are there any tools out there that will allow us to stage commands to be approved before being executed?

Puppet seemed to be the closest to what we need, but building from source seems difficult to set up and requires an additional port to be open (we only have port 22 available).

  • Why does the "approval" need to be implemented in the deployment software? Why are you not producing binary builds instead of performing builds on all the nodes you are deploying to? Are you already using CI software such as `jenkins` or `bamboo`? Your deployment should be a single command (running the deployment script). – jordanm Apr 12 '15 at 17:16
  • jordanm - our team is distributed across the globe, and the approval needs to be in place in case the sysadmin decides to do something malicious or peek at private customer data - outside the US and EU there are very lax privacy and IP protection laws – anonymous_startup Apr 12 '15 at 17:30
  • If giving someone the ability to do a software deployment and giving them access to sensitive data is the same, then there is an issue with your deployment strategy. – jordanm Apr 12 '15 at 17:46
  • To address the port 22 issue, you could run puppet in standalone mode and pull updates via scheduled scp or rsync over ssh. – Andy Apr 12 '15 at 20:24

2 Answers


You may want to look at Ansible for Configuration Management, as it uses existing SSH access for reaching out to machines.

It sounds like as much as you need a Configuration Management solution, you also need an orchestration / workflow management solution to manage complex sequences of events, with per-step failure detection and parallelization across multiple machines. For this, something like Control/M, JBPM or even Concourse.ci would be useful.

Best of luck for you and your startup.

  • +1 for Ansible because it works via SSH only; To implement approval take a look at [Gerrit](https://code.google.com/p/gerrit/) or [Crucible](https://www.atlassian.com/software/crucible/overview) – mschuett Apr 13 '15 at 17:40
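The combination the answer and comment above point at (Ansible over the existing SSH access, with the approval recorded in Git) can be wired together so that the playbook itself refuses to deploy anything an approver has not signed. The playbook below is an added example, not code from the answer or from the Ansible project. Everything in it is hypothetical: an inventory group `app`, a repository `git@git.example.com:acme/app.git` checked out to `/opt/app` (the nodes are assumed to have a read-only deploy key for it), an out-of-tree kernel module `acme_kmod` under `/opt/app/kmod`, a migration script `bin/migrate` in the repository, and a file `approvers.asc` holding the approvers' public GPG keys shipped next to the playbook. The approval gate is the `verify_commit` option of Ansible's `git` module, which makes git verify the GPG signature on the requested tag (git 2.1 or newer on the nodes) and fails the task if the tag is unsigned or signed by a key that is not in root's keyring.

```yaml
# deploy.yml - added example, not from the original answer.
# Hypothetical names: group "app", repo git@git.example.com:acme/app.git,
# module acme_kmod under /opt/app/kmod, migration script /opt/app/bin/migrate,
# approvers' public keys in approvers.asc beside this playbook.
- name: Deploy an approver-signed release over SSH only
  hosts: app
  become: yes
  serial: "10%"               # roll out in batches rather than fleet-wide at once
  max_fail_percentage: 0      # any failure in a batch halts the rest of the run

  pre_tasks:
    - name: Refuse to run unless a specific release tag was named on the command line
      assert:
        that: release_tag is defined
        fail_msg: "run with -e release_tag=<approver-signed tag>"

  tasks:
    - name: Install the approvers' public keys so git on the node can verify tag signatures
      copy:
        src: approvers.asc
        dest: /etc/deploy/approvers.asc
        owner: root
        mode: "0644"

    - name: Import the approvers' keys into root's GPG keyring
      command: gpg --batch --import /etc/deploy/approvers.asc
      changed_when: false

    - name: Update packages
      apt:
        update_cache: yes
        upgrade: safe

    - name: Check out the release; verify_commit fails unless the tag carries a valid GPG signature
      git:
        repo: git@git.example.com:acme/app.git
        dest: /opt/app
        version: "{{ release_tag }}"
        verify_commit: yes

    - name: Build the out-of-tree module against the running kernel
      command: make -C /lib/modules/{{ ansible_kernel }}/build M=/opt/app/kmod modules

    - name: Install the module and refresh module dependencies
      shell: make -C /lib/modules/{{ ansible_kernel }}/build M=/opt/app/kmod modules_install && depmod -a
      notify: reload acme_kmod

    - name: Render the application configuration from the checked-out release
      template:
        src: app.conf.j2
        dest: /etc/app/app.conf
        owner: root
        group: app
        mode: "0640"
      notify: restart app

    - name: Apply schema migrations once for the shared database, not once per host
      command: /opt/app/bin/migrate --to "{{ release_tag }}"
      run_once: yes
      register: migrate
      changed_when: "'applied' in migrate.stdout"

  handlers:
    - name: reload acme_kmod
      shell: modprobe -r acme_kmod; modprobe acme_kmod
    - name: restart app
      service:
        name: app
        state: restarted
```

Usage: an approver reviews the change (Gerrit or Crucible, as suggested in the comment, can enforce that review before anything lands), then signs and pushes a tag with `git tag -s v2015.04.12 -m "approved" && git push origin v2015.04.12`; the sysadmin deploys it with `ansible-playbook -i hosts deploy.yml -e release_tag=v2015.04.12`. The person running the deployment cannot substitute other code without an approver's private key, and the signed tag is a durable record of who approved what. The caveat, which is jordanm's point above, is that this gates the automation, not the people: whoever holds root over SSH on the nodes can still bypass the check by hand, so it is change control rather than a defense against a malicious administrator.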

If you are using virtual machines, you may want to look at Asgard. This would let anyone build the AMIs, but only approved individuals will be able to actually release a new AMI into the wild. You could then use any tool you want to build the AMI.

Tejay Cardon