Is Puppet or Chef suitable for managing very basic server config in a multi tenant environment?

Solution 1:

Try Ansible (ansible.cc). Maybe it is for you. There is no agent running on your clients. It is growing very fast.

Another very good alternative is Salt Stack.

Ansible and Salt are easy to understand; you can use them as a command-line tool if you want, like a distributed shell.

Solution 2:

Yes, this is certainly possible. Deciding if you should do so or not is up to you though.

Regarding your queries:

1) Fair enough. The traffic is SSL-based, so certificate management is important. Also, don't trust any 'facts' which the client supplies relating to its identity, as these can be altered by the client. You want to rely on the client's SSL certificate to provide the authentication of who the server is. To be honest, if you're using things like Hiera properly and avoiding huge hostname-based if-blocks in your code (which you really should), you'll be fine.

2) It shouldn't be, assuming you keep it patched. Properly configured, there's only a small vector for the puppetmaster to be attacked by the clients. That said, the effects if it did get compromised are large, so take care to lock it down.

3) That's really a testing and deployment issue. If you have solid Puppet code, it won't screw your files. It does take a little while to get that sorted, but for the basics (like you need) not long.
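
The point in 1) about not trusting client-supplied facts for identity, shown as a Hiera 5 `hiera.yaml` (an added example, not part of the original answer). The data paths are made up, and the tenant tier assumes your CA signs each agent certificate with the tenant name in the `pp_department` extension.

```yaml
---
# hiera.yaml (Hiera 5), environment layer.
# Added example: file layout and tenant naming are assumptions.
version: 5

defaults:
  datadir: data
  data_hash: yaml_data

hierarchy:
  # WEAK (left commented out): this tier is keyed on a fact. Facts are
  # reported by the agent itself, so a node in tenant A could report
  # tenant B's FQDN and be served tenant B's data.
  #
  # - name: "Per-node data (fact based, do not use)"
  #   path: "nodes/%{facts.networking.fqdn}.yaml"

  # CORRECTED: $trusted values are taken by the master from the agent's
  # verified SSL certificate, not from anything the agent reports.
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"

  # Tenant tier keyed on a certificate extension. The extension is set in
  # the CSR and fixed once the CA signs it, so review it before signing.
  # Assumption: pp_department carries the tenant name, e.g. "tenant-a".
  - name: "Per-tenant data"
    path: "tenants/%{trusted.extensions.pp_department}.yaml"

  # Shared baseline: only values that every tenant is allowed to see.
  - name: "Common data"
    path: "common.yaml"
```

With this layout, no tier that holds tenant-specific values is selected by anything the agent can change after its certificate is signed, which makes certificate signing the control point for tenant separation.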