Configuration and automation query
Hi all, I have a question about merging default configurations with own changes. As an example, take an apache configuration. The default configuration may change, according to best practice(e.g. which encryption protocols are safe to use etc). so you are happy to use whatever the package provides (if it is well-maintained) However, some things you may not like, say: the "PermitRootLogin yes" line. [Okay, the example has a bit of a "design fault" because Apache configs have include statements etc. - but there are examples without, as ntp.conf, and some do not like to have two lines of the same key which are conflicting - so you really have to replace the default with yours. I just wanted to give this as an example you may familiar with] So, for the sake of this example, assume all is written in one httpd.conf (no includes) and you are not allowed to have two lines as PermitRootLogin yes PermitRootLogin no How do you keep track of the "latest changes" in default configuration while making the changes you really want? I wonder especially in the context of automation where you may run it on many instances without manual invervention. My solution at the moment is: 1st install: - backup default (copies etc/htttpd.conf to httpd.conf.defaults) - update_config (e.g. parses the defaults with awk and replaces PermitRootLogin "yes by "no"[simplified]: awk '{if $1=="PermitRootLogin") print $1" no"; else print}' Update: - backup $version (just in case..) - restore default (copies etc/htttpd.conf.default to httpd.conf so the upgrade finds a pristine config) - package upgrade - update_config (as before) The advantage of this: update_config can do a lot of things, including using system-specific variables (e.g. getting an IP address from the system so you tell the system to listen on this IP only - no localhost: "Listen IPAddress:80"). A "diff" can be used to monitor unexpected changes afterwards (the diff should oonly show the xpected lines) , to alarm me if things are not right. I wonder whether there is any better support from configuration management tools you are using. Thank you Peter
On Tue, Nov 22, 2016 at 11:52:03AM +1100, Peter Ross wrote:
The default configuration may change, according to best practice(e.g. which encryption protocols are safe to use etc). so you are happy to use whatever the package provides (if it is well-maintained)
However, some things you may not like, say: the "PermitRootLogin yes" line. [...]
not sure what you're running (freebsd, i think) but here's what debian does: When you upgrade a debian package that has a listed conffile, what happens depends on whether either the installed version of the file has been changed from the default and/or the package version has been changed from the previous version. If the installed version of a conffile hasn't been changed (i.e. edited in some way by the local admin) then: - if the package version hasn't changed, nothing happens - if the package version HAS changed, it replaces the current installed version. If the installed conffile has been edited and the package version hasn't changed then nothing happens. If the installed conffile has been edited and the package version HAS changed, then the user is asked what they want to do - the three main options are: - replace customised config file with package config file - keep custom config - view diff (you can also fork a shell or switch to another terminal and manually diff and/or edit the relevant files, view man pages etc, before making a decision) anyway, if the user chooses to replace their custom config file, it is renamed to filename.dpkg-old if the user chooses to keep their custom config file, the packaged version is renamed to filename.dpkg-dist These renames allow you to easily diff the config files from the command line and manually cherry-pick any changes. They also make it easy to change your mind later with just a simple mv to replace the current config file with the .dpkg-old or dpkg-dist version. This is still useful/convenient even when using revision control for your config files.
I wonder whether there is any better support from configuration management tools you are using.
Package: etckeeper Version: 1.18.5-1 Description-en: store /etc in git, mercurial, bzr or darcs The etckeeper program is a tool to let /etc be stored in a git, mercurial, bzr or darcs repository. It hooks into APT to automatically commit changes made to /etc during package upgrades. It tracks file metadata that version control systems do not normally support, but that is important for /etc, such as the permissions of /etc/shadow. It's quite modular and configurable, while also being simple to use if you understand the basics of working with version control. Homepage: http://etckeeper.branchable.com/ automated revision control of /etc and all subdirectories. nicely integreated with apt to automatically commit changes before and after any package installs/upgrades/removals (i think it also has similar support for yum, and dnf). commits are also run nightly from cron. and, of course, you can manually commit any file with a useful commit log message whenever you want. using etckeeper and git makes it even easier to cherry-pick config file changes, and is useful for all files under /etc, not just those listed in a package as a "conffile". and the changelog and history that git (or whatever) gives you is as useful for config files as it is for programming. plus you get all the other benefits of git. a long time ago, i used to manually use subversion on most systems (and rcs before that), but having etckeeper available as a package means that revision control of my config files just happens automatically on all my systems whether i'm paying particular attention to it or not. and adding a remote in git is easy, so I can push configs to any git repo...and clone (and fork and merge and cherry-pick and diff and ...) them as needed. craig -- craig sanders <cas@taz.net.au>
participants (2)
-
Craig Sanders -
Peter Ross