Differences between revisions 7 and 8
Revision 7 as of 2013-08-12 10:57:50
Size: 5850
Editor: h167
Comment: Fixed apparent typos (at least on CentOS 6.4, the spaces were causing parse errors)
Revision 8 as of 2013-08-12 11:00:11
Size: 5921
Editor: h167
Comment: Comment that would have been helpful to a newb like me :)
Deletions are marked like this. Additions are marked like this.
Line 126: Line 126:
 * More automatic, but less desirable for security reasons: let sudo preserve `$HOME` by adding the following to your `/etc/sudoers` file:  * More automatic, but less desirable for security reasons: let sudo preserve `$HOME` by adding the following to your `/etc/sudoers` file (somewhere after the env_reset and "env_keep =" lines, if it has them):

This is one approach - see the end of the page for other approaches.

Tracking /etc etc

Mercurial can be used to track host configuration, like a kind of backup of config. I use a depot in / and hgignore everything.

Files that I want to track are added on demand. Before editing an untracked file I commit it so that I can see what has been changed. After completing an admin task I review the output from "hg diff | vim -R -", check that I made the right changes, check that all relevant changes are tracked, and then I commit.

But there are some attributes that Mercurial doesn't track, such as owner and group and permissions, mtime/ctime/atime, special file system attributes. So don't try to update, that will mess things up. A restore must be done manually and carefully. Also be careful when you want to revert or stop tracking files (you might want to use hg rm --after).

Tracking symlinks like for example /etc/rc.d/rc?.d/* requires Mercurial 0.9.5. When dealing with symlinks be careful about what you are tracking: The link or the target file.

Some files in /etc/ are binary, and you probably don't want to track them. But there are files in other places that it makes sense to track. Please extend the list below with files you need track and think others would like to track too.

How to get started

cd /
hg init .
chmod go-rwx .hg
echo ^ > .hgignore

hg add \
 .hgignore \
 boot/grub/device.map \
 boot/grub/grub.conf \
 etc/aliases \
 etc/crontab \
 etc/dhcpd.conf \
 etc/dirvish/master.conf \
 etc/fstab \
 etc/group \
 etc/gshadow \
 etc/hosts \
 etc/httpd/conf.d/*.conf \
 etc/httpd/conf/httpd.conf \
 etc/inittab \
 etc/mantis/config_inc.php \
 etc/modprobe.conf \
 etc/mtab \
 etc/nsswitch.conf \
 etc/ntp.conf \
 etc/passwd \
 etc/php.ini \
 etc/postfix/access \
 etc/postfix/aliases \
 etc/postfix/canonical \
 etc/postfix/generic \
 etc/postfix/header_checks \
 etc/postfix/main.cf \
 etc/postfix/master.cf \
 etc/postfix/relocated \
 etc/postfix/transport \
 etc/postfix/virtual \
 etc/rc.d/* \
 etc/rc.d/rc?.d/* \
 etc/resolv.conf \
 etc/samba/lmhosts \
 etc/samba/smb.conf \
 etc/samba/smbusers \
 etc/selinux/config \
 etc/selinux/restorecond.conf \
 etc/selinux/semanage.conf \
 etc/selinux/targeted/modules/active/booleans.local \
 etc/shadow \
 etc/squirrelmail/config.php \
 etc/squirrelmail/config_local.php \
 etc/squirrelmail/default_pref \
 etc/squirrelmail/sqspell_config.php \
 etc/ssh/ssh_config \
 etc/ssh/ssh_host_dsa_key.pub \
 etc/ssh/ssh_host_key.pub \
 etc/ssh/ssh_host_rsa_key.pub \
 etc/ssh/sshd_config \
 etc/sysconfig/authconfig \
 etc/sysconfig/clock \
 etc/sysconfig/grub \
 etc/sysconfig/hwconf \
 etc/sysconfig/i18n \
 etc/sysconfig/iptables \
 etc/sysconfig/iptables-config \
 etc/sysconfig/kernel \
 etc/sysconfig/keyboard \
 etc/sysconfig/network \
 etc/sysconfig/network-scripts/ifcfg-eth* \
 etc/sysconfig/system-config-securitylevel \
 etc/sysctl.conf \
 etc/yum.conf \
 root/anaconda-ks.cfg \
 root/setup.txt \
 usr/local/bin/* \
 usr/local/sbin/* \
 var/lib/samba/private/passdb.tdb \
 var/lib/samba/private/secrets.tdb \
 var/lib/samba/private/smbpasswd \
 var/log/dmesg \
 var/log/rpmpkgs \
 var/named/chroot/etc/named.conf \
 var/named/chroot/var/named/* \

sudo and multiple users

You will obviously need to use sudo (or a similar tool) when managing those repositories, but often you will want separate users to still retain their username, custom Mercurial settings, etc. There are several approaches to that:

  • Have each user define HGRCPATH to include their own .hgrc file, and configure sudo to preserve that variable:

# /etc/sudoers
Defaults:username env_keep += "HGRCPATH"
# or
Defaults:%groupname env_keep += "HGRCPATH"
  • You can see where Mercurial is looking for hgrc files with hg debugconfig --debug:

$ hg debugconfig --debug
read config from: /etc/mercurial/hgrc
read config from: /home/username/.hgrc
...
  • More automatic, but less desirable for security reasons: let sudo preserve $HOME by adding the following to your /etc/sudoers file (somewhere after the env_reset and "env_keep =" lines, if it has them):

Defaults:username env_keep += "HOME"

Update Hook for proper permissions

I use this script as an update hook to manage the special permissions that files in /etc need (and also those I want my home directory contents to have). I'm sure there are some holes in it, but it does what I need it to do.

repo="$(hg root)"

case "${repo}" in
        "/etc")
                cd "${repo}"
                for file in $(hg manifest) ; do
                                perms=$(stat -c %a "${file}")
                                case "${file}" in
                                        "shadow"|"gshadow")
                                                if [[ "${perms}" == "644" ]] ; then
                                                        chmod -v 600 "${file}"
                                                fi
                                                ;;
                                        *)
                                                if [[ "${perms}" == "700" ]] ; then
                                                        chmod -v 755 "${file}"
                                                elif [[ "${perms}" == "600" ]] ; then
                                                        chmod -v 644 "${file}"
                                                fi
                                                ;;
                                esac
                done
                ;;
        "/home/ataraxia")
                cd "${repo}"
                for file in $(hg manifest) ; do
                        perms=$(stat -c %a "${file}")
                        if [[ "${perms}" == "755" ]] ; then
                                chmod -v 700 "${file}"
                        elif [[ "${perms}" == "644" ]] ; then
                                chmod -v 600 "${file}"
                        fi
                done
                ;;
        *)
                ;;
esac

Other approaches and comments

http://www.selenic.com/pipermail/mercurial/2007-August/014296.html Beware of the problems ...

http://www.selenic.com/pipermail/mercurial/2007-August/014298.html Example of complex .hgignore

http://www.selenic.com/pipermail/mercurial/2007-August/014301.html Discouragement ...

http://michael-prokop.at/blog/2007/03/14/maintain-etc-with-mercurial-on-debian/ Maintain /etc with mercurial on Debian

http://ygingras.net/b/2007/11/a-case-for-hg-on-etc Encouragement ...

TrackingEtcEtc (last edited 2013-08-12 11:00:11 by h167)