13

Is it possible to receive a notification on the console when a package containing a file that is controlled by puppet is about to change that file? Meaning, in yum when doing yum update, is it possible to inject a custom warning?

Engineer2021

3 Answers

22

Yum supports plugins, so it's entirely possible to write a plugin that reads the cached puppet manifest and warns when a transaction will overwrite a puppet-controlled file. I'm not aware of an existing plugin that does this, but I just wrote one myself as I like the idea.

The plugin checks all newly installed/upgraded/downgraded packages, tells you which puppet-managed files it will overwrite and asks for a confirmation to do so.

    [root@camel ~]# yum update pam
    Loaded plugins: puppet, security
    Skipping security plugin, no data
    Setting up Update Process
    Resolving Dependencies
    Skipping security plugin, no data
    --> Running transaction check
    ---> Package pam.i386 0:0.99.6.2-12.el5 set to be updated
    ---> Package pam.x86_64 0:0.99.6.2-12.el5 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ===============================================================================================================================================================
     Package                           Arch                                 Version                                       Repository                          Size
    ===============================================================================================================================================================
    Updating:
     pam                               i386                                 0.99.6.2-12.el5                               base                               983 k
     pam                               x86_64                               0.99.6.2-12.el5                               base                               982 k

    Transaction Summary
    ===============================================================================================================================================================
    Install       0 Package(s)
    Upgrade       2 Package(s)

    Total download size: 1.9 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/2): pam-0.99.6.2-12.el5.x86_64.rpm                                                                                                   | 982 kB     00:00
    (2/2): pam-0.99.6.2-12.el5.i386.rpm                                                                                                     | 983 kB     00:00
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                          8.7 MB/s | 1.9 MB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/pam.d/system-auth
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/access.conf
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/limits.conf
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/pam.d/system-auth
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/access.conf
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/limits.conf
    Is this ok [y/N]: n


    Aborting
    [root@camel ~]# yum update pam
    Loaded plugins: puppet, security
    Skipping security plugin, no data
    Setting up Update Process
    Resolving Dependencies
    Skipping security plugin, no data
    --> Running transaction check
    ---> Package pam.i386 0:0.99.6.2-12.el5 set to be updated
    ---> Package pam.x86_64 0:0.99.6.2-12.el5 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ===============================================================================================================================================================
     Package                           Arch                                 Version                                       Repository                          Size
    ===============================================================================================================================================================
    Updating:
     pam                               i386                                 0.99.6.2-12.el5                               base                               983 k
     pam                               x86_64                               0.99.6.2-12.el5                               base                               982 k

    Transaction Summary
    ===============================================================================================================================================================
    Install       0 Package(s)
    Upgrade       2 Package(s)

    Total size: 1.9 M
    Is this ok [y/N]: y
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/pam.d/system-auth
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/access.conf
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/limits.conf
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/pam.d/system-auth
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/access.conf
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/limits.conf
    Is this ok [y/N]: y
      Updating       : pam                                                                                                                                     1/4
      Updating       : pam                                                                                                                                     2/4
      Cleanup        : pam                                                                                                                                     3/4
      Cleanup        : pam                                                                                                                                     4/4

    Updated:
      pam.i386 0:0.99.6.2-12.el5                                                    pam.x86_64 0:0.99.6.2-12.el5

    Complete!

The plugin itself can be found in my GitHub hacks repository.


Nov. 8 2013 update:

As hinted at in the comments, I've now turned this into a larger project to improve the interaction between Yum and Puppet. You can find it on GitHub.

Greg Dubicki
Dennis Kaarsemaker
  • This is lovely. I sure wish it knew to ignore %config(noreplace) stuff, though, since those aren't actually going to be overwritten. – freiheit Oct 16 '13 at 23:54
  • Yeah, I plan to add that, and a whole lot more. This question gave me lots of ideas :) – Dennis Kaarsemaker Oct 17 '13 at 06:07
  • Wow! You really went beyond the call of duty here. I am impressed. This is exactly what my question was trying to address. I was thinking a shell script but this is much better! Now, I installed your plugin into yum, but it won't load the puppet plugin. Any idea why? I see the .pyc file, but no .pyo file like rhnplugin and security have – Engineer2021 Oct 17 '13 at 12:07
  • Never mind, I had to install PyYAML. – Engineer2021 Oct 17 '13 at 12:17
  • Can you add a software license? – Engineer2021 Oct 17 '13 at 12:57
  • Yum is GPL2+, so this one too. I'll add another comment here when I've implemented all the features I have in mind. We are heavy users of puppet, and I have some ideas on making this plugin and a special package provider for yum work a lot nicer together. – Dennis Kaarsemaker Oct 17 '13 at 21:49
  • Cool, try to get it into yum-utils too! – Engineer2021 Oct 18 '13 at 01:39
  • This is brilliant work, Dennis. Simple, but incredibly useful to a lot of people. I hope the word gets out. – Aaron Copley Nov 12 '13 at 22:53
2

Yes, it's possible, but it doesn't relate to Puppet itself.

Linux systems have support for the inotify mechanism, which "can be used to monitor and act upon filesystem events". Besides inotify-tools there is also the incron program, which works similarly to cron but reacts to file system events. I think that you may use it to be notified about changes to any file.

(BTW, if you want to watch the /etc/sysctl.conf file, I suggest checking first: does your Linux have support for the /etc/sysctl.d directory?)

php-coder
0

I don't know of a way to implement such notifications. It may be possible to set something up by staging the yum transaction, determining the list of config files that might be affected, and then checking to see if puppet manages any of them.

However, in general it is not good practice to manage a file that will be updated by a package. In the case of configuration files (use rpm -qlc packagename to see if they are marked as such), if the package contains a new version it is saved as filename.rpmnew. You are then left to your own devices to merge any needed changes.

We have run into a problem where a config file was removed by puppet and then replaced by yum when the package was updated. This caused problems until the next puppet run removed the file. Our workaround for that situation was to set the content of the "removed" file to a comment so it is essentially empty. Another way to handle it would be to attempt to ensure that Package['a'] -> File['/etc/a'] so that only one puppet run is needed.

jdkindy
  • I tried to find some best practices on puppet that say "it is not good practice to manage a file that will be updated by a package". I manage sysctl.conf especially because there are settings in that file that I need for certain applications to run. What is the alternative then? – Engineer2021 Oct 16 '13 at 11:51
  • It is absolutely fine to manage configs with puppet that yum also wants to touch. RPM generally won't touch customized config files, and even if it does, puppet will restore your content. – Dennis Kaarsemaker Oct 16 '13 at 19:38
  • Configuration files will only be updated by RPM/yum if they do not exist. It is not (generally) good practice to use puppet to edit other files in the package, because your changes could break the functionality. I guess it would have been better to say "edit" than "manage" in my answer since managing can be ensuring proper permissions. If you want to edit files that are not config files, then you should also implement some sort of version locking or exclusion to ensure that packages are updated on demand, not automatically. That way you can control the entire update process. – jdkindy Oct 17 '13 at 13:39
  • @jdkindy: https://www.redhat.com/archives/rhl-list/2003-December/msg04713.html – Engineer2021 Oct 17 '13 at 13:41
  • @0A0D: Thanks, that is the behavior I was talking about. I wish I had enough rep to comment on Dennis Kaarsemaker's post - that is the beginning of an elegant solution. Also, the configuration ".d" directories (noted by php-coder) are very easy to implement in puppet if the package supports them. – jdkindy Oct 17 '13 at 13:55
  • Thank you to you both. Taught me a lot. I am not a sys admin by trade but rather sys admin in situ :) – Engineer2021 Oct 17 '13 at 14:03
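
The check described in the first answer (compare each package's files with the files Puppet manages) and sketched in this answer (stage the transaction, list the config files, see whether Puppet manages them), as an added example that is not the plugin's code or part of any post. The catalog, package name and file list are constructed, the flag letters follow rpm's fflags notation, and the verdicts apply the %config(noreplace) distinction raised in the comments.

```python
import json

# Constructed sample: cut-down Puppet catalog (JSON resource list, type + title).
CATALOG = json.loads("""{"resources": [
  {"type": "File", "title": "/etc/example/main.conf"},
  {"type": "File", "title": "/etc/example/limits.conf"},
  {"type": "File", "title": "motd", "parameters": {"path": "/etc/example/motd"}},
  {"type": "File", "title": "/usr/lib/example/hook.sh"},
  {"type": "Service", "title": "exampled"}
]}""")

# Constructed sample: "path<TAB>flags" for each file of a hypothetical package;
# flag letters as in rpm's fflags output (c = %config, n = noreplace, d = doc).
TRANSACTION = {"examplepkg-2.0-1.x86_64": (
    "/etc/example/main.conf\tcn\n"
    "/etc/example/limits.conf\tc\n"
    "/etc/example/motd\tc\n"
    "/usr/lib/example/hook.sh\t\n"
    "/usr/share/doc/examplepkg/README\td\n"
)}

def managed_paths(catalog):
    """Paths of all File resources; a path parameter overrides the title."""
    paths = set()
    for res in catalog.get("resources", []):
        if res.get("type") == "File":
            path = res.get("parameters", {}).get("path", res["title"])
            paths.add(path.rstrip("/") or "/")
    return paths

def classify(flags):
    """What an upgrade does to a locally modified file carrying these rpm flags."""
    if "c" not in flags:
        return "overwritten"
    return "kept (new version saved as .rpmnew)" if "n" in flags else "may be replaced"

def conflicts(transaction, catalog):
    """Sorted (package, path, verdict) for each puppet-managed file in the transaction."""
    managed = managed_paths(catalog)
    rows = ((pkg, line.partition("\t")) for pkg, listing in transaction.items()
            for line in listing.splitlines())
    return sorted((pkg, path, classify(flags)) for pkg, (path, _, flags) in rows
                  if path in managed)

def needs_confirmation(found):
    """Only files rpm would actually replace are worth an interactive prompt."""
    return [row for row in found if not row[2].startswith("kept")]
```

On a real host the file list would come from the packages in the pending transaction and the catalog from the agent's cached copy; both sources are outside this sketch.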