Managing /etc with etckeeper
Background on /etc and version control
I manage a number of Linux machines ranginge from servers to laptops. I have little interest in babysitting /etc and all the excitement that happens there. I try to avoid modifing files in /etc so that future upgrades are slightly more seemless. However, somethings absolutely need to be modified.
A long time ago I started using svn for watching all the files under /etc. Some issues with the filesystem caused files to get corrupted. The corrupted files were quickly restored from the local svn repository. Another machine had a site it hosted compromised. Having things under version control enabled me to quickly validate the contents of /etc. Lessons learned that payback dividends.
Fast forward several years and Linus Torvalds created git, and invevitably I fell in love with git. With git we can do all of the same things, just easier. Git is a distributed version control system so that makes setting up the repository and pushing it to remove machines for back-up are also much easier.
I have since learned that Joey Hess of git annex fame created etckeeper, which makes all this even easier.
Setup etckeeper on Ubuntu 12.04:
-
Install etckeeper on a Debian based distribution:
$ sudo apt-get install etckeeper
-
Edit /etc/etckeeper/etckeeper.conf, commented out the VCS=”bzr” line and uncomment the VCS=”git” line. One-liner:
$ sed -e 's:^\(VCS\s*=.*bzr\):#\1:' -e 's:^#\(VCS\s*=.*git\):\1:' -i /etc/etckeeper/etckeeper.conf
-
Initialize the repository:
$ cd /etc $ sudo etckeeper init
-
Ensure the the /etc/.git directory has safe permissions, should only be readable by root. Should this change, anyone who can read the git repoository can read all the the /etc files stored in the repository as objects.:
$ ls -ld /etc/.git drwx------ 1 root root 108 Aug 7 22:27 /etc/.git
-
Create the initial commit:
$ sudo etckeeper commit "Initial commit"
Tour of etckeeper
-
Etckeeper sets up gitignore for you:
$ cat /etc/.gitignore
-
View the git log:
$ cd /etc $ sudo git log commit 1726dc3a2330216548b7adc99cce402cc39a5a9c Author: nitro <nitro@core> Date: Tue Aug 21 17:44:47 2012 -0500 committing changes in /etc after apt run Package changes: +lftp 4.3.3-1 lftp.conf | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) commit af34fb96471751709ef3b2abb18cedb058ff31fa Author: nitro <nitro@core> Date: Tue Aug 14 21:00:58 2012 -0500 committing changes in /etc after apt run Package changes: -base-files 6.5ubuntu6 +base-files 6.5ubuntu6.2 -fonts-opensymbol 2:102.2+LibO3.5.4-0ubuntu1 +fonts-opensymbol 2:102.2+LibO3.5.4-0ubuntu1.1 -gir1.2-launchpad-integration-3.0 0.1.56 +gir1.2-launchpad-integration-3.0 0.1.56.1 -google-chrome-stable 21.0.1180.75-r150248 +google-chrome-stable 21.0.1180.77-r150576 -launchpad-integration 0.1.56 +launchpad-integration 0.1.56.1 -libbonobo2-0 2.32.1-0ubuntu1 -libbonobo2-common 2.32.1-0ubuntu1 -libbonoboui2-0 2.24.5-0ubuntu1 -libbonoboui2-common 2.24.5-0ubuntu1 +libbonobo2-0 2.32.1-0ubuntu1.1 +libbonobo2-common 2.32.1-0ubuntu1.1 +libbonoboui2-0 2.24.5-0ubuntu1.1 +libbonoboui2-common 2.24.5-0ubuntu1.1 -liblaunchpad-integration-3.0-1 0.1.56 -liblaunchpad-integration-common 0.1.56 -liblaunchpad-integration1 0.1.56 +liblaunchpad-integration-3.0-1 0.1.56.1 +liblaunchpad-integration-common 0.1.56.1 +liblaunchpad-integration1 0.1.56.1 -libnspr4 4.8.9-1ubuntu2 -libnspr4-0d 4.8.9-1ubuntu2 +libnspr4 4.8.9-1ubuntu2.1 +libnspr4-0d 4.8.9-1ubuntu2.1 -libreoffice-base-core 1:3.5.4-0ubuntu1 -libreoffice-calc 1:3.5.4-0ubuntu1 -libreoffice-common 1:3.5.4-0ubuntu1 -libreoffice-core 1:3.5.4-0ubuntu1 -libreoffice-draw 1:3.5.4-0ubuntu1 -libreoffice-emailmerge 1:3.5.4-0ubuntu1 -libreoffice-gnome 1:3.5.4-0ubuntu1 -libreoffice-gtk 1:3.5.4-0ubuntu1 -libreoffice-help-en-us 1:3.5.4-0ubuntu1 -libreoffice-impress 1:3.5.4-0ubuntu1 -libreoffice-math 1:3.5.4-0ubuntu1 -libreoffice-style-human 1:3.5.4-0ubuntu1 -libreoffice-style-tango 1:3.5.4-0ubuntu1 -libreoffice-writer 1:3.5.4-0ubuntu1 +libreoffice-base-core 1:3.5.4-0ubuntu1.1 +libreoffice-calc 1:3.5.4-0ubuntu1.1 +libreoffice-common 1:3.5.4-0ubuntu1.1 +libreoffice-core 1:3.5.4-0ubuntu1.1 +libreoffice-draw 1:3.5.4-0ubuntu1.1 +libreoffice-emailmerge 1:3.5.4-0ubuntu1.1 +libreoffice-gnome 1:3.5.4-0ubuntu1.1 +libreoffice-gtk 1:3.5.4-0ubuntu1.1 +libreoffice-help-en-us 1:3.5.4-0ubuntu1.1 +libreoffice-impress 1:3.5.4-0ubuntu1.1 +libreoffice-math 1:3.5.4-0ubuntu1.1 +libreoffice-style-human 1:3.5.4-0ubuntu1.1 +libreoffice-style-tango 1:3.5.4-0ubuntu1.1 +libreoffice-writer 1:3.5.4-0ubuntu1.1 -light-themes 0.1.9.1-0ubuntu1 +light-themes 0.1.9.1-0ubuntu1.1 -mdadm 3.2.3-2ubuntu1 +mdadm 3.2.5-1ubuntu0.2 -python-uno 1:3.5.4-0ubuntu1 +python-uno 1:3.5.4-0ubuntu1.1 -sessioninstaller 0.20+bzr128-0ubuntu1 +sessioninstaller 0.20+bzr128-0ubuntu1.1 -uno-libs3 3.5.4-0ubuntu1 +uno-libs3 3.5.4-0ubuntu1.1 -update-manager 1:0.156.14.6 -update-manager-core 1:0.156.14.6 -update-notifier 0.119ubuntu8.4 -update-notifier-common 0.119ubuntu8.4 +update-manager 1:0.156.14.9 +update-manager-core 1:0.156.14.9 +update-notifier 0.119ubuntu8.5 +update-notifier-common 0.119ubuntu8.5 -ure 3.5.4-0ubuntu1 +ure 3.5.4-0ubuntu1.1 -xserver-common 2:1.11.4-0ubuntu10.6 +xserver-common 2:1.11.4-0ubuntu10.7 -xserver-xorg-core 2:1.11.4-0ubuntu10.6 +xserver-xorg-core 2:1.11.4-0ubuntu10.7 bonobo-activation/bonobo-activation-config.xml | 1 + issue | 2 +- issue.net | 2 +- lsb-release | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-)
Shortcomings
When I managed my git repos myself, in the days before etckeeper, I would make a habit of specifying the author with commits. Consequently, on shared servers administered by groups of people, I made a big deal out of everyone specifying the author when they modified files under /etc. The result was a real traceable history, and no more initials and comments from co-workers and friends about who changed what and why as the git log provided all this.
It does appear to grab the $SUDO_USER
environmental variable though, so that helps a little. However, on lightweight virtual machines without real users and multiple admins, it will always say the author is root@hostname
.
I’m unaware of any ways to do this under etckeeper now. Perhaps someday I’ll get around to writing a patch to do it and submit it upstream.
Comments