    Patching configuration files

    • travisdh1T
      travisdh1 @1337
      last edited by

      @Pete-S That is what things like salt and Ansible are for. You tell the main server what programs should be installed/running, and config files. It manages the servers for you from there.

      1 1 Reply Last reply Reply Quote 2
      • 1
        1337 @travisdh1
        last edited by 1337

        @travisdh1 said in Patching configuration files:

        @Pete-S That is what things like salt and Ansible are for. You tell the main server what programs should be installed/running, and config files. It manages the servers for you from there.

        Yes, I know and it's a good point. However I need something better than manual editing for servers that are not hooked up to ansible or salt.

        JaredBuschJ 1 Reply Last reply Reply Quote 0
        • JaredBuschJ
          JaredBusch @1337
          last edited by

          @Pete-S said in Patching configuration files:

          I need something better than manual editing for servers that are not hooked up to ansible or salt.

          add them to salt/ansible.

          1 1 Reply Last reply Reply Quote 3
          • 1
            1337 @JaredBusch
            last edited by 1337

            @JaredBusch said in Patching configuration files:

            @Pete-S said in Patching configuration files:

            I need something better than manual editing for servers that are not hooked up to ansible or salt.

            add them to salt/ansible.

            You're right. It seems like that is easier than trying to figure out how to use diff & patch.

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @1337
              last edited by

              @Pete-S said in Patching configuration files:

              @JaredBusch said in Patching configuration files:

              @Pete-S said in Patching configuration files:

              I need something better than manual editing for servers that are not hooked up to ansible or salt.

              add them to salt/ansible.

              You're right. It seems like that is easier than trying to figure out how to use diff & patch.

              For sure, that's what I was thinking, too.

              1 Reply Last reply Reply Quote 0
              • M
                manxam
                last edited by

                Create a shell script that just runs sed on the files you need?

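                #!/bin/sh
                # allow root login over SSH (arguments are case-sensitive: yes/no)
                sed -i 's/PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config
                # disable password authentication
                sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config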
                
                IRJI 1 Reply Last reply Reply Quote 1
                • IRJI
                  IRJ @manxam
                  last edited by

                  @manxam said in Patching configuration files:

                  Create a shell script that just runs sed on the files you need?

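                  #!/bin/sh
                  # allow root login over SSH (arguments are case-sensitive: yes/no)
                  sed -i 's/PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config
                  # disable password authentication
                  sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config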
                  

                  Yeah using sed is the answer if you want to add or remove a few lines.

                  1 Reply Last reply Reply Quote 0
                  • 1
                    1337
                    last edited by

                    Contextual patching is the answer to my question. It will look at the lines before and after each change so it can apply a patch even if the location inside the file is not the same.

                    # compare files and find out what has changed
                    diff -c oldfile newfile > changes.patch
                    
                    # apply the same patch to another file
                    patch -i changes.patch anotherfile
                    

                    You can also diff & patch entire directory trees in one command.
                    For example all the files under /etc/

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      manxam @1337
                      last edited by

                      @Pete-S : Does that not rely on always having the same context around the lines to patch though?
                      I.E. You will always have to have PasswordAuthentication directly preceding PermitRootLogin followed by RandomBlockOfText in order to find and patch PermitRootLogin?
                      I may be wrong, but I thought that if you added another config entry between PasswordAuthentication and PermitRootLogin that the patch would fail.

                      1 1 Reply Last reply Reply Quote 0
                      • 1
                        1337 @manxam
                        last edited by

                        @manxam said in Patching configuration files:

                        @Pete-S : Does that not rely on always having the same context around the lines to patch though?
                        I.E. You will always have to have PasswordAuthentication directly preceding PermitRootLogin followed by RandomBlockOfText in order to find and patch PermitRootLogin?
                        I may be wrong, but I thought that if you added another config entry between PasswordAuthentication and PermitRootLogin that the patch would fail.

                        I'm not sure exactly what happens. I may have to run some tests to see.

                        1 Reply Last reply Reply Quote 0
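
The test mentioned above, as an added example that is not part of the original thread: it builds the patch with the `diff -c` command from the post and applies it to three constructed variants of a sample config. The file contents, scenario names and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. All file contents are constructed samples, not a real sshd_config.

# Reference config; the patch changes only the PermitRootLogin line.
base_config() {
    printf '%s\n' 'Port 22' 'AddressFamily any' 'LogLevel INFO' \
        'MaxAuthTries 6' 'PasswordAuthentication yes' 'PermitRootLogin yes' \
        'X11Forwarding no' 'UseDNS no' 'Banner none'
}

# Print the base config with a new entry inserted above the line starting with $1.
insert_above() {
    base_config | awk -v key="$1" '$1 == key { print "PubkeyAuthentication yes" } { print }'
}

# Print the file that the patch is applied to in each scenario.
target_config() {
    case "$1" in
        shifted)  printf '%s\n' '# edited by hand' 'ListenAddress 0.0.0.0'
                  base_config ;;                           # context intact, moved down
        nearby)   insert_above PasswordAuthentication ;;   # one line away from the change
        adjacent) insert_above PermitRootLogin ;;          # directly above the change
    esac
}

# Create the patch as in the post, apply it to one scenario, print applied/rejected.
try_patch() {
    dir=$(mktemp -d) || return 2
    base_config > "$dir/oldfile"
    sed 's/^PermitRootLogin yes$/PermitRootLogin no/' "$dir/oldfile" > "$dir/newfile"
    target_config "$1" > "$dir/anotherfile"
    # diff exits 1 when the files differ, which is the expected case here
    (cd "$dir" && diff -c oldfile newfile > changes.patch) || true
    # patch's own report goes to stderr so that stdout carries only the verdict
    if (cd "$dir" && patch -i changes.patch anotherfile </dev/null >&2) &&
        grep -qx 'PermitRootLogin no' "$dir/anotherfile"; then
        verdict=applied
    else
        verdict=rejected
    fi
    rm -rf "$dir"
    echo "$verdict"
}

for scenario in shifted nearby adjacent; do
    echo "$scenario: $(try_patch "$scenario")"
done
```

With GNU patch and its default fuzz factor of 2, `shifted` and `nearby` apply (patch reports an offset or fuzz), while `adjacent`, the case where a new entry sits directly between PasswordAuthentication and PermitRootLogin, is rejected and leaves a `.rej` file.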
                        • stacksofplatesS
                          stacksofplates
                          last edited by

                          Yeah this is bread and butter for config management tools. You'd either use a template for the config or the lineinfile module for Ansible.

                          Your template would have something like this:

                          PermitRootLogin {{ root_login_enabled }}
                          

                          In it and then you can control which servers allow root login with the root_login_enabled variable.

                          1 Reply Last reply Reply Quote 2