Patching configuration files



  • I often do the same changes in config files many times. But I'd like to automate it.

    For example I like to be able to ssh directly into the root account on internal servers. So I have to go and add/change PermitRootLogin in sshd_config. And so on and so forth.

    How do I use diff and patch so that my patch files work even if the config files look slightly different, perhaps with an additional line or two somewhere? Or do I need some other tool for that?



  • @Pete-S That is what things like salt and Ansible are for. You tell the main server what programs should be installed/running, and config files. It manages the servers for you from there.



  • @travisdh1 said in Patching configuration files:

    @Pete-S That is what things like salt and Ansible are for. You tell the main server what programs should be installed/running, and config files. It manages the servers for you from there.

    Yes, I know and it's a good point. However I need something better than manual editing for servers that are not hooked up to ansible or salt.



  • @Pete-S said in Patching configuration files:

    I need something better than manual editing for servers that are not hooked up to ansible or salt.

    add them to salt/ansible.



  • @JaredBusch said in Patching configuration files:

    @Pete-S said in Patching configuration files:

    I need something better than manual editing for servers that are not hooked up to ansible or salt.

    add them to salt/ansible.

    You're right. It seems like that is easier than trying to figure out how to use diff & patch.



  • @Pete-S said in Patching configuration files:

    @JaredBusch said in Patching configuration files:

    @Pete-S said in Patching configuration files:

    I need something better than manual editing for servers that are not hooked up to ansible or salt.

    add them to salt/ansible.

    You're right. It seems like that is easier than trying to figure out how to use diff & patch.

    For sure, that's what I was thinking, too.



  • Create a shell script that just runs sed on the files you need?

    #!/bin/sh
    sed -i 's/PermitRootLogin No/PermitRootLogin Yes/' /etc/sshd_config
    sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/sshd_config
    


  • @manxam said in Patching configuration files:

    Create a shell script that just runs sed on the files you need?

    #!/bin/sh
    sed -i 's/PermitRootLogin No/PermitRootLogin Yes/' /etc/sshd_config
    sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/sshd_config
    

    Yeah using sed is the answer if you want to add or remove a few lines.



  • Contextual patching is the answer to my question. It will look at the lines before and after each change so it can apply a patch even if the location inside the file is not the same.

    # compare files and find out what has changed
    diff -c oldfile newfile > changes.patch
    
    # apply the same patch to another file
    patch -i changes.patch anotherfile
    

    You can also diff & patch entire directory trees in one command.
    For example all the files under /etc/



  • @Pete-S : Does that not rely on always having the same context around the lines to patch though?
    I.e. you will always have to have PasswordAuthentication directly preceding PermitRootLogin followed by RandomBlockOfText in order to find and patch PermitRootLogin?
    I may be wrong, but I thought that if you added another config entry between PasswordAuthentication and PermitRootLogin that the patch would fail.



  • @manxam said in Patching configuration files:

    @Pete-S : Does that not rely on always having the same context around the lines to patch though?
    I.e. you will always have to have PasswordAuthentication directly preceding PermitRootLogin followed by RandomBlockOfText in order to find and patch PermitRootLogin?
    I may be wrong, but I thought that if you added another config entry between PasswordAuthentication and PermitRootLogin that the patch would fail.

    I'm not sure exactly what happens. I may have to run some tests to see.
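    The test the question above asks for, as an added example that is not code from the thread: a small model of how GNU patch locates a context hunk with its fuzz factor (-F, default 2), run against constructed sshd_config fragments. It assumes patch's documented rule of ignoring up to `fuzz` lines of context at each end of a hunk; the file contents and directive names are sample data, not anyone's real config.

```python
"""Model of how `patch` locates a context hunk with a fuzz factor.

Added example, not code from the thread.  Imitates GNU patch's -F/--fuzz
rule (default 2): try the hunk with all its context, then with up to
`fuzz` lines of context ignored at each end.  Files are constructed samples.
"""
CONTEXT = 3  # lines of context `diff -c` records on each side of a change


def make_hunk(old_lines, new_lines, context=CONTEXT):
    """Single-line change -> (before, old, new, after), like one `diff -c` hunk."""
    idx = next(i for i, (a, b) in enumerate(zip(old_lines, new_lines)) if a != b)
    return (old_lines[max(0, idx - context):idx], old_lines[idx],
            new_lines[idx], old_lines[idx + 1:idx + 1 + context])


def locate_hunk(target, before, old, after, max_fuzz=2):
    """Return (index of the line to change, fuzz used), or None if rejected."""
    for fuzz in range(max_fuzz + 1):
        lead = before[fuzz:]                                      # drop leading context
        want = lead + [old] + after[:max(0, len(after) - fuzz)]  # and trailing context
        for i in range(len(target) - len(want) + 1):
            if target[i:i + len(want)] == want:
                return i + len(lead), fuzz
    return None


def apply_patch(target, hunk, max_fuzz=2):
    """Apply one hunk to a list of lines; None means patch would write a .rej file."""
    before, old, new, after = hunk
    hit = locate_hunk(target, before, old, after, max_fuzz)
    if hit is None:
        return None
    idx, _fuzz = hit
    return target[:idx] + [new] + target[idx + 1:]


ORIGINAL = ["Port 22", "AddressFamily any", "ListenAddress 0.0.0.0",
            "PermitRootLogin yes", "PasswordAuthentication yes",
            "ChallengeResponseAuthentication no", "UsePAM yes"]
HARDENED = [line.replace("PermitRootLogin yes", "PermitRootLogin no") for line in ORIGINAL]
HUNK = make_hunk(ORIGINAL, HARDENED)            # what `diff -c oldfile newfile` captures
# Extra directive inside the context but away from the changed line: fuzz rescues it.
DRIFTED = ORIGINAL[:1] + ["Protocol 2"] + ORIGINAL[1:]
# Extra directive directly before the changed line (manxam's case): hunk is rejected.
ADJACENT = ORIGINAL[:3] + ["MaxAuthTries 3"] + ORIGINAL[3:]

if __name__ == "__main__":
    print(locate_hunk(DRIFTED, HUNK[0], HUNK[1], HUNK[3]))  # (4, 1): applied with fuzz 1
    print(apply_patch(ADJACENT, HUNK))                       # None: hunk rejected
```

    Raising the fuzz to 3 here would drop all context and apply the change at the first line that matches, which is the "faulty patch" risk the patch man page warns about; keep the default and check the exit status and any .rej files when you roll this out.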



  • Yeah this is bread and butter for config management tools. You'd either use a template for the config or the lineinfile module for Ansible.

    Your template would have something like this:

    PermitRootLogin {{ root_login_enabled }}
    

    In it, and then you can control which servers allow root login with the root_login_enabled variable.