Ask Your Question

How to maintain (copy of file + patch)

asked 2016-02-04 12:33:20 -0600

pmorch gravatar image

We have a /etc/ssh/sshd_nopass_config that we always want to be a copy of /etc/ssh/sshd_config except that some specific diffs need to be applied. What is the "puppet way" to do that? I've tried to use augeas but have come up short.

In bash it would be:

cp /etc/ssh/sshd_config /etc/ssh/sshd_nopass_config
patch /etc/ssh/sshd_nopass_config < /path/to/mychanges.patch

If the file doesn't pre-exist, this works great:

file { '/etc/ssh/sshd_nopass_config':
    source => '/etc/ssh/sshd_config',
    replace => false

augeas { 'sshd_nopass_augeas':
    require => File['/etc/ssh/sshd_nopass_config'],
    incl => '/etc/ssh/sshd_nopass_config',
    lens => 'Sshd.lns',
    changes => [
        "rm Match",
        'set PasswordAuthentication no',
        'set PidFile /var/run/',
        'set Port 1234',
    notify => Service['ssh_nopass'],

But once the file has been created, if now somebody makes some unrelated change to /etc/ssh/sshd_config, /etc/ssh/sshd_nopass_config is not re-generated, and so it isn't constantly maintained as a particular patch to /etc/ssh/sshd_config.

Using vanilla augtool there is the cp command that would allow me to do this (I think), but cp is not supported in augeas in puppet. I was thinking along the lines of:

# Doesn't work - cp not supported
changes => [
    "cp /files/etc/ssh/sshd_config /files/etc/ssh/sshd_nopass_config",
    'set PasswordAuthentication no',
    'set PidFile /var/run/',
    'set Port 1234',

How is this done?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2016-02-05 05:34:06 -0600

updated 2016-02-05 05:39:23 -0600

I think you're over-complicating this.

Here's what I'd do:

file { '/etc/ssh/sshd_config':
  ensure => file,
  content => template('mymodule/sshd_config.erb'),
file { '/etc/ssh/sshd_nopass_config':
  ensure => file,
  content => template('mymodule/sshd_nopass_config.erb'),

Done. And if you want to ensure that the two files always differ by the specific diffs, I'd write Rspec-puppet tests that will fail the build if someone forgets to keep them in sync.

edit flag offensive delete link more


Thanks, Alex for your answer. Sure there are simpler ways to do this. It doesn't fit my situation though. We do actually as a matter of fact want to allow sysadmins to modify `/etc/ssh/sshd_config` any way they like, and have `/etc/ssh/sshd_config` follow suit automatically. Then this doesn't work.

pmorch gravatar imagepmorch ( 2016-02-05 06:46:47 -0600 )edit

Well you have asked what the Puppet Way is to solve this problem, but this isn't something you should do with Puppet. Taking a step back, why do you need this nopass file? What's the problem you're really trying to solve?

Alex Harvey gravatar imageAlex Harvey ( 2016-02-05 07:28:10 -0600 )edit

Ok, here is the real situation: We want standard debian sshd on port 22. But also another sshd on port 1234, that is *exactly* the same, but just doesn't accept passwords for logins (only ssh keys). It is used in various settings, where admins modifying ssh configuration by hand is ok.

pmorch gravatar imagepmorch ( 2016-02-05 12:29:52 -0600 )edit

I guess: "This isn't easy/possible to do with puppet" is a valid answer. Sure, if I would take a snapshot in time and fix/hard-code the entire file contents, then the problem becomes trivial. I'm asking about: How do I maintain a file that is always "source file + specific diffs".

pmorch gravatar imagepmorch ( 2016-02-05 12:33:59 -0600 )edit

Yeah, well the whole point of Puppet is that you don't let sysadmins manually edit stuff any more, so the Puppet community doesn't run into this sort of problem. If you want to use Puppet, let me edit my answer for a suggestion.

Alex Harvey gravatar imageAlex Harvey ( 2016-02-05 21:39:14 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2016-02-04 12:33:20 -0600

Seen: 58 times

Last updated: Feb 05 '16