Version Control for Important System Files?

TokyoCrusaders92 asks: "Like a lot of other organizations (800 staff, 5000 students) we have a mix of Windows, Novell & Linux (primarily Linux) for our IT infrastructure. We now have a multitude of config files, firewall rule bases, shell scripts, and so forth which are managed by multiple people and groups. Recently, we started using RCS for version control of the firewall rule-base, but this doesn't seem like it would scale up to larger groups of users. While thinking about this, it would seem that the critical features would include: version control; logging; multiple users; secure authentication; and integrity checking. What are other people using to manage their config files?"

Notepad

[Timesprout]

What more could you possibly need?

Re:Notepad

[smallfries]

GP uses a humorous post. Technical criticism is not applicable and is thus useless.

Re:Notepad

[fbartho]

Mine wasn't, I forgot to use version control.

Distributed SCM

[MichaelSmith]

I keep my config files in a directory structure in my home directory on my laptop which mirrors the structure of the systems I maintain. I use the mercurial DSCM for version control and push revisions to a user account on each server. From there I run a script as root which recursively copies the files into the target directory tree.

A CVS server

[kotj.mf]

How similar are your systems? I help manage several thousand distributed boxes that are reasonably identical, and we keep everything in a central CVS server: management scripts, config files, crontabs, what have you. There's no reason it couldn't be used for more heterogeneous systems, other than having to be more careful with file naming conventions.

Re:A CVS server

[tzanger]

I tried CVS for that... it is too much of a pain in the ass to patch CVS to accept root users. I don't know about you, but screwing about with permissions just to appease CVS was not my idea of fun. Maybe next time I'll run svn or something to see if it works better for config file management.

Subversion

[Just+Some+Guy]

Next question?

Re:Subversion

[Cyberax]

Subversion is the ideal solution - because it needs a lot of junk in .svn directories :( And it can mess with some scripts that do recursive grep or something similar.

SVK is better, but it is not as widely supported as SVN.

Re:Subversion

[ceroklis]

RTFM: that is what the export command is for.

Re:Subversion

[xlv]

Subversion is the ideal solution - because it needs a lot of junk in .svn directories :( And it can mess with some scripts that do recursive grep or something similar.

That's true, but in practice is that such a huge problem? We use SVN already for all project code and have managed to make do with it. If you can grep and operate on a few megs of in-house development source, a comparatively tiny /etc directory shouldn't be too much hassle.

I've been using svn for a few years now for projects and system files. There's a few problems with the .svn directories for system files. For instance, modprobe on Linux will check and complain about the files in /etc/modprobe.d/.svn when they are parsed.

As explained by somebody else, using the export command is not that useful as then /etc is not directly under revision control and that opens the door for synchronization errors.

puppet... maybe (not yet at least)

[getha]

Using something like subversion or any other version control system for such a task just leads to Yet Another Homebrew Administration System, that will probably lead your successors to tears and insanity. Use tools already there, and that are pertinent to the job.

version control; logging; multiple users; secure authentication; and integrity checking. All those features you need are mostly already there in puppet: http://puppet.reductivelabs.com/ (and maybe also in cfengine, but that's a nightmare). And the development on puppet is really picking up steam at the moment.

Problem for your situation is that it has no Windows or Novell support as of yet, but recently work on Windows at least seems to have started. And if your first priority is mainly config file management: that part should be fairly trivial.

Our system is great

[Heir+Of+The+Mess]

We have a login script that calls another script that is the one that gets modified. To use different script you just change the name of the called script to the one you want. If the script gets changed then the person who changed it changes the name and we can tell how old it is by the date stamp on the file. So far we have these (oldest to newest):

sublogin.bat
sublogn2.bat
sblg2fix.bat
latestlg.bat
newlatst.bat
finalfix.bat
reverted.bat
fixwrked.bat
NtOnMyPC.bat
WksOnMyn.bat
NTONMYPC.bat
TryThis1.bat

Seriously though, subversion is good because it lets you do atomic checkins.

Re:Our system is great

[26199]

How in the world did this get modded interesting?

It should be clear to anyone that you were being sarcastic :p

Those who don't know VMS...

[MrBoombasticfantasti]

Those who don't know VMS are wont to re-invent it... ;-)

See Files-11 for a flashback.

Add another box....

[williamyf]

Get an "Industry Standard OpenVMS" (that the name HP gives to that beast) and use it as your main file server and config info repository. All the features you desire are there by default.

While this response was accurate from the technical point of view, it was meant to be a joke

rsnapshot

[perlionex]

I use rsnapshot to do version control of my entire system. From the description:

rsnapshot is a filesystem snapshot utility for making backups of local and remote systems.

Using rsync and hard links, it is possible to keep multiple, full backups instantly available. The disk space required is just a little more than the space of one full backup, plus incrementals.

Personally, I configure rsnapshot to generate snapshots every 4 hours, and then daily, weekly, and monthly.

In your case, since you only want versioning for your configuration files, you can point rsnapshot at just the configuration directories (probably just /etc).

Re:rsnapshot

[hattmoward]

Those are snapshots, not versions. It is possible for a particular revision of a file to roll off your monthly rotation and be forgotten forever.

One idea for Windows and Unix (shameless plug)

[DNAGuy]

For Windows, the default answer for deploying configuration is Group Policy. With the Group Policy Management Console you can back up your GPOs and store them in your version control system. Alternatively, you can use a specialized Group Policy version control and troubleshooting product like Group Policy Manager from Quest which allows offline editing and testing before deployment to your production environment.

You can actually extend Group Policy to your *nix and Novell machines as well using Vintela Group Policy (a part of Vintela Authentication Services), which also has features to allow your *nix machines to use your Active Directory accounts. If you use it in combination with Group Policy Manager, you can back up the *nix specific settings alongside the rest of your GPO. Also, the integration allows you to diff different versions of your *nix settings alongside the rest of your GPO.

[Disclaimer: I am a developer on the Group Policy Manager team at Quest. While I'm proud of my product, I'm not any kind of official spokesperson for my employer.]

rcs

[pe1chl]

On systems where it matters, I keep config files etc in RCS.
In each directory where config files live that I want to keep, I create an RCS directory and rcs -i the file(s).
Nightly, I job runs that finds all files for which an RCS entry exists and that are newer than that entry, and a copy is checked in.

No need to think about checking in/out all the time, no problem that the RCS seems to believe that you don't want to keep the actual file around.
It does not save every edit but at least I have a copy of each day's state of the file.

Darcs

[swarsron]

Try darcs (http://www.abridgegame.org/darcs/). Should do everything you need and has the advantage that you can create multiple repos for different purposes which all base on a single base repository. So i have a repository with all my config files and several others for different users which can pull their changes on top of the standard stuff. The syntax is quite easy to learn too.

Only drawback is that it is quite slow with really big repositories (e.g. linux kernel).

Use SVN instead

[Schraegstrichpunkt]

For a new installation, Subversion is probably a better choice than CVS, mainly because changesets are committed atomically, directories are versioned, and it has better security when dealing with remote access.

svn trick

[bluegreenone]

I use subversion (and tortoisesvn as the client) to version my windows system files, in general it works well. There is a trick though. To get a directory under svn control you normally have to import that directory and then rename it so you can checkout an svn'ed copy under the same name. This can be a problem for certain system directories. In this case what you do is :

1. create the dir in the repository but leave it empty
2. checkout that url on the existing dir, since url is empty nothing is overwritten
3. now do an svn add then commit to get everything into the repository

This leaves you with a versioned dir without need for renaming or deletion

...
PATH train schedule online

Re:svn

[penfern]

I do not prefer SVN over httpd (as their website seems to recommend). I always go for it straight through ssh. Much simpler and easier to manage, as long as all your users are already ssh users.

So yes, you can easily use ssh identities, or none at all and they have to type in their username/password every time. :)

cfengine

[eviltypeguy]

One word: cfengine

http://www.cfengine.org/

Re:cfengine

[doug]

I like that you're thinking outside of box. Every post I've read has tied replication with revision control. You're right that cfengine would do a great job of replicating the config files, but that doesn't remove the need for source management. At least one machine will still need rcs/svn/clearcase track the originals.

- doug