A util that needs to be written

July 23, 2008

Let’s say I have a bunch of admins working on a bunch of systems. I know they try hard to make sure that anything they change on a machine to fix a problem is also put into our config mgmt system but I also know that at 3am you can’t always remember to do that. So, I want to be able to make sure we know if things have changed. Something like this:

import socket
import yum

thishost = socket.gethostname()
my = yum.YumBase()
# walk every package recorded in the local rpm database
for pkg in my.rpmdb:
    # verify() returns a dict keyed by the paths that no longer match the rpm
    ver_results = pkg.verify()
    for file_that_does_not_match in ver_results.keys():
        if not check_against_config_mgmt(thishost, file_that_does_not_match):
            notify_admin_about_modification(thishost, file_that_does_not_match, pkg)

The functions that don’t exist are the check_against_config_mgmt() and notify_admin_about_modification() functions. The parts preceding those all exist in current yum versions.

Anyone think they can take that up and find a way of checking if puppet knows about the changes that have been made? If you do, yell at me and I’ll help.
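To show what the missing check_against_config_mgmt() step can look like without a live rpmdb, here is an added example (mine, not code from the post or from yum): it parses `rpm -Va` style verify output, which carries the same per-file result as pkg.verify(), and filters it against a constructed set of Puppet-style File[/path] resource names standing in for what the config management system knows about. The sample output, the managed-resource set and the rule that mtime-only drift is ignored are all my assumptions.

```python
import re

# Constructed sample of `rpm -Va` output (not taken from a real host). Each line
# is the 9-character verify result, an optional attribute letter (c = config
# file), then the path. "." means the check passed, "?" means it could not run.
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/sysconfig/iptables
.M.......    /usr/bin/sudo
S.5....T.  c /etc/httpd/conf/httpd.conf
missing     /etc/cron.d/backup
"""

# Constructed stand-in for what puppet knows about: Puppet names file resources
# File[/path], so the managed set keeps that form.
MANAGED_RESOURCES = {"File[/etc/ssh/sshd_config]", "File[/etc/cron.d/backup]"}

# Letter rpm prints for each failed check: size, mode, digest, device, link,
# user, group, mtime, capabilities.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
              "L": "link", "U": "user", "G": "group", "T": "mtime", "P": "caps"}
LINE_RE = re.compile(
    r"^(?P<flags>[S.M5DLUGTP?]{8,9}|missing)\s+(?P<attr>[cdglr]?)\s*(?P<path>/\S+)$")

def parse_rpm_verify(text):
    """Turn rpm -Va output into (path, attr, set-of-failed-checks) tuples."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip noise such as "Unsatisfied dependencies" lines
        flags = m.group("flags")
        if flags == "missing":
            failed = {"missing"}
        else:
            failed = {FLAG_NAMES[ch] for ch in flags if ch in FLAG_NAMES}
        results.append((m.group("path"), m.group("attr"), failed))
    return results

def is_managed(path, managed=MANAGED_RESOURCES):
    """Stand-in for check_against_config_mgmt(): does puppet own this path?"""
    return "File[%s]" % path in managed

def unexplained_changes(text, managed=MANAGED_RESOURCES):
    """Files that differ from their rpm and that config mgmt does not know about.
    mtime-only drift is dropped: it changes neither content nor permissions."""
    found = []
    for path, attr, failed in parse_rpm_verify(text):
        if failed == {"mtime"}:
            continue
        if not is_managed(path, managed):
            found.append((path, sorted(failed)))
    return found
```

The returned list is what notify_admin_about_modification() would be handed; the managed-path set is the part that still has to come from the config management system itself.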

4 Responses to “A util that needs to be written”


  1. AFAIK, most config management systems don’t track this. They know what the rules are, but aren’t so good about auditing, and if they audit, less so in being able to programmatically parse all of that.

    Best practices probably dictate fixing it in the config management system first, but then that sort of fails for a variety of reasons — it’s kind of like telling someone how to fix something over the telephone.

    Hmm…

  2. Jag Says:

    That looks nice, but it misses all of the files that aren’t in rpms. I know there aren’t many files on a system that aren’t in rpms, but some of them are critical (i.e. SSL certs). Also, some applications (i.e. Apache) tend to accumulate extra config files that aren’t in any rpms.

  3. skvidal Says:

    The above is not intended to be a 100% catch for things. It will catch a lot of changes though. Beyond that you’d need some way of registering paths for where to look for unowned/orphaned files to check on them being in the config mgmt system.

  4. snerd Says:

    Jag, don’t laugh, but this is why in a previous life I used to create an rpm to contain my local certs. It worked incredibly well.

    If it’s worth putting in production, it’s worth packing properly. Entropy is not your friend!🙂

