Hi Harald,

On Thu, Feb 02, 2017 at 02:50:09PM +0100, Harald Dunkel wrote:
> On 02/02/17 11:17, Andy Smith wrote:
> > Also through the use of override config files that are included into
> > the main config file, you can avoid being prompted about changes to
> > the main config file. For sshd the config directive is "Include".
> >
>
> Are you sure about this?
>
> root@jessie2:/etc/ssh# /usr/sbin/sshd -d
> /etc/ssh/sshd_config: line 90: Bad configuration option: Include
> /etc/ssh/sshd_config: terminating, 1 bad configuration options

You are right, sorry. It seems "Include" is actually only valid in
ssh_config (not sshd) and then only from the version in testing
currently.

> > This is a classic use case for configuration management. You define
> > your configuration externally, in one authoritative place, and the
> > config management system takes care of applying that config to all
> > your hosts.
>
> Exactly. The central place in my case is a debian source package. It
> provides binary meta-packages referencing other packages and some
> /etc/service.d/local.conf files, extending the usual /etc/service.conf
> files provided by the service's binary package.

If you are making your own Debian packages with all of your custom
config already in them, then you could just put them in your own apt
repository and point all your machines there. But you must have
already thought of this so there must be some reason why that
solution is not acceptable…

> > Popular examples are Puppet, Ansible and Chef, all of which are
> > well-supported on Debian. To decide which is best for you will
> > require some independent research as this is a big topic area and
> > hard to generalise.
>
> They are supported on Debian, but are they supported *by* Debian
> as well? Won't I have to expect conflicts with Debian's dpkg
> infrastructure?

Fundamentally they all just result in changes to config files. It is
no different to you making changes to config files personally,
except it is automated. You could not really say that Debian does
not support you changing config files.

What you could say is that if you do change config files, and the
relevant Debian package comes with config file changes, then dpkg
will interactively ask you what to do.

Probably what's going to happen if you DID interactively accept
config file changes is that your config management system will then
revert the config back to what it thinks it should be, losing Debian
changes.

So, if moving to config management what you would normally do is
examine what the new package version wants to change and then
incorporate those changes in your config management instead.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
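
The message above notes that dpkg asks what to do when a locally changed config file meets a package that ships config changes. As an added example (not part of the original message), this shell function lists which conffiles on a host have drifted from the checksum dpkg recorded at install time, so they can be reviewed before an upgrade. The function names, the `root` prefix parameter and the demo data are assumptions made for illustration; the demo data is constructed.

```shell
#!/bin/sh
# Added example. Reads conffile records on stdin in the format printed by
#   dpkg-query -W -f='${Conffiles}\n' <package>
# (" /path md5sum [obsolete]") and reports files whose content no longer
# matches the recorded checksum. Paths containing spaces are not handled.
# $1 (hypothetical parameter): directory prefix, so the check can run
# against a test tree instead of the live filesystem.
modified_conffiles() {
    root="${1:-}"
    while read -r path sum flag; do
        if [ -z "$path" ] || [ "$flag" = "obsolete" ]; then
            continue    # blank line, or conffile no longer shipped
        fi
        file="$root$path"
        if [ ! -e "$file" ]; then
            printf 'missing %s\n' "$path"
            continue
        fi
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            printf 'modified %s\n' "$path"
        fi
    done
}

# Constructed sample: a throwaway tree with two files recorded as shipped,
# one edited afterwards, plus one recorded file that does not exist.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/ssh" "$tmp/etc/default"
    printf 'PermitRootLogin no\n' > "$tmp/etc/ssh/sshd_config"
    printf 'SSHD_OPTS=\n' > "$tmp/etc/default/ssh"
    shipped_a=$(md5sum < "$tmp/etc/ssh/sshd_config" | cut -d' ' -f1)
    shipped_b=$(md5sum < "$tmp/etc/default/ssh" | cut -d' ' -f1)
    # Local edit after "installation": only sshd_config now differs.
    printf 'PasswordAuthentication no\n' >> "$tmp/etc/ssh/sshd_config"
    printf ' /etc/ssh/sshd_config %s\n /etc/default/ssh %s\n /etc/ssh/moduli %s\n' \
        "$shipped_a" "$shipped_b" "$shipped_a" | modified_conffiles "$tmp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a real host the input would come from `dpkg-query -W -f='${Conffiles}\n' openssh-server | modified_conffiles`; a file reported as modified is a candidate for a prompt only if the new package version also changes it.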