How to use RPM for config file maintenance

Fred van Zwieten fvzwieten at
Mon May 28 07:44:31 UTC 2012


I would like to use RPM to manage my configuration files. The problem is, of course, that these configuration files already belong to other packages. For a lot of packages, the problem is solved using the conf.d approach, but not all software takes that route. Take, for example, ntp.conf. It belongs to the ntp package, but I want to change it using the RPM deployment mechanism.

I know there are great solutions like cfengine, chef and puppet for this, but I prefer not to use them. There are a number of reasons for this:

1. I want rpm -V to work on these config files so I can use rpm as an IDS.
2. I want to be able to sign the packages so I know the config files are genuine.
3. Our prod systems are locked down in a way that is not very puppet friendly: the whole system is mounted read-only, with the obvious exception of /var, /tmp, etc., which are mounted noexec, among others. When we do maintenance, we shut down network connectivity, with the exception of the RPM system, remount the system writeable and do the rpm update. Then we lock the system down again and do a new rpm -V.

I have seen various "solutions" to this config-file-is-owned-by-two-packages problem, but I don't like them so far. The most popular seems to be to install your own config files in a separate location and copy them to the correct location in the %post. This is no good.

So, is there an elegant and RPM native solution to this problem where I can be sure my config files come from verified and signed packages?
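As an added example (not from the post or from rpm itself), a small sh/awk filter that turns `rpm -V` output into severity lines for the IDS use the post describes: a digest change on a `%config` file is reported as expected config drift, while a mode, owner, group or digest change on any other file, or a missing file, is an alert, since on a read-only host nothing but rpm should touch those. The sample verify lines are constructed, and the severity policy is an assumption.

```shell
#!/bin/sh
# Classify `rpm -V` output for use as a lightweight IDS check.
# Assumes the standard line format: 9 attribute chars (S M 5 D L U G T P,
# '.' for unchanged), an optional file-type marker (c d g l r), the path;
# or "missing" followed by the path.

# Constructed sample of what `rpm -Va` might print; not real output from any host.
SAMPLE_VERIFY_OUTPUT='S.5....T.  c /etc/ntp.conf
.M.......    /usr/sbin/ntpd
missing     /etc/ntp/keys
..5....T.  c /etc/sysconfig/ntpd
.......T.    /usr/share/doc/ntp/README'

# Reads rpm -V lines on stdin; prints "LEVEL<TAB>path<TAB>reason" per line.
classify_rpm_verify() {
  awk '
    # Return the path, skipping the optional file-type marker.
    function path_of(   t) {
      t = $2
      if (t == "c" || t == "d" || t == "g" || t == "l" || t == "r") return $3
      return $2
    }
    $1 == "missing" { printf "ALERT\t%s\tmissing\n", path_of(); next }
    {
      is_config = ($2 == "c")
      path = path_of()
      r = ""
      if (substr($1, 1, 1) == "S") r = r "size,"
      if (substr($1, 2, 1) == "M") r = r "mode,"
      if (substr($1, 3, 1) == "5") r = r "digest,"
      if (substr($1, 6, 1) == "U") r = r "owner,"
      if (substr($1, 7, 1) == "G") r = r "group,"
      sub(/,$/, "", r)
      if (r == "")
        printf "INFO\t%s\tmtime or other attribute only\n", path
      else if (is_config && r !~ /mode|owner|group/)
        printf "NOTICE\t%s\t%s (config drift)\n", path, r
      else
        printf "ALERT\t%s\t%s\n", path, r
    }'
}

# Usage on the constructed sample; on a real host: rpm -Va | classify_rpm_verify
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | classify_rpm_verify
```

Shipping the config files in a signed package of their own would move the NOTICE lines for /etc/ntp.conf and /etc/sysconfig/ntpd back to clean, which is exactly the gap the post wants closed.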

