Packaging Configuration Files?

Dear lazyweb, I have a question about Debian Packaging (which also extends to Ubuntu and related distros) that would allow me to install a server with custom configurations. Here’s an example of what I’d like to do with the venerable openssh-server package, where I want to install an ssh server on a non-standard port.

custom-openssh-server (metapackage)
depends: custom-openssh-server-config, openssh-server

custom-openssh-server-config (adds non-standard port)
contains: /etc/ssh/sshd_config

openssh-server (straight from the official repo)

——————
The idea here is to install our custom config before installing the package we want. Good packages are not supposed to overwrite configuration files.

So when we add our metapackage to a preseed (building a computer from scratch), it would automatically do the right thing. If openssh gets a security update, version numbering would work correctly.

Since we could have some sensitive information in the config files, we could use an ssh repository with apt, or at a minimum make our personal repository available only on the local network.

Can anyone explain the downsides to this approach?


5 Comments

  1. January 25, 2011 at 4:14 pm

    […] Packaging Configuration Files? « Cooncat Publishing […]

  2. jimcooncat said,

    August 31, 2010 at 5:25 am

    Thank you Mackenzie! Your comment has led me to http://wiki.debian.org/ConfigPackages and debmarshal.

    This may allow me to build a structure where changes (whether my own or upstream) can be simply tested and tweaked before moving them out to my friends and coworkers.

    I do like that the system uses apt to publish updates rather than adding another publishing system. That the end result of the customization results in packages enables a netboot install which could greatly speed up the time it takes to produce a working box.

    I could be at the breakeven point in the number of computers I manage to incorporate these technologies and multiply my efforts. If it works out well, I think it could be structured into something that can be used by other “family geeks” to make a Friends and Family repository setup; or empower a part-time tech at a small company. Having both roles, I hope it works out.

  3. Mackenzie said,

    August 18, 2010 at 10:53 am

    I think you need to maintain a PPA of a modified openssh-server, because when they try to install openssh-server after your package, dpkg should complain that it’s trying to overwrite an existing file. If you mark it as a config file in your packaging, then it won’t *automatically* overwrite, but it will ask the user “what do I do?” and then the user’s expected to be able to understand the old config and new config and then choose between them or manually merge them.

  4. jimcooncat said,

    August 16, 2010 at 4:35 am

    No thanks. I have been reading up on Puppet and feel it’s another “silver bullet” tool that will end up bloated and misdirected like Webmin did.

    Redirects? I don’t see that word being used in packaging, except in places where you redirect stderr. Perhaps you meant diversions? That’s what I’m attempting to avoid here, I don’t want to change the version of the main package.

    I have done my homework as best I could here. Another alternative is dpkg-repack, which I do use and like, but it has the same inherent problem — once that computer walks out the door there’s no simple way to do proper updates to the base package.

  5. August 15, 2010 at 1:28 pm

    You really want Puppet for this: http://projects.puppetlabs.com/projects/puppet

    Alternatively you need to package your custom config with redirects.
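
The file conflict Mackenzie describes in comment 3 can be checked for before anything is installed. The following is an added example, not part of the original post or its comments: it compares the output of `dpkg-deb --contents` for two packages and lists the regular files both would install. Both listings are constructed samples, and `SERVER_PKG` stands for a hypothetical package that ships its default config inside the archive.

```python
# Added example: find files that two .deb archives would both install.
# Input is the text printed by `dpkg-deb --contents <file.deb>`.

# Constructed sample listing for the custom config package.
CONFIG_PKG = """\
drwxr-xr-x root/root         0 2010-08-16 04:35 ./
drwxr-xr-x root/root         0 2010-08-16 04:35 ./etc/
drwxr-xr-x root/root         0 2010-08-16 04:35 ./etc/ssh/
-rw-r--r-- root/root      1669 2010-08-16 04:35 ./etc/ssh/sshd_config
"""

# Constructed sample listing for a hypothetical server package.
SERVER_PKG = """\
drwxr-xr-x root/root         0 2010-08-10 12:00 ./
drwxr-xr-x root/root         0 2010-08-10 12:00 ./etc/
drwxr-xr-x root/root         0 2010-08-10 12:00 ./etc/ssh/
-rw-r--r-- root/root      3263 2010-08-10 12:00 ./etc/ssh/sshd_config
-rwxr-xr-x root/root    420000 2010-08-10 12:00 ./usr/sbin/exampled
lrwxrwxrwx root/root         0 2010-08-10 12:00 ./usr/bin/example -> ../sbin/exampled
"""


def shipped_files(listing):
    """Return the non-directory paths named in a dpkg-deb --contents listing."""
    paths = set()
    for line in listing.splitlines():
        # Columns: mode, owner/group, size, date, time, path
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0].startswith("d"):
            continue  # blank line or directory; directories may be shared
        path = fields[5].split(" -> ")[0]  # drop a symlink's target
        if path.startswith("./"):
            path = path[1:]  # "./etc/x" -> "/etc/x"
        paths.add(path)
    return paths


def overlapping_files(listing_a, listing_b):
    """Paths both packages ship; dpkg refuses such an overwrite by default."""
    return sorted(shipped_files(listing_a) & shipped_files(listing_b))


if __name__ == "__main__":
    for path in overlapping_files(CONFIG_PKG, SERVER_PKG):
        print("both packages ship", path)
```

A file that a package creates from its maintainer scripts rather than shipping in the archive does not appear in these listings, so an empty result only rules out the archive-level conflict.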

