[nycbug-talk] version control for config files

David Lawson dave at donnerjack.com
Sun Mar 8 00:59:56 EST 2009

Puppet is a really good option for config management, I looked really  
seriously at it a while back and liked what I saw a lot, but I had two  
major problems with it.  First, it's written in Ruby and I'm not a  
Ruby programmer, so that kind of bites if I wanted to extend it.   
Second, and nearly every configuration management system I've looked  
at suffers from this problem, there's a pretty serious bootstrap cost  
to implementing it.  It's a reasonably complex system, it's non- 
trivial to understand how to make it do what you want it to do, and  
when you do get a good handle on it, converting all your systems to  
use it can be a pretty serious undertaking, depending on how many you  
have.  At the time, I was looking at a couple hundred, with  
configurations drifted all over hell and gone, so that was a time sink  
I couldn't afford.

What I ended up doing is writing a stupid simple configuration manager  
in python, we call it ghetto-config in the office.  I've actually been  
thinking about asking to open source it, I'll talk to my boss about it  
on Monday, but the basic concepts are simple, and it didn't take me  
more than an afternoon to implement a first cut.

Ghetto-config works as a very simple templating engine, you define a  
number bunch of key value pairs, and you can use those keys in a file  
and have ghetto-config substitute in the appropriate value for you  
when it parses it.  It also understands how to set file modes, create  
symlinks, manage owners and groups, and how to diff version of a file  
if it's changed.

Basically, you assign each machine a unique ID of some sort at install  
time (or later, if you want), we used the MAC address of the interface  
that was used to PXE boot the machine for kickstart, but you could use  
hostname or whatever if that was easier.  That serves as the unique  
identifier for the system.  Ghetto-config takes that information and  
uses it to build a URL to fetch configuration information from a  
central HTTP server storing config data.  It fetches the URL it builds  
and gets back a file in config parser syntax (basically an .ini file)  
with a couple special sections.  The first section is includes, so it  
can include in other config parser syntax files.  The second is  
definitions, it allows to set up key-value pairs, like $eth0-ip$ =, and the third set of managed file sections.

Each managed file section gives the URL to fetch the template from (so  
you can use the same template file for multiple machines by just  
pointing to the URL of a canonical version) and the location on the  
file system to write the rendered template to once the substitutions  
have been performed.  It optionally includes a file mode, owner,  
group, and the location of a symlink to make to the file location.

There's some additional detail in structuring the central config  
server and doing some other stuff that makes it simpler to manage, but  
that's the gist of it.  It's about two hundred lines of python, it  
supports doing diffs between the central configuration and the local  
reality for any attribute it understands (so file contents, owner,  
group, mode, etc.) as well as a programmatic mode intended to be run  
from cron that'll tell you whether anything has changed on the machine  
so you can make sure none of your machines have drifted nightly, etc.   
We've started checking the central config tree into SVN so we have an  
audit trail of who did what to what file.

Does it do everything puppet does?  God no.  Does it do everything  
cfengine does?  Again, god no.  It's an 80/20 solution, it took me an  
afternoon to write the first version of it, and maybe a week of total  
development time to get it doing what it does and full test coverage  
for it.  It happily manages several hundred machines, it makes  
installing and provisioning a new machine a thirty second job instead  
of a half hour or so, and it makes managing software installs over  
multiple machines much, much easier and more deterministic.

Like I said, I've been planning on asking about open sourcing it  
anyway, but if I don't get to do that, I'll be happy to answer  
questions or give pointers where I can.

On Mar 8, 2009, at 12:36 AM, Brian Gupta wrote:

> I know you think it is overkill, but seriously take a look at puppet.
> (I'm biased here). Basically it lets you put all your configs on a
> central server and then use SVN/GIT/whatever to manage it.
> I'd be willing to help you get started, and we have a puppet user
> group in NYC. (Although we would be open to expanding it to include
> cfengine, if there are enough cfengine folks around).
> -Brian
> On Thu, Feb 26, 2009 at 6:27 PM, Charles Sprickman <spork at bway.net>  
> wrote:
>> Howdy,
>> I think the subject pretty much sums it up - I'm sick of not tracking
>> changes in /etc and /usr/local/etc.  I want something that deal  
>> with file
>> permissions and is relatively transparent.
>> I've been googling around, but finding not much other than weird
>> contortions based on CVS that make such huge disclaimers as "this of
>> course does not work with symlinks" or "this of course does not  
>> maintain
>> file ownership/permissions".
>> cfengine and the like do more than I want...
>> Any interesting ideas out there?
>> The most I have to work with is perhaps a dozen servers, maybe  
>> almost that
>> many jails.
>> Thanks,
>> Charles
>> ___
>> Charles Sprickman
>> NetEng/SysAdmin
>> Bway.net - New York's Best Internet - www.bway.net
>> spork at bway.net - 212.655.9344
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk
> -- 
> - Brian Gupta
> New York City user groups calendar:
> http://nyc.brandorr.com/
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

More information about the talk mailing list