[Infrastructures] Version control over sensitive config files

Ryan Nowakowski tubaman@flashmail.com
Sat, 15 Feb 2003 11:53:49 -0600


On Fri, Feb 14, 2003 at 10:57:37AM -0500, ph-infrastructure@bluepenguin.us wrote:
> One side note - I believe the application itself makes changes to
> these config files, so even if I use a CVS-like approach, I'm not always
> going to be able to do the standard approach of making changes on a gold
> server, then moving those changes out.  Before I realized that I had
> password issues, I had considered periodically doing a CVS checkin from
> the application's copy of these files to make sure everything was in sync.

When we have human-editable stuff and machine-editable stuff in the
same file, we'll version control all the human-editable stuff in a
separate file.  Then we write a script to parse out the machine editable
stuff from the main file.  We use a makefile on the target host to remake
the main file when our human-editable source file changes.  We call
that makefile from the isconf makefiles.  I'll use the /etc/hosts file
as an example:

contents of /etc/hosts:
127.0.0.1	localhost
192.168.0.2	mailhost
192.168.0.3	dbhost
192.168.0.4	webhost

contents of /etc/hosts.source:
127.0.0.1 localhost
192.168.0.2 mailhost
192.168.0.4	webhost

machine-editable line:
NNN.NNN.NNN.NNN	dbhost

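contents of /etc/hosts.mk:
# Build into a temp file: "grep dbhost hosts > hosts" truncates hosts
# before grep can read it.
hosts: hosts.source
	grep dbhost hosts > hosts.tmp
	cat hosts.source >> hosts.tmp
	mv hosts.tmp hosts


This example is simple enough to have the machine readable script in the
makefile itself (grep dbhost hosts > hosts.tmp).  Hope this helps.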

- Ryan

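The rebuild step described in the message above, as an added example that is not part of the original post or of isconf: a POSIX shell function that generalizes the hosts.mk recipe to any file and pattern and writes through a temp file so the live file is never truncated while it is being read. The names rebuild_config and demo, the optional mode argument and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# rebuild_config MAIN SRC PATTERN [MODE]   (hypothetical helper, added example)
# Regenerate MAIN from the version-controlled SRC, preserving the lines of
# MAIN that match PATTERN (the ones the application itself maintains).
rebuild_config() {
    main=$1 src=$2 pattern=$3 mode=${4:-644}
    [ -r "$src" ] || { echo "rebuild_config: cannot read $src" >&2; return 2; }

    # Build in a temp file beside MAIN: "grep ... MAIN > MAIN" would truncate
    # MAIN before grep reads it, and a same-directory mv is an atomic rename.
    # mktemp creates the file mode 0600, so preserved lines that hold secrets
    # stay private until the final chmod.
    tmp=$(mktemp "$main.XXXXXX") || return 2
    {
        # Machine-edited lines first. grep exits 1 on "no match", which is
        # normal on a first run, so it is not treated as a failure.
        if [ -f "$main" ]; then grep -e "$pattern" "$main" || true; fi
        # Human-edited lines, minus any that match PATTERN, so a stale copy
        # in SRC cannot duplicate or override the live value.
        grep -v -e "$pattern" "$src" || true
    } > "$tmp"

    # Nothing changed: leave MAIN (and its mtime) alone.
    if [ -f "$main" ] && cmp -s "$tmp" "$main"; then rm -f "$tmp"; return 0; fi
    chmod "$mode" "$tmp" && mv "$tmp" "$main"
}

# Constructed sample mirroring the /etc/hosts example, run in a scratch dir.
demo() {
    d=$(mktemp -d) || return 2
    printf '127.0.0.1\tlocalhost\n192.168.0.3\tdbhost\n' > "$d/hosts"
    printf '127.0.0.1\tlocalhost\n192.168.0.2\tmailhost\n192.168.0.4\twebhost\n' \
        > "$d/hosts.source"
    rebuild_config "$d/hosts" "$d/hosts.source" '[[:space:]]dbhost$' && cat "$d/hosts"
    rm -rf "$d"
}
```

For a file that carries passwords, pass a restrictive MODE such as 600 and keep only SRC under version control.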