
Re: how to deploy common ssh_config and sshd_config settings on all hosts?



Hi Harald,

On Thu, Feb 02, 2017 at 02:50:09PM +0100, Harald Dunkel wrote:
> On 02/02/17 11:17, Andy Smith wrote:
> > Also through the use of override config files that are included into
> > the main config file, you can avoid being prompted about changes to
> > the main config file. For sshd the config directive is "Include".
> > 
> 
> Are you sure about this?
> 
> root@jessie2:/etc/ssh# /usr/sbin/sshd -d
> /etc/ssh/sshd_config: line 90: Bad configuration option: Include
> /etc/ssh/sshd_config: terminating, 1 bad configuration options

You are right, sorry. It seems "Include" is actually only valid in
ssh_config (not sshd) and then only from the version in testing
currently.

> > This is a classic use case for configuration management. You define
> > your configuration externally, in one authoritative place, and the
> > config management system takes care of applying that config to all
> > your hosts.
> 
> Exactly. The central place in my case is a debian source package. It
> provides binary meta-packages referencing other packages and some
> /etc/service.d/local.conf files, extending the usual /etc/service.conf
> files provided by the service's binary package.

If you are making your own Debian packages with all of your custom
config already in them, then you could just put them in your own apt
repository and point all your machines there. But you must have
already thought of this so there must be some reason why that
solution is not acceptable…

> > Popular examples are Puppet, Ansible and Chef, all of which are
> > well-supported on Debian. To decide which is best for you will
> > require some independent research as this is a big topic area and
> > hard to generalise.
> 
> They are supported on Debian, but are they supported *by* Debian
> as well? Won't I have to expect conflicts with Debian's dpkg
> infrastructure?

Fundamentally they all just result in changes to config files. It is
no different to you making changes to config files personally,
except it is automated.

You could not really say that Debian does not support you changing
config files. What you could say is that if you do change config
files, and the relevant Debian package comes with config file
changes, then dpkg will interactively ask you what to do.

Probably what's going to happen if you DID interactively accept
config file changes is that your config management system will then
revert the config back to what it thinks it should be, losing Debian
changes.

So, if moving to config management what you would normally do is
examine what the new package version wants to change and then
incorporate those changes in your config management instead.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
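
An added example, not part of the original message: Python code that lists which of a package's conffiles differ on disk from the checksums dpkg recorded, that is, the files for which dpkg may ask what to do when a new package version also changes them. The function names, the /etc/other.conf path and the file contents are assumptions constructed for illustration; the listing format is that of `dpkg-query -W -f='${Conffiles}' PKG`.

```python
import hashlib
import os
import tempfile

def parse_conffiles(listing):
    """Parse `dpkg-query -W -f='${Conffiles}' PKG` output into {path: md5}."""
    recorded = {}
    for line in listing.splitlines():
        fields = line.split()
        # Skip blanks and entries flagged "obsolete" (no longer shipped).
        if len(fields) < 2 or "obsolete" in fields[2:]:
            continue
        recorded[fields[0]] = fields[1]
    return recorded

def locally_modified(listing, root="/"):
    """Return conffiles whose on-disk content differs from dpkg's record."""
    changed = []
    for path, digest in sorted(parse_conffiles(listing).items()):
        try:
            with open(os.path.join(root, path.lstrip("/")), "rb") as fh:
                # MD5 only because that is what dpkg stores for conffiles.
                actual = hashlib.md5(fh.read()).hexdigest()
        except FileNotFoundError:
            actual = None  # removed locally: also differs from the package
        if actual != digest:
            changed.append(path)
    return changed

def demo():
    """Constructed sample tree: two conffiles, one edited after install."""
    packaged = {"/etc/service.conf": b"Port 22\n", "/etc/other.conf": b"x=1\n"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        listing = ""
        for path, data in packaged.items():
            with open(os.path.join(root, path.lstrip("/")), "wb") as fh:
                fh.write(data)
            listing += " %s %s\n" % (path, hashlib.md5(data).hexdigest())
        # Simulate a hand edit or a config-management change to one file.
        with open(os.path.join(root, "etc/service.conf"), "ab") as fh:
            fh.write(b"PasswordAuthentication no\n")
        return locally_modified(listing, root)

if __name__ == "__main__":
    print(demo())
```

Running this against the real listing before an upgrade shows which files to diff against the new package version, so those changes can be folded into the configuration management source.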

