Open-source software name: PKRoma/etckeeper
Open-source software address: https://github.com/PKRoma/etckeeper
Open-source programming language: Shell 74.8%
Open-source software introduction:

etckeeper is a collection of tools to let

It hooks into package managers like apt to automatically commit changes
made to /etc during package upgrades. It tracks file metadata that git does
not normally support, but that is important for /etc, such as the
permissions of

It's quite modular and configurable, while also being simple to use if you understand the basics of working with version control.

security warnings

First, a big warning: By checking /etc into version control, you are creating a copy of files like /etc/shadow that must remain secret. Anytime you have a copy of a secret file, it becomes more likely that the file contents won't remain secret. etckeeper is careful about file permissions, and will make sure that repositories it sets up don't allow anyone but root to read their contents. However, you also must take care when cloning or copying these repositories, not to allow anyone else to see the data.

Since git mushes all the files into packs under the .git directory, the whole .git directory content needs to be kept secret. (Ditto for mercurial and .hg as well as bazaar and .bzr)

Also, since version control systems don't keep track of the mode of files like the shadow file, it will check out world readable, before etckeeper fixes the permissions. The tutorial has some examples of safe ways to avoid these problems when cloning an /etc repository.

Also note that

what etckeeper does

etckeeper has special support to handle changes to /etc caused by
installing and upgrading packages. Before apt installs packages,
You can also run

There is also a cron job, that will use etckeeper to automatically commit any changes to /etc each day.

VCS limitations

Version Control Systems are designed as a way to manage source code, not as a way to manage arbitrary directories like /etc. This means there are a few limitations that etckeeper has to work around. These include file metadata storage, empty directories, and special files.

Most VCS, including git, mercurial and bazaar have only limited tracking of
file metadata, being able to track the executable bit, but not other
permissions or owner info. (darcs doesn't even track executable bits.) So
file metadata is stored separately. Among other chores,

git and mercurial cannot track empty directories, but they can be
significant sometimes in /etc. So the

Most VCS don't support several special files that you probably won't have
in /etc, such as unix sockets, named pipes, hardlinked files (but symlinks
are fine), and device files. The

Darcs doesn't support symlinks, so they are also stored in

tutorial

A quick walkthrough of using etckeeper.

Note that the default VCS is git, and this tutorial assumes you're using it. Using other VCSes should be broadly similar.

First, get etckeeper installed. Something like:
The

The

Now you might want to run
After this first commit, you can use regular git commands to handle further changes:
Rinse, lather, repeat.

You might find that some files are changed by daemons and shouldn't be tracked by git. These can be removed from git:
etckeeper hooks into apt (and similar systems) so changes to interesting
files in /etc caused by installing or upgrading packages will automatically
be committed. Here "interesting" means files that are not ignored by
You can use any git commands you like, but do keep in mind that, if you check out a different branch or an old version, git is operating directly on your system's /etc. If you do decide to check out a branch or tag, make sure you run "etckeeper init" again, to get any metadata changes:
Often it's better to clone /etc to elsewhere and do potentially dangerous
stuff in a staging directory. You can clone the repository using git clone,
but be careful that the directory it's cloned into starts out mode 700, to
prevent anyone else from seeing files like
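
One way to script the clone described above and then check the result, as an added example that is not part of etckeeper or its README. The function names `go_bits`, `audit_clone` and `safe_clone` are hypothetical, and `safe_clone` assumes git is installed.

```shell
#!/bin/sh
# Added example, not etckeeper code. All function names are hypothetical.

# Group/other permission bits of a path as ls shows them ("------" = closed).
go_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# Succeed only if the clone directory and any VCS directory inside it are
# closed to group and other; print one line per exposed path.
audit_clone() {
    rc=0
    for p in "$1" "$1/.git" "$1/.hg" "$1/.bzr"; do
        [ -e "$p" ] || continue
        bits=$(go_bits "$p")
        if [ "$bits" != "------" ]; then
            echo "EXPOSED: $p (group/other bits: $bits)"
            rc=1
        fi
    done
    return "$rc"
}

# Clone src into dest/etc. dest is mode 700 before git writes anything, and
# umask 077 keeps checked-out files away from group/other.
safe_clone() {
    (
        umask 077
        mkdir -p -- "$2" && chmod 700 -- "$2" &&
        git clone -- "$1" "$2/etc" &&
        chmod 700 -- "$2/etc" &&
        audit_clone "$2/etc"
    )
}
```

Run as root, for example `safe_clone /etc /root/etc-work` (a constructed destination path); `audit_clone` can also be pointed at an existing copy, such as one kept on a backup server.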
Another common reason to clone the repository is to make a backup to a
server. When using
If you have several machines using etckeeper, you can start with an etckeeper repository on one machine, then add another machine's etckeeper repository as a git remote. Then you can diff against it, examine its history, merge with it, and so on. It would probably not, however, be wise to "git checkout" the other machine's branch! (And if you do, make sure to run "etckeeper init" to update file permissions.)
Incidentally, this also means I have a backup of dodo's /etc on darkstar. So if darkstar is compromised, that data could be used to attack dodo too. On the other hand, if dodo's disk dies, I can restore it from this handy hackup.

Of course, it's also possible to pull changes from a server onto client machines, to deploy changes to /etc. Once /etc is under version control, the sky's the limit..

configuration

The main configuration file is

etckeeper runs the executable files in

For example, here's how to configure it to run
Here's how to disable the automatic commits after each apt run, while still letting it git add new files:

sudo integration

etckeeper will notice if it's being run by way of sudo, and makes a commit
with the author set to the user who sudoed to root. This is useful when
a system has multiple admins; as long as they use sudo while doing their
administration, and run

changing VCS

By default, etckeeper uses git. This choice has been carefully made; git is the VCS best supported by etckeeper and the VCS users are most likely to know.

[ It's possible that your distribution has chosen to modify etckeeper so its default VCS is not git -- if they have please complain to them, as they're making things unnecessarily difficult for you, and causing unnecessary divergence of etckeeper installations. You should only be using etckeeper with a VCS other than git if you're in love with the other VCS. ]

If you would like to use some other VCS, and

In the latter case, you just need to follow three steps:
In the former case, you will need to convert the git repository to the
other VCS using whatever tools are available to do that. Then you can
run

inspiration

Two blog posts provided inspiration for techniques used by etckeeper:

isisetup had some of the same aims as etckeeper, however, unlike it, etckeeper does not aim to be a git porcelain with its own set of commands for manipulating the /etc repository. Instead, etckeeper provides a simple setup procedure and hooks for setting up an /etc repository, and then gets out of your way; you manage the repository using regular VCS commands.

license

etckeeper is licensed under version 2 or greater of the GNU GPL.

website

https://etckeeper.branchable.com/

author

Joey Hess [email protected]