ETCkeeper Tutorial » Historie » Version 1
Josef Braun, 02.01.2010 14:51
| 1 | 1 | Josef Braun | etckeeper tutorial |
|---|---|---|---|
| 2 | |||
| 3 | <pre> |
||
| 4 | ## tutorial |
||
| 5 | |||
| 6 | A quick walkthrough of using etckeeper. |
||
| 7 | |||
| 8 | Note that the default VCS is git, and this tutorial assumes you're using |
||
| 9 | it. Using other VCSes should be broadly similar. |
||
| 10 | |||
| 11 | The `etckeeper init` command initialises an /etc/.git/ repository. |
||
| 12 | If you installed etckeeper from a package, this was probably automatically |
||
| 13 | performed during the package installation. If not, your first step is to |
||
| 14 | run it by hand: |
||
| 15 | |||
| 16 | etckeeper init |
||
| 17 | |||
| 18 | The `etckeeper init` command is careful to never overwrite existing files |
||
| 19 | or directories in /etc. It will create a `.gitignore` if one doesn't |
||
| 20 | already exist (or update content inside a "managed by etckeeper" comment |
||
| 21 | block), sets up pre-commit hooks if they don't already exist, and so on. It |
||
| 22 | does *not* commit any files, but does `git add` all interesting files for |
||
| 23 | an initial commit later. |
||
| 24 | |||
| 25 | Now you might want to run `git status` to check that it includes all |
||
| 26 | the right files, and none of the wrong files. And you can edit the |
||
| 27 | `.gitignore` and so forth. Once you're ready, it's time to commit: |
||
| 28 | |||
| 29 | cd /etc |
||
| 30 | git status |
||
| 31 | git commit -m "initial checkin" |
||
| 32 | git gc # pack git repo to save a lot of space |
||
| 33 | |||
| 34 | After this first commit, you can use regular git commands to handle |
||
| 35 | further changes: |
||
| 36 | |||
| 37 | passwd someuser |
||
| 38 | git status |
||
| 39 | git commit -a -m "changed a password" |
||
| 40 | |||
| 41 | Rinse, lather, repeat. You might find that some files are changed by |
||
| 42 | daemons and shouldn't be tracked by git. These can be removed from git: |
||
| 43 | git rm --cached printcap # modified by CUPS |
||
| 44 | echo printcap >> .gitignore |
||
| 45 | git commit -a -m "don't track printcap" |
||
| 46 | |||
| 47 | etckeeper hooks into apt (and similar systems) so changes to interesting |
||
| 48 | files in /etc caused by installing or upgrading packages will automatically |
||
| 49 | be committed. Here "interesting" means files that are not ignored by |
||
| 50 | `.gitignore`. |
||
| 51 | |||
| 52 | You can use any git commands you like, but do keep in mind that, if you |
||
| 53 | check out a different branch or an old version, git is operating directly |
||
| 54 | on your system's /etc. If you do decide to check out a branch or tag, |
||
| 55 | make sure you run "etckeeper init" again, to get any metadata changes: |
||
| 56 | |||
| 57 | git checkout april_first_joke_etc |
||
| 58 | etckeeper init |
||
| 59 | |||
| 60 | Often it's better to clone /etc to elsewhere and do potentially dangerous |
||
| 61 | stuff in a staging directory. You can clone the repository using git clone, |
||
| 62 | but be careful that the directory it's cloned into starts out mode 700, to |
||
| 63 | prevent anyone else from seeing files like shadow, before `etckeeper init` |
||
| 64 | fixes their permissions: |
||
| 65 | |||
| 66 | mkdir /my/workdir |
||
| 67 | cd /my/workdir |
||
| 68 | chmod 700 . |
||
| 69 | git clone /etc |
||
| 70 | cd etc |
||
| 71 | etckeeper init -d . |
||
| 72 | chmod 755 .. |
||
| 73 | |||
| 74 | Another common reason to clone the repository is to make a backup to a |
||
| 75 | server. When using git push to create a new remote clone, make sure the new |
||
| 76 | remote clone is mode 700! (And, obviously, only push over a secure |
||
| 77 | transport like ssh, and only to a server you trust.) |
||
| 78 | |||
| 79 | ssh server 'mkdir /etc-clone; cd /etc-clone; chmod 700 .; git init' |
||
| 80 | git push ssh://server/etc-clone master |
||
| 81 | |||
| 82 | If you have several machine's using etckeeper, you can start with a |
||
| 83 | etckeeper repository on one machine, then add another machine's etckeeper |
||
| 84 | repository as a git remote. Then you can diff against it, examine its |
||
| 85 | history, merge with it, and so on. It would probably not, however, be wise |
||
| 86 | to "git checkout" the other machine's branch! (And if you do, make sure to |
||
| 87 | run "etckeeper init" to update file permissions.) |
||
| 88 | |||
| 89 | root@kodama:/etc>git remote add dodo ssh://dodo/etc |
||
| 90 | root@kodama:/etc>git fetch dodo |
||
| 91 | root@kodama:/etc>git diff dodo/master group |head |
||
| 92 | diff --git a/group b/group |
||
| 93 | index 0242b84..b5e4384 100644 |
||
| 94 | --- a/group |
||
| 95 | +++ b/group |
||
| 96 | @@ -5,21 +5,21 @@ sys:x:3: |
||
| 97 | adm:x:4:joey |
||
| 98 | tty:x:5: |
||
| 99 | disk:x:6: |
||
| 100 | -lp:x:7:cupsys |
||
| 101 | +lp:x:7: |
||
| 102 | |||
| 103 | Incidentially, this also means I have a backup of dodo's /etc on kodama. |
||
| 104 | So if kodama is compromised, that data could be used to attack dodo |
||
| 105 | too. On the other hand, if dodo's disk dies, I can restore it from this |
||
| 106 | handy hackup. |
||
| 107 | |||
| 108 | Of course, it's also possible to pull changes from a server onto client |
||
| 109 | machines, to deploy changes to /etc. Once /etc is under version control, the |
||
| 110 | sky's the limit.. |
||
| 111 | |||
| 112 | </pre> |