
Blog: Automatic commits for server configuration files

Graham Weldon

08 December, 2011

Today I was looking for a solution that could allow me to quickly and simply provide configuration management local to a server with minimal, if any, dependencies clogging up the system, and as little interaction as possible from administration users. As I know that the server in question has a number of hands-on users, with root access, automating and hiding a mechanism that can back up critical information would be invaluable. I set about creating a tiny system built on Git.

The server in question relies on Git already for deployment after successful test runs, so the use of Git added no additional dependencies to the server, which is great. Git is fast, so there would be no issues using it quietly in the background.

Thinking slightly further into the future, I figured that an ideal mechanism would bootstrap itself, and operate without interaction from users. We all love to be lazy, and adding more steps to existing administration work would not go down well, and could potentially be forgotten.

With all this in mind, I created the following small bash script. It's placed into /root/.bash_logout and is run every time you log out:

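#!/bin/bash

##
## Commit configuration files.
##

# First run: create the repository in /etc and set the commit identity.
if [ ! -d /etc/.git ]; then
    cd /etc
    git init
    git config user.name "Server Administrator"
    git config user.email "root@localhost"
fi

# Stage everything under /etc, including new files.
git \
    --work-tree=/etc \
    --git-dir=/etc/.git \
    add . >/dev/null 2>&1

# Record the snapshot, timestamped with the logout time.
git \
    --work-tree=/etc \
    --git-dir=/etc/.git \
    commit -a -m "Logout commit $(date +%c)" >/dev/null 2>&1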

You can grab it via GitHub as a gist as well, and place it into your server:

wget http://goo.gl/I5YLU -O /root/.bash_logout

Beware doing this if you already have a /root/.bash_logout file, as it would be overwritten.

The script is run every time you log out. If a Git repository doesn't exist yet, it creates one and makes the initial commit of all data. Every subsequent logout commits changed information, keeping track of everything you do in your /etc directory.

There are definitely ways to improve this. As git creates 644 file and 755 directory permissions, it would be wise to chmod all files to 600 and all directories to 700 to prevent regular system users from browsing the git objects hierarchy and viewing your /etc/shadow file and other sensitive information.
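
One way to apply the permission change suggested above, as an added example that is not part of the original post. The function names are hypothetical, and the demo runs against a constructed temporary tree standing in for /etc/.git. It also covers the case chmod alone misses: objects written by later commits follow the umask.

```bash
#!/bin/bash
# Added example: restrict a Git directory to its owner.
# Function names are hypothetical; the demo uses a constructed temp tree.

# Count entries under $1 that grant any permission bit to group or others.
count_exposed() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# Set every directory under $1 to 700 and every regular file to 600.
harden_git_dir() {
    find "$1" -type d -exec chmod 700 {} + &&
    find "$1" -type f -exec chmod 600 {} +
}

# Run a command with umask 077 so the files it creates start out private.
# chmod only fixes what already exists; new Git objects follow the umask.
run_private() {
    ( umask 077; "$@" )
}

# Constructed stand-in for /etc/.git with 755 directories and 644 files.
demo=$(mktemp -d)
mkdir -p "$demo/objects/ab"
echo "constructed blob" > "$demo/objects/ab/cdef"
chmod 755 "$demo" "$demo/objects" "$demo/objects/ab"
chmod 644 "$demo/objects/ab/cdef"

echo "exposed before hardening: $(count_exposed "$demo")"
harden_git_dir "$demo"
echo "exposed after hardening:  $(count_exposed "$demo")"
run_private touch "$demo/objects/ab/later"
echo "exposed after a umask 077 write: $(count_exposed "$demo")"
rm -rf "$demo"

# On the server (as root): harden_git_dir /etc/.git, and prefix the git
# commands in the logout script with run_private.
```
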

Let me know if you have any ideas for additional security, or any other automatic smarts to improve this quick-n-dirty server config versioning mechanism. Enjoy!
