I'm playing with etckeeper and it seems to be a good product. I use it only to track /etc filesystem locally, but these days the idea came to my mind - to create central Gitlab repository and to store all the node /etc repositories there. The question is how can I do that? I noticed in the config of etckeeper, there is a variable called: PUSH_REMOTE="", but do I have to create separate repository for every server or I can use one and combine all the servers in it? Maybe I can use branches? Or different folders? Any advice's are welcomed. I will try to do it in manual way, and if it works I will think how to do it in automated way, via Puppet or Ansible.. Thanks in advance.

etckeeper should log all config changes on a system. But there is one important setting that is outside of /etc/: crontab -e edits a file inside: /var/spool/cron/crontab/ so there are important config files on the server. How do I include those files to the git repository of etckeeper?

OS: Debian Buster 10.10 inside lxc I am attempting to install a new package (I tried different packages) and apt (and DPkg) is complaining with the following error message(s): /etc/etckeeper/pre-install.d/README: 1: /etc/etckeeper/pre-install.d/README: Files: not found /etc/etckeeper/pre-install.d/README: 2: /etc/etckeeper/pre-install.d/README: etc.: not found /etc/etckeeper/pre-install.d/README: 3: /etc/etckeeper/pre-install.d/README: uncommitted: not found E: Problem executing scripts DPkg::Pre-Invoke 'if [ -x /usr/bin/etckeeper ]; then etckeeper pre-install; fi' E: Sub-process returned an error code I decided to unstall etckeeper and got the exact same error message. My googling / searching seems to be lacking. My reasoning is the problem lies with etckeeper, although I could be wrong.

I use [etckeeper](http://etckeeper.branchable.com/) to keep my various OS configurations under version control. Until now, I was content to just use a local Git repository to keep track of changes but it occurred to me that I wasn’t making the most of this feature and I decided that it would be useful to configure a remote repository to keep copies of these repositories so that the /etc configurations are available from other machines. On the remote server, I created a bare repository (ensuring only the git user can access its contents): sudo -u git -H git init --bare ~git/repos/anthony-etc.git chmod -R 700 ~git/repos/anthony-etc.git/ The SSH daemon on the remote server was configured to allow users (including the git user) to use only keys for authentication – and I had already uploaded my personal public key to the .authorized_keys of the git user on the server. On the local machine, I added this as remote repository: sudo git remote add origin git@example.com:/home/git/repos/anthony-etc.git/ Since only a super user can modify files in the /etc directory (including its .git sub-directory), all the Git commands are run using sudo. Before attempting to push using SSH, I checked to see if I could use my current SSH authentication agent: $ sudo ssh-add -l Could not open a connection to your authentication agent. This failed when being run using sudo and I was wondering how I could configure sudo to work with the SSH authentication agent that I’m already using as a non-super user.

**Context:** Want to put a lock on *etckeeper/apt* hook activity during special backup. Objective is to preserve whole package integrity, e.g., wait until any package installation is complete, and then prevent new installation from starting until special backup is complete. Found shell script under *cron* which appears to be attempting to a lock on /var/cache/etckeeper/packagelist.pre-install but actually it is not performed atomically and so it is flawed. I presume the *cron* shell script is part of *Ubuntu 16.04* installation, not a part of *etckeeper* release. **Flawed lock code shown below.** Searched for *etckeeper* documentation about use of /var/cache/etckeeper/packagelist.pre-install as lock file. Found no documentation. But did find a piece of script file which writes to /var/cache/etckeeper/packagelist.pre-install without treating it as a lock file. At this time I am presuming that /var/cache/etckeeper/packagelist.pre-install is not intended to serve as a lock file interface for *etckeeper*. **Etckeeper internal script not treating /var/cache/etckeeper/packagelist.pre-install as a lock file shown below.** **Question 1: Is there (and if so where is) documentation on etckeeper locking mechanism, or a developers portal to issue a requestion for clarification?** There are plenty of questions and much discussion on *stackexchange* sites about the use of /var/lib/apt/lists/lock (we call it apt lock below) and /var/lib/dpkg/lock (we call it dpkg lock below) as locks for *apt* and *dpkg* respectively. All of the communications are concerned with stuck locks, how to diagnose them, and how to unstick them. However, I kind find no references to official *apt* and *dpkg* documentation specifying those lock files use as a formal interface. **Question 2: Is there (and if so where is) documentation on *apt* lock mechanism and/or *dpkg* lock mechanism as public interfaces?** Flawed lock attempt shell script, probably provided by *Ubuntu 16.04*: $ sudo cat /etc/cron.daily/etckeeper #!/bin/sh set -e if [ -x /usr/bin/etckeeper ] && [ -e /etc/etckeeper/etckeeper.conf ]; then . /etc/etckeeper/etckeeper.conf if [ "$AVOID_DAILY_AUTOCOMMITS" != "1" ]; then # avoid autocommit if an install run is in progress lockfile=/var/cache/etckeeper/packagelist.pre-install if [ -e "$lockfile" ] && [ -n "$(find "$lockfile" -mtime +1)" ]; then rm -f "$lockfile" # stale fi if [ ! -e "$lockfile" ]; then AVOID_SPECIAL_FILE_WARNING=1 export AVOID_SPECIAL_FILE_WARNING if etckeeper unclean; then etckeeper commit "daily autocommit" >/dev/null fi fi fi fi *Etckeeper* internal shell scipt writing to packagelist.pre-install and not treating it as a lock - hence I don't think it was intended as a lock interface. $ sudo cat /etc/etckeeper/pre-install.d/10packagelist #!/bin/sh # This list will be later used when committing. mkdir -p /var/cache/etckeeper/ etckeeper list-installed > /var/cache/etckeeper/packagelist.pre-install etckeeper list-installed fmt > /var/cache/etckeeper/packagelist.fmt

This is related to [Create meaningful etckeeper commit messages](https://unix.stackexchange.com/q/368078/1036) . I've patched /etc/etckeeper/pre-install.d/50uncommitted-changes as follows (to add support for a "PRECOMMIT" file): #!/bin/sh set -e PRECOMMIT=/root/.etckeeper/pre-install.txt if etckeeper unclean; then if [ "$AVOID_COMMIT_BEFORE_INSTALL" = 1 ]; then echo "" >&2 echo "** etckeeper detected uncommitted changes in /etc prior to $HIGHLEVEL_PACKAGE_MANAGER run" >&2 echo "** Aborting $HIGHLEVEL_PACKAGE_MANAGER run. Manually commit and restart." >&2 echo "" >&2 exit 1 fi if [ -r "PRECOMMIT" ]; then MSG=$(cat "$PRECOMMIT") else MSG="saving uncommitted changes in /etc prior to $HIGHLEVEL_PACKAGE_MANAGER run" fi if ! etckeeper commit "$MSG"; then echo "warning: etckeeper failed to commit changes in /etc using $VCS" >&2 fi fi [ -r "$PRECOMMIT" ] && mv "$PRECOMMIT" "$(basename "$PRECOMMIT" txt).$(date +%Y%m%d.%s)" And I've written a (Bash) shell function for my /root/bashrc which wraps the apt-get command to create the this "precommit" message (and to rename out of the way). But I'd prefer to patch the hooks in /etc/apt/apt.conf.d/05etckeeper My question is: can I capture the apt-get command's arguments from within a **DPKG::Pre-Invoke** command?

From here I learned that etckeeper doesn't exclude files via the usual .gitignore file. How can I view which directories and files are excluded from it? I'm using Debian 9.1 with KDE.

So as the terminal was telling me that /etc wasn't a git repository after running git status and gitk resolv.conf & I made a mistake and ran sudo etckeeper init and sudo etckeeper commit "Initial version" which I already ran earlier before realizing that the terminal was printing out this misleading info(!) only when not using sudo. Now I'd like to know whether (and if so how) I can view changes to files before I reran the init command. Are they still stored somewhere in a way that I could retrieve them? I'm using Debian 9.1 with KDE.

So I'm using etckeeper on my machine running Debian 9.1 with KDE and would like to view diffs (or if that isn't yet implemented: past versions) of specific files. How can I do that?

I wrote [a ansible role to automate installing etckeeper](https://github.com/sourcejedi/ansible-etckeeper) . I discover that git will complain if I haven't configured user.email. In some circumstances, git commits will fail. This includes automatic commits to etckeeper when installing a package, potentially causing the install to fail. So I have to add a task for that, like [everyone else does :)](https://github.com/debops-contrib/ansible-etckeeper/blob/b56cc3496c76c3e2d44322748f3efa5422baa980/tasks/main.yml#L85) . The frustrating thing is that in some circumstances, it seemed to work ok. And it doesn't seem to be a problem when using etckeeper manually. user.email is never mentioned in the [tutorial](https://etckeeper.branchable.com/README/) . Is it actually necessary to set user.email in the Ansible role? If so... there must be _some_ deliberate reason(s) causing this. Some explanation, which I could put into a comment in the role, or which would justify a patch to etckeeper or git?

I want to keep track of the /etc changes with etckeeper Unfortunately, the commit messages are the same for all commits saving uncommitted changes in /etc prior to emerge run I wish there would be something more descriptive like apt-get install foo on debian based systems or emerge foo on gentoo based systems when reading the logs with git log. Is there a hook script, I can use for this?

Say I had to change the permissions of some file in /etc/ssl to allow a program to read a private key file: $ cd /etc $ chgrp ssl-cert ssl/private/key.pem $ chmod g+r ssl/private/key.pem $ git status On branch master nothing to commit, working directory clean How do I tell etckeeper that some file permissions have changed in order to commit them? I know that the permissions are kept in /etc/.etckeeper, but couldn't find any way to update that file.

I would like to make clean commits with etckeeper. Here is what happens: 1) Check the status of the repository : git status On branch master nothing to commit, working directory clean 2) Modify a configuration file : vi myfile.conf 3) Add it to the index git add myfile.conf 4) Make a commit git commit -m"Add this ... to myfile.conf" 5) Observe the commit : git log -p -1 [...] maybe chmod 0644 'magic.mime' -maybe chmod 0644 'mail.rc' maybe chmod 0644 'mailcap' maybe chmod 0644 'mailcap.order' maybe chmod 0644 'mailname' +maybe chmod 0644 'mail.rc' maybe chmod 0644 'manpath.config' maybe chmod 0644 'matplotlibrc' maybe chmod 0755 'maven' [...] (My modification to myfile.conf) [...] I understand that etckeeper need to keep track of file permissions in the git repository even if I don't understand the purpose of this reordering. I would like to separate in distinct commits all modifications related to the ./etckeeper directory and modifications related to the content of the configuration files. How to do it?

I was thinking how to automatically rollback network misconfigurations with etckeeper and systemd. Workflow: # etckeeper commit # $EDITOR /etc/systemd/network/wired.network # systemctl restart systemd-networkd You broke the network! I'm calling your mom! Here's your broken config: $(cat broken_file) $(etckeeper vcs reset -- old_config_file) # $EDITOR /etc/systemd/network/wired.network # systemctl restart systemd-networkd # Currently i'm stuck how to hook into restart event. gdbus monitor --system --dest org.freedesktop --object-path /org/freedesktop Doesn't output anything when running # systemctl restart systemd-networkd Script itself could be something like: * hook into systemd restart and if possible, directly into restart systemd-networkd * Read the hook information if it contains that restart failed, otherwise read systemctl is-active systemd-networkd * Rename broken file to $file.broken * Restore: etckeeper vcs reset -- $file * systemctl stop automatic-net-configuration-rollback.service (so that there's no infinite loop) * systemctl restart systemd-networkd * Works -> systemctl start automatic-net-configuration-rollback.service * Doesn't -> echo Rollbacked config file doesn't work either. Repair manually and start automatic rollback after it works. Is this possible and/or does systemd already have this kind of service built-in or has someone made one already? My google searches came up empty.

> [etckeeper] hooks into package managers like apt to automatically commit changes made to /etc during package upgrades [to a git repository] Fedora uses libhif as a backend for PackageKit tools, such as GNOME Software. libhif doesn't use the command-line package manager, dnf, which leads to some confusing situations. E.g. PackageKit and dnf don't share caches, at least for the moment. Question: If I install etckeeper on Fedora, will it make the automatic commits before/after package installs/upgrades, if these actions are performed using PackageKit as opposed to using dnf on the command line?

I read about the ability to store configuration files that live outside of /etc here, and I tested it out on a test server, and it appears to work. One thing that I'm having a bit of an issue with however, is identifying what of these files external to /etc in an application needs to be included and what needs to be left out. What makes a file a good candidate for inclusion or exclusion in etckeeper? It seems to me that if you have an application that sits at the top of a LAMP or other stack, that it's configuration file and .htaccess or equivalent should be included in /etc to have a log of changes that can be included in the same commit. While I know you could conceivably store the entire application in git, it slows down commits, and mis-uses git. It also seems that anything considered cache or binary should be excluded, but that any text-based configuration files should be included.

I've seen some tutorials on the internet in which people are using etckeeper to keep a log of their server configuration, and yet they use the git command directly instead of running it through the etckeeper vcs command. This seems a little dangerous to me, since etckeeper is a proxy for the git command since etckeeper has to store file permissions and meta data in the .etckeeper directory . Is running git commands like this dangerous to the state of the .etckeeper directory or anything else related to it? Does it depend on which command is run? Why or why not?

gitk is a pretty good tool for viewing changesets in a git repository. Is there any way to use it locally on my workstation to view/review an etckeeper git repository on a remote server? Also should I clone the repo to my workstation and then making my changes locally on the workstation, and push them to the remote server's repo / a test server, or should I be doing something else like mounting the share locally using sshfs and just access it from there?

In what directory does etckeeper store its metadata and permissions in? I want to know for purposes of testing the restoration of a configuration.