[debian] dpkg asks about overwriting the config file every time the package is upgraded
dionysius opened this issue · 4 comments
In debian there are specific rules of package installation and upgrade behaviour of /etc files: https://www.debian.org/doc/debian-policy/ch-files.html#behavior
If the existence of a file is required for the package to be sensibly configured it is the responsibility of the package maintainer to provide maintainer scripts which correctly create, update and maintain the file and remove it on purge.
These scripts ..., must not ask unnecessary questions (particularly during upgrades), and must otherwise be good citizens.
Ideally the sysadmin should not have to do any configuration other than that done (semi-)automatically by the postinst script.
These two styles of configuration file handling must not be mixed, for that way lies madness: dpkg will ask about overwriting the file every time the package is upgraded.
Thanks to those rules unattended-upgrades are possible. I've realized that this wasn't possible with crowdsec-firewall-bouncer due to config file changes, which forces me to manually update and manually review the changes.
Generally maintainer default configs should not be altered by scripts - or when scripts do, reapply the change during an upgrade of the package so the case below doesn't happen.
Configuration file '/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** crowdsec-firewall-bouncer.yaml (Y/I/N/O/D/Z) [default=N] ? d
--- /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml 2023-01-16 19:50:25.760927043 +0000
+++ /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.dpkg-new 2023-05-16 07:34:54.000000000 +0000
@@ -10,7 +10,7 @@
log_max_backups: 3
log_max_age: 30
api_url: http://127.0.0.1:8080/
-api_key: MYOLDAPIKEY
+api_key: ${API_KEY}
insecure_skip_verify: false
disable_ipv6: false
deny_action: DROP
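Review bot: the `-api_key: MYOLDAPIKEY` / `+api_key: ${API_KEY}` pair is the only real change in this hunk; every other line is unchanged context, so this single line is what makes dpkg classify the conffile as locally modified. It also means the installed key is printed in clear to whoever answers D at the prompt, and lands in any transcript of the upgrade session (as it did here), which is one more reason to keep the credential out of the conffile, as the `.yaml.local` approach later in the thread does.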
@@ -37,11 +37,18 @@
set-only: false
table: crowdsec
chain: crowdsec-chain
+ priority: -10
ipv6:
enabled: true
set-only: false
table: crowdsec6
chain: crowdsec6-chain
+ priority: -10
+
+nftables_hooks:
+ - input
+ - forward
+
# packet filter
pf:
# an empty string disables the anchor
@@ -50,4 +57,4 @@
prometheus:
enabled: true
listen_addr: 127.0.0.1
- listen_port: 60601
\ No newline at end of file
+ listen_port: 60601
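Review bot: the only change in this hunk is the missing trailing newline (`\ No newline at end of file`) on `listen_port: 60601`; on an unmodified conffile dpkg would apply such a cosmetic change without prompting.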
Configuration file '/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
The problematic part is:
-api_key: MYOLDAPIKEY
+api_key: ${API_KEY}
The rest of the diff is fine and dpkg would've accepted the new maintainer defaults automatically.
Either the injection of the current api-key happens during the upgrade automatically - or use and provide a way to offload the value onto a separate file. This way dpkg can detect that the config file is still in the original maintainer state and applies the new maintainer config defaults without asking.
Hi!
We should probably keep the credentials in separate files; however what you ask is possible since v0.0.27. You can create a file
# cat /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.local
api_key: <your-api-key>
and it will override any value in the main .yaml file. Now you can use the default configuration and it won't be modified.
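As an added check (not from the thread or the crowdsec project), a POSIX shell script that tells whether a conffile is still byte-identical to what the package shipped, by comparing it against the md5 that dpkg records in the package's `Conffiles` field (the form printed by `dpkg-query -W -f='${Conffiles}\n' PKG`). The demo part constructs a fake config and record under a temp dir rather than querying a real package.

```shell
#!/bin/sh
# conffile_status CONFFILES_TEXT PATH
# Prints "pristine" if PATH matches the md5 recorded for it, "modified" if it
# differs (dpkg will prompt on upgrade), "unknown" if PATH is not a conffile.
conffile_status() {
    conffiles=$1; path=$2
    # Conffiles lines look like " /etc/foo.conf <md5> [obsolete]"
    recorded=$(printf '%s\n' "$conffiles" | awk -v p="$path" '$1 == p { print $2 }')
    if [ -z "$recorded" ]; then echo unknown; return 0; fi
    actual=$(md5sum -- "$path" | cut -d' ' -f1)
    if [ "$recorded" = "$actual" ]; then echo pristine; else echo modified; fi
}

# check_package_conffiles PKG: run the check over every conffile of an installed package.
check_package_conffiles() {
    pkg=$1
    list=$(dpkg-query -W -f='${Conffiles}\n' "$pkg") || return 1
    printf '%s\n' "$list" | awk 'NF >= 2 { print $1 }' | while read -r f; do
        printf '%-9s %s\n' "$(conffile_status "$list" "$f")" "$f"
    done
}

# demo: constructed scenario mirroring the issue. Prints "pristine modified".
demo() {
    dir=$(mktemp -d)
    cfg=$dir/crowdsec-firewall-bouncer.yaml
    # the file as shipped by the maintainer (placeholder, no secret)
    printf 'api_url: http://127.0.0.1:8080/\napi_key: ${API_KEY}\n' > "$cfg"
    # the record dpkg keeps for that shipped file (constructed here)
    rec=" $cfg $(md5sum -- "$cfg" | cut -d' ' -f1)"
    before=$(conffile_status "$rec" "$cfg")
    # what a setup script does when it writes the real key into the conffile
    printf 'api_url: http://127.0.0.1:8080/\napi_key: MYOLDAPIKEY\n' > "$cfg"
    after=$(conffile_status "$rec" "$cfg")
    # the .local override keeps the main conffile untouched instead
    printf 'api_key: MYOLDAPIKEY\n' > "$cfg.local"
    rm -rf "$dir"
    echo "$before $after"
}
```

Run `check_package_conffiles crowdsec-firewall-bouncer` on a real host to see which conffiles would prompt at the next upgrade.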
Instructions seem to work, although the log entry is a bit funny:
Aug 31 23:09:01 snoot crowdsec-firewall-bouncer[4147450]: time="2023-08-31T23:09:01Z" level=info msg="Patching yaml: '/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml' with '/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.local'"
Wording to me is a bit off, I thought it patched the original yaml... (but it didn't)
I see what you mean, will think of a better message.
Thanks!
oh, forgot to close. main issue resolved