= dasscm =

'''dass''' '''c'''onfiguration '''m'''anagement (dasscm) is a simple solution for managing system configuration files with Subversion. It is favored because of its easy setup and low footprint. It can be easily integrated into Nagios monitoring.

== Naming ==

A term like "repository" is ambiguous: it can mean the server-side svn repository, a package repository (like an RPM repository) or sometimes your local svn checkout. To distinguish between these meanings, we try to use the following terms consistently:

|| target system || the system where dasscm is installed and used ||
|| Subversion server || the system where your SVN repository is hosted ||
|| system files || config and other files on your system, like /etc/ntp.conf ||
|| system files managed by dasscm || the part of your system files that has already been checked in to Subversion via dasscm ||
|| local svn checkout || your local svn checkout on the target system ||
|| svn repository || the Subversion repository where the "system files managed by dasscm" are versioned ||
|| package repository || the installation source repository for dasscm ||

== Repository ==

|| package repositories (RPM and DEB) || http://download.opensuse.org/repositories/home:/dassit/ ||
|| source code || source:dasscm/trunk ||

== About ==

dasscm is a wrapper Perl script around the {{{svn}}} command. If you're planning to check your system configuration files into a Subversion repository, {{{dasscm}}} eases your life. Instead of copying files from the system to the corresponding local Subversion checkout directory and committing them there, you just use:

{{{
dasscm login
dasscm add /etc/ntp.conf
}}}

Missing directories are added automatically.

The real advantage over plain {{{svn}}} is that you can check whether your local system files have changed against the repository. Just call:

{{{
dasscm status
}}}

For Nagios NRPE integration use

{{{
dasscm check
}}}

== Usage ==

=== Subcommands ===

dasscm supports the following subcommands:

{{{
help
init
login
up
ls
add
commit
revert
diff
status
check
cleanup
permissions
}}}

=== Pre-Requirements ===

 * an existing empty directory in a Subversion repository. Normally you create a new directory for every dasscm installation (like http://mysubversionserver/config/HOSTNAME)
 * a user with read permissions to this Subversion repository. The username {{{dasscm}}} is a good choice

=== Configuration ===

After installation, {{{dasscm}}} has to be configured. All configuration changes are made in the file {{{/etc/dasscm.conf}}}:

{{{
#
# dasscm configuration
#

#
# TODO:
# - set unique DASSCM_REPOSITORY_NAME.
#   Normally use the full qualified hostname
# - for security reasons, it is recommended
#   to set DASSCM_CHECKOUT_USERNAME and DASSCM_CHECKOUT_PASSWORD
#   individually (maybe host specific)
#

#
# host specific name
# it is required, to set this unique
# normally, use the result of `hostname -f`
#
DASSCM_REPOSITORY_NAME=

#
# local base directory
#
DASSCM_LOCAL_REPOSITORY_BASE=/var/lib/dasscm/

#
# subversion server settings
#
#DASSCM_SVN_REPOSITORY_BASE=https://svn.dass-it/svn/internal-dasscm/
#DASSCM_CHECKOUT_USERNAME=dasscm
#DASSCM_CHECKOUT_PASSWORD=

#
# file to store the permissions of the checked-in file
#
DASSCM_PERMISSION_FILE="/etc/permissions.d/dasscm.permission_backup"
}}}

Set the following variables according to your needs:

|| {{{DASSCM_REPOSITORY_NAME=system-name}}} || normally {{{hostname -f}}} ||
|| {{{DASSCM_CHECKOUT_USERNAME=dasscm}}} || subversion user with read-only permissions ||
|| {{{DASSCM_CHECKOUT_PASSWORD=dasscm-password}}} || subversion password for {{{$DASSCM_CHECKOUT_USERNAME}}} ||
|| {{{DASSCM_SVN_REPOSITORY_BASE=http://your-svn-repository/path/}}} || subversion directory in which the {{{$DASSCM_REPOSITORY_NAME}}} directory is located ||

If it does not already exist, you can create your Subversion subdirectory with

{{{
source /etc/dasscm.conf
svn mkdir -m "initial" --no-auth-cache "$DASSCM_SVN_REPOSITORY_BASE/$DASSCM_REPOSITORY_NAME"
}}}

==== login ====

For convenience use

{{{
dasscm login
}}}

This opens a shell in which the environment is set to the required values.

==== add files/directories ====

For example, the cups configuration:

{{{
# it is recommended to check in a file before you first edit it. Use the comment "orig"
dasscm add -m "orig" /etc/sysconfig/cups
# make your changes to /etc/sysconfig/cups
dasscm commit -m "my comment about my change" /etc/sysconfig/cups
}}}

==== checkin modified files ====

{{{
dasscm commit -m "my comment about my change" /etc/sysconfig/cups
}}}

Note: every "add" also calls "commit", so the command "commit" is not really required.

==== status ====

{{{
dasscm status
}}}

==== store file permissions ====

On every call of {{{dasscm add/commit}}} all file permissions are evaluated and stored in the file

{{{
/etc/permissions.d/dasscm.permissions_backup
}}}

==== restore file permissions ====

On SUSE systems:

{{{
cp -a /etc/permissions.d/dasscm.permissions_backup /etc/permissions.d/dasscm.permissions
# change all file permissions to the values, that are defined in the file /etc/permissions.d/*.permissions
/sbin/conf.d/SuSEconfig.permissions
}}}

==== diff ====

{{{
dasscm diff $filename
}}}

shows the differences between a local system file and the file in the local svn checkout.

==== revert ====

If a local system file is modified (see {{{dasscm diff}}}), it can be reverted to the checked-in version with

{{{
dasscm revert $filename
}}}

==== help ====

{{{
dasscm help
}}}

== dasscm as non-root user ==

Using {{{dasscm}}} as non-root user requires sufficient permissions.

 * create group {{{dasscm}}}. Default GID is 4199
 * {{{chgrp dasscm /etc/dasscm.conf}}}
 * verify group {{{dasscm}}} has read permission on {{{/etc/dasscm.conf}}}

=== why sudo? ===

Without **sudo** there is no guarantee that the user has access to all files on the production system. If a file is not readable by "other", //status// cannot determine the difference between this file and the repository.

=== Configuration ===

{{{
getent group dasscm
# dasscm:*:4199:joergs,maik

# read permission for the group dasscm
chgrp dasscm /etc/dasscm.conf

# allow the group dasscm to use dasscm
# (a sudoers group entry needs the % prefix; without it the rule applies to a user named dasscm)
# check the syntax afterwards with: visudo -c
echo "
Defaults env_keep+=DASSCM_USERNAME
Defaults env_keep+=DASSCM_PASSWORD
%dasscm ALL=(ALL) NOPASSWD:/usr/bin/dasscm" >> /etc/sudoers
}}}

=== usage (non-root) ===

{{{
# log in
dasscm login
sudo dasscm status
sudo dasscm ls
sudo dasscm add
}}}

== Nagios/NRPE Check ==

Client-side configuration for NRPE:

{{{
# nrpe config file
CFG=/etc/nagios/nrpe.cfg

# check which user nrpe runs as (only the active, uncommented setting)
NRPE_USER=$(sed -n 's/^nrpe_user=//p' "$CFG")
echo "NRPE_USER: $NRPE_USER"

# add to sudoers
grep -q "dasscm check" /etc/sudoers || echo "$NRPE_USER ALL=(ALL) NOPASSWD:/usr/bin/dasscm check" >> /etc/sudoers

# make sure check_dasscm is defined for nrpe
grep -q dasscm "$CFG" || echo "command[check_dasscm]=sudo dasscm check" >> "$CFG"

# restart nrpe
/etc/init.d/nrpe restart
}}}

As already described for users, access without **sudo** would also be conceivable. In that case, however, not all modified files might be detected.

=== Special case on RedHat / CentOS ===

For sudo to work via nrpe or ssh, the following option must be commented out in {{{/etc/sudoers}}}:

{{{
# Defaults requiretty
}}}

On SUSE systems this is already the default.

== usage (German) ==

from [source:dasscm/trunk/doc/dasscm_howto.txt]:

[[Include(source:dasscm/trunk/doc/dasscm_howto.txt, text/plain)]]
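The failure mode from the "why sudo?" and "Nagios/NRPE Check" sections, as an added example that is not dasscm's own code: a drift check that compares a checkout tree with the live files and refuses to report OK when a file could not be read. The function name {{{drift_check}}}, the {{{sysroot}}} parameter and the assumption that the checkout mirrors absolute system paths are hypothetical and chosen for illustration.

```shell
#!/bin/sh
# Added example, not dasscm's own code. Assumed layout: the checkout mirrors
# absolute paths, e.g. $checkout/etc/ntp.conf <-> $sysroot/etc/ntp.conf.
# Nagios plugin exit codes: 0 OK, 2 CRITICAL, 3 UNKNOWN.
drift_check() {
    checkout=${1%/}      # local svn checkout directory
    sysroot=${2:-}       # prefix for live files; empty means the real /
    changed=0 missing=0 unreadable=0 total=0
    list=$(mktemp) || return 3
    # managed files = regular files in the checkout, minus Subversion metadata
    find "$checkout" -name .svn -prune -o -type f -print > "$list"
    while IFS= read -r ref; do
        live=$sysroot${ref#"$checkout"}
        total=$((total + 1))
        if [ ! -e "$live" ]; then
            missing=$((missing + 1))
        elif [ ! -r "$live" ]; then
            # no read access: the file cannot be compared at all
            unreadable=$((unreadable + 1))
        elif ! cmp -s "$ref" "$live"; then
            changed=$((changed + 1))
        fi
    done < "$list"
    rm -f "$list"
    DRIFT_SUMMARY="$total managed, $changed changed, $missing missing, $unreadable unreadable"
    if [ $((changed + missing)) -gt 0 ]; then
        echo "CRITICAL: $DRIFT_SUMMARY"; return 2
    elif [ "$unreadable" -gt 0 ]; then
        # never report OK for files that were skipped
        echo "UNKNOWN: $DRIFT_SUMMARY"; return 3
    fi
    echo "OK: $DRIFT_SUMMARY"
}

# Constructed demo tree: one identical file, one modified file.
demo=$(mktemp -d)
mkdir -p "$demo/co/etc" "$demo/sys/etc"
echo "server ntp.example.org" > "$demo/co/etc/ntp.conf"
cp "$demo/co/etc/ntp.conf" "$demo/sys/etc/ntp.conf"
echo "START=yes" > "$demo/co/etc/cups"
echo "START=no"  > "$demo/sys/etc/cups"
drift_check "$demo/co" "$demo/sys" || echo "exit code: $?"
rm -rf "$demo"
```

Run as an unprivileged user, a managed file without read permission for that user lands in the "unreadable" count and yields UNKNOWN; run through sudo, the same file is compared normally.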