puppetlabs/apt and unattended-upgrades - security

I want to have unattended-upgrades installed on my server and I want to edit the default config. I like to receive mail to confirm an upgrade, I know where to change it in config files.
andschwa/unattended_upgrades doc clearly says that puppetlabs/apt can manage unattended upgrades but there is nothing said in the doc.
Can I have some help to configure unattended-upgrades with puppetlabs official apt module ?
I know that there is several modules to manage unattended-upgrades but I want to be sure that it is not possible with puppetlabs/apt before adding another module like puppet/unattended_upgrades as it is said that it is not available for debian 8.
Thanks

andschwa/unattended_upgrades doc clearly says that puppetlabs/apt can manage unattended upgrades but there is nothing said in the doc.
The functionality was removed from puppetlabs-apt in version 2.0.0 (now 4.0.0), and moved into puppet-unattended_upgrades (the Vox Pupuli module).
I want to be sure that it is not possible with puppetlabs/apt before adding another module like puppet/unattended_upgrades as it is said that it is not available for debian 8.
This looks like a mistake in the metadata only that's been fixed in git since the latest release (2.2.0). The code to handle Debian 8 (Jessie) appears identical in the released version to git, so I'd say you can and should use this module to manage unattended-upgrades.

Related

Bluez, deinstallation before make from source?

i am using Fedora 24. For my thesis, i have to build BlueZ from the source, because I need the experimental features.
Now, what is the best practice? Do I have to remove BlueZ from the OS before I can reinstall it from the source? When i try to remove bluez with dnf, he wanna also remove httpd and other applications as dependencies.
Thanks
Best practice is probably to rebuild the RPM. We have bluez 5.39 in Fedora 23 (and 24) currently — this is one minor release behind the latest. If you need the newest, you could grab it from Rawhide, Fedora's development branch.
Then, modify the spec file to enable the experimental features you need (presumably in this case by putting --enable-experimental on the %configure line.
When you modify the specfile, add something like .experimental.1 to the end of the Release: field. That way, it will be counted as a newer update, and you can dnf update bluez-5.39-1.fc23.experimental.1.x86_64.rpm. (Update that final .1 whenever you make a change, as a form of rudimentary version control.) Then, use the DNF versionlock plugin to make sure updates don't override it, and when new versions come out, update at your leisure.

How to gather the full config of a NixOS system?

I read a bit about NixOS and tried it these days, because I got the impression that it would let me configure a Linux with just one file.
When I used it, I installed a bunch of packages with nix-env, so they didn't end up in the configuration.nix, but I could simply uninstall them later and add them to the configuration.nix by hand. I there something like npm i -g <package> that would install this globally so it would end up in the configuration.nix and could simply be copied to another machine.
Also, I installed stuff like zsh and atom and they have an entirely different approach to configuration and customization (bashscript, javascript, less, etc).
Is there a way for Nix/NixOS to track the package-specific config too?
Does it already happen and I don't see it? Like the nix expression of the package knows where the package will store its config etc.
I mean, it's nice that I can add these packages to the main config and when using it at another PC I get the same software installed, but I still see myself writing rather much configs for the installed packages too.
If you want packages installed through configuration.nix, then the easiest way to accomplish that is to add them to the environment.systemPackages attribute. Packages listed in there will be available automatically to all users on the machine. As far as I know, there is no shell command available to automate the maintenance of that attribute, though. The only way to manage that list is by editing configuration.nix and manually adding the packages you'd like to have installed.
Nix does not manage package-specific configuration files. As you probably know, NixOS provides such a mechanism for files in /etc, but a similar mechanism to manage config files in $HOME etc. does not exist. The PR https://github.com/NixOS/nixpkgs/pull/9250 on Github contains a concrete proposal to add this capability to Nix, but it hasn't been merged yet because it requires some changes that are controversial.
Nix does not currently offer ways of managing user specific configuration or language specific package managers. AFAICT that's because it is a very complex and opinionated territory compared to generating configs for sshd etc.
There are however Nix-based projects providing solution to at least some parts of your question. For managing user configuration (zsh etc.), have a look at home manager.

Keeping an apt-based distro, running as a web server, up to date

I am in the process of configuring a production web server running Debian 5.0. How do you keep an apt-based distro up to date. Is there any best practice or magical ways of doing it? Logging in via ssh and running apt-get upgrade manually seems unrational.
EDIT:
After some discussion in the comments I am now deciding to upgrade the server manually but would like to know how to keep up to date with what packages to apply.
Automatically updating your server could be problematic; the installation could fail, the new package could have slightly different behavior (debian is pretty good at avoiding this), or a condition might have changed which only becomes evident when package installation forces a service restart, etc. So I would advise against unattended package installs.
That being said, you could look into cron-apt, which you can configure to do just that, or to download the packages in advance, and alert you about the available updates so that all you have to do is log in and install them.
Additionally/alternatively, you could subscribe to debian-security-announce, which sends out notices of new security updates.

Version Roll Back

I am doing a concept in linux in which i want to do version rollback for an app installed in linux. Is it possible??
For eg I have an application named X with version 1.1
I get an update. It changes it to version 1.2
I note what all the packages in the app going to be modified.
Then i save them and apply the changes.
Now after sometime due to some problems I want to switch back to version 1.1
If i undo the changes and make the entire solution will the rollback be done?
The easiest and common way in Unix is to install them in separate directories,
eg "/usr/bin/MyApp.1.2.3" and "/usr/bin/MyApp.1.2.4" then create a link to the one to use "/usr/bin/Myapp".
Changing versions is then just a matter of moving the link.
You don't need to invent anything. Just keep the packages you install around. If you want to go back, uninstall the current version and install the previous package again.

Code Highlighting for Subversion/Apache Server

I have beeen looking around for a way to add code highlighting to my Subversion and Apache installation that hosts my local subversion projects. It runs on Fedora Core 10 installed in a VM. I would like to use syntaxhighlighter but I have not idea how i can get Apache to automatically insert the required javascript into my source code files (without tainting the source).
It is possible to modify my existing installation of Apache 2.2/SVN 1.5.5 to use syntaxhighlighter? (this is what it looks like)
There is a project called WebSVN hosted by Collabnet that seems to have something similar built in, however after the trouble I've gone to get the web subversion working (And Fedora configured nicely), I don't want to use OpenCollabnet's version of WebSVN. Plus their version does not support the latest subversion and Apache.
How can I add some form of code highlighting to my Apache that serves the subversion source?
I was using Trac for web-based project management software. It does issue tracking and wiki, but it also provides a repository browser which has syntax coloring. It supports a bunch of different syntax colorers. GNU Enscript, SilverCity, Pygments
Trac is installed, I checked out Enscript, SilverCity and Pygments.
There were no packages for FC10 for the first two, but there was a Pygments package.....it looks rather nice.
Demos here
The C++ highlighting is what i'm interested in, it looks decent: C++ Highlighting
Although Pygments is obviously not as nice as syntaxhighlighter, which I would still prefer to use if someone knows an easy way to setup.

Resources