Configuration file shared across machines?

12.1-RELEASE-p7

I'm trying to decide what would be the kosher way of setting up either a shared configuration file or a service that is supposed to use partly identical configuration files on more than one machine.

Specific goal: have two (or more) instances of dns/dnsmasq running on separate machines use the same configuration file, save for any host-specific files.

So far I have considered:
  1. putting the configuration file in a HAST-backed directory
  2. putting the configuration file in an NFS-backed directory
  3. rsync(1)ing the configuration file
The theoretical problem with 1 is the maximum limit of computers that can back the HAST entity, which is two. The practical problem with both 1 and 2 is that I do not know enough of the order in which things are executed during FreeBSD boot to know if a HAST or NFS mount is available at the time the system loads rc.conf and notices that dnsmasq should read its configuration, i.e., I do not know if the configuration file would be available at that time.

Given that I may end up duplicating more services, what is the established way of using shared configuration files in a FreeBSD 12.1 environment?
 
I looked into this because I have very similar needs. Essentially, I want some form of a shared configuration store in which individual hosts (and services running on those hosts) can look up their configuration. Unfortunately, most of the commonly used software packages which ship with FreeBSD rely on file storage to read their configuration: this can be a local file, an NFS share, or a remote file system which can be mounted and look like a file. Some packages provide options to read configuration from something like LDAP (Postfix, Dovecot, ISC DHCP server, to name a few). This used to be popular before network-aware shared configuration solutions came about (etcd and the like). Nowadays, the popularity of LDAP-backed configuration has diminished substantially, and LDAP support is not compiled in by default. It is not a big deal to rebuild and enable it, but then you would need yet another solution to publish your artifacts and reconfigure your servers to use it instead of the official FreeBSD package repos.

I actually don't think network-backed storage of configuration files is a good idea: if your NFS/LDAP server goes down, so do all of your services. You can spend a lot of effort on improving (NFS or other network storage) availability, but there is a non-zero probability that eventually the network will fail.

The solution which gained popularity recently is to have your service configuration files stored locally, with a "sidecar" component to each service which is usually responsible for getting service configuration from a common (network) storage solution and placing it on a local file system. Some sidecar services can poll for changes, rewrite local config files, and restart the service. This is better because if for some reason your shared config storage is not available, at least your service can run on the previous "good" configuration.

Having described all of that, whichever route you pick, you would have to implement most of it yourself: as far as I know, there is no FreeBSD-native control plane. Linux is in a slightly better position because of the recent buzz in Kubernetes, etc.
 
> Given that I may end up duplicating more services, what is the established way of using shared configuration files in a FreeBSD 12.1 environment?

Use Puppet or Ansible to configure your machines.
 
> Use Puppet or Ansible to configure your machines.

They work OK in some contexts (e.g. configuring hosts), but they have a rather large footprint (they usually need Python or Ruby installed), and as such, are probably not the best thing to configure a service inside of a jail.
Furthermore, each tool comes with its own DSL and other complexities.
 
You can create your own "poor man's" configuration management. Stick your configs in git and have a script do a check every 30 minutes or so, do a pull if there are changes and copy the files to the right place. Then restart the appropriate services if needed.
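The pull-and-copy script described in this post, which is also the "sidecar" pattern from earlier in the thread, written out as an added example (not code from any poster). It goes one step further than the post by validating the candidate file before installing it and keeping the previous file as `.prev`; the repository path, the script path in the cron line and the use of dnsmasq are assumptions.

```sh
#!/bin/sh
# Pull-based config sync for cron(8). Added example; all paths are assumed.
# /etc/crontab entry (script path is hypothetical):
#   */30 * * * * root /usr/local/sbin/config-sync.sh run

REPO=${REPO:-/var/db/config-repo}        # local clone of the config repository
SRC=${SRC:-$REPO/dnsmasq.conf}           # file as stored in the repository
DST=${DST:-/usr/local/etc/dnsmasq.conf}  # file the service actually reads

# install_if_valid SRC DST VALIDATE RELOAD
#   VALIDATE is run as "$VALIDATE <candidate>", RELOAD with no arguments.
#   Returns 0 installed, 1 unchanged, 2 rejected (live file untouched),
#           3 copy or reload error.
install_if_valid() {
    src=$1 dst=$2 validate=$3 reload=$4
    # Nothing to do when the live file already matches the repository copy.
    [ -f "$dst" ] && cmp -s "$src" "$dst" && return 1
    # Stage next to the destination so the final mv is an atomic rename.
    tmp=$(mktemp "$dst.XXXXXX") || return 3
    cp "$src" "$tmp" && chmod 644 "$tmp" || { rm -f "$tmp"; return 3; }
    # Never put a file in place that the service itself would refuse.
    if ! $validate "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 2
    fi
    # Keep the last known good file for manual rollback.
    [ -f "$dst" ] && cp -p "$dst" "$dst.prev"
    mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 3; }
    $reload >/dev/null 2>&1 || return 3
    return 0
}

sync_once() {
    # Fast-forward only: a diverged or unreachable repository changes nothing,
    # so the service keeps running on its current local configuration.
    git -C "$REPO" pull --ff-only --quiet || {
        echo "config-sync: pull failed, keeping current config" >&2
        return 3
    }
    # dnsmasq --test syntax-checks the file given with -C without serving.
    install_if_valid "$SRC" "$DST" "dnsmasq --test -C" "service dnsmasq restart"
}

if [ "${1:-}" = "run" ]; then
    sync_once
    exit $?
fi
```

Because the service only ever reads the local file, an outage of the repository host leaves the running configuration untouched.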
 
Have a look at sysutils/cfengine (pkg search cfengine). Oldie but goldie. Lower footprint & very mature (rock solid). EDIT: And instead of devel/git you can use RCS and/or CVS. Comment is the same. Web frontends are available, in case you want or need such a GUI.
 
> You can create your own "poor man's" configuration management. Stick your configs in git and have a script do a check every 30 minutes or so, do a pull if there are changes and copy the files to the right place. Then restart the appropriate services if needed.

Sounds like a perfect idea and a spin on the sidecar idea.
 
That's how I used to do configuration management when I worked for a large oil company many years ago. That was on Solaris and we used CVS, but the basic idea is the same.

If you use Subversion instead of git you could make it so it'll work on a basic FreeBSD install without requiring any additional packages (svnlite(1) is included in the base).
 