Notified when a file controlled by puppet is going to be changed by yum

Solution 1:

Yum supports plugins, so it's entirely possible to write a plugin that reads the cached puppet manifest and warns when a transaction will overwrite a puppet-controlled file. I'm not aware of an existing plugin that does this, but I will probably write just wrote one myself as I like the idea.

The plugin checks all newly installed/upgraded/downgraded packages, tells you which puppet-managed files it will overwrite and asks for a confirmation to do so.

    [root@camel ~]# yum update pam
    Loaded plugins: puppet, security
    Skipping security plugin, no data
    Setting up Update Process
    Resolving Dependencies
    Skipping security plugin, no data
    --> Running transaction check
    ---> Package pam.i386 0:0.99.6.2-12.el5 set to be updated
    ---> Package pam.x86_64 0:0.99.6.2-12.el5 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ===============================================================================================================================================================
     Package                           Arch                                 Version                                       Repository                          Size
    ===============================================================================================================================================================
    Updating:
     pam                               i386                                 0.99.6.2-12.el5                               base                               983 k
     pam                               x86_64                               0.99.6.2-12.el5                               base                               982 k

    Transaction Summary
    ===============================================================================================================================================================
    Install       0 Package(s)
    Upgrade       2 Package(s)

    Total download size: 1.9 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/2): pam-0.99.6.2-12.el5.x86_64.rpm                                                                                                   | 982 kB     00:00
    (2/2): pam-0.99.6.2-12.el5.i386.rpm                                                                                                     | 983 kB     00:00
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                          8.7 MB/s | 1.9 MB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/pam.d/system-auth
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/access.conf
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/limits.conf
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/pam.d/system-auth
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/access.conf
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/limits.conf
    Is this ok [y/N]: n


    Aborting
    [root@camel ~]# yum update pam
    Loaded plugins: puppet, security
    Skipping security plugin, no data
    Setting up Update Process
    Resolving Dependencies
    Skipping security plugin, no data
    --> Running transaction check
    ---> Package pam.i386 0:0.99.6.2-12.el5 set to be updated
    ---> Package pam.x86_64 0:0.99.6.2-12.el5 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ===============================================================================================================================================================
     Package                           Arch                                 Version                                       Repository                          Size
    ===============================================================================================================================================================
    Updating:
     pam                               i386                                 0.99.6.2-12.el5                               base                               983 k
     pam                               x86_64                               0.99.6.2-12.el5                               base                               982 k

    Transaction Summary
    ===============================================================================================================================================================
    Install       0 Package(s)
    Upgrade       2 Package(s)

    Total size: 1.9 M
    Is this ok [y/N]: y
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/pam.d/system-auth
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/access.conf
    Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/limits.conf
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/pam.d/system-auth
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/access.conf
    Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/limits.conf
    Is this ok [y/N]: y
      Updating       : pam                                                                                                                                     1/4
      Updating       : pam                                                                                                                                     2/4
      Cleanup        : pam                                                                                                                                     3/4
      Cleanup        : pam                                                                                                                                     4/4

    Updated:
      pam.i386 0:0.99.6.2-12.el5                                                    pam.x86_64 0:0.99.6.2-12.el5

    Complete!

The plugin itself can be found in my github hacks repository.


Nov. 8 2013 update:

As hinted at in the comments, I've now turned this into a larger project to improve the interaction between Yum and Puppet. You can find it on GitHub.

Solution 2:

Yes, it's possible but it doesn't relate to the Puppet itself.

Linux systems has support for inotify mechanism which "can be used to monitor and act upon filesystem events". Besides inotify-tools there is also incron program which works similar to cron but it reacts to file system events. I think that you may use it for being notified about changing any file.

(BTW, if you want to watching /etc/sysctl.conf file I suggest to check before do it -- is your Linux has support for /etc/sysctl.d directory?)