Add sed-like operations #1099

Closed
rtsisyk opened this issue Sep 23, 2020 · 3 comments
Labels
kind/enhancement spec change Requires changes to the spec

Comments

rtsisyk commented Sep 23, 2020

Feature Request

Desired Feature

MachineConfigOperator + Ignition is a powerful tool. It almost completely supersedes Ansible and other configuration tools.
The only thing I really miss is the ability to invoke sed-like commands on configuration files. Ansible provides a great module called lineinfile. This module can change text files in a declarative manner:

```yaml
# NOTE: Fully quoted because of the ': ' on the line. See the Gotchas in the YAML docs.
- name: Validate the sudoers file before saving
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%ADMIN ALL='
    line: '%ADMIN ALL=(ALL) NOPASSWD: ALL'
    validate: /usr/sbin/visudo -cf %s

- name: Ensure SELinux is set to enforcing mode
  lineinfile:
    path: /etc/selinux/config
    regexp: '^SELINUX='
    line: SELINUX=enforcing

- name: Make sure group wheel is not in the sudoers configuration
  lineinfile:
    path: /etc/sudoers
    state: absent
    regexp: '^%wheel'
```

I often just want to change one line in /etc without overwriting the entire file. For example, set PasswordAuthentication no in /etc/ssh/sshd_config or disable sudo without password in /etc/sudoers, like in the example above.

Currently Ignition doesn't provide a way to change lines in the middle of a file. I propose to extend the files section to support lineinfile-like operations. I don't see any contradictions with the core concepts of Ignition.

Any thoughts? Please upvote if you also miss this feature.

Member

jlebon commented Sep 23, 2020

The thing with lineinfile is that it marks the config file as "modified", which means that from that point on you'll stop receiving updates to the config file (this isn't specific to OSTree systems, see e.g. rpmconf).

The approach we've been trying to push for is .d drop-in directories. Some projects already support this, and some don't. For those that don't, we've sometimes worked with upstreams to add support.

In the case of sshd_config, see https://bugzilla.mindrot.org/show_bug.cgi?id=2468 --> https://src.fedoraproject.org/rpms/openssh/blob/7e9d04698628fb536f09dc7a63d48cc7ff04022f/f/openssh-7.7p1-redhat.patch#_75.

For PasswordAuthentication, note FCOS already disables it by default: https://github.com/coreos/fedora-coreos-config/blob/dda7834cadbd1a0fd10e68ae332ce6f48d34d57a/overlay.d/15fcos/etc/ssh/sshd_config.d/40-disable-passwords.conf (see coreos/fedora-coreos-tracker#138).

For /etc/sudoers, it also supports /etc/sudoers.d, see for example: https://github.com/coreos/fedora-coreos-config/blob/dda7834cadbd1a0fd10e68ae332ce6f48d34d57a/overlay.d/05core/etc/sudoers.d/coreos-sudo-group.
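The drop-in approach from the comment above, as an added example that is not part of the original thread and is not Ignition project code: it turns lineinfile-style requests into Ignition `storage.files` entries that create new files under `sshd_config.d` or `sudoers.d` instead of editing the vendor file. The `DROPIN_DIRS` mapping, the function names, the `10-admin` file name and the spec version `3.1.0` are assumptions made for illustration; requests that a drop-in cannot express (`state: absent`, or a target such as `/etc/selinux/config` that is not in the mapping) are rejected.

```python
import json
from urllib.parse import quote

# Assumed mapping from a monolithic config file to its drop-in directory,
# the file suffix that directory expects, and the mode for new files.
# sudoers.d skips file names containing '.', so its suffix is empty.
DROPIN_DIRS = {
    "/etc/ssh/sshd_config": ("/etc/ssh/sshd_config.d", ".conf", 0o644),
    "/etc/sudoers": ("/etc/sudoers.d", "", 0o440),
}


def dropin_file(target, name, line, state="present"):
    """Turn one lineinfile-style request into an Ignition storage.files entry."""
    if state != "present":
        # A drop-in adds a file; it cannot delete a line from the vendor file.
        raise ValueError(f"state={state!r} cannot be expressed as a drop-in")
    if target not in DROPIN_DIRS:
        raise ValueError(f"{target} has no known drop-in directory")
    if "/" in name or "." in name:
        raise ValueError("name must be a plain file name without '/' or '.'")
    directory, suffix, mode = DROPIN_DIRS[target]
    return {
        "path": f"{directory}/{name}{suffix}",
        "mode": mode,  # json serialises this as decimal: 0o644 -> 420
        "contents": {"source": "data:," + quote(line + "\n")},
    }


def ignition_config(requests, version="3.1.0"):
    """Build a full Ignition config; the spec version is an assumption."""
    files = [dropin_file(**r) for r in requests]
    return {"ignition": {"version": version}, "storage": {"files": files}}


if __name__ == "__main__":
    # Constructed requests modelled on the examples in the issue.
    cfg = ignition_config([
        {"target": "/etc/ssh/sshd_config", "name": "40-disable-passwords",
         "line": "PasswordAuthentication no"},
        {"target": "/etc/sudoers", "name": "10-admin",
         "line": "%ADMIN ALL=(ALL) NOPASSWD: ALL"},
    ])
    print(json.dumps(cfg, indent=2))
```

Because each entry creates a separate file, the vendor-shipped `sshd_config` and `sudoers` stay unmodified and keep receiving updates.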

Author

rtsisyk commented Sep 23, 2020

> The thing with lineinfile is that it marks the config file as "modified", which means that from that point on you'll stop receiving updates to the config file (this isn't specific to OSTree systems, see e.g. rpmconf).

Ahh! I understand the technical limitation: rpm-ostree is not git and it can't merge text changes in files; only an entire file can be replaced. OK, the proposed approach doesn't work in this architecture. I am closing this issue since it can't be implemented.
Thanks for the explanation.

@rtsisyk rtsisyk closed this as completed Sep 23, 2020
@cgwalters
Member

https://blog.verbum.org/2020/08/22/immutable-%E2%86%92-reprovisionable-anti-hysteresis/ also points out problems with lineinfile.
