This is one approach - see the end of the page for other approaches.
Tracking /etc etc
Mercurial can be used to track host configuration, like a kind of backup of config. I use a depot in / and hgignore everything.
Files that I want to track are added on demand. Before editing an untracked file I commit it so that I can see what has been changed. After completing an admin task I review the output from "hg diff | vim -R -", check that I made the right changes, check that all relevant changes are tracked, and then I commit.
But there are some attributes that Mercurial doesn't track, such as owner and group and permissions, mtime/ctime/atime, special file system attributes. So don't try to update, that will mess things up. A restore must be done manually and carefully. Also be careful when you want to revert or stop tracking files (you might want to use hg rm --after).
Tracking symlinks like for example /etc/rc.d/rc?.d/* requires Mercurial 0.9.5. When dealing with symlinks be careful about what you are tracking: The link or the target file.
Some files in /etc/ are binary, and you probably don't want to track them. But there are files in other places that it makes sense to track. Please extend the list below with files you need track and think others would like to track too.
How to get started
cd / hg init . chmod go-rwx .hg echo ^ > .hgignore hg add \ .hgignore \ boot/grub/device.map \ boot/grub/grub.conf \ etc/aliases \ etc/crontab \ etc/dhcpd.conf \ etc/dirvish/master.conf \ etc/fstab \ etc/group \ etc/gshadow \ etc/hosts \ etc/httpd/conf.d/*.conf \ etc/httpd/conf/httpd.conf \ etc/inittab \ etc/mantis/config_inc.php \ etc/modprobe.conf \ etc/mtab \ etc/nsswitch.conf \ etc/ntp.conf \ etc/passwd \ etc/php.ini \ etc/postfix/access \ etc/postfix/aliases \ etc/postfix/canonical \ etc/postfix/generic \ etc/postfix/header_checks \ etc/postfix/main.cf \ etc/postfix/master.cf \ etc/postfix/relocated \ etc/postfix/transport \ etc/postfix/virtual \ etc/rc.d/* \ etc/rc.d/rc?.d/* \ etc/resolv.conf \ etc/samba/lmhosts \ etc/samba/smb.conf \ etc/samba/smbusers \ etc/selinux/config \ etc/selinux/restorecond.conf \ etc/selinux/semanage.conf \ etc/selinux/targeted/modules/active/booleans.local \ etc/shadow \ etc/squirrelmail/config.php \ etc/squirrelmail/config_local.php \ etc/squirrelmail/default_pref \ etc/squirrelmail/sqspell_config.php \ etc/ssh/ssh_config \ etc/ssh/ssh_host_dsa_key.pub \ etc/ssh/ssh_host_key.pub \ etc/ssh/ssh_host_rsa_key.pub \ etc/ssh/sshd_config \ etc/sysconfig/authconfig \ etc/sysconfig/clock \ etc/sysconfig/grub \ etc/sysconfig/hwconf \ etc/sysconfig/i18n \ etc/sysconfig/iptables \ etc/sysconfig/iptables-config \ etc/sysconfig/kernel \ etc/sysconfig/keyboard \ etc/sysconfig/network \ etc/sysconfig/network-scripts/ifcfg-eth* \ etc/sysconfig/system-config-securitylevel \ etc/sysctl.conf \ etc/yum.conf \ root/anaconda-ks.cfg \ root/setup.txt \ usr/local/bin/* \ usr/local/sbin/* \ var/lib/samba/private/passdb.tdb \ var/lib/samba/private/secrets.tdb \ var/lib/samba/private/smbpasswd \ var/log/dmesg \ var/log/rpmpkgs \ var/named/chroot/etc/named.conf \ var/named/chroot/var/named/* \
sudo and multiple users
You will obviously need to use sudo (or a similar tool) when managing those repositories, but often you will want separate users to still retain their username, custom Mercurial settings, etc. There are several approaches to that:
Have each user define HGRCPATH to include their own .hgrc file, and configure sudo to preserve that variable:
# /etc/sudoers Defaults:username env_keep += "HGRCPATH" # or Defaults:%groupname env_keep += "HGRCPATH"
You can see where Mercurial is looking for hgrc files with hg debugconfig --debug:
$ hg debugconfig --debug read config from: /etc/mercurial/hgrc read config from: /home/username/.hgrc ...
More automatic, but less desirable for security reasons: let sudo preserve $HOME by adding the following to your /etc/sudoers file (somewhere after the env_reset and "env_keep =" lines, if it has them):
Defaults:username env_keep += "HOME"
Update Hook for proper permissions
I use this script as an update hook to manage the special permissions that files in /etc need (and also those I want my home directory contents to have). I'm sure there are some holes in it, but it does what I need it to do.
repo="$(hg root)"
case "${repo}" in
"/etc")
cd "${repo}"
for file in $(hg manifest) ; do
perms=$(stat -c %a "${file}")
case "${file}" in
"shadow"|"gshadow")
if [[ "${perms}" == "644" ]] ; then
chmod -v 600 "${file}"
fi
;;
*)
if [[ "${perms}" == "700" ]] ; then
chmod -v 755 "${file}"
elif [[ "${perms}" == "600" ]] ; then
chmod -v 644 "${file}"
fi
;;
esac
done
;;
"/home/ataraxia")
cd "${repo}"
for file in $(hg manifest) ; do
perms=$(stat -c %a "${file}")
if [[ "${perms}" == "755" ]] ; then
chmod -v 700 "${file}"
elif [[ "${perms}" == "644" ]] ; then
chmod -v 600 "${file}"
fi
done
;;
*)
;;
esac
Other approaches and comments
http://www.selenic.com/pipermail/mercurial/2007-August/014296.html Beware of the problems ...
http://www.selenic.com/pipermail/mercurial/2007-August/014298.html Example of complex .hgignore
http://www.selenic.com/pipermail/mercurial/2007-August/014301.html Discouragement ...
http://michael-prokop.at/blog/2007/03/14/maintain-etc-with-mercurial-on-debian/ Maintain /etc with mercurial on Debian
http://ygingras.net/b/2007/11/a-case-for-hg-on-etc Encouragement ...