When managing the state of a server using a configuration management tool (e.g. salt, puppet, ansible), one can quite easily develop 'unmanaged' state through application of successive versions of the configuration. For example, one could go through the following steps:

- Apply a configuration that creates the file `/etc/a`
- Edit the configuration so that it no longer creates the file `/etc/a`, or references it.
- Apply the new configuration.

This means that the file `/etc/a` remains hanging around on the server. My instinct is that a truly declarative tool should delete the file in step 3, but my experience is that the tools do not. This seems like it could be dangerous -- for example if the file is in `/etc/ssh/ssh_config.d`.

How can one avoid this sort of state appearing, or indeed even detect that it is present?
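
As an added illustration of both halves of the question (detecting leftovers in a directory the tool is supposed to own, and avoiding them by remembering what earlier runs created), here is a small Python script. It is not code from the question or from Salt, Puppet or Ansible; the "manifest of the previous run" strategy is a generic one written for this example, and the script builds its own scratch directory standing in for `/etc/ssh/ssh_config.d` so it runs offline.

```python
"""Detect files left behind in a directory that configuration management is
supposed to own, and remove them using a manifest recorded by earlier runs.

Added example; not code from any of the tools named in the question.
Assumptions: the caller knows which directory is fully managed (here a
temporary stand-in for /etc/ssh/ssh_config.d) and which paths the *current*
configuration declares. Sample files and contents are constructed inline.
"""
import json
import os
import tempfile
from pathlib import Path


def find_unmanaged(managed_dir, declared):
    """Return files (and symlinks) under managed_dir that the current
    configuration does not declare.

    Paths are compared lexically after normalisation and symlinks are not
    followed, so a dangling symlink dropped by an old run is still reported.
    """
    root = Path(managed_dir)
    wanted = {os.path.normpath(os.path.join(root, p)) for p in declared}
    stale = []
    for path in sorted(root.rglob("*")):
        if (path.is_symlink() or path.is_file()) and os.path.normpath(str(path)) not in wanted:
            stale.append(str(path))
    return stale


def reconcile(managed_dir, declared, manifest_file, purge=False):
    """One configuration run with a 'remember what I created' strategy.

    declared: mapping of path relative to managed_dir -> file content.
    manifest_file: JSON list of paths that earlier runs created and still own.
    Returns the paths an earlier run created that this run no longer declares.
    With purge=True those paths are deleted; otherwise they stay in the
    manifest so a later purge can still find them.
    """
    root = Path(managed_dir)
    manifest = Path(manifest_file)
    previous = json.loads(manifest.read_text()) if manifest.exists() else []

    # Write (or refresh) everything the current configuration declares.
    for rel, content in declared.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)

    current = sorted(str(root / rel) for rel in declared)
    stale = sorted(set(previous) - set(current))
    if purge:
        for path in stale:
            p = Path(path)
            if p.is_symlink() or p.exists():
                p.unlink()
    manifest.write_text(json.dumps(current if purge else current + stale))
    return stale


def demo():
    """Reproduce the three-step scenario from the question in a scratch directory."""
    work = Path(tempfile.mkdtemp())
    managed = work / "ssh_config.d"      # stands in for /etc/ssh/ssh_config.d
    manifest = work / "manifest.json"    # kept outside the managed directory

    # Step 1: the configuration declares two drop-in files (constructed sample).
    reconcile(managed, {"10-site.conf": "Host *\n", "20-legacy.conf": "Host old\n"}, manifest)

    # Steps 2-3: 20-legacy.conf is removed from the configuration and the new
    # configuration is applied. Without purge this only reports the leftover.
    stale_detected = reconcile(managed, {"10-site.conf": "Host *\n"}, manifest)
    # Independent check that needs no manifest: scan the owned directory.
    left_behind = find_unmanaged(managed, ["10-site.conf"])

    # Applying again with purge=True actually deletes the leftover.
    removed = reconcile(managed, {"10-site.conf": "Host *\n"}, manifest, purge=True)
    return {
        "stale_detected": [os.path.basename(p) for p in stale_detected],
        "left_behind": [os.path.basename(p) for p in left_behind],
        "removed": [os.path.basename(p) for p in removed],
        "after_purge": find_unmanaged(managed, ["10-site.conf"]),
        "legacy_exists": (managed / "20-legacy.conf").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

`find_unmanaged` is the cheap audit you can run from cron or a monitoring check against any directory whose entire contents should come from configuration management; `reconcile` shows why tools can only delete safely when they have recorded what they created, since nothing in the new configuration mentions the old file. The tool-native equivalents of the purge step are Puppet's `file` resource with `recurse => true, purge => true` and Salt's `file.directory` state with `clean: True`; both delete files in the directory that no other managed resource claims, which is exactly why they should only be applied to directories the tool owns completely.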