Notified when a file controlled by puppet is going to be changed by yum
Solution 1:
Yum supports plugins, so it's entirely possible to write a plugin that reads the cached puppet manifest and warns when a transaction will overwrite a puppet-controlled file. I'm not aware of an existing plugin that does this, but I will probably write just wrote one myself as I like the idea.
The plugin checks all newly installed/upgraded/downgraded packages, tells you which puppet-managed files it will overwrite and asks for a confirmation to do so.
[root@camel ~]# yum update pam
Loaded plugins: puppet, security
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package pam.i386 0:0.99.6.2-12.el5 set to be updated
---> Package pam.x86_64 0:0.99.6.2-12.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
===============================================================================================================================================================
Package Arch Version Repository Size
===============================================================================================================================================================
Updating:
pam i386 0.99.6.2-12.el5 base 983 k
pam x86_64 0.99.6.2-12.el5 base 982 k
Transaction Summary
===============================================================================================================================================================
Install 0 Package(s)
Upgrade 2 Package(s)
Total download size: 1.9 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): pam-0.99.6.2-12.el5.x86_64.rpm | 982 kB 00:00
(2/2): pam-0.99.6.2-12.el5.i386.rpm | 983 kB 00:00
---------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 8.7 MB/s | 1.9 MB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/pam.d/system-auth
Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/access.conf
Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/limits.conf
Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/pam.d/system-auth
Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/access.conf
Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/limits.conf
Is this ok [y/N]: n
Aborting
[root@camel ~]# yum update pam
Loaded plugins: puppet, security
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package pam.i386 0:0.99.6.2-12.el5 set to be updated
---> Package pam.x86_64 0:0.99.6.2-12.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
===============================================================================================================================================================
Package Arch Version Repository Size
===============================================================================================================================================================
Updating:
pam i386 0.99.6.2-12.el5 base 983 k
pam x86_64 0.99.6.2-12.el5 base 982 k
Transaction Summary
===============================================================================================================================================================
Install 0 Package(s)
Upgrade 2 Package(s)
Total size: 1.9 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/pam.d/system-auth
Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/access.conf
Installing pam-0.99.6.2-12.el5.i386 overwrites puppet-managed file /etc/security/limits.conf
Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/pam.d/system-auth
Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/access.conf
Installing pam-0.99.6.2-12.el5.x86_64 overwrites puppet-managed file /etc/security/limits.conf
Is this ok [y/N]: y
Updating : pam 1/4
Updating : pam 2/4
Cleanup : pam 3/4
Cleanup : pam 4/4
Updated:
pam.i386 0:0.99.6.2-12.el5 pam.x86_64 0:0.99.6.2-12.el5
Complete!
The plugin itself can be found in my github hacks repository.
Nov. 8 2013 update:
As hinted at in the comments, I've now turned this into a larger project to improve the interaction between Yum and Puppet. You can find it on GitHub.
Solution 2:
Yes, it's possible but it doesn't relate to the Puppet itself.
Linux systems has support for inotify mechanism which "can be used to monitor and act upon filesystem events". Besides inotify-tools there is also incron program which works similar to cron but it reacts to file system events. I think that you may use it for being notified about changing any file.
(BTW, if you want to watching /etc/sysctl.conf file I suggest to check before do it -- is your Linux has support for /etc/sysctl.d directory?)