RPM not identifying modified config files during a package upgrade

Hi. I’ve noticed a situation where modified package config files are not being identified during an upgrade.

Below is an example:

Pre upgrade:

rpm -qa | grep openssh
openssh-server-8.0p1-10.el8.x86_64
openssh-8.0p1-10.el8.x86_64
openssh-clients-8.0p1-10.el8.x86_64

sudo rpm -qc openssh-server
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd

sudo rpm -V openssh-server
S.5....T.  c /etc/ssh/sshd_config

#       S file Size differs
#       5 digest (formerly MD5 sum) differs
#       T mTime differs
#       c %config configuration file.

ls -al /etc/ssh/sshd_config*
-rw-------. 1 root root 4268 Jan 20  2021 /etc/ssh/sshd_config

Package upgrade:

sudo dnf upgrade openssh-server
Last metadata expiration check: 22:46:05 ago on Thu 10 Nov 2022 12:52:26 GMT.
Dependencies resolved.
==============================================================================================================================================================================================================================================================================================================================
 Package                                                                            Architecture                                                              Version                                                                         Repository                                                                 Size
==============================================================================================================================================================================================================================================================================================================================
Upgrading:
 openssh                                                                            x86_64                                                                    8.0p1-13.el8                                                                    baseos                                                                    521 k
 openssh-clients                                                                    x86_64                                                                    8.0p1-13.el8                                                                    baseos                                                                    667 k
 openssh-server                                                                     x86_64                                                                    8.0p1-13.el8                                                                    baseos                                                                    490 k

Transaction Summary
==============================================================================================================================================================================================================================================================================================================================
Upgrade  3 Packages

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): openssh-clients-8.0p1-13.el8.x86_64.rpm                                                                                                                                                                                                                                                 10 MB/s | 667 kB     00:00    
(2/3): openssh-server-8.0p1-13.el8.x86_64.rpm                                                                                                                                                                                                                                                 6.5 MB/s | 490 kB     00:00    
(3/3): openssh-8.0p1-13.el8.x86_64.rpm                                                                                                                                                                                                                                                        6.1 MB/s | 521 kB     00:00    
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                                                                         6.7 MB/s | 1.6 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                                                                      1/1 
  Running scriptlet: openssh-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                          1/1 
  Running scriptlet: openssh-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                          1/6 
  Upgrading        : openssh-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                          1/6 
  Upgrading        : openssh-clients-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                  2/6 
  Running scriptlet: openssh-server-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                   3/6 
  Upgrading        : openssh-server-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                   3/6 
  Running scriptlet: openssh-server-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                   3/6 
  Running scriptlet: openssh-server-8.0p1-10.el8.x86_64                                                                                                                                                                                                                                                                   4/6 
  Cleanup          : openssh-server-8.0p1-10.el8.x86_64                                                                                                                                                                                                                                                                   4/6 
  Running scriptlet: openssh-server-8.0p1-10.el8.x86_64                                                                                                                                                                                                                                                                   4/6 
  Cleanup          : openssh-clients-8.0p1-10.el8.x86_64                                                                                                                                                                                                                                                                  5/6 
  Cleanup          : openssh-8.0p1-10.el8.x86_64                                                                                                                                                                                                                                                                          6/6 
  Running scriptlet: openssh-8.0p1-10.el8.x86_64                                                                                                                                                                                                                                                                          6/6 
  Verifying        : openssh-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                          1/6 
  Verifying        : openssh-8.0p1-10.el8.x86_64                                                                                                                                                                                                                                                                          2/6 
  Verifying        : openssh-clients-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                  3/6 
  Verifying        : openssh-clients-8.0p1-10.el8.x86_64                                                                                                                                                                                                                                                                  4/6 
  Verifying        : openssh-server-8.0p1-13.el8.x86_64                                                                                                                                                                                                                                                                   5/6 
  Verifying        : openssh-server-8.0p1-10.el8.x86_64                                                                                                                                                                                                                                                                   6/6 

Upgraded:
  openssh-8.0p1-13.el8.x86_64                                                                         openssh-clients-8.0p1-13.el8.x86_64                                                                         openssh-server-8.0p1-13.el8.x86_64                                                                        

Complete!

Post upgrade:

rpm -qa | grep openssh
openssh-8.0p1-13.el8.x86_64
openssh-clients-8.0p1-13.el8.x86_64
openssh-server-8.0p1-13.el8.x86_64

sudo rpm -qc openssh-server
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd

sudo rpm -V openssh-server
S.5....T.  c /etc/ssh/sshd_config

ls -al /etc/ssh/sshd_config*
-rw-------. 1 root root 4268 Jan 20  2021 /etc/ssh/sshd_config

After the package upgrade, nothing changes regarding the modified config file.

If /etc/ssh/sshd_config is a config file, and it has been modified, why hasn’t the package upgrade created an rpmsave (%config) or an rpmnew (%config(noreplace)) file?

Thanks.

What you’re seeing is expected behavior. An rpmnew file only appears if the following conditions are met:

  • The default configuration file in the new RPM is different than what was included before (e.g., the defaults were changed by the maintainer)
  • The actual configuration file on disk has been changed from the default that was included in the current or previous version of the package (changes made by the user)

What you’re asking about is the second condition, which is usually what we would expect in most cases because we’ve seen it happen before. However, both the first condition and second condition are not being met, so you do not see an rpmnew file.
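
The three-way comparison behind the conditions above, as an added example that is not part of the original posts: it goes beyond the rpmnew case and also covers when RPM replaces a config file silently or writes an rpmsave. The function name, file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict what RPM does with a config file on upgrade.
# Arguments (all paths are hypothetical stand-ins):
#   $1 = default shipped by the currently installed package
#   $2 = default shipped by the new package
#   $3 = file as it exists on disk
#   $4 = "config" for %config, "noreplace" for %config(noreplace)
config_upgrade_action() {
    old=$1 new=$2 disk=$3 flag=$4
    if cmp -s "$old" "$new"; then
        # Maintainer did not change the default: on-disk content is kept,
        # no .rpmnew or .rpmsave (the situation in this thread).
        echo "keep-disk"
    elif cmp -s "$old" "$disk"; then
        # Default changed and the admin never edited the file:
        # the new default replaces it without a backup.
        echo "install-new"
    elif cmp -s "$new" "$disk"; then
        # Local edits already equal the new default: nothing to preserve.
        echo "install-new"
    elif [ "$flag" = "noreplace" ]; then
        # All three differ: local file stays, new default lands beside it.
        echo "keep-disk+rpmnew"
    else
        # All three differ: new default wins, local file is moved aside.
        echo "install-new+rpmsave"
    fi
}

# Constructed sample files standing in for three sshd_config versions.
demo() {
    d=$(mktemp -d) || return 1
    printf 'PermitRootLogin yes\n' > "$d/old_default"
    printf 'PermitRootLogin yes\n' > "$d/same_default"
    printf 'PermitRootLogin prohibit-password\n' > "$d/changed_default"
    printf 'PermitRootLogin no\n' > "$d/on_disk"
    # 1: edited locally, default unchanged (as in the thread)
    config_upgrade_action "$d/old_default" "$d/same_default" "$d/on_disk" noreplace
    # 2 and 3: edited locally and default changed
    config_upgrade_action "$d/old_default" "$d/changed_default" "$d/on_disk" noreplace
    config_upgrade_action "$d/old_default" "$d/changed_default" "$d/on_disk" config
    # 4: never edited, default changed
    config_upgrade_action "$d/old_default" "$d/changed_default" "$d/old_default" noreplace
    rm -rf "$d"
}
demo
```

Case 4 is the one to watch on hardened hosts: a file that still matches the old default is replaced with no backup, so review the new default after the upgrade.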

Ah! Good point. Completely forgot about the first condition. Many thanks.

On RHEL systems, most config files have a ‘directory.d’ so you can make changes outside of the file list defined in the package.