Rudder

We want to have the possibility to make all configuration-related modification to go into a validation workflow so that they are not immediately deployed on nodes.

For example, such a workflow could be:
- user Alice create a new change request to modify the SSH port from 22 to 2222 in directive "OpenSSH server" because of some new security recommandation
- the modification is sent to Bob, the security guys, for approval, who check the correctness of the update and validate
- next, the prod manager, Charly, programm the modification to be deployed at 3 a.m
- in the night, the modification is commited and deployed
- then, a major service breaks, because it really need to contact SSH servers on port 22
- Charly revert the modification (which is no more deployed on nodes), and ask Alice to also correct the broken, dependant service
- Alice add to the change request the modification of "SSH client" directive of the broken service, and validate the request.
- the change request goes again to Bob, and then to Charly. That time, everything is OK.

All update on a change request must be traced in logs, and all logs of a change request must be linked in some way.
Notice also that the revert and the second modification are all part of the same change request, they are the same business thing.