A realization: install configuration files before packages
We have what is probably a somewhat unusual problem. Every so often we do what I'll call an 'in-place' reinstall of a machine, where we reinstall a machine with the name and IP address that it will use in production, and as part of such reinstalls we install packages for things like mailers (if the machine is a mail machine), web servers, and so on. The problem with this is that sometimes a package will not just install the daemon but auto-start it for you. This auto-start happens with the package's default configuration file, which generally won't work right for your environment; an extreme case is a mailer, where everyone installs very conservative, no-relay configurations. If you start the mailer on one of your custom mail machines with such a conservative configuration, it will immediately start bouncing incoming email. So far we've dealt with this by install instructions that say things like 'shut down the following services on other machines' or 'before you install these additional packages, add the following IP blocks'. This has generally worked but it's always made me a little nervous about how fragile it was.
I'm slow sometimes, so it was only today that it occurred to me that there's another way. Normally we install software packages, stop the daemon, and then install our local configuration files. Well, you know, there's no reason we have to do it in that order; instead, we can install our local configuration files before installing the packages. That way even if installing the package auto-starts the daemon it will auto-start with our configuration files instead of the stock ones and things will work or at least fail gracefully, even if we slip up and don't apply the IP blocks or don't shut down everything.
Whether or not this works depends on how the packaging system you're
using behaves and whether or not the files you're pre-installing are
marked as 'configuration' files (I know this works in Debian's
beyond that I haven't yet experimented). Hopefully every package system
is smart enough to go along with this, because this is a useful trick.
(One potential problem with this is file ownership, if installing the package also creates some users or groups. There are potential ways around this if it matters, but in general what you care about is not necessarily that the daemon works but that it doesn't hard-fail anything that it shouldn't hard-fail. Having a setup that just says 'sorry, internal problem, come back later' is generally at least as good as having a fully working one.)