X-Git-Url: http://git.annexia.org/?a=blobdiff_plain;f=clone%2Fvirt-sysprep.pod;h=eb56801dafbdebe7b433d042299f82b4235e1d91;hb=37cdd39ada139956f237b55c87c095bed622b5e3;hp=cc8e44f48413df426d95af657e2cb62d80d4fdda;hpb=1e35941f62bddafd6b88270b22b3afe4a5d37baa;p=libguestfs.git diff --git a/clone/virt-sysprep.pod b/clone/virt-sysprep.pod index cc8e44f..eb56801 100755 --- a/clone/virt-sysprep.pod +++ b/clone/virt-sysprep.pod @@ -26,6 +26,12 @@ must be shut down. If you want to preserve the existing contents of the guest, you I. See L below. +You do I need to run virt-sysprep as root. In fact we'd +generally recommend that you don't. The time you might want to run it +as root is when you need root in order to access the disk image, but +even in this case it would be better to change the permissions on the +disk image to be writable as the non-root user running virt-sysprep. + "Sysprep" stands for "system preparation" tool. The name comes from the Microsoft program C which is used to unconfigure Windows machines in preparation for cloning them. Having said that, @@ -119,6 +125,16 @@ If not given, defaults to C. List the operations supported by the virt-sysprep program. +=item B<--selinux-relabel> + +=item B<--no-selinux-relabel> + +I<--selinux-relabel> forces SELinux relabelling next time the guest +boots. I<--no-selinux-relabel> disables relabelling. + +The default is to try to detect if SELinux relabelling is required. +See L below for more details. + =item B<-v> =item B<--verbose> @@ -139,9 +155,9 @@ Enable tracing of libguestfs API calls. =head1 OPERATIONS -If the I<--enable> option is I given, then all sysprep operations -in the list below are enabled, although some are skipped depending on -the type of guest. +If the I<--enable> option is I given, then +I, although some are skipped +depending on the type of guest. Operations can be individually enabled using the I<--enable> option. Use a comma-separated list, for example: @@ -151,22 +167,61 @@ Use a comma-separated list, for example: To list the operations supported by the current version of virt-sysprep, use I<--list-operations>. +Future versions of virt-sysprep may add more operations. If you are +using virt-sysprep and want predictable behaviour, specify only the +operations that you want to have enabled. + +=head2 cron-spool + +Remove user at-jobs and cron-jobs. + +=head2 dhcp-client-state + +Remove DHCP client leases. + +=head2 dhcp-server-state + +Remove DHCP server leases. + =head2 hostname -This changes the hostname of the guest to the value given in the +Changes the hostname of the guest to the value given in the I<--hostname> parameter. If the I<--hostname> parameter is not given, then the hostname is changed to C. +=head2 logfiles + +Remove many log files. + +=head2 mail-spool + +Remove email from the local mail spool directory. + =head2 net-hwaddr Remove HWADDR (hard-coded MAC address) configuration. For Fedora and Red Hat Enterprise Linux, this is removed from C files. +=head2 random-seed + +Write some random bytes from the host into the random seed file of +the guest. + +See L below. + +=head2 rhn-systemid + +Remove the RHN system ID. + +=head2 smolt-uuid + +Remove the Smolt hardware UUID. + =head2 ssh-hostkeys -This erases the SSH host keys in the guest. +Remove the SSH host keys in the guest. The SSH host keys are regenerated (differently) next time the guest is booted. @@ -181,14 +236,29 @@ you a stark warning about the host key changing: =head2 udev-persistent-net -This erases udev persistent net rules which map the guest's existing -MAC address to a fixed ethernet device (eg. eth0). +Remove udev persistent net rules which map the guest's existing MAC +address to a fixed ethernet device (eg. eth0). After a guest is cloned, the MAC address usually changes. Since the old MAC address occupies the old name (eg. eth0), this means the fresh MAC address is assigned to a new name (eg. eth1) and this is usually undesirable. Erasing the udev persistent net rules avoids this. +=head2 utmp + +Remove the utmp file. + +This records who is currently logged in on a machine. In modern Linux +distros it is stored in a ramdisk and hence not part of the virtual +machine's disk, but it was stored on disk in older distros. + +=head2 yum-uuid + +Remove the yum UUID. + +Yum creates a fresh UUID the next time it runs when it notices that +the original UUID has been erased. + =head1 COPYING AND CLONING Virt-sysprep can be used as part of a process of cloning guests, or to @@ -356,6 +426,52 @@ to pay for disk space), then instead of copying the template, you can run L. Virt-resize performs a copy and resize, and thus is ideal for cloning guests from a template. +=head1 SECURITY + +Although virt-sysprep removes some sensitive information from the +guest, it does not pretend to remove all of it. You should examine +the L above, and the implementation of the operations in +the shell script. You should also examine the guest afterwards. + +Sensitive files are simply removed. The data they contained may still +exist on the disk, easily recovered with a hex editor or undelete +tool. Use L as one way to remove this content. See +also the L command to get rid of deleted content in +directory entries and inodes. + +=head2 RANDOM SEED + +I<(This section applies to Linux guests only)> + +The virt-sysprep C operation writes a few bytes of +randomness from the host into the guest's random seed file. + +If this is just done once and the guest is cloned from the same +template, then each guest will start with the same entropy, and things +like SSH host keys and TCP sequence numbers may be predictable. + +Therefore you should arrange to add more randomness I cloning +from a template too, which can be done by just enabling the +C operation: + + cp template.img newguest.img + virt-sysprep --enable=random-seed -a newguest.img + +=head2 SELINUX RELABELLING + +I<(This section applies to Linux guests using SELinux only)> + +If any new files are created by virt-sysprep, then virt-sysprep +touches C so that these will be correctly labelled by +SELinux the next time the guest is booted. This process interrupts +boot and can take some time. + +You can force relabelling for all guests by supplying the +I<--selinux-relabel> option. + +You can disable relabelling entirely by supplying the +I<--no-selinux-relabel> option. + =head1 SHELL QUOTING Libvirt guest names can contain arbitrary characters, some of which @@ -376,8 +492,9 @@ L, L, L, L, -L, L, +L, +L, L, L.