mirrors/libguestfs
1
0
Fork 0
mirror of https://github.com/libguestfs/libguestfs.git synced 2026-03-21 22:53:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

sysprep: Use customize module for customizing the guest after sysprepping.

Browse Source 
Note this removes the following modules (all replaced by 'customize'):

 - delete       [--delete, --scrub]
 - firstboot    [--firstboot]
 - hostname     [--hostname]
 - password     [--password, --password-crypto, --root-password]
 - random-seed
 - timezone     [--timezone]
This commit is contained in:
Richard W.M. Jones
2014-03-19 15:14:06 +00:00
parent 51834ad219
commit ae6f726ecc
10 changed files with 35 additions and 515 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
po/POTFILES-ml
View File

@@ -37,15 +37,13 @@ sysprep/sysprep_operation_blkid_tab.ml
sysprep/sysprep_operation_ca_certificates.ml
sysprep/sysprep_operation_crash_data.ml
sysprep/sysprep_operation_cron_spool.ml
sysprep/sysprep_operation_delete.ml
sysprep/sysprep_operation_customize.ml
sysprep/sysprep_operation_dhcp_client_state.ml
sysprep/sysprep_operation_dhcp_server_state.ml
sysprep/sysprep_operation_dovecot_data.ml
sysprep/sysprep_operation_firewall_rules.ml
sysprep/sysprep_operation_firstboot.ml
sysprep/sysprep_operation_flag_reconfiguration.ml
sysprep/sysprep_operation_fs_uuids.ml
sysprep/sysprep_operation_hostname.ml
sysprep/sysprep_operation_kerberos_data.ml
sysprep/sysprep_operation_logfiles.ml
sysprep/sysprep_operation_lvm_uuids.ml
@@ -56,9 +54,7 @@ sysprep/sysprep_operation_net_hwaddr.ml
sysprep/sysprep_operation_pacct_log.ml
sysprep/sysprep_operation_package_manager_cache.ml
sysprep/sysprep_operation_pam_data.ml
sysprep/sysprep_operation_password.ml
sysprep/sysprep_operation_puppet_data_log.ml
sysprep/sysprep_operation_random_seed.ml
sysprep/sysprep_operation_rh_subscription_manager.ml
sysprep/sysprep_operation_rhn_systemid.ml
sysprep/sysprep_operation_rpm_db.ml
@@ -68,7 +64,6 @@ sysprep/sysprep_operation_smolt_uuid.ml
sysprep/sysprep_operation_ssh_hostkeys.ml
sysprep/sysprep_operation_ssh_userdir.ml
sysprep/sysprep_operation_sssd_db_log.ml
sysprep/sysprep_operation_timezone.ml
sysprep/sysprep_operation_tmp_files.ml
sysprep/sysprep_operation_udev_persistent_net.ml
sysprep/sysprep_operation_user_account.ml

10
sysprep/Makefile.am
View File

@@ -38,15 +38,13 @@ operations = \
ca_certificates \
crash_data \
cron_spool \
delete \
customize \
dhcp_client_state \
dhcp_server_state \
dovecot_data \
flag_reconfiguration \
firewall_rules \
firstboot \
fs_uuids \
hostname \
kerberos_data \
lvm_uuids \
logfiles \
@@ -57,9 +55,7 @@ operations = \
pacct_log \
package_manager_cache \
pam_data \
password \
puppet_data_log \
random_seed \
rh_subscription_manager \
rhn_systemid \
rpm_db \
@@ -69,7 +65,6 @@ operations = \
ssh_hostkeys \
ssh_userdir \
sssd_db_log \
timezone \
tmp_files \
udev_persistent_net \
user_account \
@@ -101,6 +96,9 @@ deps = \
$(top_builddir)/customize/hostname.cmx \
$(top_builddir)/customize/timezone.cmx \
$(top_builddir)/customize/firstboot.cmx \
$(top_builddir)/customize/perl_edit.cmx \
$(top_builddir)/customize/customize_cmdline.cmx \
$(top_builddir)/customize/customize_run.cmx \
$(top_builddir)/fish/guestfish-uri.o \
sysprep_operation.cmx \
$(patsubst %,sysprep_operation_%.cmx,$(operations)) \

34
sysprep/sysprep_operation_random_seed.ml → sysprep/sysprep_operation_customize.ml
View File

@@ -1,5 +1,5 @@
(* virt-sysprep
* Copyright (C) 2012 Red Hat Inc.
* Copyright (C) 2014 Red Hat Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -19,25 +19,33 @@
open Sysprep_operation
open Common_gettext.Gettext
open Random_seed
module G = Guestfs
let random_seed_perform (g : Guestfs.guestfs) root side_effects =
if set_random_seed g root then
side_effects#created_file ()
let customize_args, get_ops =
let args, get_ops = Customize_cmdline.argspec ~prog () in
let args = List.map (
fun (spec, v, longdesc) ->
{ extra_argspec = spec;
extra_pod_argval = v; extra_pod_description = longdesc }
) args in
args, get_ops
let customize_perform ~debug ~quiet g root side_effects =
let ops = get_ops () in
Customize_run.run ~prog ~debug ~quiet g root ops;
side_effects#created_file () (* XXX Did we? *)
let op = {
defaults with
name = "random-seed";
order = 99; (* Run it after everything. *)
name = "customize";
enabled_by_default = true;
heading = s_"Generate random seed for guest";
heading = s_"Customize the guest";
pod_description = Some (s_"\
Write some random bytes from the host into the random seed file of the
guest.
See L</RANDOM SEED> below.");
perform_on_filesystems = Some random_seed_perform;
Customize the guest by providing L<virt-customize(1)> options
for installing packages, editing files and so on.");
extra_args = customize_args;
perform_on_filesystems = Some customize_perform;
}
let () = register_operation op

74
sysprep/sysprep_operation_delete.ml
View File

@@ -1,74 +0,0 @@
(* virt-sysprep
* Copyright (C) 2013 Fujitsu Ltd.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*)
open Common_utils
open Sysprep_operation
open Common_gettext.Gettext
module G = Guestfs
let paths = ref []
let add_paths ?(scrub = false) path = paths := (scrub, path) :: !paths
let path_perform g root side_effects =
let paths = List.rev !paths in
if paths <> [] then (
List.iter (
function
| false, glob -> Array.iter g#rm_rf (g#glob_expand glob)
| true, path -> g#scrub_file path
) paths
)
let op = {
defaults with
name = "delete";
enabled_by_default = true;
heading = s_"Delete or scrub specified files or directories";
pod_description = Some (s_"\
Use the I<--delete> option to specify a path to remove.
You can use shell glob characters in the specified path; note that such
metacharacters might require proper escape. For example:
virt-sysprep --delete '/var/log/*.log'
An alternative option, I<--scrub>, can be used to scrub files. This
only works for files (not directories) and cannot use globs.
You can use both options as many times as you want.");
extra_args = [
{ extra_argspec = ("--delete", Arg.String add_paths, s_"path" ^ " " ^ s_"File or directory to be removed on guest");
extra_pod_argval = Some "PATHNAME";
extra_pod_description = s_"\
Delete (recursively) the specified C<PATHNAME> in the guest.";
};
{ extra_argspec = ("--scrub", Arg.String (add_paths ~scrub:true), s_"path" ^ " " ^ s_"File to be scrubbed");
extra_pod_argval = Some "PATHNAME";
extra_pod_description = s_"\
Scrub (aggressively overwrite then remove) the specified
file called C<PATHNAME> in the guest. Only single files can
be specified using this argument.";
}
];
perform_on_filesystems = Some path_perform;
}
let () = register_operation op

79
sysprep/sysprep_operation_firstboot.ml
View File

@@ -1,79 +0,0 @@
(* virt-sysprep
* Copyright (C) 2012 Red Hat Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*)
open Printf
open Common_utils
open Sysprep_operation
open Common_gettext.Gettext
module G = Guestfs
let files = ref []
let firstboot_perform g root side_effects =
(* Read the files and add them using the {!Firstboot} module. *)
let files = List.rev !files in
let i = ref 0 in
List.iter (
fun filename ->
incr i;
let i = !i in
let content = read_whole_file filename in
Firstboot.add_firstboot_script g root i content;
side_effects#created_file ()
) files
let op = {
defaults with
name = "firstboot";
(* enabled_by_default because we only do anything if the
* --firstboot parameter is used.
*)
enabled_by_default = true;
heading = s_"Add scripts to run once at next boot";
pod_description = Some (s_"\
Supply one of more shell scripts (using the I<--firstboot> option).
These are run the first time the guest boots, and then are
deleted. So these are useful for performing last minute
configuration that must run in the context of the guest
operating system, for example C<yum update>.
Output or errors from the scripts are written to
C<~root/virt-sysprep-firstboot.log> (in the guest).");
pod_notes = Some (s_"\
Currently this is only implemented for Linux guests using
either SysVinit-style scripts, Upstart or systemd.");
extra_args = [
{ extra_argspec = "--firstboot", Arg.String (fun s -> files := s :: !files), s_"script" ^ " " ^ s_"run script once next time guest boots";
extra_pod_argval = Some "SCRIPT";
extra_pod_description = s_"\
Run script(s) once next time the guest boots. You can supply
the I<--firstboot> option as many times as needed."
}
];
perform_on_filesystems = Some firstboot_perform;
}
let () = register_operation op

60
sysprep/sysprep_operation_hostname.ml
View File

@@ -1,60 +0,0 @@
(* virt-sysprep
* Copyright (C) 2012 Red Hat Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*)
open Printf
open Common_utils
open Sysprep_operation
open Common_gettext.Gettext
module G = Guestfs
let hostname = ref "localhost.localdomain"
let hostname_perform (g : Guestfs.guestfs) root side_effects =
if Hostname.set_hostname g root !hostname then
side_effects#created_file ()
let op = {
defaults with
name = "hostname";
enabled_by_default = true;
heading = s_"Change the hostname of the guest";
pod_description = Some (s_"\
This operation changes the hostname of the guest to the value
given in the I<--hostname> parameter.
If the I<--hostname> parameter is not given, then the hostname is changed
to C<localhost.localdomain>.");
pod_notes = Some (s_"\
Currently this can only set the hostname on Linux guests.");
extra_args = [
{ extra_argspec = "--hostname", Arg.Set_string hostname, s_"hostname" ^ " " ^ s_"New hostname";
extra_pod_argval = Some "HOSTNAME";
extra_pod_description = s_"\
Change the hostname. If not given, defaults to C<localhost.localdomain>."
}
];
perform_on_filesystems = Some hostname_perform;
}
let () = register_operation op

201
sysprep/sysprep_operation_password.ml
View File

@@ -1,201 +0,0 @@
(* virt-sysprep
* Copyright (C) 2013 Red Hat Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*)
open Printf
open Sysprep_operation
open Common_gettext.Gettext
open Password
module G = Guestfs
let passwords = Hashtbl.create 13
let rec set_root_password arg =
set_password "root" arg
and set_user_password arg =
let i =
try String.index arg ':'
with Not_found ->
eprintf (f_"virt-sysprep: password: invalid --password format; see the man page.\n");
exit 1 in
let len = String.length arg in
set_password (String.sub arg 0 i) (String.sub arg (i+1) (len-(i+1)))
and set_password user arg =
let pw = parse_selector ~prog arg in
if Hashtbl.mem passwords user then (
eprintf (f_"virt-sysprep: password: multiple --root-password/--password options set the password for user '%s' twice.\n") user;
exit 1
);
Hashtbl.replace passwords user pw
let password_crypto : password_crypto option ref = ref None
let set_password_crypto arg =
password_crypto := Some (password_crypto_of_string ~prog arg)
let password_perform g root side_effects =
if Hashtbl.length passwords > 0 then (
let typ = g#inspect_get_type root in
match typ with
| "linux" ->
let password_crypto = !password_crypto in
set_linux_passwords ~prog ?password_crypto g root passwords;
side_effects#created_file ()
| _ ->
eprintf (f_"virt-sysprep: cannot set passwords for %s guests.\n") typ;
exit 1
)
let op = {
defaults with
name = "password";
(* enabled_by_default because we only do anything if the
* --password or --root-password parameter is used.
*)
enabled_by_default = true;
heading = s_"Set root or user password";
pod_description = Some (s_"\
Set root or another user's password.
Use the I<--root-password> option to specify a replacement root
password for the guest. You can only use this option once.
Use the I<--password> option to specify replacement user password(s).
You can use this option as many times as you want.
Use I<--password-crypto> to change the password encryption used.
See L</OPTIONS> above for details of these options.
This operation is enabled by default, but it only does something
if there is at least one I<--root-password> or I<--password>
argument given.");
pod_notes = Some (s_"\
Currently this only works for glibc-based Linux guests that
use shadow passwords.");
extra_args = [
{ extra_argspec = "--root-password", Arg.String set_root_password, s_"..." ^ " " ^ s_"set root password (see man page)";
extra_pod_argval = Some "SELECTOR";
extra_pod_description = s_"\
Set the root password. See I<--password> above for the format
of C<SELECTOR>."
};
{ extra_argspec = "--password", Arg.String set_user_password, s_"..." ^ " " ^ s_"set user password (see man page)";
extra_pod_argval = Some "USERNAME:SELECTOR";
extra_pod_description = s_"\
Set a user password. The user must exist already (this option
does I<not> create users).
The I<--password> option takes C<USERNAME:SELECTOR>. The
I<--root-password> option takes just the C<SELECTOR>. The
format of the C<SELECTOR> is described below:
=over 4
=item B<--password USERNAME:file:FILENAME>
=item B<--root-password file:FILENAME>
Read the password from C<FILENAME>. The whole
first line of this file is the replacement password.
Any other lines are ignored. You should create the file
with mode 0600 to ensure no one else can read it.
=item B<--password USERNAME:password:PASSWORD>
=item B<--root-password password:PASSWORD>
Set the password to the literal string C<PASSWORD>.
B<Note: this is not secure> since any user on the same machine
can see the cleartext password using L<ps(1)>.
=item B<--password USERNAME:random>
=item B<--root-password random>
Choose a random password, which is printed on stdout. The password
has approximately 120 bits of randomness.
=item B<--password> USERNAME:disabled
=item B<--root-password> disabled
The account password is disabled. This is like putting C<*>
in the password field.
=item B<--password> USERNAME:locked:file:FILENAME
=item B<--password> USERNAME:locked:password:PASSWORD
=item B<--password> USERNAME:locked:random
=item B<--root-password> locked:file:FILENAME
=item B<--root-password> locked:password:PASSWORD
=item B<--root-password> locked:random
The account is locked, but a password is placed on the
account. If first unlocked (using C<passwd -u>) then logins will
use the given password.
=item B<--password> USERNAME:locked
=item B<--password> USERNAME:locked:disabled
=item B<--root-password> locked
=item B<--root-password> locked:disabled
The account is locked I<and> password is disabled.
=back"
};
{ extra_argspec = "--password-crypto", Arg.String set_password_crypto, s_"md5|sha256|sha512" ^ " " ^ s_"set password crypto";
extra_pod_argval = Some "md5|sha256|sha512";
extra_pod_description = s_"\
Set the password encryption to C<md5>, C<sha256> or C<sha512>.
C<sha256> and C<sha512> require glibc E<ge> 2.7
(check L<crypt(3)> inside the guest).
C<md5> will work with relatively old Linux guests (eg. RHEL 3), but
is not secure against modern attacks.
The default is C<sha512> unless libguestfs detects an old guest
that didn't have support for SHA-512, in which case it will use C<md5>.
You can override libguestfs by specifying this option."
}
];
perform_on_filesystems = Some password_perform;
}
let () = register_operation op

67
sysprep/sysprep_operation_timezone.ml
View File

@@ -1,67 +0,0 @@
(* virt-sysprep
* Copyright (C) 2014 Red Hat Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*)
open Printf
open Common_utils
open Sysprep_operation
open Common_gettext.Gettext
module G = Guestfs
let timezone = ref None
let timezone_perform (g : Guestfs.guestfs) root side_effects =
match !timezone with
| None -> ()
| Some tz ->
if Timezone.set_timezone ~prog g root tz then
side_effects#created_file ()
let op = {
defaults with
name = "timezone";
enabled_by_default = true;
heading = s_"Change the default timezone of the guest";
pod_description = Some (s_"\
This operation changes the default timezone of the guest to the value
given in the I<--timezone> parameter.
If the I<--timezone> parameter is not given, then the timezone is not
changed.
This parameter affects the default timezone that users see when they log
in, but they can still change their timezone per-user account.");
pod_notes = Some (s_"\
Currently this can only set the timezone on Linux guests.");
extra_args = [
let set_timezone str = timezone := Some str in
{ extra_argspec = "--timezone", Arg.String set_timezone, s_"timezone" ^ " " ^ s_"New timezone";
extra_pod_argval = Some "TIMEZONE";
extra_pod_description = s_"\
Change the timezone. Use a location string such as C<Europe/London>"
}
];
perform_on_filesystems = Some timezone_perform;
}
let () = register_operation op

2
sysprep/test-virt-sysprep-passwords.sh
View File

@@ -59,7 +59,7 @@ echo 123456 > password
./virt-sysprep \
-a passwords.qcow2 \
--enable password \
--enable customize \
--password test01:password:123456 \
--password test02:password:123456:7890 \
--password test03:file:./password \

16
sysprep/virt-sysprep.pod
View File

@@ -134,10 +134,10 @@ operations, while the meta-names C<defaults> and C<all> represent
respectively the operations enabled by default and all the available ones.
For example:
--operations delete,defaults,-hostname
--operations firewall-rules,defaults,-tmp-files
would enable the C<delete> operation (regardless whether it is enabled by
default), all the default ones, and disable the C<hostname> operation.
would enable the C<firewall-rules> operation (regardless whether it is enabled by
default), all the default ones, and disable the C<tmp-files> operation.
I<--operations> can be specified multiple times; the first time the set
of enabled operations is empty, while any further I<--operations> affects
@@ -502,19 +502,19 @@ content in directory entries and inodes.
I<(This section applies to Linux guests only)>
The virt-sysprep C<random-seed> operation writes a few bytes of
randomness from the host into the guest's random seed file.
For supported guests, virt-sysprep writes a few bytes of randomness
from the host into the guest's random seed file.
If this is just done once and the guest is cloned from the same
template, then each guest will start with the same entropy, and things
like SSH host keys and TCP sequence numbers may be predictable.
Therefore you should arrange to add more randomness I<after> cloning
from a template too, which can be done by just enabling the
C<random-seed> operation:
from a template too, which can be done by enabling just the customize
module:
cp template.img newguest.img
virt-sysprep --enable random-seed -a newguest.img
virt-sysprep --enable customize -a newguest.img
=head2 SELINUX RELABELLING