diff options
author | Richard W.M. Jones <rjones@redhat.com> | 2011-10-13 15:37:56 +0100 |
---|---|---|
committer | Richard W.M. Jones <rjones@redhat.com> | 2011-10-13 22:36:56 +0100 |
commit | 9e382f1ae33ed25f012596b801e9cc4a440cb74b (patch) | |
tree | 61afe205dd6145d19e9b9393d121df0a46b53869 | |
parent | 189c3d6ac1e3fbd4f8ffbaafdc36b8ad00961284 (diff) | |
download | libguestfs-9e382f1ae33ed25f012596b801e9cc4a440cb74b.tar.gz libguestfs-9e382f1ae33ed25f012596b801e9cc4a440cb74b.tar.xz libguestfs-9e382f1ae33ed25f012596b801e9cc4a440cb74b.zip |
virt-sysprep: Switch to using guestmount, add more features.
This switches virt-sysprep to use guestmount instead of guestfish.
This makes the script a little bit easier to modify for sysadmins.
This commit also adds:
- dhcp-client-state
- dhcp-server-state
- logfiles
- random-seed
- smolt-uuid
- yum-uuid
SELinux relabelling, and a section on security in the manual page.
-rw-r--r-- | Makefile.am | 8 | ||||
-rw-r--r-- | README | 6 | ||||
-rw-r--r-- | TODO | 15 | ||||
-rw-r--r-- | clone/virt-sysprep.in | 313 | ||||
-rwxr-xr-x | clone/virt-sysprep.pod | 105 |
5 files changed, 293 insertions, 154 deletions
diff --git a/Makefile.am b/Makefile.am index 3d44c76a..5170ec8c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -38,9 +38,6 @@ SUBDIRS += fish # virt-tools in C. SUBDIRS += align cat df edit inspector rescue -# virt-tools in shell. -SUBDIRS += clone - # Language bindings. if HAVE_PERL SUBDIRS += perl perl/examples @@ -88,6 +85,11 @@ if HAVE_FUSE SUBDIRS += fuse endif +# virt-tools in shell. This uses guestmount. +if HAVE_FUSE +SUBDIRS += clone +endif + # po-docs must come after tools, inspector. if HAVE_PO4A SUBDIRS += po-docs @@ -134,6 +134,12 @@ To build the Perl tools: - perl-libintl for translating perl code (optional) +To run virt-sysprep: + +- xmlstarlet (optional) + +- virt-sysprep also requires FUSE support since it uses guestmount + Building ---------------------------------------------------------------------- @@ -537,7 +537,6 @@ virt-sysprep ideas ------------------ - touch /.unconfigured ? - - smolt ID - Spacewalk / RHN ID - Kerberos keys - Puppet registration @@ -549,11 +548,8 @@ virt-sysprep ideas . install a firstboot script virt-sysprep --script=/tmp/foo.sh . run an external shell script . run external guestfish script virt-sysprep --fish=/tmp/foo.fish - . rm /var/cache/apt/archives/*deb - - log files (thanks Steve Grubb) - . as well as the obvious log files, also - utmp/wtmp/btmp/tallylog and pam_faillock's data files - - RNG seed (Steve Grubb) + . rm /var/cache/apt/archives/* + - /var/run/* and pam_faillock's data files - homedirs/.ssh directory, especially /root/.ssh (Steve Grubb) - if drives are encrypted, then dm-crypt key should be changed and drives all re-encrypted @@ -564,20 +560,13 @@ virt-sysprep ideas may have picked up some certificates or things. This is an area that you would want to look into. - secure erase of inodes etc using scrub (Steve Grubb) - - touch /.autorelabel if we create any new files (thanks Dan Berrange) - - should we use guestmount instead of guestfish - and would that make it easier to run the tool inside VMs? - other directories that could require cleaning include: - /var/lib/dhcpd/* - /var/lib/dhclient/* /var/cache/gdm/* /var/lib/fprint/* /var/run/* /var/spool/mail/* /var/spool/cron/* /var/lib/AccountService/users/* - /var/cache/yum/* - /var/lib/yum/* (only /var/lib/yum/uuid) /var/lib/sss/db/* /var/lib/samba/* /var/lib/samba/*/* diff --git a/clone/virt-sysprep.in b/clone/virt-sysprep.in index cf4ad969..981ed964 100644 --- a/clone/virt-sysprep.in +++ b/clone/virt-sysprep.in @@ -21,9 +21,12 @@ unset CDPATH program="virt-sysprep" version="@PACKAGE_VERSION@" +# Uncomment this to see every shell command that is executed. +#set -x + TEMP=`getopt \ -o a:c:d:vVx \ - --long help,add:,connect:,domain:,enable:,format::,hostname:,list-operations,verbose,version \ + --long help,add:,connect:,domain:,enable:,format::,hostname:,list-operations,selinux-relabel,no-selinux-relabel,verbose,version \ -n $program -- "$@"` if [ $? != 0 ]; then echo "$program: problem parsing the command line arguments" @@ -31,18 +34,15 @@ if [ $? != 0 ]; then fi eval set -- "$TEMP" -# This array accumulates the arguments we pass through to guestfish. -declare -a guestfish -guestfish[0]="guestfish" -guestfish[1]="--rw" -guestfish[2]="--listen" -guestfish[3]="-i" -i=4 +# This array accumulates the arguments we pass through to guestmount. +declare -a params +i=0 verbose= add_params=0 enable= hostname_param=localhost.localdomain +selinux_relabel=auto usage () { @@ -59,17 +59,17 @@ usage () while true; do case "$1" in -a|--add) - guestfish[i++]="-a" - guestfish[i++]="$2" + params[i++]="-a" + params[i++]="$2" ((add_params++)) shift 2;; -c|--connect) - guestfish[i++]="-c" - guestfish[i++]="$2" + params[i++]="-c" + params[i++]="$2" shift 2;; -d|--domain) - guestfish[i++]="-d" - guestfish[i++]="$2" + params[i++]="-d" + params[i++]="$2" ((add_params++)) shift 2;; --enable) @@ -81,9 +81,9 @@ while true; do shift 2;; --format) if [ -n "$2" ]; then - guestfish[i++]="--format=$2" + params[i++]="--format=$2" else - guestfish[i++]="--format" + params[i++]="--format" fi shift 2;; --help) @@ -94,15 +94,29 @@ while true; do --list-operations) enable=list shift;; + --selinux-relabel) + selinux_relabel=yes + shift;; + --no-selinux-relabel) + selinux_relabel=no + shift;; -v|--verbose) - guestfish[i++]="-v" + params[i++]="-v" verbose=yes shift;; -V|--version) echo "$program $version" exit 0;; -x) - guestfish[i++]="-x" + # Can't pass the -x option directly to guestmount because + # that stops guestmount from forking, which means we can't + # coordinate with guestmount when it has finished + # initializing. So instead set just the underlying option + # in libguestfs by exporting LIBGUESTFS_TRACE. + # Unfortunately (a) this omits FUSE calls, but don't worry + # about that for now, and more importantly (b) trace + # messages disappear into never-never land after the fork. + export LIBGUESTFS_TRACE=1 shift;; --) shift @@ -117,23 +131,41 @@ done # enable all of these, although some of them are only done on certain # guest types (see details below). if [ -z "$enable" ]; then + dhcp_client_state=yes + dhcp_server_state=yes hostname=yes + logfiles=yes net_hwaddr=yes + random_seed=yes + smolt_uuid=yes ssh_hostkeys=yes udev_persistent_net=yes + yum_uuid=yes elif [ "$enable" = "list" ]; then + echo "dhcp-client-state" + echo "dhcp-server-state" echo "hostname" + echo "logfiles" echo "net-hwaddr" + echo "random-seed" + echo "smolt-uuid" echo "ssh-hostkeys" echo "udev-persistent-net" + echo "yum-uuid" exit 0 else for opt in $(echo "$enable" | sed 's/,/ /g'); do case "$opt" in + dhcp-client-state) dhcp_client_state=yes ;; + dhcp-server-state) dhcp_server_state=yes ;; hostname) hostname=yes ;; + logfiles) logfiles=yes ;; net-hwaddr) net_hwaddr=yes ;; + random-seed) random_seed=yes ;; + smolt-uuid) smolt_uuid=yes ;; ssh-hostkeys) ssh_hostkeys=yes ;; udev-persistent-net) udev_persistent_net=yes ;; + yum-uuid) yum_uuid=yes ;; *) echo "error: unknown --enable feature: $opt" exit 1 @@ -161,126 +193,99 @@ fi set -e if [ "$verbose" = "yes" ]; then - echo command: "${guestfish[@]}" + echo params: "${params[@]}" fi # Create a temporary directory for general purpose use during operations. tmpdir="$(mktemp -d)" -# Increase the amount of memory allocated to the appliance because -# we're using augeas. The user can override this by setting -# $LIBGUESTFS_MEMSIZE before running the script. -export LIBGUESTFS_MEMSIZE=${LIBGUESTFS_MEMSIZE:-2048} - -# Call guestfish. -GUESTFISH_PID= -eval $("${guestfish[@]}") -if [ -z "$GUESTFISH_PID" ]; then - echo "$program: guestfish didn't start up, see error messages above" - exit 1 -fi - -# Helper. -gf="guestfish --remote --" - cleanup () { - $gf exit >/dev/null 2>&1 ||: - rm -rf "$tmpdir" ||: + if [ -d $tmpdir/mnt ]; then + fusermount -u $tmpdir/mnt >/dev/null 2>&1 ||: + fi + rm -rf $tmpdir ||: } trap cleanup EXIT ERR -# Launch back-end, inspect for operating systems, and get the guest -# root disk. -root=$($gf inspect-get-roots) - -if [ "$root" = "" ]; then - echo "$program: no operating system was found on this disk" - exit 1 -fi - -if [ "$verbose" = "yes" ]; then - echo root: "$root" -fi - -# Get the guest type. -type="$($gf -inspect-get-type $root)" +# Run virt-inspector and grab inspection information about this guest. +virt-inspector "${params[@]}" > $tmpdir/xml +xmlstarlet sel -t -c \ + "string(/operatingsystems/operatingsystem[position()=1]/name)" \ + $tmpdir/xml > $tmpdir/type +xmlstarlet sel -t -c \ + "string(/operatingsystems/operatingsystem[position()=1]/distro)" \ + $tmpdir/xml > $tmpdir/distro ||: +xmlstarlet sel -t -c \ + "string(/operatingsystems/operatingsystem[position()=1]/package_format)" \ + $tmpdir/xml > $tmpdir/package_format ||: +xmlstarlet sel -t -c \ + "string(/operatingsystems/operatingsystem[position()=1]/package_management)" \ + $tmpdir/xml > $tmpdir/package_management ||: + +type="$(cat $tmpdir/type)" +distro="$(cat $tmpdir/distro)" +package_format="$(cat $tmpdir/package_format)" +package_management="$(cat $tmpdir/package_management)" + +# Mount the disk. +mkdir $tmpdir/mnt +guestmount --rw -i "${params[@]}" $tmpdir/mnt + +mnt="$tmpdir/mnt" -if [ "$type" = "linux" ]; then - distro="$($gf -inspect-get-distro $root)" -fi +#---------------------------------------------------------------------- +# The sysprep operations. -if [ "$type" = "windows" ]; then - systemroot="$($gf -inspect-get-windows-systemroot $root)" +if [ "$dhcp_client_state" = "yes" ]; then + case "$type" in + linux) + rm -rf $mnt/var/lib/dhclient/* + # RHEL 3: + rm -rf $mnt/var/lib/dhcp/* + ;; + esac fi -# Start Augeas if it's a Linux guest. -if [ "$type" = "linux" ]; then - $gf aug-init / 0 - using_augeas=yes +if [ "$dhcp_server_state" = "yes" ]; then + case "$type" in + linux) + rm -rf $mnt/var/lib/dhcpd/* + ;; + esac fi -#---------------------------------------------------------------------- -# Useful functions. - -# erase_line filename regex -# -# Erase line(s) in a file that match the given regex. -erase_line () -{ - $gf download "$1" "$tmpdir/file" - sed "/$2/d" < "$tmpdir/file" > "$tmpdir/file.1" - $gf upload "$tmpdir/file.1" "$1" -} - -# prepend_line filename line -# -# Prepend a line to a file (this is better than appending, because it -# works even when the original file isn't terminated with a newline). -prepend_line () -{ - $gf download "$1" "$tmpdir/file" - echo "$2" > "$tmpdir/file.1" - cat "$tmpdir/file.1" "$tmpdir/file" >> "$tmpdir/file.2" - $gf upload "$tmpdir/file.2" "$1" -} - -# rm_files wildcard -# -# Remove files. Doesn't fail if no files exist. Note the wildcard -# parameter cannot contain spaces or characters that need special -# quoting. -rm_files () -{ - files=$($gf glob-expand "$1") - for f in $files; do - $gf rm "$f" - done -} - -# rm_file filename -# -# Remove a single file. No error if the file doesn't exist or is not -# a file. -rm_file () -{ - t=$($gf is-file "$1") - if [ "$t" = "true" ]; then - $gf rm "$1" - fi -} - -#---------------------------------------------------------------------- -# The sysprep operations. - if [ "$hostname" = "yes" ]; then case "$type/$distro" in linux/fedora) - $gf aug-set /files/etc/sysconfig/network/HOSTNAME "$hostname_param" - augeas_save_needed=yes + echo "HOSTNAME=$hostname_param" > $mnt/etc/sysconfig/network.new + sed '/^HOSTNAME=/d' < $mnt/etc/sysconfig/network >> $mnt/etc/sysconfig/network.new + mv -f $mnt/etc/sysconfig/network.new $mnt/etc/sysconfig/network + created_files=yes ;; linux/debian|linux/ubuntu) - $gf write /etc/hostname "$hostname_param" + echo "$hostname_param" > $mnt/etc/hostname + created_files=yes + ;; + esac +fi + +if [ "$logfiles" = "yes" ]; then + case "$type" in + linux) + rm -rf $mnt/var/log/*.log* + rm -rf $mnt/var/log/audit/* + rm -rf $mnt/var/log/btmp* + rm -rf $mnt/var/log/cron* + rm -rf $mnt/var/log/dmesg* + rm -rf $mnt/var/log/lastlog* + rm -rf $mnt/var/log/maillog* + rm -rf $mnt/var/log/mail/* + rm -rf $mnt/var/log/messages* + rm -rf $mnt/var/log/secure* + rm -rf $mnt/var/log/spooler* + rm -rf $mnt/var/log/tallylog* + rm -rf $mnt/var/log/wtmp* ;; esac fi @@ -288,35 +293,77 @@ fi if [ "$net_hwaddr" = "yes" ]; then case "$type/$distro" in linux/fedora) - # XXX these filenames can have spaces and untrusted chars in them! - nodes=$( $gf aug-ls /files/etc/sysconfig/network-scripts | - grep /files/etc/sysconfig/network-scripts/ifcfg- ) - for node in $nodes; do - $gf -aug-rm "$node/HWADDR" >/dev/null - augeas_save_needed=yes - done + if [ -d $mnt/etc/sysconfig/network-scripts ]; then + rm_hwaddr () + { + sed '/^HWADDR=/d' < "$1" > "$1.new" + mv -f "$1.new" "$1" + } + export -f rm_hwaddr + find $mnt/etc/sysconfig/network-scripts \ + -name 'ifcfg-*' -type f \ + -exec bash -c 'rm_hwaddr "$0"' {} \; + created_files=yes + fi ;; esac fi +if [ "$random_seed" = "yes" -a "$type" = "linux" ]; then + f= + if [ -f $mnt/var/lib/random-seed ]; then + # Fedora + f=$mnt/var/lib/random-seed + elif [ -f $mnt/var/lib/urandom/random-seed ]; then + # Debian + f=$mnt/var/lib/urandom/random-seed + fi + if [ -n "$f" ]; then + dd if=/dev/random of="$f" bs=8 count=1 conv=nocreat,notrunc 2>/dev/null + fi +fi + +if [ "$smolt_uuid" = "yes" -a "$type" = "linux" ]; then + rm -f $mnt/etc/sysconfig/hw-uuid + rm -f $mnt/etc/smolt/uuid + rm -f $mnt/etc/smolt/hw-uuid +fi + if [ "$ssh_hostkeys" = "yes" -a "$type" != "windows" ]; then - rm_files "/etc/ssh/*_host_*" + rm -rf $mnt/etc/ssh/*_host_* fi if [ "$udev_persistent_net" = "yes" -a "$type" = "linux" ]; then - rm_file /etc/udev/rules.d/70-persistent-net.rules + rm -f $mnt/etc/udev/rules.d/70-persistent-net.rules +fi + +if [ "$yum_uuid" = "yes" -a "$package_management" = "yum" ]; then + rm -f $mnt/var/lib/yum/uuid fi #---------------------------------------------------------------------- # Clean up and close down. -if [ "$using_augeas" = "yes" -a "$augeas_save_needed" = "yes" ]; then - $gf aug-save - $gf aug-close -fi +# If we created any new files and the guest uses SELinux, then we have +# to relabel the filesystem on boot. Could do with a better way to +# test "guest uses SELinux" (XXX). +case "$selinux_relabel/$created_files" in + yes/*) + touch $mnt/.autorelabel;; + auto/yes) + case "$type/$distro" in + linux/fedora|linux/rhel|linux/centos|linux/scientificlinux|linux/redhat-based) + touch $mnt/.autorelabel + ;; + esac + ;; +esac + +sync + +fusermount -u $tmpdir/mnt +rm -rf $tmpdir -$gf umount-all -$gf sync -$gf exit +trap - EXIT ERR exit 0 diff --git a/clone/virt-sysprep.pod b/clone/virt-sysprep.pod index cc8e44f4..fa10b9ea 100755 --- a/clone/virt-sysprep.pod +++ b/clone/virt-sysprep.pod @@ -26,6 +26,12 @@ must be shut down. If you want to preserve the existing contents of the guest, you I<must copy or clone the disk first>. See L</COPYING AND CLONING> below. +You do I<not> need to run virt-sysprep as root. In fact we'd +generally recommend that you don't. The time you might want to run it +as root is when you need root in order to access the disk image, but +even in this case it would be better to change the permissions on the +disk image to be writable as the non-root user running virt-sysprep. + "Sysprep" stands for "system preparation" tool. The name comes from the Microsoft program C<sysprep.exe> which is used to unconfigure Windows machines in preparation for cloning them. Having said that, @@ -119,6 +125,16 @@ If not given, defaults to C<localhost.localdomain>. List the operations supported by the virt-sysprep program. +=item B<--selinux-relabel> + +=item B<--no-selinux-relabel> + +I<--selinux-relabel> forces SELinux relabelling next time the guest +boots. I<--no-selinux-relabel> disables relabelling. + +The default is to try to detect if SELinux relabelling is required. +See L</SELINUX RELABELLING> below for more details. + =item B<-v> =item B<--verbose> @@ -151,22 +167,45 @@ Use a comma-separated list, for example: To list the operations supported by the current version of virt-sysprep, use I<--list-operations>. +=head2 dhcp-client-state + +Remove DHCP client leases. + +=head2 dhcp-server-state + +Remove DHCP server leases. + =head2 hostname -This changes the hostname of the guest to the value given in the +Changes the hostname of the guest to the value given in the I<--hostname> parameter. If the I<--hostname> parameter is not given, then the hostname is changed to C<localhost.localdomain>. +=head2 logfiles + +Remove many log files. + =head2 net-hwaddr Remove HWADDR (hard-coded MAC address) configuration. For Fedora and Red Hat Enterprise Linux, this is removed from C<ifcfg-*> files. +=head2 random-seed + +Write some random bytes from the host into the random seed file of +the guest. + +See C</RANDOM SEED> below. + +=head2 smolt-uuid + +Remove the Smolt hardware UUID. + =head2 ssh-hostkeys -This erases the SSH host keys in the guest. +Remove the SSH host keys in the guest. The SSH host keys are regenerated (differently) next time the guest is booted. @@ -181,14 +220,21 @@ you a stark warning about the host key changing: =head2 udev-persistent-net -This erases udev persistent net rules which map the guest's existing -MAC address to a fixed ethernet device (eg. eth0). +Remove udev persistent net rules which map the guest's existing MAC +address to a fixed ethernet device (eg. eth0). After a guest is cloned, the MAC address usually changes. Since the old MAC address occupies the old name (eg. eth0), this means the fresh MAC address is assigned to a new name (eg. eth1) and this is usually undesirable. Erasing the udev persistent net rules avoids this. +=head2 yum-uuid + +Remove the yum UUID. + +yum creates a fresh UUID the next time it runs when it notices that +the original UUID has been erased. + =head1 COPYING AND CLONING Virt-sysprep can be used as part of a process of cloning guests, or to @@ -356,6 +402,54 @@ to pay for disk space), then instead of copying the template, you can run L<virt-resize(1)>. Virt-resize performs a copy and resize, and thus is ideal for cloning guests from a template. +=head1 SECURITY + +Although virt-sysprep removes some sensitive information from +the guest, it does not pretend to remove all of it. You should +examine the L</OPERATIONS> above, and the implementation of +the operations in the shell script. + +You should also examine the guest afterwards. + +Sensitive files are simply removed. The data they contained may still +exist on the disk, easily recovered with a hex editor or undelete +tool. Use L<virt-sparsify(1)> as one way to remove this content. See +also the L<scrub(1)> command to get rid of deleted content in +directory entries and inodes. + +=head2 RANDOM SEED + +I<(This section applies to Linux guests only)> + +The virt-sysprep C<random-seed> operation writes a few bytes of +randomness from the host into the guest's random seed file. + +If this is just done once and the guest is cloned from the same +template, then each guest will start with the same entropy, and things +like SSH host keys and TCP sequence numbers may be predictable. + +Therefore you should arrange to add more randomness I<after> cloning +from a template too, which can be done by just enabling the +C<random-seed> operation: + + cp template.img newguest.img + virt-sysprep --enable=random-seed -a newguest.img + +=head2 SELINUX RELABELLING + +I<(This section applies to Linux guests using SELinux only)> + +If any new files are created by virt-sysprep, then virt-sysprep +touches C</.autorelabel> so that these will be correctly labelled by +SELinux the next time the guest is booted. This process interrupts +boot and can take some time. + +You can force relabelling for all guests by supplying the +I<--selinux-relabel> option. + +You can disable relabelling entirely by supplying the +I<--no-selinux-relabel> option. + =head1 SHELL QUOTING Libvirt guest names can contain arbitrary characters, some of which @@ -376,8 +470,9 @@ L<virt-rescue(1)>, L<virt-resize(1)>, L<virt-sparsify(1)>, L<virsh(1)>, -L<qemu-img(1)>, L<lvcreate(8)>, +L<qemu-img(1)>, +L<scrub(1)>, L<http://libguestfs.org/>, L<http://libvirt.org/>. |