author | Wanlong Gao <gaowanlong@cn.fujitsu.com> | 2012-05-18 10:49:56 +0800 |
---|---|---|
committer | Richard W.M. Jones <rjones@redhat.com> | 2012-05-18 11:12:03 +0100 |
commit | b6d4c2921287b0e9aa8015d4d79de8d319972791 (patch) | |
tree | 1b5f656faac51cf9e0b904069e6658006251c703 | |
parent | 020e7aa505f6673c1a379ae00dd6d64eea472771 (diff) | |
sysprep: remove ca certificates in the guest
Remove the ca certificates.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
-rw-r--r-- | po/POTFILES-ml | 1 | ||||
-rw-r--r-- | sysprep/Makefile.am | 2 | ||||
-rw-r--r-- | sysprep/sysprep_operation_ca_certificates.ml | 59 |
3 files changed, 62 insertions, 0 deletions
diff --git a/po/POTFILES-ml b/po/POTFILES-ml
index 140d9401..a4f65bf8 100644
--- a/po/POTFILES-ml
+++ b/po/POTFILES-ml
@@ -12,6 +12,7 @@ sysprep/sysprep_gettext.ml
 sysprep/sysprep_operation.ml
 sysprep/sysprep_operation_bash_history.ml
 sysprep/sysprep_operation_blkid_tab.ml
+sysprep/sysprep_operation_ca_certificates.ml
 sysprep/sysprep_operation_cron_spool.ml
 sysprep/sysprep_operation_dhcp_client_state.ml
 sysprep/sysprep_operation_dhcp_server_state.ml
diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am
index 262a9e30..d24ce13f 100644
--- a/sysprep/Makefile.am
+++ b/sysprep/Makefile.am
@@ -36,6 +36,7 @@ SOURCES = \
 sysprep_operation.mli \
 sysprep_operation_bash_history.ml \
 sysprep_operation_blkid_tab.ml \
+ sysprep_operation_ca_certificates.ml \
 sysprep_operation_cron_spool.ml \
 sysprep_operation_dhcp_client_state.ml \
 sysprep_operation_dhcp_server_state.ml \
@@ -71,6 +72,7 @@ OBJECTS = \
 sysprep_operation.cmx \
 sysprep_operation_bash_history.cmx \
 sysprep_operation_blkid_tab.cmx \
+ sysprep_operation_ca_certificates.cmx \
 sysprep_operation_cron_spool.cmx \
 sysprep_operation_dhcp_client_state.cmx \
 sysprep_operation_dhcp_server_state.cmx \
diff --git a/sysprep/sysprep_operation_ca_certificates.ml b/sysprep/sysprep_operation_ca_certificates.ml
new file mode 100644
index 00000000..f603a1fe
--- /dev/null
+++ b/sysprep/sysprep_operation_ca_certificates.ml
@@ -0,0 +1,59 @@
+(* virt-sysprep
+ * Copyright (C) 2012 FUJITSU LIMITED
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+open Sysprep_operation
+open Sysprep_gettext.Gettext
+
+module StringSet = Set.Make (String)
+module G = Guestfs
+
+let ca_certificates_perform g root =
+ let typ = g#inspect_get_type root in
+ if typ <> "windows" then (
+ let paths = [ "/etc/pki/CA/certs/*.crt";
+ "/etc/pki/CA/crl/*.crt";
+ "/etc/pki/CA/newcerts/*.crt";
+ "/etc/pki/CA/private/*.key";
+ "/etc/pki/tls/private/*.key";
+ "/etc/pki/tls/certs/*.crt"; ] in
+ let excepts = [ "/etc/pki/tls/certs/ca-bundle.crt";
+ "/etc/pki/tls/certs/ca-bundle.trust.crt"; ] in
+ (* Thanks Rich for this StringSet method *)
+ let paths = List.concat (List.map Array.to_list (List.map g#glob_expand paths)) in
+ let set = List.fold_right StringSet.add paths StringSet.empty in
+ let excepts = List.fold_right StringSet.add excepts StringSet.empty in
+ let set = StringSet.diff set excepts in
+ StringSet.iter (
+ fun filename ->
+ try g#rm filename with G.Error _ -> ()
+ ) set;
+
+ []
+ )
+ else []
+
+let ca_certificates_op = {
+ name = "ca-certificates";
+ enabled_by_default = false;
+ heading = s_"Remove CA certificates in the guest";
+ pod_description = None;
+ extra_args = [];
+ perform = ca_certificates_perform;
+}
+
+let () =
register_operation ca_certificates_op |
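Review bot: The `try g#rm filename with G.Error _ -> ()` handler inside `StringSet.iter` discards every removal failure, so a private key under `/etc/pki/tls/private` or `/etc/pki/CA/private` can survive into a cloned image with no indication that the operation was incomplete. Reporting the failure keeps the best-effort behaviour while making it visible, e.g. `try g#rm filename with G.Error msg -> Printf.eprintf "ca-certificates: cannot remove %s: %s\n" filename msg`. The globs also match only `*.crt` and `*.key`, so key or certificate files stored under other extensions such as `.pem` would presumably be left in place; it is worth confirming that this is intended. Since the operation deletes private keys as well as certificates and deliberately keeps the two `ca-bundle` files, a `pod_description` saying so would serve users better than `None`.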