virt-sysprep(1)             Virtualization Support             virt-sysprep(1)

NAME
       virt-sysprep - Reset, unconfigure or customize a virtual machine so
       clones can be made

SYNOPSIS
        virt-sysprep [--options] -d domname

        virt-sysprep [--options] -a disk.img [-a disk.img ...]

WARNING
       Using "virt-sysprep" on live virtual machines, or concurrently with
       other disk editing tools, can be dangerous, potentially causing disk
       corruption.  The virtual machine must be shut down before you use this
       command, and disk images must not be edited concurrently.

DESCRIPTION
       Virt-sysprep can reset or unconfigure a virtual machine so that clones
       can be made from it.  Steps in this process include removing SSH host
       keys, removing persistent network MAC configuration, and removing user
       accounts.  Virt-sysprep can also customize a virtual machine, for
       instance by adding SSH keys, users or logos.  Each step can be enabled
       or disabled as required.

       Virt-sysprep modifies the guest or disk image in place.  The guest must
       be shut down.  If you want to preserve the existing contents of the
       guest, you must snapshot, copy or clone the disk first.  See "COPYING
       AND CLONING" below.

       You do not need to run virt-sysprep as root.  In fact we'd generally
       recommend that you don't.  The time you might want to run it as root is
       when you need root in order to access the disk image, but even in this
       case it would be better to change the permissions on the disk image to
       be writable as the non-root user running virt-sysprep.

       "Sysprep" stands for "system preparation" tool.  The name comes from
       the Microsoft program sysprep.exe which is used to unconfigure Windows
       machines in preparation for cloning them.  Having said that, virt-
       sysprep does not currently work on Microsoft Windows guests.  We plan
       to support Windows sysprepping in a future version, and we already have
       code to do it.

OPTIONS
       --help
           Display brief help.

       -a file
       --add file
           Add file which should be a disk image from a virtual machine.

           The format of the disk image is auto-detected.  To override this
           and force a particular format use the --format option.

       -a URI
       --add URI
           Add a remote disk.  The URI format is compatible with guestfish.
           See "ADDING REMOTE STORAGE" in guestfish(1).

       --colors
       --colours
           Use ANSI colour sequences to colourize messages.  This is the
           default when the output is a tty.  If the output of the program is
           redirected to a file, ANSI colour sequences are disabled unless you
           use this option.

       -c URI
       --connect URI
           If using libvirt, connect to the given URI.  If omitted, then we
           connect to the default libvirt hypervisor.

           If you specify guest block devices directly (-a), then libvirt is
           not used at all.

       -d guest
       --domain guest
           Add all the disks from the named libvirt guest.  Domain UUIDs can
           be used instead of names.

       -n
       --dry-run
           Perform a read-only "dry run" on the guest.  This runs the sysprep
           operation, but throws away any changes to the disk at the end.

       --enable operations
           Choose which sysprep operations to perform.  Give a comma-separated
           list of operations, for example:

            --enable ssh-hostkeys,udev-persistent-net

           would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
           operations.

           If the --enable option is not given, then we default to trying most
           sysprep operations (see --list-operations to show which are
           enabled).

           Regardless of the --enable option, sysprep operations are skipped
           for some guest types.

           Use --list-operations to list operations supported by a particular
           version of virt-sysprep.

           See "OPERATIONS" below for a list and an explanation of each
           operation.

       --operation operations
       --operations operations
           Choose which sysprep operations to perform.  Give a comma-separated
           list of operations, for example:

            --operations ssh-hostkeys,udev-persistent-net

           would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
           operations.

           --operations allows you to enable and disable any operation,
           including the default ones (which would be tried when specifying
           neither --operations nor --enable) and all the available ones;
           prepending a "-" in front of an operation name removes it from the
           list of enabled operations, while the meta-names "defaults" and
           "all" represent respectively the operations enabled by default and
           all the available ones.  For example:

            --operations firewall-rules,defaults,-tmp-files

           would enable the "firewall-rules" operation (regardless whether it
           is enabled by default), all the default ones, and disable the
           "tmp-files" operation.

           --operations can be specified multiple times; the first time the
           set of enabled operations is empty, while any further --operations
           affects the operations enabled so far.

           If the --operations option is not given, then we default to trying
           most sysprep operations (see --list-operations to show which are
           enabled).

           Regardless of the --operations option, sysprep operations are
           skipped for some guest types.

           Use --list-operations to list operations supported by a particular
           version of virt-sysprep.

           See "OPERATIONS" below for a list and an explanation of each
           operation.

       --echo-keys
           When prompting for keys and passphrases, virt-sysprep normally
           turns echoing off so you cannot see what you are typing.  If you
           are not worried about Tempest attacks and there is no one else in
           the room you can specify this flag to see what you are typing.

       --format raw|qcow2|..
       --format auto
           The default for the -a option is to auto-detect the format of the
           disk image.  Using this forces the disk format for -a options which
           follow on the command line.  Using --format auto switches back to
           auto-detection for subsequent -a options.

           For example:

            virt-sysprep --format raw -a disk.img

           forces raw format (no auto-detection) for disk.img.

            virt-sysprep --format raw -a disk.img --format auto -a another.img

           forces raw format (no auto-detection) for disk.img and reverts to
           auto-detection for another.img.

           If you have untrusted raw-format guest disk images, you should use
           this option to specify the disk format.  This avoids a possible
           security problem with malicious guests (CVE-2010-3851).

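Auto-detection infers the format from the image's contents, and in a raw image those contents are whatever the guest wrote. The following pre-flight check is an added example, not part of the virt-sysprep documentation or source: it reads a manifest of declared formats, refuses anything that is not pinned, rejects files whose header contradicts the declaration, and prints the `--format ... -a ...` arguments to use. The manifest layout, the function names and the sample files are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: pin the disk format for every image given to virt-sysprep.
# The "FORMAT PATH" manifest and all function names are assumptions.

# Succeeds if FILE begins with the qcow/qcow2 magic bytes "QFI\xfb".
has_qcow_magic() (
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "514649fb" ]
)

# Reads "FORMAT PATH" lines on stdin (paths without whitespace) and prints
# one "--format FORMAT -a PATH" line per accepted image.  Exit status is 1
# if any entry was rejected.  Rejecting a raw image that carries a qcow
# header is a policy choice: forcing raw is already safe for this tool, but
# such an image would be misread by anything that still auto-detects.
pinned_add_args() (
    status=0
    while read -r fmt path; do
        case $fmt in ''|'#'*) continue ;; esac
        reason=
        if [ ! -r "$path" ]; then
            reason="not readable"
        else
            case $fmt in
                raw)   has_qcow_magic "$path" &&
                           reason="declared raw but starts with a qcow header" ;;
                qcow2) has_qcow_magic "$path" ||
                           reason="declared qcow2 but has no qcow header" ;;
                *)     reason="format '$fmt' is not pinned (auto-detection refused)" ;;
            esac
        fi
        if [ -n "$reason" ]; then
            echo "REJECT $path: $reason" >&2
            status=1
        else
            printf '%s\n' "--format $fmt -a $path"
        fi
    done
    exit "$status"
)

# Constructed sample files: an all-zero raw sector, and a "raw" file whose
# first four bytes imitate a qcow header.
make_constructed_samples() {
    dd if=/dev/zero of="$1/plain.img" bs=512 count=1 2>/dev/null
    { printf 'QFI\373'; dd if=/dev/zero bs=508 count=1 2>/dev/null; } > "$1/odd.img"
}

demo_dir=$(mktemp -d)
make_constructed_samples "$demo_dir"
printf 'raw %s\nraw %s\n' "$demo_dir/plain.img" "$demo_dir/odd.img" |
    pinned_add_args || echo "manifest has rejected entries"
rm -rf "$demo_dir"
```
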
       --key SELECTOR
           Specify a key for LUKS, to automatically open a LUKS device when
           using the inspection.  "ID" can be either the libguestfs device
           name, or the UUID of the LUKS device.

           --key "ID":key:KEY_STRING
               Use the specified "KEY_STRING" as passphrase.

           --key "ID":file:FILENAME
               Read the passphrase from FILENAME.

           --key "ID":clevis
               Attempt passphrase-less unlocking for "ID" with Clevis, over
               the network.  Please refer to "ENCRYPTED DISKS" in guestfs(3)
               for more information on network-bound disk encryption (NBDE).

               Note that if any such option is present on the command line,
               QEMU user networking will be automatically enabled for the
               libguestfs appliance.

       --keys-from-stdin
           Read key or passphrase parameters from stdin.  The default is to
           try to read passphrases from the user by opening /dev/tty.

           If there are multiple encrypted devices then you may need to supply
           multiple keys on stdin, one per line.

       --list-operations
           List the operations supported by the virt-sysprep program.

           These are listed one per line, with one or more single-space-
           separated fields, eg:

            $ virt-sysprep --list-operations
            bash-history * Remove the bash history in the guest
            cron-spool * Remove user at-jobs and cron-jobs
            dhcp-client-state * Remove DHCP client leases
            dhcp-server-state * Remove DHCP server leases
            [etc]

           The first field is the operation name, which can be supplied to
           --enable.  The second field is a "*" character if the operation is
           enabled by default or blank if not.  Subsequent fields on the same
           line are the description of the operation.

           Before libguestfs 1.17.33 only the first (operation name) field was
           shown and all operations were enabled by default.

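The set arithmetic described under --operations, combined with the --list-operations format above, can be modelled in a few lines. This is an added example, not code from virt-sysprep: it parses a listing (here a constructed sample) and resolves one or more --operations values to the final enabled set, so a build script can print exactly what a given command line would run. The function names are assumptions, and only the forms documented on this page ("name", "-name", "defaults", "all") are handled.

```sh
#!/bin/sh
# Added example: resolve --operations values against a --list-operations
# listing.  Function names are assumptions made for this illustration.

# Constructed sample in the documented format: name, "*" or blank, description.
sample_listing() {
    cat <<'EOF'
bash-history * Remove the bash history in the guest
ca-certificates   Remove CA certificates in the guest
cron-spool * Remove user at-jobs and cron-jobs
firewall-rules   Remove the firewall rules
ssh-hostkeys * Remove the SSH host keys in the guest
tmp-files * Remove temporary files
udev-persistent-net * Remove udev persistent net rules
EOF
}

# Usage: <listing on stdin> | resolve_ops [OPERATIONS_VALUE ...]
# Each argument is the value of one --operations option, in command-line
# order.  With no arguments the defaults are used.  Prints the enabled
# operations, comma-separated, in listing order; exits 2 on an unknown name.
resolve_ops() (
    if [ $# -eq 0 ]; then
        spec=defaults
    else
        # The first --operations starts from the empty set and later ones
        # keep modifying it, so the values can simply be concatenated.
        spec=$(IFS=,; printf '%s' "$*")
    fi
    awk -F'[ ]' -v spec="$spec" '
        NF { name[++cnt] = $1; all[$1] = 1; if ($2 == "*") def[$1] = 1 }
        END {
            n = split(spec, item, ",")
            for (i = 1; i <= n; i++) {
                op = item[i]
                if (op == "defaults")    { for (k in def) on[k] = 1; continue }
                if (op == "all")         { for (k in all) on[k] = 1; continue }
                remove = (substr(op, 1, 1) == "-")
                if (remove) op = substr(op, 2)
                if (!(op in all)) {
                    print "unknown operation: " op | "cat 1>&2"
                    exit 2
                }
                if (remove) delete on[op]; else on[op] = 1
            }
            sep = ""
            for (i = 1; i <= cnt; i++)
                if (name[i] in on) { printf "%s%s", sep, name[i]; sep = "," }
            print ""
        }'
)

# The example from the --operations text, run against the constructed sample.
sample_listing | resolve_ops firewall-rules,defaults,-tmp-files
```

Against a real installation, pipe `virt-sysprep --list-operations` into `resolve_ops` instead of the sample.
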
       --mount-options mp:opts[;mp:opts;...]
           Set the mount options used when libguestfs opens the disk image.
           Note this has no effect on the guest.  It is used when opening
           certain guests such as ones using the UFS (BSD) filesystem.

           Use a semicolon-separated list of "mountpoint:options" pairs.  You
           may need to quote this list to protect it from the shell.

           For example:

            --mount-options "/:noatime"

           will mount the root directory with "noatime".  This example:

            --mount-options "/:noatime;/var:rw,nodiratime"

           will do the same, plus mount /var with "rw,nodiratime".

       -q
       --quiet
           Don’t print log messages.

           To enable detailed logging of individual file operations, use -x.

       --network
       --no-network
           Enable or disable network access from the guest during the
           installation.

           In virt-sysprep, the network is disabled by default.  You must use
           --network to enable it, in order that options such as --install or
           --update will work.

           virt-builder(1) has more information about the security advantages
           of disabling the network.

       -v
       --verbose
           Enable verbose messages for debugging.

       -V
       --version
           Display version number and exit.

       --wrap
           Wrap error, warning, and informative messages.  This is the default
           when the output is a tty.  If the output of the program is
           redirected to a file, wrapping is disabled unless you use this
           option.

       -x  Enable tracing of libguestfs API calls.

       --append-line FILE:LINE (see "customize" below)
           Append a single line of text to the "FILE".  If the file does not
           already end with a newline, then one is added before the appended
           line.  Also a newline is added to the end of the "LINE" string
           automatically.

           For example (assuming ordinary shell quoting) this command:

            --append-line '/etc/hosts:10.0.0.1 foo'

           will add either "10.0.0.1 foo⏎" or "⏎10.0.0.1 foo⏎" to the file,
           the latter only if the existing file does not already end with a
           newline.

           "⏎" represents a newline character, which is guessed by looking at
           the existing content of the file, so this command does the right
           thing for files using Unix or Windows line endings.  It also works
           for empty or non-existent files.

           To insert several lines, use the same option several times:

            --append-line '/etc/hosts:10.0.0.1 foo'
            --append-line '/etc/hosts:10.0.0.2 bar'

           To insert a blank line before the appended line, do:

            --append-line '/etc/hosts:'
            --append-line '/etc/hosts:10.0.0.1 foo'

       --chmod PERMISSIONS:FILE (see "customize" below)
           Change the permissions of "FILE" to "PERMISSIONS".

           Note: "PERMISSIONS" by default would be decimal, unless you prefix
           it with 0 to get octal, ie. use 0700 not 700.

       --commands-from-file FILENAME (see "customize" below)
           Read the customize commands from a file, one (and its arguments)
           per line.

           Each line contains a single customization command and its
           arguments, for example:

            delete /some/file
            install some-package
            password some-user:password:its-new-password

           Empty lines are ignored, and lines starting with "#" are comments
           and are ignored as well.  Furthermore, arguments can be spread
           across multiple lines, by adding a "\" (continuation character) at
           the end of a line, for example:

            edit /some/file:\
              s/^OPT=.*/OPT=ok/

           The commands are handled in the same order as they are in the file,
           as if they were specified as --delete /some/file on the command
           line.

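The decimal default of --chmod is easy to miss in a file of customize commands: "chmod 700:..." sets mode 01274, not 0700. The following linter is an added example, not part of virt-sysprep: it reads a file in the --commands-from-file format (comments, empty lines and "\" continuations as described above) and reports every chmod whose PERMISSIONS is not octal with a leading 0. The function names and the sample file are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: lint a --commands-from-file script for the --chmod
# decimal/octal pitfall.  Function names are assumptions.

# Constructed sample input.
sample_commands() {
    cat <<'EOF'
# constructed sample for the linter
mkdir /root/.ssh
chmod 700:/root/.ssh
chmod 0600:/root/.ssh/authorized_keys

edit /some/file:\
  s/^OPT=.*/OPT=ok/
chmod u+x:/usr/local/bin/tool
EOF
}

# Usage: lint_commands < FILE
# Prints one finding per offending chmod, with the line number where the
# command starts.  Exit status is 1 if anything was reported, 0 otherwise.
lint_commands() (
    awk '
        # Comments and empty lines are skipped, except inside a continuation.
        !cont && ($0 ~ /^[ \t]*$/ || $0 ~ /^#/) { next }
        # Join continuation lines; the continued text is appended as-is.
        { if (!cont) start = NR; line = buf $0; buf = ""; cont = 0 }
        line ~ /\\$/ { buf = substr(line, 1, length(line) - 1); cont = 1; next }
        {
            cmd = line; sub(/[ \t].*$/, "", cmd)
            if (cmd != "chmod") next
            arg = line;  sub(/^chmod[ \t]+/, "", arg)
            perm = arg;  sub(/:.*$/, "", perm)
            if (perm ~ /^0[0-7]+$/) next          # octal with leading 0: fine
            if (perm ~ /^[1-9][0-9]*$/)           # read as a decimal number
                printf "line %d: chmod %s: decimal %s is mode 0%o in octal\n",
                       start, arg, perm, perm + 0
            else
                printf "line %d: chmod %s: PERMISSIONS is not an octal number with a leading 0\n",
                       start, arg
            bad = 1
        }
        END { exit bad + 0 }
    '
)

sample_commands | lint_commands || echo "commands file needs review"
```
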
       --copy SOURCE:DEST (see "customize" below)
           Copy files or directories recursively inside the guest.

           Wildcards cannot be used.

       --copy-in LOCALPATH:REMOTEDIR (see "customize" below)
           Copy local files or directories recursively into the disk image,
           placing them in the directory "REMOTEDIR" (which must exist).

           Wildcards cannot be used.

       --delete PATH (see "customize" below)
           Delete a file from the guest.  Or delete a directory (and all its
           contents, recursively).

           You can use shell glob characters in the specified path.  Be
           careful to escape glob characters from the host shell, if that is
           required.  For example:

            virt-customize --delete '/var/log/*.log'

           See also: --upload, --scrub.

       --edit FILE:EXPR (see "customize" below)
           Edit "FILE" using the Perl expression "EXPR".

           Be careful to properly quote the expression to prevent it from
           being altered by the shell.

           Note that this option is only available when Perl 5 is installed.

           See "NON-INTERACTIVE EDITING" in virt-edit(1).

       --firstboot SCRIPT (see "customize" below)
           Install "SCRIPT" inside the guest, so that when the guest first
           boots up, the script runs (as root, late in the boot process).

           The script is automatically chmod +x after installation in the
           guest.

           The alternative version --firstboot-command is the same, but it
           conveniently wraps the command up in a single line script for you.

           You can have multiple --firstboot options.  They run in the same
           order that they appear on the command line.

           Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
           more information and caveats about the first boot scripts.

           See also --run.

       --firstboot-command 'CMD+ARGS' (see "customize" below)
           Run command (and arguments) inside the guest when the guest first
           boots up (as root, late in the boot process).

           You can have multiple --firstboot options.  They run in the same
           order that they appear on the command line.

           Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
           more information and caveats about the first boot scripts.

           See also --run.

       --firstboot-install PKG,PKG.. (see "customize" below)
           Install the named packages (a comma-separated list).  These are
           installed when the guest first boots using the guest’s package
           manager (eg. apt, yum, etc.) and the guest’s network connection.

           For an overview on the different ways to install packages, see
           "INSTALLING PACKAGES" in virt-builder(1).

       --hostname HOSTNAME (see "customize" below)
           Set the hostname of the guest to "HOSTNAME".  You can use a dotted
           hostname.domainname (FQDN) if you want.

       --inject-qemu-ga METHOD (see "customize" below)
           Inject the QEMU Guest Agent into a Windows guest.  The guest agent
           communicates with qemu through a socket in order to provide
           enhanced features (see qemu-ga(8)).  This operation also injects a
           firstboot script so that the Guest Agent is installed when the
           guest boots.

           The parameter is the same as used by the --inject-virtio-win
           operation.

           Note that to do a full conversion of a Windows guest from a foreign
           hypervisor like VMware (which involves many other operations) you
           should use the virt-v2v(1) tool instead of this.

       --inject-virtio-win METHOD (see "customize" below)
           Inject virtio-win drivers into a Windows guest.  These drivers add
           virtio accelerated drivers suitable when running on top of a
           hypervisor that supports virtio (such as qemu/KVM).  The operation
           also adjusts the Windows Registry so that the drivers are installed
           when the guest boots.

           The parameter can be one of:

           ISO The path to the ISO image containing the virtio-win drivers
               (eg. /usr/share/virtio-win/virtio-win.iso).

           DIR The directory containing the unpacked virtio-win drivers (eg.
               /usr/share/virtio-win).

           "osinfo"
               The literal string "osinfo" means to use the libosinfo database
               to locate the drivers.  (See osinfo-query(1).)

           Note that to do a full conversion of a Windows guest from a foreign
           hypervisor like VMware (which involves many other operations) you
           should use the virt-v2v(1) tool instead of this.

       --install PKG,PKG.. (see "customize" below)
           Install the named packages (a comma-separated list).  These are
           installed during the image build using the guest’s package manager
           (eg. apt, yum, etc.) and the host’s network connection.

           For an overview on the different ways to install packages, see
           "INSTALLING PACKAGES" in virt-builder(1).

           See also --update, --uninstall.

       --keep-user-accounts USERS (see "user-account" below)
           The user accounts to be kept in the guest.  The value of this
           option is a list of user names separated by comma, where specifying
           a user means it is going to be kept.  For example:

            --keep-user-accounts mary

           would keep the user account "mary".

           This option can be specified multiple times.

       --link TARGET:LINK[:LINK..] (see "customize" below)
           Create symbolic link(s) in the guest, starting at "LINK" and
           pointing at "TARGET".

       --mkdir DIR (see "customize" below)
           Create a directory in the guest.

           This uses "mkdir -p" so any intermediate directories are created,
           and it also works if the directory already exists.

       --move SOURCE:DEST (see "customize" below)
           Move files or directories inside the guest.

           Wildcards cannot be used.

       --no-logfile (see "customize" below)
           Scrub "builder.log" (log file from build commands) from the image
           after building is complete.  If you don't want to reveal precisely
           how the image was built, use this option.

           See also: "LOG FILE".

       --no-selinux-relabel (see "customize" below)
           Do not attempt to correct the SELinux labels of files in the guest.

           In such guests that support SELinux, customization automatically
           relabels files so that they have the correct SELinux label.  (The
           relabeling is performed immediately, but if the operation fails,
           customization will instead touch /.autorelabel on the image to
           schedule a relabel operation for the next time the image boots.)
           This option disables the automatic relabeling.

           The option is a no-op for guests that do not support SELinux.

       --password USER:SELECTOR (see "customize" below)
           Set the password for "USER".  (Note this option does not create the
           user account).

           See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
           "SELECTOR" field, and also how to set up user accounts.

       --password-crypto md5|sha256|sha512 (see "customize" below)
           When the virt tools change or set a password in the guest, this
           option sets the password encryption of that password to "md5",
           "sha256" or "sha512".

           "sha256" and "sha512" require glibc ≥ 2.7 (check crypt(3) inside
           the guest).

           "md5" will work with relatively old Linux guests (eg. RHEL 3), but
           is not secure against modern attacks.

           The default is "sha512" unless libguestfs detects an old guest that
           didn't have support for SHA-512, in which case it will use "md5".
           You can override libguestfs by specifying this option.

           Note this does not change the default password encryption used by
           the guest when you create new user accounts inside the guest.  If
           you want to do that, then you should use the --edit option to
           modify "/etc/sysconfig/authconfig" (Fedora, RHEL) or
           "/etc/pam.d/common-password" (Debian, Ubuntu).

       --remove-user-accounts USERS (see "user-account" below)
           The user accounts to be removed from the guest.  The value of this
           option is a list of user names separated by comma, where specifying
           a user means it is going to be removed.  For example:

            --remove-user-accounts bob,eve

           would only remove the user accounts "bob" and "eve".

           This option can be specified multiple times.

       --root-password SELECTOR (see "customize" below)
           Set the root password.

           See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
           "SELECTOR" field, and also how to set up user accounts.

           Note: In virt-builder, if you don't set --root-password then the
           guest is given a random root password.

       --run SCRIPT (see "customize" below)
           Run the shell script (or any program) called "SCRIPT" on the disk
           image.  The script runs virtualized inside a small appliance,
           chrooted into the guest filesystem.

           The script is automatically chmod +x.

           If libguestfs supports it then a limited network connection is
           available but it only allows outgoing network connections.  You can
           also attach data disks (eg. ISO files) as another way to provide
           data (eg. software packages) to the script without needing a
           network connection (--attach).  You can also upload data files
           (--upload).

           You can have multiple --run options.  They run in the same order
           that they appear on the command line.

           See also: --firstboot, --attach, --upload.

       --run-command 'CMD+ARGS' (see "customize" below)
           Run the command and arguments on the disk image.  The command runs
           virtualized inside a small appliance, chrooted into the guest
           filesystem.

           If libguestfs supports it then a limited network connection is
           available but it only allows outgoing network connections.  You can
           also attach data disks (eg. ISO files) as another way to provide
           data (eg. software packages) to the script without needing a
           network connection (--attach).  You can also upload data files
           (--upload).

           You can have multiple --run-command options.  They run in the same
           order that they appear on the command line.

           See also: --firstboot, --attach, --upload.

       --script SCRIPT (see "script" below)
           Run the named "SCRIPT" (a shell script or program) against the
           guest.  The script can be any program on the host.  The script’s
           current directory will be the guest’s root directory.

           Note: If the script is not on the $PATH, then you must give the
           full absolute path to the script.

       --scriptdir SCRIPTDIR (see "script" below)
           The mount point (an empty directory on the host) used when the
           "script" operation is enabled and one or more scripts are specified
           using --script parameter(s).

           Note: "SCRIPTDIR" must be an absolute path.

           If --scriptdir is not specified then a temporary mountpoint will be
           created.

       --scrub FILE (see "customize" below)
           Scrub a file from the guest.  This is like --delete except that:

           •   It scrubs the data so a guest could not recover it.

           •   It cannot delete directories, only regular files.

       --selinux-relabel (see "customize" below)
           This is a compatibility option that does nothing.

       --sm-attach SELECTOR (see "customize" below)
           Attach to a pool using "subscription-manager".

           See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
           "SELECTOR" field.

       --sm-credentials SELECTOR (see "customize" below)
           Set the credentials for "subscription-manager".

           See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
           "SELECTOR" field.

       --sm-register (see "customize" below)
           Register the guest using "subscription-manager".

           This requires credentials being set using --sm-credentials.

       --sm-remove (see "customize" below)
           Remove all the subscriptions from the guest using
           "subscription-manager".

       --sm-unregister (see "customize" below)
           Unregister the guest using "subscription-manager".

       --ssh-inject USER[:SELECTOR] (see "customize" below)
           Inject an ssh key so the given "USER" will be able to log in over
           ssh without supplying a password.  The "USER" must exist already in
           the guest.

           See "SSH KEYS" in virt-builder(1) for the format of the "SELECTOR"
           field.

           You can have multiple --ssh-inject options, for different users and
           also for more keys for each user.

       --timezone TIMEZONE (see "customize" below)
           Set the default timezone of the guest to "TIMEZONE".  Use a
           location string like "Europe/London".

       --touch FILE (see "customize" below)
           This command performs a touch(1)-like operation on "FILE".

       --truncate FILE (see "customize" below)
           This command truncates "FILE" to a zero-length file. The file must
           exist already.

       --truncate-recursive PATH (see "customize" below)
           This command recursively truncates all files under "PATH" to zero-
           length.

       --uninstall PKG,PKG.. (see "customize" below)
           Uninstall the named packages (a comma-separated list).  These are
           removed during the image build using the guest’s package manager
           (eg. apt, yum, etc.).  Dependent packages may also need to be
           uninstalled to satisfy the request.

           See also --install, --update.

       --update (see "customize" below)
           Do the equivalent of "yum update", "apt-get upgrade", or whatever
           command is required to update the packages already installed in the
           template to their latest versions.

           See also --install, --uninstall.

       --upload FILE:DEST (see "customize" below)
           Upload local file "FILE" to destination "DEST" in the disk image.
           File owner and permissions from the original are preserved, so you
           should set them to what you want them to be in the disk image.

           "DEST" could be the final filename.  This can be used to rename the
           file on upload.

           If "DEST" is a directory name (which must already exist in the
           guest) then the file is uploaded into that directory, and it keeps
           the same name as on the local filesystem.

           See also: --mkdir, --delete, --scrub.

       --write FILE:CONTENT (see "customize" below)
           Write "CONTENT" to "FILE".

OPERATIONS
       If the --enable/--operations option is not given, then most sysprep
       operations are enabled.

       Use "virt-sysprep --list-operations" to list all operations for your
       virt-sysprep binary.  The ones which are enabled by default are marked
       with a "*" character.  Regardless of the --enable/--operations options,
       sysprep operations are skipped for some guest types.

       Operations can be individually enabled using the --enable/--operations
       options.  Use a comma-separated list, for example:

        virt-sysprep --operations ssh-hostkeys,udev-persistent-net [etc..]

       Future versions of virt-sysprep may add more operations.  If you are
       using virt-sysprep and want predictable behaviour, specify only the
       operations that you want to have enabled.

       "*" = enabled by default when no --enable/--operations option is given.

   abrt-data *
       Remove the crash data generated by ABRT.

       Remove the automatically generated ABRT crash data in
       "/var/spool/abrt/".

   backup-files *
       Remove editor backup files from the guest.

       The following files are removed from anywhere in the guest filesystem:

       ·   *.bak

       ·   *~

       On Linux and Unix operating systems, only the following filesystems
       will be examined:

       ·   /etc

       ·   /root

       ·   /srv

       ·   /tmp

       ·   /var

   bash-history *
       Remove the bash history in the guest.

       Remove the bash history of user "root" and any other users who have a
       ".bash_history" file in their home directory.

       Notes on bash-history

       Currently this only looks in "/root" and "/home/*" for home
       directories, so users with home directories in other locations won't
       have the bash history removed.

   blkid-tab *
       Remove blkid tab in the guest.

   ca-certificates
       Remove CA certificates in the guest.

       In case any certificate is removed, the system CA store is updated.

   crash-data *
       Remove the crash data generated by kexec-tools.

       Remove the automatically generated kdump kernel crash data.

   cron-spool *
       Remove user at-jobs and cron-jobs.

   customize *
       Customize the guest.

       Customize the guest by providing virt-customize(1) options for
       installing packages, editing files and so on.

   dhcp-client-state *
       Remove DHCP client leases.

   dhcp-server-state *
       Remove DHCP server leases.

   dovecot-data *
       Remove Dovecot (mail server) data.

   firewall-rules
       Remove the firewall rules.

       This removes custom firewall rules by removing
       "/etc/sysconfig/iptables" or custom firewalld configuration in
       "/etc/firewalld/*/*".

       Note this is not enabled by default since it may expose guests to
796       exploits.  Use with care.
797
798   flag-reconfiguration
799       Flag the system for reconfiguration.
800
801       For Linux guests, this touches "/.unconfigured", which causes the first
802       boot to interactively query the user for settings such as the root
803       password and timezone.
804
805   fs-uuids
806       Change filesystem UUIDs.
807
808       On guests and filesystem types where this is supported, new random
809       UUIDs are generated and assigned to filesystems.
810
811       Notes on fs-uuids
812
813       The fs-uuids operation is disabled by default because it does not yet
814       find and update all the places in the guest that use the UUIDs, for
815       example "/etc/fstab" or the bootloader.  Enabling this operation is
816       more likely than not to make your guest unbootable.
817
818       See: https://bugzilla.redhat.com/show_bug.cgi?id=991641
819
820   ipa-client *
821       Remove the IPA files.
822
823       Remove all the files related to an IPA (Identity, Policy, Audit)
824       system.  This effectively unenrolls the guest from an IPA server
825       without interacting with it.
826
827       This operation does not run "ipa-client".
828
829   kerberos-data
830       Remove Kerberos data in the guest.
831
832   kerberos-hostkeytab *
833       Remove the Kerberos host keytab file in the guest.
834
835   logfiles *
836       Remove many log files from the guest.
837
838       On Linux the following files are removed:
839
840       ·   /etc/Pegasus/*.cnf
841
842       ·   /etc/Pegasus/*.crt
843
844       ·   /etc/Pegasus/*.csr
845
846       ·   /etc/Pegasus/*.pem
847
848       ·   /etc/Pegasus/*.srl
849
850       ·   /root/anaconda-ks.cfg
851
852       ·   /root/anaconda-post.log
853
854       ·   /root/initial-setup-ks.cfg
855
856       ·   /root/install.log
857
858       ·   /root/install.log.syslog
859
860       ·   /root/original-ks.cfg
861
862       ·   /var/cache/fontconfig/*
863
864       ·   /var/cache/gdm/*
865
866       ·   /var/cache/man/*
867
868       ·   /var/lib/AccountService/users/*
869
870       ·   /var/lib/fprint/*
871
872       ·   /var/lib/logrotate.status
873
874       ·   /var/log/*.log*
875
876       ·   /var/log/BackupPC/LOG
877
878       ·   /var/log/ConsoleKit/*
879
880       ·   /var/log/anaconda.syslog
881
882       ·   /var/log/anaconda/*
883
884       ·   /var/log/apache2/*_log
885
886       ·   /var/log/apache2/*_log-*
887
888       ·   /var/log/apt/*
889
890       ·   /var/log/aptitude*
891
892       ·   /var/log/audit/*
893
894       ·   /var/log/btmp*
895
896       ·   /var/log/ceph/*.log
897
898       ·   /var/log/chrony/*.log
899
900       ·   /var/log/cron*
901
902       ·   /var/log/cups/*_log*
903
904       ·   /var/log/debug*
905
906       ·   /var/log/dmesg*
907
908       ·   /var/log/exim4/*
909
910       ·   /var/log/faillog*
911
912       ·   /var/log/firewalld*
913
914       ·   /var/log/gdm/*
915
916       ·   /var/log/glusterfs/*glusterd.vol.log
917
918       ·   /var/log/glusterfs/glusterfs.log
919
920       ·   /var/log/grubby*
921
922       ·   /var/log/httpd/*log
923
924       ·   /var/log/installer/*
925
926       ·   /var/log/jetty/jetty-console.log
927
928       ·   /var/log/journal/*
929
930       ·   /var/log/lastlog*
931
932       ·   /var/log/libvirt/libvirtd.log
933
934       ·   /var/log/libvirt/libxl/*.log
935
936       ·   /var/log/libvirt/lxc/*.log
937
938       ·   /var/log/libvirt/qemu/*.log
939
940       ·   /var/log/libvirt/uml/*.log
941
942       ·   /var/log/lightdm/*
943
944       ·   /var/log/mail/*
945
946       ·   /var/log/maillog*
947
948       ·   /var/log/messages*
949
950       ·   /var/log/ntp
951
952       ·   /var/log/ntpstats/*
953
954       ·   /var/log/ppp/connect-errors
955
956       ·   /var/log/rhsm/*
957
958       ·   /var/log/sa/*
959
960       ·   /var/log/secure*
961
962       ·   /var/log/setroubleshoot/*.log
963
964       ·   /var/log/spooler*
965
966       ·   /var/log/squid/*.log
967
968       ·   /var/log/syslog*
969
970       ·   /var/log/tallylog*
971
972       ·   /var/log/tuned/tuned.log
973
974       ·   /var/log/wtmp*
975
976       ·   /var/log/xferlog*
977
978       ·   /var/named/data/named.run
979
980   lvm-system-devices *
981       Remove LVM2 system.devices file.
982
983       On Linux guests, LVM2's scanning for physical volumes (PVs) may be
984       restricted to those block devices whose WWIDs are listed in
985       "/etc/lvm/devices/system.devices".  When cloning VMs, WWIDs may change,
986       breaking "lvm pvscan".  Remove "/etc/lvm/devices/system.devices".
987
988   lvm-uuids *
989       Change LVM2 PV and VG UUIDs.
990
991       On Linux guests that have LVM2 physical volumes (PVs) or volume groups
992       (VGs), new random UUIDs are generated and assigned to those PVs and
993       VGs.
994
995   machine-id *
996       Remove the local machine ID.
997
998       The machine ID is usually generated from a random source during system
999       installation and stays constant for all subsequent boots.  Optionally,
1000       for stateless systems it is generated during runtime at boot if it is
1001       found to be empty.
1002
1003   mail-spool *
1004       Remove email from the local mail spool directory.
1005
1006   net-hostname *
1007       Remove HOSTNAME and DHCP_HOSTNAME in network interface configuration.
1008
1009       For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
1010       files.
1011
1012   net-hwaddr *
1013       Remove HWADDR (hard-coded MAC address) configuration.
1014
1015       For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
1016       files.
1017
1018   net-nmconn *
1019       Remove system-local NetworkManager connection profiles (keyfiles).
1020
1021       On Fedora and Red Hat Enterprise Linux, remove the
1022       "/etc/NetworkManager/system-connections/*.nmconnection" files.
1023
1024   pacct-log *
1025       Remove the process accounting log files.
1026
1027       When process accounting is turned on, system-wide process accounting
1028       data is stored in the pacct log files.
1029
1030   package-manager-cache *
1031       Remove package manager cache.
1032
1033   pam-data *
1034       Remove the PAM data in the guest.
1035
1036   passwd-backups *
1037       Remove /etc/passwd- and similar backup files.
1038
1039       On Linux the following files are removed:
1040
1041       ·   /etc/group-
1042
1043       ·   /etc/gshadow-
1044
1045       ·   /etc/passwd-
1046
1047       ·   /etc/shadow-
1048
1049       ·   /etc/subgid-
1050
1051       ·   /etc/subuid-
1052
1053   puppet-data-log *
1054       Remove the data and log files of puppet.
1055
1056   rh-subscription-manager *
1057       Remove the RH subscription manager files.
1058
1059   rhn-systemid *
1060       Remove the RHN system ID.
1061
1062   rpm-db *
1063       Remove host-specific RPM database files.
1064
1065       Remove host-specific RPM database files and locks.  RPM will recreate
1066       these files automatically if needed.
1067
1068   samba-db-log *
1069       Remove the database and log files of Samba.
1070
1071   script *
1072       Run arbitrary scripts against the guest.
1073
1074       The "script" module lets you run arbitrary shell scripts or programs
1075       against the guest.
1076
1077       Note this feature requires FUSE support.  You may have to enable this
1078       in your host, for example by adding the current user to the "fuse"
1079       group, or by loading a kernel module.
1080
1081       Use one or more --script parameters to specify scripts or programs that
1082       will be run against the guest.
1083
1084       The script or program is run with its current directory being the
1085       guest’s root directory, so relative paths should be used.  For example:
1086       "rm etc/resolv.conf" in the script would remove a Linux guest’s DNS
1087       configuration file, but "rm /etc/resolv.conf" would (try to) remove the
1088       host’s file.
1089
1090       Normally a temporary mount point for the guest is used, but you can
1091       choose a specific one by using the --scriptdir parameter.
1092
1093       Note: This is different from --firstboot scripts (which run in the
1094       context of the guest when it boots for the first time).  --script
1095       scripts run on the host, not in the guest.
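The relative-path rule above can be enforced inside the script itself. The following is an added example, not code from virt-sysprep. The helper names are hypothetical, and the symlink checks rest on the assumption that an absolute symlink stored in the guest resolves against the host when followed through the mount.

```shell
# clean-guest.sh: added example of a script for "virt-sysprep --script".
# It runs on the HOST with $PWD set to the guest's root, so every path
# must stay relative and must not leave the guest tree.
# guest_path, guest_rm and guest_write are hypothetical helper names.

# guest_path REL: print the physical path of REL under the guest root,
# or fail if REL is absolute, contains "..", or its parent directory
# resolves (for example through a symlink) outside the guest root.
guest_path() {
    local rel="$1" root parent
    case "$rel" in
        /*) echo "refusing absolute path (host file): $rel" >&2; return 1 ;;
        ''|..|../*|*/..|*/../*) echo "refusing path: '$rel'" >&2; return 1 ;;
    esac
    root=$(pwd -P) || return 1
    if [ "$root" = / ]; then
        echo "current directory is /, not a guest mount" >&2
        return 1
    fi
    parent=$(CDPATH= cd -P -- "$(dirname -- "$rel")" 2>/dev/null && pwd -P) || {
        echo "no such directory for: $rel" >&2
        return 1
    }
    case "$parent/" in
        "$root"/*) ;;
        *) echo "escapes guest root: $rel -> $parent" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "$parent" "$(basename -- "$rel")"
}

# guest_rm REL: remove a guest file.  rm(1) removes a symlink itself,
# never the file it points to.
guest_rm() {
    local p
    p=$(guest_path "$1") || return 1
    rm -f -- "$p"
}

# guest_write REL CONTENT: replace a guest file, refusing to write
# through a symlink whose target may be a host file.
guest_write() {
    local p
    p=$(guest_path "$1") || return 1
    if [ -L "$p" ]; then
        echo "refusing to write through symlink: $1" >&2
        return 1
    fi
    printf '%s\n' "$2" > "$p"
}

# Example body of the script (relative paths only):
#   guest_rm etc/resolv.conf
#   guest_write etc/motd "Provisioned from template"
```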
1096
1097   smolt-uuid *
1098       Remove the Smolt hardware UUID.
1099
1100   ssh-hostkeys *
1101       Remove the SSH host keys in the guest.
1102
1103       The SSH host keys are regenerated (differently) next time the guest is
1104       booted.
1105
1106       If, after cloning, the guest gets the same IP address, ssh will give
1107       you a stark warning about the host key changing:
1108
1109        @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1110        @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
1111        @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1112        IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
1113
1114   ssh-userdir *
1115       Remove ".ssh" directories in the guest.
1116
1117       Remove the ".ssh" directory of user "root" and any other users who have
1118       a ".ssh" directory in their home directory.
1119
1120       Notes on ssh-userdir
1121
1122       Currently this only looks in "/root" and "/home/*" for home
1123       directories, so users with home directories in other locations won't
1124       have the ssh files removed.
1125
1126   sssd-db-log *
1127       Remove the database and log files of sssd.
1128
1129   tmp-files *
1130       Remove temporary files.
1131
1132       This removes temporary files under "/tmp" and "/var/tmp".
1133
1134   udev-persistent-net *
1135       Remove udev persistent net rules.
1136
1137       Remove udev persistent net rules which map the guest’s existing MAC
1138       address to a fixed ethernet device (eg. eth0).
1139
1140       After a guest is cloned, the MAC address usually changes.  Since the
1141       old MAC address occupies the old name (eg. eth0), this means the fresh
1142       MAC address is assigned to a new name (eg. eth1) and this is usually
1143       undesirable.  Erasing the udev persistent net rules avoids this.
1144
1145   user-account
1146       Remove the user accounts in the guest.
1147
1148       By default remove all the user accounts and their home directories.
1149       The "root" account is not removed.
1150
1151       See the --remove-user-accounts parameter for a way to specify how to
1152       remove only some users, or to not remove some others.
1153
1154   utmp *
1155       Remove the utmp file.
1156
1157       This file records who is currently logged in on a machine.  In modern
1158       Linux distros it is stored in a ramdisk and hence not part of the
1159       virtual machine’s disk, but it was stored on disk in older distros.
1160
1161   yum-uuid *
1162       Remove the yum UUID.
1163
1164       Yum creates a fresh UUID the next time it runs when it notices that the
1165       original UUID has been erased.
1166

COPYING AND CLONING

1168       Virt-sysprep can be used as part of a process of cloning guests, or to
1169       prepare a template from which guests can be cloned.  There are many
1170       different ways to achieve this using the virt tools, and this section
1171       is just an introduction.
1172
1173       A virtual machine (when switched off) consists of two parts:
1174
1175       configuration
1176           The configuration or description of the guest.  eg. The libvirt XML
1177           (see "virsh dumpxml"), the running configuration of the guest, or
1178           another external format like OVF.
1179
1180           Some configuration items that might need to be changed:
1181
1182           •   name
1183
1184           •   UUID
1185
1186           •   path to block device(s)
1187
1188           •   network card MAC address
1189
1190       block device(s)
1191           One or more hard disk images, themselves containing files,
1192           directories, applications, kernels, configuration, etc.
1193
1194           Some things inside the block devices that might need to be changed:
1195
1196           •   hostname and other net configuration
1197
1198           •   UUID
1199
1200           •   SSH host keys
1201
1202           •   Windows unique security ID (SID)
1203
1204           •   Puppet registration
1205
1206   COPYING THE BLOCK DEVICE
1207       Starting with an original guest, you probably wish to copy the guest
1208       block device and its configuration to make a template.  Then once you
1209       are happy with the template, you will want to make many clones from it.
1210
1211                               virt-sysprep
1212                                    |
1213                                    v
1214        original guest --------> template ---------->
1215                                             \------> cloned
1216                                              \-----> guests
1217                                               \---->
1218
1219       You can, of course, just copy the block device on the host using cp(1)
1220       or dd(1).
1221
1222                          dd                 dd
1223        original guest --------> template ---------->
1224                                             \------> cloned
1225                                              \-----> guests
1226                                               \---->
1227
1228       There are some smarter (and faster) ways too:
1229
1230                                 snapshot
1231                       template ---------->
1232                                   \------> cloned
1233                                    \-----> guests
1234                                     \---->
1235
1236       You may want to run virt-sysprep twice, once to reset the guest (to
1237       make a template) and a second time to customize the guest for a
1238       specific user:
1239
1240                           virt-sysprep        virt-sysprep
1241                             (reset)      (add user, keys, logos)
1242                                |                   |
1243                        dd      v          dd       v
1244        original guest ----> template ---------> copied ------> custom
1245                                                 template       guest
1246
1247       •   Create a snapshot using qemu-img:
1248
1249            qemu-img create -f qcow2 -o backing_file=original snapshot.qcow
1250
1251           The advantage is that you don’t need to copy the original (very
1252           fast) and only changes are stored (less storage required).
1253
1254           Note that writing to the backing file once you have created guests
1255           on top of it is not possible: you will corrupt the guests.
1256
1257       •   Create a snapshot using "lvcreate --snapshot".
1258
1259       •   Other ways to create snapshots include using filesystem-level
1260           tools (for filesystems such as btrfs).
1261
1262           Most Network Attached Storage (NAS) devices can also create cheap
1263           snapshots from files or LUNs.
1264
1265       •   Get your NAS to duplicate the LUN.  Most NAS devices can also
1266           duplicate LUNs very cheaply (they copy them on-demand in the
1267           background).
1268
1269       •   Prepare your template using virt-sparsify(1).  See below.
1270
1271   VIRT-CLONE
1272       A separate tool, virt-clone(1), can be used to duplicate the block
1273       device and/or modify the external libvirt configuration of a guest.  It
1274       will reset the name, UUID and MAC address of the guest in the libvirt
1275       XML.
1276
1277       virt-clone(1) does not use libguestfs and cannot look inside the disk
1278       image.  This was the original motivation to write virt-sysprep.
1279
1280   SPARSIFY
1281                     virt-sparsify
1282        original guest --------> template
1283
1284       virt-sparsify(1) can be used to make the cloning template smaller,
1285       making it easier to compress and/or faster to copy.
1286
1287       Notice that since virt-sparsify also copies the image, you can use it
1288       to make the initial copy (instead of "dd").
1289
1290   RESIZE
1291                                virt-resize
1292                       template ---------->
1293                                   \------> cloned
1294                                    \-----> guests
1295                                     \---->
1296
1297       If you want to give people cloned guests, but let them pick the size of
1298       the guest themselves (eg. depending on how much they are prepared to
1299       pay for disk space), then instead of copying the template, you can run
1300       virt-resize(1).  Virt-resize performs a copy and resize, and thus is
1301       ideal for cloning guests from a template.
1302

FIRSTBOOT VS SCRIPT

1304       The two options --firstboot and --script both supply shell scripts that
1305       are run against the guest.  However these two options are significantly
1306       different.
1307
1308       --firstboot script uploads the file "script" into the guest and
1309       arranges that it will run, in the guest, when the guest is next booted.
1310       (The script will only run once, at the "first boot").
1311
1312       --script script runs the shell "script" on the host, with its current
1313       directory inside the guest filesystem.
1314
1315       If you need, for example, to "yum install" new packages, then you
1316       must not use --script for this, since that would (a) run the "yum"
1317       command on the host and (b) not have access to the same resources
1318       (repositories, keys, etc.) as the guest.  Any command that needs to run
1319       on the guest must be run via --firstboot.
1320
1321       On the other hand if you need to make adjustments to the guest
1322       filesystem (eg. copying in files), then --script is ideal since (a) it
1323       has access to the host filesystem and (b) you will get immediate
1324       feedback on errors.
1325
1326       Either or both options can be used multiple times on the command line.
1327

SECURITY

1329       Virtual machines that employ full disk encryption internally to the
1330       guest should not be considered for cloning and distribution, because
1331       cloning gives multiple parties the same internal volume key, enabling
1332       any one such party to decrypt all the other clones.  Refer to the LUKS
1333       FAQ for details.
1334
1335       Although virt-sysprep removes some sensitive information from the
1336       guest, it does not pretend to remove all of it.  You should examine the
1337       "OPERATIONS" above and the guest afterwards.
1338
1339       Sensitive files are simply removed.  The data they contained may still
1340       exist on the disk, easily recovered with a hex editor or undelete tool.
1341       The --scrub option can be used to scrub files instead of just deleting
1342       them.  virt-sparsify(1) is another way to remove this content.  See
1343       also the scrub(1) command to get rid of deleted content in directory
1344       entries and inodes.
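One way to examine the guest afterwards, aimed at the limitation noted under bash-history and ssh-userdir (only "/root" and "/home/*" are searched), is sketched below. It is an added example, not part of virt-sysprep. It assumes the guest filesystem is mounted read-only at a directory, for instance with guestmount(1); the function names are hypothetical.

```shell
# Added example: list shell history and .ssh leftovers per home directory
# of a guest tree mounted read-only at ROOT.  Function names are
# hypothetical.  "/home/*" is taken here as a one-level glob (assumption),
# so a home such as /home/staff/bob counts as not searched.

# leftover_homes ROOT: print "user<TAB>path<TAB>scope" for every
# .bash_history or .ssh found in a home directory listed in the guest's
# etc/passwd.  scope is "scanned" for /root and /home/NAME, and
# "unscanned" for any other location.
leftover_homes() {
    local root="$1" user pw uid gid gecos home shell f scope
    if [ ! -r "$root/etc/passwd" ]; then
        echo "no readable etc/passwd under $root" >&2
        return 2
    fi
    while IFS=: read -r user pw uid gid gecos home shell; do
        home=${home%/}                  # "/" becomes empty and is skipped
        case "$home" in
            '') continue ;;
            /root) scope=scanned ;;
            /home/*/*) scope=unscanned ;;
            /home/?*) scope=scanned ;;
            /*) scope=unscanned ;;
            *) continue ;;              # not an absolute path
        esac
        for f in .bash_history .ssh; do
            if [ -e "$root$home/$f" ] || [ -L "$root$home/$f" ]; then
                printf '%s\t%s\t%s\n' "$user" "$home/$f" "$scope"
            fi
        done
    done < "$root/etc/passwd"
}

# has_unscanned ROOT: succeed when at least one leftover lies in a home
# directory outside /root and /home/NAME.
has_unscanned() {
    leftover_homes "$1" |
        awk -F'\t' '$3 == "unscanned" { n++ } END { exit (n ? 0 : 1) }'
}

# Intended use on the host, after virt-sysprep has run:
#   guestmount -a template.img -i --ro /mnt/guest
#   leftover_homes /mnt/guest
#   guestunmount /mnt/guest
```

A "scanned" line after a default run means the bash-history or ssh-userdir operation was not enabled. An "unscanned" line marks data those operations never look at, which has to be removed by other means such as --delete or --scrub.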
1345
1346   RANDOM SEED
1347       (This section applies to Linux guests only)
1348
1349       For supported guests, virt-sysprep writes a few bytes of randomness
1350       from the host into the guest’s random seed file.
1351
1352       If this is just done once and the guest is cloned from the same
1353       template, then each guest will start with the same entropy, and things
1354       like SSH host keys and TCP sequence numbers may be predictable.
1355
1356       Therefore you should arrange to add more randomness after cloning from
1357       a template too, which can be done by enabling just the customize
1358       module:
1359
1360        cp template.img newguest.img
1361        virt-sysprep --enable customize -a newguest.img
1362

SELINUX

1364       For guests which make use of SELinux, special handling for them might
1365       be needed when using operations which create new files or alter
1366       existing ones.
1367
1368       For further details, see "SELINUX" in virt-builder(1).
1369

WINDOWS 8

1371       Windows 8 "fast startup" can prevent virt-sysprep from working.  See
1372       "WINDOWS HIBERNATION AND WINDOWS 8 FAST STARTUP" in guestfs(3).
1373

EXIT STATUS

1375       This program returns 0 on success, or 1 if there was an error.
1376

ENVIRONMENT VARIABLES

1378       "VIRT_TOOLS_DATA_DIR"
1379           This can point to the directory containing data files used for
1380           Windows firstboot installation.
1381
1382           Normally you do not need to set this.  If not set, a compiled-in
1383           default will be used (something like /usr/share/virt-tools).
1384
1385           This directory may contain the following files:
1386
1387           rhsrvany.exe
1388               This is the RHSrvAny Windows binary, used to install a
1389               "firstboot" script in Windows guests.  It is required if you
1390               intend to use the --firstboot or --firstboot-command options
1391               with Windows guests.
1392
1393               See also: "https://github.com/rwmjones/rhsrvany"
1394
1395           pvvxsvc.exe
1396               This is a Windows binary shipped with SUSE VMDP, used to
1397               install a "firstboot" script in Windows guests.  It is required
1398               if you intend to use the --firstboot or --firstboot-command
1399               options with Windows guests.
1400
1401       For other environment variables, see "ENVIRONMENT VARIABLES" in
1402       guestfs(3).
1403

SEE ALSO

1405       guestfs(3), guestfish(1), virt-builder(1), virt-clone(1),
1406       virt-customize(1), virt-rescue(1), virt-resize(1), virt-sparsify(1),
1407       virsh(1), lvcreate(8), qemu-img(1), scrub(1), http://libguestfs.org/,
1408       http://libvirt.org/.
1409

AUTHORS

1411       Richard W.M. Jones http://people.redhat.com/~rjones/
1412
1413       Wanlong Gao, Fujitsu Ltd.
1414

COPYRIGHT

1416       Copyright (C) 2011-2023 Red Hat Inc.
1417
1418       Copyright (C) 2012 Fujitsu Ltd.
1419

LICENSE

1421       This program is free software; you can redistribute it and/or modify it
1422       under the terms of the GNU General Public License as published by the
1423       Free Software Foundation; either version 2 of the License, or (at your
1424       option) any later version.
1425
1426       This program is distributed in the hope that it will be useful, but
1427       WITHOUT ANY WARRANTY; without even the implied warranty of
1428       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
1429       General Public License for more details.
1430
1431       You should have received a copy of the GNU General Public License along
1432       with this program; if not, write to the Free Software Foundation, Inc.,
1433       51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
1434

BUGS

1436       To get a list of bugs against libguestfs, use this link:
1437       https://bugzilla.redhat.com/buglist.cgi?component=libguestfs&product=Virtualization+Tools
1438
1439       To report a new bug against libguestfs, use this link:
1440       https://bugzilla.redhat.com/enter_bug.cgi?component=libguestfs&product=Virtualization+Tools
1441
1442       When reporting a bug, please supply:
1443
1444       •   The version of libguestfs.
1445
1446       •   Where you got libguestfs (eg. which Linux distro, compiled from
1447           source, etc)
1448
1449       •   Describe the bug accurately and give a way to reproduce it.
1450
1451       •   Run libguestfs-test-tool(1) and paste the complete, unedited output
1452           into the bug report.
1453
1454
1455
1456guestfs-tools-1.50.1              2023-04-06                   virt-sysprep(1)