1virt-sysprep(1) Virtualization Support virt-sysprep(1)
2
6 virt-sysprep - Reset, unconfigure or customize a virtual machine so
7 clones can be made
8
10 virt-sysprep [--options] -d domname
11 virt-sysprep [--options] -a disk.img [-a disk.img ...]
13
15 Using "virt-sysprep" on live virtual machines, or concurrently with
16 other disk editing tools, can be dangerous, potentially causing disk
17 corruption. The virtual machine must be shut down before you use this
18 command, and disk images must not be edited concurrently.
19
21 Virt-sysprep can reset or unconfigure a virtual machine so that clones
22 can be made from it. Steps in this process include removing SSH host
23 keys, removing persistent network MAC configuration, and removing user
24 accounts. Virt-sysprep can also customize a virtual machine, for
25 instance by adding SSH keys, users or logos. Each step can be enabled
26 or disabled as required.
27 Virt-sysprep modifies the guest or disk image in place. The guest must
29 be shut down. If you want to preserve the existing contents of the
30 guest, you must snapshot, copy or clone the disk first. See "COPYING
31 AND CLONING" below.
32 You do not need to run virt-sysprep as root. In fact we'd generally
34 recommend that you don't. The time you might want to run it as root is
35 when you need root in order to access the disk image, but even in this
36 case it would be better to change the permissions on the disk image to
37 be writable as the non-root user running virt-sysprep.
38 "Sysprep" stands for "system preparation" tool. The name comes from
40 the Microsoft program sysprep.exe which is used to unconfigure Windows
41 machines in preparation for cloning them. Having said that, virt-
42 sysprep does not currently work on Microsoft Windows guests. We plan
43 to support Windows sysprepping in a future version, and we already have
44 code to do it.
45
47 --help
48 Display brief help.
49 -a file
51 --add file
52 Add file which should be a disk image from a virtual machine.
53 The format of the disk image is auto-detected. To override this
55 and force a particular format use the --format option.
56 -a URI
58 --add URI
59 Add a remote disk. The URI format is compatible with guestfish.
60 See "ADDING REMOTE STORAGE" in guestfish(1).
61 --colors
63 --colours
64 Use ANSI colour sequences to colourize messages. This is the
65 default when the output is a tty. If the output of the program is
66 redirected to a file, ANSI colour sequences are disabled unless you
67 use this option.
68 -c URI
70 --connect URI
71 If using libvirt, connect to the given URI. If omitted, then we
72 connect to the default libvirt hypervisor.
73 If you specify guest block devices directly (-a), then libvirt is
75 not used at all.
76 -d guest
78 --domain guest
79 Add all the disks from the named libvirt guest. Domain UUIDs can
80 be used instead of names.
81 -n
83 --dry-run
84 Perform a read-only "dry run" on the guest. This runs the sysprep
85 operation, but throws away any changes to the disk at the end.
86 --enable operations
88 Choose which sysprep operations to perform. Give a comma-separated
89 list of operations, for example:
90 --enable ssh-hostkeys,udev-persistent-net
92 would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
94 operations.
95 If the --enable option is not given, then we default to trying most
97 sysprep operations (see --list-operations to show which are
98 enabled).
99 Regardless of the --enable option, sysprep operations are skipped
101 for some guest types.
102 Use --list-operations to list operations supported by a particular
104 version of virt-sysprep.
105 See "OPERATIONS" below for a list and an explanation of each
107 operation.
108 --operation operations
110 --operations operations
111 Choose which sysprep operations to perform. Give a comma-separated
112 list of operations, for example:
113 --operations ssh-hostkeys,udev-persistent-net
115 would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
117 operations.
118 --operations allows you to enable and disable any operation,
120 including the default ones (which would be tried when specifying
121 neither --operations nor --enable) and all the available ones;
122 prepending a "-" in front of an operation name removes it from the
123 list of enabled operations, while the meta-names "defaults" and
124 "all" represent respectively the operations enabled by default and
125 all the available ones. For example:
126 --operations firewall-rules,defaults,-tmp-files
128 would enable the "firewall-rules" operation (regardless whether it
130 is enabled by default), all the default ones, and disable the
131 "tmp-files" operation.
132 --operations can be specified multiple times; the first time the
134 set of enabled operations is empty, while any further --operations
135 affects the operations enabled so far.
136 If the --operations option is not given, then we default to trying
138 most sysprep operations (see --list-operations to show which are
139 enabled).
140 Regardless of the --operations option, sysprep operations are
142 skipped for some guest types.
143 Use --list-operations to list operations supported by a particular
145 version of virt-sysprep.
146 See "OPERATIONS" below for a list and an explanation of each
148 operation.
149 --echo-keys
151 When prompting for keys and passphrases, virt-sysprep normally
152 turns echoing off so you cannot see what you are typing. If you
153 are not worried about Tempest attacks and there is no one else in
154 the room you can specify this flag to see what you are typing.
155 --format raw|qcow2|..
157 --format auto
158 The default for the -a option is to auto-detect the format of the
159 disk image. Using this forces the disk format for -a options which
160 follow on the command line. Using --format auto switches back to
161 auto-detection for subsequent -a options.
162 For example:
164 virt-sysprep --format raw -a disk.img
166 forces raw format (no auto-detection) for disk.img.
168 virt-sysprep --format raw -a disk.img --format auto -a another.img
170 forces raw format (no auto-detection) for disk.img and reverts to
172 auto-detection for another.img.
173 If you have untrusted raw-format guest disk images, you should use
175 this option to specify the disk format. This avoids a possible
176 security problem with malicious guests (CVE-2010-3851).
177 --keys-from-stdin
179 Read key or passphrase parameters from stdin. The default is to
180 try to read passphrases from the user by opening /dev/tty.
181 --list-operations
183 List the operations supported by the virt-sysprep program.
184 These are listed one per line, with one or more single-space-
186 separated fields, eg:
187 $ virt-sysprep --list-operations
189 bash-history * Remove the bash history in the guest
190 cron-spool * Remove user at-jobs and cron-jobs
191 dhcp-client-state * Remove DHCP client leases
192 dhcp-server-state * Remove DHCP server leases
193 [etc]
194 The first field is the operation name, which can be supplied to
196 --enable. The second field is a "*" character if the operation is
197 enabled by default or blank if not. Subsequent fields on the same
198 line are the description of the operation.
199 Before libguestfs 1.17.33 only the first (operation name) field was
201 shown and all operations were enabled by default.
202 --mount-options mp:opts[;mp:opts;...]
204 Set the mount options used when libguestfs opens the disk image.
205 Note this has no effect on the guest. It is used when opening
206 certain guests such as ones using the UFS (BSD) filesystem.
207 Use a semicolon-separated list of "mountpoint:options" pairs. You
209 may need to quote this list to protect it from the shell.
210 For example:
212 --mount-options "/:noatime"
214 will mount the root directory with "notime". This example:
216 --mount-options "/:noatime;/var:rw,nodiratime"
218 will do the same, plus mount /var with "rw,nodiratime".
220 -q
222 --quiet
223 Don’t print log messages.
224 To enable detailed logging of individual file operations, use -x.
226 --network
228 --no-network
229 Enable or disable network access from the guest during the
230 installation.
231 In virt-sysprep, the network is disabled by default. You must use
233 --network to enable it, in order that options such as --install or
234 --update will work.
235 virt-builder(1) has more information about the security advantages
237 of disabling the network.
238 -v
240 --verbose
241 Enable verbose messages for debugging.
242 -V
244 --version
245 Display version number and exit.
246 -x Enable tracing of libguestfs API calls.
248 --append-line FILE:LINE (see "customize" below)
250 Append a single line of text to the "FILE". If the file does not
251 already end with a newline, then one is added before the appended
252 line. Also a newline is added to the end of the "LINE" string
253 automatically.
254 For example (assuming ordinary shell quoting) this command:
256 --append-line '/etc/hosts:10.0.0.1 foo'
258 will add either "10.0.0.1 foo⏎" or "⏎10.0.0.1 foo⏎" to the file,
260 the latter only if the existing file does not already end with a
261 newline.
262 "⏎" represents a newline character, which is guessed by looking at
264 the existing content of the file, so this command does the right
265 thing for files using Unix or Windows line endings. It also works
266 for empty or non-existent files.
267 To insert several lines, use the same option several times:
269 --append-line '/etc/hosts:10.0.0.1 foo'
271 --append-line '/etc/hosts:10.0.0.2 bar'
272 To insert a blank line before the appended line, do:
274 --append-line '/etc/hosts:'
276 --append-line '/etc/hosts:10.0.0.1 foo'
277 --chmod PERMISSIONS:FILE (see "customize" below)
279 Change the permissions of "FILE" to "PERMISSIONS".
280 Note: "PERMISSIONS" by default would be decimal, unless you prefix
282 it with 0 to get octal, ie. use 0700 not 700.
283 --commands-from-file FILENAME (see "customize" below)
285 Read the customize commands from a file, one (and its arguments)
286 each line.
287 Each line contains a single customization command and its
289 arguments, for example:
290 delete /some/file
292 install some-package
293 password some-user:password:its-new-password
294 Empty lines are ignored, and lines starting with "#" are comments
296 and are ignored as well. Furthermore, arguments can be spread
297 across multiple lines, by adding a "\" (continuation character) at
298 the of a line, for example
299 edit /some/file:\
301 s/^OPT=.*/OPT=ok/
302 The commands are handled in the same order as they are in the file,
304 as if they were specified as --delete /some/file on the command
305 line.
306 --copy SOURCE:DEST (see "customize" below)
308 Copy files or directories recursively inside the guest.
309 Wildcards cannot be used.
311 --copy-in LOCALPATH:REMOTEDIR (see "customize" below)
313 Copy local files or directories recursively into the disk image,
314 placing them in the directory "REMOTEDIR" (which must exist).
315 Wildcards cannot be used.
317 --delete PATH (see "customize" below)
319 Delete a file from the guest. Or delete a directory (and all its
320 contents, recursively).
321 You can use shell glob characters in the specified path. Be
323 careful to escape glob characters from the host shell, if that is
324 required. For example:
325 virt-customize --delete '/var/log/*.log'.
327 See also: --upload, --scrub.
329 --edit FILE:EXPR (see "customize" below)
331 Edit "FILE" using the Perl expression "EXPR".
332 Be careful to properly quote the expression to prevent it from
334 being altered by the shell.
335 Note that this option is only available when Perl 5 is installed.
337 See "NON-INTERACTIVE EDITING" in virt-edit(1).
339 --firstboot SCRIPT (see "customize" below)
341 Install "SCRIPT" inside the guest, so that when the guest first
342 boots up, the script runs (as root, late in the boot process).
343 The script is automatically chmod +x after installation in the
345 guest.
346 The alternative version --firstboot-command is the same, but it
348 conveniently wraps the command up in a single line script for you.
349 You can have multiple --firstboot options. They run in the same
351 order that they appear on the command line.
352 Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
354 more information and caveats about the first boot scripts.
355 See also --run.
357 --firstboot-command 'CMD+ARGS' (see "customize" below)
359 Run command (and arguments) inside the guest when the guest first
360 boots up (as root, late in the boot process).
361 You can have multiple --firstboot options. They run in the same
363 order that they appear on the command line.
364 Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
366 more information and caveats about the first boot scripts.
367 See also --run.
369 --firstboot-install PKG,PKG.. (see "customize" below)
371 Install the named packages (a comma-separated list). These are
372 installed when the guest first boots using the guest’s package
373 manager (eg. apt, yum, etc.) and the guest’s network connection.
374 For an overview on the different ways to install packages, see
376 "INSTALLING PACKAGES" in virt-builder(1).
377 --hostname HOSTNAME (see "customize" below)
379 Set the hostname of the guest to "HOSTNAME". You can use a dotted
380 hostname.domainname (FQDN) if you want.
381 --install PKG,PKG.. (see "customize" below)
383 Install the named packages (a comma-separated list). These are
384 installed during the image build using the guest’s package manager
385 (eg. apt, yum, etc.) and the host’s network connection.
386 For an overview on the different ways to install packages, see
388 "INSTALLING PACKAGES" in virt-builder(1).
389 See also --update, --uninstall.
391 --keep-user-accounts USERS (see "user-account" below)
393 The user accounts to be kept in the guest. The value of this
394 option is a list of user names separated by comma, where specifying
395 an user means it is going to be kept. For example:
396 --keep-user-accounts mary
398 would keep the user account "mary".
400 This option can be specified multiple times.
402 --link TARGET:LINK[:LINK..] (see "customize" below)
404 Create symbolic link(s) in the guest, starting at "LINK" and
405 pointing at "TARGET".
406 --mkdir DIR (see "customize" below)
408 Create a directory in the guest.
409 This uses "mkdir -p" so any intermediate directories are created,
411 and it also works if the directory already exists.
412 --move SOURCE:DEST (see "customize" below)
414 Move files or directories inside the guest.
415 Wildcards cannot be used.
417 --no-logfile (see "customize" below)
419 Scrub "builder.log" (log file from build commands) from the image
420 after building is complete. If you don't want to reveal precisely
421 how the image was built, use this option.
422 See also: "LOG FILE".
424 --password USER:SELECTOR (see "customize" below)
426 Set the password for "USER". (Note this option does not create the
427 user account).
428 See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
430 "SELECTOR" field, and also how to set up user accounts.
431 --password-crypto md5|sha256|sha512 (see "customize" below)
433 When the virt tools change or set a password in the guest, this
434 option sets the password encryption of that password to "md5",
435 "sha256" or "sha512".
436 "sha256" and "sha512" require glibc ≥ 2.7 (check crypt(3) inside
438 the guest).
439 "md5" will work with relatively old Linux guests (eg. RHEL 3), but
441 is not secure against modern attacks.
442 The default is "sha512" unless libguestfs detects an old guest that
444 didn't have support for SHA-512, in which case it will use "md5".
445 You can override libguestfs by specifying this option.
446 Note this does not change the default password encryption used by
448 the guest when you create new user accounts inside the guest. If
449 you want to do that, then you should use the --edit option to
450 modify "/etc/sysconfig/authconfig" (Fedora, RHEL) or
451 "/etc/pam.d/common-password" (Debian, Ubuntu).
452 --remove-user-accounts USERS (see "user-account" below)
454 The user accounts to be removed from the guest. The value of this
455 option is a list of user names separated by comma, where specifying
456 an user means it is going to be removed. For example:
457 --remove-user-accounts bob,eve
459 would only remove the user accounts "bob" and "eve".
461 This option can be specified multiple times.
463 --root-password SELECTOR (see "customize" below)
465 Set the root password.
466 See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
468 "SELECTOR" field, and also how to set up user accounts.
469 Note: In virt-builder, if you don't set --root-password then the
471 guest is given a random root password.
472 --run SCRIPT (see "customize" below)
474 Run the shell script (or any program) called "SCRIPT" on the disk
475 image. The script runs virtualized inside a small appliance,
476 chrooted into the guest filesystem.
477 The script is automatically chmod +x.
479 If libguestfs supports it then a limited network connection is
481 available but it only allows outgoing network connections. You can
482 also attach data disks (eg. ISO files) as another way to provide
483 data (eg. software packages) to the script without needing a
484 network connection (--attach). You can also upload data files
485 (--upload).
486 You can have multiple --run options. They run in the same order
488 that they appear on the command line.
489 See also: --firstboot, --attach, --upload.
491 --run-command 'CMD+ARGS' (see "customize" below)
493 Run the command and arguments on the disk image. The command runs
494 virtualized inside a small appliance, chrooted into the guest
495 filesystem.
496 If libguestfs supports it then a limited network connection is
498 available but it only allows outgoing network connections. You can
499 also attach data disks (eg. ISO files) as another way to provide
500 data (eg. software packages) to the script without needing a
501 network connection (--attach). You can also upload data files
502 (--upload).
503 You can have multiple --run-command options. They run in the same
505 order that they appear on the command line.
506 See also: --firstboot, --attach, --upload.
508 --script SCRIPT (see "script" below)
510 Run the named "SCRIPT" (a shell script or program) against the
511 guest. The script can be any program on the host. The script’s
512 current directory will be the guest’s root directory.
513 Note: If the script is not on the $PATH, then you must give the
515 full absolute path to the script.
516 --scriptdir SCRIPTDIR (see "script" below)
518 The mount point (an empty directory on the host) used when the
519 "script" operation is enabled and one or more scripts are specified
520 using --script parameter(s).
521 Note: "SCRIPTDIR" must be an absolute path.
523 If --scriptdir is not specified then a temporary mountpoint will be
525 created.
526 --scrub FILE (see "customize" below)
528 Scrub a file from the guest. This is like --delete except that:
529 · It scrubs the data so a guest could not recover it.
531 · It cannot delete directories, only regular files.
533 --selinux-relabel (see "customize" below)
535 Relabel files in the guest so that they have the correct SELinux
536 label.
537 This will attempt to relabel files immediately, but if the
539 operation fails this will instead touch /.autorelabel on the image
540 to schedule a relabel operation for the next time the image boots.
541 You should only use this option for guests which support SELinux.
543 --sm-attach SELECTOR (see "customize" below)
545 Attach to a pool using "subscription-manager".
546 See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
548 "SELECTOR" field.
549 --sm-credentials SELECTOR (see "customize" below)
551 Set the credentials for "subscription-manager".
552 See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
554 "SELECTOR" field.
555 --sm-register (see "customize" below)
557 Register the guest using "subscription-manager".
558 This requires credentials being set using --sm-credentials.
560 --sm-remove (see "customize" below)
562 Remove all the subscriptions from the guest using
563 "subscription-manager".
564 --sm-unregister (see "customize" below)
566 Unregister the guest using "subscription-manager".
567 --ssh-inject USER[:SELECTOR] (see "customize" below)
569 Inject an ssh key so the given "USER" will be able to log in over
570 ssh without supplying a password. The "USER" must exist already in
571 the guest.
572 See "SSH KEYS" in virt-builder(1) for the format of the "SELECTOR"
574 field.
575 You can have multiple --ssh-inject options, for different users and
577 also for more keys for each user.
578 --timezone TIMEZONE (see "customize" below)
580 Set the default timezone of the guest to "TIMEZONE". Use a
581 location string like "Europe/London"
582 --touch FILE (see "customize" below)
584 This command performs a touch(1)-like operation on "FILE".
585 --truncate FILE (see "customize" below)
587 This command truncates "FILE" to a zero-length file. The file must
588 exist already.
589 --truncate-recursive PATH (see "customize" below)
591 This command recursively truncates all files under "PATH" to zero-
592 length.
593 --uninstall PKG,PKG.. (see "customize" below)
595 Uninstall the named packages (a comma-separated list). These are
596 removed during the image build using the guest’s package manager
597 (eg. apt, yum, etc.). Dependent packages may also need to be
598 uninstalled to satisfy the request.
599 See also --install, --update.
601 --update (see "customize" below)
603 Do the equivalent of "yum update", "apt-get upgrade", or whatever
604 command is required to update the packages already installed in the
605 template to their latest versions.
606 See also --install, --uninstall.
608 --upload FILE:DEST (see "customize" below)
610 Upload local file "FILE" to destination "DEST" in the disk image.
611 File owner and permissions from the original are preserved, so you
612 should set them to what you want them to be in the disk image.
613 "DEST" could be the final filename. This can be used to rename the
615 file on upload.
616 If "DEST" is a directory name (which must already exist in the
618 guest) then the file is uploaded into that directory, and it keeps
619 the same name as on the local filesystem.
620 See also: --mkdir, --delete, --scrub.
622 --write FILE:CONTENT (see "customize" below)
624 Write "CONTENT" to "FILE".
625
627 If the --enable/--operations option is not given, then most sysprep
628 operations are enabled.
629 Use "virt-sysprep --list-operations" to list all operations for your
631 virt-sysprep binary. The ones which are enabled by default are marked
632 with a "*" character. Regardless of the --enable/--operations options,
633 sysprep operations are skipped for some guest types.
634 Operations can be individually enabled using the --enable/--operations
636 options. Use a comma-separated list, for example:
637 virt-sysprep --operations ssh-hostkeys,udev-persistent-net [etc..]
639 Future versions of virt-sysprep may add more operations. If you are
641 using virt-sysprep and want predictable behaviour, specify only the
642 operations that you want to have enabled.
643 "*" = enabled by default when no --enable/--operations option is given.
645 abrt-data *
647 Remove the crash data generated by ABRT.
648 Remove the automatically generated ABRT crash data in
650 "/var/spool/abrt/".
651 backup-files *
653 Remove editor backup files from the guest.
654 The following files are removed from anywhere in the guest filesystem:
656 · *.bak
658 · *~
660 On Linux and Unix operating systems, only the following filesystems
662 will be examined:
663 · /etc
665 · /root
667 · /srv
669 · /tmp
671 · /var
673 bash-history *
675 Remove the bash history in the guest.
676 Remove the bash history of user "root" and any other users who have a
678 ".bash_history" file in their home directory.
679 Notes on bash-history
681 Currently this only looks in "/root" and "/home/*" for home
683 directories, so users with home directories in other locations won't
684 have the bash history removed.
685 blkid-tab *
687 Remove blkid tab in the guest.
688 ca-certificates
690 Remove CA certificates in the guest.
691 crash-data *
693 Remove the crash data generated by kexec-tools.
694 Remove the automatically generated kdump kernel crash data.
696 cron-spool *
698 Remove user at-jobs and cron-jobs.
699 customize *
701 Customize the guest.
702 Customize the guest by providing virt-customize(1) options for
704 installing packages, editing files and so on.
705 dhcp-client-state *
707 Remove DHCP client leases.
708 dhcp-server-state *
710 Remove DHCP server leases.
711 dovecot-data *
713 Remove Dovecot (mail server) data.
714 firewall-rules
716 Remove the firewall rules.
717 This removes custom firewall rules by removing
719 "/etc/sysconfig/iptables" or custom firewalld configuration in
720 "/etc/firewalld/*/*".
721 Note this is not enabled by default since it may expose guests to
723 exploits. Use with care.
724 flag-reconfiguration
726 Flag the system for reconfiguration.
727 For Linux guests, this touches "/.unconfigured", which causes the first
729 boot to interactively query the user for settings such as the root
730 password and timezone.
731 fs-uuids
733 Change filesystem UUIDs.
734 On guests and filesystem types where this is supported, new random
736 UUIDs are generated and assigned to filesystems.
737 Notes on fs-uuids
739 The fs-uuids operation is disabled by default because it does not yet
741 find and update all the places in the guest that use the UUIDs. For
742 example "/etc/fstab" or the bootloader. Enabling this operation is
743 more likely than not to make your guest unbootable.
744 See: https://bugzilla.redhat.com/show_bug.cgi?id=991641
746 kerberos-data
748 Remove Kerberos data in the guest.
749 logfiles *
751 Remove many log files from the guest.
752 On Linux the following files are removed:
754 · /etc/Pegasus/*.cnf
756 · /etc/Pegasus/*.crt
758 · /etc/Pegasus/*.csr
760 · /etc/Pegasus/*.pem
762 · /etc/Pegasus/*.srl
764 · /root/anaconda-ks.cfg
766 · /root/anaconda-post.log
768 · /root/initial-setup-ks.cfg
770 · /root/install.log
772 · /root/install.log.syslog
774 · /root/original-ks.cfg
776 · /var/cache/fontconfig/*
778 · /var/cache/gdm/*
780 · /var/cache/man/*
782 · /var/lib/AccountService/users/*
784 · /var/lib/fprint/*
786 · /var/lib/logrotate.status
788 · /var/log/*.log*
790 · /var/log/BackupPC/LOG
792 · /var/log/ConsoleKit/*
794 · /var/log/anaconda.syslog
796 · /var/log/anaconda/*
798 · /var/log/apache2/*_log
800 · /var/log/apache2/*_log-*
802 · /var/log/apt/*
804 · /var/log/aptitude*
806 · /var/log/audit/*
808 · /var/log/btmp*
810 · /var/log/ceph/*.log
812 · /var/log/chrony/*.log
814 · /var/log/cron*
816 · /var/log/cups/*_log*
818 · /var/log/debug*
820 · /var/log/dmesg*
822 · /var/log/exim4/*
824 · /var/log/faillog*
826 · /var/log/firewalld*
828 · /var/log/gdm/*
830 · /var/log/glusterfs/*glusterd.vol.log
832 · /var/log/glusterfs/glusterfs.log
834 · /var/log/grubby*
836 · /var/log/httpd/*log
838 · /var/log/installer/*
840 · /var/log/jetty/jetty-console.log
842 · /var/log/journal/*
844 · /var/log/lastlog*
846 · /var/log/libvirt/libvirtd.log
848 · /var/log/libvirt/libxl/*.log
850 · /var/log/libvirt/lxc/*.log
852 · /var/log/libvirt/qemu/*.log
854 · /var/log/libvirt/uml/*.log
856 · /var/log/lightdm/*
858 · /var/log/mail/*
860 · /var/log/maillog*
862 · /var/log/messages*
864 · /var/log/ntp
866 · /var/log/ntpstats/*
868 · /var/log/ppp/connect-errors
870 · /var/log/rhsm/*
872 · /var/log/sa/*
874 · /var/log/secure*
876 · /var/log/setroubleshoot/*.log
878 · /var/log/spooler*
880 · /var/log/squid/*.log
882 · /var/log/syslog*
884 · /var/log/tallylog*
886 · /var/log/tuned/tuned.log
888 · /var/log/wtmp*
890 · /var/log/xferlog*
892 · /var/named/data/named.run
894 lvm-uuids *
896 Change LVM2 PV and VG UUIDs.
897 On Linux guests that have LVM2 physical volumes (PVs) or volume groups
899 (VGs), new random UUIDs are generated and assigned to those PVs and
900 VGs.
901 machine-id *
903 Remove the local machine ID.
904 The machine ID is usually generated from a random source during system
906 installation and stays constant for all subsequent boots. Optionally,
907 for stateless systems it is generated during runtime at boot if it is
908 found to be empty.
909 mail-spool *
911 Remove email from the local mail spool directory.
912 net-hostname *
914 Remove HOSTNAME and DHCP_HOSTNAME in network interface configuration.
915 For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
917 files.
918 net-hwaddr *
920 Remove HWADDR (hard-coded MAC address) configuration.
921 For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
923 files.
924 pacct-log *
926 Remove the process accounting log files.
927 The system wide process accounting will store to the pacct log files if
929 the process accounting is on.
930 package-manager-cache *
932 Remove package manager cache.
933 pam-data *
935 Remove the PAM data in the guest.
936 passwd-backups *
938 Remove /etc/passwd- and similar backup files.
939 On Linux the following files are removed:
941 · /etc/group-
943 · /etc/gshadow-
945 · /etc/passwd-
947 · /etc/shadow-
949 · /etc/subgid-
951 · /etc/subuid-
953 puppet-data-log *
955 Remove the data and log files of puppet.
956 rh-subscription-manager *
958 Remove the RH subscription manager files.
959 rhn-systemid *
961 Remove the RHN system ID.
962 rpm-db *
964 Remove host-specific RPM database files.
965 Remove host-specific RPM database files and locks. RPM will recreate
967 these files automatically if needed.
968 samba-db-log *
970 Remove the database and log files of Samba.
971 script *
973 Run arbitrary scripts against the guest.
974 The "script" module lets you run arbitrary shell scripts or programs
976 against the guest.
977 Note this feature requires FUSE support. You may have to enable this
979 in your host, for example by adding the current user to the "fuse"
980 group, or by loading a kernel module.
981 Use one or more --script parameters to specify scripts or programs that
983 will be run against the guest.
984 The script or program is run with its current directory being the
986 guest’s root directory, so relative paths should be used. For example:
987 "rm etc/resolv.conf" in the script would remove a Linux guest’s DNS
988 configuration file, but "rm /etc/resolv.conf" would (try to) remove the
989 host’s file.
990 Normally a temporary mount point for the guest is used, but you can
992 choose a specific one by using the --scriptdir parameter.
993 Note: This is different from --firstboot scripts (which run in the
995 context of the guest when it is booting first time). --script scripts
996 run on the host, not in the guest.
997 smolt-uuid *
999 Remove the Smolt hardware UUID.
1000 ssh-hostkeys *
1002 Remove the SSH host keys in the guest.
1003 The SSH host keys are regenerated (differently) next time the guest is
1005 booted.
1006 If, after cloning, the guest gets the same IP address, ssh will give
1008 you a stark warning about the host key changing:
1009 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1011 @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
1012 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1013 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
1014 ssh-userdir *
1016 Remove ".ssh" directories in the guest.
1017 Remove the ".ssh" directory of user "root" and any other users who have
1019 a ".ssh" directory in their home directory.
1020 Notes on ssh-userdir
1022 Currently this only looks in "/root" and "/home/*" for home
1024 directories, so users with home directories in other locations won't
1025 have the ssh files removed.
1026 sssd-db-log *
1028 Remove the database and log files of sssd.
1029 tmp-files *
1031 Remove temporary files.
1032 This removes temporary files under "/tmp" and "/var/tmp".
1034 udev-persistent-net *
1036 Remove udev persistent net rules.
1037 Remove udev persistent net rules which map the guest’s existing MAC
1039 address to a fixed ethernet device (eg. eth0).
1040 After a guest is cloned, the MAC address usually changes. Since the
1042 old MAC address occupies the old name (eg. eth0), this means the fresh
1043 MAC address is assigned to a new name (eg. eth1) and this is usually
1044 undesirable. Erasing the udev persistent net rules avoids this.
1045 user-account
1047 Remove the user accounts in the guest.
1048 By default remove all the user accounts and their home directories.
1050 The "root" account is not removed.
1051 See the --remove-user-accounts parameter for a way to specify how to
1053 remove only some users, or to not remove some others.
1054 utmp *
1056 Remove the utmp file.
1057 This file records who is currently logged in on a machine. In modern
1059 Linux distros it is stored in a ramdisk and hence not part of the
1060 virtual machine’s disk, but it was stored on disk in older distros.
1061 yum-uuid *
1063 Remove the yum UUID.
1064 Yum creates a fresh UUID the next time it runs when it notices that the
1066 original UUID has been erased.
1067
1069 Virt-sysprep can be used as part of a process of cloning guests, or to
1070 prepare a template from which guests can be cloned. There are many
1071 different ways to achieve this using the virt tools, and this section
1072 is just an introduction.
1073 A virtual machine (when switched off) consists of two parts:
1075 configuration
1077 The configuration or description of the guest. eg. The libvirt XML
1078 (see "virsh dumpxml"), the running configuration of the guest, or
1079 another external format like OVF.
1080 Some configuration items that might need to be changed:
1082 · name
1084 · UUID
1086 · path to block device(s)
1088 · network card MAC address
1090 block device(s)
1092 One or more hard disk images, themselves containing files,
1093 directories, applications, kernels, configuration, etc.
1094 Some things inside the block devices that might need to be changed:
1096 · hostname and other net configuration
1098 · UUID
1100 · SSH host keys
1102 · Windows unique security ID (SID)
1104 · Puppet registration
1106 COPYING THE BLOCK DEVICE
1108 Starting with an original guest, you probably wish to copy the guest
1109 block device and its configuration to make a template. Then once you
1110 are happy with the template, you will want to make many clones from it.
1111 virt-sysprep
1113 |
1114 v
1115 original guest --------> template ---------->
1116 \------> cloned
1117 \-----> guests
1118 \---->
1119 You can, of course, just copy the block device on the host using cp(1)
1121 or dd(1).
1122 dd dd
1124 original guest --------> template ---------->
1125 \------> cloned
1126 \-----> guests
1127 \---->
1128 There are some smarter (and faster) ways too:
1130 snapshot
1132 template ---------->
1133 \------> cloned
1134 \-----> guests
1135 \---->
1136 You may want to run virt-sysprep twice, once to reset the guest (to
1138 make a template) and a second time to customize the guest for a
1139 specific user:
1140 virt-sysprep virt-sysprep
1142 (reset) (add user, keys, logos)
1143 | |
1144 dd v dd v
1145 original guest ----> template ---------> copied ------> custom
1146 template guest
1147 · Create a snapshot using qemu-img:
1149 qemu-img create -f qcow2 -o backing_file=original snapshot.qcow
1151 The advantage is that you don’t need to copy the original (very
1153 fast) and only changes are stored (less storage required).
1154 Note that writing to the backing file once you have created guests
1156 on top of it is not possible: you will corrupt the guests.
1157 · Create a snapshot using "lvcreate --snapshot".
1159 · Other ways to create snapshots include using filesystems-level
1161 tools (for filesystems such as btrfs).
1162 Most Network Attached Storage (NAS) devices can also create cheap
1164 snapshots from files or LUNs.
1165 · Get your NAS to duplicate the LUN. Most NAS devices can also
1167 duplicate LUNs very cheaply (they copy them on-demand in the
1168 background).
1169 · Prepare your template using virt-sparsify(1). See below.
1171 VIRT-CLONE
1173 A separate tool, virt-clone(1), can be used to duplicate the block
1174 device and/or modify the external libvirt configuration of a guest. It
1175 will reset the name, UUID and MAC address of the guest in the libvirt
1176 XML.
1177 virt-clone(1) does not use libguestfs and cannot look inside the disk
1179 image. This was the original motivation to write virt-sysprep.
1180 SPARSIFY
1182 virt-sparsify
1183 original guest --------> template
1184 virt-sparsify(1) can be used to make the cloning template smaller,
1186 making it easier to compress and/or faster to copy.
1187 Notice that since virt-sparsify also copies the image, you can use it
1189 to make the initial copy (instead of "dd").
1190 RESIZE
1192 virt-resize
1193 template ---------->
1194 \------> cloned
1195 \-----> guests
1196 \---->
1197 If you want to give people cloned guests, but let them pick the size of
1199 the guest themselves (eg. depending on how much they are prepared to
1200 pay for disk space), then instead of copying the template, you can run
1201 virt-resize(1). Virt-resize performs a copy and resize, and thus is
1202 ideal for cloning guests from a template.
1203
1205 The two options --firstboot and --script both supply shell scripts that
1206 are run against the guest. However these two options are significantly
1207 different.
1208 --firstboot script uploads the file "script" into the guest and
1210 arranges that it will run, in the guest, when the guest is next booted.
1211 (The script will only run once, at the "first boot").
1212 --script script runs the shell "script" on the host, with its current
1214 directory inside the guest filesystem.
1215 If you needed, for example, to "yum install" new packages, then you
1217 must not use --script for this, since that would (a) run the "yum"
1218 command on the host and (b) wouldn't have access to the same resources
1219 (repositories, keys, etc.) as the guest. Any command that needs to run
1220 on the guest must be run via --firstboot.
1221 On the other hand if you need to make adjustments to the guest
1223 filesystem (eg. copying in files), then --script is ideal since (a) it
1224 has access to the host filesystem and (b) you will get immediate
1225 feedback on errors.
1226 Either or both options can be used multiple times on the command line.
1228
1230 Although virt-sysprep removes some sensitive information from the
1231 guest, it does not pretend to remove all of it. You should examine the
1232 "OPERATIONS" above and the guest afterwards.
1233 Sensitive files are simply removed. The data they contained may still
1235 exist on the disk, easily recovered with a hex editor or undelete tool.
1236 The --scrub option can be used to scrub files instead of just deleting
1237 them. virt-sparsify(1) is another way to remove this content. See
1238 also the scrub(1) command to get rid of deleted content in directory
1239 entries and inodes.
1240 RANDOM SEED
1242 (This section applies to Linux guests only)
1243 For supported guests, virt-sysprep writes a few bytes of randomness
1245 from the host into the guest’s random seed file.
1246 If this is just done once and the guest is cloned from the same
1248 template, then each guest will start with the same entropy, and things
1249 like SSH host keys and TCP sequence numbers may be predictable.
1250 Therefore you should arrange to add more randomness after cloning from
1252 a template too, which can be done by enabling just the customize
1253 module:
1254 cp template.img newguest.img
1256 virt-sysprep --enable customize -a newguest.img
1257
1259 For guests which make use of SELinux, special handling for them might
1260 be needed when using operations which create new files or alter
1261 existing ones.
1262 For further details, see "SELINUX" in virt-builder(1).
1264
1266 Windows 8 "fast startup" can prevent virt-sysprep from working. See
1267 "WINDOWS HIBERNATION AND WINDOWS 8 FAST STARTUP" in guestfs(3).
1268
1270 This program returns 0 on success, or 1 if there was an error.
1271
1273 "VIRT_TOOLS_DATA_DIR"
1274 This can point to the directory containing data files used for
1275 Windows firstboot installation.
1276 Normally you do not need to set this. If not set, a compiled-in
1278 default will be used (something like /usr/share/virt-tools).
1279 This directory may contain the following files:
1281 rhsrvany.exe
1283 This is the RHSrvAny Windows binary, used to install a
1284 "firstboot" script in Windows guests. It is required if you
1285 intend to use the --firstboot or --firstboot-command options
1286 with Windows guests.
1287 See also: "https://github.com/rwmjones/rhsrvany"
1289 pvvxsvc.exe
1291 This is a Windows binary shipped with SUSE VMDP, used to
1292 install a "firstboot" script in Windows guests. It is required
1293 if you intend to use the --firstboot or --firstboot-command
1294 options with Windows guests.
1295 For other environment variables, see "ENVIRONMENT VARIABLES" in
1297 guestfs(3).
1298
1300 guestfs(3), guestfish(1), virt-builder(1), virt-clone(1),
1301 virt-customize(1), virt-rescue(1), virt-resize(1), virt-sparsify(1),
1302 virsh(1), lvcreate(8), qemu-img(1), scrub(1), http://libguestfs.org/,
1303 http://libvirt.org/.
1304
1306 Richard W.M. Jones http://people.redhat.com/~rjones/
1307 Wanlong Gao, Fujitsu Ltd.
1309
1311 Copyright (C) 2011-2018 Red Hat Inc.
1312 Copyright (C) 2012 Fujitsu Ltd.
1314
1316 This program is free software; you can redistribute it and/or modify it
1317 under the terms of the GNU General Public License as published by the
1318 Free Software Foundation; either version 2 of the License, or (at your
1319 option) any later version.
1320 This program is distributed in the hope that it will be useful, but
1322 WITHOUT ANY WARRANTY; without even the implied warranty of
1323 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
1324 General Public License for more details.
1325 You should have received a copy of the GNU General Public License along
1327 with this program; if not, write to the Free Software Foundation, Inc.,
1328 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
1329
1331 To get a list of bugs against libguestfs, use this link:
1332 https://bugzilla.redhat.com/buglist.cgi?component=libguestfs&product=Virtualization+Tools
1333 To report a new bug against libguestfs, use this link:
1335 https://bugzilla.redhat.com/enter_bug.cgi?component=libguestfs&product=Virtualization+Tools
1336 When reporting a bug, please supply:
1338 · The version of libguestfs.
1340 · Where you got libguestfs (eg. which Linux distro, compiled from
1342 source, etc)
1343 · Describe the bug accurately and give a way to reproduce it.
1345 · Run libguestfs-test-tool(1) and paste the complete, unedited output
1347 into the bug report.
1348libguestfs-1.38.2 2018-05-15 virt-sysprep(1)