virt-sysprep(1)             Virtualization Support             virt-sysprep(1)

NAME
       virt-sysprep - Reset, unconfigure or customize a virtual machine so
       clones can be made

SYNOPSIS
        virt-sysprep [--options] -d domname

        virt-sysprep [--options] -a disk.img [-a disk.img ...]

WARNING
       Using "virt-sysprep" on live virtual machines, or concurrently with
       other disk editing tools, can be dangerous, potentially causing disk
       corruption.  The virtual machine must be shut down before you use this
       command, and disk images must not be edited concurrently.

DESCRIPTION
       Virt-sysprep can reset or unconfigure a virtual machine so that clones
       can be made from it.  Steps in this process include removing SSH host
       keys, removing persistent network MAC configuration, and removing user
       accounts.  Virt-sysprep can also customize a virtual machine, for
       instance by adding SSH keys, users or logos.  Each step can be enabled
       or disabled as required.

       Virt-sysprep modifies the guest or disk image in place.  The guest must
       be shut down.  If you want to preserve the existing contents of the
       guest, you must snapshot, copy or clone the disk first.  See "COPYING
       AND CLONING" below.

       You do not need to run virt-sysprep as root.  In fact we'd generally
       recommend that you don't.  The time you might want to run it as root is
       when you need root in order to access the disk image, but even in this
       case it would be better to change the permissions on the disk image to
       be writable as the non-root user running virt-sysprep.

       "Sysprep" stands for "system preparation" tool.  The name comes from
       the Microsoft program sysprep.exe which is used to unconfigure Windows
       machines in preparation for cloning them.  Having said that,
       virt-sysprep does not currently work on Microsoft Windows guests.  We
       plan to support Windows sysprepping in a future version, and we already
       have code to do it.

OPTIONS
       --help
           Display brief help.

       -a file
       --add file
           Add file which should be a disk image from a virtual machine.

           The format of the disk image is auto-detected.  To override this
           and force a particular format use the --format option.

       -a URI
       --add URI
           Add a remote disk.  The URI format is compatible with guestfish.
           See "ADDING REMOTE STORAGE" in guestfish(1).

       --colors
       --colours
           Use ANSI colour sequences to colourize messages.  This is the
           default when the output is a tty.  If the output of the program is
           redirected to a file, ANSI colour sequences are disabled unless you
           use this option.

       -c URI
       --connect URI
           If using libvirt, connect to the given URI.  If omitted, then we
           connect to the default libvirt hypervisor.

           If you specify guest block devices directly (-a), then libvirt is
           not used at all.

       -d guest
       --domain guest
           Add all the disks from the named libvirt guest.  Domain UUIDs can
           be used instead of names.

       -n
       --dry-run
           Perform a read-only "dry run" on the guest.  This runs the sysprep
           operation, but throws away any changes to the disk at the end.

       --enable operations
           Choose which sysprep operations to perform.  Give a comma-separated
           list of operations, for example:

            --enable ssh-hostkeys,udev-persistent-net

           would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
           operations.

           If the --enable option is not given, then we default to trying most
           sysprep operations (see --list-operations to show which are
           enabled).

           Regardless of the --enable option, sysprep operations are skipped
           for some guest types.

           Use --list-operations to list operations supported by a particular
           version of virt-sysprep.

           See "OPERATIONS" below for a list and an explanation of each
           operation.

       --operation operations
       --operations operations
           Choose which sysprep operations to perform.  Give a comma-separated
           list of operations, for example:

            --operations ssh-hostkeys,udev-persistent-net

           would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
           operations.

           --operations allows you to enable and disable any operation,
           including the default ones (which would be tried when specifying
           neither --operations nor --enable) and all the available ones;
           prepending a "-" in front of an operation name removes it from the
           list of enabled operations, while the meta-names "defaults" and
           "all" represent respectively the operations enabled by default and
           all the available ones.  For example:

            --operations firewall-rules,defaults,-tmp-files

           would enable the "firewall-rules" operation (regardless whether it
           is enabled by default), all the default ones, and disable the
           "tmp-files" operation.

           --operations can be specified multiple times; the first time the
           set of enabled operations is empty, while any further --operations
           affects the operations enabled so far.

           If the --operations option is not given, then we default to trying
           most sysprep operations (see --list-operations to show which are
           enabled).

           Regardless of the --operations option, sysprep operations are
           skipped for some guest types.

           Use --list-operations to list operations supported by a particular
           version of virt-sysprep.

           See "OPERATIONS" below for a list and an explanation of each
           operation.

       --echo-keys
           When prompting for keys and passphrases, virt-sysprep normally
           turns echoing off so you cannot see what you are typing.  If you
           are not worried about Tempest attacks and there is no one else in
           the room you can specify this flag to see what you are typing.

       --format raw|qcow2|..
       --format auto
           The default for the -a option is to auto-detect the format of the
           disk image.  Using this forces the disk format for -a options which
           follow on the command line.  Using --format auto switches back to
           auto-detection for subsequent -a options.

           For example:

            virt-sysprep --format raw -a disk.img

           forces raw format (no auto-detection) for disk.img.

            virt-sysprep --format raw -a disk.img --format auto -a another.img

           forces raw format (no auto-detection) for disk.img and reverts to
           auto-detection for another.img.

           If you have untrusted raw-format guest disk images, you should use
           this option to specify the disk format.  This avoids a possible
           security problem with malicious guests (CVE-2010-3851).

       --keys-from-stdin
           Read key or passphrase parameters from stdin.  The default is to
           try to read passphrases from the user by opening /dev/tty.

       --list-operations
           List the operations supported by the virt-sysprep program.

           These are listed one per line, with one or more
           single-space-separated fields, eg:

            $ virt-sysprep --list-operations
            bash-history * Remove the bash history in the guest
            cron-spool * Remove user at-jobs and cron-jobs
            dhcp-client-state * Remove DHCP client leases
            dhcp-server-state * Remove DHCP server leases
            [etc]

           The first field is the operation name, which can be supplied to
           --enable.  The second field is a "*" character if the operation is
           enabled by default or blank if not.  Subsequent fields on the same
           line are the description of the operation.

           Before libguestfs 1.17.33 only the first (operation name) field was
           shown and all operations were enabled by default.

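Added example (not part of the original manual page or of libguestfs): a POSIX shell model of the selection rules described under --operations and --list-operations above. The listing is a constructed sample, the function names are hypothetical, and two behaviours are assumptions of the model: list items are applied left to right, and unknown operation names are rejected.

```sh
#!/bin/sh
# Added example: model of how --operations lists combine, driven by the
# output format of `virt-sysprep --list-operations`.

# Constructed sample listing. Per the format described above: name, then "*"
# or an empty field, then the description, each separated by one space.
sample_list_operations() {
    cat <<'EOF'
bash-history * Remove the bash history in the guest
cron-spool * Remove user at-jobs and cron-jobs
dhcp-client-state * Remove DHCP client leases
firewall-rules  Remove the firewall rules
fs-uuids  Change filesystem UUIDs
ssh-hostkeys * Remove the SSH host keys in the guest
tmp-files * Remove temporary files
udev-persistent-net * Remove udev persistent net rules
EOF
}

# resolve_operations [SPEC...]
#   stdin : --list-operations output
#   SPEC  : the value of one --operations option, in command-line order
#   stdout: effective operation set, sorted, comma-separated
# With no SPEC the defaults apply. With one or more, the set starts empty.
resolve_operations() {
    _out=$(awk -F'[ ]' -v nspec="$#" -v specs="$*" '
        NF { all[$1] = 1; if ($2 == "*") def[$1] = 1 }
        END {
            if (nspec == 0) { for (o in def) on[o] = 1 }
            n = split(specs, spec, " ")
            for (i = 1; i <= n; i++) {
                m = split(spec[i], item, ",")
                for (j = 1; j <= m; j++) {
                    it = item[j]
                    if (it == "defaults") { for (o in def) on[o] = 1; continue }
                    if (it == "all")      { for (o in all) on[o] = 1; continue }
                    neg = (substr(it, 1, 1) == "-")
                    name = neg ? substr(it, 2) : it
                    # Assumption of this model: unknown names are an error.
                    if (!(name in all)) {
                        print "unknown operation: " name > "/dev/stderr"
                        exit 2
                    }
                    if (neg) {
                        delete on[name]
                    } else {
                        on[name] = 1
                    }
                }
            }
            for (o in on) print o
        }') || return 2
    [ -n "$_out" ] || return 0
    printf '%s\n' "$_out" | LC_ALL=C sort | paste -sd, -
}

# Demo: the example from the --operations text, then the default set written
# out as an explicit list.
sample_list_operations | resolve_operations firewall-rules,defaults,-tmp-files
printf -- '--operations %s\n' "$(sample_list_operations | resolve_operations)"
```

Feeding the function the real `virt-sysprep --list-operations` output with no arguments gives the default set as an explicit list, which can be recorded in a build script so that a later release adding operations does not change what is removed from a template.
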
       --mount-options mp:opts[;mp:opts;...]
           Set the mount options used when libguestfs opens the disk image.
           Note this has no effect on the guest.  It is used when opening
           certain guests such as ones using the UFS (BSD) filesystem.

           Use a semicolon-separated list of "mountpoint:options" pairs.  You
           may need to quote this list to protect it from the shell.

           For example:

            --mount-options "/:noatime"

           will mount the root directory with "noatime".  This example:

            --mount-options "/:noatime;/var:rw,nodiratime"

           will do the same, plus mount /var with "rw,nodiratime".

       -q
       --quiet
           Don’t print log messages.

           To enable detailed logging of individual file operations, use -x.

       --network
       --no-network
           Enable or disable network access from the guest during the
           installation.

           In virt-sysprep, the network is disabled by default.  You must use
           --network to enable it, in order that options such as --install or
           --update will work.

           virt-builder(1) has more information about the security advantages
           of disabling the network.

       -v
       --verbose
           Enable verbose messages for debugging.

       -V
       --version
           Display version number and exit.

       -x  Enable tracing of libguestfs API calls.

       --append-line FILE:LINE (see "customize" below)
           Append a single line of text to the "FILE".  If the file does not
           already end with a newline, then one is added before the appended
           line.  Also a newline is added to the end of the "LINE" string
           automatically.

           For example (assuming ordinary shell quoting) this command:

            --append-line '/etc/hosts:10.0.0.1 foo'

           will add either "10.0.0.1 foo⏎" or "⏎10.0.0.1 foo⏎" to the file,
           the latter only if the existing file does not already end with a
           newline.

           "⏎" represents a newline character, which is guessed by looking at
           the existing content of the file, so this command does the right
           thing for files using Unix or Windows line endings.  It also works
           for empty or non-existent files.

           To insert several lines, use the same option several times:

            --append-line '/etc/hosts:10.0.0.1 foo'
            --append-line '/etc/hosts:10.0.0.2 bar'

           To insert a blank line before the appended line, do:

            --append-line '/etc/hosts:'
            --append-line '/etc/hosts:10.0.0.1 foo'

       --chmod PERMISSIONS:FILE (see "customize" below)
           Change the permissions of "FILE" to "PERMISSIONS".

           Note: "PERMISSIONS" by default would be decimal, unless you prefix
           it with 0 to get octal, ie. use 0700 not 700.

       --commands-from-file FILENAME (see "customize" below)
           Read the customize commands from a file, one (and its arguments)
           per line.

           Each line contains a single customization command and its
           arguments, for example:

            delete /some/file
            install some-package
            password some-user:password:its-new-password

           Empty lines are ignored, and lines starting with "#" are comments
           and are ignored as well.  Furthermore, arguments can be spread
           across multiple lines, by adding a "\" (continuation character) at
           the end of a line, for example

            edit /some/file:\
              s/^OPT=.*/OPT=ok/

           The commands are handled in the same order as they are in the file,
           as if they were specified as --delete /some/file on the command
           line.

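Added example (not from the original manual page or from libguestfs): a POSIX shell check that lists the entries of a commands file which run code in the guest, set credentials or grant SSH login, so the file can be reviewed and its permissions set accordingly. The sample file and function names are constructed; the "password:" selector follows the example above, the "file:" selector is the form documented in virt-builder(1), and continuation lines are only skipped, not joined.

```sh
#!/bin/sh
# Added example: review a --commands-from-file input before it is applied.

# Constructed sample commands file (paths and names are placeholders).
sample_commands_file() {
    cat <<'EOF'
# Constructed sample for this example
delete /some/file

install some-package
password some-user:password:its-new-password
edit /some/file:\
  s/^OPT=.*/OPT=ok/
root-password file:/root/pw.txt
firstboot-command systemctl enable example.service
ssh-inject admin
EOF
}

# audit_commands_file
#   stdin : a commands file in the format described above
#   stdout: LINE:CLASS:COMMAND for each command a reviewer should look at
audit_commands_file() {
    awk '
        # A line that follows a trailing "\" continues the previous command.
        cont { cont = ($0 ~ /\\$/); next }
        # Empty lines and lines starting with "#" are ignored.
        /^[ \t]*$/ || /^#/ { next }
        {
            cont = ($0 ~ /\\$/)
            cmd = $1
            class = ""
            if (cmd ~ /^(run|run-command|firstboot|firstboot-command)$/) {
                class = "runs-code"
            } else if (cmd == "ssh-inject") {
                class = "grants-login"
            } else if (cmd == "password" || cmd == "root-password" ||
                       cmd == "sm-credentials") {
                class = "credential"
                # A "password:" selector puts the secret in the file itself.
                if ((cmd == "password" && $2 ~ /^[^:]+:password:/) ||
                    (cmd == "root-password" && $2 ~ /^password:/)) {
                    class = "cleartext-credential"
                }
            }
            if (class != "") print NR ":" class ":" cmd
        }'
}

# Demo on the constructed sample.
sample_commands_file | audit_commands_file
```
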
       --copy SOURCE:DEST (see "customize" below)
           Copy files or directories recursively inside the guest.

           Wildcards cannot be used.

       --copy-in LOCALPATH:REMOTEDIR (see "customize" below)
           Copy local files or directories recursively into the disk image,
           placing them in the directory "REMOTEDIR" (which must exist).

           Wildcards cannot be used.

       --delete PATH (see "customize" below)
           Delete a file from the guest.  Or delete a directory (and all its
           contents, recursively).

           You can use shell glob characters in the specified path.  Be
           careful to escape glob characters from the host shell, if that is
           required.  For example:

            virt-customize --delete '/var/log/*.log'

           See also: --upload, --scrub.

       --edit FILE:EXPR (see "customize" below)
           Edit "FILE" using the Perl expression "EXPR".

           Be careful to properly quote the expression to prevent it from
           being altered by the shell.

           Note that this option is only available when Perl 5 is installed.

           See "NON-INTERACTIVE EDITING" in virt-edit(1).

       --firstboot SCRIPT (see "customize" below)
           Install "SCRIPT" inside the guest, so that when the guest first
           boots up, the script runs (as root, late in the boot process).

           The script is automatically chmod +x after installation in the
           guest.

           The alternative version --firstboot-command is the same, but it
           conveniently wraps the command up in a single line script for you.

           You can have multiple --firstboot options.  They run in the same
           order that they appear on the command line.

           Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
           more information and caveats about the first boot scripts.

           See also --run.

       --firstboot-command 'CMD+ARGS' (see "customize" below)
           Run command (and arguments) inside the guest when the guest first
           boots up (as root, late in the boot process).

           You can have multiple --firstboot options.  They run in the same
           order that they appear on the command line.

           Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
           more information and caveats about the first boot scripts.

           See also --run.

       --firstboot-install PKG,PKG.. (see "customize" below)
           Install the named packages (a comma-separated list).  These are
           installed when the guest first boots using the guest’s package
           manager (eg. apt, yum, etc.) and the guest’s network connection.

           For an overview on the different ways to install packages, see
           "INSTALLING PACKAGES" in virt-builder(1).

       --hostname HOSTNAME (see "customize" below)
           Set the hostname of the guest to "HOSTNAME".  You can use a dotted
           hostname.domainname (FQDN) if you want.

       --install PKG,PKG.. (see "customize" below)
           Install the named packages (a comma-separated list).  These are
           installed during the image build using the guest’s package manager
           (eg. apt, yum, etc.) and the host’s network connection.

           For an overview on the different ways to install packages, see
           "INSTALLING PACKAGES" in virt-builder(1).

           See also --update, --uninstall.

       --keep-user-accounts USERS (see "user-account" below)
           The user accounts to be kept in the guest.  The value of this
           option is a list of user names separated by comma, where specifying
           a user means it is going to be kept.  For example:

            --keep-user-accounts mary

           would keep the user account "mary".

           This option can be specified multiple times.

       --link TARGET:LINK[:LINK..] (see "customize" below)
           Create symbolic link(s) in the guest, starting at "LINK" and
           pointing at "TARGET".

       --mkdir DIR (see "customize" below)
           Create a directory in the guest.

           This uses "mkdir -p" so any intermediate directories are created,
           and it also works if the directory already exists.

       --move SOURCE:DEST (see "customize" below)
           Move files or directories inside the guest.

           Wildcards cannot be used.

       --no-logfile (see "customize" below)
           Scrub "builder.log" (log file from build commands) from the image
           after building is complete.  If you don't want to reveal precisely
           how the image was built, use this option.

           See also: "LOG FILE".

       --password USER:SELECTOR (see "customize" below)
           Set the password for "USER".  (Note this option does not create the
           user account).

           See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
           "SELECTOR" field, and also how to set up user accounts.

       --password-crypto md5|sha256|sha512 (see "customize" below)
           When the virt tools change or set a password in the guest, this
           option sets the password encryption of that password to "md5",
           "sha256" or "sha512".

           "sha256" and "sha512" require glibc ≥ 2.7 (check crypt(3) inside
           the guest).

           "md5" will work with relatively old Linux guests (eg. RHEL 3), but
           is not secure against modern attacks.

           The default is "sha512" unless libguestfs detects an old guest that
           didn't have support for SHA-512, in which case it will use "md5".
           You can override libguestfs by specifying this option.

           Note this does not change the default password encryption used by
           the guest when you create new user accounts inside the guest.  If
           you want to do that, then you should use the --edit option to
           modify "/etc/sysconfig/authconfig" (Fedora, RHEL) or
           "/etc/pam.d/common-password" (Debian, Ubuntu).

       --remove-user-accounts USERS (see "user-account" below)
           The user accounts to be removed from the guest.  The value of this
           option is a list of user names separated by comma, where specifying
           a user means it is going to be removed.  For example:

            --remove-user-accounts bob,eve

           would only remove the user accounts "bob" and "eve".

           This option can be specified multiple times.

       --root-password SELECTOR (see "customize" below)
           Set the root password.

           See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
           "SELECTOR" field, and also how to set up user accounts.

           Note: In virt-builder, if you don't set --root-password then the
           guest is given a random root password.

       --run SCRIPT (see "customize" below)
           Run the shell script (or any program) called "SCRIPT" on the disk
           image.  The script runs virtualized inside a small appliance,
           chrooted into the guest filesystem.

           The script is automatically chmod +x.

           If libguestfs supports it then a limited network connection is
           available but it only allows outgoing network connections.  You can
           also attach data disks (eg. ISO files) as another way to provide
           data (eg. software packages) to the script without needing a
           network connection (--attach).  You can also upload data files
           (--upload).

           You can have multiple --run options.  They run in the same order
           that they appear on the command line.

           See also: --firstboot, --attach, --upload.

       --run-command 'CMD+ARGS' (see "customize" below)
           Run the command and arguments on the disk image.  The command runs
           virtualized inside a small appliance, chrooted into the guest
           filesystem.

           If libguestfs supports it then a limited network connection is
           available but it only allows outgoing network connections.  You can
           also attach data disks (eg. ISO files) as another way to provide
           data (eg. software packages) to the script without needing a
           network connection (--attach).  You can also upload data files
           (--upload).

           You can have multiple --run-command options.  They run in the same
           order that they appear on the command line.

           See also: --firstboot, --attach, --upload.

       --script SCRIPT (see "script" below)
           Run the named "SCRIPT" (a shell script or program) against the
           guest.  The script can be any program on the host.  The script’s
           current directory will be the guest’s root directory.

           Note: If the script is not on the $PATH, then you must give the
           full absolute path to the script.

       --scriptdir SCRIPTDIR (see "script" below)
           The mount point (an empty directory on the host) used when the
           "script" operation is enabled and one or more scripts are specified
           using --script parameter(s).

           Note: "SCRIPTDIR" must be an absolute path.

           If --scriptdir is not specified then a temporary mountpoint will be
           created.

       --scrub FILE (see "customize" below)
           Scrub a file from the guest.  This is like --delete except that:

           ·   It scrubs the data so a guest could not recover it.

           ·   It cannot delete directories, only regular files.

       --selinux-relabel (see "customize" below)
           Relabel files in the guest so that they have the correct SELinux
           label.

           This will attempt to relabel files immediately, but if the
           operation fails this will instead touch /.autorelabel on the image
           to schedule a relabel operation for the next time the image boots.

           You should only use this option for guests which support SELinux.

       --sm-attach SELECTOR (see "customize" below)
           Attach to a pool using "subscription-manager".

           See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
           "SELECTOR" field.

       --sm-credentials SELECTOR (see "customize" below)
           Set the credentials for "subscription-manager".

           See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
           "SELECTOR" field.

       --sm-register (see "customize" below)
           Register the guest using "subscription-manager".

           This requires credentials being set using --sm-credentials.

       --sm-remove (see "customize" below)
           Remove all the subscriptions from the guest using
           "subscription-manager".

       --sm-unregister (see "customize" below)
           Unregister the guest using "subscription-manager".

       --ssh-inject USER[:SELECTOR] (see "customize" below)
           Inject an ssh key so the given "USER" will be able to log in over
           ssh without supplying a password.  The "USER" must exist already in
           the guest.

           See "SSH KEYS" in virt-builder(1) for the format of the "SELECTOR"
           field.

           You can have multiple --ssh-inject options, for different users and
           also for more keys for each user.

       --timezone TIMEZONE (see "customize" below)
           Set the default timezone of the guest to "TIMEZONE".  Use a
           location string like "Europe/London".

       --touch FILE (see "customize" below)
           This command performs a touch(1)-like operation on "FILE".

       --truncate FILE (see "customize" below)
           This command truncates "FILE" to a zero-length file. The file must
           exist already.

       --truncate-recursive PATH (see "customize" below)
           This command recursively truncates all files under "PATH" to
           zero-length.

       --uninstall PKG,PKG.. (see "customize" below)
           Uninstall the named packages (a comma-separated list).  These are
           removed during the image build using the guest’s package manager
           (eg. apt, yum, etc.).  Dependent packages may also need to be
           uninstalled to satisfy the request.

           See also --install, --update.

       --update (see "customize" below)
           Do the equivalent of "yum update", "apt-get upgrade", or whatever
           command is required to update the packages already installed in the
           template to their latest versions.

           See also --install, --uninstall.

       --upload FILE:DEST (see "customize" below)
           Upload local file "FILE" to destination "DEST" in the disk image.
           File owner and permissions from the original are preserved, so you
           should set them to what you want them to be in the disk image.

           "DEST" could be the final filename.  This can be used to rename the
           file on upload.

           If "DEST" is a directory name (which must already exist in the
           guest) then the file is uploaded into that directory, and it keeps
           the same name as on the local filesystem.

           See also: --mkdir, --delete, --scrub.

       --write FILE:CONTENT (see "customize" below)
           Write "CONTENT" to "FILE".

OPERATIONS
       If the --enable/--operations option is not given, then most sysprep
       operations are enabled.

       Use "virt-sysprep --list-operations" to list all operations for your
       virt-sysprep binary.  The ones which are enabled by default are marked
       with a "*" character.  Regardless of the --enable/--operations options,
       sysprep operations are skipped for some guest types.

       Operations can be individually enabled using the --enable/--operations
       options.  Use a comma-separated list, for example:

        virt-sysprep --operations ssh-hostkeys,udev-persistent-net [etc..]

       Future versions of virt-sysprep may add more operations.  If you are
       using virt-sysprep and want predictable behaviour, specify only the
       operations that you want to have enabled.

       "*" = enabled by default when no --enable/--operations option is given.

   abrt-data *
       Remove the crash data generated by ABRT.

       Remove the automatically generated ABRT crash data in
       "/var/spool/abrt/".

   backup-files *
       Remove editor backup files from the guest.

       The following files are removed from anywhere in the guest filesystem:

       ·   *.bak

       ·   *~

       On Linux and Unix operating systems, only the following filesystems
       will be examined:

       ·   /etc

       ·   /root

       ·   /srv

       ·   /tmp

       ·   /var

   bash-history *
       Remove the bash history in the guest.

       Remove the bash history of user "root" and any other users who have a
       ".bash_history" file in their home directory.

       Notes on bash-history

       Currently this only looks in "/root" and "/home/*" for home
       directories, so users with home directories in other locations won't
       have the bash history removed.

   blkid-tab *
       Remove blkid tab in the guest.

   ca-certificates
       Remove CA certificates in the guest.

   crash-data *
       Remove the crash data generated by kexec-tools.

       Remove the automatically generated kdump kernel crash data.

   cron-spool *
       Remove user at-jobs and cron-jobs.

   customize *
       Customize the guest.

       Customize the guest by providing virt-customize(1) options for
       installing packages, editing files and so on.

   dhcp-client-state *
       Remove DHCP client leases.

   dhcp-server-state *
       Remove DHCP server leases.

   dovecot-data *
       Remove Dovecot (mail server) data.

   firewall-rules
       Remove the firewall rules.

       This removes custom firewall rules by removing
       "/etc/sysconfig/iptables" or custom firewalld configuration in
       "/etc/firewalld/*/*".

       Note this is not enabled by default since it may expose guests to
       exploits.  Use with care.

   flag-reconfiguration
       Flag the system for reconfiguration.

       For Linux guests, this touches "/.unconfigured", which causes the first
       boot to interactively query the user for settings such as the root
       password and timezone.

   fs-uuids
       Change filesystem UUIDs.

       On guests and filesystem types where this is supported, new random
       UUIDs are generated and assigned to filesystems.

       Notes on fs-uuids

       The fs-uuids operation is disabled by default because it does not yet
       find and update all the places in the guest that use the UUIDs.  For
       example "/etc/fstab" or the bootloader.  Enabling this operation is
       more likely than not to make your guest unbootable.

       See: https://bugzilla.redhat.com/show_bug.cgi?id=991641

   kerberos-data
       Remove Kerberos data in the guest.

   logfiles *
       Remove many log files from the guest.

       On Linux the following files are removed:

       ·   /etc/Pegasus/*.cnf

       ·   /etc/Pegasus/*.crt

       ·   /etc/Pegasus/*.csr

       ·   /etc/Pegasus/*.pem

       ·   /etc/Pegasus/*.srl

       ·   /root/anaconda-ks.cfg

       ·   /root/anaconda-post.log

       ·   /root/initial-setup-ks.cfg

       ·   /root/install.log

       ·   /root/install.log.syslog

       ·   /root/original-ks.cfg

       ·   /var/cache/fontconfig/*

       ·   /var/cache/gdm/*

       ·   /var/cache/man/*

       ·   /var/lib/AccountService/users/*

       ·   /var/lib/fprint/*

       ·   /var/lib/logrotate.status

       ·   /var/log/*.log*

       ·   /var/log/BackupPC/LOG

       ·   /var/log/ConsoleKit/*

       ·   /var/log/anaconda.syslog

       ·   /var/log/anaconda/*

       ·   /var/log/apache2/*_log

       ·   /var/log/apache2/*_log-*

       ·   /var/log/apt/*

       ·   /var/log/aptitude*

       ·   /var/log/audit/*

       ·   /var/log/btmp*

       ·   /var/log/ceph/*.log

       ·   /var/log/chrony/*.log

       ·   /var/log/cron*

       ·   /var/log/cups/*_log*

       ·   /var/log/debug*

       ·   /var/log/dmesg*

       ·   /var/log/exim4/*

       ·   /var/log/faillog*

       ·   /var/log/firewalld*

       ·   /var/log/gdm/*

       ·   /var/log/glusterfs/*glusterd.vol.log

       ·   /var/log/glusterfs/glusterfs.log

       ·   /var/log/grubby*

       ·   /var/log/httpd/*log

       ·   /var/log/installer/*

       ·   /var/log/jetty/jetty-console.log

       ·   /var/log/journal/*

       ·   /var/log/lastlog*

       ·   /var/log/libvirt/libvirtd.log

       ·   /var/log/libvirt/libxl/*.log

       ·   /var/log/libvirt/lxc/*.log

       ·   /var/log/libvirt/qemu/*.log

       ·   /var/log/libvirt/uml/*.log

       ·   /var/log/lightdm/*

       ·   /var/log/mail/*

       ·   /var/log/maillog*

       ·   /var/log/messages*

       ·   /var/log/ntp

       ·   /var/log/ntpstats/*

       ·   /var/log/ppp/connect-errors

       ·   /var/log/rhsm/*

       ·   /var/log/sa/*

       ·   /var/log/secure*

       ·   /var/log/setroubleshoot/*.log

       ·   /var/log/spooler*

       ·   /var/log/squid/*.log
882
883       ·   /var/log/syslog*
884
885       ·   /var/log/tallylog*
886
887       ·   /var/log/tuned/tuned.log
888
889       ·   /var/log/wtmp*
890
891       ·   /var/log/xferlog*
892
893       ·   /var/named/data/named.run

   lvm-uuids *
       Change LVM2 PV and VG UUIDs.

       On Linux guests that have LVM2 physical volumes (PVs) or volume groups
       (VGs), new random UUIDs are generated and assigned to those PVs and
       VGs.

   machine-id *
       Remove the local machine ID.

       The machine ID is usually generated from a random source during system
       installation and stays constant for all subsequent boots.  Optionally,
       for stateless systems it is generated during runtime at boot if it is
       found to be empty.

   mail-spool *
       Remove email from the local mail spool directory.

   net-hostname *
       Remove HOSTNAME and DHCP_HOSTNAME in network interface configuration.

       For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
       files.

   net-hwaddr *
       Remove HWADDR (hard-coded MAC address) configuration.

       For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
       files.

   pacct-log *
       Remove the process accounting log files.

       If process accounting is on, system-wide process accounting data is
       stored in the pacct log files.

   package-manager-cache *
       Remove package manager cache.

   pam-data *
       Remove the PAM data in the guest.

   passwd-backups *
       Remove /etc/passwd- and similar backup files.

       On Linux the following files are removed:

       ·   /etc/group-

       ·   /etc/gshadow-

       ·   /etc/passwd-

       ·   /etc/shadow-

       ·   /etc/subgid-

       ·   /etc/subuid-

   puppet-data-log *
       Remove the data and log files of puppet.

   rh-subscription-manager *
       Remove the RH subscription manager files.

   rhn-systemid *
       Remove the RHN system ID.

   rpm-db *
       Remove host-specific RPM database files.

       Remove host-specific RPM database files and locks.  RPM will recreate
       these files automatically if needed.

   samba-db-log *
       Remove the database and log files of Samba.

   script *
       Run arbitrary scripts against the guest.

       The "script" module lets you run arbitrary shell scripts or programs
       against the guest.

       Note this feature requires FUSE support.  You may have to enable this
       in your host, for example by adding the current user to the "fuse"
       group, or by loading a kernel module.

       Use one or more --script parameters to specify scripts or programs that
       will be run against the guest.

       The script or program is run with its current directory being the
       guest’s root directory, so relative paths should be used.  For example:
       "rm etc/resolv.conf" in the script would remove a Linux guest’s DNS
       configuration file, but "rm /etc/resolv.conf" would (try to) remove the
       host’s file.

       Normally a temporary mount point for the guest is used, but you can
       choose a specific one by using the --scriptdir parameter.

       Note: This is different from --firstboot scripts (which run in the
       context of the guest when it is booting for the first time).  --script
       scripts run on the host, not in the guest.
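
       Because a --script script runs on the host, one mistyped absolute
       path touches the host instead of the guest.  The following is an
       added example, not part of virt-sysprep: the helper names guest_path
       and guest_rm are hypothetical, and the guard also rejects ".."
       components and parent directories that resolve outside the guest tree.

```shell
#!/bin/sh
# Added example: path guard for a virt-sysprep --script script.
# guest_path and guest_rm are hypothetical helper names.
#
# virt-sysprep starts the script on the host with the current directory set
# to the guest's root, so capture that directory once, physically resolved.
GUEST_ROOT=${GUEST_ROOT:-$(pwd -P)}

# guest_path REL
# Print the host-side path for guest-relative path REL, or fail if REL could
# name something outside the guest tree.
guest_path() {
    gp_rel=$1
    if [ "$GUEST_ROOT" = / ]; then
        echo "guest root is the host root; not running under --script?" >&2
        return 1
    fi
    case $gp_rel in
        ''|/*) echo "refusing non-relative path: '$gp_rel'" >&2; return 1 ;;
    esac
    case /$gp_rel/ in
        */../*) echo "refusing '..' component: $gp_rel" >&2; return 1 ;;
    esac
    # Resolve the parent directory physically: a guest symlink with an
    # absolute target is followed on the host and would otherwise lead
    # out of the guest tree.
    gp_parent=$(cd "$GUEST_ROOT/$(dirname -- "$gp_rel")" 2>/dev/null && pwd -P) || {
        echo "no such directory in guest: $(dirname -- "$gp_rel")" >&2
        return 1
    }
    case $gp_parent/ in
        "$GUEST_ROOT"/*) ;;
        *) echo "refusing path outside guest root: $gp_rel" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "$gp_parent" "$(basename -- "$gp_rel")"
}

# guest_rm REL
# Remove one file from the guest.  rm removes a symlink itself rather than
# its target, so checking the parent directory is sufficient here.
guest_rm() {
    gr_target=$(guest_path "$1") || return 1
    rm -f -- "$gr_target"
}

# Typical use inside the script passed to --script:
#   guest_rm etc/resolv.conf      # the guest's file
#   guest_rm /etc/resolv.conf     # refused: would be the host's file
```
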

   smolt-uuid *
       Remove the Smolt hardware UUID.

   ssh-hostkeys *
       Remove the SSH host keys in the guest.

       The SSH host keys are regenerated (differently) next time the guest is
       booted.

       If, after cloning, the guest gets the same IP address, ssh will give
       you a stark warning about the host key changing:

        @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
        @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
        @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
        IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

   ssh-userdir *
       Remove ".ssh" directories in the guest.

       Remove the ".ssh" directory of user "root" and any other users who have
       a ".ssh" directory in their home directory.

       Notes on ssh-userdir

       Currently this only looks in "/root" and "/home/*" for home
       directories, so users with home directories in other locations won't
       have the ssh files removed.

   sssd-db-log *
       Remove the database and log files of sssd.

   tmp-files *
       Remove temporary files.

       This removes temporary files under "/tmp" and "/var/tmp".

   udev-persistent-net *
       Remove udev persistent net rules.

       Remove udev persistent net rules which map the guest’s existing MAC
       address to a fixed ethernet device (eg. eth0).

       After a guest is cloned, the MAC address usually changes.  Since the
       old MAC address occupies the old name (eg. eth0), this means the fresh
       MAC address is assigned to a new name (eg. eth1) and this is usually
       undesirable.  Erasing the udev persistent net rules avoids this.

   user-account
       Remove the user accounts in the guest.

       By default remove all the user accounts and their home directories.
       The "root" account is not removed.

       See the --remove-user-accounts parameter for a way to specify how to
       remove only some users, or to not remove some others.

   utmp *
       Remove the utmp file.

       This file records who is currently logged in on a machine.  In modern
       Linux distros it is stored in a ramdisk and hence not part of the
       virtual machine’s disk, but it was stored on disk in older distros.

   yum-uuid *
       Remove the yum UUID.

       Yum creates a fresh UUID the next time it runs when it notices that the
       original UUID has been erased.

COPYING AND CLONING

       Virt-sysprep can be used as part of a process of cloning guests, or to
       prepare a template from which guests can be cloned.  There are many
       different ways to achieve this using the virt tools, and this section
       is just an introduction.

       A virtual machine (when switched off) consists of two parts:

       configuration
           The configuration or description of the guest.  eg. The libvirt XML
           (see "virsh dumpxml"), the running configuration of the guest, or
           another external format like OVF.

           Some configuration items that might need to be changed:

           ·   name

           ·   UUID

           ·   path to block device(s)

           ·   network card MAC address

       block device(s)
           One or more hard disk images, themselves containing files,
           directories, applications, kernels, configuration, etc.

           Some things inside the block devices that might need to be changed:

           ·   hostname and other net configuration

           ·   UUID

           ·   SSH host keys

           ·   Windows unique security ID (SID)

           ·   Puppet registration

   COPYING THE BLOCK DEVICE
       Starting with an original guest, you probably wish to copy the guest
       block device and its configuration to make a template.  Then once you
       are happy with the template, you will want to make many clones from it.

                               virt-sysprep
                                    |
                                    v
        original guest --------> template ---------->
                                             \------> cloned
                                              \-----> guests
                                               \---->

       You can, of course, just copy the block device on the host using cp(1)
       or dd(1).

                          dd                 dd
        original guest --------> template ---------->
                                             \------> cloned
                                              \-----> guests
                                               \---->

       There are some smarter (and faster) ways too:

                                 snapshot
                       template ---------->
                                   \------> cloned
                                    \-----> guests
                                     \---->

       You may want to run virt-sysprep twice, once to reset the guest (to
       make a template) and a second time to customize the guest for a
       specific user:

                           virt-sysprep        virt-sysprep
                             (reset)      (add user, keys, logos)
                                |                   |
                        dd      v          dd       v
        original guest ----> template ---------> copied ------> custom
                                                 template       guest

       ·   Create a snapshot using qemu-img:

            qemu-img create -f qcow2 -o backing_file=original snapshot.qcow

           The advantage is that you don’t need to copy the original (very
           fast) and only changes are stored (less storage required).

           Note that you must not write to the backing file once you have
           created guests on top of it: you will corrupt the guests.

       ·   Create a snapshot using "lvcreate --snapshot".

       ·   Other ways to create snapshots include using filesystem-level
           tools (for filesystems such as btrfs).

           Most Network Attached Storage (NAS) devices can also create cheap
           snapshots from files or LUNs.

       ·   Get your NAS to duplicate the LUN.  Most NAS devices can also
           duplicate LUNs very cheaply (they copy them on-demand in the
           background).

       ·   Prepare your template using virt-sparsify(1).  See below.

   VIRT-CLONE
       A separate tool, virt-clone(1), can be used to duplicate the block
       device and/or modify the external libvirt configuration of a guest.  It
       will reset the name, UUID and MAC address of the guest in the libvirt
       XML.

       virt-clone(1) does not use libguestfs and cannot look inside the disk
       image.  This was the original motivation to write virt-sysprep.

   SPARSIFY
                     virt-sparsify
        original guest --------> template

       virt-sparsify(1) can be used to make the cloning template smaller,
       making it easier to compress and/or faster to copy.

       Notice that since virt-sparsify also copies the image, you can use it
       to make the initial copy (instead of "dd").

   RESIZE
                                virt-resize
                       template ---------->
                                   \------> cloned
                                    \-----> guests
                                     \---->

       If you want to give people cloned guests, but let them pick the size of
       the guest themselves (eg. depending on how much they are prepared to
       pay for disk space), then instead of copying the template, you can run
       virt-resize(1).  Virt-resize performs a copy and resize, and thus is
       ideal for cloning guests from a template.

FIRSTBOOT VS SCRIPT

       The two options --firstboot and --script both supply shell scripts that
       are run against the guest.  However these two options are significantly
       different.

       --firstboot script uploads the file "script" into the guest and
       arranges that it will run, in the guest, when the guest is next booted.
       (The script will only run once, at the "first boot").

       --script script runs the shell "script" on the host, with its current
       directory inside the guest filesystem.

       If you needed, for example, to "yum install" new packages, then you
       must not use --script for this, since that would (a) run the "yum"
       command on the host and (b) wouldn't have access to the same resources
       (repositories, keys, etc.) as the guest.  Any command that needs to run
       on the guest must be run via --firstboot.

       On the other hand if you need to make adjustments to the guest
       filesystem (eg. copying in files), then --script is ideal since (a) it
       has access to the host filesystem and (b) you will get immediate
       feedback on errors.

       Either or both options can be used multiple times on the command line.

SECURITY

       Although virt-sysprep removes some sensitive information from the
       guest, it does not pretend to remove all of it.  You should examine the
       "OPERATIONS" above and the guest afterwards.

       Sensitive files are simply removed.  The data they contained may still
       exist on the disk, easily recovered with a hex editor or undelete tool.
       The --scrub option can be used to scrub files instead of just deleting
       them.  virt-sparsify(1) is another way to remove this content.  See
       also the scrub(1) command to get rid of deleted content in directory
       entries and inodes.
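
       One way to examine the guest afterwards is to audit its file tree
       for items the operations are meant to remove, including ".ssh"
       directories in home directories outside "/root" and "/home/*".  The
       following is an added example, not part of virt-sysprep: the function
       names are hypothetical, and it assumes the guest's root is available
       as a directory on the host, for instance mounted read-only.

```shell
#!/bin/sh
# Added example: audit a guest tree (for instance a read-only mount of the
# image) for items the operations above are meant to remove.
# audit_guest_tree and report are hypothetical names.

audit_findings=0
report() {   # report KIND GUEST-PATH
    printf '%s\t%s\n' "$1" "$2"
    audit_findings=$((audit_findings + 1))
}

# audit_guest_tree ROOT
# Prints one "kind<TAB>path" line per leftover; returns 0 only if none found.
audit_guest_tree() {
    root=${1%/}
    audit_findings=0

    # ssh-hostkeys: host keys must not be shared between clones.
    for f in "$root"/etc/ssh/ssh_host_*; do
        if [ -e "$f" ]; then report ssh-hostkeys "${f#"$root"}"; fi
    done

    # ssh-userdir only looks in /root and /home/*, so take every home
    # directory from the guest's own passwd file instead.
    if [ -r "$root/etc/passwd" ]; then
        while IFS=: read -r user pw uid gid gecos home shell; do
            if [ -n "$home" ] && [ -d "$root$home/.ssh" ]; then
                report ssh-userdir "$home/.ssh"
            fi
        done < "$root/etc/passwd"
    fi

    # passwd-backups: the backup files listed on this page.
    for name in group- gshadow- passwd- shadow- subgid- subuid-; do
        if [ -e "$root/etc/$name" ]; then report passwd-backups "/etc/$name"; fi
    done

    # machine-id: a non-empty file means every clone shares one ID.
    if [ -s "$root/etc/machine-id" ]; then report machine-id /etc/machine-id; fi

    # net-hostname / net-hwaddr: settings left in ifcfg-* files
    # (Fedora and Red Hat Enterprise Linux location).
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        if [ -f "$f" ] && grep -Eq '^(HWADDR|HOSTNAME|DHCP_HOSTNAME)=' "$f"; then
            report net-config "${f#"$root"}"
        fi
    done

    [ "$audit_findings" -eq 0 ]
}
```
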

   RANDOM SEED
       (This section applies to Linux guests only)

       For supported guests, virt-sysprep writes a few bytes of randomness
       from the host into the guest’s random seed file.

       If this is just done once and the guest is cloned from the same
       template, then each guest will start with the same entropy, and things
       like SSH host keys and TCP sequence numbers may be predictable.

       Therefore you should arrange to add more randomness after cloning from
       a template too, which can be done by enabling just the customize
       module:

        cp template.img newguest.img
        virt-sysprep --enable customize -a newguest.img

SELINUX

       For guests which make use of SELinux, special handling might be
       needed when using operations which create new files or alter
       existing ones.

       For further details, see "SELINUX" in virt-builder(1).

WINDOWS 8

       Windows 8 "fast startup" can prevent virt-sysprep from working.  See
       "WINDOWS HIBERNATION AND WINDOWS 8 FAST STARTUP" in guestfs(3).

EXIT STATUS

       This program returns 0 on success, or 1 if there was an error.

ENVIRONMENT VARIABLES

       "VIRT_TOOLS_DATA_DIR"
           This can point to the directory containing data files used for
           Windows firstboot installation.

           Normally you do not need to set this.  If not set, a compiled-in
           default will be used (something like /usr/share/virt-tools).

           This directory may contain the following files:

           rhsrvany.exe
               This is the RHSrvAny Windows binary, used to install a
               "firstboot" script in Windows guests.  It is required if you
               intend to use the --firstboot or --firstboot-command options
               with Windows guests.

               See also: "https://github.com/rwmjones/rhsrvany"

           pvvxsvc.exe
               This is a Windows binary shipped with SUSE VMDP, used to
               install a "firstboot" script in Windows guests.  It is required
               if you intend to use the --firstboot or --firstboot-command
               options with Windows guests.

       For other environment variables, see "ENVIRONMENT VARIABLES" in
       guestfs(3).

SEE ALSO

       guestfs(3), guestfish(1), virt-builder(1), virt-clone(1),
       virt-customize(1), virt-rescue(1), virt-resize(1), virt-sparsify(1),
       virsh(1), lvcreate(8), qemu-img(1), scrub(1), http://libguestfs.org/,
       http://libvirt.org/.

AUTHORS

       Richard W.M. Jones http://people.redhat.com/~rjones/

       Wanlong Gao, Fujitsu Ltd.

COPYRIGHT

       Copyright (C) 2011-2018 Red Hat Inc.

       Copyright (C) 2012 Fujitsu Ltd.

LICENSE

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

BUGS

       To get a list of bugs against libguestfs, use this link:
       https://bugzilla.redhat.com/buglist.cgi?component=libguestfs&product=Virtualization+Tools

       To report a new bug against libguestfs, use this link:
       https://bugzilla.redhat.com/enter_bug.cgi?component=libguestfs&product=Virtualization+Tools

       When reporting a bug, please supply:

       ·   The version of libguestfs.

       ·   Where you got libguestfs (eg. which Linux distro, compiled from
           source, etc)

       ·   Describe the bug accurately and give a way to reproduce it.

       ·   Run libguestfs-test-tool(1) and paste the complete, unedited output
           into the bug report.



libguestfs-1.38.2                 2018-05-15                   virt-sysprep(1)