1virt-sysprep(1) Virtualization Support virt-sysprep(1)
2
6 virt-sysprep - Reset, unconfigure or customize a virtual machine so
7 clones can be made
8
10 virt-sysprep [--options] -d domname
11 virt-sysprep [--options] -a disk.img [-a disk.img ...]
13
15 Using "virt-sysprep" on live virtual machines, or concurrently with
16 other disk editing tools, can be dangerous, potentially causing disk
17 corruption. The virtual machine must be shut down before you use this
18 command, and disk images must not be edited concurrently.
19
21 Virt-sysprep can reset or unconfigure a virtual machine so that clones
22 can be made from it. Steps in this process include removing SSH host
23 keys, removing persistent network MAC configuration, and removing user
24 accounts. Virt-sysprep can also customize a virtual machine, for
25 instance by adding SSH keys, users or logos. Each step can be enabled
26 or disabled as required.
27 Virt-sysprep modifies the guest or disk image in place. The guest must
29 be shut down. If you want to preserve the existing contents of the
30 guest, you must snapshot, copy or clone the disk first. See "COPYING
31 AND CLONING" below.
32 You do not need to run virt-sysprep as root. In fact we'd generally
34 recommend that you don't. The time you might want to run it as root is
35 when you need root in order to access the disk image, but even in this
36 case it would be better to change the permissions on the disk image to
37 be writable as the non-root user running virt-sysprep.
38 "Sysprep" stands for "system preparation" tool. The name comes from
40 the Microsoft program sysprep.exe which is used to unconfigure Windows
41 machines in preparation for cloning them. Having said that, virt-
42 sysprep does not currently work on Microsoft Windows guests. We plan
43 to support Windows sysprepping in a future version, and we already have
44 code to do it.
45
47 --help
48 Display brief help.
49 -a file
51 --add file
52 Add file which should be a disk image from a virtual machine.
53 The format of the disk image is auto-detected. To override this
55 and force a particular format use the --format option.
56 -a URI
58 --add URI
59 Add a remote disk. The URI format is compatible with guestfish.
60 See "ADDING REMOTE STORAGE" in guestfish(1).
61 --colors
63 --colours
64 Use ANSI colour sequences to colourize messages. This is the
65 default when the output is a tty. If the output of the program is
66 redirected to a file, ANSI colour sequences are disabled unless you
67 use this option.
68 -c URI
70 --connect URI
71 If using libvirt, connect to the given URI. If omitted, then we
72 connect to the default libvirt hypervisor.
73 If you specify guest block devices directly (-a), then libvirt is
75 not used at all.
76 -d guest
78 --domain guest
79 Add all the disks from the named libvirt guest. Domain UUIDs can
80 be used instead of names.
81 -n
83 --dry-run
84 Perform a read-only "dry run" on the guest. This runs the sysprep
85 operation, but throws away any changes to the disk at the end.
86 --enable operations
88 Choose which sysprep operations to perform. Give a comma-separated
89 list of operations, for example:
90 --enable ssh-hostkeys,udev-persistent-net
92 would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
94 operations.
95 If the --enable option is not given, then we default to trying most
97 sysprep operations (see --list-operations to show which are
98 enabled).
99 Regardless of the --enable option, sysprep operations are skipped
101 for some guest types.
102 Use --list-operations to list operations supported by a particular
104 version of virt-sysprep.
105 See "OPERATIONS" below for a list and an explanation of each
107 operation.
108 --operation operations
110 --operations operations
111 Choose which sysprep operations to perform. Give a comma-separated
112 list of operations, for example:
113 --operations ssh-hostkeys,udev-persistent-net
115 would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
117 operations.
118 --operations allows you to enable and disable any operation,
120 including the default ones (which would be tried when specifying
121 neither --operations nor --enable) and all the available ones;
122 prepending a "-" in front of an operation name removes it from the
123 list of enabled operations, while the meta-names "defaults" and
124 "all" represent respectively the operations enabled by default and
125 all the available ones. For example:
126 --operations firewall-rules,defaults,-tmp-files
128 would enable the "firewall-rules" operation (regardless whether it
130 is enabled by default), all the default ones, and disable the
131 "tmp-files" operation.
132 --operations can be specified multiple times; the first time the
134 set of enabled operations is empty, while any further --operations
135 affects the operations enabled so far.
136 If the --operations option is not given, then we default to trying
138 most sysprep operations (see --list-operations to show which are
139 enabled).
140 Regardless of the --operations option, sysprep operations are
142 skipped for some guest types.
143 Use --list-operations to list operations supported by a particular
145 version of virt-sysprep.
146 See "OPERATIONS" below for a list and an explanation of each
148 operation.
149 --echo-keys
151 When prompting for keys and passphrases, virt-sysprep normally
152 turns echoing off so you cannot see what you are typing. If you
153 are not worried about Tempest attacks and there is no one else in
154 the room you can specify this flag to see what you are typing.
155 --format raw|qcow2|..
157 --format auto
158 The default for the -a option is to auto-detect the format of the
159 disk image. Using this forces the disk format for -a options which
160 follow on the command line. Using --format auto switches back to
161 auto-detection for subsequent -a options.
162 For example:
164 virt-sysprep --format raw -a disk.img
166 forces raw format (no auto-detection) for disk.img.
168 virt-sysprep --format raw -a disk.img --format auto -a another.img
170 forces raw format (no auto-detection) for disk.img and reverts to
172 auto-detection for another.img.
173 If you have untrusted raw-format guest disk images, you should use
175 this option to specify the disk format. This avoids a possible
176 security problem with malicious guests (CVE-2010-3851).
177 --key SELECTOR
179 Specify a key for LUKS, to automatically open a LUKS device when
180 using the inspection. "ID" can be either the libguestfs device
181 name, or the UUID of the LUKS device.
182 --key "ID":key:KEY_STRING
184 Use the specified "KEY_STRING" as passphrase.
185 --key "ID":file:FILENAME
187 Read the passphrase from FILENAME.
188 --keys-from-stdin
190 Read key or passphrase parameters from stdin. The default is to
191 try to read passphrases from the user by opening /dev/tty.
192 If there are multiple encrypted devices then you may need to supply
194 multiple keys on stdin, one per line.
195 --list-operations
197 List the operations supported by the virt-sysprep program.
198 These are listed one per line, with one or more single-space-
200 separated fields, eg:
201 $ virt-sysprep --list-operations
203 bash-history * Remove the bash history in the guest
204 cron-spool * Remove user at-jobs and cron-jobs
205 dhcp-client-state * Remove DHCP client leases
206 dhcp-server-state * Remove DHCP server leases
207 [etc]
208 The first field is the operation name, which can be supplied to
210 --enable. The second field is a "*" character if the operation is
211 enabled by default or blank if not. Subsequent fields on the same
212 line are the description of the operation.
213 Before libguestfs 1.17.33 only the first (operation name) field was
215 shown and all operations were enabled by default.
216 --mount-options mp:opts[;mp:opts;...]
218 Set the mount options used when libguestfs opens the disk image.
219 Note this has no effect on the guest. It is used when opening
220 certain guests such as ones using the UFS (BSD) filesystem.
221 Use a semicolon-separated list of "mountpoint:options" pairs. You
223 may need to quote this list to protect it from the shell.
224 For example:
226 --mount-options "/:noatime"
228 will mount the root directory with "notime". This example:
230 --mount-options "/:noatime;/var:rw,nodiratime"
232 will do the same, plus mount /var with "rw,nodiratime".
234 -q
236 --quiet
237 Don’t print log messages.
238 To enable detailed logging of individual file operations, use -x.
240 --network
242 --no-network
243 Enable or disable network access from the guest during the
244 installation.
245 In virt-sysprep, the network is disabled by default. You must use
247 --network to enable it, in order that options such as --install or
248 --update will work.
249 virt-builder(1) has more information about the security advantages
251 of disabling the network.
252 -v
254 --verbose
255 Enable verbose messages for debugging.
256 -V
258 --version
259 Display version number and exit.
260 -x Enable tracing of libguestfs API calls.
262 --append-line FILE:LINE (see "customize" below)
264 Append a single line of text to the "FILE". If the file does not
265 already end with a newline, then one is added before the appended
266 line. Also a newline is added to the end of the "LINE" string
267 automatically.
268 For example (assuming ordinary shell quoting) this command:
270 --append-line '/etc/hosts:10.0.0.1 foo'
272 will add either "10.0.0.1 foo⏎" or "⏎10.0.0.1 foo⏎" to the file,
274 the latter only if the existing file does not already end with a
275 newline.
276 "⏎" represents a newline character, which is guessed by looking at
278 the existing content of the file, so this command does the right
279 thing for files using Unix or Windows line endings. It also works
280 for empty or non-existent files.
281 To insert several lines, use the same option several times:
283 --append-line '/etc/hosts:10.0.0.1 foo'
285 --append-line '/etc/hosts:10.0.0.2 bar'
286 To insert a blank line before the appended line, do:
288 --append-line '/etc/hosts:'
290 --append-line '/etc/hosts:10.0.0.1 foo'
291 --chmod PERMISSIONS:FILE (see "customize" below)
293 Change the permissions of "FILE" to "PERMISSIONS".
294 Note: "PERMISSIONS" by default would be decimal, unless you prefix
296 it with 0 to get octal, ie. use 0700 not 700.
297 --commands-from-file FILENAME (see "customize" below)
299 Read the customize commands from a file, one (and its arguments)
300 each line.
301 Each line contains a single customization command and its
303 arguments, for example:
304 delete /some/file
306 install some-package
307 password some-user:password:its-new-password
308 Empty lines are ignored, and lines starting with "#" are comments
310 and are ignored as well. Furthermore, arguments can be spread
311 across multiple lines, by adding a "\" (continuation character) at
312 the of a line, for example
313 edit /some/file:\
315 s/^OPT=.*/OPT=ok/
316 The commands are handled in the same order as they are in the file,
318 as if they were specified as --delete /some/file on the command
319 line.
320 --copy SOURCE:DEST (see "customize" below)
322 Copy files or directories recursively inside the guest.
323 Wildcards cannot be used.
325 --copy-in LOCALPATH:REMOTEDIR (see "customize" below)
327 Copy local files or directories recursively into the disk image,
328 placing them in the directory "REMOTEDIR" (which must exist).
329 Wildcards cannot be used.
331 --delete PATH (see "customize" below)
333 Delete a file from the guest. Or delete a directory (and all its
334 contents, recursively).
335 You can use shell glob characters in the specified path. Be
337 careful to escape glob characters from the host shell, if that is
338 required. For example:
339 virt-customize --delete '/var/log/*.log'.
341 See also: --upload, --scrub.
343 --edit FILE:EXPR (see "customize" below)
345 Edit "FILE" using the Perl expression "EXPR".
346 Be careful to properly quote the expression to prevent it from
348 being altered by the shell.
349 Note that this option is only available when Perl 5 is installed.
351 See "NON-INTERACTIVE EDITING" in virt-edit(1).
353 --firstboot SCRIPT (see "customize" below)
355 Install "SCRIPT" inside the guest, so that when the guest first
356 boots up, the script runs (as root, late in the boot process).
357 The script is automatically chmod +x after installation in the
359 guest.
360 The alternative version --firstboot-command is the same, but it
362 conveniently wraps the command up in a single line script for you.
363 You can have multiple --firstboot options. They run in the same
365 order that they appear on the command line.
366 Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
368 more information and caveats about the first boot scripts.
369 See also --run.
371 --firstboot-command 'CMD+ARGS' (see "customize" below)
373 Run command (and arguments) inside the guest when the guest first
374 boots up (as root, late in the boot process).
375 You can have multiple --firstboot options. They run in the same
377 order that they appear on the command line.
378 Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
380 more information and caveats about the first boot scripts.
381 See also --run.
383 --firstboot-install PKG,PKG.. (see "customize" below)
385 Install the named packages (a comma-separated list). These are
386 installed when the guest first boots using the guest’s package
387 manager (eg. apt, yum, etc.) and the guest’s network connection.
388 For an overview on the different ways to install packages, see
390 "INSTALLING PACKAGES" in virt-builder(1).
391 --hostname HOSTNAME (see "customize" below)
393 Set the hostname of the guest to "HOSTNAME". You can use a dotted
394 hostname.domainname (FQDN) if you want.
395 --install PKG,PKG.. (see "customize" below)
397 Install the named packages (a comma-separated list). These are
398 installed during the image build using the guest’s package manager
399 (eg. apt, yum, etc.) and the host’s network connection.
400 For an overview on the different ways to install packages, see
402 "INSTALLING PACKAGES" in virt-builder(1).
403 See also --update, --uninstall.
405 --keep-user-accounts USERS (see "user-account" below)
407 The user accounts to be kept in the guest. The value of this
408 option is a list of user names separated by comma, where specifying
409 an user means it is going to be kept. For example:
410 --keep-user-accounts mary
412 would keep the user account "mary".
414 This option can be specified multiple times.
416 --link TARGET:LINK[:LINK..] (see "customize" below)
418 Create symbolic link(s) in the guest, starting at "LINK" and
419 pointing at "TARGET".
420 --mkdir DIR (see "customize" below)
422 Create a directory in the guest.
423 This uses "mkdir -p" so any intermediate directories are created,
425 and it also works if the directory already exists.
426 --move SOURCE:DEST (see "customize" below)
428 Move files or directories inside the guest.
429 Wildcards cannot be used.
431 --no-logfile (see "customize" below)
433 Scrub "builder.log" (log file from build commands) from the image
434 after building is complete. If you don't want to reveal precisely
435 how the image was built, use this option.
436 See also: "LOG FILE".
438 --password USER:SELECTOR (see "customize" below)
440 Set the password for "USER". (Note this option does not create the
441 user account).
442 See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
444 "SELECTOR" field, and also how to set up user accounts.
445 --password-crypto md5|sha256|sha512 (see "customize" below)
447 When the virt tools change or set a password in the guest, this
448 option sets the password encryption of that password to "md5",
449 "sha256" or "sha512".
450 "sha256" and "sha512" require glibc ≥ 2.7 (check crypt(3) inside
452 the guest).
453 "md5" will work with relatively old Linux guests (eg. RHEL 3), but
455 is not secure against modern attacks.
456 The default is "sha512" unless libguestfs detects an old guest that
458 didn't have support for SHA-512, in which case it will use "md5".
459 You can override libguestfs by specifying this option.
460 Note this does not change the default password encryption used by
462 the guest when you create new user accounts inside the guest. If
463 you want to do that, then you should use the --edit option to
464 modify "/etc/sysconfig/authconfig" (Fedora, RHEL) or
465 "/etc/pam.d/common-password" (Debian, Ubuntu).
466 --remove-user-accounts USERS (see "user-account" below)
468 The user accounts to be removed from the guest. The value of this
469 option is a list of user names separated by comma, where specifying
470 an user means it is going to be removed. For example:
471 --remove-user-accounts bob,eve
473 would only remove the user accounts "bob" and "eve".
475 This option can be specified multiple times.
477 --root-password SELECTOR (see "customize" below)
479 Set the root password.
480 See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
482 "SELECTOR" field, and also how to set up user accounts.
483 Note: In virt-builder, if you don't set --root-password then the
485 guest is given a random root password.
486 --run SCRIPT (see "customize" below)
488 Run the shell script (or any program) called "SCRIPT" on the disk
489 image. The script runs virtualized inside a small appliance,
490 chrooted into the guest filesystem.
491 The script is automatically chmod +x.
493 If libguestfs supports it then a limited network connection is
495 available but it only allows outgoing network connections. You can
496 also attach data disks (eg. ISO files) as another way to provide
497 data (eg. software packages) to the script without needing a
498 network connection (--attach). You can also upload data files
499 (--upload).
500 You can have multiple --run options. They run in the same order
502 that they appear on the command line.
503 See also: --firstboot, --attach, --upload.
505 --run-command 'CMD+ARGS' (see "customize" below)
507 Run the command and arguments on the disk image. The command runs
508 virtualized inside a small appliance, chrooted into the guest
509 filesystem.
510 If libguestfs supports it then a limited network connection is
512 available but it only allows outgoing network connections. You can
513 also attach data disks (eg. ISO files) as another way to provide
514 data (eg. software packages) to the script without needing a
515 network connection (--attach). You can also upload data files
516 (--upload).
517 You can have multiple --run-command options. They run in the same
519 order that they appear on the command line.
520 See also: --firstboot, --attach, --upload.
522 --script SCRIPT (see "script" below)
524 Run the named "SCRIPT" (a shell script or program) against the
525 guest. The script can be any program on the host. The script’s
526 current directory will be the guest’s root directory.
527 Note: If the script is not on the $PATH, then you must give the
529 full absolute path to the script.
530 --scriptdir SCRIPTDIR (see "script" below)
532 The mount point (an empty directory on the host) used when the
533 "script" operation is enabled and one or more scripts are specified
534 using --script parameter(s).
535 Note: "SCRIPTDIR" must be an absolute path.
537 If --scriptdir is not specified then a temporary mountpoint will be
539 created.
540 --scrub FILE (see "customize" below)
542 Scrub a file from the guest. This is like --delete except that:
543 • It scrubs the data so a guest could not recover it.
545 • It cannot delete directories, only regular files.
547 --selinux-relabel (see "customize" below)
549 Relabel files in the guest so that they have the correct SELinux
550 label.
551 This will attempt to relabel files immediately, but if the
553 operation fails this will instead touch /.autorelabel on the image
554 to schedule a relabel operation for the next time the image boots.
555 You should only use this option for guests which support SELinux.
557 --sm-attach SELECTOR (see "customize" below)
559 Attach to a pool using "subscription-manager".
560 See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
562 "SELECTOR" field.
563 --sm-credentials SELECTOR (see "customize" below)
565 Set the credentials for "subscription-manager".
566 See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
568 "SELECTOR" field.
569 --sm-register (see "customize" below)
571 Register the guest using "subscription-manager".
572 This requires credentials being set using --sm-credentials.
574 --sm-remove (see "customize" below)
576 Remove all the subscriptions from the guest using
577 "subscription-manager".
578 --sm-unregister (see "customize" below)
580 Unregister the guest using "subscription-manager".
581 --ssh-inject USER[:SELECTOR] (see "customize" below)
583 Inject an ssh key so the given "USER" will be able to log in over
584 ssh without supplying a password. The "USER" must exist already in
585 the guest.
586 See "SSH KEYS" in virt-builder(1) for the format of the "SELECTOR"
588 field.
589 You can have multiple --ssh-inject options, for different users and
591 also for more keys for each user.
592 --timezone TIMEZONE (see "customize" below)
594 Set the default timezone of the guest to "TIMEZONE". Use a
595 location string like "Europe/London"
596 --touch FILE (see "customize" below)
598 This command performs a touch(1)-like operation on "FILE".
599 --truncate FILE (see "customize" below)
601 This command truncates "FILE" to a zero-length file. The file must
602 exist already.
603 --truncate-recursive PATH (see "customize" below)
605 This command recursively truncates all files under "PATH" to zero-
606 length.
607 --uninstall PKG,PKG.. (see "customize" below)
609 Uninstall the named packages (a comma-separated list). These are
610 removed during the image build using the guest’s package manager
611 (eg. apt, yum, etc.). Dependent packages may also need to be
612 uninstalled to satisfy the request.
613 See also --install, --update.
615 --update (see "customize" below)
617 Do the equivalent of "yum update", "apt-get upgrade", or whatever
618 command is required to update the packages already installed in the
619 template to their latest versions.
620 See also --install, --uninstall.
622 --upload FILE:DEST (see "customize" below)
624 Upload local file "FILE" to destination "DEST" in the disk image.
625 File owner and permissions from the original are preserved, so you
626 should set them to what you want them to be in the disk image.
627 "DEST" could be the final filename. This can be used to rename the
629 file on upload.
630 If "DEST" is a directory name (which must already exist in the
632 guest) then the file is uploaded into that directory, and it keeps
633 the same name as on the local filesystem.
634 See also: --mkdir, --delete, --scrub.
636 --write FILE:CONTENT (see "customize" below)
638 Write "CONTENT" to "FILE".
639
641 If the --enable/--operations option is not given, then most sysprep
642 operations are enabled.
643 Use "virt-sysprep --list-operations" to list all operations for your
645 virt-sysprep binary. The ones which are enabled by default are marked
646 with a "*" character. Regardless of the --enable/--operations options,
647 sysprep operations are skipped for some guest types.
648 Operations can be individually enabled using the --enable/--operations
650 options. Use a comma-separated list, for example:
651 virt-sysprep --operations ssh-hostkeys,udev-persistent-net [etc..]
653 Future versions of virt-sysprep may add more operations. If you are
655 using virt-sysprep and want predictable behaviour, specify only the
656 operations that you want to have enabled.
657 "*" = enabled by default when no --enable/--operations option is given.
659 abrt-data *
661 Remove the crash data generated by ABRT.
662 Remove the automatically generated ABRT crash data in
664 "/var/spool/abrt/".
665 backup-files *
667 Remove editor backup files from the guest.
668 The following files are removed from anywhere in the guest filesystem:
670 · *.bak
672 · *~
674 On Linux and Unix operating systems, only the following filesystems
676 will be examined:
677 · /etc
679 · /root
681 · /srv
683 · /tmp
685 · /var
687 bash-history *
689 Remove the bash history in the guest.
690 Remove the bash history of user "root" and any other users who have a
692 ".bash_history" file in their home directory.
693 Notes on bash-history
695 Currently this only looks in "/root" and "/home/*" for home
697 directories, so users with home directories in other locations won't
698 have the bash history removed.
699 blkid-tab *
701 Remove blkid tab in the guest.
702 ca-certificates
704 Remove CA certificates in the guest.
705 In case any certificate is removed, the system CA store is updated.
707 crash-data *
709 Remove the crash data generated by kexec-tools.
710 Remove the automatically generated kdump kernel crash data.
712 cron-spool *
714 Remove user at-jobs and cron-jobs.
715 customize *
717 Customize the guest.
718 Customize the guest by providing virt-customize(1) options for
720 installing packages, editing files and so on.
721 dhcp-client-state *
723 Remove DHCP client leases.
724 dhcp-server-state *
726 Remove DHCP server leases.
727 dovecot-data *
729 Remove Dovecot (mail server) data.
730 firewall-rules
732 Remove the firewall rules.
733 This removes custom firewall rules by removing
735 "/etc/sysconfig/iptables" or custom firewalld configuration in
736 "/etc/firewalld/*/*".
737 Note this is not enabled by default since it may expose guests to
739 exploits. Use with care.
740 flag-reconfiguration
742 Flag the system for reconfiguration.
743 For Linux guests, this touches "/.unconfigured", which causes the first
745 boot to interactively query the user for settings such as the root
746 password and timezone.
747 fs-uuids
749 Change filesystem UUIDs.
750 On guests and filesystem types where this is supported, new random
752 UUIDs are generated and assigned to filesystems.
753 Notes on fs-uuids
755 The fs-uuids operation is disabled by default because it does not yet
757 find and update all the places in the guest that use the UUIDs. For
758 example "/etc/fstab" or the bootloader. Enabling this operation is
759 more likely than not to make your guest unbootable.
760 See: https://bugzilla.redhat.com/show_bug.cgi?id=991641
762 ipa-client *
764 Remove the IPA files.
765 Remove all the files related to an IPA (Identity, Policy, Audit)
767 system. This effectively unenrolls the guest from an IPA server
768 without interacting with it.
769 This operation does not run "ipa-client".
771 kerberos-data
773 Remove Kerberos data in the guest.
774 kerberos-hostkeytab *
776 Remove the Kerberos host keytab file in the guest.
777 logfiles *
779 Remove many log files from the guest.
780 On Linux the following files are removed:
782 · /etc/Pegasus/*.cnf
784 · /etc/Pegasus/*.crt
786 · /etc/Pegasus/*.csr
788 · /etc/Pegasus/*.pem
790 · /etc/Pegasus/*.srl
792 · /root/anaconda-ks.cfg
794 · /root/anaconda-post.log
796 · /root/initial-setup-ks.cfg
798 · /root/install.log
800 · /root/install.log.syslog
802 · /root/original-ks.cfg
804 · /var/cache/fontconfig/*
806 · /var/cache/gdm/*
808 · /var/cache/man/*
810 · /var/lib/AccountService/users/*
812 · /var/lib/fprint/*
814 · /var/lib/logrotate.status
816 · /var/log/*.log*
818 · /var/log/BackupPC/LOG
820 · /var/log/ConsoleKit/*
822 · /var/log/anaconda.syslog
824 · /var/log/anaconda/*
826 · /var/log/apache2/*_log
828 · /var/log/apache2/*_log-*
830 · /var/log/apt/*
832 · /var/log/aptitude*
834 · /var/log/audit/*
836 · /var/log/btmp*
838 · /var/log/ceph/*.log
840 · /var/log/chrony/*.log
842 · /var/log/cron*
844 · /var/log/cups/*_log*
846 · /var/log/debug*
848 · /var/log/dmesg*
850 · /var/log/exim4/*
852 · /var/log/faillog*
854 · /var/log/firewalld*
856 · /var/log/gdm/*
858 · /var/log/glusterfs/*glusterd.vol.log
860 · /var/log/glusterfs/glusterfs.log
862 · /var/log/grubby*
864 · /var/log/httpd/*log
866 · /var/log/installer/*
868 · /var/log/jetty/jetty-console.log
870 · /var/log/journal/*
872 · /var/log/lastlog*
874 · /var/log/libvirt/libvirtd.log
876 · /var/log/libvirt/libxl/*.log
878 · /var/log/libvirt/lxc/*.log
880 · /var/log/libvirt/qemu/*.log
882 · /var/log/libvirt/uml/*.log
884 · /var/log/lightdm/*
886 · /var/log/mail/*
888 · /var/log/maillog*
890 · /var/log/messages*
892 · /var/log/ntp
894 · /var/log/ntpstats/*
896 · /var/log/ppp/connect-errors
898 · /var/log/rhsm/*
900 · /var/log/sa/*
902 · /var/log/secure*
904 · /var/log/setroubleshoot/*.log
906 · /var/log/spooler*
908 · /var/log/squid/*.log
910 · /var/log/syslog*
912 · /var/log/tallylog*
914 · /var/log/tuned/tuned.log
916 · /var/log/wtmp*
918 · /var/log/xferlog*
920 · /var/named/data/named.run
922 lvm-uuids *
924 Change LVM2 PV and VG UUIDs.
925 On Linux guests that have LVM2 physical volumes (PVs) or volume groups
927 (VGs), new random UUIDs are generated and assigned to those PVs and
928 VGs.
929 machine-id *
931 Remove the local machine ID.
932 The machine ID is usually generated from a random source during system
934 installation and stays constant for all subsequent boots. Optionally,
935 for stateless systems it is generated during runtime at boot if it is
936 found to be empty.
937 mail-spool *
939 Remove email from the local mail spool directory.
940 net-hostname *
942 Remove HOSTNAME and DHCP_HOSTNAME in network interface configuration.
943 For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
945 files.
946 net-hwaddr *
948 Remove HWADDR (hard-coded MAC address) configuration.
949 For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
951 files.
952 pacct-log *
954 Remove the process accounting log files.
955 The system wide process accounting will store to the pacct log files if
957 the process accounting is on.
958 package-manager-cache *
960 Remove package manager cache.
961 pam-data *
963 Remove the PAM data in the guest.
964 passwd-backups *
966 Remove /etc/passwd- and similar backup files.
967 On Linux the following files are removed:
969 · /etc/group-
971 · /etc/gshadow-
973 · /etc/passwd-
975 · /etc/shadow-
977 · /etc/subgid-
979 · /etc/subuid-
981 puppet-data-log *
983 Remove the data and log files of puppet.
984 rh-subscription-manager *
986 Remove the RH subscription manager files.
987 rhn-systemid *
989 Remove the RHN system ID.
990 rpm-db *
992 Remove host-specific RPM database files.
993 Remove host-specific RPM database files and locks. RPM will recreate
995 these files automatically if needed.
996 samba-db-log *
998 Remove the database and log files of Samba.
999 script *
1001 Run arbitrary scripts against the guest.
1002 The "script" module lets you run arbitrary shell scripts or programs
1004 against the guest.
1005 Note this feature requires FUSE support. You may have to enable this
1007 in your host, for example by adding the current user to the "fuse"
1008 group, or by loading a kernel module.
1009 Use one or more --script parameters to specify scripts or programs that
1011 will be run against the guest.
1012 The script or program is run with its current directory being the
1014 guest’s root directory, so relative paths should be used. For example:
1015 "rm etc/resolv.conf" in the script would remove a Linux guest’s DNS
1016 configuration file, but "rm /etc/resolv.conf" would (try to) remove the
1017 host’s file.
1018 Normally a temporary mount point for the guest is used, but you can
1020 choose a specific one by using the --scriptdir parameter.
1021 Note: This is different from --firstboot scripts (which run in the
1023 context of the guest when it is booting first time). --script scripts
1024 run on the host, not in the guest.
1025 smolt-uuid *
1027 Remove the Smolt hardware UUID.
1028 ssh-hostkeys *
1030 Remove the SSH host keys in the guest.
1031 The SSH host keys are regenerated (differently) next time the guest is
1033 booted.
1034 If, after cloning, the guest gets the same IP address, ssh will give
1036 you a stark warning about the host key changing:
1037 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1039 @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
1040 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1041 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
1042 ssh-userdir *
1044 Remove ".ssh" directories in the guest.
1045 Remove the ".ssh" directory of user "root" and any other users who have
1047 a ".ssh" directory in their home directory.
1048 Notes on ssh-userdir
1050 Currently this only looks in "/root" and "/home/*" for home
1052 directories, so users with home directories in other locations won't
1053 have the ssh files removed.
1054 sssd-db-log *
1056 Remove the database and log files of sssd.
1057 tmp-files *
1059 Remove temporary files.
1060 This removes temporary files under "/tmp" and "/var/tmp".
1062 udev-persistent-net *
1064 Remove udev persistent net rules.
1065 Remove udev persistent net rules which map the guest’s existing MAC
1067 address to a fixed ethernet device (eg. eth0).
1068 After a guest is cloned, the MAC address usually changes. Since the
1070 old MAC address occupies the old name (eg. eth0), this means the fresh
1071 MAC address is assigned to a new name (eg. eth1) and this is usually
1072 undesirable. Erasing the udev persistent net rules avoids this.
1073 user-account
1075 Remove the user accounts in the guest.
1076 By default remove all the user accounts and their home directories.
1078 The "root" account is not removed.
1079 See the --remove-user-accounts parameter for a way to specify how to
1081 remove only some users, or to not remove some others.
1082 utmp *
1084 Remove the utmp file.
1085 This file records who is currently logged in on a machine. In modern
1087 Linux distros it is stored in a ramdisk and hence not part of the
1088 virtual machine’s disk, but it was stored on disk in older distros.
1089 yum-uuid *
1091 Remove the yum UUID.
1092 Yum creates a fresh UUID the next time it runs when it notices that the
1094 original UUID has been erased.
1095
1097 Virt-sysprep can be used as part of a process of cloning guests, or to
1098 prepare a template from which guests can be cloned. There are many
1099 different ways to achieve this using the virt tools, and this section
1100 is just an introduction.
1101 A virtual machine (when switched off) consists of two parts:
1103 configuration
1105 The configuration or description of the guest. eg. The libvirt XML
1106 (see "virsh dumpxml"), the running configuration of the guest, or
1107 another external format like OVF.
1108 Some configuration items that might need to be changed:
1110 • name
1112 • UUID
1114 • path to block device(s)
1116 • network card MAC address
1118 block device(s)
1120 One or more hard disk images, themselves containing files,
1121 directories, applications, kernels, configuration, etc.
1122 Some things inside the block devices that might need to be changed:
1124 • hostname and other net configuration
1126 • UUID
1128 • SSH host keys
1130 • Windows unique security ID (SID)
1132 • Puppet registration
1134 COPYING THE BLOCK DEVICE
1136 Starting with an original guest, you probably wish to copy the guest
1137 block device and its configuration to make a template. Then once you
1138 are happy with the template, you will want to make many clones from it.
1139 virt-sysprep
1141 |
1142 v
1143 original guest --------> template ---------->
1144 \------> cloned
1145 \-----> guests
1146 \---->
1147 You can, of course, just copy the block device on the host using cp(1)
1149 or dd(1).
1150 dd dd
1152 original guest --------> template ---------->
1153 \------> cloned
1154 \-----> guests
1155 \---->
1156 There are some smarter (and faster) ways too:
1158 snapshot
1160 template ---------->
1161 \------> cloned
1162 \-----> guests
1163 \---->
1164 You may want to run virt-sysprep twice, once to reset the guest (to
1166 make a template) and a second time to customize the guest for a
1167 specific user:
1168 virt-sysprep virt-sysprep
1170 (reset) (add user, keys, logos)
1171 | |
1172 dd v dd v
1173 original guest ----> template ---------> copied ------> custom
1174 template guest
1175 • Create a snapshot using qemu-img:
1177 qemu-img create -f qcow2 -o backing_file=original snapshot.qcow
1179 The advantage is that you don’t need to copy the original (very
1181 fast) and only changes are stored (less storage required).
1182 Note that writing to the backing file once you have created guests
1184 on top of it is not possible: you will corrupt the guests.
1185 • Create a snapshot using "lvcreate --snapshot".
1187 • Other ways to create snapshots include using filesystems-level
1189 tools (for filesystems such as btrfs).
1190 Most Network Attached Storage (NAS) devices can also create cheap
1192 snapshots from files or LUNs.
1193 • Get your NAS to duplicate the LUN. Most NAS devices can also
1195 duplicate LUNs very cheaply (they copy them on-demand in the
1196 background).
1197 • Prepare your template using virt-sparsify(1). See below.
1199 VIRT-CLONE
1201 A separate tool, virt-clone(1), can be used to duplicate the block
1202 device and/or modify the external libvirt configuration of a guest. It
1203 will reset the name, UUID and MAC address of the guest in the libvirt
1204 XML.
1205 virt-clone(1) does not use libguestfs and cannot look inside the disk
1207 image. This was the original motivation to write virt-sysprep.
1208 SPARSIFY
1210 virt-sparsify
1211 original guest --------> template
1212 virt-sparsify(1) can be used to make the cloning template smaller,
1214 making it easier to compress and/or faster to copy.
1215 Notice that since virt-sparsify also copies the image, you can use it
1217 to make the initial copy (instead of "dd").
1218 RESIZE
1220 virt-resize
1221 template ---------->
1222 \------> cloned
1223 \-----> guests
1224 \---->
1225 If you want to give people cloned guests, but let them pick the size of
1227 the guest themselves (eg. depending on how much they are prepared to
1228 pay for disk space), then instead of copying the template, you can run
1229 virt-resize(1). Virt-resize performs a copy and resize, and thus is
1230 ideal for cloning guests from a template.
1231
1233 The two options --firstboot and --script both supply shell scripts that
1234 are run against the guest. However these two options are significantly
1235 different.
1236 --firstboot script uploads the file "script" into the guest and
1238 arranges that it will run, in the guest, when the guest is next booted.
1239 (The script will only run once, at the "first boot").
1240 --script script runs the shell "script" on the host, with its current
1242 directory inside the guest filesystem.
1243 If you needed, for example, to "yum install" new packages, then you
1245 must not use --script for this, since that would (a) run the "yum"
1246 command on the host and (b) wouldn't have access to the same resources
1247 (repositories, keys, etc.) as the guest. Any command that needs to run
1248 on the guest must be run via --firstboot.
1249 On the other hand if you need to make adjustments to the guest
1251 filesystem (eg. copying in files), then --script is ideal since (a) it
1252 has access to the host filesystem and (b) you will get immediate
1253 feedback on errors.
1254 Either or both options can be used multiple times on the command line.
1256
1258 Although virt-sysprep removes some sensitive information from the
1259 guest, it does not pretend to remove all of it. You should examine the
1260 "OPERATIONS" above and the guest afterwards.
1261 Sensitive files are simply removed. The data they contained may still
1263 exist on the disk, easily recovered with a hex editor or undelete tool.
1264 The --scrub option can be used to scrub files instead of just deleting
1265 them. virt-sparsify(1) is another way to remove this content. See
1266 also the scrub(1) command to get rid of deleted content in directory
1267 entries and inodes.
1268 RANDOM SEED
1270 (This section applies to Linux guests only)
1271 For supported guests, virt-sysprep writes a few bytes of randomness
1273 from the host into the guest’s random seed file.
1274 If this is just done once and the guest is cloned from the same
1276 template, then each guest will start with the same entropy, and things
1277 like SSH host keys and TCP sequence numbers may be predictable.
1278 Therefore you should arrange to add more randomness after cloning from
1280 a template too, which can be done by enabling just the customize
1281 module:
1282 cp template.img newguest.img
1284 virt-sysprep --enable customize -a newguest.img
1285
1287 For guests which make use of SELinux, special handling for them might
1288 be needed when using operations which create new files or alter
1289 existing ones.
1290 For further details, see "SELINUX" in virt-builder(1).
1292
1294 Windows 8 "fast startup" can prevent virt-sysprep from working. See
1295 "WINDOWS HIBERNATION AND WINDOWS 8 FAST STARTUP" in guestfs(3).
1296
1298 This program returns 0 on success, or 1 if there was an error.
1299
1301 "VIRT_TOOLS_DATA_DIR"
1302 This can point to the directory containing data files used for
1303 Windows firstboot installation.
1304 Normally you do not need to set this. If not set, a compiled-in
1306 default will be used (something like /usr/share/virt-tools).
1307 This directory may contain the following files:
1309 rhsrvany.exe
1311 This is the RHSrvAny Windows binary, used to install a
1312 "firstboot" script in Windows guests. It is required if you
1313 intend to use the --firstboot or --firstboot-command options
1314 with Windows guests.
1315 See also: "https://github.com/rwmjones/rhsrvany"
1317 pvvxsvc.exe
1319 This is a Windows binary shipped with SUSE VMDP, used to
1320 install a "firstboot" script in Windows guests. It is required
1321 if you intend to use the --firstboot or --firstboot-command
1322 options with Windows guests.
1323 For other environment variables, see "ENVIRONMENT VARIABLES" in
1325 guestfs(3).
1326
1328 guestfs(3), guestfish(1), virt-builder(1), virt-clone(1),
1329 virt-customize(1), virt-rescue(1), virt-resize(1), virt-sparsify(1),
1330 virsh(1), lvcreate(8), qemu-img(1), scrub(1), http://libguestfs.org/,
1331 http://libvirt.org/.
1332
1334 Richard W.M. Jones http://people.redhat.com/~rjones/
1335 Wanlong Gao, Fujitsu Ltd.
1337
1339 Copyright (C) 2011-2020 Red Hat Inc.
1340 Copyright (C) 2012 Fujitsu Ltd.
1342
1344 This program is free software; you can redistribute it and/or modify it
1345 under the terms of the GNU General Public License as published by the
1346 Free Software Foundation; either version 2 of the License, or (at your
1347 option) any later version.
1348 This program is distributed in the hope that it will be useful, but
1350 WITHOUT ANY WARRANTY; without even the implied warranty of
1351 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
1352 General Public License for more details.
1353 You should have received a copy of the GNU General Public License along
1355 with this program; if not, write to the Free Software Foundation, Inc.,
1356 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
1357
1359 To get a list of bugs against libguestfs, use this link:
1360 https://bugzilla.redhat.com/buglist.cgi?component=libguestfs&product=Virtualization+Tools
1361 To report a new bug against libguestfs, use this link:
1363 https://bugzilla.redhat.com/enter_bug.cgi?component=libguestfs&product=Virtualization+Tools
1364 When reporting a bug, please supply:
1366 • The version of libguestfs.
1368 • Where you got libguestfs (eg. which Linux distro, compiled from
1370 source, etc)
1371 • Describe the bug accurately and give a way to reproduce it.
1373 • Run libguestfs-test-tool(1) and paste the complete, unedited output
1375 into the bug report.
1376guestfs-tools-1.46.1 2021-05-13 virt-sysprep(1)