1virt-sysprep(1) Virtualization Support virt-sysprep(1)
2
6 virt-sysprep - Reset, unconfigure or customize a virtual machine so
7 clones can be made
8
10 virt-sysprep [--options] -d domname
11 virt-sysprep [--options] -a disk.img [-a disk.img ...]
13
15 Using "virt-sysprep" on live virtual machines, or concurrently with
16 other disk editing tools, can be dangerous, potentially causing disk
17 corruption. The virtual machine must be shut down before you use this
18 command, and disk images must not be edited concurrently.
19
21 Virt-sysprep can reset or unconfigure a virtual machine so that clones
22 can be made from it. Steps in this process include removing SSH host
23 keys, removing persistent network MAC configuration, and removing user
24 accounts. Virt-sysprep can also customize a virtual machine, for
25 instance by adding SSH keys, users or logos. Each step can be enabled
26 or disabled as required.
27 Virt-sysprep modifies the guest or disk image in place. The guest must
29 be shut down. If you want to preserve the existing contents of the
30 guest, you must snapshot, copy or clone the disk first. See "COPYING
31 AND CLONING" below.
32 You do not need to run virt-sysprep as root. In fact we'd generally
34 recommend that you don't. The time you might want to run it as root is
35 when you need root in order to access the disk image, but even in this
36 case it would be better to change the permissions on the disk image to
37 be writable as the non-root user running virt-sysprep.
38 "Sysprep" stands for "system preparation" tool. The name comes from
40 the Microsoft program sysprep.exe which is used to unconfigure Windows
41 machines in preparation for cloning them. Having said that, virt-
42 sysprep does not currently work on Microsoft Windows guests. We plan
43 to support Windows sysprepping in a future version, and we already have
44 code to do it.
45
47 --help
48 Display brief help.
49 -a file
51 --add file
52 Add file which should be a disk image from a virtual machine.
53 The format of the disk image is auto-detected. To override this
55 and force a particular format use the --format option.
56 -a URI
58 --add URI
59 Add a remote disk. The URI format is compatible with guestfish.
60 See "ADDING REMOTE STORAGE" in guestfish(1).
61 --colors
63 --colours
64 Use ANSI colour sequences to colourize messages. This is the
65 default when the output is a tty. If the output of the program is
66 redirected to a file, ANSI colour sequences are disabled unless you
67 use this option.
68 -c URI
70 --connect URI
71 If using libvirt, connect to the given URI. If omitted, then we
72 connect to the default libvirt hypervisor.
73 If you specify guest block devices directly (-a), then libvirt is
75 not used at all.
76 -d guest
78 --domain guest
79 Add all the disks from the named libvirt guest. Domain UUIDs can
80 be used instead of names.
81 -n
83 --dry-run
84 Perform a read-only "dry run" on the guest. This runs the sysprep
85 operation, but throws away any changes to the disk at the end.
86 --enable operations
88 Choose which sysprep operations to perform. Give a comma-separated
89 list of operations, for example:
90 --enable ssh-hostkeys,udev-persistent-net
92 would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
94 operations.
95 If the --enable option is not given, then we default to trying most
97 sysprep operations (see --list-operations to show which are
98 enabled).
99 Regardless of the --enable option, sysprep operations are skipped
101 for some guest types.
102 Use --list-operations to list operations supported by a particular
104 version of virt-sysprep.
105 See "OPERATIONS" below for a list and an explanation of each
107 operation.
108 --operation operations
110 --operations operations
111 Choose which sysprep operations to perform. Give a comma-separated
112 list of operations, for example:
113 --operations ssh-hostkeys,udev-persistent-net
115 would enable ONLY "ssh-hostkeys" and "udev-persistent-net"
117 operations.
118 --operations allows you to enable and disable any operation,
120 including the default ones (which would be tried when specifying
121 neither --operations nor --enable) and all the available ones;
122 prepending a "-" in front of an operation name removes it from the
123 list of enabled operations, while the meta-names "defaults" and
124 "all" represent respectively the operations enabled by default and
125 all the available ones. For example:
126 --operations firewall-rules,defaults,-tmp-files
128 would enable the "firewall-rules" operation (regardless whether it
130 is enabled by default), all the default ones, and disable the
131 "tmp-files" operation.
132 --operations can be specified multiple times; the first time the
134 set of enabled operations is empty, while any further --operations
135 affects the operations enabled so far.
136 If the --operations option is not given, then we default to trying
138 most sysprep operations (see --list-operations to show which are
139 enabled).
140 Regardless of the --operations option, sysprep operations are
142 skipped for some guest types.
143 Use --list-operations to list operations supported by a particular
145 version of virt-sysprep.
146 See "OPERATIONS" below for a list and an explanation of each
148 operation.
149 --echo-keys
151 When prompting for keys and passphrases, virt-sysprep normally
152 turns echoing off so you cannot see what you are typing. If you
153 are not worried about Tempest attacks and there is no one else in
154 the room you can specify this flag to see what you are typing.
155 --format raw|qcow2|..
157 --format auto
158 The default for the -a option is to auto-detect the format of the
159 disk image. Using this forces the disk format for -a options which
160 follow on the command line. Using --format auto switches back to
161 auto-detection for subsequent -a options.
162 For example:
164 virt-sysprep --format raw -a disk.img
166 forces raw format (no auto-detection) for disk.img.
168 virt-sysprep --format raw -a disk.img --format auto -a another.img
170 forces raw format (no auto-detection) for disk.img and reverts to
172 auto-detection for another.img.
173 If you have untrusted raw-format guest disk images, you should use
175 this option to specify the disk format. This avoids a possible
176 security problem with malicious guests (CVE-2010-3851).
177 --key SELECTOR
179 Specify a key for LUKS, to automatically open a LUKS device when
180 using the inspection.
181 --key NAME:key:KEY_STRING
183 --key UUID:key:KEY_STRING
184 --key all:key:KEY_STRING
185 "NAME" is the libguestfs device name (eg. "/dev/sda1"). "UUID"
186 is the device UUID. "all" means try the key against any
187 encrypted device.
188 Use the specified "KEY_STRING" as passphrase.
190 --key NAME:file:FILENAME
192 --key UUID:file:FILENAME
193 --key all:file:FILENAME
194 Read the passphrase from FILENAME.
195 --key NAME:clevis
197 --key UUID:clevis
198 --key all:clevis
199 Attempt passphrase-less unlocking for the device with Clevis,
200 over the network. Please refer to "ENCRYPTED DISKS" in
201 guestfs(3) for more information on network-bound disk
202 encryption (NBDE).
203 Note that if any such option is present on the command line,
205 QEMU user networking will be automatically enabled for the
206 libguestfs appliance.
207 --keys-from-stdin
209 Read key or passphrase parameters from stdin. The default is to
210 try to read passphrases from the user by opening /dev/tty.
211 If there are multiple encrypted devices then you may need to supply
213 multiple keys on stdin, one per line.
214 --list-operations
216 List the operations supported by the virt-sysprep program.
217 These are listed one per line, with one or more single-space-
219 separated fields, eg:
220 $ virt-sysprep --list-operations
222 bash-history * Remove the bash history in the guest
223 cron-spool * Remove user at-jobs and cron-jobs
224 dhcp-client-state * Remove DHCP client leases
225 dhcp-server-state * Remove DHCP server leases
226 [etc]
227 The first field is the operation name, which can be supplied to
229 --enable. The second field is a "*" character if the operation is
230 enabled by default or blank if not. Subsequent fields on the same
231 line are the description of the operation.
232 Before libguestfs 1.17.33 only the first (operation name) field was
234 shown and all operations were enabled by default.
235 --mount-options mp:opts[;mp:opts;...]
237 Set the mount options used when libguestfs opens the disk image.
238 Note this has no effect on the guest. It is used when opening
239 certain guests such as ones using the UFS (BSD) filesystem.
240 Use a semicolon-separated list of "mountpoint:options" pairs. You
242 may need to quote this list to protect it from the shell.
243 For example:
245 --mount-options "/:noatime"
247 will mount the root directory with "notime". This example:
249 --mount-options "/:noatime;/var:rw,nodiratime"
251 will do the same, plus mount /var with "rw,nodiratime".
253 -q
255 --quiet
256 Don’t print log messages.
257 To enable detailed logging of individual file operations, use -x.
259 --network
261 --no-network
262 Enable or disable network access from the guest during the
263 installation.
264 In virt-sysprep, the network is disabled by default. You must use
266 --network to enable it, in order that options such as --install or
267 --update will work.
268 virt-builder(1) has more information about the security advantages
270 of disabling the network.
271 -v
273 --verbose
274 Enable verbose messages for debugging.
275 -V
277 --version
278 Display version number and exit.
279 --wrap
281 Wrap error, warning, and informative messages. This is the default
282 when the output is a tty. If the output of the program is
283 redirected to a file, wrapping is disabled unless you use this
284 option.
285 -x Enable tracing of libguestfs API calls.
287 --append-line FILE:LINE (see "customize" below)
289 Append a single line of text to the "FILE". If the file does not
290 already end with a newline, then one is added before the appended
291 line. Also a newline is added to the end of the "LINE" string
292 automatically.
293 For example (assuming ordinary shell quoting) this command:
295 --append-line '/etc/hosts:10.0.0.1 foo'
297 will add either "10.0.0.1 foo⏎" or "⏎10.0.0.1 foo⏎" to the file,
299 the latter only if the existing file does not already end with a
300 newline.
301 "⏎" represents a newline character, which is guessed by looking at
303 the existing content of the file, so this command does the right
304 thing for files using Unix or Windows line endings. It also works
305 for empty or non-existent files.
306 To insert several lines, use the same option several times:
308 --append-line '/etc/hosts:10.0.0.1 foo'
310 --append-line '/etc/hosts:10.0.0.2 bar'
311 To insert a blank line before the appended line, do:
313 --append-line '/etc/hosts:'
315 --append-line '/etc/hosts:10.0.0.1 foo'
316 --chmod PERMISSIONS:FILE (see "customize" below)
318 Change the permissions of "FILE" to "PERMISSIONS".
319 Note: "PERMISSIONS" by default would be decimal, unless you prefix
321 it with 0 to get octal, ie. use 0700 not 700.
322 --chown UID:GID:PATH (see "customize" below)
324 Change the owner user and group ID of a file or directory in the
325 guest. Note:
326 • Only numeric UIDs and GIDs will work, and these may not be the
328 same inside the guest as on the host.
329 • This will not work with Windows guests.
331 For example:
333 virt-customize --chown '0:0:/var/log/audit.log'
335 See also: --upload.
337 --commands-from-file FILENAME (see "customize" below)
339 Read the customize commands from a file, one (and its arguments)
340 each line.
341 Each line contains a single customization command and its
343 arguments, for example:
344 delete /some/file
346 install some-package
347 password some-user:password:its-new-password
348 Empty lines are ignored, and lines starting with "#" are comments
350 and are ignored as well. Furthermore, arguments can be spread
351 across multiple lines, by adding a "\" (continuation character) at
352 the of a line, for example
353 edit /some/file:\
355 s/^OPT=.*/OPT=ok/
356 The commands are handled in the same order as they are in the file,
358 as if they were specified as --delete /some/file on the command
359 line.
360 --copy SOURCE:DEST (see "customize" below)
362 Copy files or directories recursively inside the guest.
363 Wildcards cannot be used.
365 --copy-in LOCALPATH:REMOTEDIR (see "customize" below)
367 Copy local files or directories recursively into the disk image,
368 placing them in the directory "REMOTEDIR" (which must exist).
369 Wildcards cannot be used.
371 --delete PATH (see "customize" below)
373 Delete a file from the guest. Or delete a directory (and all its
374 contents, recursively).
375 You can use shell glob characters in the specified path. Be
377 careful to escape glob characters from the host shell, if that is
378 required. For example:
379 virt-customize --delete '/var/log/*.log'.
381 See also: --upload, --scrub.
383 --edit FILE:EXPR (see "customize" below)
385 Edit "FILE" using the Perl expression "EXPR".
386 Be careful to properly quote the expression to prevent it from
388 being altered by the shell.
389 Note that this option is only available when Perl 5 is installed.
391 See "NON-INTERACTIVE EDITING" in virt-edit(1).
393 --firstboot SCRIPT (see "customize" below)
395 Install "SCRIPT" inside the guest, so that when the guest first
396 boots up, the script runs (as root, late in the boot process).
397 The script is automatically chmod +x after installation in the
399 guest.
400 The alternative version --firstboot-command is the same, but it
402 conveniently wraps the command up in a single line script for you.
403 You can have multiple --firstboot options. They run in the same
405 order that they appear on the command line.
406 Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
408 more information and caveats about the first boot scripts.
409 See also --run.
411 --firstboot-command 'CMD+ARGS' (see "customize" below)
413 Run command (and arguments) inside the guest when the guest first
414 boots up (as root, late in the boot process).
415 You can have multiple --firstboot options. They run in the same
417 order that they appear on the command line.
418 Please take a look at "FIRST BOOT SCRIPTS" in virt-builder(1) for
420 more information and caveats about the first boot scripts.
421 See also --run.
423 --firstboot-install PKG,PKG.. (see "customize" below)
425 Install the named packages (a comma-separated list). These are
426 installed when the guest first boots using the guest’s package
427 manager (eg. apt, yum, etc.) and the guest’s network connection.
428 For an overview on the different ways to install packages, see
430 "INSTALLING PACKAGES" in virt-builder(1).
431 --hostname HOSTNAME (see "customize" below)
433 Set the hostname of the guest to "HOSTNAME". You can use a dotted
434 hostname.domainname (FQDN) if you want.
435 --inject-qemu-ga METHOD (see "customize" below)
437 Inject the QEMU Guest Agent into a Windows guest. The guest agent
438 communicates with qemu through a socket in order to provide
439 enhanced features (see qemu-ga(8)). This operation also injects a
440 firstboot script so that the Guest Agent is installed when the
441 guest boots.
442 The parameter is the same as used by the --inject-virtio-win
444 operation.
445 Note that to do a full conversion of a Windows guest from a foreign
447 hypervisor like VMware (which involves many other operations) you
448 should use the virt-v2v(1) tool instead of this.
449 --inject-virtio-win METHOD (see "customize" below)
451 Inject virtio-win drivers into a Windows guest. These drivers add
452 virtio accelerated drivers suitable when running on top of a
453 hypervisor that supports virtio (such as qemu/KVM). The operation
454 also adjusts the Windows Registry so that the drivers are installed
455 when the guest boots.
456 The parameter can be one of:
458 ISO The path to the ISO image containing the virtio-win drivers
460 (eg. /usr/share/virtio-win/virtio-win.iso).
461 DIR The directory containing the unpacked virtio-win drivers (eg.
463 /usr/share/virtio-win).
464 "osinfo"
466 The literal string "osinfo" means to use the libosinfo database
467 to locate the drivers. (See osinfo-query(1).
468 Note that to do a full conversion of a Windows guest from a foreign
470 hypervisor like VMware (which involves many other operations) you
471 should use the virt-v2v(1) tool instead of this.
472 --install PKG,PKG.. (see "customize" below)
474 Install the named packages (a comma-separated list). These are
475 installed during the image build using the guest’s package manager
476 (eg. apt, yum, etc.) and the host’s network connection.
477 For an overview on the different ways to install packages, see
479 "INSTALLING PACKAGES" in virt-builder(1).
480 See also --update, --uninstall.
482 --keep-user-accounts USERS (see "user-account" below)
484 The user accounts to be kept in the guest. The value of this
485 option is a list of user names separated by comma, where specifying
486 an user means it is going to be kept. For example:
487 --keep-user-accounts mary
489 would keep the user account "mary".
491 This option can be specified multiple times.
493 --link TARGET:LINK[:LINK..] (see "customize" below)
495 Create symbolic link(s) in the guest, starting at "LINK" and
496 pointing at "TARGET".
497 --mkdir DIR (see "customize" below)
499 Create a directory in the guest.
500 This uses "mkdir -p" so any intermediate directories are created,
502 and it also works if the directory already exists.
503 --move SOURCE:DEST (see "customize" below)
505 Move files or directories inside the guest.
506 Wildcards cannot be used.
508 --no-logfile (see "customize" below)
510 Scrub "builder.log" (log file from build commands) from the image
511 after building is complete. If you don't want to reveal precisely
512 how the image was built, use this option.
513 See also: "LOG FILE".
515 --no-selinux-relabel (see "customize" below)
517 Do not attempt to correct the SELinux labels of files in the guest.
518 In such guests that support SELinux, customization automatically
520 relabels files so that they have the correct SELinux label. (The
521 relabeling is performed immediately, but if the operation fails,
522 customization will instead touch /.autorelabel on the image to
523 schedule a relabel operation for the next time the image boots.)
524 This option disables the automatic relabeling.
525 The option is a no-op for guests that do not support SELinux.
527 --password USER:SELECTOR (see "customize" below)
529 Set the password for "USER". (Note this option does not create the
530 user account).
531 See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
533 "SELECTOR" field, and also how to set up user accounts.
534 --password-crypto md5|sha256|sha512 (see "customize" below)
536 When the virt tools change or set a password in the guest, this
537 option sets the password encryption of that password to "md5",
538 "sha256" or "sha512".
539 "sha256" and "sha512" require glibc ≥ 2.7 (check crypt(3) inside
541 the guest).
542 "md5" will work with relatively old Linux guests (eg. RHEL 3), but
544 is not secure against modern attacks.
545 The default is "sha512" unless libguestfs detects an old guest that
547 didn't have support for SHA-512, in which case it will use "md5".
548 You can override libguestfs by specifying this option.
549 Note this does not change the default password encryption used by
551 the guest when you create new user accounts inside the guest. If
552 you want to do that, then you should use the --edit option to
553 modify "/etc/sysconfig/authconfig" (Fedora, RHEL) or
554 "/etc/pam.d/common-password" (Debian, Ubuntu).
555 --remove-user-accounts USERS (see "user-account" below)
557 The user accounts to be removed from the guest. The value of this
558 option is a list of user names separated by comma, where specifying
559 an user means it is going to be removed. For example:
560 --remove-user-accounts bob,eve
562 would only remove the user accounts "bob" and "eve".
564 This option can be specified multiple times.
566 --root-password SELECTOR (see "customize" below)
568 Set the root password.
569 See "USERS AND PASSWORDS" in virt-builder(1) for the format of the
571 "SELECTOR" field, and also how to set up user accounts.
572 Note: In virt-builder, if you don't set --root-password then the
574 guest is given a random root password.
575 --run SCRIPT (see "customize" below)
577 Run the shell script (or any program) called "SCRIPT" on the disk
578 image. The script runs virtualized inside a small appliance,
579 chrooted into the guest filesystem.
580 The script is automatically chmod +x.
582 If libguestfs supports it then a limited network connection is
584 available but it only allows outgoing network connections. You can
585 also attach data disks (eg. ISO files) as another way to provide
586 data (eg. software packages) to the script without needing a
587 network connection (--attach). You can also upload data files
588 (--upload).
589 You can have multiple --run options. They run in the same order
591 that they appear on the command line.
592 See also: --firstboot, --attach, --upload.
594 --run-command 'CMD+ARGS' (see "customize" below)
596 Run the command and arguments on the disk image. The command runs
597 virtualized inside a small appliance, chrooted into the guest
598 filesystem.
599 If libguestfs supports it then a limited network connection is
601 available but it only allows outgoing network connections. You can
602 also attach data disks (eg. ISO files) as another way to provide
603 data (eg. software packages) to the script without needing a
604 network connection (--attach). You can also upload data files
605 (--upload).
606 You can have multiple --run-command options. They run in the same
608 order that they appear on the command line.
609 See also: --firstboot, --attach, --upload.
611 --script SCRIPT (see "script" below)
613 Run the named "SCRIPT" (a shell script or program) against the
614 guest. The script can be any program on the host. The script’s
615 current directory will be the guest’s root directory.
616 Note: If the script is not on the $PATH, then you must give the
618 full absolute path to the script.
619 --scriptdir SCRIPTDIR (see "script" below)
621 The mount point (an empty directory on the host) used when the
622 "script" operation is enabled and one or more scripts are specified
623 using --script parameter(s).
624 Note: "SCRIPTDIR" must be an absolute path.
626 If --scriptdir is not specified then a temporary mountpoint will be
628 created.
629 --scrub FILE (see "customize" below)
631 Scrub a file from the guest. This is like --delete except that:
632 • It scrubs the data so a guest could not recover it.
634 • It cannot delete directories, only regular files.
636 --selinux-relabel (see "customize" below)
638 This is a compatibility option that does nothing.
639 --sm-attach SELECTOR (see "customize" below)
641 Attach to a pool using "subscription-manager".
642 See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
644 "SELECTOR" field.
645 --sm-credentials SELECTOR (see "customize" below)
647 Set the credentials for "subscription-manager".
648 See "SUBSCRIPTION-MANAGER" in virt-builder(1) for the format of the
650 "SELECTOR" field.
651 --sm-register (see "customize" below)
653 Register the guest using "subscription-manager".
654 This requires credentials being set using --sm-credentials.
656 --sm-remove (see "customize" below)
658 Remove all the subscriptions from the guest using
659 "subscription-manager".
660 --sm-unregister (see "customize" below)
662 Unregister the guest using "subscription-manager".
663 --ssh-inject USER[:SELECTOR] (see "customize" below)
665 Inject an ssh key so the given "USER" will be able to log in over
666 ssh without supplying a password. The "USER" must exist already in
667 the guest.
668 See "SSH KEYS" in virt-builder(1) for the format of the "SELECTOR"
670 field.
671 You can have multiple --ssh-inject options, for different users and
673 also for more keys for each user.
674 --tar-in TARFILE:REMOTEDIR (see "customize" below)
676 Copy local files or directories from a local tar file called
677 "TARFILE" into the disk image, placing them in the directory
678 "REMOTEDIR" (which must exist). Note that the tar file must be
679 uncompressed (.tar.gz files will not work here)
680 --timezone TIMEZONE (see "customize" below)
682 Set the default timezone of the guest to "TIMEZONE". Use a
683 location string like "Europe/London"
684 --touch FILE (see "customize" below)
686 This command performs a touch(1)-like operation on "FILE".
687 --truncate FILE (see "customize" below)
689 This command truncates "FILE" to a zero-length file. The file must
690 exist already.
691 --truncate-recursive PATH (see "customize" below)
693 This command recursively truncates all files under "PATH" to zero-
694 length.
695 --uninstall PKG,PKG.. (see "customize" below)
697 Uninstall the named packages (a comma-separated list). These are
698 removed during the image build using the guest’s package manager
699 (eg. apt, yum, etc.). Dependent packages may also need to be
700 uninstalled to satisfy the request.
701 See also --install, --update.
703 --update (see "customize" below)
705 Do the equivalent of "yum update", "apt-get upgrade", or whatever
706 command is required to update the packages already installed in the
707 template to their latest versions.
708 See also --install, --uninstall.
710 --upload FILE:DEST (see "customize" below)
712 Upload local file "FILE" to destination "DEST" in the disk image.
713 File owner and permissions from the original are preserved, so you
714 should set them to what you want them to be in the disk image.
715 "DEST" could be the final filename. This can be used to rename the
717 file on upload.
718 If "DEST" is a directory name (which must already exist in the
720 guest) then the file is uploaded into that directory, and it keeps
721 the same name as on the local filesystem.
722 See also: --mkdir, --delete, --scrub.
724 --write FILE:CONTENT (see "customize" below)
726 Write "CONTENT" to "FILE".
727
729 If the --enable/--operations option is not given, then most sysprep
730 operations are enabled.
731 Use "virt-sysprep --list-operations" to list all operations for your
733 virt-sysprep binary. The ones which are enabled by default are marked
734 with a "*" character. Regardless of the --enable/--operations options,
735 sysprep operations are skipped for some guest types.
736 Operations can be individually enabled using the --enable/--operations
738 options. Use a comma-separated list, for example:
739 virt-sysprep --operations ssh-hostkeys,udev-persistent-net [etc..]
741 Future versions of virt-sysprep may add more operations. If you are
743 using virt-sysprep and want predictable behaviour, specify only the
744 operations that you want to have enabled.
745 "*" = enabled by default when no --enable/--operations option is given.
747 abrt-data *
749 Remove the crash data generated by ABRT.
750 Remove the automatically generated ABRT crash data in
752 "/var/spool/abrt/".
753 backup-files *
755 Remove editor backup files from the guest.
756 The following files are removed from anywhere in the guest filesystem:
758 · *.bak
760 · *~
762 On Linux and Unix operating systems, only the following filesystems
764 will be examined:
765 · /etc
767 · /root
769 · /srv
771 · /tmp
773 · /var
775 bash-history *
777 Remove the bash history in the guest.
778 Remove the bash history of user "root" and any other users who have a
780 ".bash_history" file in their home directory.
781 Notes on bash-history
783 Currently this only looks in "/root" and "/home/*" for home
785 directories, so users with home directories in other locations won't
786 have the bash history removed.
787 blkid-tab *
789 Remove blkid tab in the guest.
790 ca-certificates
792 Remove CA certificates in the guest.
793 In case any certificate is removed, the system CA store is updated.
795 crash-data *
797 Remove the crash data generated by kexec-tools.
798 Remove the automatically generated kdump kernel crash data.
800 cron-spool *
802 Remove user at-jobs and cron-jobs.
803 customize *
805 Customize the guest.
806 Customize the guest by providing virt-customize(1) options for
808 installing packages, editing files and so on.
809 dhcp-client-state *
811 Remove DHCP client leases.
812 dhcp-server-state *
814 Remove DHCP server leases.
815 dovecot-data *
817 Remove Dovecot (mail server) data.
818 firewall-rules
820 Remove the firewall rules.
821 This removes custom firewall rules by removing
823 "/etc/sysconfig/iptables" or custom firewalld configuration in
824 "/etc/firewalld/*/*".
825 Note this is not enabled by default since it may expose guests to
827 exploits. Use with care.
828 flag-reconfiguration
830 Flag the system for reconfiguration.
831 For Linux guests, this touches "/.unconfigured", which causes the first
833 boot to interactively query the user for settings such as the root
834 password and timezone.
835 fs-uuids
837 Change filesystem UUIDs.
838 On guests and filesystem types where this is supported, new random
840 UUIDs are generated and assigned to filesystems.
841 Notes on fs-uuids
843 The fs-uuids operation is disabled by default because it does not yet
845 find and update all the places in the guest that use the UUIDs. For
846 example "/etc/fstab" or the bootloader. Enabling this operation is
847 more likely than not to make your guest unbootable.
848 See: https://bugzilla.redhat.com/show_bug.cgi?id=991641
850 ipa-client *
852 Remove the IPA files.
853 Remove all the files related to an IPA (Identity, Policy, Audit)
855 system. This effectively unenrolls the guest from an IPA server
856 without interacting with it.
857 This operation does not run "ipa-client".
859 kerberos-data
861 Remove Kerberos data in the guest.
862 kerberos-hostkeytab *
864 Remove the Kerberos host keytab file in the guest.
865 logfiles *
867 Remove many log files from the guest.
868 On Linux the following files are removed:
870 · /etc/Pegasus/*.cnf
872 · /etc/Pegasus/*.crt
874 · /etc/Pegasus/*.csr
876 · /etc/Pegasus/*.pem
878 · /etc/Pegasus/*.srl
880 · /root/anaconda-ks.cfg
882 · /root/anaconda-post.log
884 · /root/initial-setup-ks.cfg
886 · /root/install.log
888 · /root/install.log.syslog
890 · /root/original-ks.cfg
892 · /var/cache/fontconfig/*
894 · /var/cache/gdm/*
896 · /var/cache/man/*
898 · /var/lib/AccountService/users/*
900 · /var/lib/fprint/*
902 · /var/lib/logrotate.status
904 · /var/log/*.log*
906 · /var/log/BackupPC/LOG
908 · /var/log/ConsoleKit/*
910 · /var/log/anaconda.syslog
912 · /var/log/anaconda/*
914 · /var/log/apache2/*_log
916 · /var/log/apache2/*_log-*
918 · /var/log/apt/*
920 · /var/log/aptitude*
922 · /var/log/audit/*
924 · /var/log/btmp*
926 · /var/log/ceph/*.log
928 · /var/log/chrony/*.log
930 · /var/log/cron*
932 · /var/log/cups/*_log*
934 · /var/log/debug*
936 · /var/log/dmesg*
938 · /var/log/exim4/*
940 · /var/log/faillog*
942 · /var/log/firewalld*
944 · /var/log/gdm/*
946 · /var/log/glusterfs/*glusterd.vol.log
948 · /var/log/glusterfs/glusterfs.log
950 · /var/log/grubby*
952 · /var/log/httpd/*log
954 · /var/log/installer/*
956 · /var/log/jetty/jetty-console.log
958 · /var/log/journal/*
960 · /var/log/lastlog*
962 · /var/log/libvirt/libvirtd.log
964 · /var/log/libvirt/libxl/*.log
966 · /var/log/libvirt/lxc/*.log
968 · /var/log/libvirt/qemu/*.log
970 · /var/log/libvirt/uml/*.log
972 · /var/log/lightdm/*
974 · /var/log/mail/*
976 · /var/log/maillog*
978 · /var/log/messages*
980 · /var/log/ntp
982 · /var/log/ntpstats/*
984 · /var/log/ppp/connect-errors
986 · /var/log/rhsm/*
988 · /var/log/sa/*
990 · /var/log/secure*
992 · /var/log/setroubleshoot/*.log
994 · /var/log/spooler*
996 · /var/log/squid/*.log
998 · /var/log/syslog*
1000 · /var/log/tallylog*
1002 · /var/log/tuned/tuned.log
1004 · /var/log/wtmp*
1006 · /var/log/xferlog*
1008 · /var/named/data/named.run
1010 lvm-system-devices *
1012 Remove LVM2 system.devices file.
1013 On Linux guests, LVM2's scanning for physical volumes (PVs) may be
1015 restricted to those block devices whose WWIDs are listed in
1016 "/etc/lvm/devices/system.devices". When cloning VMs, WWIDs may change,
1017 breaking "lvm pvscan". Remove "/etc/lvm/devices/system.devices".
1018 lvm-uuids *
1020 Change LVM2 PV and VG UUIDs.
1021 On Linux guests that have LVM2 physical volumes (PVs) or volume groups
1023 (VGs), new random UUIDs are generated and assigned to those PVs and
1024 VGs.
1025 machine-id *
1027 Remove the local machine ID.
1028 The machine ID is usually generated from a random source during system
1030 installation and stays constant for all subsequent boots. Optionally,
1031 for stateless systems it is generated during runtime at boot if it is
1032 found to be empty.
1033 mail-spool *
1035 Remove email from the local mail spool directory.
1036 net-hostname *
1038 Remove HOSTNAME and DHCP_HOSTNAME in network interface configuration.
1039 For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
1041 files.
1042 net-hwaddr *
1044 Remove HWADDR (hard-coded MAC address) configuration.
1045 For Fedora and Red Hat Enterprise Linux, this is removed from "ifcfg-*"
1047 files.
1048 net-nmconn *
1050 Remove system-local NetworkManager connection profiles (keyfiles).
1051 On Fedora and Red Hat Enterprise Linux, remove the
1053 "/etc/NetworkManager/system-connections/*.nmconnection" files.
1054 pacct-log *
1056 Remove the process accounting log files.
1057 The system wide process accounting will store to the pacct log files if
1059 the process accounting is on.
1060 package-manager-cache *
1062 Remove package manager cache.
1063 pam-data *
1065 Remove the PAM data in the guest.
1066 passwd-backups *
1068 Remove /etc/passwd- and similar backup files.
1069 On Linux the following files are removed:
1071 · /etc/group-
1073 · /etc/gshadow-
1075 · /etc/passwd-
1077 · /etc/shadow-
1079 · /etc/subgid-
1081 · /etc/subuid-
1083 puppet-data-log *
1085 Remove the data and log files of puppet.
1086 rh-subscription-manager *
1088 Remove the RH subscription manager files.
1089 rhn-systemid *
1091 Remove the RHN system ID.
1092 rpm-db *
1094 Remove host-specific RPM database files.
1095 Remove host-specific RPM database files and locks. RPM will recreate
1097 these files automatically if needed.
1098 samba-db-log *
1100 Remove the database and log files of Samba.
1101 script *
1103 Run arbitrary scripts against the guest.
1104 The "script" module lets you run arbitrary shell scripts or programs
1106 against the guest.
1107 Note this feature requires FUSE support. You may have to enable this
1109 in your host, for example by adding the current user to the "fuse"
1110 group, or by loading a kernel module.
1111 Use one or more --script parameters to specify scripts or programs that
1113 will be run against the guest.
1114 The script or program is run with its current directory being the
1116 guest’s root directory, so relative paths should be used. For example:
1117 "rm etc/resolv.conf" in the script would remove a Linux guest’s DNS
1118 configuration file, but "rm /etc/resolv.conf" would (try to) remove the
1119 host’s file.
1120 Normally a temporary mount point for the guest is used, but you can
1122 choose a specific one by using the --scriptdir parameter.
1123 Note: This is different from --firstboot scripts (which run in the
1125 context of the guest when it is booting first time). --script scripts
1126 run on the host, not in the guest.
1127 smolt-uuid *
1129 Remove the Smolt hardware UUID.
1130 ssh-hostkeys *
1132 Remove the SSH host keys in the guest.
1133 The SSH host keys are regenerated (differently) next time the guest is
1135 booted.
1136 If, after cloning, the guest gets the same IP address, ssh will give
1138 you a stark warning about the host key changing:
1139 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1141 @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
1142 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1143 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
1144 ssh-userdir *
1146 Remove ".ssh" directories in the guest.
1147 Remove the ".ssh" directory of user "root" and any other users who have
1149 a ".ssh" directory in their home directory.
1150 Notes on ssh-userdir
1152 Currently this only looks in "/root" and "/home/*" for home
1154 directories, so users with home directories in other locations won't
1155 have the ssh files removed.
1156 sssd-db-log *
1158 Remove the database and log files of sssd.
1159 tmp-files *
1161 Remove temporary files.
1162 This removes temporary files under "/tmp" and "/var/tmp".
1164 udev-persistent-net *
1166 Remove udev persistent net rules.
1167 Remove udev persistent net rules which map the guest’s existing MAC
1169 address to a fixed ethernet device (eg. eth0).
1170 After a guest is cloned, the MAC address usually changes. Since the
1172 old MAC address occupies the old name (eg. eth0), this means the fresh
1173 MAC address is assigned to a new name (eg. eth1) and this is usually
1174 undesirable. Erasing the udev persistent net rules avoids this.
1175 user-account
1177 Remove the user accounts in the guest.
1178 By default remove all the user accounts and their home directories.
1180 The "root" account is not removed.
1181 See the --remove-user-accounts parameter for a way to specify how to
1183 remove only some users, or to not remove some others.
1184 utmp *
1186 Remove the utmp file.
1187 This file records who is currently logged in on a machine. In modern
1189 Linux distros it is stored in a ramdisk and hence not part of the
1190 virtual machine’s disk, but it was stored on disk in older distros.
1191 yum-uuid *
1193 Remove the yum UUID.
1194 Yum creates a fresh UUID the next time it runs when it notices that the
1196 original UUID has been erased.
1197
1199 Virt-sysprep can be used as part of a process of cloning guests, or to
1200 prepare a template from which guests can be cloned. There are many
1201 different ways to achieve this using the virt tools, and this section
1202 is just an introduction.
1203 A virtual machine (when switched off) consists of two parts:
1205 configuration
1207 The configuration or description of the guest. eg. The libvirt XML
1208 (see "virsh dumpxml"), the running configuration of the guest, or
1209 another external format like OVF.
1210 Some configuration items that might need to be changed:
1212 • name
1214 • UUID
1216 • path to block device(s)
1218 • network card MAC address
1220 block device(s)
1222 One or more hard disk images, themselves containing files,
1223 directories, applications, kernels, configuration, etc.
1224 Some things inside the block devices that might need to be changed:
1226 • hostname and other net configuration
1228 • UUID
1230 • SSH host keys
1232 • Windows unique security ID (SID)
1234 • Puppet registration
1236 COPYING THE BLOCK DEVICE
1238 Starting with an original guest, you probably wish to copy the guest
1239 block device and its configuration to make a template. Then once you
1240 are happy with the template, you will want to make many clones from it.
1241 virt-sysprep
1243 |
1244 v
1245 original guest --------> template ---------->
1246 \------> cloned
1247 \-----> guests
1248 \---->
1249 You can, of course, just copy the block device on the host using cp(1)
1251 or dd(1).
1252 dd dd
1254 original guest --------> template ---------->
1255 \------> cloned
1256 \-----> guests
1257 \---->
1258 There are some smarter (and faster) ways too:
1260 snapshot
1262 template ---------->
1263 \------> cloned
1264 \-----> guests
1265 \---->
1266 You may want to run virt-sysprep twice, once to reset the guest (to
1268 make a template) and a second time to customize the guest for a
1269 specific user:
1270 virt-sysprep virt-sysprep
1272 (reset) (add user, keys, logos)
1273 | |
1274 dd v dd v
1275 original guest ----> template ---------> copied ------> custom
1276 template guest
1277 • Create a snapshot using qemu-img:
1279 qemu-img create -f qcow2 -o backing_file=original snapshot.qcow
1281 The advantage is that you don’t need to copy the original (very
1283 fast) and only changes are stored (less storage required).
1284 Note that writing to the backing file once you have created guests
1286 on top of it is not possible: you will corrupt the guests.
1287 • Create a snapshot using "lvcreate --snapshot".
1289 • Other ways to create snapshots include using filesystems-level
1291 tools (for filesystems such as btrfs).
1292 Most Network Attached Storage (NAS) devices can also create cheap
1294 snapshots from files or LUNs.
1295 • Get your NAS to duplicate the LUN. Most NAS devices can also
1297 duplicate LUNs very cheaply (they copy them on-demand in the
1298 background).
1299 • Prepare your template using virt-sparsify(1). See below.
1301 VIRT-CLONE
1303 A separate tool, virt-clone(1), can be used to duplicate the block
1304 device and/or modify the external libvirt configuration of a guest. It
1305 will reset the name, UUID and MAC address of the guest in the libvirt
1306 XML.
1307 virt-clone(1) does not use libguestfs and cannot look inside the disk
1309 image. This was the original motivation to write virt-sysprep.
1310 SPARSIFY
1312 virt-sparsify
1313 original guest --------> template
1314 virt-sparsify(1) can be used to make the cloning template smaller,
1316 making it easier to compress and/or faster to copy.
1317 Notice that since virt-sparsify also copies the image, you can use it
1319 to make the initial copy (instead of "dd").
1320 RESIZE
1322 virt-resize
1323 template ---------->
1324 \------> cloned
1325 \-----> guests
1326 \---->
1327 If you want to give people cloned guests, but let them pick the size of
1329 the guest themselves (eg. depending on how much they are prepared to
1330 pay for disk space), then instead of copying the template, you can run
1331 virt-resize(1). Virt-resize performs a copy and resize, and thus is
1332 ideal for cloning guests from a template.
1333
1335 The two options --firstboot and --script both supply shell scripts that
1336 are run against the guest. However these two options are significantly
1337 different.
1338 --firstboot script uploads the file "script" into the guest and
1340 arranges that it will run, in the guest, when the guest is next booted.
1341 (The script will only run once, at the "first boot").
1342 --script script runs the shell "script" on the host, with its current
1344 directory inside the guest filesystem.
1345 If you needed, for example, to "yum install" new packages, then you
1347 must not use --script for this, since that would (a) run the "yum"
1348 command on the host and (b) wouldn't have access to the same resources
1349 (repositories, keys, etc.) as the guest. Any command that needs to run
1350 on the guest must be run via --firstboot.
1351 On the other hand if you need to make adjustments to the guest
1353 filesystem (eg. copying in files), then --script is ideal since (a) it
1354 has access to the host filesystem and (b) you will get immediate
1355 feedback on errors.
1356 Either or both options can be used multiple times on the command line.
1358
1360 Virtual machines that employ full disk encryption internally to the
1361 guest should not be considered for cloning and distribution, as it
1362 provides multiple parties with the same internal volume key, enabling
1363 any one such party to decrypt all the other clones. Refer to the LUKS
1364 FAQ for details.
1365 Although virt-sysprep removes some sensitive information from the
1367 guest, it does not pretend to remove all of it. You should examine the
1368 "OPERATIONS" above and the guest afterwards.
1369 Sensitive files are simply removed. The data they contained may still
1371 exist on the disk, easily recovered with a hex editor or undelete tool.
1372 The --scrub option can be used to scrub files instead of just deleting
1373 them. virt-sparsify(1) is another way to remove this content. See
1374 also the scrub(1) command to get rid of deleted content in directory
1375 entries and inodes.
1376 RANDOM SEED
1378 (This section applies to Linux guests only)
1379 For supported guests, virt-sysprep writes a few bytes of randomness
1381 from the host into the guest’s random seed file.
1382 If this is just done once and the guest is cloned from the same
1384 template, then each guest will start with the same entropy, and things
1385 like SSH host keys and TCP sequence numbers may be predictable.
1386 Therefore you should arrange to add more randomness after cloning from
1388 a template too, which can be done by enabling just the customize
1389 module:
1390 cp template.img newguest.img
1392 virt-sysprep --enable customize -a newguest.img
1393
1395 For guests which make use of SELinux, special handling for them might
1396 be needed when using operations which create new files or alter
1397 existing ones.
1398 For further details, see "SELINUX" in virt-builder(1).
1400
1402 Windows 8 "fast startup" can prevent virt-sysprep from working. See
1403 "WINDOWS HIBERNATION AND WINDOWS 8 FAST STARTUP" in guestfs(3).
1404
1406 This program returns 0 on success, or 1 if there was an error.
1407
1409 "VIRT_TOOLS_DATA_DIR"
1410 This can point to the directory containing data files used for
1411 Windows firstboot installation.
1412 Normally you do not need to set this. If not set, a compiled-in
1414 default will be used (something like /usr/share/virt-tools).
1415 This directory may contain the following files:
1417 rhsrvany.exe
1419 This is the RHSrvAny Windows binary, used to install a
1420 "firstboot" script in Windows guests. It is required if you
1421 intend to use the --firstboot or --firstboot-command options
1422 with Windows guests.
1423 See also: "https://github.com/rwmjones/rhsrvany"
1425 pvvxsvc.exe
1427 This is a Windows binary shipped with SUSE VMDP, used to
1428 install a "firstboot" script in Windows guests. It is required
1429 if you intend to use the --firstboot or --firstboot-command
1430 options with Windows guests.
1431 For other environment variables, see "ENVIRONMENT VARIABLES" in
1433 guestfs(3).
1434
1436 guestfs(3), guestfish(1), virt-builder(1), virt-clone(1),
1437 virt-customize(1), virt-rescue(1), virt-resize(1), virt-sparsify(1),
1438 virsh(1), lvcreate(8), qemu-img(1), scrub(1), http://libguestfs.org/,
1439 http://libvirt.org/.
1440
1442 Richard W.M. Jones http://people.redhat.com/~rjones/
1443 Wanlong Gao, Fujitsu Ltd.
1445
1447 Copyright (C) 2011-2023 Red Hat Inc.
1448 Copyright (C) 2012 Fujitsu Ltd.
1450
1452 This program is free software; you can redistribute it and/or modify it
1453 under the terms of the GNU General Public License as published by the
1454 Free Software Foundation; either version 2 of the License, or (at your
1455 option) any later version.
1456 This program is distributed in the hope that it will be useful, but
1458 WITHOUT ANY WARRANTY; without even the implied warranty of
1459 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
1460 General Public License for more details.
1461 You should have received a copy of the GNU General Public License along
1463 with this program; if not, write to the Free Software Foundation, Inc.,
1464 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
1465
1467 To get a list of bugs against libguestfs, use this link:
1468 https://bugzilla.redhat.com/buglist.cgi?component=libguestfs&product=Virtualization+Tools
1469 To report a new bug against libguestfs, use this link:
1471 https://bugzilla.redhat.com/enter_bug.cgi?component=libguestfs&product=Virtualization+Tools
1472 When reporting a bug, please supply:
1474 • The version of libguestfs.
1476 • Where you got libguestfs (eg. which Linux distro, compiled from
1478 source, etc)
1479 • Describe the bug accurately and give a way to reproduce it.
1481 • Run libguestfs-test-tool(1) and paste the complete, unedited output
1483 into the bug report.
1484guestfs-tools-1.51.6 2023-12-09 virt-sysprep(1)