Bug 1041552

Summary: virt-sysprep should remove Pegasus certificates
Product: Red Hat Enterprise Linux 7
Reporter: Stephen Gallagher <sgallagh>
Component: libguestfs
Assignee: Richard W.M. Jones <rjones>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Priority: unspecified
Version: 7.0
CC: leiwang, mbooth, ptoscano, rdoty, sct, sgallagh
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libguestfs-1.27.56-1.1.el7
Doc Type: Bug Fix
Clone Of: ---
Clones: 1042780
Last Closed: 2015-03-05 13:43:15 UTC
Type: Bug
Bug Depends On: 1041555

Description Stephen Gallagher 2013-12-12 17:02:49 UTC
Description of problem:
The tog-pegasus package generates self-signed certificates in /etc/Pegasus (specifically, server.pem, file.pem (the private key) and client.pem (the trusted CA chain). These should be removed when running virt-sysprep.

Version-Release number of selected component (if applicable):
libguestfs-1.22.6-15.el7

How reproducible:
Every time

Steps to Reproduce:
1. Run virt-sysprep

Actual results:
Pegasus certificates remain in /etc/Pegasus

Expected results:
Pegasus certificates should be removed so that they can be regenerated on the new system.

Additional info:

Comment 1 Pino Toscano 2013-12-12 17:17:20 UTC
(In reply to Stephen Gallagher from comment #0)
> The tog-pegasus package generates self-signed certificates in /etc/Pegasus
> (specifically, server.pem, file.pem (the private key) and client.pem (the
> trusted CA chain). These should be removed when running virt-sysprep.

Easy enough to do.

The only question I have about this is: should virt-sysprep remove
a) only /etc/Pegasus/server.pem, /etc/Pegasus/file.pem, /etc/Pegasus/client.pem
b) /etc/Pegasus/*.pem (any certificate there)
c) /etc/Pegasus/ as a whole, wiping certs, config, etc
?

Comment 2 Stephen Gallagher 2013-12-12 17:37:18 UTC
(In reply to Pino Toscano from comment #1)
> (In reply to Stephen Gallagher from comment #0)
> > The tog-pegasus package generates self-signed certificates in /etc/Pegasus
> > (specifically, server.pem, file.pem (the private key) and client.pem (the
> > trusted CA chain). These should be removed when running virt-sysprep.
> 
> Easy enough to do.
> 
> The only question I have about this is: should virt-sysprep remove
> a) only /etc/Pegasus/server.pem, /etc/Pegasus/file.pem,
> /etc/Pegasus/client.pem

These are the most important ones (and the only ones that exist today), but...

> b) /etc/Pegasus/*.pem (any certificate there)
> c) /etc/Pegasus/ as a whole, wiping certs, config, etc
> ?

In order to be future-compatible with some other changes I'm proposing there, we should probably remove *.pem, *.cnf, *.csr, *.crt and *.srl (note: .cnf != .conf)

Comment 3 Richard W.M. Jones 2013-12-12 18:14:34 UTC
Upstream has a --delete option which lets you delete arbitrary
paths, files and globs, so giving you pretty much ultimate
flexibility.  I wonder if we'd be better off just backporting
that option?

Comment 4 Pino Toscano 2013-12-13 10:12:18 UTC
(In reply to Stephen Gallagher from comment #2)
> In order to be future-compatible with some other changes I'm proposing
> there, we should probably remove *.pem, *.cnf, *.csr, *.crt and *.srl 
> (note: .cnf != .conf)

Posted as upstream patch for virt-sysprep:
https://www.redhat.com/archives/libguestfs/2013-December/msg00073.html

(In reply to Richard W.M. Jones from comment #3)
> Upstream has a --delete option which lets you delete arbitrary
> paths, files and globs, so giving you pretty much ultimate
> flexibility.  I wonder if we'd be better off just backporting
> that option?

Maybe we could backport --delete, along with some of the recent additions in logfiles (this and #1039540)?

Comment 6 Richard W.M. Jones 2013-12-13 10:54:54 UTC
Bug 1042780 has been added to request support for the --delete option.

Comment 11 jiyu 2014-10-13 06:21:31 UTC
Verified with libguestfs-1.27.62-1.1.el7

Steps to verify:
1. Start the guest image and create files.
  [host]#qemu-kvm -m 1024M -smp 4 -drive file=$PWD/RHEL-Server-6.6-64-hvm.raw -vnc :1&
  [guest]#ll /etc/Pegasus
  ls: cannot access /etc/Pegasus: No such file or directory
  [guest]#mkdir /etc/Pegasus
  [guest]#touch test1.pem test2.cnf test3.csr test4.crt test5.srl test6
  [guest]#shutdown -h now

2. Use virt-sysprep and start the guest image again.
  [host]#virt-sysprep -a RHEL-Server-6.6-64-hvm.raw
  [host]#qemu-kvm -m 1024M -smp 4 -drive file=$PWD/RHEL-Server-6.6-64-hvm.raw -vnc :1&
  [guest]# ls /etc/Pegasus/
  test6

From step 2, the files matching *.pem, *.cnf, *.csr, *.crt and *.srl were removed, so the bug is fixed.
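As an added example (not libguestfs code and not part of this bug's comments), the check below audits a guest root tree for the tog-pegasus material virt-sysprep is expected to clear, using the globs from comment 2, and flags any .pem that still carries a private key; the fixture mirrors the verification steps in comment 11. It assumes the guest filesystem is reachable as a plain directory (for instance via guestmount) and only reads it.

```shell
#!/bin/sh
# audit_pegasus_certs ROOT: list leftover certificate material under
# ROOT/etc/Pegasus. Returns 0 when clean, 1 when anything matched.
# Assumption: ROOT is a mounted or extracted guest root; nothing is modified.
audit_pegasus_certs() {
    root="$1"
    dir="$root/etc/Pegasus"
    found=0
    [ -d "$dir" ] || return 0          # nothing to clean if the directory is absent
    # The same patterns comment 2 asked virt-sysprep to remove.
    for pat in '*.pem' '*.cnf' '*.csr' '*.crt' '*.srl'; do
        for f in "$dir"/$pat; do
            [ -f "$f" ] || continue    # unmatched glob stays literal; skip it
            found=$((found + 1))
            # A leftover private key is the finding that matters most for a
            # template: every clone would share it.
            if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then
                echo "$f (contains a private key)"
            else
                echo "$f"
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# Constructed fixture (not a real guest): a fake root with the file layout
# from the bug description plus an unrelated file that must survive.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/Pegasus"
    printf -- '-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n' \
        > "$d/etc/Pegasus/file.pem"
    : > "$d/etc/Pegasus/server.pem"
    : > "$d/etc/Pegasus/ssl.cnf"
    : > "$d/etc/Pegasus/test6"
    echo "$d"
}
```

Run it against a template before cloning it; a non-zero exit means the image still needs a virt-sysprep pass (or, on builds with the option, `virt-sysprep --delete` on the paths it printed).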

Comment 13 errata-xmlrpc 2015-03-05 13:43:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0303.html