Bug 1514895

Summary: [RHV] Template Seal option, chosen as part of Publish VM to a template dialog is not working.
Product: Red Hat CloudForms Management Engine
Reporter: Ilanit Stein <istein>
Component: Providers
Assignee: Moti Asayag <masayag>
Status: CLOSED CURRENTRELEASE
QA Contact: Ilanit Stein <istein>
Severity: high
Docs Contact:
Priority: high
Version: 5.9.0
CC: gblomqui, istein, jfrey, jhardy, masayag, obarenbo, simaishi
Target Milestone: GA
Keywords: TestOnly
Target Release: 5.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: rhev
Fixed In Version: 5.10.0.0
Doc Type: Enhancement
Doc Text:
Feature: Support 'Seal template' as part of the 'publish vm' flow. Reason: Allowing the user to decide if the created template should be sealed. Taken from the RHV admin guide: "Specifies whether a template is sealed. 'Sealing' is an operation that erases all machine-specific configurations from a filesystem, including SSH keys, UDEV rules, MAC addresses, system ID, and hostname. This setting prevents a virtual machine based on this template from inheriting the configuration of the source virtual machine." Result: The user will be able to check or uncheck a checkbox that will instruct how the template should be created. This feature is applicable for Linux VMs only.
Story Points: ---
Clone Of:
: 1525242 Environment:
Last Closed: 2018-06-21 21:21:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: Bug
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: RHEVM Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1525242    

Description Ilanit Stein 2017-11-19 10:02:56 UTC
Description of problem:
Template seal for a RHEL VM seems not to be working.

Published a RHEL VM to a template, once with seal,
and once without seal.

Then created VMs from these 2 templates.

BOTH VMs had the same content under /etc/ssh:
ssh]# ls 
AuthorizedPrinicipals  moduli      sshd_config         ssh_host_ecdsa_key      ssh_host_ed25519_key      ssh_host_rsa_key 
ca_user_key.pub        ssh_config  sshd_config.rpmnew  ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub

While for the VM, created from a sealed template,
this path is expected to be empty.

Version-Release number of selected component (if applicable):
CFME-5.9.0.8/RHV-4.1.7

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Moti Asayag 2017-11-26 15:02:53 UTC
According to the admin guide, 'sealing' should:
" Specifies whether a template is sealed. 'Sealing' is an operation that erases all machine-specific configurations
  from a filesystem, including SSH keys, UDEV rules, MAC addresses, system ID, and hostname. This setting
   prevents a virtual machine based on this template from inheriting the configuration of the source virtual machine."


Can you try the exact action from RHV and see if the created VM is different than when created from ManageIQ?
That would allow us to pinpoint the origin of the issue: whether it is only an RHV bug on the specific setup or a ManageIQ issue.

Comment 3 Ilanit Stein 2017-11-29 14:14:32 UTC
I compared the seal template on RHV & CFME:

* On RHV-4.1.7,
1. Make a template from an original RHEL VM that contains a /root/.ssh/known_hosts file,
with the seal template option.
2. Create a VM from this template:
/root/.ssh/known_hosts does not exist.

* On CFME-5.9.0.10,
1. On CFME, publish the same original RHEL VM to a template, choosing seal template.
2. On the RHV side, create a VM from this published template:
/root/.ssh/known_hosts exists,
with the same content as in this file on the original RHEL VM.


Moti,
Can you please check?
(I can provide details on the tested env, if required).
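
The comparison in the comments above can be scripted. This is an added example, not ManageIQ or RHV code: a shell function that lists machine-specific files a sealed template should not carry. Only /etc/ssh and /root/.ssh/known_hosts come from this report; the other paths and the function name `seal_residue` are assumptions about a typical RHEL guest.

```shell
#!/bin/sh
# Added example (not ManageIQ or RHV code): report machine-specific files
# that a sealed template should no longer carry.

# seal_residue ROOT -> prints one line per leftover, returns 1 if any found.
# ROOT: a mounted copy of the template or clone disk, or "/" inside a guest.
seal_residue() {
    root=${1%/}
    found=0
    # SSH host keys: the files the report lists under /etc/ssh.
    for f in "$root"/etc/ssh/ssh_host_*; do
        if [ -e "$f" ]; then echo "ssh-host-key: $f"; found=1; fi
    done
    # known_hosts: /root is the path from the report; /home/* is an assumption.
    for f in "$root"/root/.ssh/known_hosts "$root"/home/*/.ssh/known_hosts; do
        if [ -e "$f" ]; then echo "known-hosts: $f"; found=1; fi
    done
    # Assumed RHEL locations for the other items the admin guide names.
    f="$root/etc/udev/rules.d/70-persistent-net.rules"
    if [ -e "$f" ]; then echo "udev-rule: $f"; found=1; fi
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        if [ -f "$f" ] && grep -q '^HWADDR=' "$f"; then
            echo "mac-pinned: $f"; found=1
        fi
    done
    f="$root/etc/machine-id"
    if [ -s "$f" ]; then echo "machine-id: $f"; found=1; fi
    return "$found"
}

# Constructed demo tree standing in for a guest cloned from an unsealed template.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh" "$demo/root/.ssh"
: > "$demo/etc/ssh/ssh_host_rsa_key"
echo "host.example ssh-rsa AAAA(constructed)" > "$demo/root/.ssh/known_hosts"
seal_residue "$demo" || echo "residue found: template was not sealed"
rm -rf "$demo"
```

On a guest that has already booted, host keys and the machine ID are normally regenerated, so the check is most meaningful against the template disk itself; on running clones, compare host key fingerprints between the two VMs instead.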

Comment 5 CFME Bot 2017-12-07 11:24:32 UTC
New commit detected on ManageIQ/manageiq-providers-ovirt/master:
https://github.com/ManageIQ/manageiq-providers-ovirt/commit/3f7cd93cae3b4286bd8166c07b185b1e14befa76

commit 3f7cd93cae3b4286bd8166c07b185b1e14befa76
Author:     Moti Asayag <masayag>
AuthorDate: Mon Dec 4 13:27:42 2017 +0200
Commit:     Moti Asayag <masayag>
CommitDate: Mon Dec 4 16:52:32 2017 +0200

    Fix Seal option of publish VM
    
    Due to latest rename of property name in publish vm yaml file from :seal
    to :seal_template, sealing option wasn't processed properly.
    
    In addition, the property should be sent as part of the request header,
    therefore should be specified in the second parameter of the
    Template.add(template, {:seal => ...}) method.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1514895

 .../providers/redhat/infra_manager/ovirt_services/strategies/v4.rb      | 2 +-
 app/models/manageiq/providers/redhat/infra_manager/provision/cloning.rb | 2 +-
 .../manageiq/providers/redhat/infra_manager/provision_workflow.rb       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
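
Review bot: no spec file appears in the diffstat, only one-line changes to v4.rb, cloning.rb and provision_workflow.rb, so the failure described in the commit message (the :seal to :seal_template rename causing the option to be dropped without any error) has no regression test. Suggest adding a spec that publishes with the seal option set and asserts the flag arrives in the second argument of Template.add, as in `Template.add(template, {:seal => ...})`, plus a case with the option unset, since a template that was meant to be sealed but was not carries the source VM's SSH keys into every clone.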