Description of problem:
The tog-pegasus package generates self-signed certificates in /etc/Pegasus (specifically, server.pem, file.pem (the private key) and client.pem (the trusted CA chain)). These should be removed when running virt-sysprep.

Version-Release number of selected component (if applicable):
libguestfs-1.22.6-15.el7

How reproducible:
Every time

Steps to Reproduce:
1. Run virt-sysprep

Actual results:
Pegasus certificates remain in /etc/Pegasus

Expected results:
Pegasus certificates should be removed so that they can be regenerated on the new system.

Additional info:

(In reply to Stephen Gallagher from comment #0)
> The tog-pegasus package generates self-signed certificates in /etc/Pegasus
> (specifically, server.pem, file.pem (the private key) and client.pem (the
> trusted CA chain). These should be removed when running virt-sysprep.

Easy enough to do.

The only question I have about this is: should virt-sysprep remove
a) only /etc/Pegasus/server.pem, /etc/Pegasus/file.pem, /etc/Pegasus/client.pem
b) /etc/Pegasus/*.pem (any certificate there)
c) /etc/Pegasus/ as a whole, wiping certs, config, etc
?

(In reply to Pino Toscano from comment #1)
> (In reply to Stephen Gallagher from comment #0)
> > The tog-pegasus package generates self-signed certificates in /etc/Pegasus
> > (specifically, server.pem, file.pem (the private key) and client.pem (the
> > trusted CA chain). These should be removed when running virt-sysprep.
>
> Easy enough to do.
>
> The only question I have about this is: should virt-sysprep remove
> a) only /etc/Pegasus/server.pem, /etc/Pegasus/file.pem,
> /etc/Pegasus/client.pem

These are the most important ones (and the only ones that exist today), but...

> b) /etc/Pegasus/*.pem (any certificate there)
> c) /etc/Pegasus/ as a whole, wiping certs, config, etc
> ?

In order to be future-compatible with some other changes I'm proposing there, we should probably remove *.pem, *.cnf, *.csr, *.crt and *.srl (note: .cnf != .conf)

Upstream has a --delete option which lets you delete arbitrary paths, files and globs, so giving you pretty much ultimate flexibility. I wonder if we'd be better off just backporting that option?
(In reply to Stephen Gallagher from comment #2)
> In order to be future-compatible with some other changes I'm proposing
> there, we should probably remove *.pem, *.cnf, *.csr, *.crt and *.srl
> (note: .cnf != .conf)

Posted as upstream patch for virt-sysprep:
https://www.redhat.com/archives/libguestfs/2013-December/msg00073.html

(In reply to Richard W.M. Jones from comment #3)
> Upstream has a --delete option which lets you delete arbitrary
> paths, files and globs, so giving you pretty much ultimate
> flexibility. I wonder if we'd be better off just backporting
> that option?

Maybe we could backport --delete, along with some of the recent additions in logfiles (this and #1039540)?

Upstream now: https://github.com/libguestfs/libguestfs/commit/30936f499e08919a351d3d46c7e26a30dea697ea
Bug 1042780 has been added to request support for the --delete option.
Verified with libguestfs-1.27.62-1.1.el7

Steps to verify:
1. Start the guest image and create files.
[host]#qemu-kvm -m 1024M -smp 4 -drive file=$PWD/RHEL-Server-6.6-64-hvm.raw -vnc :1&
[guest]#ll /etc/Pegasus
ls: cannot access /etc/Pegasus: No such file or directory
[guest]#mkdir /etc/Pegasus
[guest]#touch test1.pem, test2.cnf, test3.csr, test4.crt test5.srl test6
[guest]#shutdown -h now

2. Use virt-sysprep and start the guest image again.
[host]#virt-sysprep -a RHEL-Server-6.6-64-hvm.raw
[host]#qemu-kvm -m 1024M -smp 4 -drive file=$PWD/RHEL-Server-6.6-64-hvm.raw -vnc :1&
[guest]# ls /etc/Pegasus/
test6

From step 2, the files *.pem, *.cnf, *.csr, *.crt and *.srl were removed, so the bug is fixed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0303.html
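
A check in the spirit of the verification comment above, as an added example that is not part of this bug thread or of libguestfs: it audits an offline guest root (for instance a read-only mount of a template image) for files in /etc/Pegasus matching the patterns discussed in this bug. The function names, the sample tree and the file example.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example (not libguestfs code): report certificate material left in
# ROOT/etc/Pegasus. Patterns are the ones listed in this bug; *.conf is
# deliberately absent (.cnf != .conf), so configuration files are not reported.

# pegasus_leftovers ROOT
# Prints leftover files relative to ROOT, one per line, sorted.
# Returns 0 when clean, 1 when anything matched.
pegasus_leftovers() {
    root=${1%/}
    dir="$root/etc/Pegasus"
    [ -d "$dir" ] || return 0      # directory absent: nothing to leak
    # Top level only, like the /etc/Pegasus/*.pem style globs in the thread.
    hits=$(find "$dir" -maxdepth 1 ! -type d \
        \( -name '*.pem' -o -name '*.cnf' -o -name '*.csr' \
           -o -name '*.crt' -o -name '*.srl' \) | sort)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf '%s\n' "${f#"$root"/}"
    done
    return 1
}

# make_sample_root
# Builds a constructed tree using the file names from the verification
# comment plus a constructed example.conf, and prints its path.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/etc/Pegasus"
    for f in test1.pem test2.cnf test3.csr test4.crt test5.srl \
             test6 example.conf; do
        : > "$r/etc/Pegasus/$f"
    done
    printf '%s\n' "$r"
}

# When given a guest root as argument, audit it; exit status 1 means leftovers.
if [ "$#" -gt 0 ]; then
    pegasus_leftovers "$1"
fi
```

A non-zero exit status from the script means the image still carries key or certificate files and should not be used as a clone template as-is.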