Bug 1063374 - [RFE] enable subscription manager clean or unregister operation to sysprep
Status: CLOSED UPSTREAM
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libguestfs
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Assignee: Richard W.M. Jones
Reported: 2014-02-10 15:13 UTC by Bryan Kearney
Modified: 2014-02-13 14:31 UTC (History)
Doc Type: Bug Fix
Last Closed: 2014-02-13 14:31:01 UTC

Description Bryan Kearney 2014-02-10 15:13:37 UTC
If subscriptions are used to build an image, there could be certificates remaining on the machine. A nice enhancement to the tool would be to clean up these certificates. There are two options for this:

subscription-manager unregister

will remove all certificates and identity from the machine and the subscription service which generated them.

subscription-manager clean removes all certificates from the machine, but leaves them intact on the server. It would be nice to have both options available to the user.

Comment 1 Pino Toscano 2014-02-10 16:20:28 UTC
virt-sysprep (just like other libguestfs tools) usually does not run any executable found inside the images being mounted (it might not be safe, or it could be a different architecture/OS, etc).

However, if you are really sure that the host and the guest are compatible (i.e. same OS/distro/version/etc, see also notes in `guestfish help command`), then you can execute the command using guestfish, e.g.:

  guestfish -i -a your.img command "subscription-manager unregister"

Maybe we could have a sysprep operation doing the same, i.e. to run "command" as doable with guestfish (or using the API).

Comment 2 Richard W.M. Jones 2014-02-12 17:20:07 UTC
As Pino says, running untrusted executables from guests is
something we'd prefer not to do.  We wrap everything up in
qemu + sVirt + a container, but even so.

Is there a file / files / directory we could delete instead?
Or a configuration file we could edit?

Comment 3 Bryan Kearney 2014-02-12 17:53:06 UTC
The equivalent of the clean is to

rm /etc/pki/consumer/*
rm /etc/pki/entitlement/*

My guess is that would be good enough for a first cut. If you need to clear out logs, then they would be in

/var/log/rhsm/

And they can all go

Comment 4 Pino Toscano 2014-02-13 14:31:01 UTC
(In reply to Bryan Kearney from comment #3)
> The equivalent of the clean is to
> 
> rm /etc/pki/consumer/*
> rm /etc/pki/entitlement/*
> 
> My guess is that would be good enough for a first cut. If you need to clear
> out logs, then they would be in
> 
> /var/log/rhsm/
> 
> And they can all go

Thanks for the feedback!

With the two commits
https://github.com/libguestfs/libguestfs/commit/f78877c77e502ac829ccbc11207b807bb1688420
https://github.com/libguestfs/libguestfs/commit/4ca4eef0cc6877a595c3d71c09d3dc18a803b638
in libguestfs >= 1.25.35 the logs will be purged together with other logs (in the logfiles operation), and the new rh-subscription-manager operation (enabled by default) will remove the other two directories you mentioned.

Feel free to drop us a note if something else needs to be removed as part of this.
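
A post-sysprep check for the paths discussed in this thread, as an added example that is not part of the bug report or of libguestfs: it lists leftovers through guestfish in read-only mode, so no guest executable runs. The function names, exit codes and the sample listing are this example's own.

```shell
#!/bin/sh
# Added example: confirm a template image carries no subscription-manager
# identity or entitlement files, without executing anything from the guest.

# Ask guestfish which paths still match the directories named in this bug.
# --ro opens the disk read-only; -i inspects the image and mounts its filesystems.
list_rhsm_paths() {
    guestfish --ro -i -a "$1" <<'EOF'
glob-expand /etc/pki/consumer/*
glob-expand /etc/pki/entitlement/*
glob-expand /var/log/rhsm/*
EOF
}

# Read one path per line, print "<kind> <path>" for every leftover, and
# return 1 if credential material remains. Treating logs as report-only is
# this example's choice, not something the bug prescribes.
classify_leftovers() {
    rc=0
    while IFS= read -r p; do
        case $p in
            /etc/pki/consumer/?*)    echo "identity $p";    rc=1 ;;
            /etc/pki/entitlement/?*) echo "entitlement $p"; rc=1 ;;
            /var/log/rhsm/?*)        echo "log $p" ;;
        esac
    done
    return "$rc"
}

# Exit status: 0 clean, 1 leftovers, 2 image could not be inspected
# (a failed inspection must not be mistaken for a clean image).
check_image() {
    paths=$(list_rhsm_paths "$1") || { echo "cannot inspect $1" >&2; return 2; }
    printf '%s\n' "$paths" | classify_leftovers
}

if [ -n "${1:-}" ]; then
    check_image "$1"
else
    # Constructed listing (file names are made up) to show the report format.
    printf '%s\n' /etc/pki/consumer/cert.pem /etc/pki/entitlement/1.pem \
        /var/log/rhsm/rhsm.log | classify_leftovers || true
fi
```

Run it with the image path as the only argument after virt-sysprep; a non-zero exit can gate publishing the template.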

