If subscriptions are used to build an image, there could be certificates remaining on the machine. A nice enhancement to the tool would be to clean up these certificates. There are two options for this: subscription-manager unregister will remove all certificates and identity from the machine and the subscription service which generated them. subscription-manager clean removes all certificates from the machine, but leaves them intact on the server. It would be nice to have both options available to the user.
virt-sysprep (just like other libguestfs tools) usually do not run any executable found inside the images being mounted (could not be safe, or it could be a different architecture/OS, etc). However, if you are really sure that the host and the guest are compatible (i.e. same OS/distro/version/etc, see also notes in `guestfish help command`), then you can execute the command using guestfish, e.g.: guestfish -i -a your.img command "subscription-manager unregister" Maybe we could have a sysprep operation doing the same, i.e. to run "command" as doable with guestfish (or using the API).
As Pino says, running untrusted executables from guests is something we'd prefer not to do. We wrap everything up in qemu + sVirt + a container, but even so. Is there a file / files / directory we could delete instead? Or a configuration file we could edit?
The equivilane of the clean is to rm /etc/pki/consumer/* rm /etc/pki/entitlement/* My guess is that would be good enough for a first cut. If you need to clear out logs, the they would be in /var/log/rhsm/ And they can all go
(In reply to Bryan Kearney from comment #3) > The equivilane of the clean is to > > rm /etc/pki/consumer/* > rm /etc/pki/entitlement/* > > My guess is that would be good enough for a first cut. If you need to clear > out logs, the they would be in > > /var/log/rhsm/ > > And they can all go Thanks for the feedback! With the two commits https://github.com/libguestfs/libguestfs/commit/f78877c77e502ac829ccbc11207b807bb1688420 https://github.com/libguestfs/libguestfs/commit/4ca4eef0cc6877a595c3d71c09d3dc18a803b638 in libguestfs >= 1.25.35 the logs will be purged together with other logs (in the logfiles operation), and the new rh-subscription-manager operation (enabled by default) will remove the other two directories you mentioned. Feel free to drop us a note if something else need to be removed as part of this.