Bug 1285519 - RFE: provide a way to prevent creating artifacts with internal pathnames, e.g. anaconda-ks.cfg
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: anaconda
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kolman
QA Contact: Release Test Team
URL:
Whiteboard:
Duplicates: 1342663
Depends On:
Blocks: 1284582 1295926 1313485 1340477 1340490
Reported: 2015-11-25 20:03 UTC by Mike Burns
Modified: 2020-01-17 15:36 UTC (History)

Fixed In Version: anaconda-21.48.22.81-1
Doc Type: Enhancement
Doc Text:
Feature: Make it possible to prevent installation logs and input/output kickstarts from being stored on the installed system (this includes image installation).
Reason: In some cases (and especially during image installations) it makes sense not to save installation logs and kickstarts to the installed system, mostly due to internal URLs and possibly other sensitive information they might contain. Unfortunately the kickstart %post scripts run *before* the logs and kickstarts are copied to the system, so some other way of getting rid of them was needed.
Result: The inst.nosave boot option and the --nosave command line option have been added, which make it possible to prevent logs and kickstarts from reaching the installed system.
The nosave option takes the following keywords:
  input_ks - Disables saving of the input kickstart (if any).
  output_ks - Disables saving of the output kickstart generated by Anaconda.
  all_ks - Disables saving of both input and output kickstarts.
  logs - Disables saving of all installation logs.
  all - Disables saving of all kickstarts and all logs.
At least one keyword is expected and multiple keywords can be provided, delimited by a ",", for example: input_ks,logs
Clone Of:
: 1340477 (view as bug list)
Environment:
Last Closed: 2016-11-03 23:19:20 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2740121 0 None None None 2016-11-02 17:28:02 UTC
Red Hat Product Errata RHEA-2016:2158 0 normal SHIPPED_LIVE anaconda bug fix and enhancement update 2016-11-03 13:13:55 UTC

Description Mike Burns 2015-11-25 20:03:28 UTC
Description of problem:
It would be useful to have a flag or option that prevents creating the anaconda-ks.cfg file under /root.  There is currently no way to avoid this file since the file is written after %post.

The use case that I'm trying to solve is delivering image builds that are initially generated from kickstarts.  These image builds all contain the anaconda-ks.cfg file today because we can't remove it without post-processing using something like guestfish or virt-customize.  This results in internal build locations and other internal information being included in the images.

Comment 1 Jan Stodola 2015-11-26 10:17:13 UTC
I guess that not only anaconda-ks.cfg, but also installation logs should not be copied to /var/log/anaconda/, since they also contain internal locations.

Comment 2 Martin Kolman 2015-11-26 10:37:21 UTC
(In reply to Jan Stodola from comment #1)
> I guess that not only anaconda-ks.cfg, but also installation logs should not
> be copied to /var/log/anaconda/, since they also contain internal locations.
Yeah, that also makes sense, but I guess it should probably be a separate option so that we don't lump them together with kickstarts.

So maybe inst.save_kickstart and inst.save_logs?

And if "inst.save_kickstart=0 inst.save_kickstart=0" were added to the boot command line, both kickstarts and logs would not be saved to the system.

Comment 3 Jan Stodola 2015-11-26 11:36:56 UTC
ok, two options make sense.

Comment 4 Martin Kolman 2015-12-02 16:01:19 UTC
A patch[0] adding this for Fedora has been posted for review.

[0] https://lists.fedorahosted.org/archives/list/anaconda-patches%40lists.fedorahosted.org/message/W4WDSKJ6OUKBSE2SXFWCP6A2M6OZL37X/

Comment 5 Fabian Deutsch 2015-12-09 15:47:19 UTC
We should also consider dropping other caches like yum's cache or so.
Basically this has quite a bit of overlap with virt-sysprep IMO.

Comment 6 Martin Kolman 2015-12-14 13:40:38 UTC
(In reply to Fabian Deutsch from comment #5)
> We should also consider dropping other caches like yum's cache or so.
> Basically this has quite a bit of overlap with virt-sysprep IMO.
We are thinking about making a single boot option that users can use to provide a comma-separated list of things Anaconda should not save on the installed system.

For example:

inst.nosave=logs,kickstarts

or

inst.nosave=all

To disable saving of all the "artifacts" that can be specified by the nosave option.

This should be quite easy to extend to various kinds of things as needed.

Comment 7 Fabian Deutsch 2015-12-14 13:48:04 UTC
That sounds like a nice approach.

Please consider putting this in a somewhat isolated library; maybe this can be pulled into a separate tool for existing images.

Comment 12 David Shea 2016-06-03 19:58:16 UTC
*** Bug 1342663 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2016-11-03 23:19:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2158.html
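
An added example (not Anaconda's code and not part of this bug report): a check an image-build pipeline could run against a mounted image root to confirm that the artifacts a given nosave value should suppress are actually absent. The keywords follow the Doc Text above; the `root/original-ks.cfg` location for the input kickstart, the function names and the strict keyword handling are assumptions of this example.

```python
import os
import tempfile

# Artifact locations relative to the installed system's root. anaconda-ks.cfg
# and /var/log/anaconda/ are named in this bug; original-ks.cfg as the saved
# copy of the input kickstart is an assumption of this example.
ARTIFACTS = {
    "input_ks": ["root/original-ks.cfg"],
    "output_ks": ["root/anaconda-ks.cfg"],
    "logs": ["var/log/anaconda"],
}
# Aggregate keywords from the Doc Text.
ALIASES = {"all_ks": {"input_ks", "output_ks"}, "all": set(ARTIFACTS)}


def parse_nosave(value):
    """Expand a nosave value such as 'input_ks,logs' into artifact classes."""
    suppressed = set()
    for kw in (k.strip() for k in value.split(",")):
        if kw in ALIASES:
            suppressed |= ALIASES[kw]
        elif kw in ARTIFACTS:
            suppressed.add(kw)
        else:
            # Strictness is this checker's choice, not documented Anaconda behaviour.
            raise ValueError("unknown or empty nosave keyword: %r" % kw)
    return suppressed


def audit_image_root(root, nosave):
    """List files under root that the given nosave value should have kept out."""
    leftovers = []
    for kind in parse_nosave(nosave):
        for rel in ARTIFACTS[kind]:
            path = os.path.join(root, rel)
            if os.path.isfile(path):
                leftovers.append(rel)
            # os.walk yields nothing for a missing path or a plain file.
            for dirpath, _dirs, files in os.walk(path):
                leftovers += [os.path.relpath(os.path.join(dirpath, f), root)
                              for f in files]
    return sorted(leftovers)


if __name__ == "__main__":
    # Constructed sample tree standing in for an image built without nosave.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "root"))
        os.makedirs(os.path.join(root, "var/log/anaconda"))
        for rel in ("root/anaconda-ks.cfg", "var/log/anaconda/anaconda.log"):
            open(os.path.join(root, rel), "w").close()
        print(audit_image_root(root, "all"))
        print(audit_image_root(root, "input_ks"))
```

A non-empty result means the image still carries files that the build was expected to leave out, so the pipeline can fail the build before the image is published.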

