Bug 1285519 - RFE: provide a way to prevent creating artifacts with internal pathnames, e.g. anaconda-ks.cfg
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: anaconda
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kolman
QA Contact: Release Test Team
Keywords: FutureFeature
Duplicates: 1342663
Depends On:
Blocks: 1295926 1313485 1284582 1340477 1340490
 
Reported: 2015-11-25 15:03 EST by Mike Burns
Modified: 2016-11-03 19:19 EDT

See Also:
Fixed In Version: anaconda-21.48.22.81-1
Doc Type: Enhancement
Doc Text:
Feature: Make it possible to prevent installation logs and input/output kickstarts from being stored on the installed system (this includes image installation).

Reason: In some cases (and especially during image installations) it makes sense not to save installation logs and kickstarts to the installed system, mostly due to internal URLs and possibly other sensitive information they might contain. Unfortunately the kickstart %post scripts run *before* the logs and kickstarts are copied to the system, so some other way of getting rid of them was needed.

Result: The inst.nosave boot option and the --nosave command line option have been added, which make it possible to prevent logs and kickstarts from reaching the installed system. The nosave option takes the following keywords:

input_ks - Disables saving of the input kickstart (if any).
output_ks - Disables saving of the output kickstart generated by Anaconda.
all_ks - Disables saving of both input and output kickstarts.
logs - Disables saving of all installation logs.
all - Disables saving of all kickstarts and all logs.

At least one keyword is expected and multiple keywords can be provided, delimited by a ",", for example: input_ks,logs
Story Points: ---
Clone Of:
Clones: 1340477
Environment:
Last Closed: 2016-11-03 19:19:20 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2740121 None None None 2016-11-02 13:28 EDT

Description Mike Burns 2015-11-25 15:03:28 EST
Description of problem:
It would be useful to have a flag or option that prevents creating the anaconda-ks.cfg file under /root.  There is currently no way to avoid this file since the file is written after %post.

The use case that I'm trying to solve is delivering image builds that are initially generated from kickstarts.  These image builds all contain the anaconda-ks.cfg file today because we can't remove it without post-processing using something like guestfish or virt-customize.  This results in internal build locations and other internal information being included in the images.
Comment 1 Jan Stodola 2015-11-26 05:17:13 EST
I guess that not only anaconda-ks.cfg, but also installation logs should not be copied to /var/log/anaconda/, since they also contain internal locations.
Comment 2 Martin Kolman 2015-11-26 05:37:21 EST
(In reply to Jan Stodola from comment #1)
> I guess that not only anaconda-ks.cfg, but also installation logs should not
> be copied to /var/log/anaconda/, since they also contain internal locations.
Yeah, that also makes sense, but I guess it should probably be a separate option so that we don't lump them together with kickstarts.

So maybe inst.save_kickstart and inst.save_logs ? 

And if "inst.save_kickstart=0 inst.save_kickstart=0" would be added to boot command line both kickstarts and logs would not be saved to the system.
Comment 3 Jan Stodola 2015-11-26 06:36:56 EST
ok, two options make sense.
Comment 4 Martin Kolman 2015-12-02 11:01:19 EST
A patch[0] adding this for Fedora has been posted for review.

[0] https://lists.fedorahosted.org/archives/list/anaconda-patches%40lists.fedorahosted.org/message/W4WDSKJ6OUKBSE2SXFWCP6A2M6OZL37X/
Comment 5 Fabian Deutsch 2015-12-09 10:47:19 EST
We should also consider dropping other caches like yum's cache or so.
Basically this has quite a bit of overlap with virt-sysprep IMO.
Comment 6 Martin Kolman 2015-12-14 08:40:38 EST
(In reply to Fabian Deutsch from comment #5)
> We should also consider dropping other caches like yum's cache or so.
> Basically this has quite a bit of overlap with virt-sysprep IMO.
We are thinking about making a single boot option that users can use to provide a comma separated list of things Anaconda should not save on the installed system.

For example:

inst.nosave=logs,kickstarts

or

inst.nosave=all

To disable saving of all the "artifacts" that can be specified by the nosave option.

This should be quite easy to extend to various kinds of things as needed.
Comment 7 Fabian Deutsch 2015-12-14 08:48:04 EST
That sounds like a nice approach.

Please consider putting this in a somewhat isolated library, maybe this can be pulled into a separate tool for existing images.
Comment 12 David Shea 2016-06-03 15:58:16 EDT
*** Bug 1342663 has been marked as a duplicate of this bug. ***
Comment 15 errata-xmlrpc 2016-11-03 19:19:20 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2158.html
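
An added example, not part of the bug report or of Anaconda's code: a post-build check that expands a nosave value using the keywords from the Doc Text and reports installer artifacts still present in a mounted image root. The names `parse_nosave`, `audit_image` and `make_sample_root` are hypothetical, `/root/original-ks.cfg` as the saved input kickstart is an assumption, and rejecting unknown keywords is this script's choice rather than documented Anaconda behaviour.

```python
import os
import tempfile

# Keywords from the Doc Text; each expands to the basic artifact kinds it suppresses.
EXPAND = {
    "input_ks": {"input_ks"}, "output_ks": {"output_ks"}, "logs": {"logs"},
    "all_ks": {"input_ks", "output_ks"},
    "all": {"input_ks", "output_ks", "logs"},
}
# Paths relative to the image root; the first and last are named in the report.
ARTIFACTS = {
    "output_ks": "root/anaconda-ks.cfg",
    "input_ks": "root/original-ks.cfg",  # assumed location of the input kickstart
    "logs": "var/log/anaconda",
}

def parse_nosave(value):
    """Expand a comma-delimited nosave value into the set of suppressed kinds."""
    suppressed = set()
    for token in value.split(","):
        key = token.strip()
        if key not in EXPAND:  # also rejects an empty value (one keyword is required)
            raise ValueError("unknown nosave keyword: %r" % key)
        suppressed |= EXPAND[key]
    return suppressed

def audit_image(root, nosave_value):
    """List artifacts still under root that nosave_value should have suppressed."""
    leftovers = []
    for kind in parse_nosave(nosave_value):
        path = os.path.join(root, ARTIFACTS[kind])
        # A directory counts only if it holds files; an empty log dir leaks nothing.
        present = os.listdir(path) if os.path.isdir(path) else os.path.lexists(path)
        if present:
            leftovers.append(ARTIFACTS[kind])
    return sorted(leftovers)

def make_sample_root():
    """Build a constructed image tree that still contains every artifact."""
    root = tempfile.mkdtemp(prefix="image-root-")
    for rel in ARTIFACTS["output_ks"], ARTIFACTS["input_ks"], "var/log/anaconda/anaconda.log":
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("url --url=http://build.example.internal/os/\n")  # constructed
    return root

if __name__ == "__main__":
    print(audit_image(make_sample_root(), "input_ks,logs"))
```

Pointed at an image mounted read-only, an empty result means none of the artifacts the build asked to suppress reached the image.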
