Description of problem: Template seal, for a rhel VM seem to be not working. Published a rhel VM to a template, once with seal, and once without seal. Then created VMs from these 2 templates. BOTH VMs had under /etc/ssh same content: ssh]# ls AuthorizedPrinicipals moduli sshd_config ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key ca_user_key.pub ssh_config sshd_config.rpmnew ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub While for the VM, created from a sealed template, this path is expected to be empty. Version-Release number of selected component (if applicable): CFME-5.9.0.8/RHV-4.1.7 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
According to the admin guide, 'sealing' should: " Specifies whether a template is sealed. 'Sealing' is an operation that erases all machine-specific configurations from a filesystem, including SSH keys, UDEV rules, MAC addresses, system ID, and hostname. This setting prevents a virtual machine based on this template from inheriting the configuration of the source virtual machine." Can you try the exact action from RHV and see if the created VM is different than when created from ManageIQ ? That would allow to pinpoint on the origin of the issue - whether it is only RHV bug on the specific setup or ManageIQ issue.
I compared the seal template on RHV & CFME: * On RHV-4.1.7, 1. Make template from an original RHEL VM, that contain /root/.ssh/known_hosts file, with seal template option. 2. Create a VM from this template: /root/.ssh/known_hosts do not exist. * On CFME-5.9.0.10, 1. On CFME Publish same original RHEL VM to a template, with choosing seal template. 2. On RHV side, create a VM from this published template: /root/.ssh/known_hosts exist, with same content as in this file, on the original RHEL VM. Moti, Can you please check? (I can provide details on the tested env, if required).
https://github.com/ManageIQ/manageiq-providers-ovirt/pull/167
New commit detected on ManageIQ/manageiq-providers-ovirt/master: https://github.com/ManageIQ/manageiq-providers-ovirt/commit/3f7cd93cae3b4286bd8166c07b185b1e14befa76 commit 3f7cd93cae3b4286bd8166c07b185b1e14befa76 Author: Moti Asayag <masayag> AuthorDate: Mon Dec 4 13:27:42 2017 +0200 Commit: Moti Asayag <masayag> CommitDate: Mon Dec 4 16:52:32 2017 +0200 Fix Seal option of publish VM Due to latest rename of property name in publish vm yaml file from :seal to :seal_template, sealing option wasn't processed properly. In addition, the property should be send as part of the request header, therefore should be specified in the second parameter of the Template.add(template, {:seal => ...}) method. https://bugzilla.redhat.com/show_bug.cgi?id=1514895 .../providers/redhat/infra_manager/ovirt_services/strategies/v4.rb | 2 +- app/models/manageiq/providers/redhat/infra_manager/provision/cloning.rb | 2 +- .../manageiq/providers/redhat/infra_manager/provision_workflow.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)