Bug 1887434 - LVM IDs and Machine ID are same for all new VMs created from sealed template
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.4.1
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-4.4.7
Assignee: Shmuel Melamud
QA Contact: Nisim Simsolo
 
Reported: 2020-10-12 12:51 UTC by Marian Jankular
Modified: 2022-12-07 15:22 UTC (History)

Fixed In Version: ovirt-engine-4.4.7.4
Last Closed: 2021-07-22 15:12:18 UTC
oVirt Team: Virt

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2865 0 None None None 2021-07-22 15:12:56 UTC
oVirt gerrit 115009 0 master MERGED core: Seal VMs on creation 2021-06-16 09:55:34 UTC

Description Marian Jankular 2020-10-12 12:51:24 UTC
Description of problem:
seal template not working for rhel8 on rhv 4.4.1 with compatibility mode 4.4

Version-Release number of selected component (if applicable):
rhv 4.4.1

How reproducible:
every time

Steps to Reproduce:
1. create rhel8 vm
2. create template from rhel8 vm with seal option checked


Actual results:
job succeeds, however at least the points below are not done:
machine-id & lvm-uuids are not removed/changed - newly created vms have the same machine uuid as well as lvm uuids

Expected results:
different machine-id and lvm uuids on vms created from template

Additional info:

engine logs:
2020-10-12 12:18:09,968Z INFO  [org.ovirt.engine.core.bll.SealVmTemplateCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-67) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Running command: SealVmTemplateCommand internal: true. Entities affected :  ID: 1ff0d149-1340-4b13-b140-f53777462004 Type: VmTemplate
2020-10-12 12:18:09,990Z INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.SealDisksVDSCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-67) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] START, SealDisksVDSCommand(HostName = dell-r430-03, SealDisksVDSCommandParameters:{hostId='168694bf-ef3b-470a-9a50-6241c2b75b6c', templateId='1ff0d149-1340-4b13-b140-f53777462004', jobId='3b331f2a-7f45-4695-8264-1002a34bdd00', images='[VdsmImageLocationInfo [storageDomainId=6814fac1-2e9a-4ab3-bbfe-02a14c2049fe, imageGroupId=ba871b16-ef93-4403-b1b7-0b6fc7f72e7a, imageId=1850f43e-a6d5-4689-b687-442777d9964c, generation=null]]'}), log id: 153fbc0e
2020-10-12 12:18:09,996Z INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.SealDisksVDSCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-67) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] FINISH, SealDisksVDSCommand, return: , log id: 153fbc0e
2020-10-12 12:18:11,013Z INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.GetHostJobsVDSCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-82) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] FINISH, GetHostJobsVDSCommand, return: {3b331f2a-7f45-4695-8264-1002a34bdd00=HostJobInfo:{id='3b331f2a-7f45-4695-8264-1002a34bdd00', type='virt', description='seal_vm', status='running', progress='null', error='null'}}, log id: 2ee9175a
2020-10-12 12:18:11,013Z INFO  [org.ovirt.engine.core.bll.VirtJobCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-82) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command SealVmTemplate id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad': waiting for job '3b331f2a-7f45-4695-8264-1002a34bdd00' on host 'dell-r430-03' (id: '168694bf-ef3b-470a-9a50-6241c2b75b6c') to complete
2020-10-12 12:18:12,038Z INFO  [org.ovirt.engine.core.bll.SerialChildCommandsExecutionCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-13) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command 'AddVmTemplate' (id: 'ac4a088a-afc2-42ab-8190-92969ad7a217') waiting on child command id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad' type:'SealVmTemplate' to complete
2020-10-12 12:18:13,045Z INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.GetHostJobsVDSCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-25) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] FINISH, GetHostJobsVDSCommand, return: {3b331f2a-7f45-4695-8264-1002a34bdd00=HostJobInfo:{id='3b331f2a-7f45-4695-8264-1002a34bdd00', type='virt', description='seal_vm', status='running', progress='null', error='null'}}, log id: 6123683
2020-10-12 12:18:13,046Z INFO  [org.ovirt.engine.core.bll.VirtJobCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-25) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command SealVmTemplate id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad': waiting for job '3b331f2a-7f45-4695-8264-1002a34bdd00' on host 'dell-r430-03' (id: '168694bf-ef3b-470a-9a50-6241c2b75b6c') to complete
2020-10-12 12:18:16,063Z INFO  [org.ovirt.engine.core.bll.SerialChildCommandsExecutionCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-87) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command 'AddVmTemplate' (id: 'ac4a088a-afc2-42ab-8190-92969ad7a217') waiting on child command id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad' type:'SealVmTemplate' to complete
2020-10-12 12:18:17,075Z INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.GetHostJobsVDSCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-69) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] FINISH, GetHostJobsVDSCommand, return: {3b331f2a-7f45-4695-8264-1002a34bdd00=HostJobInfo:{id='3b331f2a-7f45-4695-8264-1002a34bdd00', type='virt', description='seal_vm', status='running', progress='null', error='null'}}, log id: 4efc1029
2020-10-12 12:18:17,075Z INFO  [org.ovirt.engine.core.bll.VirtJobCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-69) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command SealVmTemplate id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad': waiting for job '3b331f2a-7f45-4695-8264-1002a34bdd00' on host 'dell-r430-03' (id: '168694bf-ef3b-470a-9a50-6241c2b75b6c') to complete
2020-10-12 12:18:24,095Z INFO  [org.ovirt.engine.core.bll.SerialChildCommandsExecutionCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-57) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command 'AddVmTemplate' (id: 'ac4a088a-afc2-42ab-8190-92969ad7a217') waiting on child command id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad' type:'SealVmTemplate' to complete
2020-10-12 12:18:25,107Z INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.GetHostJobsVDSCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-52) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] FINISH, GetHostJobsVDSCommand, return: {3b331f2a-7f45-4695-8264-1002a34bdd00=HostJobInfo:{id='3b331f2a-7f45-4695-8264-1002a34bdd00', type='virt', description='seal_vm', status='running', progress='null', error='null'}}, log id: 2c6b22cc
2020-10-12 12:18:25,108Z INFO  [org.ovirt.engine.core.bll.VirtJobCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-52) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command SealVmTemplate id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad': waiting for job '3b331f2a-7f45-4695-8264-1002a34bdd00' on host 'dell-r430-03' (id: '168694bf-ef3b-470a-9a50-6241c2b75b6c') to complete
2020-10-12 12:18:34,126Z INFO  [org.ovirt.engine.core.bll.SerialChildCommandsExecutionCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-91) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command 'AddVmTemplate' (id: 'ac4a088a-afc2-42ab-8190-92969ad7a217') waiting on child command id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad' type:'SealVmTemplate' to complete
2020-10-12 12:18:35,135Z INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.GetHostJobsVDSCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-22) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] FINISH, GetHostJobsVDSCommand, return: {3b331f2a-7f45-4695-8264-1002a34bdd00=HostJobInfo:{id='3b331f2a-7f45-4695-8264-1002a34bdd00', type='virt', description='seal_vm', status='running', progress='null', error='null'}}, log id: a30d688
2020-10-12 12:18:35,136Z INFO  [org.ovirt.engine.core.bll.VirtJobCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-22) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command SealVmTemplate id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad': waiting for job '3b331f2a-7f45-4695-8264-1002a34bdd00' on host 'dell-r430-03' (id: '168694bf-ef3b-470a-9a50-6241c2b75b6c') to complete
2020-10-12 12:18:44,247Z INFO  [org.ovirt.engine.core.bll.SerialChildCommandsExecutionCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-65) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command 'AddVmTemplate' (id: 'ac4a088a-afc2-42ab-8190-92969ad7a217') waiting on child command id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad' type:'SealVmTemplate' to complete
2020-10-12 12:18:45,258Z INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.GetHostJobsVDSCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-66) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] FINISH, GetHostJobsVDSCommand, return: {3b331f2a-7f45-4695-8264-1002a34bdd00=HostJobInfo:{id='3b331f2a-7f45-4695-8264-1002a34bdd00', type='virt', description='seal_vm', status='running', progress='null', error='null'}}, log id: 63072799
2020-10-12 12:18:45,258Z INFO  [org.ovirt.engine.core.bll.VirtJobCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-66) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command SealVmTemplate id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad': waiting for job '3b331f2a-7f45-4695-8264-1002a34bdd00' on host 'dell-r430-03' (id: '168694bf-ef3b-470a-9a50-6241c2b75b6c') to complete
2020-10-12 12:18:54,361Z INFO  [org.ovirt.engine.core.bll.SerialChildCommandsExecutionCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-90) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command 'AddVmTemplate' (id: 'ac4a088a-afc2-42ab-8190-92969ad7a217') waiting on child command id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad' type:'SealVmTemplate' to complete
2020-10-12 12:18:55,371Z INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.GetHostJobsVDSCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-35) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] FINISH, GetHostJobsVDSCommand, return: {3b331f2a-7f45-4695-8264-1002a34bdd00=HostJobInfo:{id='3b331f2a-7f45-4695-8264-1002a34bdd00', type='virt', description='seal_vm', status='done', progress='null', error='null'}}, log id: 7ee84b05
2020-10-12 12:18:55,371Z INFO  [org.ovirt.engine.core.bll.VirtJobCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-35) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command SealVmTemplate id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad': job '3b331f2a-7f45-4695-8264-1002a34bdd00' execution was completed with VDSM job status 'done'
2020-10-12 12:18:55,373Z INFO  [org.ovirt.engine.core.bll.VirtJobCallback] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-35) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Command SealVmTemplate id: 'ee7fefbc-d8e2-47ff-b475-c3e7873e49ad': execution was completed, the command status is 'SUCCEEDED'
2020-10-12 12:18:56,374Z INFO  [org.ovirt.engine.core.bll.SealVmTemplateCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-97) [8be7d53e-4f61-4e1b-956a-be4bcd97c90e] Ending command 'org.ovirt.engine.core.bll.SealVmTemplateCommand' successfully.

vdsm logs:

2020-10-12 12:18:09,991+0000 INFO  (jsonrpc/0) [api.virt] START seal(job_id='3b331f2a-7f45-4695-8264-1002a34bdd00', sp_id='00000001-0001-0001-0001-00000000030f', images=[{'endpoint_type': 'div', 'sd_id': '6814fac1-2e9a-4ab3-bbfe-02a14c2049fe', 'img_id': 'ba871b16-ef93-4403-b1b7-0b6fc7f72e7a', 'vol_id': '1850f43e-a6d5-4689-b687-442777d9964c'}]) from=::ffff:10.37.192.116,40048, flow_id=8be7d53e-4f61-4e1b-956a-be4bcd97c90e, vmId=1ff0d149-1340-4b13-b140-f53777462004 (api:48)
2020-10-12 12:18:09,992+0000 INFO  (jsonrpc/0) [api.virt] FINISH seal return={'status': {'code': 0, 'message': 'Done'}} from=::ffff:10.37.192.116,40048, flow_id=8be7d53e-4f61-4e1b-956a-be4bcd97c90e, vmId=1ff0d149-1340-4b13-b140-f53777462004 (api:54)
2020-10-12 12:18:09,993+0000 INFO  (jsonrpc/0) [jsonrpc.JsonRpcServer] RPC call VM.seal succeeded in 0.00 seconds (__init__:312)
2020-10-12 12:18:11,008+0000 INFO  (jsonrpc/2) [api.host] FINISH getJobs return={'jobs': {'3b331f2a-7f45-4695-8264-1002a34bdd00': {'id': '3b331f2a-7f45-4695-8264-1002a34bdd00', 'status': 'running', 'description': 'seal_vm', 'job_type': 'virt'}}, 'status': {'code': 0, 'message': 'Done'}} from=::ffff:10.37.192.116,40048, flow_id=8be7d53e-4f61-4e1b-956a-be4bcd97c90e (api:54)
2020-10-12 12:18:13,041+0000 INFO  (jsonrpc/6) [api.host] FINISH getJobs return={'jobs': {'3b331f2a-7f45-4695-8264-1002a34bdd00': {'id': '3b331f2a-7f45-4695-8264-1002a34bdd00', 'status': 'running', 'description': 'seal_vm', 'job_type': 'virt'}}, 'status': {'code': 0, 'message': 'Done'}} from=::ffff:10.37.192.116,40048, flow_id=8be7d53e-4f61-4e1b-956a-be4bcd97c90e (api:54)
2020-10-12 12:18:17,069+0000 INFO  (jsonrpc/0) [api.host] FINISH getJobs return={'jobs': {'3b331f2a-7f45-4695-8264-1002a34bdd00': {'id': '3b331f2a-7f45-4695-8264-1002a34bdd00', 'status': 'running', 'description': 'seal_vm', 'job_type': 'virt'}}, 'status': {'code': 0, 'message': 'Done'}} from=::ffff:10.37.192.116,40048, flow_id=8be7d53e-4f61-4e1b-956a-be4bcd97c90e (api:54)
2020-10-12 12:18:25,101+0000 INFO  (jsonrpc/2) [api.host] FINISH getJobs return={'jobs': {'3b331f2a-7f45-4695-8264-1002a34bdd00': {'id': '3b331f2a-7f45-4695-8264-1002a34bdd00', 'status': 'running', 'description': 'seal_vm', 'job_type': 'virt'}}, 'status': {'code': 0, 'message': 'Done'}} from=::ffff:10.37.192.116,40048, flow_id=8be7d53e-4f61-4e1b-956a-be4bcd97c90e (api:54)
2020-10-12 12:18:35,131+0000 INFO  (jsonrpc/5) [api.host] FINISH getJobs return={'jobs': {'3b331f2a-7f45-4695-8264-1002a34bdd00': {'id': '3b331f2a-7f45-4695-8264-1002a34bdd00', 'status': 'running', 'description': 'seal_vm', 'job_type': 'virt'}}, 'status': {'code': 0, 'message': 'Done'}} from=::ffff:10.37.192.116,40048, flow_id=8be7d53e-4f61-4e1b-956a-be4bcd97c90e (api:54)
2020-10-12 12:18:45,253+0000 INFO  (jsonrpc/5) [api.host] FINISH getJobs return={'jobs': {'3b331f2a-7f45-4695-8264-1002a34bdd00': {'id': '3b331f2a-7f45-4695-8264-1002a34bdd00', 'status': 'running', 'description': 'seal_vm', 'job_type': 'virt'}}, 'status': {'code': 0, 'message': 'Done'}} from=::ffff:10.37.192.116,40048, flow_id=8be7d53e-4f61-4e1b-956a-be4bcd97c90e (api:54)
2020-10-12 12:18:55,366+0000 INFO  (jsonrpc/6) [api.host] FINISH getJobs return={'jobs': {'3b331f2a-7f45-4695-8264-1002a34bdd00': {'id': '3b331f2a-7f45-4695-8264-1002a34bdd00', 'status': 'done', 'description': 'seal_vm', 'job_type': 'virt'}}, 'status': {'code': 0, 'message': 'Done'}} from=::ffff:10.37.192.116,40048, flow_id=8be7d53e-4f61-4e1b-956a-be4bcd97c90e (api:54)

Comment 1 Tomáš Golembiovský 2020-10-21 11:23:55 UTC
I am not able to reproduce that with current RHV and RHEL 8.2. Both machine ID and LVM UUIDs for PVs and VGs do change. Does this happen only for some specific RHEL 8.x version or some specific guest configuration? Also what is the version of libguestfs-tools-c RPM on the host used to seal the template?

Comment 2 Arik 2020-11-16 14:23:22 UTC
(In reply to Tomáš Golembiovský from comment #1)
> I am not able to reproduce that with current RHV and RHEL 8.2. Both machine
> ID and LVM UUIDs for PVs and VGs do change. Does this happen only for some
> specific RHEL 8.x version or some specific guest configuration? Also what is
> the version of libguestfs-tools-c RPM on the host used to seal the template?


The hypervisors are RHEL 8.2 and RHV 4.4, guest VM is also RHEL 8.2, but it is also reproducible with RHV 4.3 and RHEL 7.7.
The version is libguestfs-tools-c-1.40.2-24.module+el8.2.1+7154+47ffd890.x86_64

Comment 5 Tomáš Golembiovský 2021-01-11 21:02:39 UTC
Ok, I understand now. The problem is not that the IDs don't change. The problem is that they change only once (when creating the template). So all new VMs have the same IDs, albeit different from the original VM.

* LVM IDs: given the way this works we either would need to run virt-sysprep when creating a new VM (as opposed to when we create a template) or add first-boot scripts to perform the change (possibly followed by reboot, which could be tricky to do right).

* machine ID: this is a regression in libguestfs (commit d5ce659e2c1). The ID is first properly removed, but any customize command that is run afterwards will re-initialize it. This should be fixed in libguestfs.
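
A check for the condition described in this comment, as an added example that is not part of the bug report or of oVirt or libguestfs: it takes identifiers collected from each guest and lists every machine ID or LVM UUID reported by more than one VM. The inventory format, host names and all ID values are constructed for the example; a `machine-id` line with no value stands for a zero-length `/etc/machine-id`.

```python
"""Audit collected guest identifiers for VMs that share an identity."""
import re
from collections import defaultdict

# Constructed sample inventory (assumed format: host, kind, optional value).
# Values would be gathered on each guest with, for example:
#   cat /etc/machine-id
#   vgs --noheadings -o vg_uuid
#   pvs --noheadings -o pv_uuid
# vm-a and vm-b model two VMs created from a template that was sealed once;
# vm-c models a VM that was sealed when it was created.
SAMPLE_INVENTORY = """\
# host      kind        value
vm-a        machine-id  0f1e2d3c4b5a69788796a5b4c3d2e1f0
vm-a        vg_uuid     Ab12Cd-EfGh-IjKl-MnOp-QrSt-UvWx-Yz0123
vm-a        pv_uuid     Zy98Xw-VuTs-RqPo-NmLk-JiHg-FeDc-Ba7654
vm-b        machine-id  0f1e2d3c4b5a69788796a5b4c3d2e1f0
vm-b        vg_uuid     Ab12Cd-EfGh-IjKl-MnOp-QrSt-UvWx-Yz0123
vm-b        pv_uuid     Zy98Xw-VuTs-RqPo-NmLk-JiHg-FeDc-Ba7654
vm-c        machine-id  9a8b7c6d5e4f40312213f4e5d6c7b8a9
vm-c        vg_uuid     Qw34Er-TyUi-OpAs-DfGh-JkLz-XcVb-Nm5678
vm-c        pv_uuid     Lk76Jh-GfDs-ApOi-UyTr-EwQz-XcVb-Nm4321
tmpl-disk   machine-id
"""

KINDS = ("machine-id", "vg_uuid", "pv_uuid")
MACHINE_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # 32 lowercase hex digits


def parse_inventory(text):
    """Return (host, kind, value) tuples; value is '' for an empty machine-id."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3) or fields[1] not in KINDS:
            raise ValueError(f"line {lineno}: expected 'host kind [value]'")
        host, kind = fields[0], fields[1]
        value = fields[2] if len(fields) == 3 else ""
        if kind == "machine-id" and value and not MACHINE_ID_RE.match(value):
            raise ValueError(f"line {lineno}: malformed machine-id {value!r}")
        records.append((host, kind, value))
    return records


def shared_identifiers(records):
    """Map (kind, value) -> sorted hosts for every value seen on 2+ hosts."""
    owners = defaultdict(set)
    for host, kind, value in records:
        if value:  # an empty machine-id is "not set yet", not a collision
            owners[(kind, value)].add(host)
    return {key: sorted(hosts) for key, hosts in owners.items() if len(hosts) > 1}


def unset_machine_ids(records):
    """Hosts or images whose machine-id file is present but zero length."""
    return sorted(h for h, k, v in records if k == "machine-id" and not v)


def report(text):
    records = parse_inventory(text)
    lines = [f"SHARED {kind} {value}: {', '.join(hosts)}"
             for (kind, value), hosts in sorted(shared_identifiers(records).items())]
    lines += [f"UNSET machine-id: {host}" for host in unset_machine_ids(records)]
    return "\n".join(lines) if lines else "no shared identifiers"


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```
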

Comment 6 Richard W.M. Jones 2021-01-12 11:34:51 UTC
Changing LVM UUIDs is very complex.  virt-sysprep claims to do it, but I'm not
sure it does it correctly in every case.

As for the /etc/machine-id, can you describe how you're using virt-customize/virt-sysprep
and how it's wrong?  Because so much stuff (eg. kernel updates) doesn't work without a
valid machine-id, we currently set it to a random value when we see that /etc/machine-id
exists but has zero length, and otherwise we don't touch it.

Comment 7 Tomáš Golembiovský 2021-01-12 12:07:20 UTC
(In reply to Richard W.M. Jones from comment #6)
> As for the /etc/machine-id, can you describe how you're using
> virt-customize/virt-sysprep
> and how it's wrong?

The man page says for 'machine-id' operation:

    Remove the local machine ID.

I would argue that this is not happening as there is still machine ID configured when virt-sysprep finishes.

>  Because so much stuff (eg. kernel updates) doesn't work
> without a
> valid machine-id, we currently set it to a random value when we see that
> /etc/machine-id
> exists but has zero length, and otherwise we don't touch it.

The solution would be to run the machine-id operation last, just before filesystems are unmounted. That would make sure no other operation later recreates it with a new value.


Of course, running virt-sysprep on newly created VMs (instead of on templates) would help us solve both issues.

Comment 8 Richard W.M. Jones 2021-01-14 10:51:40 UTC
(In reply to Tomáš Golembiovský from comment #7)
> (In reply to Richard W.M. Jones from comment #6)
> > As for the /etc/machine-id, can you describe how you're using
> > virt-customize/virt-sysprep
> > and how it's wrong?
> 
> The man page says for 'machine-id' operation:
> 
>     Remove the local machine ID.

As this is a default operation, I'm tempted to change the description of
this to "Change the local machine ID to a new random value".

However it would be worth having a new, non-default operation which really
removes /etc/machine-id (or maybe leaves it as an empty file).  It would
suppress the default action of recreating /etc/machine-id.  There are a couple
of bugs already for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1554546
https://bugzilla.redhat.com/show_bug.cgi?id=1557042

Comment 9 Shmuel Melamud 2021-05-19 23:51:25 UTC
As I understand, there is only one way to solve all these problems (LVM IDs, Machine ID, and there may be others) - it is to run virt-sysprep just after a VM is created from a template. So let's go forward with this approach. There should be an option for 'sealing VM' in the VM creation dialog and it should be turned off by default, correct? What about VM pools?

Comment 10 Arik 2021-05-20 14:13:41 UTC
(In reply to Shmuel Melamud from comment #9)
> There should be an option for 'sealing VM' in the VM creation dialog and it
> should be turned off by default, correct?

The downside of this approach is that it requires clients to make changes on their side in order to get this.
It may also raise the question of what's the difference between sealing the template and sealing the vm that is based on it, unless we deprecate the former.
I would rather prefer to apply it (i.e., sealing the VM) by default also when clients ask to seal the template using the existing API - so existing clients like the backup providers would get this without making any change.

> What about VM pools?

Yes, that's the problematic part with what I'm suggesting, that it can add insignificant overhead to the creation of large VM pools.

As create-template is not an operation that is done frequently, how about the following procedure:
1. when the user asks to seal a template, we would still execute virt-sysprep on it and mark it as sealed
2. by default, we'll run virt-sysprep when creating a VM from a sealed template, unless asked otherwise
3. by default, we won't run virt-sysprep when creating a VM pool from a sealed template, unless asked otherwise

The rationale behind this is that VM pools, especially (or "maybe only") the stateless ones, are not subject to backups and you want to create them rather fast (for testing, for classrooms, etc.).
In other use cases, we can probably spend a bit more time to achieve "better" sealing of the VM at the expense of higher overhead in its creation.

Would that make sense?

Comment 11 Arik 2021-05-23 10:39:51 UTC
(In reply to Arik from comment #10)
> > What about VM pools?
> 
> Yes, that's the problematic part with what I'm suggesting, that it can add
> insignificant overhead to the creation of large VM pools.

What I meant to say here is "not negligible" (not "insignificant")

Comment 18 Nisim Simsolo 2021-07-06 10:03:08 UTC
Verified:
ovirt-engine-4.4.7.4-0.9.el8ev
vdsm-4.40.70.4-1.el8ev.x86_64
qemu-kvm-5.2.0-16.module+el8.4.0+11536+725e25d9.2.x86_64
libvirt-daemon-7.0.0-14.1.module+el8.4.0+11095+d46acebf.x86_64

Verification scenario:
see https://bugzilla.redhat.com/show_bug.cgi?id=1887434#c14

Comment 22 errata-xmlrpc 2021-07-22 15:12:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2865

