Bug 1980922 - virt-sysprep doesn't cleanup NetworkManager connection files
Summary: virt-sysprep doesn't cleanup NetworkManager connection files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: guestfs-tools
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: beta
Target Release: ---
Assignee: Laszlo Ersek
QA Contact: YongkuiGuo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-09 21:32 UTC by Alex Schultz
Modified: 2024-12-20 20:26 UTC

Fixed In Version: guestfs-tools-1.46.1-6.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 13:07:48 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links
System: Red Hat Product Errata
ID: RHBA-2022:2461
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2022-05-17 13:07:51 UTC

Internal Links: 2211896

Description Alex Schultz 2021-07-09 21:32:34 UTC
Description of problem:

With legacy network scripts going away in 9, everything is now managed by NetworkManager, which means we end up with connections left over in /etc/NetworkManager/system-connections/ after running virt-install. Running virt-sysprep on a CentOS9 image doesn't clean these up, which leads to weird issues when you reboot a VM. I've also seen the same issue on CentOS Stream 8 VMs where NetworkManager thinks the leftover ens1p0 interface from the image creation process causes the network not to function on reboot.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Use virt-install to create a CentOS Stream 9 qcow https://github.com/mwhahaha/cloud-images/blob/main/centos-9.stream.virt-install-cmd
2. run virt-sysprep on the image

Actual results:
/etc/NetworkManager/system-connections/ens1p0.connection exists

Expected results:
Network connection shouldn't be there.


Additional info:

Comment 1 Richard W.M. Jones 2021-07-19 07:35:48 UTC
Is removing everything matching
/etc/NetworkManager/system-connections/*.connection
a valid thing to do here?

Comment 2 YongkuiGuo 2021-07-20 10:07:40 UTC
I can not reproduce this issue, maybe some details are different from what Alex said.

Steps:

-----------------------------------
1. Use virt-install to create a CentOS Stream 9 image (https://github.com/mwhahaha/cloud-images/blob/main/centos-9.stream.virt-install-cmd)

2. Set a password for CentOS Stream 9 image with virt-customize command
virt-customize --root-password password:redhat --uninstall cloud-init --selinux-relabel -a centos-9-stream.img

3. Run virt-sysprep on CentOS Stream 9 image
virt-sysprep -a centos-9-stream.img

4. Reboot the CentOS Stream 9 image
virt-install --import --vcpus 2 --ram 2048 --disk format=qcow2,path=centos-9-stream.img  --network network=default,model=virtio -noautoconsole --nographics --name test1
...
CentOS Stream 9
Kernel 5.13.0-1.el9.x86_64 on an x86_64

localhost login: root
Password: 
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:f2:b3:3b brd ff:ff:ff:ff:ff:ff
    altname enp0s2
    inet 192.168.122.103/24 brd 192.168.122.255 scope global dynamic noprefixroute ens2
       valid_lft 3589sec preferred_lft 3589sec
    inet6 fe80::621b:8145:4e5e:4a03/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

[root@localhost ~]# nmcli device
DEVICE  TYPE      STATE      CONNECTION         
ens2    ethernet  connected  Wired connection 1 
lo      loopback  unmanaged  --  
               
[root@localhost ~]# nmcli connection show
NAME                UUID                                  TYPE      DEVICE 
Wired connection 1  63b29e4d-3049-3583-81f8-26d4ae46bf51  ethernet  ens2   
enp1s0              936d6a28-fe0a-4643-b8e1-948302fd0400  ethernet  -- 

[root@localhost ~]# ll /etc/NetworkManager/system-connections/
total 4
-rw-------. 1 root root 242 Jul 20 05:15 enp1s0.nmconnection

-----------------------------------

The /etc/NetworkManager/system-connections/enp1s0.nmconnection has not been deleted by virt-sysprep, but it seems it doesn't affect the reboot process and network function. In RHEL8, virt-sysprep also won't delete the /etc/sysconfig/network-scripts/ifcfg-*.

Is there anything I missed?

Comment 3 Alex Schultz 2021-07-20 15:21:09 UTC
I think I'm running into a bug in cloud-init that's conflicting with NetworkManager. We can ignore that part for now as I need to write that up. In terms of leaving the config around, I don't think we should. We've run into issues with network-scripts historically because the images have left ifcfg-ens3 around and restarting the network services fails. Any interfaces used during the image build should be purged via sysprep so that we don't end up with latent issues later.


https://bugs.launchpad.net/tripleo/+bug/1866202
https://bugs.centos.org/view.php?id=17133

Comment 4 Richard W.M. Jones 2021-07-20 15:25:19 UTC
While I agree that virt-sysprep should do it, I'll note that you
can do this already with:

  virt-sysprep ... --delete "/etc/NetworkManager/system-connections/*.connection"

Comment 6 Frank Liang 2021-08-24 10:04:38 UTC
When building an EC2 image from a ks file, there is a boot time issue (bz1862930) because of dirty data generated by NM in '/etc/resolv.conf'.

I am wondering if virt-sysprep can clean it if others do not know this point.

Below is '/etc/resolv.conf' content which impacts boot time on aws.
# guestfish -a rhel-ec2-8.5-919.x86_64.raw -i sh 'cat  /etc/resolv.conf'
# Generated by NetworkManager
nameserver 192.168.122.1

Comment 7 Laszlo Ersek 2021-11-30 15:17:39 UTC
(In reply to Frank Liang from comment #6)
> When building an EC2 image from a ks file, there is a boot time issue (bz1862930)
> because of dirty data generated by NM in '/etc/resolv.conf'.
> 
> I am wondering if virt-sysprep can clean it if others do not know this point.
> 
> Below is '/etc/resolv.conf' content which impacts boot time on aws.
> # guestfish -a rhel-ec2-8.5-919.x86_64.raw -i sh 'cat  /etc/resolv.conf'
> # Generated by NetworkManager
> nameserver 192.168.122.1

This does not seem necessary:

https://code.engineering.redhat.com/gerrit/c/spin-kickstarts/+/266458
superseded by:
https://code.engineering.redhat.com/gerrit/c/spin-kickstarts/+/266717

Comment 8 Laszlo Ersek 2021-11-30 16:07:36 UTC
(In reply to YongkuiGuo from comment #2)
> In RHEL8, virt-sysprep also won't delete the
> /etc/sysconfig/network-scripts/ifcfg-*.

(In reply to Alex Schultz from comment #3)
> In terms of leaving the config around, I don't think we should. We've
> run into issues with network-scripts historically because the images
> have left ifcfg-ens3 around and restarting the network services
> fails.  Any interfaces used during the image build should be purged
> via sysprep so that we don't end up with latent issues later.

virt-sysprep already has two actions related to this, namely
"net-hostname" and "net-hwaddr". Both actions update the files matching

  /etc/sysconfig/network-scripts/ifcfg-*

The former removes HOSTNAME=... and DHCP_HOSTNAME=... entries, the
latter removes HWADDR=... lines.

The first action comes originally from commit 5311c50f52cd ("sysprep:
remove hostname from ifcfg-*", 2012-09-03; v1.45.1); the second action
from commit 44e04a6fca6a ("Rewrite virt-sysprep.", 2012-03-31; v1.45.1).

Both operations are enabled by default. And neither seems compatible
with the idea of removing the ifcfg-* files altogether.

By extension, why is it right to remove

  /etc/NetworkManager/system-connections/*.nmconnection

whole-sale? (Note BTW: the file suffix is not ".connection", but
".nmconnection".)

Should we retire "net-hostname" and "net-hwaddr", replacing them with an
operation that removes these files entirely?

Comment 9 Alex Schultz 2021-11-30 16:16:06 UTC
(In reply to Laszlo Ersek from comment #8)
> (In reply to YongkuiGuo from comment #2)
> > In RHEL8, virt-sysprep also won't delete the
> > /etc/sysconfig/network-scripts/ifcfg-*.
> 
> (In reply to Alex Schultz from comment #3)
> > In terms of leaving the config around, I don't think we should. We've
> > run into issues with network-scripts historically because the images
> > have left ifcfg-ens3 around and restarting the network services
> > fails.  Any interfaces used during the image build should be purged
> > via sysprep so that we don't end up with latent issues later.
> 
> virt-sysprep already has two actions related to this, namely
> "net-hostname" and "net-hwaddr". Both actions update the files matching
> 
>   /etc/sysconfig/network-scripts/ifcfg-*
> 
> The former removes HOSTNAME=... and DHCP_HOSTNAME=... entries, the
> latter removes HWADDR=... lines.
> 
> The first action comes originally from commit 5311c50f52cd ("sysprep:
> remove hostname from ifcfg-*", 2012-09-03; v1.45.1); the second action
> from commit 44e04a6fca6a ("Rewrite virt-sysprep.", 2012-03-31; v1.45.1).
> 
> Both operations are enabled by default. And neither seems compatible
> with the idea of removing the ifcfg-* files altogether.
> 
> By extension, why is it right to remove
> 
>   /etc/NetworkManager/system-connections/*.nmconnection
> 
> whole-sale? (Note BTW: the file suffix is not ".connection", but
> ".nmconnection".)
> 

It's actually problematic to leave the files in place at all. Just because an ens3 exists when creating an image doesn't mean ens3 exists on startup of the image. This has led to networking (and by extension also NetworkManager) failures. This existing cleanup is insufficient.

Related https://bugs.centos.org/view.php?id=15475 https://bugs.centos.org/view.php?id=17133
  
> Should we retire "net-hostname" and "net-hwaddr", replacing them with an
> operation that removes these files entirely?

IMHO yes but I'm just an end user.

Comment 10 Richard W.M. Jones 2021-11-30 16:39:37 UTC
I'd prefer to leave the old operations around.  Removing them would break
scripts and also people processing old guests.

Adding a new operation which deletes *.nmconnection sounds like a good idea
from reading the comments, but I'm not an expert.

Comment 11 Laszlo Ersek 2021-12-01 11:18:43 UTC
According to 'virt-sysprep --list-operations':

net-hostname * Remove HOSTNAME and DHCP_HOSTNAME in network interface configuration
net-hwaddr * Remove HWADDR (hard-coded MAC address) configuration

The asterisks indicate that these are default actions. (As I noted earlier.)

Should we make the removal of *.nmconnection default as well?

Here's why I'm asking:

(1) If we delete *.nmconnection by default, then that could be considered inconsistent with virt-sysprep *not* removing ifcfg-* files by default. (And deleting ifcfg-* by default would conflict with the above, default, net-hostname and net-hwaddr actions.)

(2) If we do *not* delete *.nmconnection by default, then we'll require the user to spell it out manually, with either "--enable" or "--operations". But with the exact same effort, the user could just use the "--delete" option on *.nmconnection, like Rich suggested in comment 4.

I'm fine either way (remove *.nmconnection implicitly or explicitly), but I can't decide it myself. Please advise. Thanks!

Comment 12 Richard W.M. Jones 2021-12-01 11:25:30 UTC
It does sound like a default operation.  It seems reasonable to have virt-sysprep
clean up NetworkManager connections by default, since they are likely to contain
details about the environment where a template is built.

Comment 13 Laszlo Ersek 2021-12-02 13:10:58 UTC
[guestfs-tools PATCH] sysprep: remove system-local NetworkManager connection profiles (keyfiles)
Message-Id: <20211202131006.12774-1-lersek>
https://listman.redhat.com/archives/libguestfs/2021-December/msg00021.html

Comment 14 Laszlo Ersek 2021-12-03 13:33:22 UTC
(In reply to Laszlo Ersek from comment #13)
> [guestfs-tools PATCH] sysprep: remove system-local NetworkManager connection profiles (keyfiles)
> Message-Id: <20211202131006.12774-1-lersek>
> https://listman.redhat.com/archives/libguestfs/2021-December/msg00021.html

Upstream commit 903819ecf480.

Comment 17 YongkuiGuo 2021-12-06 06:33:48 UTC
Test with package:
guestfs-tools-1.46.1-6.el9.x86_64


Steps:

1. On rhel9 host
# virt-ls -l -a centos-9-stream.img /etc/NetworkManager/system-connections/
total 4
drwxr-xr-x. 2 root root  33 Jul 20 09:15 .
drwxr-xr-x. 7 root root 134 Jul 20 09:14 ..
-rw-------. 1 root root 242 Jul 20 09:15 enp1s0.nmconnection

2. 
# virt-sysprep -a centos-9-stream.img
...
[   5.5] Performing "net-nmconn" ...
...

3.
# virt-ls -l -a centos-9-stream.img /etc/NetworkManager/system-connections/
total 0
drwxr-xr-x. 2 root root   6 Dec  6 06:29 .
drwxr-xr-x. 7 root root 134 Jul 20 09:14 ..

enp1s0.nmconnection file was deleted by virt-sysprep command.
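
An added example, not part of the original bug thread and not guestfs-tools code: a shell check that scans a guest root directory for the build-time network state discussed here (the *.nmconnection keyfiles removed by "net-nmconn", the ifcfg-* entries stripped by "net-hostname" and "net-hwaddr", and the NetworkManager-generated resolv.conf from comment 6). The function names, the root-directory argument and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a guest root directory for leftover build-time network
# state. ROOT is an assumption: a directory holding the guest filesystem
# (for instance a read-only guestmount mount point of the template image).

# Print one finding per line; return 0 if clean, 1 if anything was found.
audit_guest_network_state() {
    root=$1
    found=0
    # NetworkManager keyfiles: what the "net-nmconn" operation removes.
    for f in "$root"/etc/NetworkManager/system-connections/*.nmconnection; do
        [ -e "$f" ] || continue
        echo "nmconnection: ${f#"$root"}"
        found=1
    done
    # ifcfg-* entries that "net-hostname" and "net-hwaddr" strip.
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -e "$f" ] || continue
        if grep -Eq '^[[:space:]]*(HOSTNAME|DHCP_HOSTNAME|HWADDR)=' "$f"; then
            echo "ifcfg-entry: ${f#"$root"}"
            found=1
        fi
    done
    # resolv.conf written by NetworkManager on the build host (comment 6).
    r="$root/etc/resolv.conf"
    if [ -f "$r" ] && grep -q '^# Generated by NetworkManager' "$r"; then
        echo "resolv.conf: /etc/resolv.conf"
        found=1
    fi
    return "$found"
}

# Constructed sample tree standing in for a guest filesystem.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/NetworkManager/system-connections" \
             "$d/etc/sysconfig/network-scripts"
    printf '[connection]\nid=enp1s0\n' \
        > "$d/etc/NetworkManager/system-connections/enp1s0.nmconnection"
    printf 'DEVICE=ens3\nHWADDR=52:54:00:00:00:01\n' \
        > "$d/etc/sysconfig/network-scripts/ifcfg-ens3"
    printf '# Generated by NetworkManager\nnameserver 192.168.122.1\n' \
        > "$d/etc/resolv.conf"
    echo "$d"
}

# Usage: sh audit.sh /path/to/guest/root   (exit status 1 means findings)
if [ "$#" -gt 0 ]; then audit_guest_network_state "$1"; fi
```

Run against a template before publishing it, a non-zero exit status flags an image that still carries details of the environment where it was built.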

Comment 21 YongkuiGuo 2021-12-08 06:21:12 UTC
Verified this bug, as this issue has been fixed according to the RHEL9 nightly compose test result.

Comment 23 errata-xmlrpc 2022-05-17 13:07:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: guestfs-tools), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2461

