VM Sealing

VM sealing is the process of preparing a VM image as a template so that other VMs can be created from it in a clean state. On a plain KVM host you can install libguestfs-tools-c (on RHEL-based distros), which provides the virt-sysprep tool. We start with a virt-sysprep example and then show how to do the same thing manually.

virt-sysprep manpage

Sealing with virt-sysprep

First we copy the template to the new file name we want to use for the new VM:

[[email protected] /var/lib/libvirt/images]
# cp -av --reflink fedora-35-template.qcow2 spadoinkle.qcow2
'fedora-35-template.qcow2' -> 'spadoinkle.qcow2'

Next, we run virt-sysprep against the new image with --hostname to set the hostname of this new VM:

[[email protected] /var/lib/libvirt/images]
# virt-sysprep -a spadoinkle.qcow2 --hostname spadoinkle.example.com
[   0.0] Examining the guest ...
[   5.2] Performing "abrt-data" ...
[   5.2] Performing "backup-files" ...
[   5.8] Performing "bash-history" ...
[   5.8] Performing "blkid-tab" ...
[   5.8] Performing "crash-data" ...
[   5.8] Performing "cron-spool" ...
[   5.8] Performing "dhcp-client-state" ...
[   5.8] Performing "dhcp-server-state" ...
[   5.8] Performing "dovecot-data" ...
[   5.8] Performing "ipa-client" ...
[   5.8] Performing "kerberos-hostkeytab" ...
[   5.8] Performing "logfiles" ...
[   5.9] Performing "machine-id" ...
[   5.9] Performing "mail-spool" ...
[   5.9] Performing "net-hostname" ...
[   5.9] Performing "net-hwaddr" ...
[   5.9] Performing "pacct-log" ...
[   5.9] Performing "package-manager-cache" ...
[   5.9] Performing "pam-data" ...
[   5.9] Performing "passwd-backups" ...
[   5.9] Performing "puppet-data-log" ...
[   6.0] Performing "rh-subscription-manager" ...
[   6.0] Performing "rhn-systemid" ...
[   6.0] Performing "rpm-db" ...
[   6.0] Performing "samba-db-log" ...
[   6.0] Performing "script" ...
[   6.0] Performing "smolt-uuid" ...
[   6.0] Performing "ssh-hostkeys" ...
[   6.0] Performing "ssh-userdir" ...
[   6.0] Performing "sssd-db-log" ...
[   6.0] Performing "tmp-files" ...
[   6.1] Performing "udev-persistent-net" ...
[   6.1] Performing "utmp" ...
[   6.1] Performing "yum-uuid" ...
[   6.1] Performing "customize" ...
[   6.1] Setting a random seed
[   6.1] Setting the machine ID in /etc/machine-id
[   6.1] Setting the hostname: spadoinkle.example.com
[   6.2] Performing "lvm-uuids" ...

Now we have a VM image with no leftover log files, bash histories, machine ID, SSH host keys, and so on. On first boot the new VM regenerates all of these with its own unique identifiers.

Manually sealing

When you manually seal a VM, you are logged into the VM template itself and run the commands before powering it off. The order of the commands is important: for example, you don't want to clear the logs first, only to have them recreated and filled with new data while you are still sealing and preparing other things. Example of VM sealing:

# Remove the DNF/Yum cache
rm -rf /var/cache/{dnf,yum}
# Truncate the machine ID to empty so a unique one is generated on next boot
> /etc/machine-id
# Remove the host SSH keys; new ones are created on next boot
rm -fv /etc/ssh/ssh_host_*
# Clear out the log files
find /var/log -type f -delete
# Clear the bash history last, then power off
history -c && history -w && poweroff
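Whichever method you use, it is worth verifying that the template really is sealed before cloning it, because clones that share a machine ID or SSH host keys cannot be told apart by clients and monitoring. The script below is an added example, not part of the wiki page: it checks a guest root tree for the artefacts both sections above remove. It assumes ROOT is the guest filesystem mounted read-only on the host (for example with guestmount -a IMAGE -i --ro ROOT from libguestfs) or the constructed test tree it builds itself.

```shell
#!/bin/sh
# Added example, not from the wiki page: check that a guest root tree really is
# sealed before it is cloned. ROOT is assumed to be the guest filesystem mounted
# read-only on the host (for example: guestmount -a IMAGE -i --ro ROOT) or a
# constructed test tree. Prints every unsealed item; returns 1 if any was found.
check_sealed() {
    root="$1"
    bad=0
    # machine-id must be absent or empty so systemd generates a fresh one on boot
    if [ -s "$root/etc/machine-id" ]; then
        echo "UNSEALED: $root/etc/machine-id still holds an ID"; bad=1
    fi
    # host SSH keys must be gone: clones sharing them look identical to clients
    for k in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$k" ] || continue
        echo "UNSEALED: host key $k present"; bad=1
    done
    # no non-empty regular files may remain under /var/log
    if [ -n "$(find "$root/var/log" -type f -size +0 2>/dev/null | head -n 1)" ]; then
        echo "UNSEALED: non-empty log files under $root/var/log"; bad=1
    fi
    # no shell history for root or any user
    for h in "$root"/root/.bash_history "$root"/home/*/.bash_history; do
        [ -s "$h" ] || continue
        echo "UNSEALED: shell history $h present"; bad=1
    done
    # package manager caches must have been removed
    for c in "$root/var/cache/dnf" "$root/var/cache/yum"; do
        [ -e "$c" ] || continue
        echo "UNSEALED: package cache $c present"; bad=1
    done
    return $bad
}

# make_tree DIR sealed|dirty: builds a constructed sample tree for a stand-alone run
make_tree() {
    mkdir -p "$1/etc/ssh" "$1/var/log" "$1/var/cache" "$1/root"
    if [ "$2" = dirty ]; then
        echo "0123456789abcdef0123456789abcdef" > "$1/etc/machine-id"  # constructed ID
        echo "PRIVATE KEY (constructed)" > "$1/etc/ssh/ssh_host_ed25519_key"
        echo "Dec 16 18:24:00 template kernel: booted" > "$1/var/log/messages"
        echo "dnf -y update" > "$1/root/.bash_history"
        mkdir -p "$1/var/cache/dnf"
    else
        : > "$1/etc/machine-id"
    fi
}

# Usage: sh seal-check.sh /mnt/guest   (exits non-zero when the tree is not sealed)
if [ -n "${1:-}" ]; then check_sealed "$1"; fi
```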
virtualization/vmseal.txt · Last modified: 2021/12/16 18:24 by happybuzzcut