Richard W.M. Jones
2016-Jun-13 10:21 UTC
[Libguestfs] [PATCH] sysprep: Enable the network, add --no-network to disable it
This is just one possible way to fix this bug, but the simplest. Others I considered:

- Keeping the network disabled by default. Options like --install wouldn't work and there would be no actionable error message telling users what to do to fix it.

- Modifying virt-customize to warn/error/suggest if operations like --install were used but the network was disabled. However it's not always wrong to use --install + --no-network, so getting the right message is difficult.

- Disabling any customize operations that are not relevant to virt-sysprep. I think this is unnecessarily harsh.

Rich.
Richard W.M. Jones
2016-Jun-13 10:21 UTC
[Libguestfs] [PATCH] sysprep: Enable the network, add --no-network to disable it (RHBZ#1345813).
In commit ae6f726ecc3bc1b67fd76e51a7b1e1a33d4dcfc0 we started to use the virt-customize code to replace various virt-sysprep operations. This had the effect of adding many more possible operationg to virt-sysprep, but some of them (specifically --install) did not work unless the appliance network is enabled. It was not enabled in virt-sysprep, so these operations never worked. This change enables the network by default, so operations such as --install will now work. For enhanced security it is possible to disable the network by adding the --no-network flag. --- sysprep/main.ml | 5 +++++ sysprep/virt-sysprep.pod | 17 +++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/sysprep/main.ml b/sysprep/main.ml index 6f331b5..12fcf48 100644 --- a/sysprep/main.ml +++ b/sysprep/main.ml @@ -40,6 +40,7 @@ let main () let files = ref [] in let libvirturi = ref "" in let mount_opts = ref "" in + let network = ref true in let operations = ref None in let format = ref "auto" in @@ -131,6 +132,8 @@ let main () "--format", Arg.String set_format, s_"format" ^ " " ^ s_"Set format (default: auto)"; "--list-operations", Arg.Unit list_operations, " " ^ s_"List supported operations"; "--mount-options", Arg.Set_string mount_opts, s_"opts" ^ " " ^ s_"Set mount options (eg /:noatime;/var:rw,noatime)"; + "--network", Arg.Set network, " " ^ s_"Enable appliance network (default)"; + "--no-network", Arg.Clear network, " " ^ s_"Disable appliance network"; "--no-selinux-relabel", Arg.Unit (fun () -> ()), " " ^ s_"Compatibility option, does nothing"; "--operation", Arg.String set_operations, " " ^ s_"Enable/disable specific operations"; @@ -192,6 +195,7 @@ read the man page virt-sysprep(1). (* Dereference the rest of the args. *) let dryrun = !dryrun in + let network = !network in let operations = !operations in (* At this point we know which operations are enabled. So call the 
@@ -212,6 +216,7 @@ read the man page virt-sysprep(1). (* Connect to libguestfs. *) let g = open_guestfs () in + g#set_network network; add g dryrun; g#launch (); diff --git a/sysprep/virt-sysprep.pod b/sysprep/virt-sysprep.pod index d86b1e4..42e6ed7 100644 --- a/sysprep/virt-sysprep.pod +++ b/sysprep/virt-sysprep.pod @@ -219,6 +219,23 @@ Don't print log messages. To enable detailed logging of individual file operations, use I<-x>. +=item B<--network> + +=item B<--no-network> + +Enable or disable network access from the guest during the installation. + +Enabled is the default. Use I<--no-network> to disable access. + +The network only allows outgoing connections and has other minor +limitations. See L<virt-rescue(1)/NETWORK>. + +If you use I<--no-network> then certain other options such as +I<--install> will not work. + +L<virt-builder(1)> has more information about the security advantages +of disabling the network. + =item B<-v> =item B<--verbose> -- 2.7.4
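Review bot: `let network = ref true in` in the first main.ml hunk turns the appliance network on for every virt-sysprep run, including the common case where none of the selected operations need it. The commit message itself says --install never worked in virt-sysprep before, so there is no existing behaviour to keep compatible with; consider `ref false` with an explicit --network opt-in, which keeps the default least-privilege and makes a script that relies on the network fail loudly on an older virt-sysprep instead of silently running offline.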
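Review bot: `g#set_network network;` in the open_guestfs hunk is correctly placed before `g#launch ()`, but it is applied unconditionally, regardless of `dryrun` and of which operations were enabled. The context line in the earlier hunk already states "At this point we know which operations are enabled", so the network could be switched on only when an operation that needs it (such as --install) is selected or when --network is given explicitly; that would let --install work without exposing the appliance to the network on runs that do not need it.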
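Review bot: in the virt-sysprep.pod hunk, "Enable or disable network access from the guest during the installation" does not describe virt-sysprep: it performs no installation, and the thing that gets network access is the libguestfs appliance, not the guest (the option help in main.ml says "Enable appliance network"). Suggest "Enable or disable network access from the appliance while the sysprep operations run." The paragraph "If you use I<--no-network> then certain other options such as I<--install> will not work" would also be more useful if it named the operations that need the network, so a user choosing --no-network knows exactly what they give up.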
Pino Toscano
2016-Jun-13 12:14 UTC
Re: [Libguestfs] [PATCH] sysprep: Enable the network, add --no-network to disable it (RHBZ#1345813).
On Monday 13 June 2016 11:21:15 Richard W.M. Jones wrote:

> In commit ae6f726ecc3bc1b67fd76e51a7b1e1a33d4dcfc0 we started to use
> the virt-customize code to replace various virt-sysprep operations.
> This had the effect of adding many more possible operations to
> virt-sysprep, but some of them (specifically --install) did not work
> unless the appliance network is enabled. It was not enabled in
> virt-sysprep, so these operations never worked.
>
> This change enables the network by default, so operations such as
> --install will now work. For enhanced security it is possible to
> disable the network by adding the --no-network flag.

I'd still disable the network by default. As you wrote, --install and other network-using operations didn't work before, so there is no "compatibility" with them that we need to keep -- users will need to require network to make the command work, and using an explicit --network will make sure the command breaks right away when used with older virt-sysprep.

Thanks,
--
Pino Toscano