Richard W.M. Jones
2016-Jun-13 10:21 UTC
[Libguestfs] [PATCH] sysprep: Enable the network, add --no-network to disable it
This is just one possible way to fix this bug, but the simplest.

Others I considered:

- Keeping the network disabled by default.  Options like --install
  wouldn't work and there would be no actionable error message telling
  users what to do to fix it.

- Modifying virt-customize to warn/error/suggest if operations like
  --install were used but the network was disabled.  However it's not
  always wrong to use --install + --no-network, so getting the right
  message is difficult.

- Disabling any customize operations that are not relevant to
  virt-sysprep.  I think this is unnecessarily harsh.

Rich.
Richard W.M. Jones
2016-Jun-13 10:21 UTC
[Libguestfs] [PATCH] sysprep: Enable the network, add --no-network to disable it (RHBZ#1345813).
In commit ae6f726ecc3bc1b67fd76e51a7b1e1a33d4dcfc0 we started to use
the virt-customize code to replace various virt-sysprep operations.
This had the effect of adding many more possible operations to
virt-sysprep, but some of them (specifically --install) did not work
unless the appliance network is enabled. It was not enabled in
virt-sysprep, so these operations never worked.
This change enables the network by default, so operations such as
--install will now work. For enhanced security it is possible to
disable the network by adding the --no-network flag.
---
sysprep/main.ml | 5 +++++
sysprep/virt-sysprep.pod | 17 +++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/sysprep/main.ml b/sysprep/main.ml
index 6f331b5..12fcf48 100644
--- a/sysprep/main.ml
+++ b/sysprep/main.ml
@@ -40,6 +40,7 @@ let main () let files = ref [] in
let libvirturi = ref "" in
let mount_opts = ref "" in
+ let network = ref true in
let operations = ref None in
let format = ref "auto" in
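Review bot: `let network = ref true in` makes every virt-sysprep run bring up the appliance network, even though the default operation set does not need it. As the reply from Pino Toscano in this thread argues, nothing that needed the network worked before this patch, so there is no compatibility to preserve; `ref false` with an explicit --network is the safer default, and it also makes a command line that needs the network fail immediately on an older virt-sysprep that does not know the option.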
@@ -131,6 +132,8 @@ let main () "--format", Arg.String
set_format, s_"format" ^ " " ^ s_"Set format
(default: auto)";
"--list-operations", Arg.Unit list_operations, " " ^
s_"List supported operations";
"--mount-options", Arg.Set_string mount_opts,
s_"opts" ^ " " ^ s_"Set mount options (eg
/:noatime;/var:rw,noatime)";
+ "--network", Arg.Set network, " " ^
s_"Enable appliance network (default)";
+ "--no-network", Arg.Clear network, " " ^
s_"Disable appliance network";
"--no-selinux-relabel", Arg.Unit (fun () -> ()),
" " ^
s_"Compatibility option, does nothing";
"--operation", Arg.String set_operations, " " ^
s_"Enable/disable specific operations";
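Review bot: the help string for --network, "Enable appliance network (default)", hardcodes the default into the text, so if the default is flipped to disabled (as suggested in review) this string and the pod text both have to change together; consider deriving the "(default)" suffix from the initial value of `network` or dropping it. Separately, the one-line help for --no-network gives no hint that options such as --install will then not work, although the man page says so; mirroring that caveat here, e.g. "Disable appliance network (breaks --install etc.)", would help users who only read --help.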
@@ -192,6 +195,7 @@ read the man page virt-sysprep(1).
(* Dereference the rest of the args. *)
let dryrun = !dryrun in
+ let network = !network in
let operations = !operations in
(* At this point we know which operations are enabled. So call the
@@ -212,6 +216,7 @@ read the man page virt-sysprep(1).
(* Connect to libguestfs. *)
let g = open_guestfs () in
+ g#set_network network;
add g dryrun;
g#launch ();
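Review bot: `g#set_network network` is correctly placed before `g#launch ()`, which it must be since the setting only takes effect at launch; but it is applied regardless of `dryrun`, so a dry run also starts the appliance with the network up. If a dry run is meant to have no external effects, pass `(network && not dryrun)`, or otherwise document that --dryrun still enables the network.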
diff --git a/sysprep/virt-sysprep.pod b/sysprep/virt-sysprep.pod
index d86b1e4..42e6ed7 100644
--- a/sysprep/virt-sysprep.pod
+++ b/sysprep/virt-sysprep.pod
@@ -219,6 +219,23 @@ Don't print log messages.
To enable detailed logging of individual file operations, use I<-x>.
+=item B<--network>
+
+=item B<--no-network>
+
+Enable or disable network access from the guest during the installation.
+
+Enabled is the default. Use I<--no-network> to disable access.
+
+The network only allows outgoing connections and has other minor
+limitations. See L<virt-rescue(1)/NETWORK>.
+
+If you use I<--no-network> then certain other options such as
+I<--install> will not work.
+
+L<virt-builder(1)> has more information about the security advantages
+of disabling the network.
+
=item B<-v>
=item B<--verbose>
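Review bot: "network access from the guest during the installation" reads as copied from the virt-builder man page; virt-sysprep has no installation phase, so say "while the sysprep operations run" or similar. "Enabled is the default." repeats the default that is also baked into the --network help string in main.ml and must be kept in sync if the default changes. It would also help to list which operations actually need the network rather than only "certain other options such as I<--install>", since, as the cover letter notes, there is no actionable error message when such an operation is run with the network disabled.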
--
2.7.4
Pino Toscano
2016-Jun-13 12:14 UTC
Re: [Libguestfs] [PATCH] sysprep: Enable the network, add --no-network to disable it (RHBZ#1345813).
On Monday 13 June 2016 11:21:15 Richard W.M. Jones wrote:
> In commit ae6f726ecc3bc1b67fd76e51a7b1e1a33d4dcfc0 we started to use
> the virt-customize code to replace various virt-sysprep operations.
> This had the effect of adding many more possible operations to
> virt-sysprep, but some of them (specifically --install) did not work
> unless the appliance network is enabled. It was not enabled in
> virt-sysprep, so these operations never worked.
>
> This change enables the network by default, so operations such as
> --install will now work. For enhanced security it is possible to
> disable the network by adding the --no-network flag.

I'd still disable the network by default. As you wrote, --install and
other network-using operations didn't work before, so there is no
"compatibility" with them that we need to keep -- users will need to
require network to make the command work, and using an explicit
--network will make sure the command breaks right away when used with
older virt-sysprep.

Thanks,
--
Pino Toscano