similar to: [PATCH 0/2] customize: Allow --selinux-relabel flag to work on cross-architecture builds.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1212807 Since v1: - Combine the virt-builder detection code into virt-customize. - Enables us to delete Architecture and Uname modules completely. Rich.

[ I realized that we were discussing adding this feature, in various private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment

Do SELinux relabelling properly.

We can use the setfiles(8) command to relabel the guest filesystem, even though we don't have a policy loaded nor SELinux enabled in the appliance kernel. This also deprecates or removes the old and broken SELinux support. This patch isn't quite complete - I would like to add some tests to the new API. I'm posting here to garner early feedback. Rich.

--- customize/customize_run.ml | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/customize/customize_run.ml b/customize/customize_run.ml index 0f1d72a..cd4616c 100644 --- a/customize/customize_run.ml +++ b/customize/customize_run.ml @@ -338,15 +338,19 @@ exec >>%s 2>&1 if ops.flags.selinux_relabel then ( msg (f_"SELinux

v1 -> v2: - Add simple test of the setfiles API. - Use SELinux_relabel module in virt-v2v (instead of touch /.autorelabel). - Small fixes. Rich.

Add an helper function to run a command in the guest, checking for the host/guest compatibility. This is mostly extracted from the internal do_run helper currently in the Customize_run module of virt-customize. --- mltools/tools_utils.ml | 50 +++++++++++++++++++++++++++++++++++++++++ mltools/tools_utils.mli | 10 +++++++++ 2 files changed, 60 insertions(+) diff --git a/mltools/tools_utils.ml

In commit ae6f726ecc3bc1b67fd76e51a7b1e1a33d4dcfc0 we started to use the virt-customize code to replace various virt-sysprep operations. This had the effect of adding many more possible operations to virt-sysprep, but some of them (specifically --install) did not work unless the appliance network is enabled. It was not enabled in virt-sysprep, so these operations never worked. This change does

This patch series adds a new virt-sysprep operation to offline unenroll a guest from FreeIPA. It does so by removing some configuration files and certificates. It requires a change in libguestfs-common before the series is applied. Pino Toscano (4): customize: port do_run to run_in_guest_command sysprep: add a update_system_ca_store side effect sysprep: ca-certificates: request system CA

This implements the --selinux-relabel option for virt-customize, virt-builder and virt-sysprep. There is no need to autorelabel functionality now. Thanks: Stephen Smalley --- builder/Makefile.am | 1 + builder/virt-builder.pod | 20 +++++++++---------- customize/Makefile.am | 2 ++ customize/SELinux_relabel.ml | 46 +++++++++++++++++++++++++++++++++++++++++++

Just refactoring. Rich.

Continuation/rework of: https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3.

Hi, this is the v2 of a series introducing basic support for registering/attaching/unregistering RHEL guests using subscription-manager, so it is possible to do for example: $ virt-customize -a rhel-guest.qcow2 \ --sm-credentials user:file:/path/to/password-file --sm-register \ --sm-attach file:/path/to/pool-file \ --install pkg1 --install pkg2 .. \ --sm-remove --sm-unregister

A common problem that people have with virt-builder and virt-sysprep is which guests that use SELinux, like Fedora and RHEL. In both cases we touch /.autorelabel in the guest, which means the guest has to reboot once during its first boot. Recap: SELinux file labels -------------------------- SELinux requires that files have labels. Access to a file is controlled by the label on that file.

In cases where we are asked to run commands in the guest (eg. options such as --run-command or --install), give a clear error in the cases where the guest arch is not compatible with the host arch. --- customize/customize_run.ml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/customize/customize_run.ml b/customize/customize_run.ml index 08cff0b..0f1d72a 100644 ---

Small helper to normalize an architecture string, so it is easier to compare them and check for compatibilities. Make use of it in guest_arch_compatible, simplifying it. --- mllib/common_utils.ml | 12 ++++++++++-- mllib/common_utils.mli | 5 +++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/mllib/common_utils.ml b/mllib/common_utils.ml index f9e8996..ca6d470 100644 ---

There's not going to be an easy way to present this patch. It's huge and interconnected. Anyway, what it does is lay the groundwork for a new tool which I'm calling 'virt-customize'. virt-customize is virt-builder, but without the part where it downloads a template from a respository. Just the part where it customizes the template, that is, installing packages, editing

On Tuesday 11 August 2015 15:05:04 Richard W.M. Jones wrote: > On Tue, Aug 11, 2015 at 03:45:11PM +0200, Pino Toscano wrote: > > Small helper to normalize an architecture string, so it is easier to > > compare them and check for compatibilities. > > > > Make use of it in guest_arch_compatible, simplifying it. > > Have a look at: >

This currently only works with numeric UID.GID. In theory in future we could look up IDs from the guest password file (eg. using Augeas) and do the right thing, but that's a bunch more work. For example: $ ./builder/virt-builder fedora-36 --chown 1.1:/var/tmp [ 1.0] Downloading: http://builder.libguestfs.org/fedora-36.xz [ 1.5] Planning how to build this image [ 1.5] Uncompressing [

On 6/29/23 14:50, Richard W.M. Jones wrote: > This currently only works with numeric UID.GID. In theory in future > we could look up IDs from the guest password file (eg. using Augeas) > and do the right thing, but that's a bunch more work. > > For example: > > $ ./builder/virt-builder fedora-36 --chown 1.1:/var/tmp > [ 1.0] Downloading: