[Libguestfs] [PATCH] sysprep: Enable the network, add --no-network to disable it (RHBZ#1345813).

Richard W.M. Jones rjones at redhat.com
Mon Jun 13 10:21:15 UTC 2016


In commit ae6f726ecc3bc1b67fd76e51a7b1e1a33d4dcfc0 we started to use
the virt-customize code to replace various virt-sysprep operations.
This had the effect of adding many more possible operations to
virt-sysprep, but some of them (specifically --install) did not work
unless the appliance network is enabled.  It was not enabled in
virt-sysprep, so these operations never worked.

This change enables the network by default, so operations such as
--install will now work.  For enhanced security it is possible to
disable the network by adding the --no-network flag.
---
 sysprep/main.ml          |  5 +++++
 sysprep/virt-sysprep.pod | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/sysprep/main.ml b/sysprep/main.ml
index 6f331b5..12fcf48 100644
--- a/sysprep/main.ml
+++ b/sysprep/main.ml
@@ -40,6 +40,7 @@ let main () =
     let files = ref [] in
     let libvirturi = ref "" in
     let mount_opts = ref "" in
+    let network = ref true in
     let operations = ref None in
 
     let format = ref "auto" in
@@ -131,6 +132,8 @@ let main () =
       "--format",  Arg.String set_format,     s_"format" ^ " " ^ s_"Set format (default: auto)";
       "--list-operations", Arg.Unit list_operations, " " ^ s_"List supported operations";
       "--mount-options", Arg.Set_string mount_opts, s_"opts" ^ " " ^ s_"Set mount options (eg /:noatime;/var:rw,noatime)";
+      "--network", Arg.Set network,           " " ^ s_"Enable appliance network (default)";
+      "--no-network", Arg.Clear network,      " " ^ s_"Disable appliance network";
       "--no-selinux-relabel", Arg.Unit (fun () -> ()),
                                               " " ^ s_"Compatibility option, does nothing";
       "--operation",  Arg.String set_operations, " " ^ s_"Enable/disable specific operations";
@@ -192,6 +195,7 @@ read the man page virt-sysprep(1).
 
     (* Dereference the rest of the args. *)
     let dryrun = !dryrun in
+    let network = !network in
     let operations = !operations in
 
     (* At this point we know which operations are enabled.  So call the
@@ -212,6 +216,7 @@ read the man page virt-sysprep(1).
 
     (* Connect to libguestfs. *)
     let g = open_guestfs () in
+    g#set_network network;
     add g dryrun;
     g#launch ();
 
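Review bot: The new `g#set_network network;` line silently flips a security-relevant default for a tool that routinely processes disk images of unknown provenance, and nothing in the hunk records which mode the appliance was launched in; a comment at that line would help the next maintainer, e.g. `(* Must precede g#launch. Network is on by default (needed by --install etc.); --no-network turns it off. *)`. It may also be worth considering, as a least-privilege refinement, deriving the default from whether any of the enabled operations actually needs the network, so the appliance only gets network access when an operation such as --install is selected — whether the operation records expose such a property is not visible in this patch. The same default applies in dry-run mode, since the call is unconditional; that looks intentional but deserves a word in the comment. The enclosing `main` function starts and ends outside the hunk.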
diff --git a/sysprep/virt-sysprep.pod b/sysprep/virt-sysprep.pod
index d86b1e4..42e6ed7 100644
--- a/sysprep/virt-sysprep.pod
+++ b/sysprep/virt-sysprep.pod
@@ -219,6 +219,23 @@ Don't print log messages.
 
 To enable detailed logging of individual file operations, use I<-x>.
 
+=item B<--network>
+
+=item B<--no-network>
+
+Enable or disable network access from the guest during the installation.
+
+Enabled is the default.  Use I<--no-network> to disable access.
+
+The network only allows outgoing connections and has other minor
+limitations.  See L<virt-rescue(1)/NETWORK>.
+
+If you use I<--no-network> then certain other options such as
+I<--install> will not work.
+
+L<virt-builder(1)> has more information about the security advantages
+of disabling the network.
+
 =item B<-v>
 
 =item B<--verbose>
-- 
2.7.4



