In commit ae6f726ecc3bc1b67fd76e51a7b1e1a33d4dcfc0 we started to use
the virt-customize code to replace various virt-sysprep operations.
This had the effect of adding many more possible operations to
virt-sysprep, but some of them (specifically --install) did not work
unless the appliance network is enabled. It was not enabled in
virt-sysprep, so these operations never worked.
This change enables the network by default, so operations such as
--install will now work. For enhanced security it is possible to
disable the network by adding the --no-network flag.
---
sysprep/main.ml | 5 +++++
sysprep/virt-sysprep.pod | 17 +++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/sysprep/main.ml b/sysprep/main.ml
index 6f331b5..12fcf48 100644
--- a/sysprep/main.ml
+++ b/sysprep/main.ml
@@ -40,6 +40,7 @@ let main () =
let files = ref [] in
let libvirturi = ref "" in
let mount_opts = ref "" in
+ let network = ref true in
let operations = ref None in
let format = ref "auto" in
@@ -131,6 +132,8 @@ let main () =
"--format", Arg.String set_format, s_"format" ^ "
" ^ s_"Set format (default: auto)";
"--list-operations", Arg.Unit list_operations, " " ^
s_"List supported operations";
"--mount-options", Arg.Set_string mount_opts, s_"opts" ^ "
" ^ s_"Set mount options (eg /:noatime;/var:rw,noatime)";
+ "--network", Arg.Set network, " " ^ s_"Enable
appliance network (default)";
+ "--no-network", Arg.Clear network, " " ^ s_"Disable
appliance network";
"--no-selinux-relabel", Arg.Unit (fun () -> ()),
" " ^ s_"Compatibility
option, does nothing";
"--operation", Arg.String set_operations, " " ^
s_"Enable/disable specific operations";
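Review bot: The help text for the new `--no-network` option does not tell the user that disabling the network breaks other options, although the commit message and the pod change both say that `--install` stops working without it. The one-line help is the only place an interactive user sees this, so it is worth a hint, e.g. `" " ^ s_"Disable appliance network (breaks --install and similar operations)"`. The option list continues outside the hunk, so other network-dependent operations may also need mentioning; confirm against the full table.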
@@ -192,6 +195,7 @@ read the man page virt-sysprep(1).
(* Dereference the rest of the args. *)
let dryrun = !dryrun in
+ let network = !network in
let operations = !operations in
(* At this point we know which operations are enabled. So call the
@@ -212,6 +216,7 @@ read the man page virt-sysprep(1).
(* Connect to libguestfs. *)
let g = open_guestfs () in
+ g#set_network network;
add g dryrun;
g#launch ();
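Review bot: The new `g#set_network network;` line carries no comment, yet it flips a security-relevant default to "on" (the commit message itself recommends `--no-network` for enhanced security), so a reader of main.ml should see why the appliance network is enabled here. Suggest `(* Appliance network is on by default so that operations such as --install work; --no-network turns it off. *)` above the call. Placing the call before `g#launch ()` is correct, as the setting has to be made before the appliance is launched. The enclosing `main` function starts and ends outside the hunk.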
diff --git a/sysprep/virt-sysprep.pod b/sysprep/virt-sysprep.pod
index d86b1e4..42e6ed7 100644
--- a/sysprep/virt-sysprep.pod
+++ b/sysprep/virt-sysprep.pod
@@ -219,6 +219,23 @@ Don't print log messages.
To enable detailed logging of individual file operations, use I<-x>.
+=item B<--network>
+
+=item B<--no-network>
+
+Enable or disable network access from the guest during the installation.
+
+Enabled is the default. Use I<--no-network> to disable access.
+
+The network only allows outgoing connections and has other minor
+limitations. See L<virt-rescue(1)/NETWORK>.
+
+If you use I<--no-network> then certain other options such as
+I<--install> will not work.
+
+L<virt-builder(1)> has more information about the security advantages
+of disabling the network.
+
=item B<-v>
=item B<--verbose>
--
2.7.4