.\" Automatically generated by Podwrapper::Man 1.40.2 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "virt-sysprep 1"
.TH virt-sysprep 1 "2019-02-07" "libguestfs-1.40.2" "Virtualization Support"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
virt\-sysprep \- Reset, unconfigure or customize a virtual machine so clones can be made
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& virt\-sysprep [\-\-options] \-d domname
\&
\& virt\-sysprep [\-\-options] \-a disk.img [\-a disk.img ...]
.Ve
.SH "WARNING"
.IX Header "WARNING"
Using \f(CW\*(C`virt\-sysprep\*(C'\fR
on live virtual machines, or concurrently with other
disk editing tools, can be dangerous, potentially causing disk
corruption.  The virtual machine must be shut down before you use this
command, and disk images must not be edited concurrently.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Virt-sysprep can reset or unconfigure a virtual machine so that
clones can be made from it.  Steps in this process include removing
\&\s-1SSH\s0 host keys, removing persistent network \s-1MAC\s0 configuration, and
removing user accounts.  Virt-sysprep can also customize a virtual
machine, for instance by adding \s-1SSH\s0 keys, users or logos.  Each step
can be enabled or disabled as required.
.PP
Virt-sysprep modifies the guest or disk image \fIin place\fR.  The guest
must be shut down.  If you want to preserve the existing contents of
the guest, \fIyou must snapshot, copy or clone the disk first\fR.  See
\&\*(L"\s-1COPYING AND CLONING\*(R"\s0 below.
.PP
You do \fInot\fR need to run virt-sysprep as root.  In fact we'd
generally recommend that you don't.  The time you might want to run it
as root is when you need root in order to access the disk image, but
even in this case it would be better to change the permissions on the
disk image to be writable as the non-root user running virt-sysprep.
.PP
\&\*(L"Sysprep\*(R" stands for \*(L"system preparation\*(R" tool.  The name comes from
the Microsoft program \fIsysprep.exe\fR which is used to unconfigure
Windows machines in preparation for cloning them.  Having said that,
virt-sysprep does \fInot\fR currently work on Microsoft Windows guests.
We plan to support Windows sysprepping in a future version, and we
already have code to do it.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-\-help\fR" 4
.IX Item "--help"
Display brief help.
.IP "\fB\-a\fR file" 4
.IX Item "-a file"
.PD 0
.IP "\fB\-\-add\fR file" 4
.IX Item "--add file"
.PD
Add \fIfile\fR which should be a disk image from a virtual machine.
.Sp
The format of the disk image is auto-detected.  To override this and
force a particular format use the \fI\-\-format\fR option.
.IP "\fB\-a\fR \s-1URI\s0" 4
.IX Item "-a URI"
.PD 0
.IP "\fB\-\-add\fR \s-1URI\s0" 4
.IX Item "--add URI"
.PD
Add a remote disk.  The \s-1URI\s0 format is compatible with guestfish.
See \*(L"\s-1ADDING REMOTE STORAGE\*(R"\s0 in \fBguestfish\fR\|(1).
.IP "\fB\-\-colors\fR" 4
.IX Item "--colors"
.PD 0
.IP "\fB\-\-colours\fR" 4
.IX Item "--colours"
.PD
Use \s-1ANSI\s0 colour sequences to colourize messages.  This is the default
when the output is a tty.  If the output of the program is redirected
to a file, \s-1ANSI\s0 colour sequences are disabled unless you use this
option.
.IP "\fB\-c\fR \s-1URI\s0" 4
.IX Item "-c URI"
.PD 0
.IP "\fB\-\-connect\fR \s-1URI\s0" 4
.IX Item "--connect URI"
.PD
If using libvirt, connect to the given \fI\s-1URI\s0\fR.  If omitted, then we
connect to the default libvirt hypervisor.
.Sp
If you specify guest block devices directly (\fI\-a\fR), then libvirt is
not used at all.
.IP "\fB\-d\fR guest" 4
.IX Item "-d guest"
.PD 0
.IP "\fB\-\-domain\fR guest" 4
.IX Item "--domain guest"
.PD
Add all the disks from the named libvirt guest.  Domain UUIDs can be
used instead of names.
.IP "\fB\-n\fR" 4
.IX Item "-n"
.PD 0
.IP "\fB\-\-dry\-run\fR" 4
.IX Item "--dry-run"
.PD
Perform a read-only \*(L"dry run\*(R" on the guest.  This runs the sysprep
operation, but throws away any changes to the disk at the end.
.IP "\fB\-\-enable\fR operations" 4
.IX Item "--enable operations"
Choose which sysprep operations to perform.  Give a comma-separated
list of operations, for example:
.Sp
.Vb 1
\& \-\-enable ssh\-hostkeys,udev\-persistent\-net
.Ve
.Sp
would enable \s-1ONLY\s0 \f(CW\*(C`ssh\-hostkeys\*(C'\fR and \f(CW\*(C`udev\-persistent\-net\*(C'\fR operations.
.Sp
If the \fI\-\-enable\fR option is not given, then we default to trying most
sysprep operations (see \fI\-\-list\-operations\fR to show which are
enabled).
.Sp
Regardless of the \fI\-\-enable\fR option, sysprep operations are skipped
for some guest types.
.Sp
Use \fI\-\-list\-operations\fR to list operations supported by a particular
version of virt-sysprep.
.Sp
See \*(L"\s-1OPERATIONS\*(R"\s0 below for a list and an explanation of each
operation.
.IP "\fB\-\-operation\fR operations" 4
.IX Item "--operation operations"
.PD 0
.IP "\fB\-\-operations\fR operations" 4
.IX Item "--operations operations"
.PD
Choose which sysprep operations to perform.  Give a comma-separated
list of operations, for example:
.Sp
.Vb 1
\& \-\-operations ssh\-hostkeys,udev\-persistent\-net
.Ve
.Sp
would enable \s-1ONLY\s0 \f(CW\*(C`ssh\-hostkeys\*(C'\fR and \f(CW\*(C`udev\-persistent\-net\*(C'\fR operations.
.Sp
\&\fI\-\-operations\fR allows you to enable and disable any operation, including
the default ones (which would be tried when specifying neither
\&\fI\-\-operations\fR nor \fI\-\-enable\fR) and all the available ones; prepending
a \f(CW\*(C`\-\*(C'\fR in front of an operation name removes it from the list of enabled
operations, while the meta-names \f(CW\*(C`defaults\*(C'\fR and \f(CW\*(C`all\*(C'\fR represent
respectively the operations enabled by default and all the available ones.
For example:
.Sp
.Vb 1
\& \-\-operations firewall\-rules,defaults,\-tmp\-files
.Ve
.Sp
would enable the \f(CW\*(C`firewall\-rules\*(C'\fR operation (regardless whether it is enabled by
default), all the default ones, and disable the \f(CW\*(C`tmp\-files\*(C'\fR operation.
.Sp
\&\fI\-\-operations\fR can be specified multiple times; the first time the set
of enabled operations is empty, while any further \fI\-\-operations\fR affects
the operations enabled so far.
.Sp
If the \fI\-\-operations\fR option is not given, then we default to trying most
sysprep operations (see \fI\-\-list\-operations\fR to show which are
enabled).
.Sp
Regardless of the \fI\-\-operations\fR option, sysprep operations are skipped
for some guest types.
.Sp
Use \fI\-\-list\-operations\fR to list operations supported by a particular
version of virt-sysprep.
.Sp
See \*(L"\s-1OPERATIONS\*(R"\s0 below for a list and an explanation of each
operation.
.IP "\fB\-\-echo\-keys\fR" 4
.IX Item "--echo-keys"
When prompting for keys and passphrases, virt-sysprep normally turns
echoing off so you cannot see what you are typing.  If you are not
worried about Tempest attacks and there is no one else in the room
you can specify this flag to see what you are typing.
.IP "\fB\-\-format\fR raw|qcow2|.." 4
.IX Item "--format raw|qcow2|.."
.PD 0
.IP "\fB\-\-format\fR auto" 4
.IX Item "--format auto"
.PD
The default for the \fI\-a\fR option is to auto-detect the format of the
disk image.  Using this forces the disk format for \fI\-a\fR options which
follow on the command line.  Using \fI\-\-format auto\fR switches back to
auto-detection for subsequent \fI\-a\fR options.
.Sp
For example:
.Sp
.Vb 1
\& virt\-sysprep \-\-format raw \-a disk.img
.Ve
.Sp
forces raw format (no auto-detection) for \fIdisk.img\fR.
.Sp
.Vb 1
\& virt\-sysprep \-\-format raw \-a disk.img \-\-format auto \-a another.img
.Ve
.Sp
forces raw format (no auto-detection) for \fIdisk.img\fR and reverts to
auto-detection for \fIanother.img\fR.
.Sp
If you have untrusted raw-format guest disk images, you should use
this option to specify the disk format.  This avoids a possible
security problem with malicious guests (\s-1CVE\-2010\-3851\s0).
.IP "\fB\-\-key\fR \s-1SELECTOR\s0" 4
.IX Item "--key SELECTOR"
Specify a key for \s-1LUKS,\s0 to automatically open a \s-1LUKS\s0 device when using
the inspection.  \f(CW\*(C`SELECTOR\*(C'\fR can be in one of the following formats:
.RS 4
.ie n .IP "\fB\-\-key\fR ""DEVICE"":key:KEY_STRING" 4
.el .IP "\fB\-\-key\fR \f(CWDEVICE\fR:key:KEY_STRING" 4
.IX Item "--key DEVICE:key:KEY_STRING"
Use the specified \f(CW\*(C`KEY_STRING\*(C'\fR as passphrase.
.ie n .IP "\fB\-\-key\fR ""DEVICE"":file:FILENAME" 4
.el .IP "\fB\-\-key\fR \f(CWDEVICE\fR:file:FILENAME" 4
.IX Item "--key DEVICE:file:FILENAME"
Read the passphrase from \fI\s-1FILENAME\s0\fR.
.RE
.RS 4
.RE
.IP "\fB\-\-keys\-from\-stdin\fR" 4
.IX Item "--keys-from-stdin"
Read key or passphrase parameters from stdin.  The default is
to try to read passphrases from the user by opening \fI/dev/tty\fR.
.IP "\fB\-\-list\-operations\fR" 4
.IX Item "--list-operations"
List the operations supported by the virt-sysprep program.
.Sp
These are listed one per line, with one or more single-space-separated
fields, eg:
.Sp
.Vb 6
\& $ virt\-sysprep \-\-list\-operations
\& bash\-history * Remove the bash history in the guest
\& cron\-spool * Remove user at\-jobs and cron\-jobs
\& dhcp\-client\-state * Remove DHCP client leases
\& dhcp\-server\-state * Remove DHCP server leases
\& [etc]
.Ve
.Sp
The first field is the operation name, which can be supplied
to \fI\-\-enable\fR.  The second field is a \f(CW\*(C`*\*(C'\fR character if the
operation is enabled by default or blank if not.  Subsequent
fields on the same line are the description of the operation.
.Sp
Before libguestfs 1.17.33 only the first (operation name) field was
shown and all operations were enabled by default.
.IP "\fB\-\-mount\-options\fR mp:opts[;mp:opts;...]" 4
.IX Item "--mount-options mp:opts[;mp:opts;...]"
Set the mount options used when libguestfs opens the disk image.  Note
this has no effect on the guest.  It is used when opening certain
guests such as ones using the \s-1UFS\s0 (\s-1BSD\s0) filesystem.
.Sp
Use a semicolon-separated list of \f(CW\*(C`mountpoint:options\*(C'\fR pairs.
You may need to quote this list to protect it from the shell.
.Sp
For example:
.Sp
.Vb 1
\& \-\-mount\-options "/:noatime"
.Ve
.Sp
will mount the root directory with \f(CW\*(C`notime\*(C'\fR.  This example:
.Sp
.Vb 1
\& \-\-mount\-options "/:noatime;/var:rw,nodiratime"
.Ve
.Sp
will do the same, plus mount \fI/var\fR with \f(CW\*(C`rw,nodiratime\*(C'\fR.
.IP "\fB\-q\fR" 4
.IX Item "-q"
.PD 0
.IP "\fB\-\-quiet\fR" 4
.IX Item "--quiet"
.PD
Don’t print log messages.
.Sp
To enable detailed logging of individual file operations, use \fI\-x\fR.
.IP "\fB\-\-network\fR" 4
.IX Item "--network"
.PD 0
.IP "\fB\-\-no\-network\fR" 4
.IX Item "--no-network"
.PD
Enable or disable network access from the guest during the installation.
.Sp
In virt-sysprep, the network is \fIdisabled\fR by default.  You must use
\&\fI\-\-network\fR to enable it, in order that options such as \fI\-\-install\fR
or \fI\-\-update\fR will work.
.Sp
\&\fBvirt\-builder\fR\|(1) has more information about the security advantages
of disabling the network.
.IP "\fB\-v\fR" 4
.IX Item "-v"
.PD 0
.IP "\fB\-\-verbose\fR" 4
.IX Item "--verbose"
.PD
Enable verbose messages for debugging.
.IP "\fB\-V\fR" 4
.IX Item "-V"
.PD 0
.IP "\fB\-\-version\fR" 4
.IX Item "--version"
.PD
Display version number and exit.
.IP "\fB\-x\fR" 4
.IX Item "-x"
Enable tracing of libguestfs \s-1API\s0 calls.
.ie n .IP "\fB\-\-append\-line\fR \s-1FILE:LINE\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-append\-line\fR \s-1FILE:LINE\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--append-line FILE:LINE (see customize below)"
Append a single line of text to the \f(CW\*(C`FILE\*(C'\fR.  If the file does not already
end with a newline, then one is added before the appended
line.  Also a newline is added to the end of the \f(CW\*(C`LINE\*(C'\fR string
automatically.
.Sp
For example (assuming ordinary shell quoting) this command:
.Sp
.Vb 1
\& \-\-append\-line \*(Aq/etc/hosts:10.0.0.1 foo\*(Aq
.Ve
.Sp
will add either \f(CW\*(C`10.0.0.1 foo⏎\*(C'\fR or \f(CW\*(C`⏎10.0.0.1 foo⏎\*(C'\fR to
the file, the latter only if the existing file does not
already end with a newline.
.Sp
\&\f(CW\*(C`⏎\*(C'\fR represents a newline character, which is guessed by
looking at the existing content of the file, so this command
does the right thing for files using Unix or Windows line endings.
It also works for empty or non-existent files.
.Sp
To insert several lines, use the same option several times:
.Sp
.Vb 2
\& \-\-append\-line \*(Aq/etc/hosts:10.0.0.1 foo\*(Aq
\& \-\-append\-line \*(Aq/etc/hosts:10.0.0.2 bar\*(Aq
.Ve
.Sp
To insert a blank line before the appended line, do:
.Sp
.Vb 2
\& \-\-append\-line \*(Aq/etc/hosts:\*(Aq
\& \-\-append\-line \*(Aq/etc/hosts:10.0.0.1 foo\*(Aq
.Ve
.ie n .IP "\fB\-\-chmod\fR \s-1PERMISSIONS:FILE\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-chmod\fR \s-1PERMISSIONS:FILE\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--chmod PERMISSIONS:FILE (see customize below)"
Change the permissions of \f(CW\*(C`FILE\*(C'\fR to \f(CW\*(C`PERMISSIONS\*(C'\fR.
.Sp
\&\fINote\fR: \f(CW\*(C`PERMISSIONS\*(C'\fR by default would be decimal, unless you prefix
it with \f(CW0\fR to get octal, ie. use \f(CW0700\fR not \f(CW700\fR.
.ie n .IP "\fB\-\-commands\-from\-file\fR \s-1FILENAME\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-commands\-from\-file\fR \s-1FILENAME\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--commands-from-file FILENAME (see customize below)"
Read the customize commands from a file, one (and its arguments)
each line.
.Sp
Each line contains a single customization command and its arguments,
for example:
.Sp
.Vb 3
\& delete /some/file
\& install some\-package
\& password some\-user:password:its\-new\-password
.Ve
.Sp
Empty lines are ignored, and lines starting with \f(CW\*(C`#\*(C'\fR are comments
and are ignored as well.  Furthermore, arguments can be spread across
multiple lines, by adding a \f(CW\*(C`\e\*(C'\fR (continuation character) at the of
a line, for example
.Sp
.Vb 2
\& edit /some/file:\e
\&   s/^OPT=.*/OPT=ok/
.Ve
.Sp
The commands are handled in the same order as they are in the file,
as if they were specified as \fI\-\-delete /some/file\fR on the command
line.
.ie n .IP "\fB\-\-copy\fR \s-1SOURCE:DEST\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-copy\fR \s-1SOURCE:DEST\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--copy SOURCE:DEST (see customize below)"
Copy files or directories recursively inside the guest.
.Sp
Wildcards cannot be used.
.ie n .IP "\fB\-\-copy\-in\fR \s-1LOCALPATH:REMOTEDIR\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-copy\-in\fR \s-1LOCALPATH:REMOTEDIR\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--copy-in LOCALPATH:REMOTEDIR (see customize below)"
Copy local files or directories recursively into the disk image,
placing them in the directory \f(CW\*(C`REMOTEDIR\*(C'\fR (which must exist).
.Sp
Wildcards cannot be used.
.ie n .IP "\fB\-\-delete\fR \s-1PATH\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-delete\fR \s-1PATH\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--delete PATH (see customize below)"
Delete a file from the guest.  Or delete a directory (and all its
contents, recursively).
.Sp
You can use shell glob characters in the specified path.  Be careful
to escape glob characters from the host shell, if that is required.
For example:
.Sp
.Vb 1
\& virt\-customize \-\-delete \*(Aq/var/log/*.log\*(Aq.
.Ve
.Sp
See also: \fI\-\-upload\fR, \fI\-\-scrub\fR.
.ie n .IP "\fB\-\-edit\fR \s-1FILE:EXPR\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-edit\fR \s-1FILE:EXPR\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--edit FILE:EXPR (see customize below)"
Edit \f(CW\*(C`FILE\*(C'\fR using the Perl expression \f(CW\*(C`EXPR\*(C'\fR.
.Sp
Be careful to properly quote the expression to prevent it from
being altered by the shell.
.Sp
Note that this option is only available when Perl 5 is installed.
.Sp
See \*(L"NON-INTERACTIVE \s-1EDITING\*(R"\s0 in \fBvirt\-edit\fR\|(1).
.ie n .IP "\fB\-\-firstboot\fR \s-1SCRIPT\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-firstboot\fR \s-1SCRIPT\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--firstboot SCRIPT (see customize below)"
Install \f(CW\*(C`SCRIPT\*(C'\fR inside the guest, so that when the guest first boots
up, the script runs (as root, late in the boot process).
.Sp
The script is automatically chmod +x after installation in the guest.
.Sp
The alternative version \fI\-\-firstboot\-command\fR is the same, but it
conveniently wraps the command up in a single line script for you.
.Sp
You can have multiple \fI\-\-firstboot\fR options.  They run in the same
order that they appear on the command line.
.Sp
Please take a look at \*(L"\s-1FIRST BOOT SCRIPTS\*(R"\s0 in \fBvirt\-builder\fR\|(1) for more
information and caveats about the first boot scripts.
.Sp
See also \fI\-\-run\fR.
.ie n .IP "\fB\-\-firstboot\-command\fR '\s-1CMD+ARGS\s0' (see ""customize"" below)" 4
.el .IP "\fB\-\-firstboot\-command\fR '\s-1CMD+ARGS\s0' (see \f(CWcustomize\fR below)" 4
.IX Item "--firstboot-command 'CMD+ARGS' (see customize below)"
Run command (and arguments) inside the guest when the guest first
boots up (as root, late in the boot process).
.Sp
You can have multiple \fI\-\-firstboot\fR options.  They run in the same
order that they appear on the command line.
.Sp
Please take a look at \*(L"\s-1FIRST BOOT SCRIPTS\*(R"\s0 in \fBvirt\-builder\fR\|(1) for more
information and caveats about the first boot scripts.
.Sp
See also \fI\-\-run\fR.
.ie n .IP "\fB\-\-firstboot\-install\fR \s-1PKG,PKG..\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-firstboot\-install\fR \s-1PKG,PKG..\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--firstboot-install PKG,PKG.. (see customize below)"
Install the named packages (a comma-separated list).  These are
installed when the guest first boots using the guest’s package manager
(eg. apt, yum, etc.) and the guest’s network connection.
.Sp
For an overview on the different ways to install packages, see
\&\*(L"\s-1INSTALLING PACKAGES\*(R"\s0 in \fBvirt\-builder\fR\|(1).
.ie n .IP "\fB\-\-hostname\fR \s-1HOSTNAME\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-hostname\fR \s-1HOSTNAME\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--hostname HOSTNAME (see customize below)"
Set the hostname of the guest to \f(CW\*(C`HOSTNAME\*(C'\fR.  You can use a
dotted hostname.domainname (\s-1FQDN\s0) if you want.
.ie n .IP "\fB\-\-install\fR \s-1PKG,PKG..\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-install\fR \s-1PKG,PKG..\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--install PKG,PKG.. (see customize below)"
Install the named packages (a comma-separated list).  These are
installed during the image build using the guest’s package manager
(eg. apt, yum, etc.) and the host’s network connection.
.Sp
For an overview on the different ways to install packages, see
\&\*(L"\s-1INSTALLING PACKAGES\*(R"\s0 in \fBvirt\-builder\fR\|(1).
.Sp
See also \fI\-\-update\fR, \fI\-\-uninstall\fR.
.ie n .IP "\fB\-\-keep\-user\-accounts\fR \s-1USERS\s0 (see ""user\-account"" below)" 4
.el .IP "\fB\-\-keep\-user\-accounts\fR \s-1USERS\s0 (see \f(CWuser\-account\fR below)" 4
.IX Item "--keep-user-accounts USERS (see user-account below)"
The user accounts to be kept in the guest.
The value of this option is a list of user names separated by comma,
where specifying an user means it is going to be kept.
For example:
.Sp
.Vb 1
\& \-\-keep\-user\-accounts mary
.Ve
.Sp
would keep the user account \f(CW\*(C`mary\*(C'\fR.
.Sp
This option can be specified multiple times.
.ie n .IP "\fB\-\-link\fR TARGET:LINK[:LINK..] (see ""customize"" below)" 4
.el .IP "\fB\-\-link\fR TARGET:LINK[:LINK..] (see \f(CWcustomize\fR below)" 4
.IX Item "--link TARGET:LINK[:LINK..] (see customize below)"
Create symbolic link(s) in the guest, starting at \f(CW\*(C`LINK\*(C'\fR and
pointing at \f(CW\*(C`TARGET\*(C'\fR.
.ie n .IP "\fB\-\-mkdir\fR \s-1DIR\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-mkdir\fR \s-1DIR\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--mkdir DIR (see customize below)"
Create a directory in the guest.
.Sp
This uses \f(CW\*(C`mkdir \-p\*(C'\fR so any intermediate directories are created,
and it also works if the directory already exists.
.ie n .IP "\fB\-\-move\fR \s-1SOURCE:DEST\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-move\fR \s-1SOURCE:DEST\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--move SOURCE:DEST (see customize below)"
Move files or directories inside the guest.
.Sp
Wildcards cannot be used.
.ie n .IP "\fB\-\-no\-logfile\fR (see ""customize"" below)" 4
.el .IP "\fB\-\-no\-logfile\fR (see \f(CWcustomize\fR below)" 4
.IX Item "--no-logfile (see customize below)"
Scrub \f(CW\*(C`builder.log\*(C'\fR (log file from build commands) from the image
after building is complete.  If you don't want to reveal precisely how
the image was built, use this option.
.Sp
See also: \*(L"\s-1LOG FILE\*(R"\s0.
.ie n .IP "\fB\-\-password\fR \s-1USER:SELECTOR\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-password\fR \s-1USER:SELECTOR\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--password USER:SELECTOR (see customize below)"
Set the password for \f(CW\*(C`USER\*(C'\fR.  (Note this option does \fInot\fR
create the user account).
.Sp
See \*(L"\s-1USERS AND PASSWORDS\*(R"\s0 in \fBvirt\-builder\fR\|(1) for the format of
the \f(CW\*(C`SELECTOR\*(C'\fR field, and also how to set up user accounts.
.ie n .IP "\fB\-\-password\-crypto\fR md5|sha256|sha512 (see ""customize"" below)" 4
.el .IP "\fB\-\-password\-crypto\fR md5|sha256|sha512 (see \f(CWcustomize\fR below)" 4
.IX Item "--password-crypto md5|sha256|sha512 (see customize below)"
When the virt tools change or set a password in the guest, this
option sets the password encryption of that password to
\&\f(CW\*(C`md5\*(C'\fR, \f(CW\*(C`sha256\*(C'\fR or \f(CW\*(C`sha512\*(C'\fR.
.Sp
\&\f(CW\*(C`sha256\*(C'\fR and \f(CW\*(C`sha512\*(C'\fR require glibc ≥ 2.7 (check \fBcrypt\fR\|(3) inside
the guest).
.Sp
\&\f(CW\*(C`md5\*(C'\fR will work with relatively old Linux guests (eg. \s-1RHEL 3\s0), but
is not secure against modern attacks.
.Sp
The default is \f(CW\*(C`sha512\*(C'\fR unless libguestfs detects an old guest that
didn't have support for \s-1SHA\-512,\s0 in which case it will use \f(CW\*(C`md5\*(C'\fR.
You can override libguestfs by specifying this option.
.Sp
Note this does not change the default password encryption used
by the guest when you create new user accounts inside the guest.
If you want to do that, then you should use the \fI\-\-edit\fR option
to modify \f(CW\*(C`/etc/sysconfig/authconfig\*(C'\fR (Fedora, \s-1RHEL\s0) or
\&\f(CW\*(C`/etc/pam.d/common\-password\*(C'\fR (Debian, Ubuntu).
.ie n .IP "\fB\-\-remove\-user\-accounts\fR \s-1USERS\s0 (see ""user\-account"" below)" 4
.el .IP "\fB\-\-remove\-user\-accounts\fR \s-1USERS\s0 (see \f(CWuser\-account\fR below)" 4
.IX Item "--remove-user-accounts USERS (see user-account below)"
The user accounts to be removed from the guest.
The value of this option is a list of user names separated by comma,
where specifying an user means it is going to be removed.
For example:
.Sp
.Vb 1
\& \-\-remove\-user\-accounts bob,eve
.Ve
.Sp
would only remove the user accounts \f(CW\*(C`bob\*(C'\fR and \f(CW\*(C`eve\*(C'\fR.
.Sp
This option can be specified multiple times.
.ie n .IP "\fB\-\-root\-password\fR \s-1SELECTOR\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-root\-password\fR \s-1SELECTOR\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--root-password SELECTOR (see customize below)"
Set the root password.
.Sp
See \*(L"\s-1USERS AND PASSWORDS\*(R"\s0 in \fBvirt\-builder\fR\|(1) for the format of
the \f(CW\*(C`SELECTOR\*(C'\fR field, and also how to set up user accounts.
.Sp
Note: In virt-builder, if you \fIdon't\fR set \fI\-\-root\-password\fR
then the guest is given a \fIrandom\fR root password.
.ie n .IP "\fB\-\-run\fR \s-1SCRIPT\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-run\fR \s-1SCRIPT\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--run SCRIPT (see customize below)"
Run the shell script (or any program) called \f(CW\*(C`SCRIPT\*(C'\fR on the disk
image.  The script runs virtualized inside a small appliance, chrooted
into the guest filesystem.
.Sp
The script is automatically chmod +x.
.Sp
If libguestfs supports it then a limited network connection is
available but it only allows outgoing network connections.  You can
also attach data disks (eg. \s-1ISO\s0 files) as another way to provide data
(eg. software packages) to the script without needing a network
connection (\fI\-\-attach\fR).  You can also upload data files (\fI\-\-upload\fR).
.Sp
You can have multiple \fI\-\-run\fR options.  They run
in the same order that they appear on the command line.
.Sp
See also: \fI\-\-firstboot\fR, \fI\-\-attach\fR, \fI\-\-upload\fR.
.ie n .IP "\fB\-\-run\-command\fR '\s-1CMD+ARGS\s0' (see ""customize"" below)" 4
.el .IP "\fB\-\-run\-command\fR '\s-1CMD+ARGS\s0' (see \f(CWcustomize\fR below)" 4
.IX Item "--run-command 'CMD+ARGS' (see customize below)"
Run the command and arguments on the disk image.  The command runs
virtualized inside a small appliance, chrooted into the guest filesystem.
.Sp
If libguestfs supports it then a limited network connection is
available but it only allows outgoing network connections.  You can
also attach data disks (eg. \s-1ISO\s0 files) as another way to provide data
(eg. software packages) to the script without needing a network
connection (\fI\-\-attach\fR).  You can also upload data files (\fI\-\-upload\fR).
.Sp
You can have multiple \fI\-\-run\-command\fR options.  They run
in the same order that they appear on the command line.
.Sp
See also: \fI\-\-firstboot\fR, \fI\-\-attach\fR, \fI\-\-upload\fR.
.ie n .IP "\fB\-\-script\fR \s-1SCRIPT\s0 (see ""script"" below)" 4
.el .IP "\fB\-\-script\fR \s-1SCRIPT\s0 (see \f(CWscript\fR below)" 4
.IX Item "--script SCRIPT (see script below)"
Run the named \f(CW\*(C`SCRIPT\*(C'\fR (a shell script or program) against the
guest.  The script can be any program on the host.  The script’s
current directory will be the guest’s root directory.
.Sp
\&\fBNote:\fR If the script is not on the \f(CW$PATH\fR, then you must give
the full absolute path to the script.
.ie n .IP "\fB\-\-scriptdir\fR \s-1SCRIPTDIR\s0 (see ""script"" below)" 4
.el .IP "\fB\-\-scriptdir\fR \s-1SCRIPTDIR\s0 (see \f(CWscript\fR below)" 4
.IX Item "--scriptdir SCRIPTDIR (see script below)"
The mount point (an empty directory on the host) used when
the \f(CW\*(C`script\*(C'\fR operation is enabled and one or more scripts
are specified using \fI\-\-script\fR parameter(s).
.Sp
\&\fBNote:\fR \f(CW\*(C`SCRIPTDIR\*(C'\fR \fBmust\fR be an absolute path.
.Sp
If \fI\-\-scriptdir\fR is not specified then a temporary mountpoint
will be created.
.ie n .IP "\fB\-\-scrub\fR \s-1FILE\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-scrub\fR \s-1FILE\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--scrub FILE (see customize below)"
Scrub a file from the guest.  This is like \fI\-\-delete\fR except that:
.RS 4
.IP "\(bu" 4
It scrubs the data so a guest could not recover it.
.IP "\(bu" 4
It cannot delete directories, only regular files.
.RE
.RS 4
.RE
.ie n .IP "\fB\-\-selinux\-relabel\fR (see ""customize"" below)" 4
.el .IP "\fB\-\-selinux\-relabel\fR (see \f(CWcustomize\fR below)" 4
.IX Item "--selinux-relabel (see customize below)"
Relabel files in the guest so that they have the correct SELinux label.
.Sp
This will attempt to relabel files immediately, but if the operation fails
this will instead touch \fI/.autorelabel\fR on the image to schedule a
relabel operation for the next time the image boots.
.Sp
You should only use this option for guests which support SELinux.
.ie n .IP "\fB\-\-sm\-attach\fR \s-1SELECTOR\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-sm\-attach\fR \s-1SELECTOR\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--sm-attach SELECTOR (see customize below)"
Attach to a pool using \f(CW\*(C`subscription\-manager\*(C'\fR.
.Sp
See \*(L"SUBSCRIPTION-MANAGER\*(R" in \fBvirt\-builder\fR\|(1) for the format of
the \f(CW\*(C`SELECTOR\*(C'\fR field.
.ie n .IP "\fB\-\-sm\-credentials\fR \s-1SELECTOR\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-sm\-credentials\fR \s-1SELECTOR\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--sm-credentials SELECTOR (see customize below)"
Set the credentials for \f(CW\*(C`subscription\-manager\*(C'\fR.
.Sp
See \*(L"SUBSCRIPTION-MANAGER\*(R" in \fBvirt\-builder\fR\|(1) for the format of
the \f(CW\*(C`SELECTOR\*(C'\fR field.
.ie n .IP "\fB\-\-sm\-register\fR (see ""customize"" below)" 4
.el .IP "\fB\-\-sm\-register\fR (see \f(CWcustomize\fR below)" 4
.IX Item "--sm-register (see customize below)"
Register the guest using \f(CW\*(C`subscription\-manager\*(C'\fR.
.Sp
This requires credentials being set using \fI\-\-sm\-credentials\fR.
.ie n .IP "\fB\-\-sm\-remove\fR (see ""customize"" below)" 4
.el .IP "\fB\-\-sm\-remove\fR (see \f(CWcustomize\fR below)" 4
.IX Item "--sm-remove (see customize below)"
Remove all the subscriptions from the guest using
\&\f(CW\*(C`subscription\-manager\*(C'\fR.
.ie n .IP "\fB\-\-sm\-unregister\fR (see ""customize"" below)" 4
.el .IP "\fB\-\-sm\-unregister\fR (see \f(CWcustomize\fR below)" 4
.IX Item "--sm-unregister (see customize below)"
Unregister the guest using \f(CW\*(C`subscription\-manager\*(C'\fR.
.ie n .IP "\fB\-\-ssh\-inject\fR USER[:SELECTOR] (see ""customize"" below)" 4
.el .IP "\fB\-\-ssh\-inject\fR USER[:SELECTOR] (see \f(CWcustomize\fR below)" 4
.IX Item "--ssh-inject USER[:SELECTOR] (see customize below)"
Inject an ssh key so the given \f(CW\*(C`USER\*(C'\fR will be able to log in over
ssh without supplying a password.  The \f(CW\*(C`USER\*(C'\fR must exist already
in the guest.
.Sp
See \*(L"\s-1SSH KEYS\*(R"\s0 in \fBvirt\-builder\fR\|(1) for the format of
the \f(CW\*(C`SELECTOR\*(C'\fR field.
.Sp
You can have multiple \fI\-\-ssh\-inject\fR options, for different users
and also for more keys for each user.
.ie n .IP "\fB\-\-timezone\fR \s-1TIMEZONE\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-timezone\fR \s-1TIMEZONE\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--timezone TIMEZONE (see customize below)"
Set the default timezone of the guest to \f(CW\*(C`TIMEZONE\*(C'\fR.  Use a location
string like \f(CW\*(C`Europe/London\*(C'\fR
.ie n .IP "\fB\-\-touch\fR \s-1FILE\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-touch\fR \s-1FILE\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--touch FILE (see customize below)"
This command performs a \fBtouch\fR\|(1)\-like operation on \f(CW\*(C`FILE\*(C'\fR.
.ie n .IP "\fB\-\-truncate\fR \s-1FILE\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-truncate\fR \s-1FILE\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--truncate FILE (see customize below)"
This command truncates \f(CW\*(C`FILE\*(C'\fR to a zero-length file. The file must exist
already.
.ie n .IP "\fB\-\-truncate\-recursive\fR \s-1PATH\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-truncate\-recursive\fR \s-1PATH\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--truncate-recursive PATH (see customize below)"
This command recursively truncates all files under \f(CW\*(C`PATH\*(C'\fR to zero-length.
.ie n .IP "\fB\-\-uninstall\fR \s-1PKG,PKG..\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-uninstall\fR \s-1PKG,PKG..\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--uninstall PKG,PKG.. (see customize below)"
Uninstall the named packages (a comma-separated list).  These are
removed during the image build using the guest’s package manager
(eg. apt, yum, etc.).  Dependent packages may also need to be
uninstalled to satisfy the request.
.Sp
See also \fI\-\-install\fR, \fI\-\-update\fR.
.ie n .IP "\fB\-\-update\fR (see ""customize"" below)" 4
.el .IP "\fB\-\-update\fR (see \f(CWcustomize\fR below)" 4
.IX Item "--update (see customize below)"
Do the equivalent of \f(CW\*(C`yum update\*(C'\fR, \f(CW\*(C`apt\-get upgrade\*(C'\fR, or whatever
command is required to update the packages already installed in the
template to their latest versions.
.Sp
See also \fI\-\-install\fR, \fI\-\-uninstall\fR.
.ie n .IP "\fB\-\-upload\fR \s-1FILE:DEST\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-upload\fR \s-1FILE:DEST\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--upload FILE:DEST (see customize below)"
Upload local file \f(CW\*(C`FILE\*(C'\fR to destination \f(CW\*(C`DEST\*(C'\fR in the disk image.
File owner and permissions from the original are preserved, so you
should set them to what you want them to be in the disk image.
.Sp
\&\f(CW\*(C`DEST\*(C'\fR could be the final filename.  This can be used to rename
the file on upload.
.Sp
If \f(CW\*(C`DEST\*(C'\fR is a directory name (which must already exist in the guest)
then the file is uploaded into that directory, and it keeps the same
name as on the local filesystem.
.Sp
See also: \fI\-\-mkdir\fR, \fI\-\-delete\fR, \fI\-\-scrub\fR.
.ie n .IP "\fB\-\-write\fR \s-1FILE:CONTENT\s0 (see ""customize"" below)" 4
.el .IP "\fB\-\-write\fR \s-1FILE:CONTENT\s0 (see \f(CWcustomize\fR below)" 4
.IX Item "--write FILE:CONTENT (see customize below)"
Write \f(CW\*(C`CONTENT\*(C'\fR to \f(CW\*(C`FILE\*(C'\fR.
.SH "OPERATIONS"
.IX Header "OPERATIONS"
If the \fI\-\-enable\fR/\fI\-\-operations\fR option is \fInot\fR given,
then most sysprep operations are enabled.
.PP
Use \f(CW\*(C`virt\-sysprep \-\-list\-operations\*(C'\fR to list all operations for your
virt-sysprep binary.  The ones which are enabled by default are marked
with a \f(CW\*(C`*\*(C'\fR character.  Regardless of the \fI\-\-enable\fR/\fI\-\-operations\fR
options, sysprep operations are skipped for some guest types.
.PP
Operations can be individually enabled using the
\&\fI\-\-enable\fR/\fI\-\-operations\fR options.
Use a comma-separated list, for example:
.PP
.Vb 1
\& virt\-sysprep \-\-operations ssh\-hostkeys,udev\-persistent\-net [etc..]
.Ve
.PP
Future versions of virt-sysprep may add more operations.  If you are
using virt-sysprep and want predictable behaviour, specify only the
operations that you want to have enabled.
.PP
\&\f(CW\*(C`*\*(C'\fR = enabled by default when no \fI\-\-enable\fR/\fI\-\-operations\fR option
is given.
.SS "\fBabrt-data\fP *"
.IX Subsection "abrt-data *"
Remove the crash data generated by \s-1ABRT.\s0
.PP
Remove the automatically generated \s-1ABRT\s0 crash data in
\&\f(CW\*(C`/var/spool/abrt/\*(C'\fR.
.SS "\fBbackup-files\fP *"
.IX Subsection "backup-files *"
Remove editor backup files from the guest.
.PP
The following files are removed from anywhere in the guest
filesystem:
.IP "·" 4
*.bak
.IP "·" 4
*~
.PP
On Linux and Unix operating systems, only the following filesystems
will be examined:
.IP "·" 4
/etc
.IP "·" 4
/root
.IP "·" 4
/srv
.IP "·" 4
/tmp
.IP "·" 4
/var
.SS "\fBbash-history\fP *"
.IX Subsection "bash-history *"
Remove the bash history in the guest.
.PP
Remove the bash history of user \*(L"root\*(R" and any other users
who have a \f(CW\*(C`.bash_history\*(C'\fR file in their home directory.
.PP
\fINotes on bash-history\fR
.IX Subsection "Notes on bash-history"
.PP
Currently this only looks in \f(CW\*(C`/root\*(C'\fR and \f(CW\*(C`/home/*\*(C'\fR for
home directories, so users with home directories in other
locations won't have the bash history removed.
.SS "\fBblkid-tab\fP *"
.IX Subsection "blkid-tab *"
Remove blkid tab in the guest.
.SS "\fBca-certificates\fP"
.IX Subsection "ca-certificates"
Remove \s-1CA\s0 certificates in the guest.
.SS "\fBcrash-data\fP *"
.IX Subsection "crash-data *"
Remove the crash data generated by kexec-tools.
.PP
Remove the automatically generated kdump kernel crash data.
.SS "\fBcron-spool\fP *"
.IX Subsection "cron-spool *"
Remove user at-jobs and cron-jobs.
.SS "\fBcustomize\fP *"
.IX Subsection "customize *"
Customize the guest.
.PP
Customize the guest by providing \fBvirt\-customize\fR\|(1) options
for installing packages, editing files and so on.
.SS "\fBdhcp-client-state\fP *"
.IX Subsection "dhcp-client-state *"
Remove \s-1DHCP\s0 client leases.
.SS "\fBdhcp-server-state\fP *"
.IX Subsection "dhcp-server-state *"
Remove \s-1DHCP\s0 server leases.
.SS "\fBdovecot-data\fP *"
.IX Subsection "dovecot-data *"
Remove Dovecot (mail server) data.
.SS "\fBfirewall-rules\fP"
.IX Subsection "firewall-rules"
Remove the firewall rules.
.PP
This removes custom firewall rules by removing \f(CW\*(C`/etc/sysconfig/iptables\*(C'\fR
or custom firewalld configuration in \f(CW\*(C`/etc/firewalld/*/*\*(C'\fR.
.PP
Note this is \fInot\fR enabled by default since it may expose guests to
exploits.  Use with care.
.SS "\fBflag-reconfiguration\fP"
.IX Subsection "flag-reconfiguration"
Flag the system for reconfiguration.
.PP
For Linux guests, this touches \f(CW\*(C`/.unconfigured\*(C'\fR, which causes
the first boot to interactively query the user for settings such
as the root password and timezone.
.SS "\fBfs-uuids\fP"
.IX Subsection "fs-uuids"
Change filesystem UUIDs.
.PP
On guests and filesystem types where this is supported,
new random UUIDs are generated and assigned to filesystems.
.PP
\fINotes on fs-uuids\fR
.IX Subsection "Notes on fs-uuids"
.PP
The fs-uuids operation is disabled by default because it does
not yet find and update all the places in the guest that use
the UUIDs.  For example \f(CW\*(C`/etc/fstab\*(C'\fR or the bootloader.
Enabling this operation is more likely than not to make your
guest unbootable.
.PP
See: https://bugzilla.redhat.com/show_bug.cgi?id=991641
.SS "\fBkerberos-data\fP"
.IX Subsection "kerberos-data"
Remove Kerberos data in the guest.
.SS "\fBlogfiles\fP *"
.IX Subsection "logfiles *"
Remove many log files from the guest.
.PP
On Linux the following files are removed:
.IP "·" 4
/etc/Pegasus/*.cnf
.IP "·" 4
/etc/Pegasus/*.crt
.IP "·" 4
/etc/Pegasus/*.csr
.IP "·" 4
/etc/Pegasus/*.pem
.IP "·" 4
/etc/Pegasus/*.srl
.IP "·" 4
/root/anaconda\-ks.cfg
.IP "·" 4
/root/anaconda\-post.log
.IP "·" 4
/root/initial\-setup\-ks.cfg
.IP "·" 4
/root/install.log
.IP "·" 4
/root/install.log.syslog
.IP "·" 4
/root/original\-ks.cfg
.IP "·" 4
/var/cache/fontconfig/*
.IP "·" 4
/var/cache/gdm/*
.IP "·" 4
/var/cache/man/*
.IP "·" 4
/var/lib/AccountService/users/*
.IP "·" 4
/var/lib/fprint/*
.IP "·" 4
/var/lib/logrotate.status
.IP "·" 4
/var/log/*.log*
.IP "·" 4
/var/log/BackupPC/LOG
.IP "·" 4
/var/log/ConsoleKit/*
.IP "·" 4
/var/log/anaconda.syslog
.IP "·" 4
/var/log/anaconda/*
.IP "·" 4
/var/log/apache2/*_log
.IP "·" 4
/var/log/apache2/*_log\-*
.IP "·" 4
/var/log/apt/*
.IP "·" 4
/var/log/aptitude*
.IP "·" 4
/var/log/audit/*
.IP "·" 4
/var/log/btmp*
.IP "·" 4
/var/log/ceph/*.log
.IP "·" 4
/var/log/chrony/*.log
.IP "·" 4
/var/log/cron*
.IP "·" 4
/var/log/cups/*_log*
.IP "·" 4
/var/log/debug*
.IP "·" 4
/var/log/dmesg*
.IP "·" 4
/var/log/exim4/*
.IP "·" 4
/var/log/faillog*
.IP "·" 4
/var/log/firewalld*
.IP "·" 4
/var/log/gdm/*
.IP "·" 4
/var/log/glusterfs/*glusterd.vol.log
.IP "·" 4
/var/log/glusterfs/glusterfs.log
.IP "·" 4
/var/log/grubby*
.IP "·" 4
/var/log/httpd/*log
.IP "·" 4
/var/log/installer/*
.IP "·" 4
/var/log/jetty/jetty\-console.log
.IP "·" 4
/var/log/journal/*
.IP "·" 4
/var/log/lastlog*
.IP "·" 4
/var/log/libvirt/libvirtd.log
.IP "·" 4
/var/log/libvirt/libxl/*.log
.IP "·" 4
/var/log/libvirt/lxc/*.log
.IP "·" 4
/var/log/libvirt/qemu/*.log
.IP "·" 4
/var/log/libvirt/uml/*.log
.IP "·" 4
/var/log/lightdm/*
.IP "·" 4
/var/log/mail/*
.IP "·" 4
/var/log/maillog*
.IP "·" 4
/var/log/messages*
.IP "·" 4
/var/log/ntp
.IP "·" 4
/var/log/ntpstats/*
.IP "·" 4
/var/log/ppp/connect\-errors
.IP "·" 4
/var/log/rhsm/*
.IP "·" 4
/var/log/sa/*
.IP "·" 4
/var/log/secure*
.IP "·" 4
/var/log/setroubleshoot/*.log
.IP "·" 4
/var/log/spooler*
.IP "·" 4
/var/log/squid/*.log
.IP "·" 4
/var/log/syslog*
.IP "·" 4
/var/log/tallylog*
.IP "·" 4
/var/log/tuned/tuned.log
.IP "·" 4
/var/log/wtmp*
.IP "·" 4
/var/log/xferlog*
.IP "·" 4
/var/named/data/named.run
.SS "\fBlvm-uuids\fP *"
.IX Subsection "lvm-uuids *"
Change \s-1LVM2 PV\s0 and \s-1VG\s0 UUIDs.
.PP
On Linux guests that have \s-1LVM2\s0 physical volumes (PVs) or volume groups (VGs),
new random UUIDs are generated and assigned to those PVs and VGs.
.SS "\fBmachine-id\fP *"
.IX Subsection "machine-id *"
Remove the local machine \s-1ID.\s0
.PP
The machine \s-1ID\s0 is usually generated from a random source during system
installation and stays constant for all subsequent boots.  Optionally,
for stateless systems it is generated during runtime at boot if it is
found to be empty.
.SS "\fBmail-spool\fP *"
.IX Subsection "mail-spool *"
Remove email from the local mail spool directory.
.SS "\fBnet-hostname\fP *"
.IX Subsection "net-hostname *"
Remove \s-1HOSTNAME\s0 and \s-1DHCP_HOSTNAME\s0 in network interface configuration.
.PP
For Fedora and Red Hat Enterprise Linux,
this is removed from \f(CW\*(C`ifcfg\-*\*(C'\fR files.
.SS "\fBnet-hwaddr\fP *"
.IX Subsection "net-hwaddr *"
Remove \s-1HWADDR\s0 (hard-coded \s-1MAC\s0 address) configuration.
.PP
For Fedora and Red Hat Enterprise Linux,
this is removed from \f(CW\*(C`ifcfg\-*\*(C'\fR files.
.SS "\fBpacct-log\fP *"
.IX Subsection "pacct-log *"
Remove the process accounting log files.
.PP
The system wide process accounting will store to the pacct
log files if the process accounting is on.
.SS "\fBpackage-manager-cache\fP *"
.IX Subsection "package-manager-cache *"
Remove package manager cache.
.SS "\fBpam-data\fP *"
.IX Subsection "pam-data *"
Remove the \s-1PAM\s0 data in the guest.
.SS "\fBpasswd-backups\fP *"
.IX Subsection "passwd-backups *"
Remove /etc/passwd\- and similar backup files.
.PP
On Linux the following files are removed:
.IP "·" 4
/etc/group\-
.IP "·" 4
/etc/gshadow\-
.IP "·" 4
/etc/passwd\-
.IP "·" 4
/etc/shadow\-
.IP "·" 4
/etc/subgid\-
.IP "·" 4
/etc/subuid\-
.SS "\fBpuppet-data-log\fP *"
.IX Subsection "puppet-data-log *"
Remove the data and log files of puppet.
.SS "\fBrh-subscription-manager\fP *"
.IX Subsection "rh-subscription-manager *"
Remove the \s-1RH\s0 subscription manager files.
.SS "\fBrhn-systemid\fP *"
.IX Subsection "rhn-systemid *"
Remove the \s-1RHN\s0 system \s-1ID.\s0
.SS "\fBrpm-db\fP *"
.IX Subsection "rpm-db *"
Remove host-specific \s-1RPM\s0 database files.
.PP
Remove host-specific \s-1RPM\s0 database files and locks.  \s-1RPM\s0 will
recreate these files automatically if needed.
.SS "\fBsamba-db-log\fP *"
.IX Subsection "samba-db-log *"
Remove the database and log files of Samba.
.SS "\fBscript\fP *"
.IX Subsection "script *"
Run arbitrary scripts against the guest.
.PP
The \f(CW\*(C`script\*(C'\fR module lets you run arbitrary shell scripts or programs
against the guest.
.PP
Note this feature requires \s-1FUSE\s0 support.  You may have to enable
this in your host, for example by adding the current user to the
\&\f(CW\*(C`fuse\*(C'\fR group, or by loading a kernel module.
.PP
Use one or more \fI\-\-script\fR parameters to specify scripts or programs
that will be run against the guest.
.PP
The script or program is run with its current directory being the
guest’s root directory, so relative paths should be used.  For
example: \f(CW\*(C`rm etc/resolv.conf\*(C'\fR in the script would remove a Linux
guest’s \s-1DNS\s0 configuration file, but \f(CW\*(C`rm /etc/resolv.conf\*(C'\fR would
(try to) remove the host’s file.
.PP
Normally a temporary mount point for the guest is used, but you
can choose a specific one by using the \fI\-\-scriptdir\fR parameter.
.PP
\&\fBNote:\fR This is different from \fI\-\-firstboot\fR scripts (which run
in the context of the guest when it is booting first time).
\&\fI\-\-script\fR scripts run on the host, not in the guest.
.SS "\fBsmolt-uuid\fP *"
.IX Subsection "smolt-uuid *"
Remove the Smolt hardware \s-1UUID.\s0
.SS "\fBssh-hostkeys\fP *"
.IX Subsection "ssh-hostkeys *"
Remove the \s-1SSH\s0 host keys in the guest.
.PP
The \s-1SSH\s0 host keys are regenerated (differently) next time the guest is
booted.
.PP
If, after cloning, the guest gets the same \s-1IP\s0 address, ssh will give
you a stark warning about the host key changing:
.PP
.Vb 4
\& @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
\& @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
\& @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
\& IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
.Ve
.SS "\fBssh-userdir\fP *"
.IX Subsection "ssh-userdir *"
Remove \*(L".ssh\*(R" directories in the guest.
.PP
Remove the \f(CW\*(C`.ssh\*(C'\fR directory of user \*(L"root\*(R" and any other
users who have a \f(CW\*(C`.ssh\*(C'\fR directory in their home directory.
.PP
\fINotes on ssh-userdir\fR
.IX Subsection "Notes on ssh-userdir"
.PP
Currently this only looks in \f(CW\*(C`/root\*(C'\fR and \f(CW\*(C`/home/*\*(C'\fR for
home directories, so users with home directories in other
locations won't have the ssh files removed.
.SS "\fBsssd-db-log\fP *"
.IX Subsection "sssd-db-log *"
Remove the database and log files of sssd.
.SS "\fBtmp-files\fP *"
.IX Subsection "tmp-files *"
Remove temporary files.
.PP
This removes temporary files under \f(CW\*(C`/tmp\*(C'\fR and \f(CW\*(C`/var/tmp\*(C'\fR.
.SS "\fBudev-persistent-net\fP *"
.IX Subsection "udev-persistent-net *"
Remove udev persistent net rules.
.PP
Remove udev persistent net rules which map the guest’s existing \s-1MAC\s0
address to a fixed ethernet device (eg. eth0).
.PP
After a guest is cloned, the \s-1MAC\s0 address usually changes.  Since the
old \s-1MAC\s0 address occupies the old name (eg. eth0), this means the fresh
\&\s-1MAC\s0 address is assigned to a new name (eg. eth1) and this is usually
undesirable.  Erasing the udev persistent net rules avoids this.
.SS "\fBuser-account\fP"
.IX Subsection "user-account"
Remove the user accounts in the guest.
.PP
By default remove all the user accounts and their home directories.
The \*(L"root\*(R" account is not removed.
.PP
See the \fI\-\-remove\-user\-accounts\fR parameter for a way to specify
how to remove only some users, or to not remove some others.
.SS "\fButmp\fP *"
.IX Subsection "utmp *"
Remove the utmp file.
.PP
This file records who is currently logged in on a machine.  In modern
Linux distros it is stored in a ramdisk and hence not part of the
virtual machine’s disk, but it was stored on disk in older distros.
.SS "\fByum-uuid\fP *"
.IX Subsection "yum-uuid *"
Remove the yum \s-1UUID.\s0
.PP
Yum creates a fresh \s-1UUID\s0 the next time it runs when it notices that the
original \s-1UUID\s0 has been erased.
.SH "COPYING AND CLONING"
.IX Header "COPYING AND CLONING"
Virt-sysprep can be used as part of a process of cloning guests, or to
prepare a template from which guests can be cloned.  There are many
different ways to achieve this using the virt tools, and this section
is just an introduction.
.PP
A virtual machine (when switched off) consists of two parts:
.IP "\fIconfiguration\fR" 4
.IX Item "configuration"
The configuration or description of the guest.  eg. The libvirt
\&\s-1XML\s0 (see \f(CW\*(C`virsh dumpxml\*(C'\fR), the running configuration of the guest,
or another external format like \s-1OVF.\s0
.Sp
Some configuration items that might need to be changed:
.RS 4
.IP "\(bu" 4
name
.IP "\(bu" 4
\&\s-1UUID\s0
.IP "\(bu" 4
path to block device(s)
.IP "\(bu" 4
network card \s-1MAC\s0 address
.RE
.RS 4
.RE
.IP "\fIblock device(s)\fR" 4
.IX Item "block device(s)"
One or more hard disk images, themselves containing files,
directories, applications, kernels, configuration, etc.
.Sp
Some things inside the block devices that might need to be changed:
.RS 4
.IP "\(bu" 4
hostname and other net configuration
.IP "\(bu" 4
\&\s-1UUID\s0
.IP "\(bu" 4
\&\s-1SSH\s0 host keys
.IP "\(bu" 4
Windows unique security \s-1ID\s0 (\s-1SID\s0)
.IP "\(bu" 4
Puppet registration
.RE
.RS 4
.RE
.SS "\s-1COPYING THE BLOCK DEVICE\s0"
.IX Subsection "COPYING THE BLOCK DEVICE"
Starting with an original guest, you probably wish to copy the guest
block device and its configuration to make a template.  Then once you
are happy with the template, you will want to make many clones from
it.
.PP
.Vb 7
\&                        virt\-sysprep
\&                             |
\&                             v
\& original guest \-\-\-\-\-\-\-\-> template \-\-\-\-\-\-\-\-\-\->
\&                                      \e\-\-\-\-\-\-> cloned
\&                                       \e\-\-\-\-\-> guests
\&                                        \e\-\-\-\->
.Ve
.PP
You can, of course, just copy the block device on the host using
\&\fBcp\fR\|(1) or \fBdd\fR\|(1).
.PP
.Vb 5
\&                   dd                 dd
\& original guest \-\-\-\-\-\-\-\-> template \-\-\-\-\-\-\-\-\-\->
\&                                      \e\-\-\-\-\-\-> cloned
\&                                       \e\-\-\-\-\-> guests
\&                                        \e\-\-\-\->
.Ve
.PP
There are some smarter (and faster) ways too:
.PP
.Vb 5
\&                          snapshot
\&                template \-\-\-\-\-\-\-\-\-\->
\&                            \e\-\-\-\-\-\-> cloned
\&                             \e\-\-\-\-\-> guests
\&                              \e\-\-\-\->
.Ve
.PP
You may want to run virt-sysprep twice, once to reset the guest (to
make a template) and a second time to customize the guest for a
specific user:
.PP
.Vb 6
\&                    virt\-sysprep        virt\-sysprep
\&                      (reset)      (add user, keys, logos)
\&                         |                   |
\&                 dd      v          dd       v
\& original guest \-\-\-\-> template \-\-\-\-\-\-\-\-\-> copied \-\-\-\-\-\-> custom
\&                                          template       guest
.Ve
.IP "\(bu" 4
Create a snapshot using qemu-img:
.Sp
.Vb 1
\& qemu\-img create \-f qcow2 \-o backing_file=original snapshot.qcow
.Ve
.Sp
The advantage is that you don’t need to copy the original (very fast)
and only changes are stored (less storage required).
.Sp
Note that writing to the backing file once you have created guests on
top of it is not possible: you will corrupt the guests.
.IP "\(bu" 4
Create a snapshot using \f(CW\*(C`lvcreate \-\-snapshot\*(C'\fR.
.IP "\(bu" 4
Other ways to create snapshots include using filesystems-level tools
(for filesystems such as btrfs).
.Sp
Most Network Attached Storage (\s-1NAS\s0) devices can also create cheap
snapshots from files or LUNs.
.IP "\(bu" 4
Get your \s-1NAS\s0 to duplicate the \s-1LUN.\s0  Most \s-1NAS\s0 devices can also
duplicate LUNs very cheaply (they copy them on-demand in the
background).
.IP "\(bu" 4
Prepare your template using \fBvirt\-sparsify\fR\|(1).  See below.
.SS "VIRT-CLONE"
.IX Subsection "VIRT-CLONE"
A separate tool, \fBvirt\-clone\fR\|(1), can be used to duplicate the block
device and/or modify the external libvirt configuration of a guest.
It will reset the name, \s-1UUID\s0 and \s-1MAC\s0 address of the guest in the
libvirt \s-1XML.\s0
.PP
\&\fBvirt\-clone\fR\|(1) does not use libguestfs and cannot look inside the
disk image.  This was the original motivation to write virt-sysprep.
.SS "\s-1SPARSIFY\s0"
.IX Subsection "SPARSIFY"
.Vb 2
\&              virt\-sparsify
\& original guest \-\-\-\-\-\-\-\-> template
.Ve
.PP
\&\fBvirt\-sparsify\fR\|(1) can be used to make the cloning template smaller,
making it easier to compress and/or faster to copy.
.PP
Notice that since virt-sparsify also copies the image, you can use it
to make the initial copy (instead of \f(CW\*(C`dd\*(C'\fR).
.SS "\s-1RESIZE\s0"
.IX Subsection "RESIZE"
.Vb 5
\&                         virt\-resize
\&                template \-\-\-\-\-\-\-\-\-\->
\&                            \e\-\-\-\-\-\-> cloned
\&                             \e\-\-\-\-\-> guests
\&                              \e\-\-\-\->
.Ve
.PP
If you want to give people cloned guests, but let them pick the size
of the guest themselves (eg. depending on how much they are prepared
to pay for disk space), then instead of copying the template, you can
run \fBvirt\-resize\fR\|(1).  Virt-resize performs a copy and resize, and
thus is ideal for cloning guests from a template.
.SH "FIRSTBOOT VS SCRIPT"
.IX Header "FIRSTBOOT VS SCRIPT"
The two options \fI\-\-firstboot\fR and \fI\-\-script\fR both supply shell
scripts that are run against the guest.  However these two options are
significantly different.
.PP
\&\fI\-\-firstboot script\fR uploads the file \f(CW\*(C`script\*(C'\fR into the guest
and arranges that it will run, in the guest, when the guest is
next booted.  (The script will only run once, at the \*(L"first boot\*(R").
.PP
\&\fI\-\-script script\fR runs the shell \f(CW\*(C`script\*(C'\fR \fIon the host\fR, with its
current directory inside the guest filesystem.
.PP
If you needed, for example, to \f(CW\*(C`yum install\*(C'\fR new packages, then you
\&\fImust not\fR use \fI\-\-script\fR for this, since that would (a) run the
\&\f(CW\*(C`yum\*(C'\fR command on the host and (b) wouldn't have access to the same
resources (repositories, keys, etc.) as the guest.  Any command that
needs to run on the guest \fImust\fR be run via \fI\-\-firstboot\fR.
.PP
On the other hand if you need to make adjustments to the guest
filesystem (eg. copying in files), then \fI\-\-script\fR is ideal since (a)
it has access to the host filesystem and (b) you will get immediate
feedback on errors.
.PP
Either or both options can be used multiple times on the command line.
.SH "SECURITY"
.IX Header "SECURITY"
Although virt-sysprep removes some sensitive information from the
guest, it does not pretend to remove all of it.  You should examine
the \*(L"\s-1OPERATIONS\*(R"\s0 above and the guest afterwards.
.PP
Sensitive files are simply removed.  The data they contained may still
exist on the disk, easily recovered with a hex editor or undelete
tool.  The \fI\-\-scrub\fR option can be used to scrub files instead of
just deleting them.  \fBvirt\-sparsify\fR\|(1) is another way to remove this
content.  See also the \fBscrub\fR\|(1) command to get rid of deleted
content in directory entries and inodes.
.SS "\s-1RANDOM SEED\s0"
.IX Subsection "RANDOM SEED"
\&\fI(This section applies to Linux guests only)\fR
.PP
For supported guests, virt-sysprep writes a few bytes of randomness
from the host into the guest’s random seed file.
.PP
If this is just done once and the guest is cloned from the same
template, then each guest will start with the same entropy, and things
like \s-1SSH\s0 host keys and \s-1TCP\s0 sequence numbers may be predictable.
.PP
Therefore you should arrange to add more randomness \fIafter\fR cloning
from a template too, which can be done by enabling just the customize
module:
.PP
.Vb 2
\& cp template.img newguest.img
\& virt\-sysprep \-\-enable customize \-a newguest.img
.Ve
.SH "SELINUX"
.IX Header "SELINUX"
For guests which make use of SELinux, special handling for them might
be needed when using operations which create new files or alter
existing ones.
.PP
For further details, see \*(L"\s-1SELINUX\*(R"\s0 in \fBvirt\-builder\fR\|(1).
.SH "WINDOWS 8"
.IX Header "WINDOWS 8"
Windows 8 \*(L"fast startup\*(R" can prevent virt-sysprep from working.
See \*(L"\s-1WINDOWS HIBERNATION AND WINDOWS 8 FAST STARTUP\*(R"\s0 in \fBguestfs\fR\|(3).
.SH "EXIT STATUS"
.IX Header "EXIT STATUS"
This program returns 0 on success, or 1 if there was an error.
.SH "ENVIRONMENT VARIABLES"
.IX Header "ENVIRONMENT VARIABLES"
.ie n .IP """VIRT_TOOLS_DATA_DIR""" 4
.el .IP "\f(CWVIRT_TOOLS_DATA_DIR\fR" 4
.IX Item "VIRT_TOOLS_DATA_DIR"
This can point to the directory containing data files used for Windows
firstboot installation.
.Sp
Normally you do not need to set this.  If not set, a compiled-in
default will be used (something like \fI/usr/share/virt\-tools\fR).
.Sp
This directory may contain the following files:
.RS 4
.IP "\fIrhsrvany.exe\fR" 4
.IX Item "rhsrvany.exe"
This is the RHSrvAny Windows binary, used to install a \*(L"firstboot\*(R"
script in Windows guests.  It is required if you intend to use the
\&\fI\-\-firstboot\fR or \fI\-\-firstboot\-command\fR options with Windows guests.
.Sp
See also: \f(CW\*(C`https://github.com/rwmjones/rhsrvany\*(C'\fR
.IP "\fIpvvxsvc.exe\fR" 4
.IX Item "pvvxsvc.exe"
This is a Windows binary shipped with \s-1SUSE VMDP,\s0 used to install a \*(L"firstboot\*(R"
script in Windows guests.  It is required if you intend to use the
\&\fI\-\-firstboot\fR or \fI\-\-firstboot\-command\fR options with Windows guests.
.RE
.RS 4
.RE
.PP
For other environment variables, see \*(L"\s-1ENVIRONMENT VARIABLES\*(R"\s0 in \fBguestfs\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBguestfs\fR\|(3),
\&\fBguestfish\fR\|(1),
\&\fBvirt\-builder\fR\|(1),
\&\fBvirt\-clone\fR\|(1),
\&\fBvirt\-customize\fR\|(1),
\&\fBvirt\-rescue\fR\|(1),
\&\fBvirt\-resize\fR\|(1),
\&\fBvirt\-sparsify\fR\|(1),
\&\fBvirsh\fR\|(1),
\&\fBlvcreate\fR\|(8),
\&\fBqemu\-img\fR\|(1),
\&\fBscrub\fR\|(1),
http://libguestfs.org/,
http://libvirt.org/.
.SH "AUTHORS"
.IX Header "AUTHORS"
Richard W.M. Jones http://people.redhat.com/~rjones/
.PP
Wanlong Gao, Fujitsu Ltd.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (C) 2011\-2019 Red Hat Inc.
.PP
Copyright (C) 2012 Fujitsu Ltd.
.SH "LICENSE"
.IX Header "LICENSE"
This program is free software; you can redistribute it and/or modify it
under the terms of the \s-1GNU\s0 General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.
.PP
This program is distributed in the hope that it will be useful, but
\&\s-1WITHOUT ANY WARRANTY\s0; without even the implied warranty of
\&\s-1MERCHANTABILITY\s0 or \s-1FITNESS FOR A PARTICULAR PURPOSE.\s0  See the \s-1GNU\s0
General Public License for more details.
.PP
You should have received a copy of the \s-1GNU\s0 General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, \s-1MA 02110\-1301 USA.\s0
.SH "BUGS"
.IX Header "BUGS"
To get a list of bugs against libguestfs, use this link:
https://bugzilla.redhat.com/buglist.cgi?component=libguestfs&product=Virtualization+Tools
.PP
To report a new bug against libguestfs, use this link:
https://bugzilla.redhat.com/enter_bug.cgi?component=libguestfs&product=Virtualization+Tools
.PP
When reporting a bug, please supply:
.IP "\(bu" 4
The version of libguestfs.
.IP "\(bu" 4
Where you got libguestfs (eg. which Linux distro, compiled from source, etc)
.IP "\(bu" 4
Describe the bug accurately and give a way to reproduce it.
.IP "\(bu" 4
Run \fBlibguestfs\-test\-tool\fR\|(1) and paste the \fBcomplete, unedited\fR
output into the bug report.