Aaron Copley asked:
If I need to deploy Red Hat 7 from template, I would like to take the recommended steps to make my “golden image” clean. It should boot to the first boot prompt and guide the user through the typical steps.
In Red Hat 5/6, I followed the documentation provided by the vendor. However, I cannot find the equivalent for Red Hat 7. Specifically,
touch /.unconfigured does not trigger the first boot setup.
9.3.1. Sealing a Linux Virtual Machine for Deployment as a Template
Generalize (seal) a Linux virtual machine before making it into a template. This prevents conflicts between virtual machines deployed from the template.
Procedure 9.6. Sealing a Linux Virtual Machine
Log in to the virtual machine. Flag the system for re-configuration by running the following command as root:
# touch /.unconfigured
- Remove ssh host keys. Run:
# rm -rf /etc/ssh/ssh_host_*
- Remove /etc/udev/rules.d/70-*. Run:
# rm -rf /etc/udev/rules.d/70-*
- Remove the HWADDR= and UUID= line from
- Optionally delete all the logs from
/var/logand build logs from
- Shut down the virtual machine. Run:
Edit: Steps 1 & 7 can be combined by running
sys-unconfig last. Or, have a look at
virt-sysprep from libguestfs-tools-c which does much, much more.
[user@hostname ~]$ virt-sysprep --list-operations abrt-data * Remove the crash data generated by ABRT bash-history * Remove the bash history in the guest blkid-tab * Remove blkid tab in the guest ca-certificates Remove CA certificates in the guest crash-data * Remove the crash data generated by kexec-tools cron-spool * Remove user at-jobs and cron-jobs delete * Delete specified files or directories dhcp-client-state * Remove DHCP client leases dhcp-server-state * Remove DHCP server leases dovecot-data * Remove Dovecot (mail server) data firewall-rules Remove the firewall rules firstboot * Add scripts to run once at next boot flag-reconfiguration Flag the system for reconfiguration hostname * Change the hostname of the guest kerberos-data Remove Kerberos data in the guest logfiles * Remove many log files from the guest lvm-uuids * Change LVM2 PV and VG UUIDs machine-id * Remove the local machine ID mail-spool * Remove email from the local mail spool directory net-hostname * Remove HOSTNAME in network interface configuration net-hwaddr * Remove HWADDR (hard-coded MAC address) configuration pacct-log * Remove the process accounting log files package-manager-cache * Remove package manager cache pam-data * Remove the PAM data in the guest password * Set root or user password puppet-data-log * Remove the data and log files of puppet random-seed * Generate random seed for guest rhn-systemid * Remove the RHN system ID rpm-db * Remove host-specific RPM database files samba-db-log * Remove the database and log files of Samba script * Run arbitrary scripts against the guest smolt-uuid * Remove the Smolt hardware UUID ssh-hostkeys * Remove the SSH host keys in the guest ssh-userdir * Remove ".ssh" directories in the guest sssd-db-log * Remove the database and log files of sssd tmp-files * Remove temporary files udev-persistent-net * Remove udev persistent net rules user-account Remove the user accounts in the guest utmp * Remove the utmp file yum-uuid * Remove the yum UUID
What we think of as the initial setup is actually in three parts. The first two are:
- Initial setup, which asks you to accept the license and create a user
- Firstboot, which asks you to configure kdump and (on RHEL) set up your subscription
Both of these are now enabled via systemd; once complete they disable themselves.
So, all you should have to do is remove any local user(s) created during the first Initial Setup process and re-enable these services:
systemctl enable initial-setup-graphical.service systemctl enable firstboot-graphical.service > /etc/sysconfig/firstboot
I’m not entirely sure about the third part, which asks you for your language and to create a user account or to to join the machine to a domain. This, at least, will continue coming back until you actually complete the wizard. (So don’t do that.)
It still may be a good idea to clean-up host keys and any hardware specific configuration. (Mac addresses in udev rules and interface configuration files.)
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.