On Mon, Feb 14, 2022 at 11:29 PM Nathanaël Blanchet <blanchet(a)abes.fr&gt; wrote: Le 14 févr. 2022 21:09, Arik Hadas <ahadas(a)redhat.com&gt; a écrit : On Mon, Feb 14, 2022 at 8:44 PM Nathanaël Blanchet <blanchet(a)abes.fr&gt; wrote: Le 14/02/2022 à 17:45, Arik Hadas a écrit : On Mon, Feb 14, 2022 at 4:52 PM Nathanaël Blanchet <blanchet(a)abes.fr&gt; wrote: Hello, I noticed that a vm created from a "sealed" template is initially mount on one host with libguestfs, with a virt-sysprep process, before getting ready to be used. This should be unuseful given that the template is already sealed. Is there a reason to that? Yes, we do this in order to produce different LVM IDs and machine IDs for the provisioned VMs, see: https://gerrit.ovirt.org/c/ovirt-engine/+/115009 okay, but, I modified  the /usr/lib/python3.6/site-packages/vdsm/virtsysprep.py file like following: args = ['--hostname', 'localhost', ''--selinux-relabel', '--update', '--network']" in order to update packages on template creation. The template creation still works and the template is checked as sealed and os is updated, but now the vm creation never ends up and I have to manually kill the virt-sysprep process to stop the infinite process creation. I believed it was a good workaround to get updated templates, but I had to rollback to default virt-sysprep args configuration, unless there is trick do to so? If you create the VM from the webadmin, you can uncheck the 'sealed' option in the new-vm dialog to skip the second execution of virt-sysprep on the VM If you create it from REST-API (or the VM portal), you might want to change the configuration of the template in the database: update vm_static set is_template_sealed='f' where vm_name='<your template's name>'; Thanks for this useful tip, but as you said if second seal has been designed it is to produce different VM IDs... So what will happen if I skip this process? It was that way (i.e., without sysprep-ing the vm volumes) for years - if that worked well for you, you shouldn't notice a difference Secondly I'd like to know if there is a way to skip the second seal from the template with oVirt VM ansible module( don't seem to be), it is safer than modifying the DB. Ansible is in the second category (since it is based on oVirt's REST-API) so yeah, I don't see a different way you can achieve this at the moment And you're right, it's not recommended to modify the DB directly but the same goes for changing the VDSM source files ;) Anyway, that is_template_sealed field only affects the UI (presenting whether the template is sealed) and this functionality (deciding whether virt-sysprep should be executed on the vm volumes) - so changing it should be safe.

-- Nathanaël Blanchet Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax  33 (0)4 67 54 84 14 blanchet(a)abes.fr _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/7VSOFV3TFSM... -- Nathanaël Blanchet Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14 blanchet(a)abes.fr

On Tue, Feb 15, 2022 at 12:26 PM Nathanaël Blanchet <blanchet(a)abes.fr&gt; wrote: Le 15/02/2022 à 10:32, Arik Hadas a écrit : > > > On Mon, Feb 14, 2022 at 11:29 PM Nathanaël Blanchet > <blanchet(a)abes.fr&gt; wrote: > > > > Le 14 févr. 2022 21:09, Arik Hadas <ahadas(a)redhat.com&gt; a écrit : > > > > On Mon, Feb 14, 2022 at 8:44 PM Nathanaël Blanchet > <blanchet(a)abes.fr&gt; wrote: > > > Le 14/02/2022 à 17:45, Arik Hadas a écrit : > > > > On Mon, Feb 14, 2022 at 4:52 PM Nathanaël > Blanchet <blanchet(a)abes.fr&gt; wrote: > > Hello, > > I noticed that a vm created from a "sealed" > template is initially mount > on one host with libguestfs, with a > virt-sysprep process, before getting > ready to be used. > > This should be unuseful given that the > template is already sealed. Is > there a reason to that? > > > Yes, we do this in order to produce different LVM > IDs and machine IDs for the provisioned VMs, see: > https://gerrit.ovirt.org/c/ovirt-engine/+/115009 > > okay, but, I modified  the > /usr/lib/python3.6/site-packages/vdsm/virtsysprep.py > file like following: > > args = ['--hostname', 'localhost', > ''--selinux-relabel', '--update', '--network']" > > in order to update packages on  template creation. > > The template creation still works and the template is > checked as sealed and os is updated, but now the vm > creation never ends up and I have to manually kill > the virt-sysprep process to stop the infinite process > creation. > > I believed it was a good workaround to get updated > templates, but I had to rollback to default > virt-sysprep args configuration, unless there is > trick do to so? > > If you create the VM from the webadmin, you can uncheck > the 'sealed' option in the new-vm dialog to skip the > second execution of virt-sysprep on the VM > If you create it from REST-API (or the VM portal), you > might want to change the configuration of the template in > the database: > update vm_static set is_template_sealed='f' where > vm_name='<your template's name>'; > > Thanks for this useful tip, but as you said if second seal > has been designed it is to produce different VM IDs... So > what will happen if I skip this process? > > > It was that way (i.e., without sysprep-ing the vm volumes) for > years - if that worked well for you, you shouldn't notice a > difference > > Secondly I'd like to know if there is a way to skip the > second seal from the template with oVirt VM ansible module( > don't seem to be), it is safer than modifying the DB. > > > Ansible is in the second category (since it is based on > oVirt's REST-API) so yeah, I don't see a different way you can > achieve this at the moment > And you're right, it's not recommended to modify the DB directly > but the same goes for changing the VDSM source files ;) > Anyway, that is_template_sealed field only affects the UI > (presenting whether the template is sealed) and this > functionality (deciding whether virt-sysprep should be executed > on the vm volumes) - so changing it should be safe. Thank you it works as expected now. But giving that my templates are auto-created, is there a way to set is_template_sealed to false at template creation rather than manually doing it in a second time? We change the database via Ansible during the deployment of hosted engine [1], maybe you can do it in a similar way.. Filed https://bugzilla.redhat.com/show_bug.cgi?id=2054681 for adding the configuration we have at the webadmin to the API

[1] https://github.com/oVirt/ovirt-ansible-collection/blob/1.6.6-1/roles/host...

> > > > -- > Nathanaël Blanchet > > Supervision réseau > SIRE > 227 avenue Professeur-Jean-Louis-Viala > 34193 MONTPELLIER CEDEX 5 > Tél. 33 (0)4 67 54 84 55 > Fax  33 (0)4 67 54 84 14 > blanchet(a)abes.fr > _______________________________________________ > Users mailing list -- users(a)ovirt.org > To unsubscribe send an email to > users-leave(a)ovirt.org > Privacy Statement: > https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/users@ovirt.org/message/7VSOFV3TFSM... > > -- > Nathanaël Blanchet > > Supervision réseau > SIRE > 227 avenue Professeur-Jean-Louis-Viala > 34193 MONTPELLIER CEDEX 5 > Tél. 33 (0)4 67 54 84 55 > Fax 33 (0)4 67 54 84 14 > blanchet(a)abes.fr > > -- Nathanaël Blanchet Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14 blanchet(a)abes.fr