On Mon, Feb 14, 2022 at 11:29 PM Nathanaël Blanchet <blanchet@abes.fr> wrote:

Le 14 févr. 2022 21:09, Arik Hadas <ahadas@redhat.com> a écrit :

On Mon, Feb 14, 2022 at 8:44 PM Nathanaël Blanchet <blanchet@abes.fr> wrote:

Le 14/02/2022 à 17:45, Arik Hadas a écrit :

On Mon, Feb 14, 2022 at 4:52 PM Nathanaël Blanchet <blanchet@abes.fr> wrote:

Hello,

I noticed that a vm created from a "sealed" template is initially mount
on one host with libguestfs, with a virt-sysprep process, before getting
ready to be used.

This should be unuseful given that the template is already sealed. Is
there a reason to that?

Yes, we do this in order to produce different LVM IDs and machine IDs for the provisioned VMs, see: https://gerrit.ovirt.org/c/ovirt-engine/+/115009

okay, but, I modified the /usr/lib/python3.6/site-packages/vdsm/virtsysprep.py file like following:

args = ['--hostname', 'localhost', ''--selinux-relabel', '--update', '--network']"

in order to update packages on template creation.

The template creation still works and the template is checked as sealed and os is updated, but now the vm creation never ends up and I have to manually kill the virt-sysprep process to stop the infinite process creation.

I believed it was a good workaround to get updated templates, but I had to rollback to default virt-sysprep args configuration, unless there is trick do to so?

If you create the VM from the webadmin, you can uncheck the 'sealed' option in the new-vm dialog to skip the second execution of virt-sysprep on the VM

If you create it from REST-API (or the VM portal), you might want to change the configuration of the template in the database:

update vm_static set is_template_sealed='f' where vm_name='<your template's name>';

Thanks for this useful tip, but as you said if second seal has been designed it is to produce different VM IDs... So what will happen if I skip this process?

It was that way (i.e., without sysprep-ing the vm volumes) for years - if that worked well for you, you shouldn't notice a difference

Secondly I'd like to know if there is a way to skip the second seal from the template with oVirt VM ansible module( don't seem to be), it is safer than modifying the DB.

Ansible is in the second category (since it is based on oVirt's REST-API) so yeah, I don't see a different way you can achieve this at the moment

And you're right, it's not recommended to modify the DB directly but the same goes for changing the VDSM source files ;)

Anyway, that is_template_sealed field only affects the UI (presenting whether the template is sealed) and this functionality (deciding whether virt-sysprep should be executed on the vm volumes) - so changing it should be safe.