On Wed, May 09, 2012 at 12:45:50PM +0100, Richard W.M. Jones wrote: > On Wed, May 09, 2012 at 06:08:54PM +0800, Wanlong Gao wrote: > > Remove the ca certificates. > > > > Signed-off-by: Wanlong Gao <[email protected]> > > --- > > sysprep/Makefile.am | 2 + > > sysprep/sysprep_operation_ca_certificates.ml | 62 > > ++++++++++++++++++++++++++ > > 2 files changed, 64 insertions(+) > > create mode 100644 sysprep/sysprep_operation_ca_certificates.ml > > > > diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am > > index d82e5ae..c6292cc 100644 > > --- a/sysprep/Makefile.am > > +++ b/sysprep/Makefile.am > > @@ -35,6 +35,7 @@ SOURCES = \ > > sysprep_operation.ml \ > > sysprep_operation.mli \ > > sysprep_operation_bash_history.ml \ > > + sysprep_operation_ca_certificates.ml \ > > sysprep_operation_cron_spool.ml \ > > sysprep_operation_dhcp_client_state.ml \ > > sysprep_operation_dhcp_server_state.ml \ > > @@ -68,6 +69,7 @@ OBJECTS = \ > > utils.cmx \ > > sysprep_operation.cmx \ > > sysprep_operation_bash_history.cmx \ > > + sysprep_operation_ca_certificates.cmx \ > > sysprep_operation_cron_spool.cmx \ > > sysprep_operation_dhcp_client_state.cmx \ > > sysprep_operation_dhcp_server_state.cmx \ > > diff --git a/sysprep/sysprep_operation_ca_certificates.ml > > b/sysprep/sysprep_operation_ca_certificates.ml > > new file mode 100644 > > index 0000000..82b4189 > > --- /dev/null > > +++ b/sysprep/sysprep_operation_ca_certificates.ml > > @@ -0,0 +1,62 @@ > > +(* virt-sysprep > > + * Copyright (C) 2012 FUJITSU LIMITED > > + * > > + * This program is free software; you can redistribute it and/or modify > > + * it under the terms of the GNU General Public License as published by > > + * the Free Software Foundation; either version 2 of the License, or > > + * (at your option) any later version. > > + * > > + * This program is distributed in the hope that it will be useful, > > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > > + * GNU General Public License for more details. > > + * > > + * You should have received a copy of the GNU General Public License along > > + * with this program; if not, write to the Free Software Foundation, Inc., > > + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. > > + *) > > + > > +open Sysprep_operation > > +open Sysprep_gettext.Gettext > > + > > +module G = Guestfs > > + > > +let ca_certificates_perform g root = > > + let typ = g#inspect_get_type root in > > + if typ <> "windows" then ( > > + let paths = [ "/etc/pki/CA/certs/*"; > > + "/etc/pki/CA/crl/*"; > > + "/etc/pki/CA/newcerts/*"; > > + "/etc/pki/CA/private/*"; > > + "/etc/pki/tls/private/*"; > > + "/etc/pki/tls/certs/*.crt"; ] in > > + let excepts = [ "/etc/pki/tls/certs/ca-bundle.crt"; > > + "/etc/pki/tls/certs/ca-bundle.trust.crt"; ] in > > I've no idea if it is correct to remove these files. These > directories on my machines are all empty. Also what happens if a user > adds a custom certificate to a machine? Perhaps this operation should > be included in sysprep but disabled by default?
If we're going to do this, then we need to distinguish between CA certificates and server/client certificates. The latter are issued per machine/user and should be removed, the former are global per organization & should be left untouched. While considering this area, we should also kill off any kerberos host principals. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| _______________________________________________ Libguestfs mailing list [email protected] https://www.redhat.com/mailman/listinfo/libguestfs
