> > secret keys, passwords, unique ids, IPs, logs, ....
>
> Obviously, anything you leave on the machine will be replicated to the next
> CT created from the template. This is a feature, and not a problem.

No, IMHO this is a big security risk!

> Creating a template will require a couple of IQ points - and for the scenario
> you mention they should use backup and not create a template. This is the same
> if you do it manually - they will need to be removed if you do not wish them
> to be in the Template.

No, this is really not the same for me.

> > > I'd really like to get this feature available in Proxmox as every
> > > time I create a new template I have to SSH to the box and tar the CT
> > > folder. It's such a simple process and it drives me crazy every time I
> > > have to SSH to the box.
> > >
> > > Is there any way of getting this feature into Proxmox - even if it
> > > means completely changing how it's implemented, or is this just a
> > > no-go from the start?
> >
> > I see the following problems with this approach:
> >
> > 1.) Our security model assumes the OpenVZ templates do not contain
> > secrets (templates are readable by all storage users). So a simple
> > copy of existing VMs is likely to leak passwords and other secret data!
>
> I agree - I didn't realise that template storage was not protected. Perhaps we
> could create a new storage role which would be used for templates?

I have no plans to change that model.

> > 2.) Many software packages (and admins) copy IP addresses or hostname
> > into configuration files. This will lead to non-functional templates.
>
> This would be a problem whichever way you look at it. Your 'supported' way
> of creating a backup and restoring it would have the same trouble.

The difference is that this is already implemented.

> > 3.) Containers can contain custom network configs (veth, ...). This
> > will also lead to non-functional templates.
>
> Again, this would be an issue with your supported method.

See above. I suggest you simply use restore, and then apply a script to do the changes you want?
_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
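A pre-template audit for the categories named at the top of the thread (secret keys, passwords, unique ids, IPs, logs), as an added example that is not part of the original message and is not Proxmox code. The function names are hypothetical and the file paths are assumed common Linux defaults; it takes the unpacked container root directory as its argument.

```shell
#!/bin/sh
# Added example: audit an unpacked container root before it becomes a template.
# Prints one "category<TAB>detail" line per finding; returns 1 if anything was found.

report() { printf '%s\t%s\n' "$1" "$2"; findings=$((findings + 1)); }

audit_ct_root() {
    root=${1%/}
    findings=0

    # Secret keys: SSH host keys and users' private keys (public halves skipped).
    for f in "$root"/etc/ssh/ssh_host_*_key "$root"/root/.ssh/id_* "$root"/home/*/.ssh/id_*; do
        case $f in *.pub) continue ;; esac
        if [ -f "$f" ]; then report secret-key "${f#"$root"}"; fi
    done

    # Passwords: accounts in /etc/shadow whose hash field is set and not locked.
    if [ -f "$root/etc/shadow" ]; then
        for u in $(awk -F: '$2 != "" && $2 !~ /^[*!]/ {print $1}' "$root/etc/shadow"); do
            report password "$u"
        done
    fi

    # Unique ids: a populated machine-id is cloned into every new container.
    if [ -s "$root/etc/machine-id" ]; then report unique-id /etc/machine-id; fi

    # IPs: IPv4 addresses hard-coded in common network files (lines starting 127. ignored).
    for f in "$root/etc/hosts" "$root/etc/network/interfaces"; do
        if [ -f "$f" ] && grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}' "$f" | grep -qv '^127\.'; then
            report ip-address "${f#"$root"}"
        fi
    done

    # Logs and shell history: non-empty files carry the source machine's past.
    # (Paths containing whitespace are not handled by this word-split loop.)
    for f in $(find "$root/var/log" "$root/root" "$root/home" -type f -size +0 \
               \( -path '*/var/log/*' -o -name '.*_history' \) 2>/dev/null); do
        report log-or-history "${f#"$root"}"
    done

    [ "$findings" -eq 0 ]
}
```

Because templates are readable by all storage users, any line this prints describes data that every storage user could read once the directory is tarred into a template.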
