From 51a028e6348f5b2ac49e48206ae2234bba6f9014 Mon Sep 17 00:00:00 2001
From: Michael Trip <michael@alcatrash.org>
Date: Tue, 18 Feb 2020 11:01:57 +0100
Subject: [PATCH] initial commit

---
 README.md                  |  45 ++++++++++++++++++++++-
 vm-firstrun                | Bin 0 -> 4541 bytes
 vm-firstrun.example-config |  10 +++++
 vm-firstrun.service        |  11 ++++++
 vm-firstrun.sh             |  73 +++++++++++++++++++++++++++++++++++++
 vm-seal.sh                 |  44 ++++++++++++++++++++++
 6 files changed, 182 insertions(+), 1 deletion(-)
 create mode 100644 vm-firstrun
 create mode 100644 vm-firstrun.example-config
 create mode 100644 vm-firstrun.service
 create mode 100644 vm-firstrun.sh
 create mode 100644 vm-seal.sh

diff --git a/README.md b/README.md
index f14460c..b74dfd5 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,45 @@
-# template-config
+# EL7 VM Templatization for Proxmox
 
+## Description
+
+These are some handy tools to turn a VM into a template, so that creating a new VM is as simple as (full) clone and boot. There are several assumptions made that may not necessarily match with anyone else's environment:
+  - CentOS 7 minimal install (will probably work on any flavor of EL7)
+  - DHCP server available
+  - rootfs (/) is on the last partition of the primary disk, and is a primary partition
+  - a `centos` user exists on the VM (this is not a hard requirement, nothing bad will happen if it's not true)
+  
+Right now, the main things it will do is on the first time a new VM boots it will:
+  - generate a new hostname (configurable, defaults to using UUIDs)
+  - grow the rootfs
+  
+## Setup
+
+  1. Create a new VM (with a very small disk, like <=8GB) and install CentOS 7 minimal
+  1. Customize new install with whatever software/users/ssh keys you will want on *every* VM by default
+  1. Copy each of the four files to the location specified in the comment at the top:
+      - `cp ./vm-{seal,firstrun}.sh /usr/local/sbin/`
+      - `cp ./vm-firstrun.example-config /etc/sysconfig/vm-firstrun`
+      - `cp ./vm-firstrun.service /etc/systemd/system/vm-firstrun.service`
+  1. Make the two .sh scripts executable: `chmod +x /usr/local/sbin/vm-{seal,firstrun}.sh`
+  1. Let systemd see the new unit file: `systemctl daemon-reload`
+  1. Once all your customizations are done and you're ready to turn it into a template, run: `/usr/local/sbin/vm-seal.sh`
+  1. The VM should shutdown, then in Proxmox you can just right-click and convert to template
+  
+## Usage
+
+After doing the setup, to create a new VM:
+  1. do a full clone of the template
+  1. grow the size of the disk if needed
+  1. start the VM
+  
+If you ever need to make changes to your template:
+  1. follow the above steps to create a new VM from the template
+  1. make your changes on the new VM that will become the new template
+  1. when done making changes, run `/usr/local/sbin/vm-seal.sh`
+  1. after the new VM stops, convert it to a template and delete the old template
+  
+Note that because it touches `/.autorelabel`, the first boot can take a few minutes while the SELinux contexts are re-applied or whatever, if SELinux is disabled in your environment this may not matter.
+
+## How it works
+
+It's very simple, `vm-seal.sh` basically de-configures the parts of the system that should be unique, then removes any log files or anything that shouldn't really be on a newly-installed system. Then it enables `vm-firstrun.service` in systemd and does a shutdown. At the next boot, systemd starts the `vm-firstrun.service` which just runs `vm-firstrun.sh`, which generates a new hostname and grows the rootfs. Then it disables the `vm-firstrun.service` so that it won't run again next time the VM is rebooted. 
\ No newline at end of file
diff --git a/vm-firstrun b/vm-firstrun
new file mode 100644
index 0000000000000000000000000000000000000000..75438897d10447b74ce3fd6a4126f68cc32aa943
GIT binary patch
literal 4541
zcmcJTXH-*L8iu17fzXR|klt$oNR^sPQF;-O8WK7o1*3o<(gguQKsrhXFDONd(nPvI
zXi}w$R0Bdp7!Vk|cjme-GqcwG(C@6h&-wQ~>s@=j`+JY^6_Rrx!1p?YA+P@N@vluE
zKn{Sw<(-_s@`|$35IF<{0*5)nq-EjqU>Mk0Mo~@{At3{EMkvb4D!}BOVPF>pI7~(k
zrU-^PffW%jh^!Ob*##_vfXgDJEX;v`Gk9Eyjq$%4lKs(;yXiS44G;jJqyPZSeriKg
zsD`!yRMH#%SLayE+4vE8+MwBHSbjjA@=LW5A<>b`#_GUT;bQe1e8yGz4JF+3tiJOj
z$Bnb&{WGm)#&jHy;3~wv+q1oU(e~4-1<kWVIvf6Zxkn*)`b|HmH12MU*MESaZ$PCK
z&Fy!$y({*{F^;C$B6V>k7B$(zO0H*vOgS0^1TMd5&&y4<BhoK1UcXSXeP0?E8K2S#
zXVV3O*iyusr)5KBYRy?)x4b+jm6*rEx|+0?NCFU!>=BalpplYvY_OpL+%9Z4TFclz
zgM1VAZm8IqBJ$xLf?-dIb}IC1KhEnz6>u=xey;ZB#TAholWWu()l?>|T9@)V@H4N<
zCR;zOe9JZ#ugmKwCh=He6It=b5Vv<?c3W1@B#mgehiYXu-QpkS?(Qq&r>3bufJL>}
zlH-+R07lz2yXtd7r8mZ<%mnhyi^hZw7OxEk0zXN<9}aG5)8SkY0rcEvxX#h(AQE>L
z+a!q3AthK3IrJP@MopBan^u;s1=QrT4{a&s!~{8ZqqZK+yeO_<f7E@asQO$hIxOlR
zw+Q`UuWFrW6D^3)LipH2Kgr`biQ?EQlXcB%kSkKumA#R@VFaxwcgaIq#vMs^c7M3&
zl9X2YVgD<c_TB=fYU3@^IIZTEH+WBf9yS#c%)?|2N6*{=^6C1e-!{{N4hfIcf|~nw
zq+omY0__Ca-1RTahC!}ViveL^=nJ<{!8qEj-*iD4v^JAOMmLOB`DC$IQm!f;aaFH$
zSXRh(p)QEm(%6?y|HJus5PQFYa0tc%xio++VDAf24J@%0@?}tha^<ZTY;U^)fjiYR
z953IEwe*NHxCT8xF2743eE8e@bc1n^SM_&pd(=1(P4pno!0y%aR^F|Q+aKyb#%Jp8
zu0$IZ$>^_b9}B!Xu+6CTz$;b^Cd~C$QDg-zdPMQ&xRQ<H$_sPi;wxXK2A~5w6F}6}
zxHw*I8YcRbwKwP^dnlPMdihgN6}nWCYsPw!FFiHvd1)8)Be~$ivTPkL%JMDBtir8y
zQn6MQwx_{S&zXlFh;u!^(+lCQMoO#CQdi*e3>rP5tcV#QR?D6twU*!P{cl^a+7TFp
zKa(1CgcSjV`*uW%Ii;BJ8D#gy4B1Re8S<A?U=D#(Xgs*o29x0K5D}O_OvAEdO)BcT
zUSM!HV!fJDzof*TJAGSx*bvp|ZmLv5Xfs6l^2UR%dp-&fpp)qoD`s=ON?ua45!{k+
zfa0O>XjqrzHq-#O3z)Koe6+GLE19UZ?Pkhq4qSI(L?-gi8SC3L2n-#QE{j&6nV2!_
zX#YYJA;F7nNebl?sNN`!BuqasM>6FC#W;v47QiBEOAc@?i&){l`2vA$R$<=<FFh>I
z9RY@sP%SOdqP@HZFLi%?^HjM(8T7KNGxgv#5v1JJwbvSw6}e)XnnS37ai3pZmt8QO
zz}F}hlwF!7N71MojIP=c**M;Ayym5eX=k56`5hI-bR}-!LD5+(vZCH_`e#da{Pc-(
zR1@LWseXV(a58eL@_rPa<Pq*oQ+TQ7OC^?Cu~7DZ%tL2dT#E=dl0>)@=5-`FS_{)G
z5slpI9N?W>>2zKNY&-&=-SqWimv~b4a3PDbbfaHXn7TP2*td~s%x1aUJC&Xf?qwzE
zbUHSZ4rnq?!0fl@4<w|5^QYfT><4u{9r(s~jwk@xO4pAxG*Pb4%nutn%zGcnO@UA3
z8S~ty`MVJ>Ne`dP`F;zWEcj0~Vw|^xi#rDEi@AZ6MBH-nMtLD5oPCfk?yi41GXmcT
z3YBIA&P^9RShofH_H(mMT^S7HPr`v<=4X$BP26Xj2m?ct1k7cHO!n~nY_WySCbr0q
z7jVMO*o<!~5?Zw3dN^sFa$maT-eT?C0mhW}i5f1)b<IjjDaNCDzi+xdL>3Crv{iBz
z=fP0mB>%FKnIQB=uDVwvz0X^!Xe*DAt{kcZs@12CjL6tK%hBBs!QO@l<Gp?AkhwE|
zS89-0K9qT)QuoQS`(;XD5g44iGvY6aEaH@@Tcv5W4^+bi*4l(np^tSnE?kB#wkl9q
zcUSOjD)DA=T^TS|b<g*MC>NMCEX4wsw{#l&`$EB2Br6cTVt!%s^m^hP4+0CJ!qDM&
zVYZJiiKazalu5oOm%r@XUR*8|{NxxUo>>bti0(3@S7;j8U8rQSQ&@k{K#{)5c-&be
zy22Yn@w&CI-DBFvMN*?!WXI<E1tZ4bQzwaJe9GZ52>{SR4ggsFI(^*!k|x>G+h<aV
z@hIB?ono1HwIBi4T%c+5Zivc2>;kID&d#9g9_MF|Pr^7iYpLVI?1$=PJnNR1(>@Tl
zRlZ{5u-k%B`P95F%-J{3Y9OoB(^5-X5(8g+5&&08zTJVY%Gl{r$oIq7f@93xkgwgW
zo+poBQ4~(VeDNShtdoYvda7wiBn$aKs8w3#E=DMs&<7!=R`z<=x{2&HwY4rrYw-u)
zO@3=m&i&wlu5CRK>lj{TPFwDy)<5$)8j%Rqx7u`A5uhbwCdGL>=P@WgW4OEd`KyF&
z!`xkNLr2~y$5zZo>DrzILm1f6pTHzw(e}CP_YDO{QHJ}^$cLzp^UR|M%rtz(O?5gH
zQ0JF4W9}=OJa%ANm%R>(ce~AIP<Zp2!}+T2om;om2nR)YiKXW`%Zbh@u?|UjkodGh
zOccO~Q{QmeoST7@LJhO7&aR%y<nxr<v?3-fnPW8z8oe4RS*TL%r^fZ3x|vf$q|d3j
z1yvUsGa5ByA2!g@xAOMgXXLWw5ye6Hew{VAq&DcopqsyP+BBt5&dq)~vvHa_D_}~M
z*6zX6EnfxBxD7U$WYtf{H&|p2mxBgSf@b4)^goSa!7O(;?P*-vT$gQX!w=K%OGku#
z(JMBGqcYaV_43Ldd0l(l`|WoMJlEPq?FQ+&oS@J1YL$4I+_9>-7)s{imUN{{_6fTk
zjQb)ZZmM~EUP1!exSH$EQoeykF`fI!DFdV--ln}~wZ?(3@*#P{nNKx2C{!f-#U=-O
zc{^#((emS2TaNSo_r9p)(_F5}$&-J2i$Bd;bNNfXq3`e$+?p%~ciX2nE-N=>#lkv$
zXDj*v5EC_LWkba)rBEaGJDpK81FezBa6_FEn_ps*u{ZMwX*g*D9_7f7+g!dD_iBD3
zZl5`Nc2ABY%{XE!5Q&mirAfF?aZz&!H6@fAD+@_*gD$)S(JzMJx=SbTrFow>o8qCW
zS7X_CV#m=?Ug(cceTlOdJX323C6myLr*|A>)p%1k=SJM#ZsE^<|7uoULDKrkkOKM|
z7`fnYqOQ{p<``9L59r+mu^z>ZJ<~lb^Uf}e;9BC0QBxb|eG~gcYp^iYbU7HWFpU!c
zUaf;Gb^3(u#Bhfr(29b|-fq<seCCuF>uibGF1dTjF4_|}o?Z6i(6MOumy;yC@uYYc
zkugG+Tta|Qy>~+!D$0;^j$ypR^>5Rt8D?4yQHt%B%9p4qj=+ye{%)Tv?qAOuoB;sN
zo>+wW&$b6F!pTb#`@<T%6DyEy+>{YFvqRQu^vMGvk!Aj-wYYc=6uqw_FXhdiDQ5a<
zy*>nBe)AX+y0r@3NinBUAx9^QV$CJpP|;$|`w?`u*WX>euNRbcCrAxHdr?z-;;jn1
zu5bn-wpxpuyx)R*X7QDIYW4PGp)2E7e1$FdTJj7HQ@r|AQ#||FUaWVYqe(d@l{s(?
zLjQ#tQIB`zD@xUiT0ua(1X7D$zD$1-Fr9Bz&7x`QZLztL47f`Te_W4x8o8A-I%@Cx
z@FU~GwlEkNug_P|qTHGAgsH)}ZqT162wtyA*eKpNEmrY;kL4sGq-}K>b;v9=IeZ;C
zQxy7pLGlI}ALM>lKz}i|O-LznPI?0^+T6&&-`qEV&UST`8<@ZD(~S?Xj9BRcO^jC)
zbTB<(E>qX6z0BPGc}%<f6HCKwk3gJXR<yH91<hE4Uo#Oe8echc76AC)Ve#ZXJSo~g
zU%w_g{u|)GhsW=oPfpfJp-<M&%dY<!C4WfqC&}sQ={v)pB>N}f_UDoOAG6eHwA16t
z4>W$#Uxjvhcsb2<dPMlaq)qnAn0~mzX`IuR^aID4@+ae*HYnpO!1LeRoj-ZZPaIK<
N8UPRm{J(!y{t0+uLh=9r

literal 0
HcmV?d00001

diff --git a/vm-firstrun.example-config b/vm-firstrun.example-config
new file mode 100644
index 0000000..80a1918
--- /dev/null
+++ b/vm-firstrun.example-config
@@ -0,0 +1,10 @@
+# /etc/sysconfig/vm-firstrun
+# CFG_HOSTNAME_SCRIPT="uuidgen"
+# CFG_HOSTNAME_PREFIX=""
+# CFG_HOSTNAME_POSTFIX=""
+# CFG_DOMAIN="localdomain"
+# CFG_ROOTFS_DISK="/dev/sda"
+# CFG_ROOTFS_PARTITION="3"
+# CFG_ROOTFS_TYPE="xfs"
+# CFG_SERVICE_NAME="vm-firstrun"
+
diff --git a/vm-firstrun.service b/vm-firstrun.service
new file mode 100644
index 0000000..ae279fc
--- /dev/null
+++ b/vm-firstrun.service
@@ -0,0 +1,11 @@
+# /etc/systemd/system/vm-firstrun.service
+[Unit]
+Description=Initialize this template-created VM
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/vm-firstrun.sh
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/vm-firstrun.sh b/vm-firstrun.sh
new file mode 100644
index 0000000..1b53e78
--- /dev/null
+++ b/vm-firstrun.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# /usr/local/sbin/vm-firstrun.sh
+
+# This script depends on having these packages installed:
+#   - cloud-utils-growpart
+#   - parted
+
+# This should be a simple bash file that sets the CFG_* variables
+[ -f /etc/sysconfig/vm-firstrun ] && . /etc/sysconfig/vm-firstrun
+
+## Set default values for anything that wasn't already set
+# This will be run at firstboot to generate the hostname
+CFG_HOSTNAME_SCRIPT="${CFG_HOSTNAME_SCRIPT:=uuidgen}"
+# These can be set in config, there's just no reason for a default besides (blank)
+# CFG_HOSTNAME_PREFIX="${CFG_HOSTNAME_PREFIX:=}"
+# CFG_HOSTNAME_POSTFIX="${CFG_HOSTNAME_POSTFIX:=}"
+CFG_DOMAIN="${CFG_DOMAIN:=localdomain}"
+CFG_ROOTFS_DISK="${CFG_ROOTFS_DISK:=/dev/sda}"
+CFG_ROOTFS_PARTITION="${CFG_ROOTFS_PARTITION:=3}"
+CFG_ROOTFS_TYPE="${CFG_ROOTFS_TYPE:=xfs}"
+CFG_SERVICE_NAME="${CFG_SERVICE_NAME:=vm-firstrun}"
+
+## Helper Functions
+function log() {
+    echo "$@" | logger --stderr -t vm-firstrun
+}
+
+
+## Do the things
+old_hostname="$(hostname -f)"
+new_hostname="${CFG_HOSTNAME_PREFIX}$(${CFG_HOSTNAME_SCRIPT})${CFG_HOSTNAME_POSTFIX}"
+if ! [ -z "${CFG_DOMAIN}" ]; then
+    new_hostname="${new_hostname}.${CFG_DOMAIN}"
+fi
+
+log "Setting hostname from '${old_hostname}' to '${new_hostname}'"
+hostnamectl set-hostname "${new_hostname}"
+
+if [ -b "${CFG_ROOTFS_DISK}" ]; then
+    if [ -b "${CFG_ROOTFS_DISK}${CFG_ROOTFS_PARTITION}" ]; then
+        # expand the partition
+        log "Expanding rootfs partition"
+        growpart "${CFG_ROOTFS_DISK}" "${CFG_ROOTFS_PARTITION}"
+        # reload partition table
+        log "Reloading partition table"
+        partprobe "${CFG_ROOTFS_DISK}"
+
+        # grow the rootfs
+        case "${CFG_ROOTFS_TYPE}" in
+            xfs)
+                log "Growing rootfs of type: ${CFG_ROOTFS_TYPE}"
+                xfs_growfs /
+                ;;
+            ext*)
+                log "Growing ${CFG_ROOTFS_TYPE} rootfs on device: ${CFG_ROOTFS_DISK}${CFG_ROOTFS_PARTITION}"
+                resize2fs "${CFG_ROOTFS_DISK}${CFG_ROOTFS_PARTITION}"
+                ;;
+            *)
+                log "Unsupported rootfs type: ${CFG_ROOTFS_TYPE}"
+                log "Doing nothing, please grow the fs manually"
+                ;;
+        esac
+    else
+        log "rootfs partition not found, unable to expand: ${CFG_ROOTFS_DISK}${CFG_ROOTFS_PARTITION}"
+    fi
+else
+    log "rootfs disk not found, unable to expand: ${CFG_ROOTFS_DISK}"
+fi
+
+log "initial config done, disabling myself"
+systemctl disable "${CFG_SERVICE_NAME}"
+
diff --git a/vm-seal.sh b/vm-seal.sh
new file mode 100644
index 0000000..78c9b7f
--- /dev/null
+++ b/vm-seal.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# /usr/local/sbin/vm-seal.sh
+
+unset HISTFILE
+
+yum update -y
+yum clean all -y
+
+: > /etc/machine-id
+hostnamectl set-hostname localhost.localdomain
+systemctl enable vm-firstrun
+
+rm -f /etc/ssh/ssh_host_*
+
+rm -rf /root/.ssh/
+rm -f /root/anaconda-ks.cfg
+rm -f /root/.bash_history
+
+rm -f /home/centos/.bash_history
+rm -f /home/centos/.ssh/known_hosts
+
+rm -f /var/log/boot.log
+rm -f /var/log/cron
+rm -f /var/log/dmesg
+rm -f /var/log/grubby
+rm -f /var/log/lastlog
+rm -f /var/log/maillog
+rm -f /var/log/messages
+rm -f /var/log/secure
+rm -f /var/log/spooler
+rm -f /var/log/tallylog
+rm -f /var/log/wpa_supplicant.log
+rm -f /var/log/wtmp
+rm -f /var/log/yum.log
+rm -f /var/log/audit/audit.log
+rm -f /var/log/tuned/tuned.log
+
+updatedb
+
+touch /.autorelabel
+
+sys-unconfig
+