[pve-devel] Create template from CT

James A. Coyle james.coyle at jamescoyle.net
Thu Mar 6 11:32:50 CET 2014


Currently SSH is used. 

Two forms of access are required to create a template: 
1) SSH to the CT to install/configure/etc. When I say SSH, this could also be the Java console. 
2) SSH to the HW node to tar the CT. This is where the issue is as this requires a level of access which essentially means that you have access to literally everything on the HW node. 

To me, the 'sensitive' stuff is a feature and not a problem. I have a 'development' key on all my templates so that I can connect with a single key as soon as the CT is created. From there, I can then replace the key as required. I realise this might be quite a unique use case and therefore I'm not so precious about it but I was trying to give an example where you might want to keep the stuff which you guys want to get rid of. I think this should be down to the template creator - leave in what should go into the template and remove what shouldn't... rather than having the templating process messing with it. 


James Coyle 

E: james.coyle at jamescoyle.net 
Skype: jac2703 
Gtalk: jac2703 at gmail.com 
www: www.jamescoyle.net 

----- Original Message -----

From: "Daniel Hunsaker" <danhunsaker at gmail.com> 
To: "James A. Coyle" <james.coyle at jamescoyle.net> 
Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com> 
Sent: Thursday, 6 March, 2014 10:48:34 AM 
Subject: Re: [pve-devel] Create template from CT 



The backup/restore method isn't intended for distribution-worthy templates, so this tends to be a non-issue. If you have access to do backup/restore, you have access to get at sensitive files within the CTs and backups already anyway. 

Ultimately, since the vast majority of template creation is necessarily manual, the tar step being manual as well is a minimal amount of overhead which preserves the principle of least surprise as a side effect. Unless we *can* make a magic method for removing all the sensitive stuff, we should avoid allowing screwing the whole process up through ignorance by not putting the option in the web interface. 

Out of curiosity, how exactly are you setting up the CTs for conversion if you're not using SSH? 
