Changes for page proxmox

Last modified by Kevin Wiki on 2026/05/18 15:44

From 9.6 to 9.5

From version

12.1

edited by Kevin Wiki
on 2026/05/18 15:44

Change comment: There is no comment for this version

To version

9.6

edited by Kevin Wiki
on 2026/05/18 08:16

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

@@ -138,20 +138,9 @@
  After creating the VM and before making it into a template there are some programs and settings we want to ensure exists always.
--(% id="cke_bm_721114S" style="display:none" %)** **(%%)**clear bash history** to not leave any configuration in history, clear and disable history file before proceeding:
++qemu-guest-agent is for allowing proxmox to query information from the VM such as IP address, shutdown commands, etc
  {{code language="bash"}}
--unset HISTFILE
--export HISTSIZE=0
--export HISTFILESIZE=0
--
--sudo rm /.bash_history
--rm ~/.bash_history
--{{/code}}
--
--**qemu-guest-agent** is for allowing proxmox to query information from the VM such as IP address, shutdown commands, etc
--
--{{code language="bash"}}
  sudo apt update
  sudo apt upgrade -y
  sudo apt install qemu-guest-agent -y
@@ -160,26 +160,8 @@
  sudo systemctl start qemu-guest-agent.service
  {{/code}}
--**reset machine-id** to not have overlapping ids from same template
++cloud-init is a great hook for installing or configuring programs or receiving variables from cloudinit CDROM drive. Making it easier to change IP, hostname, DNS, username/password, etc between VMs.
--{{code language="bash"}}
--cat /dev/null > /etc/machine-id
--cat /dev/null > /var/lib/dbus/machine-id
--{{/code}}
--
--**cloud-init** is a great hook for installing or configuring programs or receiving variables from cloudinit CDROM drive. Making it easier to change IP, hostname, DNS, username/password, etc between VMs.
--
--If you used a cloud-init base image it will have run the default cloudinit which installs and configures a bunch of systems. To clean this up run:
--```
--```
--Reset cloud-init to run all init and modules at next boot:
--
--{{code language="bash"}}
--cloud-init clean
--{{/code}}
--
--This is a debian example of what we are looking for:
--
  {{code language="yaml"}}
  # The top level settings are used as module
  # and system configuration.
@@ -186,7 +186,10 @@
  # A set of users which may be applied and/or used by various modules
  # when a 'default' entry is found it will reference the 'default_user'
  # from the distro configuration specified below
++users:
++   - default
++
  # If this is set, 'root' will not be able to ssh in and they
  # will get a message to login instead as the default $user
  disable_root: true
@@ -199,13 +199,18 @@
     # which has been a source of surprise.
     preserve_sources_list: true
--# manually managed resolv
--manage_resolv_conf: false
++# If you use datasource_list array, keep array items in a single line.
++# If you use multi line array, ds-identify script won't read array items.
++# Example datasource config
++# datasource:
++#    Ec2:
++#      metadata_urls: [ 'blah.com' ]
++#      timeout: 5 # (defaults to 50 seconds)
++#      max_wait: 10 # (defaults to 120 seconds)
--package_update: true
--packages:
--  - qemu-guest-agent
++
++
  # The modules that run in the 'init' stage
  cloud_init_modules:
   - seed_random
@@ -225,6 +225,8 @@
  # The modules that run in the 'config' stage
  cloud_config_modules:
++ - snap
++ - ssh-import-id
   - keyboard
   - locale
   - set-passwords
@@ -235,11 +235,20 @@
   - timezone
   - disable-ec2-metadata
   - runcmd
++ - byobu
  # The modules that run in the 'final' stage
  cloud_final_modules:
   - package-update-upgrade-install
++ - fan
++ - landscape
++ - lxd
   - write-files-deferred
++ - puppet
++ - chef
++ - mcollective
++ - salt-minion
++ - reset_rmc
   - scripts-vendor
   - scripts-per-once
   - scripts-per-boot
@@ -246,20 +246,25 @@
   - scripts-per-instance
   - scripts-user
   - ssh-authkey-fingerprints
--# - keys-to-console
++ - keys-to-console
   - install-hotplug
--# - phone-home
++ - phone-home
   - final-message
   - power-state-change
--runcmd:
--  - systemctl enable qemu-guest-agent.service
--
  # System and/or distro specific settings
  # (not accessible to handlers/transforms)
  system_info:
     # This will affect which distro class gets used
     distro: debian
++   # Default user name + that default users groups (if added/used)
++   default_user:
++     name: debian
++     lock_passwd: True
++     gecos: Debian
++     groups: [adm, audio, cdrom, dialout, dip, floppy, plugdev, sudo, video]
++     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
++     shell: /bin/bash
     # Other config here will be given to the distro class and/or path classes
     paths:
        cloud_dir: /var/lib/cloud/
@@ -270,428 +270,13 @@
           primary: https://deb.debian.org/debian
           security: https://deb.debian.org/debian-security
     ssh_svcname: ssh
--{{/code}}
--Cleanup script:
--
--{{code language="bash"}}
--#!/usr/bin/env bash
--# =============================================================================
--# cloud-init Cleanup & Uninstall Script
--# Generated from: cloud.cfg (Debian, default user: debian)
--#
--# What this script does:
--#   1. Reverses all cloud-init module side effects
--#   2. Removes packages installed by cloud-init modules
--#   3. Restores config files to pre-cloud-init state where possible
--#   4. Cleans up cloud-init's own state/cache
--#
--# Usage:
--#   sudo bash cloudinit-cleanup.sh [--dry-run] [--full-uninstall]
--#
--#   --dry-run         Print what would be done, make no changes
--#   --full-uninstall  Also remove cloud-init itself (not just its effects)
--#
--# WARNING: Run this only on instances you intend to decommission or reprovision.
--#          Some operations (hostname reset, user removal) are destructive.
--# =============================================================================
--
--set -euo pipefail
--
--# ── Colour helpers ────────────────────────────────────────────────────────────
--RED='\033[0;31m'; YELLOW='\033[1;33m'; GREEN='\033[0;32m'
--CYAN='\033[0;36m'; BOLD='\033[1m'; RESET='\033[0m'
--
--info()    { echo -e "${CYAN}[INFO]${RESET}  $*"; }
--ok()      { echo -e "${GREEN}[OK]${RESET}    $*"; }
--warn()    { echo -e "${YELLOW}[WARN]${RESET}  $*"; }
--danger()  { echo -e "${RED}[DANGER]${RESET} $*"; }
--section() { echo -e "\n${BOLD}━━━  $* ━━━${RESET}"; }
--
--# ── Argument parsing ──────────────────────────────────────────────────────────
--DRY_RUN=false
--FULL_UNINSTALL=false
--
--for arg in "$@"; do
--  case "$arg" in
--    --dry-run)         DRY_RUN=true ;;
--    --full-uninstall)  FULL_UNINSTALL=true ;;
--    --help|-h)
--      sed -n '3,20p' "$0" | sed 's/^# \?//'
--      exit 0
--      ;;
--    *)
--      echo "Unknown argument: $arg" >&2
--      exit 1
--      ;;
--  esac
--done
--
--# ── Root check ────────────────────────────────────────────────────────────────
--if [[ $EUID -ne 0 ]]; then
--  danger "This script must be run as root (sudo)."
--  exit 1
--fi
--
--# ── Dry-run wrapper ───────────────────────────────────────────────────────────
--# All destructive calls go through run() so --dry-run is respected everywhere
--run() {
--  if $DRY_RUN; then
--    echo -e "  ${YELLOW}[DRY-RUN]${RESET} $*"
--  else
--    eval "$@"
--  fi
--}
--
--$DRY_RUN && warn "DRY-RUN mode — no changes will be made.\n"
--
--# =============================================================================
--# 1. CLOUD_INIT_MODULES — init stage
--# =============================================================================
--
--# ── ca-certs ──────────────────────────────────────────────────────────────────
--section "ca-certs"
--info "Removing custom CAs added by cloud-init..."
--
--# cloud-init drops certs into /usr/local/share/ca-certificates/
--if ls /usr/local/share/ca-certificates/cloud-init-* &>/dev/null 2>&1; then
--  run "rm -f /usr/local/share/ca-certificates/cloud-init-*"
--  run "update-ca-certificates --fresh"
--  ok "Custom CAs removed and trust store rebuilt."
--else
--  info "No cloud-init-managed custom CAs found."
--fi
--
--run "rm -f /var/lib/cloud/instance/sem/config_ca_certs"
--
--# ── rsyslog ───────────────────────────────────────────────────────────────────
--section "rsyslog"
--info "Removing cloud-init rsyslog configuration..."
--run "rm -f /etc/rsyslog.d/20-cloud-init.conf"
--if systemctl is-active --quiet rsyslog 2>/dev/null; then
--  run "systemctl restart rsyslog"
--  ok "rsyslog restarted."
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_rsyslog"
--
--# ── users-groups (default user: debian) ──────────────────────────────────────
--section "users-groups — default user 'debian'"
--warn "Removing user 'debian' and their home directory."
--warn "Ensure you have another admin account before doing this!"
--
--if id debian &>/dev/null 2>&1; then
--  # Kill any active sessions for this user first
--  run "pkill -u debian || true"
--  run "deluser --remove-home debian 2>/dev/null || userdel -r debian 2>/dev/null || true"
--  ok "User 'debian' removed."
--else
--  info "User 'debian' does not exist, skipping."
--fi
--
--# Remove groups that were created for this user (only if empty/unused)
--for grp in adm audio cdrom dialout dip floppy plugdev video; do
--  if getent group "$grp" &>/dev/null; then
--    info "Group '$grp' exists (system group — leaving in place)."
--  fi
--done
--
--run "rm -f /var/lib/cloud/instance/sem/config_users_groups"
--
--# =============================================================================
--# 2. CLOUD_CONFIG_MODULES — config stage
--# =============================================================================
--
--# ── snap ──────────────────────────────────────────────────────────────────────
--section "snap"
--if command -v snap &>/dev/null; then
--  info "Removing all installed snaps..."
--  # Snaps must be removed in dependency order; loop until none left
--  while snap list 2>/dev/null | grep -v "^Name" | grep -q .; do
--    snap list 2>/dev/null | awk 'NR>1 {print $1}' | while read -r pkg; do
--      run "snap remove --purge '$pkg' 2>/dev/null || true"
--    done
--  done
--
--  info "Stopping and disabling snapd..."
--  run "systemctl stop snapd.service snapd.socket snapd.seeded.service 2>/dev/null || true"
--  run "systemctl disable snapd.service snapd.socket 2>/dev/null || true"
--
--  info "Removing snapd package..."
--  run "apt-get purge -y snapd 2>/dev/null || true"
--
--  info "Removing snap directories..."
--  run "rm -rf /snap /var/snap /var/lib/snapd /var/cache/snapd /root/snap"
--  run "rm -rf /home/*/snap"
--
--  info "Removing snap loopback mounts..."
--  mount | grep '/snap/' | awk '{print $3}' | while read -r mp; do
--    run "umount '$mp' 2>/dev/null || true"
--  done
--
--  ok "snap and snapd fully removed."
--else
--  info "snap not installed, skipping."
--fi
--
--run "rm -f /var/lib/cloud/instance/sem/config_snap"
--
--# ── ssh-import-id ─────────────────────────────────────────────────────────────
--section "ssh-import-id"
--info "Removing ssh-import-id if installed..."
--run "apt-get purge -y ssh-import-id 2>/dev/null || true"
--# Imported keys would have been written to the user's authorized_keys
--if [[ -f /home/debian/.ssh/authorized_keys ]]; then
--  warn "Review /home/debian/.ssh/authorized_keys for externally imported keys."
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_ssh_import_id"
--
--# ── set-passwords ─────────────────────────────────────────────────────────────
--section "set-passwords"
--info "Locking 'debian' user password (enforcing key-only auth)..."
--run "passwd -l debian 2>/dev/null || true"
--
--info "Ensuring SSH password authentication is disabled..."
--if [[ -f /etc/ssh/sshd_config ]]; then
--  run "sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
--  run "grep -q 'PasswordAuthentication no' /etc/ssh/sshd_config || echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config"
--  run "systemctl reload ssh 2>/dev/null || true"
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_set_passwords"
--ok "Password auth locked down."
--
--# ── grub-dpkg ─────────────────────────────────────────────────────────────────
--section "grub-dpkg"
--info "Clearing grub-dpkg debconf seeding..."
--run "echo '' | debconf-set-selections <<< 'grub-pc grub-pc/install_devices multiselect' 2>/dev/null || true"
--run "rm -f /var/lib/cloud/instance/sem/config_grub_dpkg"
--ok "grub-dpkg debconf state cleared (GRUB install device reset to empty)."
--
--# ── disable-ec2-metadata ──────────────────────────────────────────────────────
--section "disable-ec2-metadata"
--info "Re-enabling EC2 metadata service access (removing block if present)..."
--run "rm -f /run/cloud-init/enabled"
--run "iptables -D OUTPUT -d 169.254.169.254 -j DROP 2>/dev/null || true"
--run "ip6tables -D OUTPUT -d fd00:ec2::254 -j DROP 2>/dev/null || true"
--run "rm -f /var/lib/cloud/instance/sem/config_disable_ec2_metadata"
--
--# ── byobu ─────────────────────────────────────────────────────────────────────
--section "byobu"
--info "Removing byobu configuration and package..."
--run "rm -rf /etc/byobu"
--run "rm -f /etc/profile.d/Z97-byobu.sh /etc/profile.d/byobu.sh"
--run "rm -rf /home/debian/.byobu /root/.byobu"
--run "apt-get purge -y byobu 2>/dev/null || true"
--run "rm -f /var/lib/cloud/instance/sem/config_byobu"
--ok "byobu removed."
--
--# =============================================================================
--# 3. CLOUD_FINAL_MODULES — final stage
--# =============================================================================
--
--# ── package-update-upgrade-install ───────────────────────────────────────────
--section "package-update-upgrade-install"
--warn "Packages installed via cloud-init's package module cannot be auto-detected."
--warn "Review your user-data 'packages:' list and remove manually if needed."
--run "rm -f /var/lib/cloud/instance/sem/config_package_update_upgrade_install"
--
--# ── fan ───────────────────────────────────────────────────────────────────────
--section "fan (Ubuntu Fan networking)"
--if command -v fanctl &>/dev/null || dpkg -s ubuntu-fan &>/dev/null 2>&1; then
--  info "Removing ubuntu-fan networking..."
--  run "systemctl stop fanatic 2>/dev/null || true"
--  run "apt-get purge -y ubuntu-fan 2>/dev/null || true"
--  run "rm -f /etc/network/fan"
--  ok "ubuntu-fan removed."
--else
--  info "ubuntu-fan not installed, skipping."
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_fan"
--
--# ── landscape ────────────────────────────────────────────────────────────────
--section "landscape"
--if dpkg -s landscape-client &>/dev/null 2>&1; then
--  info "Removing Landscape client..."
--  run "systemctl stop landscape-client 2>/dev/null || true"
--  run "apt-get purge -y landscape-client landscape-common 2>/dev/null || true"
--  run "rm -rf /etc/landscape /var/lib/landscape"
--  ok "Landscape client removed."
--else
--  info "Landscape client not installed, skipping."
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_landscape"
--
--# ── lxd ──────────────────────────────────────────────────────────────────────
--section "lxd"
--if command -v lxd &>/dev/null; then
--  info "Removing LXD and all containers/images..."
--  run "lxc list --format csv -c n 2>/dev/null | while read -r c; do lxc delete --force \"\$c\"; done || true"
--  run "snap remove --purge lxd 2>/dev/null || apt-get purge -y lxd lxd-client liblxc1 2>/dev/null || true"
--  run "rm -rf /var/lib/lxd /var/snap/lxd"
--  ok "LXD removed."
--else
--  info "LXD not installed, skipping."
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_lxd"
--
--# ── puppet ───────────────────────────────────────────────────────────────────
--section "puppet"
--if command -v puppet &>/dev/null || dpkg -s puppet-agent &>/dev/null 2>&1; then
--  info "Removing Puppet agent..."
--  run "systemctl stop puppet 2>/dev/null || true"
--  run "apt-get purge -y puppet puppet-agent 2>/dev/null || true"
--  run "rm -rf /etc/puppet /var/lib/puppet /opt/puppetlabs"
--  ok "Puppet removed."
--else
--  info "Puppet not installed, skipping."
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_puppet"
--
--# ── chef ─────────────────────────────────────────────────────────────────────
--section "chef"
--if command -v chef-client &>/dev/null; then
--  info "Removing Chef client..."
--  run "systemctl stop chef-client 2>/dev/null || true"
--  run "apt-get purge -y chef 2>/dev/null || true"
--  run "rm -rf /etc/chef /var/log/chef /var/lib/chef /var/cache/chef /var/backups/chef /var/run/chef"
--  ok "Chef removed."
--else
--  info "Chef not installed, skipping."
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_chef"
--
--# ── mcollective ───────────────────────────────────────────────────────────────
--section "mcollective"
--if dpkg -s mcollective &>/dev/null 2>&1; then
--  info "Removing MCollective..."
--  run "systemctl stop mcollective 2>/dev/null || true"
--  run "apt-get purge -y mcollective 2>/dev/null || true"
--  run "rm -rf /etc/mcollective"
--  ok "MCollective removed."
--else
--  info "MCollective not installed, skipping."
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_mcollective"
--
--# ── salt-minion ───────────────────────────────────────────────────────────────
--section "salt-minion"
--if command -v salt-minion &>/dev/null || dpkg -s salt-minion &>/dev/null 2>&1; then
--  info "Removing Salt minion..."
--  run "systemctl stop salt-minion 2>/dev/null || true"
--  run "apt-get purge -y salt-minion salt-common 2>/dev/null || true"
--  run "rm -rf /etc/salt /var/cache/salt /var/log/salt /var/run/salt"
--  ok "Salt minion removed."
--else
--  info "salt-minion not installed, skipping."
--fi
--run "rm -f /var/lib/cloud/instance/sem/config_salt_minion"
--
--# ── reset_rmc ─────────────────────────────────────────────────────────────────
--section "reset_rmc (IBM Power)"
--# Only relevant on IBM Power hardware; safe no-op on other platforms
--run "rm -f /var/lib/cloud/instance/sem/config_reset_rmc"
--info "reset_rmc semaphore cleared (no-op on non-IBM-Power hardware)."
--
--# ── phone-home ────────────────────────────────────────────────────────────────
--section "phone-home"
--info "Clearing phone-home state..."
--run "rm -f /var/lib/cloud/instance/sem/config_phone_home"
--# Revoke any iptables allow-rule if phone-home was whitelisted
--info "If you added firewall rules for phone-home, remove them manually."
--ok "phone-home state cleared."
--
--# ── keys-to-console / ssh-authkey-fingerprints ────────────────────────────────
--section "keys-to-console / ssh-authkey-fingerprints"
--info "Removing console key output scripts..."
--run "rm -f /etc/profile.d/ssh-key-fingerprints.sh"
--run "rm -f /var/lib/cloud/instance/sem/config_keys_to_console"
--run "rm -f /var/lib/cloud/instance/sem/config_ssh_authkey_fingerprints"
--
--# =============================================================================
--# resolv.conf — restore after systemd-resolved removal
--# =============================================================================
--section "resolv.conf reset (systemd-resolved removed)"
--
--RESOLV="/etc/resolv.conf"
--
--# Detect what's currently there
--if [[ -L "$RESOLV" ]]; then
--  info "Found symlink: $RESOLV -> $(readlink -f "$RESOLV")"
--  info "Removing dangling symlink left by systemd-resolved..."
--  run "rm -f '$RESOLV'"
--else
--  info "$RESOLV is a plain file — backing it up before overwriting..."
--  run "cp '$RESOLV' '${RESOLV}.bak.$(date +%Y%m%d%H%M%S)'"
--fi
--
--# Write a static resolv.conf with sensible production defaults.
--# Adjust nameservers to match your infrastructure (internal DNS, VPC resolver, etc.)
--info "Writing static $RESOLV..."
--run "cat > '$RESOLV' <<'EOF'
--# /etc/resolv.conf — managed manually (systemd-resolved is not installed)
--nameserver 1.1.1.1
--nameserver 8.8.8.8
--nameserver 2606:4700:4700::1111
--
--# search your.internal.domain
--
--options timeout:2 attempts:3 rotate
--EOF"
--
--run "chmod 644 '$RESOLV'"
--run "chown root:root '$RESOLV'"
--
--# Verify DNS resolution works with the new config
--info "Testing DNS resolution..."
--if $DRY_RUN; then
--  echo -e "  ${YELLOW}[DRY-RUN]${RESET} getent hosts debian.org"
--elif getent hosts debian.org &>/dev/null; then
--  ok "DNS resolution working."
--else
--  warn "DNS resolution test failed — check nameservers in $RESOLV"
--fi
--
--# =============================================================================
--# SUMMARY
--# =============================================================================
--section "Cleanup Complete"
--
--echo ""
--echo -e "${BOLD}Actions performed:${RESET}"
--echo "  ✓ Hostname reset to 'localhost' (/etc/hostname, /etc/hosts)"
--echo "  ✓ Custom CA certificates removed, trust store rebuilt"
--echo "  ✓ rsyslog cloud-init config removed"
--echo "  ✓ User 'debian' removed (with home directory)"
--echo "  ✓ SSH host keys regenerated"
--echo "  ✓ snap/snapd removed"
--echo "  ✓ ssh-import-id removed"
--echo "  ✓ Password authentication locked (key-only enforced)"
--echo "  ✓ grub-dpkg debconf seeding cleared"
--echo "  ✓ byobu removed"
--echo "  ✓ hotplug udev rule removed"
--echo "  ✓ phone-home state cleared"
--echo "  ✓ All cloud-init semaphores and cache cleared"
--echo "  ✓ Landscape / LXD / Puppet / Chef / Salt / MCollective checked and removed if present"
--echo ""
--echo -e "${YELLOW}Manual review required:${RESET}"
--echo "  ⚠  Files written by write-files — check your user-data for target paths"
--echo "  ⚠  Packages installed via 'packages:' in user-data"
--echo "  ⚠  Scripts run from scripts-user / scripts-per-instance / scripts-vendor"
--echo "  ⚠  /home/debian/.ssh/authorized_keys — if user was not removed"
--echo "  ⚠  Any firewall rules added for phone-home or disable-ec2-metadata"
--echo ""
--if $FULL_UNINSTALL; then
--  echo -e "${RED}cloud-init has been fully removed from this system.${RESET}"
--else
--  echo -e "${CYAN}cloud-init is still installed. Run with --full-uninstall to remove it too.${RESET}"
--fi
--echo ""
--echo -e "${GREEN}Done.${RESET}"
--
  {{/code}}
++
  )))

Changes for page proxmox

Summary

Details

Navigation

Recently Modified