
libvirt: avoid generating script with empty path

Previously, libvirt just appended 'script=' onto the QEMU cmd line
according to what <script path=''/> contained, letting QEMU execute the
script.  That was flawed from a security POV (you don't want QEMU to be
allowed to execute anything), so newer libvirt (as of [1]) executes the
script now.  But the libvirt code doesn't allow this corner case (of
allowing and ignoring an empty script path) whereas apparently the QEMU
code does.

So the Nova setting of '' used to work by accident, but now does not.

[1] http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=9c17d66 (autocreate tap device for ethernet network type)

Closes-Bug: #1649527
Change-Id: I4f97c05e2dec610af22a5150dd27696e1d767896
(cherry picked from commit 847952927c)
Neil Jerram 6 years ago committed by Roman Podoliaka
parent commit 99f8a3c4e9
Files changed:
  1. nova/tests/unit/virt/libvirt/test_designer.py (2)
  2. nova/tests/unit/virt/libvirt/test_vif.py (4)
  3. nova/virt/libvirt/designer.py (2)
  4. releasenotes/notes/libvirt-script-with-empty-path-2b49caa68b05278d.yaml (27)

2
nova/tests/unit/virt/libvirt/test_designer.py

@ -58,7 +58,7 @@ class DesignerTestCase(test.NoDBTestCase):
designer.set_vif_host_backend_ethernet_config(conf, 'fake-tap')
self.assertEqual('ethernet', conf.net_type)
self.assertEqual('fake-tap', conf.target_dev)
self.assertEqual('', conf.script)
self.assertIsNone(conf.script)
def test_set_vif_host_backend_802qbg_config(self):
conf = config.LibvirtConfigGuestInterface()
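Review bot: the updated assertion `self.assertIsNone(conf.script)` only covers the ethernet backend helper, while the release note in this same change lists `tap`, `ivs`, `iovisor`, `midonet` and `vrouter` as the affected interface types; a test per type that asserts `conf.script` is None would catch a future caller that sets `''` directly instead of going through `set_vif_host_backend_ethernet_config`.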

4
nova/tests/unit/virt/libvirt/test_vif.py

@ -779,8 +779,8 @@ class LibvirtVifTestCase(test.NoDBTestCase):
node = self._get_node(xml)
self._assertTypeAndMacEquals(node, "ethernet", "target", "dev",
self.vif_ivs, prefix=dev_prefix)
script = node.find("script").get("path")
self.assertEqual(script, "")
script = node.find("script")
self.assertIsNone(script)
def test_unplug_ivs_ethernet(self):
d = vif.LibvirtGenericVIFDriver()
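Review bot: `self.assertIsNone(script)` after `node.find("script")` checks that the `<script>` element is absent from the generated XML entirely, which is the right check here, since an element with `path="None"` would still be rejected by libvirt just like `path=""`; this hunk exercises only the ivs/ethernet path (the following test is `test_unplug_ivs_ethernet`), so the same `node.find("script")` assertion should be added to the plug tests for the other ethernet-backed VIF types named in the release note.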

2
nova/virt/libvirt/designer.py

@ -58,7 +58,7 @@ def set_vif_host_backend_ethernet_config(conf, tapname):
conf.net_type = "ethernet"
conf.target_dev = tapname
conf.script = ""
conf.script = None
def set_vif_host_backend_802qbg_config(conf, devname, managerid,
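Review bot: replacing `conf.script = ""` with `conf.script = None` relies on `LibvirtConfigGuestInterface` omitting the `<script>` element when the attribute is None rather than serialising it; the test_vif hunk asserts that behaviour, but a one-line comment on this assignment stating that None means "emit no script element" (and that `""` is rejected by libvirt 1.3.3 and later, per the release note) would keep the next contributor from reintroducing the empty string. It is also worth checking whether the assignment is needed at all if the config object's default for `script` is already None.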

27
releasenotes/notes/libvirt-script-with-empty-path-2b49caa68b05278d.yaml

@ -0,0 +1,27 @@
---
issues:
- |
When generating Libvirt XML to attach network interfaces for the `tap`,
`ivs`, `iovisor`, `midonet`, and `vrouter` virtual interface types Nova
previously generated an empty path attribute to the script element
(`<script path=''/>`) of the interface.
As of Libvirt 1.3.3 (`commit`_) and later Libvirt no longer accepts an
empty path attribute to the script element of the interface. Notably this
includes Libvirt 2.0.0 as provided with RHEL 7.3 and CentOS 7.3-1611. The
creation of virtual machines with offending interface definitions on a host
with Libvirt 1.3.3 or later will result in an error "libvirtError: Cannot
find '' in path: No such file or directory".
Additionally, where virtual machines already exist that were created using
earlier versions of Libvirt interactions with these virtual machines via
Nova or other utilities (e.g. `virsh`) may result in similar errors.
To mitigate this issue Nova no longer generates an empty path attribute
to the script element when defining an interface. This resolves the issue
with regards to virtual machine creation. To resolve the issue with regards
to existing virtual machines a change to Libvirt is required, this is being
tracked in `Bugzilla 1412834`_
.. _commit: https://libvirt.org/git/?p=libvirt.git;a=commit;h=9c17d665fdc5f0ab74500a14c30627014c11b2c0
.. _Bugzilla 1412834: https://bugzilla.redhat.com/show_bug.cgi?id=1412834
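Review bot: the final sentence, `tracked in \`Bugzilla 1412834\`_`, is missing its full stop, and "an empty path attribute to the script element" reads better as "on the script element" in both places it occurs. The note is filed under `issues:` although it describes a behaviour change shipped by this commit (Nova no longer emits the empty `path`); the Nova-side part belongs under `fixes:`, with only the existing-VM caveat (the libvirt change tracked in Bugzilla 1412834) left under `issues:`, so that readers scanning the Bug Fixes section of the release notes find it.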