libvirt: avoid generating script with empty path
Previously, libvirt just appended 'script=' onto the QEMU cmd line
according to what <script path=''/> contained, letting QEMU execute the
script. That was flawed from security POV (you don't want QEMU to be
allowed to execute anything), so newer libvirt (as of [1]) executes the
script now. But the libvirt code doesn't allow this corner case (of
allowing and ignoring an empty script path) whereas apparently the QEMU
code does.
So the Nova setting of '' used to work by accident, but now does not.
[1] http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=9c17d66 (autocreate tap device for ethernet network type)
Closes-Bug: #1649527
Change-Id: I4f97c05e2dec610af22a5150dd27696e1d767896
(cherry picked from commit 847952927c)
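A check an operator could run over domain XML (for example the output of `virsh dumpxml`) to find interfaces that still carry the empty `<script path=''/>` this commit stops generating. This is an added example, not part of the commit or of Nova; the function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from the commit): the first
# interface carries the empty script path older Nova emitted, the second
# omits the element, the third names a real script.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='ethernet'>
      <mac address='52:54:00:aa:bb:01'/>
      <target dev='tap-old'/>
      <script path=''/>
    </interface>
    <interface type='ethernet'>
      <mac address='52:54:00:aa:bb:02'/>
      <target dev='tap-new'/>
    </interface>
    <interface type='ethernet'>
      <mac address='52:54:00:aa:bb:03'/>
      <target dev='tap-custom'/>
      <script path='/etc/qemu-ifup'/>
    </interface>
  </devices>
</domain>
"""


def find_empty_script_interfaces(domain_xml):
    """Return (target dev, mac) for each interface with <script path=''/>."""
    root = ET.fromstring(domain_xml)
    hits = []
    for iface in root.iter("interface"):
        script = iface.find("script")
        # No <script> element is what Nova generates after this change;
        # a non-empty path is a deliberate setting and not this bug.
        if script is None or script.get("path") != "":
            continue
        target = iface.find("target")
        mac = iface.find("mac")
        hits.append((
            target.get("dev") if target is not None else None,
            mac.get("address") if mac is not None else None,
        ))
    return hits


if __name__ == "__main__":
    for dev, mac in find_empty_script_interfaces(SAMPLE_DOMAIN_XML):
        print(f"empty script path: dev={dev} mac={mac}")
```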
parent 7a7bbb6da2
commit 99f8a3c4e9
|
@ -58,7 +58,7 @@ class DesignerTestCase(test.NoDBTestCase):
|
|||
designer.set_vif_host_backend_ethernet_config(conf, 'fake-tap')
|
||||
self.assertEqual('ethernet', conf.net_type)
|
||||
self.assertEqual('fake-tap', conf.target_dev)
|
||||
self.assertEqual('', conf.script)
|
||||
self.assertIsNone(conf.script)
|
||||
|
||||
def test_set_vif_host_backend_802qbg_config(self):
|
||||
conf = config.LibvirtConfigGuestInterface()
|
||||
|
|
|
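Review bot: `self.assertIsNone(conf.script)` checks only the attribute on the config object, while the failure this change addresses is in the XML handed to libvirt. Consider also asserting here that the formatted interface XML contains no script element, so the designer test fails if a None script is ever serialised as an empty path again.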
@ -779,8 +779,8 @@ class LibvirtVifTestCase(test.NoDBTestCase):
|
|||
node = self._get_node(xml)
|
||||
self._assertTypeAndMacEquals(node, "ethernet", "target", "dev",
|
||||
self.vif_ivs, prefix=dev_prefix)
|
||||
script = node.find("script").get("path")
|
||||
self.assertEqual(script, "")
|
||||
script = node.find("script")
|
||||
self.assertIsNone(script)
|
||||
|
||||
def test_unplug_ivs_ethernet(self):
|
||||
d = vif.LibvirtGenericVIFDriver()
|
||||
|
|
|
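Review bot: The `self.assertIsNone(script)` check on `node.find("script")` is added only to the ivs ethernet test visible in this hunk, but the release note in this change lists `tap`, `iovisor`, `midonet` and `vrouter` as affected too. If those interface types have XML tests of their own, the same absence check belongs in each of them.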
@ -58,7 +58,7 @@ def set_vif_host_backend_ethernet_config(conf, tapname):
|
|||
|
||||
conf.net_type = "ethernet"
|
||||
conf.target_dev = tapname
|
||||
conf.script = ""
|
||||
conf.script = None
|
||||
|
||||
|
||||
def set_vif_host_backend_802qbg_config(conf, devname, managerid,
|
||||
|
|
|
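Review bot: `conf.script = None` carries no comment saying why None is required rather than an empty string, and the two read as interchangeable to anyone tidying this function later. A one-line comment that libvirt 1.3.3 and later reject an empty script path would guard against a regression. The hunk also does not show how the config class formats a None script, so confirm it omits the element rather than emitting it with an empty attribute.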
@ -0,0 +1,27 @@
|
|||
---
|
||||
issues:
|
||||
- |
|
||||
When generating Libvirt XML to attach network interfaces for the `tap`,
|
||||
`ivs`, `iovisor`, `midonet`, and `vrouter` virtual interface types Nova
|
||||
previously generated an empty path attribute to the script element
|
||||
(`<script path=''/>`) of the interface.
|
||||
|
||||
As of Libvirt 1.3.3 (`commit`_) and later Libvirt no longer accepts an
|
||||
empty path attribute to the script element of the interface. Notably this
|
||||
includes Libvirt 2.0.0 as provided with RHEL 7.3 and CentOS 7.3-1611. The
|
||||
creation of virtual machines with offending interface definitions on a host
|
||||
with Libvirt 1.3.3 or later will result in an error "libvirtError: Cannot
|
||||
find '' in path: No such file or directory".
|
||||
|
||||
Additionally, where virtual machines already exist that were created using
|
||||
earlier versions of Libvirt interactions with these virtual machines via
|
||||
Nova or other utilities (e.g. `virsh`) may result in similar errors.
|
||||
|
||||
To mitigate this issue Nova no longer generates an empty path attribute
|
||||
to the script element when defining an interface. This resolves the issue
|
||||
with regards to virtual machine creation. To resolve the issue with regards
|
||||
to existing virtual machines a change to Libvirt is required, this is being
|
||||
tracked in `Bugzilla 1412834`_
|
||||
|
||||
.. _commit: https://libvirt.org/git/?p=libvirt.git;a=commit;h=9c17d665fdc5f0ab74500a14c30627014c11b2c0
|
||||
.. _Bugzilla 1412834: https://bugzilla.redhat.com/show_bug.cgi?id=1412834
|
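Review bot: The whole note is filed under `issues:`, but its fourth paragraph describes a fix ("Nova no longer generates an empty path attribute"), which readers scanning a fixes section will miss. Consider splitting it: the virtual machine creation fix under `fixes:`, and the still-open problem with existing virtual machines, tracked in `Bugzilla 1412834`_, under `issues:`. The sentence ending in that link is also missing its full stop.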