nova/releasenotes/notes/libvirt-script-with-empty-path-2b49caa68b05278d.yaml
Neil Jerram 847952927c libvirt: avoid generating script with empty path
Previously, libvirt just appended 'script=' onto the QEMU cmd line
according to what <script path=''/> contained, letting QEMU execute the
script.  That was flawed from security POV (you don't want QEMU to be
allowed to execute anything), so newer libvirt (as of [1]) executes the
script now.  But the libvirt code doesn't allow this corner case (of
allowing and ignoring an empty script path) whereas apparently the QEMU
code does.

So the Nova setting of '' used to work by accident, but now does not.

[1]
http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=9c17d66 (autocreate
tap device for ethernet network type)

Closes-Bug: #1649527
Change-Id: I4f97c05e2dec610af22a5150dd27696e1d767896
2017-01-24 12:50:49 +00:00

---
issues:
  - |
    When generating Libvirt XML to attach network interfaces for the `tap`,
    `ivs`, `iovisor`, `midonet`, and `vrouter` virtual interface types, Nova
    previously generated an empty path attribute to the script element
    (`<script path=''/>`) of the interface.

    As of Libvirt 1.3.3 (`commit`_) and later, Libvirt no longer accepts an
    empty path attribute to the script element of the interface. Notably this
    includes Libvirt 2.0.0 as provided with RHEL 7.3 and CentOS 7.3-1611. The
    creation of virtual machines with offending interface definitions on a host
    with Libvirt 1.3.3 or later will result in an error "libvirtError: Cannot
    find '' in path: No such file or directory".

    Additionally, where virtual machines already exist that were created using
    earlier versions of Libvirt, interactions with these virtual machines via
    Nova or other utilities (e.g. `virsh`) may result in similar errors.

    To mitigate this issue Nova no longer generates an empty path attribute
    to the script element when defining an interface. This resolves the issue
    with regards to virtual machine creation. To resolve the issue with regards
    to existing virtual machines a change to Libvirt is required; this is being
    tracked in `Bugzilla 1412834`_.

    .. _commit: https://libvirt.org/git/?p=libvirt.git;a=commit;h=9c17d665fdc5f0ab74500a14c30627014c11b2c0

    .. _Bugzilla 1412834: https://bugzilla.redhat.com/show_bug.cgi?id=1412834
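
The release note above says existing virtual machines can still carry the offending `<script path=''/>` definition. The following is an added example, not part of Nova or of this release note, showing one way to find such interfaces in a domain's XML. The function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from a real host).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='ethernet'>
      <mac address='fa:16:3e:00:00:01'/>
      <script path=''/>
      <target dev='tap0example'/>
    </interface>
    <interface type='ethernet'>
      <mac address='fa:16:3e:00:00:02'/>
      <target dev='tap1example'/>
    </interface>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:03'/>
      <source bridge='br-int'/>
      <script path='/etc/qemu-ifup'/>
      <target dev='tap2example'/>
    </interface>
  </devices>
</domain>
"""


def find_empty_script_interfaces(domain_xml):
    """Return (domain name, mac, target dev) for every interface whose
    <script> element has an empty or missing path attribute."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="<unnamed>")
    hits = []
    for iface in root.iter("interface"):
        script = iface.find("script")
        if script is None:
            continue  # no script element at all: nothing to flag
        if (script.get("path") or "").strip() == "":
            mac = iface.find("mac")
            target = iface.find("target")
            hits.append((name,
                         mac.get("address") if mac is not None else None,
                         target.get("dev") if target is not None else None))
    return hits


if __name__ == "__main__":
    for name, mac, dev in find_empty_script_interfaces(SAMPLE_DOMAIN_XML):
        print(f"{name}: interface {dev} ({mac}) has an empty script path")
```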