| 2016-09-05 21:03:27 |
Matthias Ferdinand |
bug |
|
|
added bug |
| 2016-09-05 21:03:27 |
Matthias Ferdinand |
attachment added |
|
interface-type-ethernet-with-script.patch https://bugs.launchpad.net/bugs/1620407/+attachment/4735142/+files/interface-type-ethernet-with-script.patch |
|
| 2016-09-06 00:37:18 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
| 2016-09-06 00:37:27 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
| 2016-09-06 18:55:41 |
Joshua Powers |
libvirt (Ubuntu): importance |
Undecided |
Medium |
|
| 2016-09-06 18:55:44 |
Joshua Powers |
libvirt (Ubuntu): status |
New |
Triaged |
|
| 2016-09-06 18:55:52 |
Joshua Powers |
bug |
|
|
added subscriber Ubuntu Server Team |
| 2016-09-09 07:22:27 |
Sebastien Bacher |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2017-01-11 16:09:49 |
Sebastien Bacher |
bug |
|
|
added subscriber ChristianEhrhardt |
| 2017-01-12 13:26:38 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Triaged |
Incomplete |
|
| 2017-01-13 04:41:00 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Incomplete |
Confirmed |
|
| 2017-01-18 11:07:49 |
Christian Ehrhardt |
tags |
patch |
needs-bisect patch |
|
| 2017-01-18 11:11:57 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Confirmed |
Triaged |
|
| 2017-01-18 11:12:02 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Xenial |
|
| 2017-01-18 11:12:02 |
Christian Ehrhardt |
bug task added |
|
libvirt (Ubuntu Xenial) |
|
| 2017-01-18 11:12:09 |
Christian Ehrhardt |
libvirt (Ubuntu Xenial): status |
New |
Triaged |
|
| 2017-01-18 11:12:11 |
Christian Ehrhardt |
libvirt (Ubuntu Xenial): importance |
Undecided |
Medium |
|
| 2017-01-18 11:12:15 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Triaged |
Fix Released |
|
| 2017-02-06 06:38:00 |
Christian Ehrhardt |
libvirt (Ubuntu Xenial): status |
Triaged |
In Progress |
|
| 2017-02-06 14:50:32 |
Christian Ehrhardt |
description |
Ubuntu 16.04.1 LTS (amd64)
libvirt-bin 1.3.1-1ubuntu10.1
We use external scripts to setup tap interfaces, e.g.
<interface type='ethernet'>
<mac address='52:54:00:18:0d:a3'/>
<script path='/etc/libvirt/14v/mf_testet.sh'/>
<target dev='mf_testet'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
Starting the VM throws an error message ("interface not found" or something like that).
IIUC, the script invocation is done by qemu, so the interface
may not yet exist when libvirt is constructing the qemu cmd args.
Checking for that interface in advance therefore is a bug.
Attached patch skips the check if a <script> parameter is provided.
Regards
Matthias Ferdinand |
Regression restricted to set script which is rare as it is a massive security drop
[Impact]
* A user using a type "ethernet" device with a custom script as working
in Trusty runs into an error on Xenial.
* Essentially Xenials libvirt "only" stumbles over a check&add on an
index for that network device. But since it might be externally created
later (up until on qemu start) it might not be available at the time it
is checking. So the fix skips the check index in those cases.
* The fix as-is is not upstream because upstream opted for a fare bigger
rework of the section in which after 9c17d665fdc5f "autocreate tap
device for ethernet network type" libvirt calls the script. That also
allows different security levels (permission of libvirt instead of
qemu) but these changes are huge and not sufficient for an SRU fix.
[Test Case]
* Create a guest your usual way (e.g. uvtool-libvirt
* Add a script based type network ethernet device (there is no need to
create a script, one can use the default of qemu). The xml snippet
looks like this:
<interface type='ethernet'>
<mac address='52:54:00:18:0d:a3'/>
<script path='/etc/qemu-ifup'/>
<target dev='newdevname'/>
<model type='virtio'/>
</interface>
* without the fix this runs into:
error: Failed to start domain <guestname>
error: Unable to get index for interface <devicename>: No such device
[Regression Potential]
* There could be a cornercase around nicindexes which due to the skip in
case net->skript is set that was not covered in our experiments now
failing. But since as of today setting the script tag in generally
fails those people should not exist.
* Another fact that limits the potential regression is that type ethernet
devices come at a huge security disadvantage - it needs to run
privileged as root and also disable certain security features (not
clearing capabilities for example).
That said the number of users still using that feature should be low
and shrinking further.
[Other Info]
* n/a
----- original report -----
Ubuntu 16.04.1 LTS (amd64)
libvirt-bin 1.3.1-1ubuntu10.1
We use external scripts to setup tap interfaces, e.g.
<interface type='ethernet'>
<mac address='52:54:00:18:0d:a3'/>
<script path='/etc/libvirt/14v/mf_testet.sh'/>
<target dev='mf_testet'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
Starting the VM throws an error message ("interface not found" or something like that).
IIUC, the script invocation is done by qemu, so the interface
may not yet exist when libvirt is constructing the qemu cmd args.
Checking for that interface in advance therefore is a bug.
Attached patch skips the check if a <script> parameter is provided.
Regards
Matthias Ferdinand |
|
| 2017-02-07 16:23:26 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2017-02-09 03:56:01 |
Chris J Arges |
libvirt (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2017-02-09 03:56:06 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
| 2017-02-09 03:56:12 |
Chris J Arges |
tags |
needs-bisect patch |
needs-bisect patch verification-needed |
|
| 2017-02-15 08:12:39 |
Christian Ehrhardt |
tags |
needs-bisect patch verification-needed |
needs-bisect patch verification-done |
|
| 2017-02-16 18:40:56 |
Launchpad Janitor |
libvirt (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2017-02-16 18:41:12 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
