On Mon, May 09, 2016 at 11:57:20AM -0400, Cole Robinson wrote:
On 05/09/2016 04:59 AM, Peter Krempa wrote:
> On Fri, May 06, 2016 at 11:19:05 -0400, John Ferlan wrote:
>>
>>
>> On 05/02/2016 10:32 AM, Peter Krempa wrote:
>>> This reverts commit c79ebf53b5fe0a33bf407b3bcb49e3a27ec97eb4.
>>>
>>> We can't just add checks to the XML parser once we've accepted such
>>> configuration in the past.
But we can just revert the check once we've accepted it? :)
>>> ---
>>> src/conf/domain_conf.c | 22 ----------------------
>>> tests/qemuxml2argvtest.c | 3 +--
>>> 2 files changed, 1 insertion(+), 24 deletions(-)
>>>
>>
>> There was a bz associated with that commit - that'll need to be
>> addressed in some manner...
>
> Well, the initial assesment of that BZ was wrong. This should have been
> fixed in virt manager at that point.
>
That bz:
https://bugzilla.redhat.com/show_bug.cgi?id=1201143
Is loaded with GSS and other 'priority' tags. Maybe the original assessment of
the bug is wrong. But just reverting the commit with little mention of that
until John dug it up is not helpful IMO
Neither is discussing a private BZ on a public list:
"You are not authorized to access bug #1201143. To see this bug, you
must first log in to an account with the appropriate permissions."
>> While I understand your point here, the configuration
didn't work - that
>> is it couldn't be started anyway so there could not be a domain running
>> with that configuration and thus it wouldn't disappear on a subsequent
>> reload, hence why checking the config and rejecting "earlier" seemed
>
> It does not kill any running domain, that's right. Defined domains still
> vanish after that commit if they were defined before. That is still
> unwanted.
>
Yes, this is problematic, but then again has this issue bitten us in the year
since this was committed? We should still fix it, but it's not time
critical... Maybe we come up with a better solution.
>> proper even though we hadn't rejected such a config when the
>> "mode='host'" was first implemented.
>
> Only when introducing a feature you are allowed to do a check that
> rejects parsing XML, afterwards, no such thins should be added.
>
Right, these rules make technical sense, but are extremely difficult to audit,
and have proven hard to enforce. People wandering into the code may follow the
conventions of the code around them, and have no idea that adding a new
validation check is 'bad' when the pre-existing similar checks are
'good'
strictly based one when they were added.
I think we need a better framework for this. I'll probably send a larger mail
at some point, but basically I think we should:
- rename VIR_DOMAIN_DEF_PARSE_SKIP_OSTYPE_CHECKS to something generic like
VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATION. The original flag is used at libvirtd
startup time to avoid the 'disappearing domain' problem for when a qemu is
uninstalled for example, but we still get that validation check for normal
runtime XML define
The problem with skipping validation is that we will end up with invalid
domains being defined, breaking assumptions in other parts of libvirt.
That way we would have to duplicate the checks on domain startup too
(which would not be such a problem if they were all in the same
function).
For example:
commit 21b316f4d351859d9ccbf8a20199f7e8707fd51d
qemu: error out on missing machine type in configs
which I added after someone tried to put the machine XML directly in
/etc/libvirt.
There's no point in allowing the user to (try to) start such a domain,
but currently we treat such unvalidated XML the same as XML from a fresh
define.
I think I recall an attempt to introudce an 'invalid' state, where you
could not start the domain, but it was editable by libvirt APIs.
Unfortunately I cannot find it in the archives. Does anyone remember
what happened to it?
Jan