Bug 1077009

Summary: It shouldn't be permitted to change the uuid of a nwfilter
Product: Red Hat Enterprise Linux 7
Reporter: Hu Jianwei <jiahu>
Component: libvirt
Assignee: Ján Tomko <jtomko>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Priority: medium
Version: 7.0
CC: ajia, dyuan, gsun, honzhang, mzhan, rbalakri
Target Milestone: rc
Hardware: x86_64
OS: Linux
Fixed In Version: libvirt-1.2.7-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 07:32:46 UTC
Type: Bug

Description Hu Jianwei 2014-03-17 02:20:36 UTC
Description of problem:
It shouldn't be permitted to change the uuid of a nwfilter

Version-Release number of selected component (if applicable):
libvirt-1.1.1-27.el7.x86_64
qemu-kvm-rhev-1.5.3-53.el7.x86_64
kernel-3.10.0-110.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Dump a nwfilter
[root@localhost ~]# virsh nwfilter-dumpxml mynwfilter
<filter name='mynwfilter' chain='root'>
  <uuid>71ef822b-4220-4752-b1aa-3653d40254a1</uuid>
  <rule action='drop' direction='out' priority='-650'>
    <tcp dstportstart='22'/>
  </rule>
</filter>

2. Change its uuid to a new one, like "71ef822b-4220-4752-b1aa-3653d4025999"
[root@localhost ~]# virsh nwfilter-edit mynwfilter
Network filter mynwfilter XML configuration edited.

[root@localhost ~]# virsh nwfilter-dumpxml mynwfilter
<filter name='mynwfilter' chain='root'>
  <uuid>71ef822b-4220-4752-b1aa-3653d4025999</uuid>
  <rule action='drop' direction='out' priority='-650'>
    <tcp dstportstart='22'/>
  </rule>
</filter>


Actual results:
As shown above. Its uuid was changed.

Expected results:
I think libvirt should prevent those actions and report some warning/error message like virtual network/domain.

[root@localhost ~]# virsh net-dumpxml default
<network>
  <name>default</name>
  <uuid>02ddfd5e-8b4b-48b2-ad16-e0876e76f4da</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0' />
  <mac address='52:54:00:58:33:1b'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254' />
    </dhcp>
  </ip>
</network>

[root@localhost ~]# virsh net-edit default
error: operation failed: network 'default' already exists with uuid 02ddfd5e-8b4b-48b2-ad16-e0876e76f4da
Failed. Try again? [y,n,f,?]:


[root@localhost ~]# virsh dumpxml r7| grep uuid -a5
<domain type='kvm' id='6'>
  <name>r7</name>
  <uuid>6495a404-dc7b-4b8a-8ea3-29c6896d0849</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>

[root@localhost ~]# virsh edit r7
error: operation failed: domain 'r7' already exists with uuid 6495a404-dc7b-4b8a-8ea3-29c6896d0849
Failed. Try again? [y,n,f,?]:


Additional info:
I have a candidate patch for this issue, could you accept it?

diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index 5599443..ca5696a 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -2978,6 +2978,17 @@ virNWFilterObjAssignDef(virNWFilterObjListPtr nwfilters,
             return NULL;
         }
         virNWFilterObjUnlock(nwfilter);
+    } else {
+           nwfilter = virNWFilterObjFindByName(nwfilters, def->name);
+           if (nwfilter) {
+              char uuidstr[VIR_UUID_STRING_BUFLEN];
+              virUUIDFormat(nwfilter->def->uuid, uuidstr);
+              virReportError(VIR_ERR_OPERATION_FAILED,
+                             _("filter '%s' already exists with uuid %s"),
+                             nwfilter->def->name, uuidstr);
+              virNWFilterObjUnlock(nwfilter);
+              return NULL;
+            }    
     }

     if (virNWFilterDefLoopDetect(nwfilters, def) < 0) {
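
Review bot: The added else branch is indented inconsistently: the `nwfilter = virNWFilterObjFindByName(...)` and `if (nwfilter) {` lines sit at 11 spaces, the body at 14, and the inner closing brace at 12 with trailing whitespace, while the surrounding context lines step by four. Re-indent the branch to 8 and 12 spaces and drop the trailing blanks. A one-line comment above the name lookup would also help, stating that a name match in this branch means the incoming definition carries a different UUID than the stored filter; the message "filter '%s' already exists with uuid %s" prints only the stored UUID and does not say that the rejected edit tried to change it. Since the name looked up is `def->name`, passing `def->name` to virReportError would make it plainer that the conflict is with the definition being assigned.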


[root@amd-5600-4-1 x86_64]# virsh nwfilter-dumpxml clean-traffic-9 
<filter name='clean-traffic-9' chain='root'>
  <uuid>415c9b7e-efd1-4099-a9a4-d9589d8d85e4</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <rule action='accept' direction='out' priority='-600'>
    <mac protocolid='ipv4'/>
  </rule>
  <filterref filter='allow-incoming-ipv4'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>

[root@amd-5600-4-1 x86_64]# virsh nwfilter-edit clean-traffic-9
error: operation failed: filter 'clean-traffic-9' already exists with uuid 415c9b7e-efd1-4099-a9a4-d9589d8d85e4
Failed. Try again? [y,n,f,?]:

Comment 1 Ján Tomko 2014-07-07 13:58:50 UTC
I have posted the patch from comment 0 upstream:
https://www.redhat.com/archives/libvir-list/2014-July/msg00320.html

Comment 2 Ján Tomko 2014-07-08 06:21:57 UTC
Now pushed upstream:
commit 46a811db0731cedaea0153fc223faa6096cee5b5
Author:     Hu Jianwei <jiahu>
AuthorDate: 2014-07-07 15:55:16 +0200
Commit:     Ján Tomko <jtomko>
CommitDate: 2014-07-07 15:55:16 +0200

    Do not allow changing the UUID of a nwfilter
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1077009

git describe: v1.2.6-58-g46a811d

Comment 4 Hu Jianwei 2014-11-24 09:23:59 UTC
I can not reproduce it on libvirt-1.2.8-7.el7.x86_64

[root@ibm-x3850x5-06 ~]# rpm -q libvirt
libvirt-1.2.8-7.el7.x86_64
[root@ibm-x3850x5-06 ~]# virsh nwfilter-dumpxml mynwfilter
<filter name='mynwfilter' chain='root'>
  <uuid>71ef822b-4220-4752-b1aa-3653d40254a1</uuid>
  <rule action='drop' direction='out' priority='-650'>
    <tcp dstportstart='22'/>
  </rule>
</filter>

[root@ibm-x3850x5-06 ~]# virsh nwfilter-edit mynwfilter
error: operation failed: filter 'mynwfilter' already exists with uuid 71ef822b-4220-4752-b1aa-3653d40254a1
Failed. Try again? [y,n,f,?]:
error: operation failed: filter 'mynwfilter' already exists with uuid 71ef822b-4220-4752-b1aa-3653d40254a1
Failed. Try again? [y,n,f,?]:

[root@ibm-x3850x5-06 ~]# virsh nwfilter-dumpxml mynwfilter
<filter name='mynwfilter' chain='root'>
  <uuid>71ef822b-4220-4752-b1aa-3653d40254a1</uuid>
  <rule action='drop' direction='out' priority='-650'>
    <tcp dstportstart='22'/>
  </rule>
</filter>

The uuid can not be changed, move to Verified.

Comment 6 errata-xmlrpc 2015-03-05 07:32:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html