Version-Release number of selected component (if applicable):
libvirt-5.0.0-6.el8.x86_64
qemu-kvm-3.1.0-18.module+el8+2834+fa8bb6e2.x86_64

How reproducible:
100%

Reproduce steps:
1. Prepare guest xml with ceph auth disk:
# virsh dumpxml rhel8 > /tmp/ceph.xml
...
    <disk type='network' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source protocol='rbd' name='libvirt-tool/yafu1.img'>
        <host name='10.73.75.128' port='6789'/>
        <auth username='admin'>
          <secret type='ceph' ***usage='client.admin secret'***/>
        </auth>
      </source>
      <backingStore/>
      <target dev='sdd' bus='scsi'/>
      <alias name='scsi0-0-0-3'/>
      <address type='drive' controller='0' bus='0' target='0' unit='3'/>
    </disk>
...

2. # virt-xml-validate /tmp/ceph.xml
Relax-NG validity error : Extra element devices in interleave
/tmp/ceph.xml:68: element devices: Relax-NG validity error : Element domain failed to validate content
/tmp/ceph.xml fails to validate

3. Validating the domain xml succeeds if the auth part is removed from the ceph disk.

Actual results:
Fail to validate domain xml with ceph auth disk

Expected results:
Should validate domain xml with ceph auth disk successfully

Additional info:
1. The value of usage is defined by the following pattern:
    <param name="pattern">[a-zA-Z0-9_\+\-]+</param>
but a space is needed in the value of usage.

Both disk/secret/usage and the secret usage element have the same definition of the value in the RNG schema. This means that a <secret> with the usage as in the example above can't be validated when used in the <secret> element:

$ cat test-secret.xml
<secret ephemeral='no' private='yes'>
  <uuid>0a81f5b2-8403-7b23-c8d6-21ccc2f80d6e</uuid>
  <usage type='ceph'>
    <name>client.admin secret</name>
  </usage>
</secret>
$ virt-xml-validate test-secret.xml
test-secret.xml:4: element name: Relax-NG validity error : Error validating datatype string
test-secret.xml:4: element name: Relax-NG validity error : Element name failed to validate content
Relax-NG validity error : Extra element usage in interleave
test-secret.xml:1: element secret: Relax-NG validity error : Element secret failed to validate content
test-secret.xml fails to validate

If the name is fixed according to the regex which is also accepted in the context of the <disk>

$ cat test-secret.xml
<secret ephemeral='no' private='yes'>
  <uuid>0a81f5b2-8403-7b23-c8d6-21ccc2f80d6e</uuid>
  <usage type='ceph'>
    <name>clientadminsecret</name>
  </usage>
</secret>
$ virt-xml-validate test-secret.xml
test-secret.xml validates

As both <disk><source><auth><secret> and <secret><usage> are using the same regex I don't see any problem.

I'm reopening this because I'm not sure it was brought to a satisfactory conclusion as some work is definitely required to fully resolve this.

A long time ago the rbd driver was written and an arbitrary format for the name of the secret was decided upon 'client.X secret' where 'X' represents the name of the client. This was at least seven years ago and has been documented in several places [0][1] (there are more if you search including inside a copy of 'Mastering KVM Virtualization'). Whilst it's true this name could take any form there are multiple examples in the wild.

Looking at the description of this bug there may even be templates that produce output like, "<secret type='ceph' ***usage='client.admin secret'***/>" perhaps in openstack tooling/scripts, etc. but I haven't been able to positively identify that.

So IMHO a true solution here would either involve modifying the validation tool to accept this format or make this format an error and document here that it may not include spaces or full stops AND find all locations where this is documented and change them. This applies to both entries in both the secret and disk xml as they need to match.

[0] https://docs.ceph.com/en/latest/rbd/libvirt/#configuring-the-vm
[1] https://documentation.suse.com/ses/6/html/ses-all/cha-ceph-libvirt.html#ceph-libvirt-cfg-vm

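
Added example, not part of the bug thread and not libvirt code: a small audit that checks, for every ceph disk in a domain XML, whether its usage name satisfies the pattern quoted in the description and whether a secret with exactly that usage name is defined. The sample XML is constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Pattern quoted in the bug description; an RNG pattern must match the whole value.
OLD_USAGE_PATTERN = re.compile(r"[a-zA-Z0-9_\+\-]+")

# Constructed sample: the disk still uses the documented 'client.X secret' form,
# while the secret was renamed to satisfy the old pattern.
DOMAIN_XML = """<domain type='kvm'>
  <name>rhel8</name>
  <devices>
    <disk type='network' device='disk'>
      <source protocol='rbd' name='libvirt-tool/yafu1.img'>
        <auth username='admin'>
          <secret type='ceph' usage='client.admin secret'/>
        </auth>
      </source>
      <target dev='sdd' bus='scsi'/>
    </disk>
  </devices>
</domain>"""
SECRET_XMLS = [
    "<secret><usage type='ceph'><name>clientadminsecret</name></usage></secret>",
]

def disk_usages(domain_xml):
    """Usage names referenced by <disk><source><auth><secret type='ceph'>."""
    root = ET.fromstring(domain_xml)
    path = ".//disk/source/auth/secret[@type='ceph']"
    return [s.get("usage") for s in root.iterfind(path) if s.get("usage")]

def secret_usages(secret_xmls):
    """Usage names defined by <secret><usage type='ceph'><name>."""
    names = set()
    for doc in secret_xmls:
        name = ET.fromstring(doc).findtext("usage[@type='ceph']/name")
        if name:
            names.add(name)
    return names

def audit(domain_xml, secret_xmls):
    """One finding per disk usage: old-pattern conformance and secret lookup."""
    defined = secret_usages(secret_xmls)
    return [{"usage": u,
             "old_schema_ok": OLD_USAGE_PATTERN.fullmatch(u) is not None,
             "secret_defined": u in defined}
            for u in disk_usages(domain_xml)]

if __name__ == "__main__":
    for finding in audit(DOMAIN_XML, SECRET_XMLS):
        print(finding)
```
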
Schema was relaxed upstream:

commit 9aa1a1ea77ba13db6539212472e7dfc624bb39b4
Author: Peter Krempa <pkrempa>
Date:   Wed Jan 6 17:19:03 2021 +0100

    schema: secret: Relax requirements for usage name

    There's plenty of existing documentation [1] which shows as example a
    name which contains a space and a dot ('client.admin secret') as ceph
    usage name.

    Use a more relaxed type in the RNG schema since the usage name is
    actually just a string used to look up the secret.

    [1]: https://docs.ceph.com/en/latest/rbd/libvirt/#configuring-the-vm
         https://documentation.suse.com/ses/6/html/ses-all/cha-ceph-libvirt.html#ceph-libvirt-cfg-vm

    Libvirt docs were correct though:
    https://libvirt.org/formatsecret.html#CephUsageType

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1689168
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

commit 1a3c07989b5bee79713e1f2014c0c31443878d1b
Author: Peter Krempa <pkrempa>
Date:   Wed Jan 6 16:51:21 2021 +0100

    schema: Add define for object names

    Objects such as domain, pool, etc re-define the regex for the format.
    Add more generic types for objects with/without a slash which we'll be
    able to reuse also for other objects.

    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

commit e9551061955be0d9b041968585df8db589a0cb69
Author: Peter Krempa <pkrempa>
Date:   Wed Jan 6 11:27:50 2021 +0100

    schema: Remove workaround for bug in libxml2 2.7.6

    New libxml2 handles '\n' properly so the literal newline is not
    necessary, because 2.9.1 is the minimum version we support.

    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

Test as comment 0 on v7.0.0-rc1-16-g97b1de5051. Passed
Verified on libvirt-7.0.0-1.module+el8.4.0+9464+3e71831a.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2098