Description of problem: When using any of the virDomainSave or virDomainRestore APIs, they have this bit of code in src/libvirt.c: /* We must absolutize the file path as the save is done out of process */ if (virFileAbsPath(to, &absolute_to) < 0) { virLibConnError(VIR_ERR_INTERNAL_ERROR, _("could not build absolute output file path")); goto error; } If using an absolute path, this is fine as this is pretty much a strcpy. If you are using libvirt locally and using a relative path, this will do what the user expects. Howver, if you are using libvirt remotely *and* you try to use a relative path, this will do something unexpected. Namely, it will convert the relative path to an absolute path *at the client*, and then make the RPC call. When the remote libvirtd gets the call, it will very likely do something that the user did not expect. I can think of a few ways to solve this problem: 1) Put checks in src/libvirt.c so that if the URI is remote and the path is relative, an error is thrown. The downside here is that you need a reliable way to detect a remote URI, and this also could be considered something of a semantic API break. 2) Move the conversion from relative to absolute path down into the individual drivers. The downside here is that you have code duplication, and you also have the problem of where the relative path starts from. 3) Disallow relative paths. Again, this would be a semantic API break. Does anyone else have any ideas of how to make this less surprising?
(In reply to comment #0) > > I can think of a few ways to solve this problem: > 1) Put checks in src/libvirt.c so that if the URI is remote and the path is > relative, an error is thrown. The downside here is that you need a reliable > way to detect a remote URI, and this also could be considered something of a > semantic API break. > 2) Move the conversion from relative to absolute path down into the individual > drivers. The downside here is that you have code duplication, and you also > have the problem of where the relative path starts from. > 3) Disallow relative paths. Again, this would be a semantic API break. > > Does anyone else have any ideas of how to make this less surprising? Yes - see this upstream thread. Solutions include new APIs, and the possibility of specifying a new flag bit to request that a name be resolved relative to a storage pool on the server rather than resolved to the file system on the client. https://www.redhat.com/archives/libvir-list/2011-September/msg01025.html
The notion of expanding the API to explicitly handle this case doesn't really sound worth it IMO. I think it's sufficient to just tell callers to use an absolute path if they want sensible output for remote hosts