Bug 746072 - virDomainSave* and virDomainRestore* APIs choose an odd relative path when used remotely
Summary: virDomainSave* and virDomainRestore* APIs choose an odd relative path when us...
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-10-13 19:59 UTC by Chris Lalancette
Modified: 2016-04-19 21:29 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-19 21:29:47 UTC
Embargoed:

Attachments (Terms of Use)

Description Chris Lalancette 2011-10-13 19:59:08 UTC 
Description of problem:
When using any of the virDomainSave or virDomainRestore APIs, they have this bit of code in src/libvirt.c:


        /* We must absolutize the file path as the save is done out of process */
        if (virFileAbsPath(to, &absolute_to) < 0) {
            virLibConnError(VIR_ERR_INTERNAL_ERROR,
                            _("could not build absolute output file path"));
            goto error;
        }

If using an absolute path, this is fine as this is pretty much a strcpy.  If you are using libvirt locally and using a relative path, this will do what the user expects.  Howver, if you are using libvirt remotely *and* you try to use a relative path, this will do something unexpected.  Namely, it will convert the relative path to an absolute path *at the client*, and then make the RPC call.  When the remote libvirtd gets the call, it will very likely do something that the user did not expect.

I can think of a few ways to solve this problem:
1)  Put checks in src/libvirt.c so that if the URI is remote and the path is relative, an error is thrown.  The downside here is that you need a reliable way to detect a remote URI, and this also could be considered something of a semantic API break.
2)  Move the conversion from relative to absolute path down into the individual drivers.  The downside here is that you have code duplication, and you also have the problem of where the relative path starts from.
3)  Disallow relative paths.  Again, this would be a semantic API break.

Does anyone else have any ideas of how to make this less surprising?
Comment 1 Eric Blake 2011-10-13 20:04:47 UTC 
(In reply to comment #0)
> 
> I can think of a few ways to solve this problem:
> 1)  Put checks in src/libvirt.c so that if the URI is remote and the path is
> relative, an error is thrown.  The downside here is that you need a reliable
> way to detect a remote URI, and this also could be considered something of a
> semantic API break.
> 2)  Move the conversion from relative to absolute path down into the individual
> drivers.  The downside here is that you have code duplication, and you also
> have the problem of where the relative path starts from.
> 3)  Disallow relative paths.  Again, this would be a semantic API break.
> 
> Does anyone else have any ideas of how to make this less surprising?

Yes - see this upstream thread.  Solutions include new APIs, and the possibility of specifying a new flag bit to request that a name be resolved relative to a storage pool on the server rather than resolved to the file system on the client.

https://www.redhat.com/archives/libvir-list/2011-September/msg01025.html
Comment 2 Cole Robinson 2016-04-19 21:29:47 UTC 
The notion of expanding the API to explicitly handle this case doesn't really sound worth it IMO. I think it's sufficient to just tell callers to use an absolute path if they want sensible output for remote hosts
Note You need to log in before you can comment on or make changes to this bug.