[libvirt PATCH 0/3] cpu: Make unknown XML elements fail CPU comparison

[Peter Krempa]

On Thu, Sep 17, 2020 at 15:20:18 +0200, Tim Wiederhake wrote:
> On Wed, 2020-09-16 at 14:48 +0100, Daniel P. Berrangé wrote:
> > On Wed, Sep 16, 2020 at 03:33:53PM +0200, Tim Wiederhake wrote:
> > > We currently ignore unknown elements in the CPU XML description,
> > > e.g. with vi=
> > > rsh
> > > cpu-compare and hypervisor-cpu-compare. This makes '<cpu><faeture
> > > name=3D"...=
> > > "/></cpu>'
> > > (note the typo in "faeture") semantically identic to '<cpu/>'. No
> > > error is re=
> > > ported.
> > 
> > This is an intentional implementation choice in libvirt. The XML
> > documents
> > that we're parsing are way to large and complex for us to justify
> > adding
> > code to report errors for every invalid attribute or child element
> > name.
> >
> > We provide an RNG schema, however, which declares the valid set of
> > attrs
> > and thus by running RNG schema validation, a client can get a error
> > report
> > of invalid info.
> > 
> > We enable this validation by default in "virsh edit" and a few other
> > similar commands.
> > 
> > There are certainly libvirt APIs though which accept XML and don't
> > have
> > a flag defined to enable RNG schema validation. I presume the CPU
> > APIs
> > are one such case.  We should add support for validation to all such
> > APIs accepting XML documents, and wire it up in virsh.
> > 
> > Regards,
> > Daniel
> 
> Hi Daniel, all,
> 
> thanks for the input!
> 
> My first attempt at the problem I described did in fact employ RNG
> schema validation on the xml documents describing the CPU. The problem
> though with that approach is that `virsh [hypervisor-]cpu-compare` can
> consume quite different xml documents. The tests add more possible
> document types, e.g. multicpu, which force the schema for a validation
> performed in `virCPUDefParseXML` to basically import all other schemas
> (which produced some naming conflicts that I was unable to solve) and,
> secondly, perform a lot of unneccessary validation.
> 
> I created a schema that would perform only a check for "unknown"
> elements and attributes in the cpu element and ignore everything else.
> I attached this for your entertainment. There you can see what I meant
> with "different xml documents".

IMO that would not be very useful. The premise of rejecting just unknown
elements itself as described by the bug is IMO flawed and not very
useful.

Fixing this bug makes only sense when we actually validate the whole
schema.

> Copying / moving the node into a new document just for validation seems
> not like an elegant solution (if possible at all) and I am unsure about
> potential performance impact.

IMO the CPU comparison APIs aren't on any hot path so wasting a few
cycles here especially only when enabled by an API flag (since
validation must be enabled only as an opt-in as we were accepting broken
XMLs before, if they had valid parts in them) seems to be better than
the proposed solution with ad-hoc code validator.

> The best solution in my opinion would be to not perform XPath
> evaluation in the parser, but instead use some stream parser and error
> out if the parser encounteres an element with an unknown name.

libxml doesn't seem to support such mode. Inventing a new parser just
for this is a waste of time.

> The next best solution in my opinion is the one you reviewed. I agree
> with all comments made that this is far from perfect, but at least it
> would trigger visible test fails when / if new elements and attributes
> are added without that list being expanded.

I disagree. IMO the next best solution after RNG validation is just not
fixing it at all. The bug itself doesn't warant inventing ad-hoc
solutions for just this special case.

> I will further explore whether it is possible to do node-only
> validation without creating an include-everything schema, but I would
> be grateful for any hint or suggestion in that direction. We should
> have at least some error reporting in the case I described initially.

I'd say don't bother with that.