diff -Nru libvirt-2.1.0/debian/changelog libvirt-2.1.0/debian/changelog
--- libvirt-2.1.0/debian/changelog 2016-12-01 08:51:22.000000000 +0000
+++ libvirt-2.1.0/debian/changelog 2017-03-21 08:17:45.000000000 +0000
@@ -1,3 +1,19 @@
+libvirt (2.1.0-1ubuntu9.3) yakkety; urgency=medium
+
+ * d/p/ubuntu/qemu-Allow-empty-script-path-to-interface.patch: in the past
+ meant a no-op, but libvirt now fails - fix to match
+ the old behavior (LP: #1665698).
+
+ -- Christian Ehrhardt Tue, 21 Mar 2017 09:16:57 +0100
+
+libvirt (2.1.0-1ubuntu9.2) yakkety; urgency=medium
+
+ * d/p/ubuntu/fix-command-generation-for-rbd.patch: fix the generation
+ of the command used to add disks when secrets are provided like when
+ using rbd (LP: #1672367).
+
+ -- Christian Ehrhardt Tue, 14 Mar 2017 14:12:51 +0100
+
libvirt (2.1.0-1ubuntu9.1) yakkety; urgency=medium
* d/p/u/apparmor-fix-other-seclabels.patch fixes an issue parsing non
diff -Nru libvirt-2.1.0/debian/patches/series libvirt-2.1.0/debian/patches/series
--- libvirt-2.1.0/debian/patches/series 2016-12-01 08:47:14.000000000 +0000
+++ libvirt-2.1.0/debian/patches/series 2017-03-21 08:16:10.000000000 +0000
@@ -59,3 +59,5 @@
ubuntu/make-postcopy-mandatory-for-postcopy-after-precopy.patch
ubuntu/libvirt-guests-filter-newline-from-list.patch
ubuntu/apparmor-fix-other-seclabels.patch
+ubuntu/fix-command-generation-for-rbd.patch
+ubuntu/qemu-Allow-empty-script-path-to-interface.patch
diff -Nru libvirt-2.1.0/debian/patches/ubuntu/fix-command-generation-for-rbd.patch libvirt-2.1.0/debian/patches/ubuntu/fix-command-generation-for-rbd.patch
--- libvirt-2.1.0/debian/patches/ubuntu/fix-command-generation-for-rbd.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.1.0/debian/patches/ubuntu/fix-command-generation-for-rbd.patch 2017-03-21 08:15:20.000000000 +0000
@@ -0,0 +1,54 @@
+Description: Fix the command line generation for rbd auth using aes secrets
+upstream commit d53d465083edeb64cc7b78249c030734c0d91c6b
+Author: John Ferlan
+Date: Tue Aug 16 16:50:15 2016 -0400
+
+ qemu: Fix the command line generation for rbd auth using aes secrets
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=1182074
+
+ Since libvirt still uses a legacy qemu arg format to add a disk, the
+ manner in which the 'password-secret' argument is passed to qemu needs
+ to change to prepend a 'file.' If in the future, usage of the more
+ modern disk format, then the prepended 'file.' can be removed.
+
+ Fix based on Jim Fehlig posting and subsequent
+ upstream list followups, see:
+
+ http://www.redhat.com/archives/libvir-list/2016-August/msg00777.html
+
+ for details. Introduced by commit id 'a1344f70'.
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1672367
+Last-Update: 2017-03-14
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index ebedaef..a6dea6a 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -1287,7 +1287,12 @@ qemuBuildDriveSourceStr(virDomainDiskDefPtr disk,
+ virBufferAddLit(buf, ",");
+
+ if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) {
+- virBufferAsprintf(buf, "password-secret=%s,",
++ /* NB: If libvirt starts using the more modern option based
++ * syntax to build the command line (e.g., "-drive driver=rbd,
++ * filename=%s,...") instead of the legacy model (e.g."-drive
++ * file=%s,..."), then the "file." prefix can be removed
++ */
++ virBufferAsprintf(buf, "file.password-secret=%s,",
+ secinfo->s.aes.alias);
+ }
+
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
+index 5034bb7..07d01b6 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
+@@ -26,7 +26,7 @@ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
+ mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
+-6322,password-secret=virtio-disk0-secret0,format=raw,if=none,\
++6322,file.password-secret=virtio-disk0-secret0,format=raw,if=none,\
+ id=drive-virtio-disk0' \
+ -device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\
+ id=virtio-disk0
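Review bot: The patch header records where the fix came from only as free text under `Description:` (the `upstream commit d53d465083edeb64cc7b78249c030734c0d91c6b` line), while the sibling patch qemu-Allow-empty-script-path-to-interface.patch carries `Forwarded:` and `Original-Author:` fields. Adding `Origin: upstream, commit:d53d465083edeb64cc7b78249c030734c0d91c6b` and `Forwarded: not-needed` would let tooling and auditors match the backport against upstream mechanically. On the code side, the alias is written into the comma-separated -drive string with a plain `%s` in the `virBufferAsprintf(buf, "file.password-secret=%s,", ...)` call, which is only safe while aliases never contain a comma. They are presumably generated by libvirt rather than taken from user input, but that is not visible here, and qemuBuildDriveSourceStr starts and ends outside the nested hunk.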
diff -Nru libvirt-2.1.0/debian/patches/ubuntu/qemu-Allow-empty-script-path-to-interface.patch libvirt-2.1.0/debian/patches/ubuntu/qemu-Allow-empty-script-path-to-interface.patch
--- libvirt-2.1.0/debian/patches/ubuntu/qemu-Allow-empty-script-path-to-interface.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.1.0/debian/patches/ubuntu/qemu-Allow-empty-script-path-to-interface.patch 2017-03-21 08:15:38.000000000 +0000
@@ -0,0 +1,42 @@
+Description: qemu: Allow empty script path to
+
+commit 1d9ab0f04af310e52f80b4281751655bb3bb7601
+Author: Michal Privoznik
+Date: Thu Feb 2 14:16:20 2017 +0100
+
+ qemu: Allow empty script path to
+
+ Before 9c17d665fdc5f (v1.3.2 - I know, right?) it was possible to
+ have the following interface configuration:
+
+
+
+
+
+ This resulted in -netdev tap,script=,.. Fortunately, qemu helped
+ us to get away with this as it just ignored the empty script
+ path. However, after the commit mentioned above it's libvirtd
+ who is executing the script. Unfortunately without special
+ case-ing empty script path.
+
+ Signed-off-by: Michal Privoznik
+
+Note: can be dropped >=3.1
+
+Original-Author: Michal Privoznik
+Author: Christian Ehrhardt
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1665698
+Forwarded: yes (backport from upstream 1d9ab0f0)
+--- a/src/util/virnetdev.c
++++ b/src/util/virnetdev.c
+@@ -2615,6 +2615,10 @@
+ virCommandPtr cmd;
+ int ret;
+
++ /* Not a bug! Previously we did accept script="" as a NO-OP. */
++ if (STREQ(script, ""))
++ return 0;
++
+ cmd = virCommandNew(script);
+ virCommandAddArgFormat(cmd, "%s", ifname);
+ virCommandClearCaps(cmd);
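Review bot: The new early return at `if (STREQ(script, ""))` skips the script silently, so an interface configured with an empty script path comes up with nothing in the log saying that no script was run. A debug line before the return, e.g. `VIR_DEBUG("Empty script path for %s, not running any script", ifname);`, would make this visible to someone checking why host-side network setup did not happen; this assumes the file already has logging set up, which the hunk does not show. The comment could also give the reason instead of `Not a bug!`, for instance `/* script="" was historically accepted as a no-op; keep that behaviour. */`. The enclosing function's signature is outside the hunk (the `@@` header carries no function name), so whether `script` can be NULL when it reaches `STREQ` cannot be checked from this view.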