osism / openstack-image-manager

Easily manage and keep up to date a large number of images on an OpenStack environment
https://osism.tech/docs/guides/operations-guide/openstack/day2-operations/image-manager
Apache License 2.0

Enhance upstream Glance API to allow different hash algorithms for image checksum verification #643

Open gndrmnn opened 1 year ago

gndrmnn commented 1 year ago

But with the Victoria release the former single MD5 hash was deprecated: https://docs.openstack.org/releasenotes/glance/victoria.html#deprecation-notes in favor of "multihash". While this sounds cool, multihash is only about being able to configure(!) a single hash algo that is then used: https://github.com/openstack/glance/blob/b023562e1d31d3e60c195d701e6a9ff52e2fc956/doc/source/admin/os_hash_algo.rst#secure-hash-algorithm-support-multihash, or https://docs.openstack.org/glance/latest/configuration/sample-configuration.html:

#
# Secure hashing algorithm used for computing the 'os_hash_value' property.
#
# This option configures the Glance "multihash", which consists of two
# image properties: the 'os_hash_algo' and the 'os_hash_value'.  The
# 'os_hash_algo' will be populated by the value of this configuration
# option, and the 'os_hash_value' will be populated by the hexdigest computed
# when the algorithm is applied to the uploaded or imported image data.
#
# The value must be a valid secure hash algorithm name recognized by the
# python 'hashlib' library.  You can determine what these are by examining
# the 'hashlib.algorithms_available' data member of the version of the
# library being used in your Glance installation.  For interoperability
# purposes, however, we recommend that you use the set of secure hash
# names supplied by the 'hashlib.algorithms_guaranteed' data member because
# those algorithms are guaranteed to be supported by the 'hashlib' library
# on all platforms.  Thus, any image consumer using 'hashlib' locally should
# be able to verify the 'os_hash_value' of the image.
#
# The default value of 'sha512' is a performant secure hash algorithm.
#
# If this option is misconfigured, any attempts to store image data will fail.
# For that reason, we recommend using the default value.
#
# Possible values:
#     * Any secure hash algorithm name recognized by the Python 'hashlib'
#       library
#
# Related options:
#     * None
#
#  (string value)
#hashing_algorithm = sha512

The default of SHA-512 is not provided by most image upstreams though. SHA-256 is very common, but for upstreams not providing the chosen hash algo, no checksum verification can be done. Would be nice to be able to provide any hash value of supported algos with the webdownload via image_url ... but that's an upstream change and will, even if implemented, take a while until it reaches most OpenStack installations.

Originally posted by @frittentheke in https://github.com/osism/openstack-image-manager/issues/340#issuecomment-1471721379
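
The gap described in the comment above (upstream publishes SHA-256, Glance stores SHA-512) can be bridged on the client by hashing the image data once with both algorithms. This is an added example, not code from openstack-image-manager or Glance; it assumes the client reads the image bytes itself, and the function names, the weak-algorithm policy and the sample bytes are hypothetical.

```python
import hashlib
import hmac
import io

WEAK = {"md5", "sha1"}  # policy assumption of this example, not a Glance rule


def _hasher(name):
    """Return a fixed-length hashlib object or raise ValueError."""
    name = name.lower()
    if name not in hashlib.algorithms_available:
        raise ValueError(f"unknown hash algorithm: {name}")
    h = hashlib.new(name)
    if h.digest_size == 0:  # shake_* need an explicit output length
        raise ValueError(f"variable-length algorithm not usable: {name}")
    return h


def verify_and_multihash(stream, upstream_algo, upstream_hex,
                         glance_algo="sha512", chunk_size=1 << 20):
    """Read the image once: check the upstream checksum and compute the
    digest Glance would store in os_hash_value for glance_algo."""
    if upstream_algo.lower() in WEAK:
        raise ValueError(f"refusing weak upstream checksum: {upstream_algo}")
    up, gl = _hasher(upstream_algo), _hasher(glance_algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        up.update(chunk)
        gl.update(chunk)
    if not hmac.compare_digest(up.hexdigest(), upstream_hex.strip().lower()):
        raise ValueError("upstream checksum mismatch, do not upload")
    return {"os_hash_algo": glance_algo.lower(), "os_hash_value": gl.hexdigest()}


def matches_glance(local, image_props):
    """Compare the local multihash with the properties Glance reports."""
    if image_props.get("os_hash_algo") != local["os_hash_algo"]:
        return False  # Glance uses another hashing_algorithm: recompute
    return hmac.compare_digest(local["os_hash_value"],
                               image_props.get("os_hash_value") or "")


if __name__ == "__main__":
    data = b"constructed image bytes" * 4096       # constructed sample image
    published = hashlib.sha256(data).hexdigest()   # stands in for upstream's SHA256SUMS
    local = verify_and_multihash(io.BytesIO(data), "sha256", published)
    print(local["os_hash_algo"], local["os_hash_value"][:16])
```

After upload, pass the image's `os_hash_algo` and `os_hash_value` properties to `matches_glance`; a `False` caused by a different `os_hash_algo` means the deployment's `hashing_algorithm` differs from the one assumed locally, not that the data is corrupt.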

frittentheke commented 1 year ago

Thanks for moving these "commented suggestions" to a whole issue. If you approach implementing this for Glance, be sure to first write a spec for this feature and discuss with the core devs how this should work.

I am tracking this issue here, but please do keep me in the loop if you start working on this for Glance.