vmware / govmomi

Go library for the VMware vSphere API
Apache License 2.0

govc import.ova does not verify the included manifest #1978

Closed klxfeiyang closed 1 year ago

klxfeiyang commented 4 years ago

Issue

govc import.ova does not verify the included manifest when uploading an ova to vCenter, since it directly uploads ovf and vmdk files according to here. This behavior is different than uploading an ova using the vCenter UI command Deploy OVF Template, which provides verification of the provided manifest file.

Reproduce

  1. untar an ova file
  2. tamper with the manifest
  3. re-zip the ova file, and
  4. upload to vcenter via govc import.ova

See logs below:

$ tar -xvf photon-3.ova photon-3-*
# tamper with the manifest file
$ tar -cvf photon-3.modified.ova photon-3-*
photon-3.ova.vmdk
photon-3.mf
photon-3.ovf
$ govc import.ova -name="photon-3.modified" photon-3.modified.ova
[11-05-20 18:39:58] Uploading photon-3.ova.vmdk... OK
$ echo $?
0

Uploading the same ova file via vCenter UI results in an error:

The checksum(s) from the provided manifest file do not match the content of file(s): photon-3.ova.vmdk

Version

→ govc version
govc 0.22.1

→ govc about
Name:         VMware vCenter Server
Vendor:       VMware, Inc.
Version:      6.7.0
Build:        14368073
OS type:      linux-x64
API type:     VirtualCenter
API version:  6.7.3
Product ID:   vpx
UUID:         xxxxxxx

Notes

It appears that uploading an OVA using the vCenter UI shows the Import OVF package task, whereas govc import.ova shows the Deploy OVF template task. This suggests that the govc client is using a different vCenter API for uploading the ova file.

dougm commented 4 years ago

Right, govc doesn't do any client side manifest validation. That is something we could add. You could also try the govc library.* commands. library.import may also need client side validation, but library.deploy may take care of that on the vCenter side.

The UI did switch to a different API at some point in 6.7 I believe, but the API is internal.
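An added example, not part of this thread and not govmomi's code: one way the client-side manifest validation discussed above could look in Go, run before handing the file to `govc import.ova`. `VerifyOVA` and the stdin-based `main` are hypothetical names; the sketch assumes manifest entries in the OVF `ALGO(file)= digest` form, handles SHA1 and SHA256, and rejects anything else.

```go
package main

import (
	"archive/tar"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// OVF manifest entry, e.g. "SHA256(photon-3.ovf)= <hex digest>".
var mfLine = regexp.MustCompile(`^(SHA1|SHA256)\((.+)\)\s*=\s*([0-9a-fA-F]+)$`)
// VerifyOVA hashes every tar member in one pass (the .mf may follow the disks), then checks each entry.
func VerifyOVA(r io.Reader) error {
	tr, sums, mf := tar.NewReader(r), map[string]string{}, []byte(nil)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		h1, h256 := sha1.New(), sha256.New()
		if err != nil {
			return err
		} else if strings.HasSuffix(h.Name, ".mf") {
			mf, err = io.ReadAll(tr) // keep the manifest text for the check below
		} else {
			_, err = io.Copy(io.MultiWriter(h1, h256), tr) // stream, never buffer a disk
		}
		if err != nil {
			return err
		}
		sums["SHA1("+h.Name+")"] = hex.EncodeToString(h1.Sum(nil))
		sums["SHA256("+h.Name+")"] = hex.EncodeToString(h256.Sum(nil))
	}
	for _, l := range strings.Split(strings.TrimSpace(string(mf)), "\n") {
		// Fails closed: a missing/empty manifest, unknown line, absent file or wrong digest all error.
		m := mfLine.FindStringSubmatch(strings.TrimSpace(l))
		if m == nil || !strings.EqualFold(sums[m[1]+"("+m[2]+")"], m[3]) {
			return fmt.Errorf("manifest check failed for entry %q", l)
		}
	}
	return nil
}

func main() { // usage: go run verify.go < photon-3.modified.ova
	if err := VerifyOVA(os.Stdin); err != nil {
		fmt.Fprintln(os.Stderr, "refusing import:", err)
		os.Exit(1)
	}
}
```

This catches the mismatch from the reproduce steps, where the manifest and the file contents disagree. A manifest rewritten to match modified files still passes, since the manifest itself is not authenticated here.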

klxfeiyang commented 4 years ago

Thanks for responding, Doug! We will try the library.* commands to take advantage of the vCenter side validation.

github-actions[bot] commented 3 years ago

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

HakanSunay commented 1 year ago

Reopening as requested