#
# Secure hashing algorithm used for computing the 'os_hash_value' property.
#
# This option configures the Glance "multihash", which consists of two
# image properties: the 'os_hash_algo' and the 'os_hash_value'. The
# 'os_hash_algo' will be populated by the value of this configuration
# option, and the 'os_hash_value' will be populated by the hexdigest computed
# when the algorithm is applied to the uploaded or imported image data.
#
# The value must be a valid secure hash algorithm name recognized by the
# python 'hashlib' library. You can determine what these are by examining
# the 'hashlib.algorithms_available' data member of the version of the
# library being used in your Glance installation. For interoperability
# purposes, however, we recommend that you use the set of secure hash
# names supplied by the 'hashlib.algorithms_guaranteed' data member because
# those algorithms are guaranteed to be supported by the 'hashlib' library
# on all platforms. Thus, any image consumer using 'hashlib' locally should
# be able to verify the 'os_hash_value' of the image.
#
# The default value of 'sha512' is a performant secure hash algorithm.
#
# If this option is misconfigured, any attempts to store image data will fail.
# For that reason, we recommend using the default value.
#
# Possible values:
# * Any secure hash algorithm name recognized by the Python 'hashlib'
# library
#
# Related options:
# * None
#
# (string value)
#hashing_algorithm = sha512
The default of SHA-512 is not provided by most image upstreams though. SHA-256 is very common, but for upstreams not providing the chosen hash algo, no checksum verification can be done. Would be nice to be able to provide any hash value of supported algos with the webdownload via image_url ... but that's an upstream change and will, even if implemented, take a while until it reaches most OpenStack installations.
Thanks for moving these "commented suggestions" to a whole issue. If you approach implementing this for Glance, be sure to first write a spec for this feature and discuss with the core devs how this should work.
I am tracking this issue here, but please do keep me in the loop if you start working on this for Glance.
But with the Victoria release the former single MD5 hash was deprecated: https://docs.openstack.org/releasenotes/glance/victoria.html#deprecation-notes in favor of "multihash". While this sounds cool, multihash is only about being able to configure(!) a single hash algo that is then used: https://github.com/openstack/glance/blob/b023562e1d31d3e60c195d701e6a9ff52e2fc956/doc/source/admin/os_hash_algo.rst#secure-hash-algorithm-support-multihash, or https://docs.openstack.org/glance/latest/configuration/sample-configuration.html:
Originally posted by @frittentheke in #340 (comment)
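An added example, not code from this thread or from Glance: one client-side way to bridge the mismatch described above is to read the image once and compute both the upstream's algorithm (SHA-256 here) and the configured `hashing_algorithm`, so the upstream checksum is checked before upload and the second digest can be compared with `os_hash_value` afterwards. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import io

def classify_algo(name):
    """Classify a 'hashing_algorithm' value by how portable it is for hashlib users."""
    if name.startswith("shake_"):
        return "unsupported"   # variable-length digests need a length; rejected in this example
    if name in hashlib.algorithms_guaranteed:
        return "guaranteed"    # present in hashlib on every platform
    if name in hashlib.algorithms_available:
        return "available"     # depends on the local OpenSSL build
    return "unsupported"

def multi_digest(stream, algos, chunk_size=64 * 1024):
    """Read the image once and return {algo: hexdigest} for each requested algo."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}

def verify_and_rehash(stream, upstream_algo, upstream_hex, glance_algo="sha512"):
    """Check the upstream checksum and compute the digest Glance should report.

    Returns (upstream_ok, expected_os_hash_value).
    """
    for algo in (upstream_algo, glance_algo):
        if classify_algo(algo) == "unsupported":
            raise ValueError(f"cannot hash with {algo!r}")
    digests = multi_digest(stream, {upstream_algo, glance_algo})
    upstream_ok = hmac.compare_digest(digests[upstream_algo], upstream_hex.strip().lower())
    return upstream_ok, digests[glance_algo]

if __name__ == "__main__":
    image = b"constructed image bytes\n" * 4096        # constructed sample data
    published = hashlib.sha256(image).hexdigest()       # stands in for an upstream SHA256SUMS entry
    ok, os_hash_value = verify_and_rehash(io.BytesIO(image), "sha256", published)
    print("upstream sha256 ok:", ok)
    print("expected os_hash_algo=sha512 os_hash_value:", os_hash_value)
```

After the upload, the image's `os_hash_algo` and `os_hash_value` properties can be compared with the second return value.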