Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance upstream Glance API to allow different hash algorithms for image checksum verification #643

Open
gndrmnn opened this issue Aug 30, 2023 · 1 comment
Labels
enhancement New feature or request upstream Implemented directly in the upstream

Comments

@gndrmnn
Copy link
Contributor

gndrmnn commented Aug 30, 2023

But with the Victoria release the former single MD5 hash was deprecated: https://docs.openstack.org/releasenotes/glance/victoria.html#deprecation-notes in favor of "multihash". While this sounds cool, multihash is only about being able to configure(!) a single hash algo that is then used: https://github.com/openstack/glance/blob/b023562e1d31d3e60c195d701e6a9ff52e2fc956/doc/source/admin/os_hash_algo.rst#secure-hash-algorithm-support-multihash, or https://docs.openstack.org/glance/latest/configuration/sample-configuration.html:

#
# Secure hashing algorithm used for computing the 'os_hash_value' property.
#
# This option configures the Glance "multihash", which consists of two
# image properties: the 'os_hash_algo' and the 'os_hash_value'.  The
# 'os_hash_algo' will be populated by the value of this configuration
# option, and the 'os_hash_value' will be populated by the hexdigest computed
# when the algorithm is applied to the uploaded or imported image data.
#
# The value must be a valid secure hash algorithm name recognized by the
# python 'hashlib' library.  You can determine what these are by examining
# the 'hashlib.algorithms_available' data member of the version of the
# library being used in your Glance installation.  For interoperability
# purposes, however, we recommend that you use the set of secure hash
# names supplied by the 'hashlib.algorithms_guaranteed' data member because
# those algorithms are guaranteed to be supported by the 'hashlib' library
# on all platforms.  Thus, any image consumer using 'hashlib' locally should
# be able to verify the 'os_hash_value' of the image.
#
# The default value of 'sha512' is a performant secure hash algorithm.
#
# If this option is misconfigured, any attempts to store image data will fail.
# For that reason, we recommend using the default value.
#
# Possible values:
#     * Any secure hash algorithm name recognized by the Python 'hashlib'
#       library
#
# Related options:
#     * None
#
#  (string value)
#hashing_algorithm = sha512

The default of SHA-512 is not provided by most image upstreams though. SHA-256 is very common, but for upstreams not providing the chosen hash algo, no checkum verification can be done. Would be nice to be able to provide any hash value of supported algos with the webdownload via image_url ... but that's an upstream change and will even if implemented take a while until is reaches most OpenStack installations.

Originally posted by @frittentheke in #340 (comment)

@gndrmnn gndrmnn added enhancement New feature or request upstream Implemented directly in the upstream labels Aug 30, 2023
@frittentheke
Copy link

frittentheke commented Aug 30, 2023

Thanks for moving this "commented suggestions" to a whole issue. If you approach implementing this for Glance, be sure to first write a spec for this feature and discuss with the core devs how this should work.

I am tracking this issue here, but please do keep me in the loop if you start working on this for Glance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request upstream Implemented directly in the upstream
Projects
None yet
Development

No branches or pull requests

2 participants