0b24dbd620
Partially implements blueprint multihash. Requires glance_store 0.26.1 Co-authored-by: Scott McClymont <scott.mcclymont@verizonwireless.com> Co-authored-by: Brian Rosmaita <rosmaita.fossdev@gmail.com> Change-Id: Ib28ea1f6c431db6434dbab2a234018e82d5a6d1a
56 lines
2.8 KiB
YAML
56 lines
2.8 KiB
YAML
---
|
|
features:
|
|
- |
|
|
This release implements the Glance spec `Secure Hash Algorithm Support
|
|
<https://specs.openstack.org/openstack/glance-specs/specs/rocky/approved/glance/multihash.html>`_
|
|
(also known as "multihash"). This feature supplements the current
|
|
'checksum' image property with a self-describing secure hash. The
|
|
self-description consists of two new image properties:
|
|
|
|
* ``os_hash_algo`` - this contains the name of the secure hash algorithm
|
|
used to generate the value on this image
|
|
* ``os_hash_value`` - this is the hexdigest computed by applying the
|
|
secure hash algorithm named in the ``os_hash_algo`` property to the
|
|
image data
|
|
|
|
These are read-only image properties and are not user-modifiable.
|
|
|
|
The secure hash algorithm used is an operator-configurable setting. See
|
|
the help text for 'hashing_algorithm' in the sample Glance configuration
|
|
file for more information.
|
|
|
|
The default secure hash algorithm is SHA-512. It should be suitable for
|
|
most applications.
|
|
|
|
The legacy 'checksum' image property, which provides an MD5 message
|
|
digest of the image data, is preserved for backward compatibility.
|
|
issues:
|
|
- |
|
|
The ``os_hash_value`` image property, introduced as part of the
|
|
`Secure Hash Algorithm Support
|
|
<https://specs.openstack.org/openstack/glance-specs/specs/rocky/approved/glance/multihash.html>`_
|
|
("multihash") feature, is limited to 128 characters. This is sufficient
|
|
to store 512 bits as a hexadecimal numeral.
|
|
|
|
- |
|
|
The "multihash" implemented in this release (`Secure Hash Algorithm Support
|
|
<https://specs.openstack.org/openstack/glance-specs/specs/rocky/approved/glance/multihash.html>`_)
|
|
is computed only for new images. There is no provision for computing
|
|
the multihash for existing images. Thus, users should expect to see
|
|
JSON 'null' values for the ``os_hash_algo`` and ``os_hash_value`` image
|
|
properties on images created prior to the installation of the Rocky
|
|
release at your site.
|
|
security:
|
|
- |
|
|
This release implements the Glance spec `Secure Hash Algorithm Support
|
|
<https://specs.openstack.org/openstack/glance-specs/specs/rocky/approved/glance/multihash.html>`_,
|
|
which introduces a self-describing "multihash" to the image-show response.
|
|
This feature supplements the current 'checksum' image property with a
|
|
self-describing secure hash. The default hashing algorithm is SHA-512,
|
|
which is currently considered secure. In the event that algorithm is
|
|
compromised, you will immediately be able to begin using a different
|
|
algorithm (as long as it's supported by the Python 'hashlib' library and
|
|
has output that fits in 128 characters) by modifying the value of the
|
|
'hashing_algorithm' configuration option and either restarting or issuing
|
|
a SIGHUP to Glance.
|