Revert disabling MD5 checksums

This was a significant breaking change that was landed despite explicit disagreement by some community members (myself included). It has already resulted in an accidental Ironic CI breakage, has broken Bifrost and has a potential of breaking Metal3. In case of Metal3, MD5 support is a part of its public API. While MD5 is a potential security hazard, I don't see the need to hurry this change without giving the community time to prepare. This change reverts the new option md5_enabled to True. Change-Id: I32b291ea162e8eb22429712c15cb5b225a6daafd
2023-05-04 09:26:10 +02:00 · 2023-05-04 09:26:10 +02:00 · c1c5537ba2
commit c1c5537ba2
parent c05fdf790c
3 changed files with 6 additions and 11 deletions
--- a/ironic_python_agent/config.py
+++ b/ironic_python_agent/config.py
@ -329,8 +329,9 @@ cli_opts = [
                     'cluster which may be visible over a storage fabric '
                     'such as FibreChannel.'),
    cfg.BoolOpt('md5_enabled',
-                default=False,
-                help='If the MD5 algorithm is enabled for file checksums.'),
+                default=True,
+                help='If the MD5 algorithm is enabled for file checksums. '
+                     'Will be changed to False in the future.'),
 ]

 CONF.register_cli_opts(cli_opts)
--- a/ironic_python_agent/tests/unit/extensions/test_standby.py
+++ b/ironic_python_agent/tests/unit/extensions/test_standby.py
@ -123,6 +123,7 @@ class TestStandbyExtension(base.IronicAgentTest):
        standby._validate_image_info(None, image_info)

    def test_validate_image_info_legacy_md5_checksum(self):
+        CONF.set_override('md5_enabled', False)
        image_info = _build_fake_image_info()
        del image_info['os_hash_algo']
        del image_info['os_hash_value']
--- a/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml
+++ b/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml
@ -6,14 +6,7 @@ features:
    (SHA-2) and SHA256 (SHA-2) checksums to be identified and utilized without
    an explicit declaration of the checksum type utilizing the
    ``os_hash_algo`` value.
-upgrade:
-  - |
-    MD5 support for checksums have been disabled by default. This may result
-    in rebulids or manual deploy attempts to fail if no updated checksum has
-    been supplied for the ``os_hash_value`` and ``os_hash_algo`` settings.
-    To re-enable MD5 support, you may utilize a the ``[DEFAULT]md5_enabled``
-    setting.
 deprecations:
  - |
-    Support for MD5 checksums have been deprecated and disabled by default.
-    Support for MD5 checksums will be removed after the 2024 Release.
+    Support for MD5 checksums have been deprecated and will be removed after
+    the 2024 Release.