Revert disabling MD5 checksums

This was a significant breaking change that was landed despite explicit
disagreement by some community members (myself included). It has already
resulted in an accidental Ironic CI breakage, has broken Bifrost and has
the potential to break Metal3. In the case of Metal3, MD5 support is a part
of its public API.

While MD5 is a potential security hazard, I don't see the need to hurry
this change without giving the community time to prepare. This change
reverts the new option md5_enabled to True.

Change-Id: I32b291ea162e8eb22429712c15cb5b225a6daafd
Dmitry Tantsur 2023-05-04 09:26:10 +02:00
parent c05fdf790c
commit c1c5537ba2
3 changed files with 6 additions and 11 deletions


@ -329,8 +329,9 @@ cli_opts = [
'cluster which may be visible over a storage fabric ' 'cluster which may be visible over a storage fabric '
'such as FibreChannel.'), 'such as FibreChannel.'),
cfg.BoolOpt('md5_enabled', cfg.BoolOpt('md5_enabled',
default=False, default=True,
help='If the MD5 algorithm is enabled for file checksums.'), help='If the MD5 algorithm is enabled for file checksums. '
'Will be changed to False in the future.'),
] ]
CONF.register_cli_opts(cli_opts) CONF.register_cli_opts(cli_opts)
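
Review bot: The new help string on md5_enabled says only 'Will be changed to False in the future.' and names no release, while the release note in this same change commits to removing MD5 support after the 2024 Release. Suggest stating the same timeline in the help text, so an operator reading the option reference sees the deadline. It would also help to say there that deployments already supplying os_hash_algo and os_hash_value can set md5_enabled to False now, since with default=True MD5 checksums are accepted again unless the operator opts out.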


@ -123,6 +123,7 @@ class TestStandbyExtension(base.IronicAgentTest):
standby._validate_image_info(None, image_info) standby._validate_image_info(None, image_info)
def test_validate_image_info_legacy_md5_checksum(self): def test_validate_image_info_legacy_md5_checksum(self):
CONF.set_override('md5_enabled', False)
image_info = _build_fake_image_info() image_info = _build_fake_image_info()
del image_info['os_hash_algo'] del image_info['os_hash_algo']
del image_info['os_hash_value'] del image_info['os_hash_value']
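
Review bot: The added CONF.set_override('md5_enabled', False) in test_validate_image_info_legacy_md5_checksum pins this test to the non-default setting, so nothing visible in this hunk covers the restored default, where an image_info with os_hash_algo and os_hash_value deleted falls back to the legacy MD5 checksum. Suggest a companion test that leaves md5_enabled at its default (or overrides it to True) and checks the behaviour expected there, and a test name that says which setting is exercised, so the two cases stay distinguishable when the default is flipped again.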


@ -6,14 +6,7 @@ features:
(SHA-2) and SHA256 (SHA-2) checksums to be identified and utilized without (SHA-2) and SHA256 (SHA-2) checksums to be identified and utilized without
an explicit declaration of the checksum type utilizing the an explicit declaration of the checksum type utilizing the
``os_hash_algo`` value. ``os_hash_algo`` value.
upgrade:
- |
MD5 support for checksums have been disabled by default. This may result
in rebulids or manual deploy attempts to fail if no updated checksum has
been supplied for the ``os_hash_value`` and ``os_hash_algo`` settings.
To re-enable MD5 support, you may utilize a the ``[DEFAULT]md5_enabled``
setting.
deprecations: deprecations:
- | - |
Support for MD5 checksums have been deprecated and disabled by default. Support for MD5 checksums have been deprecated and will be removed after
Support for MD5 checksums will be removed after the 2024 Release. the 2024 Release.
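
Review bot: With the upgrade section removed, the release note no longer mentions ``[DEFAULT]md5_enabled`` at all, so the deprecations entry announces removal after the 2024 Release without telling operators how to turn MD5 off ahead of that. Suggest keeping one sentence in the deprecations entry that points at ``[DEFAULT]md5_enabled`` and at supplying ``os_hash_value`` and ``os_hash_algo``, so deployments can move off MD5 before the default changes. Minor: 'Support for MD5 checksums have been deprecated' should read 'has been deprecated'.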