Merge "Change force_raw_images to use sha256 if md5 is selected"

2020-03-07 17:51:16 +00:00 · 2020-03-07 17:51:16 +00:00 · c6a53b182e
parent 7a15df60c3 06c5997267
commit c6a53b182e
3 changed files with 30 additions and 33 deletions
--- a/ironic/drivers/modules/deploy_utils.py
+++ b/ironic/drivers/modules/deploy_utils.py
@ -1300,19 +1300,22 @@ def build_instance_info_for_deploy(task):
                                                 force_raw=force_raw)
            if force_raw:
                instance_info['image_disk_format'] = 'raw'
-
+                # Standard behavior is for image_checksum to be MD5,
+                # so if the hash algorithm is None, then we will use
+                # sha256.
+                os_hash_algo = image_info.get('os_hash_algo')
+                if os_hash_algo == 'md5':
+                    LOG.debug('Checksum calculation for image %(image)s is '
+                              'set to \'%(algo)s\', changing to \'sha256\'',
+                              {'algo': os_hash_algo,
+                               'image': image_path})
+                    os_hash_algo = 'sha256'
                LOG.debug('Recalculating checksum for image %(image)s due to '
                          'image conversion.', {'image': image_path})
-                md5checksum = compute_image_checksum(image_path, 'md5')
-                instance_info['image_checksum'] = md5checksum
-                # Populate instance_info with os_hash_algo, os_hash_value
-                # if they exists and not md5
-                os_hash_algo = image_info['os_hash_algo']
-                if os_hash_algo and os_hash_algo != 'md5':
-                    hash_value = compute_image_checksum(image_path,
-                                                        os_hash_algo)
-                    instance_info['image_os_hash_algo'] = os_hash_algo
-                    instance_info['image_os_hash_value'] = hash_value
+                instance_info['image_checksum'] = 'md5-not-supported'
+                hash_value = compute_image_checksum(image_path, os_hash_algo)
+                instance_info['image_os_hash_algo'] = os_hash_algo
+                instance_info['image_os_hash_value'] = hash_value
            else:
                instance_info['image_checksum'] = image_info['checksum']
                instance_info['image_disk_format'] = image_info['disk_format']
--- a/ironic/tests/unit/drivers/modules/test_deploy_utils.py
+++ b/ironic/tests/unit/drivers/modules/test_deploy_utils.py
@ -2641,37 +2641,21 @@ class TestBuildInstanceInfoForHttpProvisioning(db_base.DbTestCase):
        image_path, instance_info = self._test_build_instance_info(
            image_info=self.image_info, expect_raw=True)

-        self.assertEqual(instance_info['image_checksum'], 'fake-checksum')
+        self.assertEqual('md5-not-supported', instance_info['image_checksum'])
        self.assertEqual(instance_info['image_disk_format'], 'raw')
-        calls = [mock.call(image_path, algorithm='md5'),
-                 mock.call(image_path, algorithm='sha512')]
+        calls = [mock.call(image_path, algorithm='sha512')]
        self.checksum_mock.assert_has_calls(calls)

-    def test_build_instance_info_force_raw_new_fields_none(self):
-        cfg.CONF.set_override('force_raw_images', True)
-        self.image_info['os_hash_algo'] = None
-        self.image_info['os_hash_value'] = None
-        image_path, instance_info = self._test_build_instance_info(
-            image_info=self.image_info, expect_raw=True)
-
-        self.assertEqual(instance_info['image_checksum'], 'fake-checksum')
-        self.assertEqual(instance_info['image_disk_format'], 'raw')
-        self.assertNotIn('image_os_hash_algo', instance_info.keys())
-        self.assertNotIn('image_os_hash_value', instance_info.keys())
-        self.checksum_mock.assert_called_once_with(image_path, algorithm='md5')
-
-    def test_build_instance_info_force_raw_new_fields_is_md5(self):
+    def test_build_instance_info_force_raw_drops_md5(self):
        cfg.CONF.set_override('force_raw_images', True)
        self.image_info['os_hash_algo'] = 'md5'
-        self.image_info['os_hash_value'] = 'fake-md5'
        image_path, instance_info = self._test_build_instance_info(
            image_info=self.image_info, expect_raw=True)

-        self.assertEqual(instance_info['image_checksum'], 'fake-checksum')
+        self.assertEqual('md5-not-supported', instance_info['image_checksum'])
        self.assertEqual(instance_info['image_disk_format'], 'raw')
-        self.assertNotIn('image_os_hash_algo', instance_info.keys())
-        self.assertNotIn('image_os_hash_value', instance_info.keys())
-        self.checksum_mock.assert_called_once_with(image_path, algorithm='md5')
+        calls = [mock.call(image_path, algorithm='sha256')]
+        self.checksum_mock.assert_has_calls(calls)


 class TestStorageInterfaceUtils(db_base.DbTestCase):
--- a/releasenotes/notes/image-checksum-recalculation-sha256-fd3d5b4b0b757e86.yaml
+++ b/releasenotes/notes/image-checksum-recalculation-sha256-fd3d5b4b0b757e86.yaml
@ -0,0 +1,10 @@
+---
+upgrade:
+  - |
+    If ``[DEFAULT]force_raw_images`` is set to ``true``, then MD5 will not be
+    utilized to recalculate the image checksum. This requires the
+    ``ironic-python-agent`` ramdisk to be at least version 3.4.0.
+security:
+  - |
+    Image checksum recalculation when images are forced to raw images, are now
+    calculated using SHA3-256 if MD5 was selected. This is now unconditional.