From 3630862668e23d51946c8bcac566e7b5ebfbaa50 Mon Sep 17 00:00:00 2001 From: Brent Eagles Date: Fri, 6 Sep 2019 15:45:52 -0230 Subject: [PATCH] Move away from md5 digests in managing octavia amphora images This patch changes the image management code from using deprecated md5 checksum methods to sha digests. This patch also fixes amphora update code so it uses the checksum of the image after conversion to raw if it raw conversion was enabled. Closes-Bug: #1843059 Change-Id: I1817f11bcce90ab5ac29ea3bbf30b3dbf488de5f (cherry picked from commit 7d212d68c5a147da39b119bde5f2c9e40af4b617) --- .../octavia-undercloud/tasks/image_mgmt.yml | 125 ++++++++++++++---- .../roles/octavia-undercloud/tasks/main.yml | 2 +- 2 files changed, 97 insertions(+), 30 deletions(-) diff --git a/tripleo_ansible/roles/octavia-undercloud/tasks/image_mgmt.yml b/tripleo_ansible/roles/octavia-undercloud/tasks/image_mgmt.yml index e01702b1d..814e0af23 100644 --- a/tripleo_ansible/roles/octavia-undercloud/tasks/image_mgmt.yml +++ b/tripleo_ansible/roles/octavia-undercloud/tasks/image_mgmt.yml 
@@ -25,6 +25,43 @@ - amphora_image is undefined - (image_file_result.stat.exists | bool) and (not (symlnk_check.stat.islnk | bool)) +- name: Capture the file's checksum + set_fact: + image_checksum: "{{ image_file_result.stat.checksum }}" + when: + - image_file_result.stat.exists | bool + +- name: Convert image if indicated + when: + - amp_to_raw | bool + block: + - name: create temporary directory + tempfile: + state: directory + register: amp_tmp_dir + + - name: set RAW file name + set_fact: + raw_filename: "{{ amp_tmp_dir.path }}/{{ image_filename|splitext|first|basename }}.img" + + - name: convert image from qcow2 to raw + shell: | + qemu-img convert -f qcow2 -O raw {{ image_filename }} {{ raw_filename }} + + - name: setting amphora format to raw + set_fact: + raw_format: raw + + - name: get the checksum for the converted file + stat: + path: "{{ raw_filename }}" + get_checksum: true + register: raw_file_result + + - name: update image_checksum with checksum of the converted file + set_fact: + image_checksum: "{{ raw_file_result.stat.checksum }}" + - name: gather facts about the service project shell: | openstack project show "{{ auth_project_name }}" -c id -f value @@ -50,7 +87,7 @@ - name: get checksum if there's an image in glance already shell: | - openstack image show {{ glance_id_result.stdout }} -c checksum -f value + openstack image show {{ glance_id_result.stdout }} -c properties -f json environment: OS_USERNAME: "{{ auth_username }}" OS_PASSWORD: "{{ auth_password }}" 
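Review bot: The `convert image from qcow2 to raw` task interpolates `{{ image_filename }}` and `{{ raw_filename }}` unquoted into a `shell:` command, so a path containing whitespace or shell metacharacters is re-parsed by the shell instead of being passed as a single argument. No shell feature is used, so `command:` with quoted arguments is enough: `command: qemu-img convert -f qcow2 -O raw {{ image_filename | quote }} {{ raw_filename | quote }}`. The same unquoted pattern is visible in the `openstack image show {{ glance_id_result.stdout }}` task in the next hunk and in the `upload image to glance` task further down. This block appears to have been moved from lower in the file rather than newly written, which makes the move a convenient point to tighten it.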
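Review bot: Switching to `-c properties -f json` makes the tasks that follow depend on `properties` being a JSON object with an `image_checksum` key, and nothing states or checks that shape. If the client shipped on this branch renders `properties` as one formatted string (worth confirming), `current_image_facts.properties.image_checksum is defined` in the next hunk is always false, and every run silently falls through to downloading the image and rewriting the property. A comment on this task such as `# expects {"properties": {...}}; a string value here forces the download path on every run` would record the assumption. The task name also still says `get checksum` although it now returns all properties; `get image properties if there's an image in glance already` would match what it does.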
@@ -60,20 +97,69 @@ register: glance_results failed_when: false -- name: set current_md5 fact from glance if image already exists there +- name: set current_checksum fact from glance if image already exists there set_fact: - current_md5: "{{ glance_results.stdout }}" + current_image_facts: "{{ glance_results.stdout | from_json }}" when: - glance_results.rc is defined - glance_results.rc == 0 +- name: store the current checksum if available + when: + - current_image_facts.properties.image_checksum is defined + set_fact: + current_checksum: "{{ current_image_facts.properties.image_checksum }}" + +- name: calculate the image checksum if it is missing + when: + - image_id is defined + - current_checksum is not defined + block: + - name: create temporary directory + tempfile: + state: directory + register: amp_tmp_dir + + - name: download the current amphora image + command: | + openstack image save --file "{{ amp_tmp_dir.path }}/{{ image_id }}.tmp" {{ image_id }} + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + + - name: calculate the missing checksum + stat: + path: "{{ amp_tmp_dir.path }}/{{ image_id }}.tmp" + get_checksum: true + register: tmp_file_result + + - name: update current checksum fact + set_fact: + current_checksum: "{{ tmp_file_result.stat.checksum }}" + + - name: store the property on the image so it is there next time + command: | + openstack image set --property image_checksum={{ current_checksum }} {{ image_id }} + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + + - name: remove the temporary copy of the current amphora image + file: + path: "{{ amp_tmp_dir.path }}/{{ image_id }}.tmp" + state: absent + + - name: determine if the image needs to be replaced set_fact: - replace_image: "{{ current_md5 != image_file_result.stat.md5 }}" + replace_image: "{{ current_checksum != 
image_checksum }}" when: - - current_md5 is defined + - current_checksum is defined + - image_checksum is defined -- name: move existing image if the names match and the md5s are not the same +- name: move existing image if the names match and the checksums are not the same shell: | ts=`openstack image show {{ image_id }} -f value -c created_at` ts=${ts//:/} @@ -90,27 +176,7 @@ set_fact: upload_image: true when: - - (current_md5 is not defined) or (replace_image is defined and replace_image | bool) - -- block: - - name: create temporary directory - tempfile: - state: directory - register: amp_tmp_dir - - - name: set RAW file name - set_fact: - raw_filename: "{{ amp_tmp_dir.path }}/{{ image_filename|splitext|first|basename }}.img" - - - name: convert image from qcow2 to raw - shell: | - qemu-img convert -f qcow2 -O raw {{ image_filename }} {{ raw_filename }} - - - name: setting amphora format to raw - set_fact: - raw_format: raw - when: - - amp_to_raw | bool + - (current_checksum is not defined) or (replace_image is defined and replace_image | bool) - name: upload image to glance shell: | @@ -118,6 +184,7 @@ --container-format bare --tag {{ amp_image_tag }} \ --file {{ raw_filename|default(image_filename) }} \ --property hw_architecture={{ amp_hw_arch }} \ + --property image_checksum={{ image_checksum }} \ --private {{ amphora_image }} environment: OS_USERNAME: "{{ auth_username }}" @@ -130,8 +197,8 @@ - upload_image is defined - name: delete converted raw image + when: + - amp_tmp_dir.path is defined file: path: "{{ amp_tmp_dir.path }}" state: absent - when: - - amp_to_raw | bool diff --git a/tripleo_ansible/roles/octavia-undercloud/tasks/main.yml b/tripleo_ansible/roles/octavia-undercloud/tasks/main.yml index cfa3aabc3..e6fba3702 100644 --- a/tripleo_ansible/roles/octavia-undercloud/tasks/main.yml +++ b/tripleo_ansible/roles/octavia-undercloud/tasks/main.yml 
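Review bot: The `create temporary directory` task inside `calculate the image checksum if it is missing` registers `amp_tmp_dir`, the same name the conversion block in the first hunk registers, so when both blocks run (for example the first run after this change against an image that has no `image_checksum` property yet) the second registration replaces the first. `raw_filename` has already been rendered from the first path, so the final `delete converted raw image` task, now keyed on `amp_tmp_dir.path is defined`, removes only the download directory and leaves the converted raw image behind. The block also has no `always:` section, so a failure in `openstack image save` or `openstack image set` leaves a full copy of the amphora image on disk. Registering the download directory under its own name and removing it in `always:` addresses both; `amp_download_dir` below is an illustrative name.

```yaml
  block:
    - name: create temporary directory
      # … unchanged: tempfile …
      register: amp_download_dir

    - name: download the current amphora image
      command: |
        openstack image save --file "{{ amp_download_dir.path }}/{{ image_id }}.tmp" {{ image_id }}
      # … unchanged: environment …

    - name: calculate the missing checksum
      stat:
        path: "{{ amp_download_dir.path }}/{{ image_id }}.tmp"
        # … unchanged: get_checksum and register …

    # … unchanged: update current checksum fact, store the property on the image …

  # replaces the "remove the temporary copy" task; runs even if a step above fails
  always:
    - name: remove the temporary download directory
      file:
        path: "{{ amp_download_dir.path }}"
        state: absent
      when: amp_download_dir.path is defined
```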
@@ -25,7 +25,7 @@ stat: path: "{{ image_filename }}" follow: true - get_md5: true + get_checksum: true register: image_file_result - include_tasks: image_mgmt.yml
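Review bot: `get_checksum: true` without `checksum_algorithm` leaves `stat` on its default digest, which is SHA-1, so the change moves from one deprecated hash to another rather than to a collision-resistant one. Adding `checksum_algorithm: sha256` here closes that gap. The same line is needed on the two `stat` tasks added in image_mgmt.yml (`get the checksum for the converted file` and `calculate the missing checksum`), because all three values are compared with each other and stored in the `image_checksum` property. Changing only one of them would make `replace_image` true on every run. The `stat` task's opening lines are above this hunk.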