Move away from md5 digests in managing octavia amphora images

This patch changes the image management code from using deprecated md5
checksum methods to sha digests.

This patch also fixes amphora update code so it uses the checksum of the
image after conversion to raw if raw conversion was enabled.

Closes-Bug: #1843059
Change-Id: I1817f11bcce90ab5ac29ea3bbf30b3dbf488de5f
(cherry picked from commit 7d212d68c5)
Brent Eagles 2019-09-06 15:45:52 -02:30
parent 985e7a9f94
commit 4fcd5cac1e
2 changed files with 97 additions and 30 deletions


@ -25,6 +25,43 @@
- amphora_image is undefined
- (image_file_result.stat.exists | bool) and (not (symlnk_check.stat.islnk | bool))
- name: Capture the file's checksum
set_fact:
image_checksum: "{{ image_file_result.stat.checksum }}"
when:
- image_file_result.stat.exists | bool
- name: Convert image if indicated
when:
- amp_to_raw | bool
block:
- name: create temporary directory
tempfile:
state: directory
register: amp_tmp_dir
- name: set RAW file name
set_fact:
raw_filename: "{{ amp_tmp_dir.path }}/{{ image_filename|splitext|first|basename }}.img"
- name: convert image from qcow2 to raw
shell: |
qemu-img convert -f qcow2 -O raw {{ image_filename }} {{ raw_filename }}
- name: setting amphora format to raw
set_fact:
raw_format: raw
- name: get the checksum for the converted file
stat:
path: "{{ raw_filename }}"
get_checksum: true
register: raw_file_result
- name: update image_checksum with checksum of the converted file
set_fact:
image_checksum: "{{ raw_file_result.stat.checksum }}"
- name: gather facts about the service project
shell: |
openstack project show "{{ auth_project_name }}" -c id -f value
@ -50,7 +87,7 @@
- name: get checksum if there's an image in glance already
shell: |
openstack image show {{ glance_id_result.stdout }} -c checksum -f value
openstack image show {{ glance_id_result.stdout }} -c properties -f json
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
@ -60,20 +97,69 @@
register: glance_results
failed_when: false
- name: set current_md5 fact from glance if image already exists there
- name: set current_checksum fact from glance if image already exists there
set_fact:
current_md5: "{{ glance_results.stdout }}"
current_image_facts: "{{ glance_results.stdout | from_json }}"
when:
- glance_results.rc is defined
- glance_results.rc == 0
- name: store the current checksum if available
when:
- current_image_facts.properties.image_checksum is defined
set_fact:
current_checksum: "{{ current_image_facts.properties.image_checksum }}"
- name: calculate the image checksum if it is missing
when:
- image_id is defined
- current_checksum is not defined
block:
- name: create temporary directory
tempfile:
state: directory
register: amp_tmp_dir
- name: download the current amphora image
command: |
openstack image save --file "{{ amp_tmp_dir.path }}/{{ image_id }}.tmp" {{ image_id }}
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
- name: calculate the missing checksum
stat:
path: "{{ amp_tmp_dir.path }}/{{ image_id }}.tmp"
get_checksum: true
register: tmp_file_result
- name: update current checksum fact
set_fact:
current_checksum: "{{ tmp_file_result.stat.checksum }}"
- name: store the property on the image so it is there next time
command: |
openstack image set --property image_checksum={{ current_checksum }} {{ image_id }}
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
- name: remove the temporary copy of the current amphora image
file:
path: "{{ amp_tmp_dir.path }}/{{ image_id }}.tmp"
state: absent
- name: determine if the image needs to be replaced
set_fact:
replace_image: "{{ current_md5 != image_file_result.stat.md5 }}"
replace_image: "{{ current_checksum != image_checksum }}"
when:
- current_md5 is defined
- current_checksum is defined
- image_checksum is defined
- name: move existing image if the names match and the md5s are not the same
- name: move existing image if the names match and the checksums are not the same
shell: |
ts=`openstack image show {{ image_id }} -f value -c created_at`
ts=${ts//:/}
@ -90,27 +176,7 @@
set_fact:
upload_image: true
when:
- (current_md5 is not defined) or (replace_image is defined and replace_image | bool)
- block:
- name: create temporary directory
tempfile:
state: directory
register: amp_tmp_dir
- name: set RAW file name
set_fact:
raw_filename: "{{ amp_tmp_dir.path }}/{{ image_filename|splitext|first|basename }}.img"
- name: convert image from qcow2 to raw
shell: |
qemu-img convert -f qcow2 -O raw {{ image_filename }} {{ raw_filename }}
- name: setting amphora format to raw
set_fact:
raw_format: raw
when:
- amp_to_raw | bool
- (current_checksum is not defined) or (replace_image is defined and replace_image | bool)
- name: upload image to glance
shell: |
@ -118,6 +184,7 @@
--container-format bare --tag {{ amp_image_tag }} \
--file {{ raw_filename|default(image_filename) }} \
--property hw_architecture={{ amp_hw_arch }} \
--property image_checksum={{ image_checksum }} \
--private {{ amphora_image }}
environment:
OS_USERNAME: "{{ auth_username }}"
@ -130,8 +197,8 @@
- upload_image is defined
- name: delete converted raw image
when:
- amp_tmp_dir.path is defined
file:
path: "{{ amp_tmp_dir.path }}"
state: absent
when:
- amp_to_raw | bool
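Review bot: The new raw-conversion block and the new "calculate the image checksum if it is missing" block both register their `tempfile` result as `amp_tmp_dir`, so the later registration replaces the earlier one. Ansible registers a result even for a skipped task, so when the second block is skipped `amp_tmp_dir.path` is no longer defined, and when it runs the variable points at the download directory. In both cases the final "delete converted raw image" task would leave the directory holding the converted raw image behind, assuming its guard is now `amp_tmp_dir.path is defined` (the page has lost the +/- markers, so that side is inferred). I would register the download directory under its own name, for example `register: current_image_tmp_dir`, use that name in the download, `stat` and cleanup paths of that block, and have the block's last task remove the whole directory rather than only the `.tmp` file.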


@ -25,7 +25,7 @@
stat:
path: "{{ image_filename }}"
follow: true
get_md5: true
get_checksum: true
register: image_file_result
- include_tasks: image_mgmt.yml
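Review bot: `get_checksum: true` without `checksum_algorithm` makes the `stat` module return its default SHA-1 digest, so this task moves from MD5 to SHA-1 rather than to a collision-resistant hash. If the digest is meant to show that the image in Glance matches the local file, I would add `checksum_algorithm: sha256` here. The same applies to the two `stat` tasks in the other changed file (presumably image_mgmt.yml) that hash the converted and the downloaded image. All three tasks have to use the same algorithm, because their results are compared with or stored in the same `image_checksum` property and a mismatch would make `replace_image` true on every run.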