diff options
author | Dmitry Tantsur <dtantsur@protonmail.com> | 2023-05-04 09:26:10 +0200 |
---|---|---|
committer | Dmitry Tantsur <dtantsur@protonmail.com> | 2023-05-04 09:26:10 +0200 |
commit | c1c5537ba23b791e5041230db289bd5cd226ac7c (patch) | |
tree | ec88f6c16eb2be02e2ca015fb917a33859eccb4e | |
parent | c05fdf790c3cab6a18ca5b264e258c5c0016918d (diff) | |
download | ironic-python-agent-c1c5537ba23b791e5041230db289bd5cd226ac7c.tar.gz |
Revert disabling MD5 checksums
This was a significant breaking change that was landed despite explicit
disagreement by some community members (myself included). It has already
resulted in an accidental Ironic CI breakage, has broken Bifrost and has
a potential of breaking Metal3. In case of Metal3, MD5 support is a part
of its public API.
While MD5 is a potential security hazard, I don't see the need to hurry
this change without giving the community time to prepare. This change
reverts the new option md5_enabled to True.
Change-Id: I32b291ea162e8eb22429712c15cb5b225a6daafd
-rw-r--r-- | ironic_python_agent/config.py | 5 | ||||
-rw-r--r-- | ironic_python_agent/tests/unit/extensions/test_standby.py | 1 | ||||
-rw-r--r-- | releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml | 11 |
3 files changed, 6 insertions, 11 deletions
diff --git a/ironic_python_agent/config.py b/ironic_python_agent/config.py index 5c5de305..cd6de31f 100644 --- a/ironic_python_agent/config.py +++ b/ironic_python_agent/config.py @@ -329,8 +329,9 @@ cli_opts = [ 'cluster which may be visible over a storage fabric ' 'such as FibreChannel.'), cfg.BoolOpt('md5_enabled', - default=False, - help='If the MD5 algorithm is enabled for file checksums.'), + default=True, + help='If the MD5 algorithm is enabled for file checksums. ' + 'Will be changed to False in the future.'), ] CONF.register_cli_opts(cli_opts) diff --git a/ironic_python_agent/tests/unit/extensions/test_standby.py b/ironic_python_agent/tests/unit/extensions/test_standby.py index 9f5a354b..195336df 100644 --- a/ironic_python_agent/tests/unit/extensions/test_standby.py +++ b/ironic_python_agent/tests/unit/extensions/test_standby.py @@ -123,6 +123,7 @@ class TestStandbyExtension(base.IronicAgentTest): standby._validate_image_info(None, image_info) def test_validate_image_info_legacy_md5_checksum(self): + CONF.set_override('md5_enabled', False) image_info = _build_fake_image_info() del image_info['os_hash_algo'] del image_info['os_hash_value'] diff --git a/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml b/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml index 7fcacac4..5c9cfd05 100644 --- a/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml +++ b/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml @@ -6,14 +6,7 @@ features: (SHA-2) and SHA256 (SHA-2) checksums to be identified and utilized without an explicit declaration of the checksum type utilizing the ``os_hash_algo`` value. -upgrade: - - | - MD5 support for checksums have been disabled by default. This may result - in rebulids or manual deploy attempts to fail if no updated checksum has - been supplied for the ``os_hash_value`` and ``os_hash_algo`` settings. - To re-enable MD5 support, you may utilize a the ``[DEFAULT]md5_enabled`` - setting. deprecations: - | - Support for MD5 checksums have been deprecated and disabled by default. - Support for MD5 checksums will be removed after the 2024 Release. + Support for MD5 checksums have been deprecated and will be removed after + the 2024 Release. |