Glance import task should check supplied checksum of image #340

Open
berendt opened this issue Sep 28, 2022 · 2 comments · May be fixed by #627
berendt commented Sep 28, 2022

No description provided.

@berendt berendt added enhancement New feature or request upstream Implemented directly in the upstream labels Sep 28, 2022
@berendt berendt added the SCS Sovereign Cloud Stack label Nov 2, 2022
@frittentheke

I quite like the idea!

But with the Victoria release the former single MD5 hash was deprecated: https://docs.openstack.org/releasenotes/glance/victoria.html#deprecation-notes in favor of "multihash". While this sounds cool, multihash is only about being able to configure(!) a single hash algo that is then used: https://github.com/openstack/glance/blob/b023562e1d31d3e60c195d701e6a9ff52e2fc956/doc/source/admin/os_hash_algo.rst#secure-hash-algorithm-support-multihash, or https://docs.openstack.org/glance/latest/configuration/sample-configuration.html:

```ini
#
# Secure hashing algorithm used for computing the 'os_hash_value' property.
#
# This option configures the Glance "multihash", which consists of two
# image properties: the 'os_hash_algo' and the 'os_hash_value'.  The
# 'os_hash_algo' will be populated by the value of this configuration
# option, and the 'os_hash_value' will be populated by the hexdigest computed
# when the algorithm is applied to the uploaded or imported image data.
#
# The value must be a valid secure hash algorithm name recognized by the
# python 'hashlib' library.  You can determine what these are by examining
# the 'hashlib.algorithms_available' data member of the version of the
# library being used in your Glance installation.  For interoperability
# purposes, however, we recommend that you use the set of secure hash
# names supplied by the 'hashlib.algorithms_guaranteed' data member because
# those algorithms are guaranteed to be supported by the 'hashlib' library
# on all platforms.  Thus, any image consumer using 'hashlib' locally should
# be able to verify the 'os_hash_value' of the image.
#
# The default value of 'sha512' is a performant secure hash algorithm.
#
# If this option is misconfigured, any attempts to store image data will fail.
# For that reason, we recommend using the default value.
#
# Possible values:
#     * Any secure hash algorithm name recognized by the Python 'hashlib'
#       library
#
# Related options:
#     * None
#
#  (string value)
#hashing_algorithm = sha512
```

The default of SHA-512 is not provided by most image upstreams though. SHA-256 is very common, but for upstreams not providing the chosen hash algo, no checksum verification can be done. Would be nice to be able to provide any hash value of supported algos with the webdownload via image_url ... but that's an upstream change and will, even if implemented, take a while until it reaches most OpenStack installations.

gndrmnn added a commit to gndrmnn/openstack-image-manager that referenced this issue Aug 10, 2023
Use the 'checksum' hash value in the yaml files to
verify the image integrity after it has been successfully
imported. Show a warning, if either the hash algorithm
or the hash value does not match the expected fields.

Fixes osism#340

Signed-off-by: Gondermann <[email protected]>
@gndrmnn gndrmnn linked a pull request Aug 10, 2023 that will close this issue
@gndrmnn gndrmnn removed the upstream Implemented directly in the upstream label Aug 30, 2023
gndrmnn added a commit to gndrmnn/openstack-image-manager that referenced this issue Aug 30, 2023
Use the 'checksum' hash value in the yaml files to
verify the image integrity after it has been successfully
imported. Show a warning, if either the hash algorithm
or the hash value does not match the expected fields.

Fixes osism#340

Signed-off-by: Gondermann <[email protected]>
gndrmnn added a commit to gndrmnn/openstack-image-manager that referenced this issue Aug 31, 2023
Use the 'checksum' hash value in the yaml files to
verify the image integrity after it has been successfully
imported. Show a warning, if either the hash algorithm
or the hash value does not match the expected fields.

Fixes osism#340

Signed-off-by: Gondermann <[email protected]>
gndrmnn added a commit to gndrmnn/openstack-image-manager that referenced this issue Sep 19, 2023
Use the 'checksum' hash value in the yaml files to
verify the image integrity after it has been successfully
imported. Show a warning, if either the hash algorithm
or the hash value does not match the expected fields.

Fixes osism#340

Signed-off-by: Gondermann <[email protected]>
gndrmnn added a commit to gndrmnn/openstack-image-manager that referenced this issue Sep 21, 2023
Use the 'checksum' hash value in the yaml files to
verify the image integrity after it has been successfully
imported. Show a warning, if either the hash algorithm
or the hash value does not match the expected fields.

Fixes osism#340

Signed-off-by: Gondermann <[email protected]>
gndrmnn added a commit to gndrmnn/openstack-image-manager that referenced this issue Sep 21, 2023
Use the 'verify_checksum' hash value in the yaml files to
verify the image integrity after it has been successfully
imported. Show a warning, if either the hash algorithm
or the hash value does not match the expected fields.

Fixes osism#340

Signed-off-by: Gondermann <[email protected]>
@gndrmnn gndrmnn self-assigned this Sep 22, 2023
gndrmnn added a commit to gndrmnn/openstack-image-manager that referenced this issue Sep 26, 2023
Use the 'verify_checksum' hash value in the yaml files to
verify the image integrity after it has been successfully
imported. Show a warning, if either the hash algorithm
or the hash value does not match the expected fields.

Fixes osism#340

Signed-off-by: Gondermann <[email protected]>
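
An added example, not code from openstack-image-manager or Glance: one way to do the post-import check the commit messages describe, comparing an expected checksum with the image's `os_hash_algo` and `os_hash_value`. It assumes the expected value is written as `<algo>:<hexdigest>`, and it goes one step beyond the thread by hashing the image bytes locally when the two algorithms differ; `Result`, `parse_checksum` and `verify_image` are hypothetical names.

```python
import hashlib
import re
from enum import Enum


class Result(Enum):
    VERIFIED = "checksum verified"
    ALGO_MISMATCH = "hash algorithm differs, nothing compared"
    VALUE_MISMATCH = "hash value differs"
    INVALID = "expected checksum is malformed"


def parse_checksum(spec):
    """Split '<algo>:<hexdigest>' (assumed format); return None if malformed."""
    algo, sep, value = spec.strip().lower().partition(":")
    if not sep or algo not in hashlib.algorithms_guaranteed:
        return None
    size = hashlib.new(algo).digest_size  # 0 for the variable-length shake_*
    if size == 0 or not re.fullmatch(r"[0-9a-f]{%d}" % (2 * size), value):
        return None
    return algo, value


def verify_image(expected_spec, image_props, chunks=None):
    """Check an expected checksum against the Glance multihash properties.

    chunks: optional iterable of the image's bytes; used only when the
    expected algorithm is not the one Glance was configured with.
    """
    parsed = parse_checksum(expected_spec)
    if parsed is None:
        return Result.INVALID
    algo, expected = parsed
    glance_algo = (image_props.get("os_hash_algo") or "").lower()
    glance_value = (image_props.get("os_hash_value") or "").lower()
    if algo == glance_algo:
        actual = glance_value            # same algorithm: compare directly
    elif chunks is not None:
        digest = hashlib.new(algo)       # different algorithm: hash the bytes
        for chunk in chunks:
            digest.update(chunk)
        actual = digest.hexdigest()
    else:
        return Result.ALGO_MISMATCH      # nothing comparable: warn, don't pass
    return Result.VERIFIED if expected == actual else Result.VALUE_MISMATCH
```

Treating `ALGO_MISMATCH` as its own outcome keeps an unverifiable image from being reported as either good or corrupted.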