From c1c5537ba23b791e5041230db289bd5cd226ac7c Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Thu, 4 May 2023 09:26:10 +0200 Subject: Revert disabling MD5 checksums This was a significant breaking change that was landed despite explicit disagreement by some community members (myself included). It has already resulted in an accidental Ironic CI breakage, has broken Bifrost and has a potential of breaking Metal3. In case of Metal3, MD5 support is a part of its public API. While MD5 is a potential security hazard, I don't see the need to hurry this change without giving the community time to prepare. This change reverts the new option md5_enabled to True. Change-Id: I32b291ea162e8eb22429712c15cb5b225a6daafd --- ironic_python_agent/config.py | 5 +++-- ironic_python_agent/tests/unit/extensions/test_standby.py | 1 + .../notes/disable-md5-image-checksum-7def176928d36e75.yaml | 11 ++--------- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/ironic_python_agent/config.py b/ironic_python_agent/config.py index 5c5de305..cd6de31f 100644 --- a/ironic_python_agent/config.py +++ b/ironic_python_agent/config.py @@ -329,8 +329,9 @@ cli_opts = [ 'cluster which may be visible over a storage fabric ' 'such as FibreChannel.'), cfg.BoolOpt('md5_enabled', - default=False, - help='If the MD5 algorithm is enabled for file checksums.'), + default=True, + help='If the MD5 algorithm is enabled for file checksums. ' + 'Will be changed to False in the future.'), ] CONF.register_cli_opts(cli_opts) diff --git a/ironic_python_agent/tests/unit/extensions/test_standby.py b/ironic_python_agent/tests/unit/extensions/test_standby.py index 9f5a354b..195336df 100644 --- a/ironic_python_agent/tests/unit/extensions/test_standby.py +++ b/ironic_python_agent/tests/unit/extensions/test_standby.py @@ -123,6 +123,7 @@ class TestStandbyExtension(base.IronicAgentTest): standby._validate_image_info(None, image_info) def test_validate_image_info_legacy_md5_checksum(self): + CONF.set_override('md5_enabled', False) image_info = _build_fake_image_info() del image_info['os_hash_algo'] del image_info['os_hash_value'] diff --git a/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml b/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml index 7fcacac4..5c9cfd05 100644 --- a/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml +++ b/releasenotes/notes/disable-md5-image-checksum-7def176928d36e75.yaml @@ -6,14 +6,7 @@ features: (SHA-2) and SHA256 (SHA-2) checksums to be identified and utilized without an explicit declaration of the checksum type utilizing the ``os_hash_algo`` value. -upgrade: - - | - MD5 support for checksums have been disabled by default. This may result - in rebulids or manual deploy attempts to fail if no updated checksum has - been supplied for the ``os_hash_value`` and ``os_hash_algo`` settings. - To re-enable MD5 support, you may utilize a the ``[DEFAULT]md5_enabled`` - setting. deprecations: - | - Support for MD5 checksums have been deprecated and disabled by default. - Support for MD5 checksums will be removed after the 2024 Release. + Support for MD5 checksums have been deprecated and will be removed after + the 2024 Release. -- cgit v1.2.1