Thursday, 2022-04-28

« Wednesday, 2022-04-27 Index Friday, 2022-04-29 »
opendevreviewRajat Dhasmana proposed openstack/glance_store master: Cinder: Correct exception logging during attach  https://review.opendev.org/c/openstack/glance_store/+/83833505:02
opendevreviewMerged openstack/glance-tempest-plugin master: Update python testing classifier  https://review.opendev.org/c/openstack/glance-tempest-plugin/+/82326106:41
*** pdeore_ is now known as pdeore13:03
opendevreviewPierre-Samuel Le Stang proposed openstack/glance-specs master: [APIImpact] Add a new glance-download import method  https://review.opendev.org/c/openstack/glance-specs/+/83613213:20
pdeoreabhishekk, rosmaita, jokke_, dansmith, croelandt, mrjoshi glance weekly meeting in 10 minutes at #openstack-meeting13:51
abhishekkty!13:51
whoami-rajatabhishekk, croelandt hey, can we have a conclusion on this? it has been sitting there for quite a long time :) https://review.opendev.org/c/openstack/glance_store/+/83376713:58
abhishekkwhoami-rajat, will have a look after weekly meeting13:58
whoami-rajatabhishekk, ack13:58
dansmithwhoami-rajat: I piled on there14:03
whoami-rajatdansmith, thanks!14:04
dansmithjokke_: so, what I was trying to say was: if I show up at some service and say "here is some sensitive data and here is my md5 hash so you know you got it",14:59
dansmiththe remote service should not say "well, I've been told not to use md5, but I'll take your data anyway and return you a 200 without error, warning, etc"15:00
dansmithnow, IIRC, if I just do a glance upload, glance calculates the hash on its end, and the user could verify that glance got the whole thing after the fact by comparing its computed hash to the one the user knows to be right15:01
dansmiththat's the expected workflow today for upload yeah?15:01
jokke_yep, same with web-download ... we don't scrape say ubuntu download page if they happen to have a hash we can replicate, we get the data, calculate the hash when _uploading_ to the first store (as in after possible conversion etc. plugins that might change that data) and the user will have the hash available in the image metadata15:03
jokke_oh, sorry, just upload no import, yes we calculate it from the stream we push to the store15:04
dansmithwhich happens for both upload and import right? I wasn't making the distinction because I assumed the same15:05
jokke_well yeah, the difference is that in upload we just stream the user provided data through, import there might be changes before it goes to the store15:05
dansmithright, so we could (or do we?) calculate the hash while we stage it in the import case?15:06
jokke_so with import the user might not get same checksum back even if using same algo15:06
dansmithah, so calculate the hash after during staging->store because we could have converted it in staging?15:06
jokke_We don't calculate it in staging as it's WORM value ... once it's set it cannot be changed15:06
jokke_correct15:06
dansmith(sorry in the tc meeting too, just a sec)15:07
opendevreviewAbhishek Kekane proposed openstack/glance master: [oslo.policy] Blacklist 3.12.0  https://review.opendev.org/c/openstack/glance/+/83978015:11
abhishekkjokke_, ^^15:11
jokke_also the unfortunate design model of multi-hash is that it's not really a multihash as the algo and the hash are separate properties, we cannot even go and provide multiple hashes with different algorithms. so there is no way with Images API v2 for us to update the hash say with newer secure algo 15:11
jokke_abhishekk: thanks15:11
abhishekkjokke_, probably I will fix the instant caching spec tomorrow morning15:13
abhishekksorry for the delay15:13
jokke_abhishekk: no problem15:15
jokke_dansmith: And while that was designed, the decision was made that we treat hashes we can't replicate as if they were not existing. So say there is issue with algo that is in use, you update configs for new safe algo and then you path your system to not having that old algo anymore, we do not fail the operations as we couldn't calculate the hash, if we can calculate it and we get different value, 15:18
jokke_then we fail15:18
jokke_so your old images keeps working 15:19
dansmithjokke_: sorry, still in a section I have to chat, but .. can you point me to where in the code we ignore a missing algo for another operation?15:19
jokke_dansmith: no prob, read through when you have time ... was just writing my thoughts so I don't forget it15:20
jokke_https://github.com/openstack/python-glanceclient/blob/master/glanceclient/v2/images.py#L220-L237 that explains the validation chain15:25
jokke_importance there on point 415:25
dansmithjokke_: ack, so summarizing the scheme right now is basically "the server computes the hash as it got it, the client is responsible for verifying" either after upload or during download yeah?15:32
dansmithI'm not sure what we do at #1 if allow_md5_fallback=False, but that case and #2 itself says "if md5 is not available to the client, the download fails" which would be the fail-safe to not download if we can't validate the image right?15:33
dansmithpoint here is that glance with glance-download is behaving both as client (of glance) and server15:34
dansmithreplicating the glanceclient behavior may be reasonable, although I think sticking to the stricter behavior is better because the point of the feature is to avoid the user having to download the image15:34
dansmithso if I go glance-download an image from one cloud to another, the destination cloud should ideally be able to validate (to me) that the image it got is the same as the one in the source cloud, because it may then modify that image (i.e. convert) before it calculates its hash during staging->store15:35
abhishekk ERROR: Requirement for package oslo.policy excludes a version not excluded in the global list.15:35
abhishekk  Local settings : {'!=3.12.0'}15:35
abhishekk  Global settings: {'!=3.0.0', '!=3.6.1'}15:35
abhishekk  Unexpected     : {'!=3.12.0'}15:35
dansmithotherwise, in the latter case, the hash will not match between the source and dest clouds but I have no way of knowing that it at least made it to the dest cloud intact before it was mechanically converted15:36
dansmithso to me, it seems like the best plan would be to calculate one of the available hashes while we're downloading, and if we really have none in common, either refuse (as glanceclient seems to do if md5 is not available) or at least warn the user in some way15:36
jokke_dansmith: so if we tell it to verify md5 in absence of multihash it fails if the md5 is not there. Unless specifically told so we skip the points 2&315:37
dansmithI haven't read the code just the comment, but you're saying if allow_md5_fallback=False and no hashes are supported, we jump to #4?15:38
jokke_yup15:38
jokke_meaning we do not have hash as we don't have any compatible algos to verify and we continue unverified15:39
dansmithokay, but do you understand why that's not as big of a deal if I'm downloading the image and can manually calculate another hash to validate, but I can't if it's cloud-to-cloud?15:39
jokke_dansmith: no this is the same behaviour when nova and cinder are consuming the image15:40
jokke_it's not just CLI behaviour15:40
jokke_if compute does not have the algo available, it will consume the image15:41
jokke_which is why I'm saying ignoring algos we don't have is the consistent thing to do. The user can see if they have matching checksums after image creation and investigate if not.15:43
dansmithokay, if we can't even agree on the premise then I guess there's really not much conversation left to have15:43
dansmithbut fwiw, I don't actually see that nova even checks the checksum or the os_hash values, so I don't think your assertion that it silently ignores those if it doesn't have the aglo available is right15:44
jokke_but we shouldn't waste the bandwidth and make the user download&upload manually just because the origin had hashing algorithm used which doesn't exist in destination15:44
jokke_dansmith: nova doesn't because the the client does it in the fly 15:45
jokke_so if the checksum fails during the download the client will throw exception15:45
jokke_instead of providing nova the imge15:45
dansmithack, fair enough15:46
jokke_That said the only case where I've actually seen this happening was recent thing where store was corrupting the image data. I cannot recall when I would have seen actual transfer error last time. Nowadays networking, tcp & http are just pretty darn recilient 15:48
dansmithtcp and http only checksum 64k blocks at a time, using CRC. And malicious actors can easily modify data in flight.15:48
jokke_so I'd say the most likely case for getting checksum mismatch would be when expired algo has been used15:49
jokke_which seems to be pretty rare in https environments15:50
jokke_not saying impossible, just haven't came across mitm attacks for long time15:51
* abhishekk signing out for the day15:52
jokke_for sure easier in "trusted" environments where the malicious actor more likely has access to trusted certs too15:52
jokke_night abhishekk 15:52
abhishekkgood night o/~15:52
abhishekkhttps://review.opendev.org/c/openstack/releases/+/83977515:53
abhishekkThis will unblock us15:53
opendevreviewElod Illes proposed openstack/glance master: [CI] Install dependencies for docs target  https://review.opendev.org/c/openstack/glance/+/83978616:03
opendevreviewDurga Malleswari Varanasi proposed openstack/glance master: Internal server error if shared member tries to stage data to image  https://review.opendev.org/c/openstack/glance/+/83470116:35
opendevreviewElod Illes proposed openstack/glance stable/yoga: [CI] Install dependencies for docs target  https://review.opendev.org/c/openstack/glance/+/83981418:29
opendevreviewElod Illes proposed openstack/glance stable/xena: [CI] Install dependencies for docs target  https://review.opendev.org/c/openstack/glance/+/83981518:30
opendevreviewElod Illes proposed openstack/glance stable/wallaby: [CI] Install dependencies for docs target  https://review.opendev.org/c/openstack/glance/+/83981618:31
« Wednesday, 2022-04-27 Index Friday, 2022-04-29 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!