| stephenfin | jokke__: Any idea on my question above (the difference between 'image-stage' and 'image-upload', and whether both are supported)? 👆 | 10:31 |
|---|---|---|
| croelandt | jokke__: will you be joining? | 14:01 |
| pdeore | we are starting with our first session for today | 14:01 |
| rosmaita | TheJulia: here's the state of play for image checksum verification | 16:04 |
| rosmaita | in Rocky, Glance introduced a "multihash" (self-describing hash fields that use SHA-512 by default) | 16:04 |
| rosmaita | and the python-cinderclient supports download validation using the multihash by default | 16:04 |
| rosmaita | with an optional fallback to using the MD5 'checksum' field if the secure algorithm isn't available on the client system | 16:04 |
| rosmaita | the md5 'checksum' is still populated for legacy applications; it uses the fips-compliant oslo thingy | 16:04 |
| rosmaita | probably the best description of multihash is glance rocky release notes | 16:04 |
| rosmaita | https://docs.openstack.org/releasenotes/glance/rocky.html#new-features | 16:04 |
| rosmaita | (third bullet point in ^^) | 16:04 |
| rosmaita | Here's the patch adding multihash support to the glanceclient (in particular, see the release note): | 16:04 |
| rosmaita | https://review.opendev.org/c/openstack/python-glanceclient/+/613350 | 16:04 |
| rosmaita | also, if ironic is using the python-glanceclient for image download, then ironic is already using multihash validation | 16:04 |
| TheJulia | rosmaita: yes, we support that multihash functionality. The question is will it be maintained, or not? | 16:05 |
| TheJulia | sorry, it being the md5 checksum | 16:05 |
| rosmaita | maintained in the sense of being populated, you mean? | 16:06 |
| TheJulia | yes | 16:09 |
| rosmaita | i guess i don't understand the problem, with the multihash present, you can treat the 'checksum' as a field like the image name that doesn't have anything to do with security | 16:10 |
| TheJulia | Indeed, however it can still be used as a compatability fallback, and I think that is the complaint ultimately. | 16:12 |
| rosmaita | TheJulia: this is how glance handled continuing to populate the 'checksum', I think the commit message explains why md5 is not a problem in this context | 16:21 |
| rosmaita | https://review.opendev.org/c/openstack/glance_store/+/756157 | 16:21 |
| TheJulia | I think some people find that insufficent, but okay | 16:22 |
| jokke__ | stephenfin: sorry for late reply. Staging is the mid part of Interoperable Image Import workflow. So after the staging is done, one needs to issue the image-import call to kick off the async processing of that staged data | 17:13 |
| jokke__ | stephenfin: image-upload does not utilize any of the taskflow async stuff, but glance streams the image directly to the target store. | 17:13 |
| *** jokke__ is now known as jokke_ | 17:13 | |
| jokke_ | stephenfin: so for example you can't upload compressed images or use the image conversion with image-upload | 17:14 |
| stephenfin | jokke_: Great. Thanks. I'd figured out 'image-import' in the interim but not the difference. That's great info (y) | 17:27 |
| opendevreview | Merged openstack/glance master: Imported Translations from Zanata https://review.opendev.org/c/openstack/glance/+/861551 | 21:09 |
| opendevreview | Brian Rosmaita proposed openstack/glance master: WIP: Test Ubuntu 22.04 (Jammy) migration https://review.opendev.org/c/openstack/glance/+/862189 | 21:13 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!