Comment 12 for bug 1933966
Robert C Jennings (rcj) wrote : Re: [Bug 1933966] Re: sync-images fails with Invalid glance image: <X>. Expected size=<Y> md5=None. Found size=<Y> md5=<Z>

It's 2021 and md5 has been insufficient as a cryptographic hash for years;
as of 2008 CERT declared MD5 "cryptographically broken and unsuitable for
further use"[1]. Minimal streams were created after this and therefore md5
sums are intentionally omitted. For standard image streams, md5 sums should
be removed before another 10-year LTS is released, considering supply chain
security concerns, and simplestreams updated to only accept sha256 or
greater. Given the timeframe for LTS support, NIST 2020 recommendations[2]
would point to SHA-384 or SHA-512.

[1] https://www.kb.cert.org/vuls/id/836068
[2] https://www.keylength.com/en/4/

On Thu, Oct 7, 2021 at 9:56 AM Corey Bryant <email address hidden>
wrote:

> @John, thanks for taking a look. The simplestreams code [1] seems to
> validate based on md5, so perhaps it should be validating images based on
> sha256.
> [1]
> https://git.launchpad.net/simplestreams/tree/simplestreams/mirrors/glance.py
>
> ** Also affects: simplestreams
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to cloud-
> images.
> Matching subscriptions: cloud-images
> https://bugs.launchpad.net/bugs/1933966
>
> Title:
> sync-images fails with Invalid glance image: <X>. Expected size=<Y>
> md5=None. Found size=<Y> md5=<Z>
>
> Status in OpenStack glance-simplestreams-sync charm:
> New
> Status in charm-octavia-diskimage-retrofit:
> Triaged
> Status in cloud-images:
> New
> Status in simplestreams:
> New
>
> Bug description:
> Visible in this gate:
>
> https://review.opendev.org/c/openstack/charm-octavia-diskimage-retrofit/+/778995
>
> https://openstack-ci-reports.ubuntu.com/artifacts/d09/778995/5/check/bionic-ussuri/d092848/job-output.txt
>
> zaza.model.ActionFailed: Run of action "sync-images" with parameters
> "<not-set>" on "glance-simplestreams-sync/0" failed with "exit status 1"
> (id=36 status=failed enqueued=2021-06-28T16:55:10Z
> started=2021-06-28T16:55:11Z completed=2021-06-28T16:55:28Z output={'Code':
> '1', 'Stderr':
> '/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py:179:
> UserWarning: Using keystoneclient sessions has been deprecated. Please
> update your software to use keystoneauth1.\n warnings.warn(\'Using
> keystoneclient sessions has been deprecated. \'\nTraceback (most recent
> call last):
> File "/snap/simplestreams/27/bin/sstream-mirror-glance", line 185, in
> <module>
> main()
> File "/snap/simplestreams/27/bin/sstream-mirror-glance", line 181, in
> main
> tmirror.sync(smirror, args.path)
> File
> "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/__init__.py",
> line 91, in sync
> return self.sync_index(reader, path, data, content)
> File
> "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/__init__.py",
> line 254, in sync_index
> self.sync(reader, path=epath)
> File
> "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/__init__.py",
> line 89, in sync
> return self.sync_products(reader, path, data, content)
> File
> "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/__init__.py",
> line 360, in sync_products
> (prodname, vername))
> File
> "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/glance.py",
> line 582, in insert_version
> self._insert_item(*iargs)
> File
> "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/glance.py",
> line 501, in _insert_item
> self.validate_image(glance_image.id, new_md5, new_size)
> File
> "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/glance.py",
> line 537, in validate_image
> raise IOError(msg)
> OSError: Invalid glance image: 3c4b49a4-a4c9-4b84-95eb-dbf0ce3d1e83.
> Expected size=172883968 md5=None. Found size=172883968
> md5=078ff054bceec76f66ffeaa748f9f2e5.
> ', 'Stdout': 'sending incremental file
> list\nstreams/\nstreams/v1/\nstreams/v1/auto.sync.json\nstreams/v1/index.json\n\nsent
> 1,230 bytes received 66 bytes 2,592.00 bytes/sec\ntotal size is 2,535
> speedup is 1.96\n'})
>
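An added example, not part of the original comment and not simplestreams code: a sketch of validation that uses the strongest SHA-2 digest a stream item carries and never compares against md5, so an item with md5=None (as in minimal streams) still validates. The helper names and the sample items are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import io

# Strongest first. md5 is deliberately absent, so it is never used to validate.
PREFERRED = ("sha512", "sha384", "sha256")


def pick_checksum(item):
    """Return (algorithm, expected_hex) for the strongest digest in a stream item."""
    for alg in PREFERRED:
        if item.get(alg):
            return alg, item[alg].lower()
    raise ValueError("item has no sha256 or stronger checksum; refusing md5-only data")


def verify_item(item, fileobj, chunk=1 << 20):
    """Check fileobj against the item's size and strongest digest (hypothetical helper)."""
    alg, expected = pick_checksum(item)
    digest, size = hashlib.new(alg), 0
    for block in iter(lambda: fileobj.read(chunk), b""):
        digest.update(block)
        size += len(block)
    if size != int(item["size"]):
        raise IOError("Expected size=%s. Found size=%d" % (item["size"], size))
    found = digest.hexdigest()
    if not hmac.compare_digest(found, expected):
        raise IOError("Expected %s=%s. Found %s=%s" % (alg, expected, alg, found))
    return alg


# Constructed sample data, not taken from any real stream.
IMAGE = b"constructed image bytes\n" * 64
MINIMAL_ITEM = {"size": len(IMAGE), "sha256": hashlib.sha256(IMAGE).hexdigest()}
MD5_ONLY_ITEM = {"size": len(IMAGE), "md5": "0" * 32}

if __name__ == "__main__":
    print(verify_item(MINIMAL_ITEM, io.BytesIO(IMAGE)))
```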