Task #8322
closedTask #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS
Automate the running of the `handle-content-artifact` command
100%
Description
In 3.10, the default for ALLOWED_CONTENT_CHECKSUMS included md5 and sha1. In 3.11, it does not.
Problem¶
If the user hasn't manually brought back md5 and sha1 in the ALLOWED_CONTENT_CHECKSUMS
setting, this will present a problem at upgrade time when the pulpcore-manager migrate
goes to run. Specifically Pulp will refuse to run the migrate
because Artifacts have md5 and sha1 from <3.11 and the user (and installer) never ran pulpcore-migrate handle-artifact-checksums
.
Experience the problem¶
- Install a 3.10 version of pulp
- Use pulp_file to sync down
https://fixtures.pulpproject.org/file/PULP_MANIFEST
- Upgrade to 3.11 and attempt to run migrations (you'll experience the 3.11 failure here)
- Even if you can get around the migrations running when Pulp goes to start you'll then experience the problem again at Pulp start time.
Solution¶
Have pulpcore ship a migration with 3.11 that runs the pulpcore-migrate handle-artifact-checksums
command from the migration itself. Users can set the ALLOWED_CONTENT_CHECKSUMS
to the checksums they desire prior to starting pulpcore 3.11 and if they do nothing this migration will ensure the don't encounter a problem.
Additionally this check here needs to not perform the check for the migrate
command also: https://github.com/pulp/pulpcore/blob/master/pulpcore/app/settings.py#L312 Otherwise the migration itself won't be able to run to resolve the problem.
Updated by bmbouter almost 4 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
Updated by bmbouter almost 4 years ago
- Subject changed from Test that upgrades work if you have forbidden content to Automate the running of the `handle-content-artifact` command
Updated by bmbouter almost 4 years ago
- Description updated (diff)
I tested an upgrade on a system with sync'd file content and I reproduced the problem. I put some details in the body of this work.
Updated by pulpbot almost 4 years ago
- Status changed from ASSIGNED to POST
Added by bmbouter almost 4 years ago
Updated by bmbouter almost 4 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulpcore|6cc9d4935b2e5eb09a8e5270b20bf75a9668954b.
Updated by ipanova@redhat.com almost 4 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Adds migration to call handle-artifact-migrations
In 3.11 due to the settings changing, every system will need to call this command, therefore providing it as a data migration is easier for everyone. Users can still modify the
ALLOWED_CONTENT_CHECKSUMS
command as they see fit prior to the 3.11 upgrade and this migration will serve them well too.In order to run the migrations in an environment where the checksum checks in
pulpcore.app.settings
would fail, they have also been adjusted to allow thepulpcore-manager migrate
command to run.closes #8322