Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS
Automate the running of the `handle-content-artifact` command
In 3.10, the default for ALLOWED_CONTENT_CHECKSUMS included md5 and sha1. In 3.11, it does not.
If the user hasn't manually brought back md5 and sha1 in the
ALLOWED_CONTENT_CHECKSUMS setting, this will present a problem at upgrade time when the
pulpcore-manager migrate goes to run. Specifically Pulp will refuse to run the
migrate because Artifacts have md5 and sha1 from <3.11 and the user (and installer) never ran
Experience the problem¶
- Install a 3.10 version of pulp
- Use pulp_file to sync down
- Upgrade to 3.11 and attempt to run migrations (you'll experience the 3.11 failure here)
- Even if you can get around the migrations running when Pulp goes to start you'll then experience the problem again at Pulp start time.
Have pulpcore ship a migration with 3.11 that runs the
pulpcore-migrate handle-artifact-checksums command from the migration itself. Users can set the
ALLOWED_CONTENT_CHECKSUMS to the checksums they desire prior to starting pulpcore 3.11 and if they do nothing this migration will ensure the don't encounter a problem.
Additionally this check here needs to not perform the check for the
migrate command also: https://github.com/pulp/pulpcore/blob/master/pulpcore/app/settings.py#L312 Otherwise the migration itself won't be able to run to resolve the problem.
Adds migration to call handle-artifact-migrations
In 3.11 due to the settings changing, every system will need to call
this command, therefore providing it as a data migration is easier for
everyone. Users can still modify the
command as they see fit prior to the 3.11 upgrade and this migration
will serve them well too.
In order to run the migrations in an environment where the checksum
pulpcore.app.settings would fail, they have also been
adjusted to allow the
pulpcore-manager migrate command to run.
Please register to edit this issue