Project

Profile

Help

Task #8322

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

Automate the running of the `handle-content-artifact` command

Added by daviddavis about 1 month ago. Updated 30 days ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

In 3.10, the default for ALLOWED_CONTENT_CHECKSUMS included md5 and sha1. In 3.11, it does not.

Problem

If the user hasn't manually brought back md5 and sha1 in the ALLOWED_CONTENT_CHECKSUMS setting, this will present a problem at upgrade time when the pulpcore-manager migrate goes to run. Specifically Pulp will refuse to run the migrate because Artifacts have md5 and sha1 from <3.11 and the user (and installer) never ran pulpcore-migrate handle-artifact-checksums.

Experience the problem

  1. Install a 3.10 version of pulp
  2. Use pulp_file to sync down https://fixtures.pulpproject.org/file/PULP_MANIFEST
  3. Upgrade to 3.11 and attempt to run migrations (you'll experience the 3.11 failure here)
  4. Even if you can get around the migrations running when Pulp goes to start you'll then experience the problem again at Pulp start time.

Solution

Have pulpcore ship a migration with 3.11 that runs the pulpcore-migrate handle-artifact-checksums command from the migration itself. Users can set the ALLOWED_CONTENT_CHECKSUMS to the checksums they desire prior to starting pulpcore 3.11 and if they do nothing this migration will ensure the don't encounter a problem.

Additionally this check here needs to not perform the check for the migrate command also: https://github.com/pulp/pulpcore/blob/master/pulpcore/app/settings.py#L312 Otherwise the migration itself won't be able to run to resolve the problem.

Associated revisions

Revision 6cc9d493 View on GitHub
Added by bmbouter about 1 month ago

Adds migration to call handle-artifact-migrations

In 3.11 due to the settings changing, every system will need to call this command, therefore providing it as a data migration is easier for everyone. Users can still modify the ALLOWED_CONTENT_CHECKSUMS command as they see fit prior to the 3.11 upgrade and this migration will serve them well too.

In order to run the migrations in an environment where the checksum checks in pulpcore.app.settings would fail, they have also been adjusted to allow the pulpcore-manager migrate command to run.

closes #8322

History

#1 Updated by bmbouter about 1 month ago

  • Description updated (diff)

#2 Updated by bmbouter about 1 month ago

  • Description updated (diff)

#3 Updated by bmbouter about 1 month ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

#4 Updated by bmbouter about 1 month ago

  • Parent task set to #7960

#5 Updated by bmbouter about 1 month ago

  • Subject changed from Test that upgrades work if you have forbidden content to Automate the running of the `handle-content-artifact` command

#6 Updated by bmbouter about 1 month ago

  • Description updated (diff)

I tested an upgrade on a system with sync'd file content and I reproduced the problem. I put some details in the body of this work.

#7 Updated by pulpbot about 1 month ago

  • Status changed from ASSIGNED to POST

#8 Updated by bmbouter about 1 month ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#9 Updated by ipanova@redhat.com 30 days ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Please register to edit this issue

Also available in: Atom PDF