Project

Profile

Help

Task #8322

closed

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

Automate the running of the `handle-content-artifact` command

Added by daviddavis almost 4 years ago. Updated over 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

In 3.10, the default for ALLOWED_CONTENT_CHECKSUMS included md5 and sha1. In 3.11, it does not.

Problem

If the user hasn't manually brought back md5 and sha1 in the ALLOWED_CONTENT_CHECKSUMS setting, this will present a problem at upgrade time when the pulpcore-manager migrate goes to run. Specifically Pulp will refuse to run the migrate because Artifacts have md5 and sha1 from <3.11 and the user (and installer) never ran pulpcore-migrate handle-artifact-checksums.

Experience the problem

  1. Install a 3.10 version of pulp
  2. Use pulp_file to sync down https://fixtures.pulpproject.org/file/PULP_MANIFEST
  3. Upgrade to 3.11 and attempt to run migrations (you'll experience the 3.11 failure here)
  4. Even if you can get around the migrations running when Pulp goes to start you'll then experience the problem again at Pulp start time.

Solution

Have pulpcore ship a migration with 3.11 that runs the pulpcore-migrate handle-artifact-checksums command from the migration itself. Users can set the ALLOWED_CONTENT_CHECKSUMS to the checksums they desire prior to starting pulpcore 3.11 and if they do nothing this migration will ensure the don't encounter a problem.

Additionally this check here needs to not perform the check for the migrate command also: https://github.com/pulp/pulpcore/blob/master/pulpcore/app/settings.py#L312 Otherwise the migration itself won't be able to run to resolve the problem.

Actions #1

Updated by bmbouter almost 4 years ago

  • Description updated (diff)
Actions #2

Updated by bmbouter almost 4 years ago

  • Description updated (diff)
Actions #3

Updated by bmbouter almost 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter
Actions #4

Updated by bmbouter almost 4 years ago

  • Parent issue set to #7960
Actions #5

Updated by bmbouter almost 4 years ago

  • Subject changed from Test that upgrades work if you have forbidden content to Automate the running of the `handle-content-artifact` command
Actions #6

Updated by bmbouter almost 4 years ago

  • Description updated (diff)

I tested an upgrade on a system with sync'd file content and I reproduced the problem. I put some details in the body of this work.

Actions #7

Updated by pulpbot almost 4 years ago

  • Status changed from ASSIGNED to POST

Added by bmbouter over 3 years ago

Revision 6cc9d493 | View on GitHub

Adds migration to call handle-artifact-migrations

In 3.11 due to the settings changing, every system will need to call this command, therefore providing it as a data migration is easier for everyone. Users can still modify the ALLOWED_CONTENT_CHECKSUMS command as they see fit prior to the 3.11 upgrade and this migration will serve them well too.

In order to run the migrations in an environment where the checksum checks in pulpcore.app.settings would fail, they have also been adjusted to allow the pulpcore-manager migrate command to run.

closes #8322

Actions #8

Updated by bmbouter over 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #9

Updated by ipanova@redhat.com over 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF