Fail gracefully when MD5 is unavailable

The glanceclient currently assumes that MD5 will always be available.
This is not the case, however, in a FIPS-compliant environment.  This
patch enables the glanceclient to fail gracefully in such a case.

Closes-bug: #1871675
Change-Id: Ibd89989e06cc5be7da71f5f21561d73b5abc4104
Brian Rosmaita
2020-04-07 00:13:49 -04:00
parent cf5434a1b8
commit 56186d6d5a
6 changed files with 45 additions and 3 deletions
@@ -0,0 +1,13 @@
---
other:
-|
For legacy (pre-Rocky) images that do not contain "multihash" metadata,
or when the ``--allow-md5-fallback`` option is used in cases where the
multihash metadata is present but the specified algorithm is not available
to the glanceclient, the glanceclient uses an MD5 checksum to validate
the download. When operating in a FIPS-compliant environment, however,
the MD5 algorithm may be unavailable to the glanceclient. In such a case,
(that is, when the MD5 checksum information is available to the glanceclient
but the MD5 algorithm is not), the glanceclient will fail the download as
corrupt because it cannot prove otherwise. This is consistent with
current behavior.
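Review bot: The sentence "the glanceclient will fail the download as corrupt because it cannot prove otherwise" leaves an operator in a FIPS-compliant environment unable to tell, from this note, whether a failed download means the image data is actually corrupt or only that the MD5 check could not be run. Suggest stating what error or message the user sees in the MD5-unavailable case so the two outcomes can be told apart. The closing "This is consistent with current behavior" is also ambiguous: say which behavior is meant (for example, how the client treats a download it cannot validate). Two smaller points: the note is filed under "other:" although the commit closes a bug, so a "fixes:" section would make it easier to find in the release notes; and the comma before the parenthesis in "In such a case, (that is, ..." should move to after the closing parenthesis.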