def _verify_checksum(self, img, base_file):
"""Compare the checksum stored on disk with the current file.
Note that if the checksum fails to verify this is logged, but no actual
action occurs. This is something sysadmins should monitor for and
handle manually when it occurs.
"""
f = open(base_file, 'r')
current_checksum = utils.hash_file(f)
f.close()
stored_checksum = read_stored_checksum(base_file)
if stored_checksum:
if current_checksum != stored_checksum:
LOG.error(_('%(container_format)s-%(id)s '
'(%(base_file)s): '
'image verification failed'),
{'container_format': img['container_format'],
'id': img['id'],
'base_file': base_file})
return False
else:
return True
else:
LOG.debug(_('%(container_format)s-%(id)s (%(base_file)s): '
'image verification skipped, no hash stored'),
{'container_format': img['container_format'],
'id': img['id'],
'base_file': base_file})
return None
def write_stored_checksum(target):
"""Write a checksum to disk for a file in _base."""
if not read_stored_checksum(target):
img_file = open(target, 'r')
checksum = utils.hash_file(img_file)
img_file.close()
virtutils.write_stored_info(target, field='sha1', value=checksum)
def write_stored_checksum(target):
"""Write a checksum to disk for a file in _base."""
if not read_stored_checksum(target):
img_file = open(target, 'r')
checksum = utils.hash_file(img_file)
img_file.close()
virtutils.write_stored_info(target, field='sha1', value=checksum)
def inner_verify_checksum():
(stored_checksum,
stored_timestamp) = read_stored_checksum(base_file,
timestamped=True)
if stored_checksum:
# NOTE(mikal): Checksums are timestamped. If we have recently
# checksummed (possibly on another compute node if we are using
# shared storage), then we don't need to checksum again.
if (stored_timestamp and time.time() - stored_timestamp <
CONF.checksum_interval_seconds):
return True
# NOTE(mikal): If there is no timestamp, then the checksum was
# performed by a previous version of the code.
if not stored_timestamp:
write_stored_info(base_file,
field='sha1',
value=stored_checksum)
with open(base_file, 'r') as f:
current_checksum = utils.hash_file(f)
if current_checksum != stored_checksum:
LOG.error(
_('image %(id)s at (%(base_file)s): image '
'verification failed'), {
'id': img_id,
'base_file': base_file
})
return False
else:
return True
else:
LOG.info(
_('image %(id)s at (%(base_file)s): image '
'verification skipped, no hash stored'), {
'id': img_id,
'base_file': base_file
})
# NOTE(mikal): If the checksum file is missing, then we should
# create one. We don't create checksums when we download images
# from glance because that would delay VM startup.
if CONF.checksum_base_images and create_if_missing:
LOG.info(_('%(id)s (%(base_file)s): generating checksum'),
{
'id': img_id,
'base_file': base_file
})
write_stored_checksum(base_file)
return None
def write_stored_checksum(target):
"""Write a checksum to disk for a file in _base."""
checksum_filename = '%s.sha1' % target
if os.path.exists(target) and not os.path.exists(checksum_filename):
# NOTE(mikal): Create the checksum file first to exclude possible
# overlap in checksum operations. An empty checksum file is ignored if
# encountered during verification.
sum_file = open(checksum_filename, 'w')
img_file = open(target, 'r')
checksum = utils.hash_file(img_file)
img_file.close()
sum_file.write(checksum)
sum_file.close()
def write_stored_checksum(target):
"""Write a checksum to disk for a file in _base."""
checksum_filename = '%s.sha1' % target
if os.path.exists(target) and not os.path.exists(checksum_filename):
# NOTE(mikal): Create the checksum file first to exclude possible
# overlap in checksum operations. An empty checksum file is ignored if
# encountered during verification.
sum_file = open(checksum_filename, 'w')
img_file = open(target, 'r')
checksum = utils.hash_file(img_file)
img_file.close()
sum_file.write(checksum)
sum_file.close()
def inner_verify_checksum():
(stored_checksum, stored_timestamp) = read_stored_checksum(
base_file, timestamped=True)
if stored_checksum:
# NOTE(mikal): Checksums are timestamped. If we have recently
# checksummed (possibly on another compute node if we are using
# shared storage), then we don't need to checksum again.
if (stored_timestamp and
time.time() - stored_timestamp <
CONF.checksum_interval_seconds):
return True
# NOTE(mikal): If there is no timestamp, then the checksum was
# performed by a previous version of the code.
if not stored_timestamp:
write_stored_info(base_file, field='sha1',
value=stored_checksum)
with open(base_file, 'r') as f:
current_checksum = utils.hash_file(f)
if current_checksum != stored_checksum:
LOG.error(_('image %(id)s at (%(base_file)s): image '
'verification failed'),
{'id': img_id,
'base_file': base_file})
return False
else:
return True
else:
LOG.info(_('image %(id)s at (%(base_file)s): image '
'verification skipped, no hash stored'),
{'id': img_id,
'base_file': base_file})
# NOTE(mikal): If the checksum file is missing, then we should
# create one. We don't create checksums when we download images
# from glance because that would delay VM startup.
if CONF.checksum_base_images and create_if_missing:
LOG.info(_('%(id)s (%(base_file)s): generating checksum'),
{'id': img_id,
'base_file': base_file})
write_stored_checksum(base_file)
return None
def _make_base_file(self, checksum=True):
"""Make a base file for testing."""
with utils.tempdir() as tmpdir:
fname = os.path.join(tmpdir, 'aaa')
base_file = open(fname, 'w')
base_file.write('data')
base_file.close()
base_file = open(fname, 'r')
if checksum:
checksum_file = open('%s.sha1' % fname, 'w')
checksum_file.write(utils.hash_file(base_file))
checksum_file.close()
base_file.close()
yield fname
def _make_base_file(self, checksum=True):
"""Make a base file for testing."""
with utils.tempdir() as tmpdir:
fname = os.path.join(tmpdir, 'aaa')
base_file = open(fname, 'w')
base_file.write('data')
base_file.close()
base_file = open(fname, 'r')
if checksum:
checksum_file = open('%s.sha1' % fname, 'w')
checksum_file.write(utils.hash_file(base_file))
checksum_file.close()
base_file.close()
yield fname
def _make_base_file(checksum=True):
"""Make a base file for testing."""
dirname = tempfile.mkdtemp()
fname = os.path.join(dirname, 'aaa')
base_file = open(fname, 'w')
base_file.write('data')
base_file.close()
base_file = open(fname, 'r')
if checksum:
checksum_file = open('%s.sha1' % fname, 'w')
checksum_file.write(utils.hash_file(base_file))
checksum_file.close()
base_file.close()
return dirname, fname
def _make_base_file(checksum=True):
"""Make a base file for testing."""
dirname = tempfile.mkdtemp()
fname = os.path.join(dirname, 'aaa')
base_file = open(fname, 'w')
base_file.write('data')
base_file.close()
base_file = open(fname, 'r')
if checksum:
checksum_file = open('%s.sha1' % fname, 'w')
checksum_file.write(utils.hash_file(base_file))
checksum_file.close()
base_file.close()
return dirname, fname
def _verify_checksum(self, img_id, base_file, create_if_missing=True):
"""Compare the checksum stored on disk with the current file.
Note that if the checksum fails to verify this is logged, but no actual
action occurs. This is something sysadmins should monitor for and
handle manually when it occurs.
"""
if not FLAGS.checksum_base_images:
return None
stored_checksum = read_stored_checksum(base_file)
if stored_checksum:
f = open(base_file, 'r')
current_checksum = utils.hash_file(f)
f.close()
if current_checksum != stored_checksum:
LOG.error(
_('%(id)s (%(base_file)s): image verification '
'failed'), {
'id': img_id,
'base_file': base_file
})
return False
else:
return True
else:
LOG.info(
_('%(id)s (%(base_file)s): image verification skipped, '
'no hash stored'), {
'id': img_id,
'base_file': base_file
})
# NOTE(mikal): If the checksum file is missing, then we should
# create one. We don't create checksums when we download images
# from glance because that would delay VM startup.
if create_if_missing:
write_stored_checksum(base_file)
return None
def _verify_checksum(self, img, base_file):
"""Compare the checksum stored on disk with the current file.
Note that if the checksum fails to verify this is logged, but no actual
action occurs. This is something sysadmins should monitor for and
handle manually when it occurs.
"""
stored_checksum = read_stored_checksum(base_file)
if stored_checksum:
f = open(base_file, 'r')
current_checksum = utils.hash_file(f)
f.close()
if current_checksum != stored_checksum:
LOG.error(_('%(container_format)s-%(id)s '
'(%(base_file)s): '
'image verification failed'),
{'container_format': img['container_format'],
'id': img['id'],
'base_file': base_file})
return False
else:
return True
else:
LOG.debug(_('%(container_format)s-%(id)s (%(base_file)s): '
'image verification skipped, no hash stored'),
{'container_format': img['container_format'],
'id': img['id'],
'base_file': base_file})
# NOTE(mikal): If the checksum file is missing, then we should
# create one. We don't create checksums when we download images
# from glance because that would delay VM startup.
if FLAGS.checksum_base_images:
write_stored_checksum(base_file)
return None
def _make_base_file(self, checksum=True):
"""Make a base file for testing."""
with utils.tempdir() as tmpdir:
self.flags(instances_path=tmpdir)
self.flags(image_info_filename_pattern=('$instances_path/'
'%(image)s.sha1'))
fname = os.path.join(tmpdir, 'aaa')
base_file = open(fname, 'w')
base_file.write('data')
base_file.close()
base_file = open(fname, 'r')
if checksum:
checksum_file = open('%s.sha1' % fname, 'w')
checksum_file.write(utils.hash_file(base_file))
checksum_file.close()
base_file.close()
yield fname
def test_hash_file(self):
data = 'Mary had a little lamb, its fleece as white as snow'
flo = StringIO.StringIO(data)
h1 = utils.hash_file(flo)
h2 = hashlib.sha1(data).hexdigest()
self.assertEquals(h1, h2)
def write_stored_checksum(target):
"""Write a checksum to disk for a file in _base."""
with open(target, "r") as img_file:
checksum = utils.hash_file(img_file)
virtutils.write_stored_info(target, field="sha1", value=checksum)
def write_stored_checksum(target):
"""Write a checksum to disk for a file in _base."""
with open(target, 'r') as img_file:
checksum = utils.hash_file(img_file)
write_stored_info(target, field='sha1', value=checksum)
def write_stored_checksum(target):
"""Write a checksum to disk for a file in _base."""
with open(target, 'r') as img_file:
checksum = utils.hash_file(img_file)
write_stored_info(target, field='sha1', value=checksum)
def test_hash_file(self):
data = 'Mary had a little lamb, its fleece as white as snow'
flo = StringIO.StringIO(data)
h1 = utils.hash_file(flo)
h2 = hashlib.sha1(data).hexdigest()
self.assertEquals(h1, h2)
