On Wed, Mar 22, 2017 at 11:23 PM, Laurentiu Pancescu lpancescu@gmail.com wrote:
Hi there,
I've been looking at making it easier for Vagrant users to verify our images when adding them. The Vagrant documentation mentions that the checksum can be added to the box metadata[1], and that this is done automatically if you build the box on Atlas - indeed, the source code shows they are verifying a checksum from the downloaded metadata[2].
Unfortunately, Atlas does not seem to provide such a checksum for any of the boxes I checked - neither those hosted by them, like debian/jessie64, nor external ones like ours or Fedora's. The Bento boxes seemed to offer a checksum, but that's just their complete JSON metadata somehow ending up in the description field on Atlas (I assume that's an automatic step not doing what the Bento developers intended - I saw no message about verifying the checksum when adding bento/debian-8.7).
We already host the images on cloud.centos.org. We could also generate the needed JSON metadata (we only need one file for all centos/7 images, and one for centos/6), including the SHA256 checksums. We could also create two Apache aliases (e.g. cloud.centos.org/vagrant/7) to make life easier for our users - after an initial "vagrant box add https://cloud.centos.org/vagrant/7", which would prove the checksum automatically, they would also be notified when new images appear and be able to use "vagrant box update centos/7", just like they do now.
This would allow us to even move away from Atlas, if desired. We would finally be able to completely automate our Vagrant releases, instead of manually adding the releases to Atlas every month, and not even having embedded checksums. There was an Atlas CLI that proved not to work as expected: our 1701 and 1702 releases didn't end up on Atlas, we had to intervene. The big question is how we could communicate this to our users, not the technical side: I already tested this with a local webserver, serving the centos/7 JSON downloaded from Atlas, which I edited to add an SHA256 checksum - Vagrant automatically verified the checksum after the download was finished.
Any thoughts?
Laurențiu
[1] https://www.vagrantup.com/docs/boxes/format.html#box-metadata
[2] https://github.com/mitchellh/vagrant/blob/master/lib/vagrant/action/builtin/...
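The self-hosted metadata file proposed in the message above, sketched as an added example that is not part of the original thread or the CentOS tooling: it builds Vagrant box metadata with a SHA256 per provider and checks a downloaded box against it. The function names, the `example.org` base URL, the version number and the box file are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large box images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_metadata(name, releases, base_url):
    """releases maps version -> {provider: local .box path}; returns the metadata dict."""
    versions = []
    for version, boxes in releases.items():
        providers = [{"name": provider,
                      "url": f"{base_url}/{os.path.basename(path)}",
                      "checksum_type": "sha256",
                      "checksum": sha256_file(path)}
                     for provider, path in sorted(boxes.items())]
        versions.append({"version": version, "providers": providers})
    return {"name": name, "versions": versions}


def verify_box(metadata, version, provider, box_path):
    """True only if box_path matches the SHA256 published for version/provider."""
    for ver in metadata["versions"]:
        for prov in ver["providers"]:
            if (ver["version"], prov["name"]) != (version, provider):
                continue
            if prov.get("checksum_type") != "sha256" or "checksum" not in prov:
                return False  # entry without a checksum: nothing to verify against
            return hmac.compare_digest(prov["checksum"].lower(), sha256_file(box_path))
    return False  # unknown version or provider


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        box = os.path.join(tmp, "constructed-virtualbox.box")
        with open(box, "wb") as fh:
            fh.write(b"constructed stand-in for a box image")
        # Base URL and version number are placeholders, not real release values.
        meta = build_metadata("centos/7", {"0.0.1": {"virtualbox": box}},
                              "https://example.org/vagrant/images")
        print(json.dumps(meta, indent=2))
        print("verified:", verify_box(meta, "0.0.1", "virtualbox", box))
```

The checksum only protects against corruption or a swapped image if the metadata itself is fetched over HTTPS from a host the user trusts, since anyone who can rewrite the JSON can rewrite the hash with it.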
Hi Laurențiu
I think there is still some benefit to maintaining a presence on Atlas if possible, as it is where Vagrant users are likely to search for CentOS boxes first. But hosting the metadata on the CentOS infrastructure makes a lot of sense for the reasons you mentioned. I guess you could maybe leave a final release in Atlas pointing people to the new location when it's available.
By the way, from what I can understand from the commit history [1], it looks like the Bento metadata was added for a similar reason, to allow them to consider standing up their own metadata server in place of Atlas.