Hi there,
Emmanuel Kasper of the Debian Cloud Team contacted me about two days ago: they discovered that Vagrant simply ignores any --checksum parameter when adding the box. You can even provide "1234" instead of a valid SHA256 sum, and Vagrant will just add the downloaded box, without any warning or error whatsoever:
vagrant box add --checksum-type sha256 --checksum 1234 --provider libvirt --box-version 1710.01 centos/7
==> box: Loading metadata for box 'centos/7' box: URL: https://atlas.hashicorp.com/centos/7 ==> box: Adding box 'centos/7' (v1710.01) for provider: libvirt box: Downloading: https://vagrantcloud.com/centos/boxes/7/versions/1710.01/providers/libvirt.b... ==> box: Successfully added box 'centos/7' (v1710.01) for 'libvirt'!
echo $? 0
Our signatures are basically useless for most users: Vagrant will only check the signature if one is included in the metadata (which is not the one in the box we host, but generated by Vagrant Cloud, formerly known as Atlas - there's simply no way to get Hashicorp's servers to include the checksum, not even for the boxes they host themselves). The --checksum argument is honored if you add a raw box, but I doubt our users would be willing to do that, even if they knew about it:
$ vagrant box add --checksum-type sha256 --checksum 1234 --name c7tmp https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagr... ==> box: Box file was not detected as metadata. Adding it directly... ==> box: Adding box 'c7tmp' (v0) for provider: box: Downloading: https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagr... box: Calculating and comparing box checksum... The checksum of the downloaded box did not match the expected value. Please verify that you have the proper URL setup and that you're downloading the proper file.
Expected: 1234 Received: 9d1ddb812de88578326538d69fdd5f59ba68adf04862144300c42d0293f61d2f $ echo $? 1
Another possibility would be to also host the metadata ourselves, along with the raw boxes, on cloud.centos.org. Endymion can already generate the needed metadata, and I already verified that Vagrant works properly with it, even detecting newer versions of the boxes for updates. The problem of convincing our users to use a cloud.c.o URL instead of Atlas still remains.
I guess I'll have to replace the section in our future release announcements about verifying the images downloaded from Atlas with some sort of warning. Any other ideas of what we could do? Vagrant's behavior is described in its documentation, so I assume it's by design.
How about adding the missing Vagrant functionality as distro patches, if upstream doesn't want to?
Regards, Laurențiu
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878759 https://github.com/lpancescu/endymion
On Sat, Nov 11, 2017 at 1:35 PM, Laurentiu Pancescu < lpancescu@centosproject.org> wrote:
Hi there,
Emmanuel Kasper of the Debian Cloud Team contacted me about two days ago: they discovered that Vagrant simply ignores any --checksum parameter when adding the box. You can even provide "1234" instead of a valid SHA256 sum, and Vagrant will just add the downloaded box, without any warning or error whatsoever:
is this an open bug against vagrant? By reading https://github.com/hashicorp/vagrant/issues/8714#issuecomment-311240889 it seems that vagrant people are providing checksum verification
"When the author of the ubuntu box created the entry in atlas, they provided a remote link for the download instead of storing the box within atlas. This is why Vagrant redirects to an HTTP connection, because it was instructed to do so. Vagrant will also checksum the box if the information is provided within the boxes metadata. If the owner does not provide that data, Vagrant will not perform the checksum."
Cheers
Marcin
vagrant box add --checksum-type sha256 --checksum 1234 --provider libvirt --box-version 1710.01 centos/7
==> box: Loading metadata for box 'centos/7' box: URL: https://atlas.hashicorp.com/centos/7 ==> box: Adding box 'centos/7' (v1710.01) for provider: libvirt box: Downloading: https://vagrantcloud.com/centos/boxes/7/versions/1710.01/ providers/libvirt.box ==> box: Successfully added box 'centos/7' (v1710.01) for 'libvirt'!
echo $? 0
Our signatures are basically useless for most users: Vagrant will only check the signature if one is included in the metadata (which is not the one in the box we host, but generated by Vagrant Cloud, formerly known as Atlas - there's simply no way to get Hashicorp's servers to include the checksum, not even for the boxes they host themselves). The --checksum argument is honored if you add a raw box, but I doubt our users would be willing to do that, even if they knew about it:
$ vagrant box add --checksum-type sha256 --checksum 1234 --name c7tmp https://cloud.centos.org/centos/7/vagrant/x86_64/images/ CentOS-7-x86_64-Vagrant-1710_01.Libvirt.box ==> box: Box file was not detected as metadata. Adding it directly... ==> box: Adding box 'c7tmp' (v0) for provider: box: Downloading: https://cloud.centos.org/cento s/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1710_01.Libvirt.box box: Calculating and comparing box checksum... The checksum of the downloaded box did not match the expected value. Please verify that you have the proper URL setup and that you're downloading the proper file.
Expected: 1234 Received: 9d1ddb812de88578326538d69fdd5f59ba68adf04862144300c42d0293f61d2f $ echo $? 1
Another possibility would be to also host the metadata ourselves, along with the raw boxes, on cloud.centos.org. Endymion can already generate the needed metadata, and I already verified that Vagrant works properly with it, even detecting newer versions of the boxes for updates. The problem of convincing our users to use a cloud.c.o URL instead of Atlas still remains.
I guess I'll have to replace the section in our future release announcements about verifying the images downloaded from Atlas with some sort of warning. Any other ideas of what we could do? Vagrant's behavior is described in its documentation, so I assume it's by design.
How about adding the missing Vagrant functionality as distro patches, if upstream doesn't want to?
Regards, Laurențiu
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878759 https://github.com/lpancescu/endymion _______________________________________________ CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
On 11/11/17 16:42, Marcin Dulak wrote:
is this an open bug against vagrant? By reading https://github.com/hashicorp/vagrant/issues/8714#issuecomment-311240889 it seems that vagrant people are providing checksum verification
It is rather a missing feature of Atlas (the Vagrant check exists and works correctly if you are pointing "vagrant add" to a JSON file on your own web server, like the JSON files Endymion is generating - I tested that extensively back then). The Atlas web interface only allows you to specify a description for the box, and, for each version, release notes and download links for each provider. Atlas generates a JSON file based on that information - there's no way to specify a checksum anywhere (including the checksum in the metadata.json inside the .box file doesn't work). The Atlas API won't let you specify checksums either, just a name and url:
https://www.vagrantup.com/docs/vagrant-cloud/api.html#providers
Not even the newest release of Hashicorp's own Vagrant images provide the necessary checksums:
$ curl https://app.vagrantup.com/hashicorp/boxes/ubuntu-10.04-i386 | python3 -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 330 0 330 0 0 330 0 --:--:-- 0:00:01 --:--:-- 238 { "description": "", "short_description": "", "name": "hashicorp/ubuntu-10.04-i386", "versions": [ { "version": "0.1.0", "status": "active", "description_html": null, "description_markdown": "", "providers": [ { "name": "vmware_desktop", "url": "https://vagrantcloud.com/hashicorp/boxes/ubuntu-10.04-i386/versions/0.1.0/pr..." } ] } ] }
On Sat, Nov 11, 2017 at 6:25 PM, Laurentiu Pancescu < lpancescu@centosproject.org> wrote:
On 11/11/17 16:42, Marcin Dulak wrote:
is this an open bug against vagrant? By reading https://github.com/hashicorp/vagrant/issues/8714#issuecomment-311240889 it seems that vagrant people are providing checksum verification
It is rather a missing feature of Atlas (the Vagrant check exists and works correctly if you are pointing "vagrant add" to a JSON file on your own web server, like the JSON files Endymion is generating - I tested that extensively back then). The Atlas web interface only allows you to specify a description for the box, and, for each version, release notes and download links for each provider. Atlas generates a JSON file based on that information - there's no way to specify a checksum anywhere (including the checksum in the metadata.json inside the .box file doesn't work). The Atlas API won't let you specify checksums either, just a name and url:
https://www.vagrantup.com/docs/vagrant-cloud/api.html#providers
Not even the newest release of Hashicorp's own Vagrant images provide the necessary checksums:
Actually this is already reported to vagrant https://groups.google.com/forum/#!topic/vagrant-up/V0E4PAajM-g by the debian developers.
Marcin
$ curl https://app.vagrantup.com/hashicorp/boxes/ubuntu-10.04-i386 | python3 -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 330 0 330 0 0 330 0 --:--:-- 0:00:01 --:--:-- 238 { "description": "", "short_description": "", "name": "hashicorp/ubuntu-10.04-i386", "versions": [ { "version": "0.1.0", "status": "active", "description_html": null, "description_markdown": "", "providers": [ { "name": "vmware_desktop", "url": "https://vagrantcloud.com/hash icorp/boxes/ubuntu-10.04-i386/versions/0.1.0/providers/vmware_desktop.box" } ] } ]
} _______________________________________________ CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
-
Laurentiu Pancescu -
Marcin Dulak