[CentOS-devel] Providing checksums for our Vagrant images

Wed Mar 22 15:23:32 UTC 2017
Laurentiu Pancescu <lpancescu at gmail.com>

Hi there,

I've been looking at making it easier for Vagrant users to verify our 
images when adding them.  The Vagrant documentation mentions that the 
checksum can be added to the box metadata[1], and that this is done 
automatically if you build the box on Atlas - indeed, the source code 
shows they are verifying a checksum from the downloaded metadata[2].

Unfortunately, Atlas does not seem to provide such a checksum for any of 
the boxes I checked - neither those hosted by them, like 
debian/jessie64, nor external ones like ours or Fedora's.  The Bento 
boxes seemed to offer a checksum, but that's just their complete JSON 
metadata somehow ending up in the description field on Atlas (I assume 
that's an automatic step not doing what the Bento developers intended - 
I saw no message about verifying the checksum when adding bento/debian-8.7).

We already host the images on cloud.centos.org.  We could also generate 
the needed JSON metadata (we only need one file for all centos/7 images, 
and one for centos/6), including the SHA256 checksums.  We could also 
create two Apache aliases (e.g. cloud.centos.org/vagrant/7) to make life 
easier for our users - after an initial "vagrant box add 
https://cloud.centos.org/vagrant/7", which would prove the checksum 
automatically, they would also be notified when new images appear and be 
able to use "vagrant box update centos/7", just like they do now.

This would allow us to even move away from Atlas, if desired.  We would 
finally be able to completely automate our Vagrant releases, instead of 
manually adding the releases to Atlas every month, and not even having 
embedded checksums.  There was an Atlas CLI that proved not to work as 
expected: our 1701 and 1702 releases didn't end up on Atlas, we had to 
intervene.  The big question is how we could communicate this to our 
users, not the technical side: I already tested this with a local 
webserver, serving the centos/7 JSON downloaded from Atlas, which I 
edited to add an SHA256 checksum - Vagrant automatically verified the 
checksum after the download was finished.

Any thoughts?

Laurențiu


[1] https://www.vagrantup.com/docs/boxes/format.html#box-metadata
[2] 
https://github.com/mitchellh/vagrant/blob/master/lib/vagrant/action/builtin/box_add.rb#L136-L145
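As an added illustration of the metadata described above (this is not code from the post's author or the CentOS project), the script below builds a Vagrant box metadata document of the kind that would be served from cloud.centos.org, embedding a SHA256 digest per provider, and then repeats client-side the check Vagrant performs against `checksum_type`/`checksum` from the linked format docs. The box name, base URL, version string, file names and file contents are constructed placeholders, and `verify_download` is my own reimplementation of the check, not Vagrant's code.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-hundred-MB .box files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_box_metadata(name, base_url, releases):
    """Build the JSON document consumed by `vagrant box add <url-of-this-json>`.

    releases: iterable of (version, provider, local_box_path).  Each provider
    entry carries 'checksum_type' and 'checksum', the fields Vagrant reads to
    verify the download (field names per the Vagrant box-format docs).
    """
    by_version = {}
    for version, provider, path in releases:
        entry = by_version.setdefault(version, {"version": version, "providers": []})
        entry["providers"].append({
            "name": provider,
            "url": f"{base_url}/{os.path.basename(path)}",
            "checksum_type": "sha256",
            "checksum": sha256_of_file(path),
        })
    return {"name": name, "versions": list(by_version.values())}


def verify_download(metadata, version, provider, downloaded_path):
    """Mirror the client-side check: compare the downloaded file's digest with
    the published one.  Returns True only if a sha256 checksum is published for
    this version/provider and it matches; a missing checksum is a failure, not
    a pass, so an unverifiable box is never silently accepted."""
    for v in metadata["versions"]:
        if v["version"] != version:
            continue
        for p in v["providers"]:
            if p["name"] != provider:
                continue
            if p.get("checksum_type") != "sha256" or "checksum" not in p:
                return False
            return hmac.compare_digest(sha256_of_file(downloaded_path), p["checksum"])
    return False


def demo():
    """Constructed end-to-end run: publish metadata, verify, tamper, verify again.

    Returns (metadata, verified_before_tamper, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        # Placeholder .box file; a real one is a tarball with the disk image.
        box_path = os.path.join(d, "example-centos-7-virtualbox.box")
        with open(box_path, "wb") as f:
            f.write(b"constructed placeholder box contents\n")

        # "1701.01" is a placeholder version string for this example.
        metadata = build_box_metadata(
            "centos/7", "https://cloud.centos.org/vagrant/7",
            [("1701.01", "virtualbox", box_path)],
        )
        ok = verify_download(metadata, "1701.01", "virtualbox", box_path)

        # Simulate a corrupted or substituted download: any byte change must fail.
        with open(box_path, "ab") as f:
            f.write(b"tampered")
        bad = verify_download(metadata, "1701.01", "virtualbox", box_path)
        return metadata, ok, bad


if __name__ == "__main__":
    meta, ok, bad = demo()
    print(json.dumps(meta, indent=2))
    print("verified:", ok, "| after tampering:", bad)
```

Serving this JSON at a stable URL such as https://cloud.centos.org/vagrant/7 is what lets `vagrant box add` and `vagrant box update` pick up new versions and check them; the metadata itself should be fetched over HTTPS, since the checksum only protects the box download, not the document that carries it.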