[CentOS-devel] Providing checksums for our Vagrant images

Thu Mar 23 08:32:14 UTC 2017
Michael Vermaes <mvermaes at gmail.com>

On Wed, Mar 22, 2017 at 11:23 PM, Laurentiu Pancescu
<lpancescu at gmail.com> wrote:
> Hi there,
>
> I've been looking at making it easier for Vagrant users to verify our images
> when adding them.  The Vagrant documentation mentions that the checksum can
> be added to the box metadata[1], and that this is done automatically if you
> build the box on Atlas - indeed, the source code shows they are verifying a
> checksum from the downloaded metadata[2].
>
> Unfortunately, Atlas does not seem to provide such a checksum for any of the
> boxes I checked - neither those hosted by them, like debian/jessie64, nor
> external ones like ours or Fedora's.  The Bento boxes seemed to offer a
> checksum, but that's just their complete JSON metadata somehow ending up in
> the description field on Atlas (I assume that's an automatic step not doing
> what the Bento developers intended - I saw no message about verifying the
> checksum when adding bento/debian-8.7).
>
> We already host the images on cloud.centos.org.  We could also generate the
> needed JSON metadata (we only need one file for all centos/7 images, and one
> for centos/6), including the SHA256 checksums.  We could also create two
> Apache aliases (e.g. cloud.centos.org/vagrant/7) to make life easier for our
> users - after an initial "vagrant box add
> https://cloud.centos.org/vagrant/7", which would prove the checksum
> automatically, they would also be notified when new images appear and be
> able to use "vagrant box update centos/7", just like they do now.
>
> This would allow us to even move away from Atlas, if desired.  We would
> finally be able to completely automate our Vagrant releases, instead of
> manually adding the releases to Atlas every month, and not even having
> embedded checksums.  There was an Atlas CLI that proved not to work as
> expected: our 1701 and 1702 releases didn't end up on Atlas, we had to
> intervene.  The big question is how we could communicate this to our users,
> not the technical side: I already tested this with a local webserver,
> serving the centos/7 JSON downloaded from Atlas, which I edited to add an
> SHA256 checksum - Vagrant automatically verified the checksum after the
> download was finished.
>
> Any thoughts?
>
> Laurențiu
>
>
> [1] https://www.vagrantup.com/docs/boxes/format.html#box-metadata
> [2] https://github.com/mitchellh/vagrant/blob/master/lib/vagrant/action/builtin/box_add.rb#L136-L145

Hi Laurențiu

I think there is still some benefit to maintaining a presence on Atlas
if possible, as it is where Vagrant users are likely to search for
CentOS boxes first. But hosting the metadata on the CentOS
infrastructure makes a lot of sense for the reasons you mentioned. I
guess you could maybe leave a final release in Atlas pointing people
to the new location when it's available.

By the way, from what I can understand from the commit history [1], it
looks like the Bento metadata was added for a similar reason, to allow
them to consider standing up their own metadata server in place of
Atlas.

[1] https://github.com/chef/bento/pull/387
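
An added example, not part of either message and not CentOS or Vagrant project code: a Ruby sketch of the self-hosted metadata discussed in this thread, generating one box metadata document with a SHA256 checksum per provider and then checking a downloaded file against it. The box file name, version string and base URL are constructed for illustration; the JSON keys follow the box metadata format referenced as [1] in the quoted message.

```ruby
require 'digest'
require 'json'
require 'tmpdir'

# Build Vagrant box metadata (name / versions / providers) with a SHA256
# checksum for each box file. `boxes` maps version => { provider => local path }.
# base_url is an assumed hosting layout, not a real CentOS URL.
def build_metadata(name, boxes, base_url)
  versions = boxes.map do |version, providers|
    entries = providers.map do |provider, path|
      { 'name' => provider,
        'url' => "#{base_url}/#{File.basename(path)}",
        'checksum_type' => 'sha256',
        'checksum' => Digest::SHA256.file(path).hexdigest }
    end
    { 'version' => version, 'providers' => entries }
  end
  { 'name' => name, 'versions' => versions }
end

# Client-side check of a downloaded file against the metadata.
# Returns :ok, :mismatch, or :no_checksum when the entry or its checksum is
# absent, so an unverifiable download is reported instead of passing silently.
def verify_box(metadata, version, provider, path)
  ver = metadata['versions'].find { |v| v['version'] == version }
  entry = ver && ver['providers'].find { |p| p['name'] == provider }
  return :no_checksum unless entry && entry['checksum'] && entry['checksum_type'] == 'sha256'
  actual = Digest::SHA256.file(path).hexdigest
  actual == entry['checksum'].strip.downcase ? :ok : :mismatch
end

# Demo on a constructed stand-in file (not a real box image).
def demo
  Dir.mktmpdir do |dir|
    box = File.join(dir, 'example-centos-7-0000_01.virtualbox.box')
    File.binwrite(box, 'constructed box contents')
    meta = build_metadata('centos/7', { '0000.01' => { 'virtualbox' => box } },
                          'https://boxes.example.org/centos/7')
    json = JSON.pretty_generate(meta)
    parsed = JSON.parse(json)
    good = verify_box(parsed, '0000.01', 'virtualbox', box)
    File.binwrite(box, 'tampered contents')            # simulate a modified download
    bad = verify_box(parsed, '0000.01', 'virtualbox', box)
    parsed['versions'][0]['providers'][0].delete('checksum')
    none = verify_box(parsed, '0000.01', 'virtualbox', box)
    [good, bad, none, json]
  end
end

puts demo.last if __FILE__ == $PROGRAM_NAME
```

The checksum only protects against corruption or tampering of the box file if the metadata itself is fetched over a trusted channel such as HTTPS, since anyone who can alter the JSON can alter the checksum with it.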