Simplify the nginx commands and verify the checksums after download #52
Conversation
| echo "{{ $keys.sha512sum.initramfs }}" >> /usr/share/nginx/html/checksums.txt; | ||
| wget -O /tmp/hook{{ $index }}.tar.gz {{ $keys.url }} | ||
| tar -zxvf /tmp/hook{{ $index }}.tar.gz | ||
| rm /tmp/hook{{ $index }}.tar.gz |
There was a problem hiding this comment.
I appreciate the old code does this, but if we remove the tarball the sha512sum --check call is redundant as it won't have anything to compute against the checksum in checksum.txt - am I missing something?
There was a problem hiding this comment.
That's the strange part about the logic. It's checking the checksum of the files inside the tarball, not the tarball itself.
I would only check the tarball itself, but that change would be a breaking change. Should I do it?
There was a problem hiding this comment.
Thanks for clarifying.
@jacobweinstock What was the rational for this? Would you be opposed to simplifying to checking the tarball checksum? I'm in favor.
@rgl what breakages are you foreseeing? I don't think it'll be a breaking change given its the same tarball and fundamental mechanism, just a simpler implementation.
There was a problem hiding this comment.
@chrisdoherty4 this would break:
As it needs to be changed into:
downloads:
- url: https://github.com/tinkerbell/hook/releases/download/v0.8.0/hook_x86_64.tar.gz
sha512sum: <hook_x86_64.tar.gz sha512 checksum would go here>
- url: https://github.com/tinkerbell/hook/releases/download/v0.8.0/hook_aarch64.tar.gz
sha512sum: <hook_aarch64.tar.gz sha512 checksum would go here>PS: tinkering out loud, maybe we should even get rid of all of this, and make boots reference an oci oras image artifact, which would allow a machine to directly boot from an image registry like zot.
There was a problem hiding this comment.
I'm good with this breaking change. Just checksum the tarballs. 👍🏼
There was a problem hiding this comment.
Thanks for clarifying @rgl. We aren't worried, for now, about that kind of breakage.
Signed-off-by: Rui Lopes <rgl@ruilopes.com>
Signed-off-by: Rui Lopes <rgl@ruilopes.com>
Signed-off-by: Rui Lopes <rgl@ruilopes.com>
Description
Simplify the nginx commands and verify the checksums after download.
Why is this needed
Simplifies the code.
How Has This Been Tested?
Tested by launching the k8s stack in https://github.com/rgl/tinkerbell-k8s-vagrant
How are existing users impacted? What migration steps/scripts do we need?
None.
Checklist:
I have: