[SOLVED] Image fingerprint doesn't match

I’m trying to use the Ansible module “lxd_container” to create a new container and got this weird error:

failed: [localhost] (item=c1) => {
    "actions": [],
    "changed": false,
    "invocation": {
        "module_args": {
            "architecture": null,
            "cert_file": "/home/user/snap/lxd/current/.config/lxc/client.crt",
            "config": null,
            "description": null,
            "devices": null,
            "ephemeral": null,
            "force_stop": false,
            "key_file": "/home/user/snap/lxd/current/.config/lxc/client.key",
            "name": "c1",
            "profiles": null,
            "source": {
                "alias": "centos/7/amd64",
                "architecture": "x86_64",
                "devices": null,
                "eth0": {
                    "ipv4.address": "10.204.58.111",
                    "nictype": "bridged",
                    "parent": "lxdbr0",
                    "type": "nic"
                },
                "mode": "pull",
                "server": "https://images.linuxcontainers.org",
                "type": "image"
            },
            "state": "started",
            "timeout": 30,
            "trust_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "url": "https://192.168.56.102:8443",
            "wait_for_ipv4_addresses": false
        }
    },
    "item": "c1",
    "msg": "Image fingerprint doesn't match. Got 8d894551208470ab85c3d555638ea988dc095b448a1f0f31f38541b76d3eba2d expected 5bc303a2b8afdaa8d97c1c66df63c90e74c7d91983377ea0129268c9ceda5f65"
}

lxc version
Client version: 3.10
Server version: 3.10

A few weeks back it worked as expected, with various images and without any errors.

Where does the second fingerprint come from?
Any help would be greatly appreciated.

The first fingerprint/hash is taken from the site, and the second is calculated after downloading the image.
Did I understand it correctly?

Yeah, that usually indicates that the downloaded image got corrupted in transit.
Do you have a proxy server or something similar in your environment?
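
How a fingerprint mismatch like the one above is detected, as an added example that is not part of the original thread and is not LXD's or Ansible's own code. It assumes the fingerprint is the SHA-256 of the image file (for a split image, of the metadata tarball followed by the rootfs); the file names and contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def image_fingerprint(paths, chunk_size=1 << 20):
    """SHA-256 over the files in order: one unified tarball, or [metadata, rootfs]."""
    digest = hashlib.sha256()
    for path in paths:
        with open(path, "rb") as fh:
            # Stream in chunks so multi-hundred-MB images are never held in memory.
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    return digest.hexdigest()


def verify_image(paths, expected):
    """Return (ok, message); the failure message mirrors the error in the thread."""
    expected = expected.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False, "Expected fingerprint is not a full SHA-256 hex digest"
    got = image_fingerprint(paths)
    if hmac.compare_digest(got, expected):
        return True, "Image fingerprint matches: " + got
    return False, "Image fingerprint doesn't match. Got %s expected %s" % (got, expected)


def demo():
    """Constructed sample: a split image, then the same image truncated on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        meta = os.path.join(tmp, "meta.tar.xz")        # hypothetical file names
        rootfs = os.path.join(tmp, "rootfs.squashfs")
        with open(meta, "wb") as fh:
            fh.write(b"constructed-metadata" * 1000)
        with open(rootfs, "wb") as fh:
            fh.write(b"constructed-rootfs" * 5000)
        published = image_fingerprint([meta, rootfs])  # stands in for the server's value
        intact = verify_image([meta, rootfs], published)
        with open(rootfs, "r+b") as fh:                # simulate a damaged download
            fh.truncate(1024)
        damaged = verify_image([meta, rootfs], published)
        return published, intact, damaged


if __name__ == "__main__":
    for result in demo()[1:]:
        print(result)
```
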

Confirmed the issue, it’s a problem with the legacy image server, I’m looking into it.

I don’t know much about Ansible but either there should be a way for you to use the simplestreams protocol to fetch images or the Ansible integration should switch over to it internally. Here it’s using the native LXD protocol to grab those images from our image server and that backend isn’t what we recommend anymore (nor what our normal CLI tool uses).

Fixed the image server, it will take an hour or so to mirror to our frontends.

Ansible is able to use lxd or simplestreams protocol, thanks for the tip.

It works. Issue is fixed, thanks a lot.

May I report this for Oracle Linux 7 as well…
I got this when I tried to create a container with this image:

{"actions": [], "changed": false, "msg": "Image fingerprint doesn't match. Got 6405be27af68e8b693f62d3db311361ef63c9ed810d22fa5da6e8a6b0635e715 expected bed973a496083774ea2d2619c196f90c316fd47f6ea66e4ca6ff252920962487"}
to retry, use: --limit @/home/ubntcfg/lxdsetup-fe/containers.retry

You can try switching to the simplestreams protocol (by default Ansible uses lxd)

Something like this:

  lxd_container:
    name: "c1"
    state: started
    source:
      type: image
      mode: pull
      server: https://images.linuxcontainers.org
      protocol: "simplestreams"
      alias: "oracle/7/amd64"
      architecture: "x86_64"