[ironic][ops] Breaking change coming in the Victoria development cycle

Julia Kreger juliaashleykreger at gmail.com
Mon Mar 30 21:23:28 UTC 2020


Greetings everyone,

One of the items the ironic team has been focused on is improving the
security of remote/edge deployments where machines may be deployed on
networks where an untrusted actor could also be present.

Our answer to this has been the concept of utilizing a temporary
token[0] for the deployment, which we use to validate the agent
heartbeat operations, and commands sent back to the agent ramdisk from
the conductor. While not a complete solution to all possible attack
vectors, it is a step forward and we will be taking more steps during
the next cycle.

For the Ussuri release, this functionality is always enabled, but is
not explicitly required[1]. Deployments with older ramdisks that choose
to require this capability must update their deployment/rescue/cleaning
ramdisks to a version with a newer ironic-python-agent from the Ussuri
development cycle.

In Victoria, the ironic team will change the default for requirement
of agent tokens such that they are required by default. Pre-Ussuri
agent ramdisks will no longer work and will need to be updated.
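The following is an added illustrative model of the behaviour described above (not ironic's own code): a per-deployment token is issued to the agent, heartbeats are validated against it, and the `require_agent_token` default decides whether a token-less (pre-Ussuri) ramdisk is still accepted. The class and function names are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    """Minimal stand-in for a bare-metal node record (constructed for the example)."""
    uuid: str
    agent_secret_token: Optional[str] = None  # set once per deployment, cleared afterwards


class Conductor:
    """Toy conductor-side token handling; mirrors the concept, not ironic's implementation."""

    def __init__(self, require_agent_token: bool):
        # Ussuri: tokens are always issued but not required by default.
        # Victoria (per the announcement): required by default.
        self.require_agent_token = require_agent_token

    def issue_token(self, node: Node) -> str:
        # One fresh random token per deployment; re-issuing during the same
        # deployment returns the existing token rather than rotating it.
        if node.agent_secret_token is None:
            node.agent_secret_token = secrets.token_urlsafe(32)
        return node.agent_secret_token

    def validate_heartbeat(self, node: Node, presented: Optional[str]) -> bool:
        # Pre-Ussuri ramdisks send no token at all. Whether that is tolerated
        # is exactly what the Victoria default change flips.
        if presented is None:
            return not self.require_agent_token
        if node.agent_secret_token is None:
            return False  # no deployment in progress, nothing to match against
        # Constant-time comparison so an on-path actor cannot time-guess the value.
        return hmac.compare_digest(node.agent_secret_token, presented)

    def finish_deployment(self, node: Node) -> None:
        # The token is temporary: it is discarded once the deployment ends,
        # so a captured value cannot be replayed against a later deployment.
        node.agent_secret_token = None
```

The same `Node` can be driven through both a `Conductor(require_agent_token=False)` (Ussuri default) and a `Conductor(require_agent_token=True)` (Victoria default) to see that only the latter rejects a token-less heartbeat.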

Please let us know if you have any questions or concerns.

-Julia

[0]: https://docs.openstack.org/ironic/latest/admin/agent-token.html
[1]: https://docs.openstack.org/ironic/latest/admin/agent-token.html#how-it-works
