[release-announce] ironic 17.0.3 (wallaby)
no-reply at openstack.org
Wed Jun 23 16:25:13 UTC 2021
We eagerly announce the release of:
ironic 17.0.3: OpenStack Bare Metal Provisioning
This release is part of the wallaby stable release series.
The source is available from:
https://opendev.org/openstack/ironic
Download the package from:
https://tarballs.openstack.org/ironic/
Please report issues through:
https://storyboard.openstack.org/#!/project/943
For more details, please see below.
17.0.3
^^^^^^
Security Issues
***************
* Fixes an issue with the "/v1/nodes/detail" endpoint where an
authenticated user could explicitly ask for an "instance_uuid"
lookup and the associated node would be returned to the user with
sensitive fields redacted in the result payload if the user did not
explicitly have "owner" or "lessee" permissions over the node. This
is considered a low-impact low-risk issue as it requires the API
consumer to already know the UUID value of the associated instance,
and the returned information is mainly metadata in nature. More
information can be found in Storyboard story 2008976
(https://storyboard.openstack.org/#!/story/2008976).
Bug Fixes
*********
* If the agent accepts a command, but is unable to reply to Ironic
(which sporadically happens because of the eventlet's TLS
implementation), we currently retry the request and fail because the
command is already executing. Ironic now detects this situation by
checking the list of executing commands after receiving a connection
error. If the requested command is the last one, we assume that the
command request succeeded.
* When local boot is used (e.g. by default), the instance image
validation now happens only in the deploy interface, not in the boot
interface (as before). This means that the boot interface validation
will now pass in many cases where it would previously fail.
* Fixes an issue with the "/v1/nodes/detail" endpoint where requests
for an explicit "instance_uuid" match would not follow the standard
query handling path and thus not be filtered based on policy
determined access level and node level "owner" or "lessee" fields
appropriately. Additional information can be found in story 2008976
(https://storyboard.openstack.org/#!/story/2008976).
* No longer masks configdrive when sending the node's record to
in-band deploy steps.
* Fixes handling of single-value (non-key-value) parameters in the
"[inspector]extra_kernel_params" configuration options.
* The behavior when a bootable iso ramdisk is provided behind an
http server is to download and serve the image from the conductor;
the image is removed only when the node is undeployed. In certain
cases, for example on large deployments, this could cause undesired
behaviors, like the conductor nodes running out of disk storage. To
avoid this event we provide an option
"[deploy]ramdisk_image_download_source" to be able to tell the
ramdisk interface to directly use the bootable iso url from its
original source instead of downloading it and serving it from the
conductor node. The default behavior is unchanged.
* Fixes sub-optimal Ironic API performance where Secure RBAC related
field level policy checks were executing without first checking if
there were field results. This helps improve API performance when
only specific columns have been requested by the API consumer.
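The "/v1/nodes/detail" fix described under Security Issues and again in the bug fix above comes down to one code path skipping the access filter. The following is an added example, not Ironic's code: a simplified model of the request handling before and after, where the Node class, the sample inventory, the project names and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Node:
    uuid: str
    owner: Optional[str]
    lessee: Optional[str]
    instance_uuid: Optional[str]
    driver_info: str  # stands in for the sensitive fields

# Constructed inventory; every value is made up for this example.
NODES = [
    Node("node-a", "project-1", None, "inst-1", "bmc-secret-a"),
    Node("node-b", "project-2", "project-3", "inst-2", "bmc-secret-b"),
]

def has_access(node, project, is_admin=False):
    """Stand-in for the policy check on the node's owner/lessee fields."""
    return is_admin or (project is not None
                        and project in (node.owner, node.lessee))

def render(node, project, is_admin=False):
    """Sensitive fields are shown only to callers with access to the node."""
    secret = node.driver_info if has_access(node, project, is_admin) else "******"
    return {"uuid": node.uuid, "instance_uuid": node.instance_uuid,
            "driver_info": secret}

def detail_before(project, instance_uuid=None, is_admin=False):
    """Pre-fix shape: the instance_uuid lookup bypasses the access filter."""
    if instance_uuid is not None:
        hits = [n for n in NODES if n.instance_uuid == instance_uuid]
    else:
        hits = [n for n in NODES if has_access(n, project, is_admin)]
    return [render(n, project, is_admin) for n in hits]

def detail_after(project, instance_uuid=None, is_admin=False):
    """Post-fix shape: instance_uuid is one more filter on the standard path."""
    hits = [n for n in NODES if has_access(n, project, is_admin)]
    if instance_uuid is not None:
        hits = [n for n in hits if n.instance_uuid == instance_uuid]
    return [render(n, project, is_admin) for n in hits]

def exposes_foreign_node(handler, project, instance_uuid):
    """Regression check: True if a node outside the caller's access is returned."""
    by_uuid = {n.uuid: n for n in NODES}
    return any(not has_access(by_uuid[r["uuid"]], project)
               for r in handler(project, instance_uuid=instance_uuid))
```

A check in the style of exposes_foreign_node, run as a non-owner project against each list filter an API accepts, catches any filter that takes its own lookup path.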
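The agent command fix in the first bug fix above, as an added example that is not Ironic's code: a blind retry beside a retry that checks the list of executing commands after a connection error. FakeAgent, the exception classes, the function names and the command name used with them are assumptions, and the command list lookup is assumed to succeed.

```python
class ConnectionLost(Exception):
    """Transport failure: the caller cannot tell if the request arrived."""

class AgentBusy(Exception):
    """The agent refuses a command while another one is executing."""

class FakeAgent:
    """Constructed stand-in for the deploy agent, not the real agent API."""
    def __init__(self, drop_requests=0, drop_replies=0):
        self.commands = []
        self.drop_requests = drop_requests  # failures before acceptance
        self.drop_replies = drop_replies    # failures after acceptance

    def execute(self, name):
        if self.drop_requests > 0:
            self.drop_requests -= 1
            raise ConnectionLost("request never reached the agent")
        if any(c["status"] == "RUNNING" for c in self.commands):
            raise AgentBusy(name)
        self.commands.append({"name": name, "status": "RUNNING"})
        if self.drop_replies > 0:
            self.drop_replies -= 1
            raise ConnectionLost("reply lost after the command started")
        return self.commands[-1]

    def list_commands(self):
        return list(self.commands)

def run_naive(agent, name, attempts=3):
    """Old behaviour: blind retry, which hits AgentBusy if the first try landed."""
    for _ in range(attempts):
        try:
            return agent.execute(name)
        except ConnectionLost:
            continue
    raise ConnectionLost("gave up")

def run_checked(agent, name, attempts=3):
    """New behaviour: after a connection error, inspect the command list."""
    for _ in range(attempts):
        try:
            return agent.execute(name)
        except ConnectionLost:
            commands = agent.list_commands()
            if commands and commands[-1]["name"] == name:
                return commands[-1]  # accepted; only the reply was lost
    raise ConnectionLost("gave up")
```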
Changes in ironic 17.0.2..17.0.3
--------------------------------
adc4f7657 Fix node detail instance_uuid request handling
566cff59a Handle non-key-value params in [inspector]extra_kernel_params
05c838073 dhcp-less: mention how to provide network_data to instance
f99d68707 Refactor iDRAC OEM extension manager calls
fc8e1652b Improve agent_client logging
d3f62f83e Set download stable branch for IPA
f9eb7abe8 Secure RBAC - Efficent node santiziation
c7af96938 Update project conundrum related docs
0500fe107 Avoid unnecessary validation in boot interfaces
77be4c6c6 Delete unavailable py2 package
fce4cc11b Fix deployment when executing a command fails after the command starts
659eef72e Provide an option to not cache bootable iso ramdisks
78e10ce59 Update refarch with information about image_download_source
7b723bcce Do not mask configdrive when executing in-band deploy steps
fe2377855 Inherit InvalidImageRef from InvalidParameterValue
Diffstat (except docs and test files)
-------------------------------------
devstack/lib/ironic | 2 +-
.../include/configure-ironic-api-mod_wsgi.inc | 10 +-
.../install/include/configure-ironic-api.inc | 2 +-
ironic/api/controllers/v1/node.py | 143 ++++++++--------
ironic/common/exception.py | 2 +-
ironic/common/pxe_utils.py | 5 +-
ironic/common/utils.py | 16 ++
ironic/conf/deploy.py | 16 ++
ironic/db/sqlalchemy/api.py | 2 +-
ironic/drivers/modules/agent_client.py | 121 +++++++++++---
ironic/drivers/modules/drac/boot.py | 67 +-------
ironic/drivers/modules/drac/inspect.py | 46 +----
ironic/drivers/modules/drac/management.py | 185 ++++-----------------
ironic/drivers/modules/drac/raid.py | 43 +----
ironic/drivers/modules/drac/utils.py | 121 ++++++++++++++
ironic/drivers/modules/image_utils.py | 14 +-
ironic/drivers/modules/inspector.py | 6 +-
ironic/drivers/modules/pxe_base.py | 14 +-
ironic/drivers/modules/redfish/boot.py | 11 +-
ironic/objects/node.py | 10 +-
.../unit/drivers/modules/drac/test_inspect.py | 27 ---
.../unit/drivers/modules/drac/test_management.py | 124 ++------------
.../unit/drivers/modules/redfish/test_boot.py | 74 ++-------
.../unit/drivers/modules/test_agent_client.py | 117 +++++++++++++
.../notes/agent-last-command-4ec6967c995ba84a.yaml | 9 +
.../notes/boot-validate-6b4b6b40c8e27273.yaml | 7 +
...ed-instance-info-behavior-1375914a30621eca.yaml | 20 +++
.../deploy-step-configdrive-86ea2bb267211b88.yaml | 5 +
.../inspector-kernel-params-6db82c633d7361e2.yaml | 5 +
...ion-no-cache-http-ramdisk-62fc29cdd1d5b152.yaml | 14 ++
...-sanitization-performance-dc7886952144bb04.yaml | 7 +
54 files changed, 1037 insertions(+), 858 deletions(-)