[ironic][ops] Breaking change coming in the Victoria development cycle
Greetings everyone, One of the items the ironic team has been focused on is improving security of remote/edge deployments where machines may be deployed on networks where an un-trusted actor could also be present. Our answer to this has been the concept of utilizing a temporary token[0] for the deployment, which we use to validate the agent heartbeat operations, and commands sent back to the agent ramdisk from the conductor. While not a complete solution to all possible attack vectors, it is a step forward and we will be taking more steps during the next cycle. For the Ussuri release, this functionality is always enabled, but is not explicitly required[1]. Deployments, with older ramdisks who choose to require this capability, must update their deployment/rescue/cleaning ramdisks to a version with a newer ironic-python-agent version from Ussuri development cycle. In Victoria, the ironic team will change the default for requirement of agent tokens such that they are required by default. Pre-Ussuri agent ramdisks will no longer work and will need to be updated. Please let us know if you have any questions or concerns. -Julia [0]: https://docs.openstack.org/ironic/latest/admin/agent-token.html [1]: https://docs.openstack.org/ironic/latest/admin/agent-token.html#how-it-works
woot woot Security !!! On Mon, Mar 30, 2020 at 5:27 PM Julia Kreger <juliaashleykreger@gmail.com> wrote:
Greetings everyone,
One of the items the ironic team has been focused on is improving security of remote/edge deployments where machines may be deployed on networks where an un-trusted actor could also be present.
Our answer to this has been the concept of utilizing a temporary token[0] for the deployment, which we use to validate the agent heartbeat operations, and commands sent back to the agent ramdisk from the conductor. While not a complete solution to all possible attack vectors, it is a step forward and we will be taking more steps during the next cycle.
For the Ussuri release, this functionality is always enabled, but is not explicitly required[1]. Deployments, with older ramdisks who choose to require this capability, must update their deployment/rescue/cleaning ramdisks to a version with a newer ironic-python-agent version from Ussuri development cycle.
In Victoria, the ironic team will change the default for requirement of agent tokens such that they are required by default. Pre-Ussuri agent ramdisks will no longer work and will need to be updated.
Please let us know if you have any questions or concerns.
-Julia
[0]: https://docs.openstack.org/ironic/latest/admin/agent-token.html [1]: https://docs.openstack.org/ironic/latest/admin/agent-token.html#how-it-works
-- ~/DonnyD C: 805 814 6800 "No mission too difficult. No sacrifice too great. Duty First"
participants (2)
-
Donny Davis
-
Julia Kreger