We jubilantly announce the release of:

ironic-python-agent 9.14.0

This release is part of the dalmatian release series.

The source is available from:

    https://opendev.org/openstack/ironic-python-agent

Download the package from:

    https://tarballs.openstack.org/ironic-python-agent/

Please report issues through:

    https://bugs.launchpad.net/ironic-python-agent/+bugs

For more details, please see below.

9.14.0
^^^^^^

Upgrade Notes
*************

* Deployers implementing their own "HardwareManagers" must audit their
  code for unsafe uses of *qemu-img* and related methods.

Security Issues
***************

* Ironic-Python-Agent now checks any supplied image format value against
  the detected format of the image file and will prevent deployment
  should the values mismatch.

* Images previously misconfigured as raw despite being in another format
  may, in some non-default configurations, have been mistakenly
  converted. Ironic-Python-Agent will no longer perform conversion in any
  case for images whose metadata indicates the raw format.

* Ironic-Python-Agent *always* inspects any non-raw user image content
  for safety before running any qemu-based utilities on the image. This
  inspection is used to identify the format of the image and to verify
  the overall safety of the image. Any images with unknown or unsafe
  feature uses are explicitly rejected. This can be disabled in both IPA
  and Ironic by setting "[conductor]disable_deep_image_inspection" to
  "True" for the Ironic deployment. Image inspection is the primary
  mitigation for CVE-2024-44082, tracked in bug 2071740
  (https://bugs.launchpad.net/ironic-python-agent/+bug/2071740).
  Operators may wish to set
  "[conductor]conductor_always_validates_images" on Ironic conductors to
  mitigate the issue before they have upgraded their Ironic-Python-Agent.

* Ironic-Python-Agent now explicitly enforces a list of permitted image
  types for deployment, defaulting to "raw" and "qcow2". Other image
  types may work, but are not explicitly supported and must be enabled
  explicitly. The list can be modified by setting
  "[conductor]permitted_image_formats" for all Ironic services.

Bug Fixes
*********

* Adds a preliminary check for IPMI device files before the BMC
  detection attempts, avoiding needless *ipmitool* command calls on
  systems without IPMI capabilities.

* Fixes multiple issues in the handling of images as they relate to
  execution of the "qemu-img" utility. When this utility is used to
  convert an unsafe image, a malicious user can extract information from
  a node while Ironic-Python-Agent is deploying or converting an image.
  Ironic-Python-Agent now inspects all non-raw images for safety, and
  never runs qemu-based utilities on raw images. This fix is tracked as
  CVE-2024-44082 and bug 2071740
  (https://bugs.launchpad.net/ironic-python-agent/+bug/2071740).

* Images with metadata indicating a "raw" disk format may previously
  have been transparently converted from another format. Now, these
  images have their exact contents written to disk without modification.
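The format-mismatch and safety checks the notes above describe, as an added illustration that is not the agent's own format_inspector code: it classifies an image by its header bytes rather than by the supplied format value, rejects an image whose metadata claims "raw" when the bytes are qcow2, keeps raw images away from qemu-based tooling entirely, and rejects qcow2 headers that reference a backing file or an external data file. The sample headers are constructed inside the block; the function names and the exact set of feature bits treated as unsafe are this example's assumptions, not the project's.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
PERMITTED_FORMATS = {"raw", "qcow2"}   # the default permitted list from the notes
EXTERNAL_DATA_FILE = 1 << 2            # qcow2 v3 incompatible_features bit 2

def detect_format(data: bytes) -> str:
    """Classify by the on-disk header bytes, never by what the caller claims."""
    return "qcow2" if data[:4] == QCOW2_MAGIC else "raw"

def inspect_qcow2(data: bytes) -> list:
    """Return reasons a qcow2 header is unsafe to hand to qemu-img (empty = safe)."""
    if len(data) < 104:            # shorter than a v3 header: cannot be judged safe
        return ["truncated qcow2 header"]
    version, backing_off, backing_len = struct.unpack_from(">IQI", data, 4)
    problems = [] if version in (2, 3) else ["unknown qcow2 version %d" % version]
    if backing_off or backing_len:
        # qemu would open the named path on the host doing the conversion
        problems.append("backing file reference in header")
    if version == 3:
        (incompat,) = struct.unpack_from(">Q", data, 72)
        if incompat & EXTERNAL_DATA_FILE:
            problems.append("external data file feature")
        if incompat & ~0x1F:       # bits 0-4 are defined by the spec; reject the rest
            problems.append("unknown incompatible feature bits")
    return problems

def validate_image(data: bytes, claimed_format: str) -> tuple:
    """(ok, reason): the decision a deploy step takes before any conversion."""
    if claimed_format not in PERMITTED_FORMATS:
        return False, "format %r is not permitted" % claimed_format
    detected = detect_format(data)
    if detected != claimed_format:
        return False, "metadata says %r but file is %r" % (claimed_format, detected)
    if detected == "raw":
        return True, "raw: write bytes to disk verbatim, qemu-img is never run"
    problems = inspect_qcow2(data)
    return (False, "; ".join(problems)) if problems else (True, "qcow2: safe to convert")

def make_qcow2_header(backing_path: bytes = b"", incompat: int = 0) -> bytes:
    """Constructed sample v3 header (not a real image) for exercising the checks."""
    hdr = bytearray(QCOW2_MAGIC) + bytearray(100)     # 104-byte v3 header, zero-filled
    struct.pack_into(">I", hdr, 4, 3)                 # version 3
    struct.pack_into(">Q", hdr, 72, incompat)
    if backing_path:                                  # offset 104 = right after header
        struct.pack_into(">QI", hdr, 8, 104, len(backing_path))
        hdr += backing_path
    return bytes(hdr)
```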
Changes in ironic-python-agent 9.13.0..9.14.0
---------------------------------------------

2d79eae Check for the existence of an IPMI device
e303a36 Inspect non-raw images for safety
ba5c1bf Remove and disable examples job
bd3b596 Fix series in release notes
b173ce9 [doc] Clarify Step return values
4cea26f update dynamic-login to mention the sshkey option


Diffstat (except docs and test files)
-------------------------------------

ironic_python_agent/agent.py                          |    6 +
ironic_python_agent/config.py                         |   36 +-
ironic_python_agent/disk_utils.py                     |  111 ++-
ironic_python_agent/errors.py                         |    9 +
ironic_python_agent/extensions/standby.py             |   85 +-
ironic_python_agent/format_inspector.py               | 1044 ++++++++++++++++++++
ironic_python_agent/hardware.py                       |   58 +-
ironic_python_agent/partition_utils.py                |    9 +-
ironic_python_agent/qemu_img.py                       |  153 +++
ironic_python_agent/utils.py                          |   11 +
...-device-before-invocation-45b00d15c94edd00.yaml    |    6 +
.../notes/image-security-5c23b890409101c9.yaml        |   48 +
releasenotes/source/2023.1.rst                        |    2 +-
releasenotes/source/2023.2.rst                        |    2 +-
releasenotes/source/2024.1.rst                        |    2 +-
releasenotes/source/zed.rst                           |    2 +-
zuul.d/ironic-python-agent-jobs.yaml                  |   17 +-
zuul.d/project.yaml                                   |    2 -
27 files changed, 2952 insertions(+), 201 deletions(-)