We enthusiastically announce the release of:

ironic 20.1.2: OpenStack Bare Metal Provisioning

This release is part of the yoga stable release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://storyboard.openstack.org/#!/project/943

For more details, please see below.

20.1.2
^^^^^^

Upgrade Notes
*************

* Adds "sha256", "sha384" and "sha512" as supported SNMPv3
  authentication protocols to the iRMC driver.

Bug Fixes
*********

* Fixes Ironic's integration with Cinder, which was affected by changes
  made as part of the recent security-related fix in bug 2004555
  (https://launchpad.net/bugs/2004555). The work in Ironic to track
  this fix was logged in bug 2019892
  (https://bugs.launchpad.net/ironic/+bug/2019892). Ironic now sends a
  service token to Cinder, which allows the access restrictions added
  as part of the original CVE-2023-2088 fix to be appropriately
  bypassed. Ironic was not vulnerable, but the restrictions added as a
  result did impact Ironic's usage. This is because Ironic volume
  attachments are not on a shared "compute node", but are instead
  mapped to the physical machines, and Ironic handles the attachment
  life-cycle after initial attachment.

* When aborting cleaning, the "last_error" field is no longer
  initially empty. It is now populated on the state transition to
  "clean failed".

* When cleaning or deployment fails, the "last_error" field is no
  longer temporarily set to "None" while the power off action is
  running.

* Fixes an issue where, if SELinux is enabled and enforcing and the
  published image is a hardlink, the source SELinux context is
  preserved, causing access to be denied when retrieving the image
  using the hardlink URL.

* Fixes a bug in the iRMC driver's parse_driver_info where, if FIPS is
  enabled, SNMP version 3 is always required even though the iRMC
  driver's xxx_interface does not actually use SNMP.

* Fixes "'NoneType' object is not iterable" in conductor logs for
  "redfish" and "idrac-redfish" RAID clean and deploy steps. The
  message should no longer appear. For affected nodes, re-create the
  node or delete the "raid_configs" entry from the
  "driver_internal_info" field.

* Fixes an issue in the online upgrade logic where database models for
  Node Traits and BIOS Settings resulted in an error when performing
  the online data migration. This was because these tables were
  originally created as extensions of the Nodes database table, and
  the schema of the database was different enough to result in an
  error if there was data to migrate in these tables upon upgrade,
  which would have occurred if an early BIOS Setting adopter had data
  in the database prior to upgrading to the Yoga release of Ironic.
  The online upgrade parameter now substitutes an alternate primary
  key name when applicable.

* Fixes SNMPv3 message authentication and encryption functionality of
  the iRMC driver. SNMPv3 authentication between the iRMC driver and
  iRMC previously relied only on the security name, with no passwords
  or encryption. To increase security, the following parameters are
  now added to the node's "driver_info", and can be used for
  authentication:

  * "irmc_snmp_user"

  * "irmc_snmp_auth_password"

  * "irmc_snmp_priv_password"

  * "irmc_snmp_auth_proto" (Optional, defaults to "sha")

  * "irmc_snmp_priv_proto" (Optional, defaults to "aes")

  "irmc_snmp_user" replaces "irmc_snmp_security".
  "irmc_snmp_security" will be ignored if "irmc_snmp_user" is set.
  "irmc_snmp_auth_proto" and "irmc_snmp_priv_proto" can also be set
  through the following options in the "[irmc]" section of
  "/etc/ironic/ironic.conf":

  * "snmp_auth_proto"

  * "snmp_priv_proto"

* Fixes a race condition in PXE initialization where the logic that
  retries suspected failed PXE boot operations was not checking
  whether an "agent token" had been established, which is the very
  first step in agent initialization.

* Fixes an issue where an agent token was being orphaned if a
  baremetal node timed out during cleaning operations, leading to
  issues where, in some cases, the node would not be able to
  establish a new token with Ironic in the future. We now always wipe
  the token in this case.

Other Notes
***********

* Updates the minimum version of the "python-scciclient" library to
  "0.12.2".

Changes in ironic 20.1.1..20.1.2
--------------------------------

72d124856 [iRMC] Fix parse_driver_info bug enforcing SNMP v3 under FIPS mode
4ec0ee677 [ci] [stable-only] Cinder fixed; make BFV job vote
d1ad9e8d0 [stable-only] [CI] BFV, RBAC jobs marked non-voting
94358e471 Fix Cinder Integration fallout from CVE-2023-2088
ad227de24 Fix online upgrades for Bios/Traits
59cdb9aeb Wipe Agent Token when cleaning timeout occcurs
92c187a32 Do not move nodes to CLEAN FAILED with empty last_error
e5267b58e Move and fix reno config for releasenotes job
31a0b0c1d Fix selinux context of published image hardlink
959fc9163 Fix "'NoneType' object is not iterable" in RAID
26573bed3 Prevent pxe retry when agent token exists
177e93de9 Fixes for tox 4.0
1f4fabf88 Add support auth protocols for iRMC
c274231bf Add SNMPv3 authentication functionality

Diffstat (except docs and test files)
-------------------------------------

devstack/lib/ironic                                |   2 +-
ironic/common/cinder.py                            |  71 +++++-
ironic/common/keystone.py                          |  24 +-
ironic/common/states.py                            |   3 +
ironic/common/utils.py                             |  12 +
ironic/conductor/cleaning.py                       |  26 +-
ironic/conductor/manager.py                        |   3 +-
ironic/conductor/task_manager.py                   |  11 +-
ironic/conductor/utils.py                          |  12 +-
ironic/conf/irmc.py                                |  28 ++-
ironic/db/sqlalchemy/api.py                        |  33 ++-
ironic/drivers/modules/image_utils.py              |  10 +
ironic/drivers/modules/irmc/common.py              | 249 +++++++++++++++---
ironic/drivers/modules/irmc/inspect.py             |  24 +-
ironic/drivers/modules/irmc/power.py               |  22 +-
ironic/drivers/modules/pxe_base.py                 |   6 +
ironic/drivers/modules/redfish/raid.py             |   8 +-
.../unit/drivers/modules/redfish/test_raid.py      |   4 +
releasenotes/config.yaml                           |   5 +
.../notes/cinder-2019892-6b5a9de5c5f05aa6.yaml     |  16 ++
.../notes/cleaning-error-5c13c33c58404b97.yaml     |   8 +
...ix-context-image-hardlink-16f452974abc7327.yaml |   7 +
...nforcing-snmpv3-with-fips-e45971d363925ec3.yaml |   6 +
...pe-object-is-not-iterable-0592926d890d6c11.yaml |   7 +
...-online-version-migration-db432a7b239647fa.yaml |  14 ++
...c-add-snmp-auth-protocols-3ff7597cea7ef9dd.yaml |   5 +
.../irmc-add-snmpv3-security-fca05bfc30f50d1a.yaml |  28 +++
...e-retry-when-token-exists-a4f38f7da56c1397.yaml |   7 +
...ken-upon-cleaning-timeout-c9add514fad1b02c.yaml |   7 +
reno.yaml                                          |   4 -
tox.ini                                            |   9 +-
zuul.d/project.yaml                                |  11 +-
43 files changed, 1052 insertions(+), 151 deletions(-)
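
Added example, not part of the release announcement and not Ironic's own code: a small audit of a node's "driver_info" against the iRMC SNMPv3 parameters listed under Bug Fixes above, reporting nodes that still rely on "irmc_snmp_security" or lack the new passwords. The function name, the precedence of "driver_info" over the "[irmc]" options, and the accepted protocol sets (limited to the values these notes name) are assumptions.

```python
# Added example (not Ironic code): audit a node's driver_info against the
# iRMC SNMPv3 parameters described in the 20.1.2 release notes.
AUTH_PROTOS = {"sha", "sha256", "sha384", "sha512"}  # values the notes name
PRIV_PROTOS = {"aes"}                                # only value the notes name
DEFAULTS = {"irmc_snmp_auth_proto": "sha", "irmc_snmp_priv_proto": "aes"}
# driver_info key -> option in the [irmc] section of ironic.conf
CONF_OPTS = {"irmc_snmp_auth_proto": "snmp_auth_proto",
             "irmc_snmp_priv_proto": "snmp_priv_proto"}


def audit_irmc_snmpv3(driver_info, irmc_conf=None):
    """Return (effective, findings); passwords are never copied to the output.

    Assumption: driver_info overrides the [irmc] option, which overrides
    the documented default.
    """
    irmc_conf = irmc_conf or {}
    findings = []
    user = driver_info.get("irmc_snmp_user")
    legacy = driver_info.get("irmc_snmp_security")
    if user and legacy:
        findings.append("irmc_snmp_security is ignored: irmc_snmp_user is set")
    elif legacy:
        findings.append("irmc_snmp_security in use: migrate to irmc_snmp_user")
    elif not user:
        findings.append("irmc_snmp_user is not set")
    effective = {"irmc_snmp_user": user or legacy}
    for key in ("irmc_snmp_auth_password", "irmc_snmp_priv_password"):
        if not driver_info.get(key):
            findings.append(f"{key} is missing")
    for key, allowed in (("irmc_snmp_auth_proto", AUTH_PROTOS),
                         ("irmc_snmp_priv_proto", PRIV_PROTOS)):
        value = (driver_info.get(key) or irmc_conf.get(CONF_OPTS[key])
                 or DEFAULTS[key])
        effective[key] = value
        if value not in allowed:
            findings.append(f"{key}={value!r} is not named in the release notes")
    return effective, findings


if __name__ == "__main__":
    # Constructed sample nodes, not real inventory.
    legacy_node = {"irmc_snmp_security": "admin"}
    migrated_node = {"irmc_snmp_user": "monitor",
                     "irmc_snmp_auth_password": "constructed-auth-pass",
                     "irmc_snmp_priv_password": "constructed-priv-pass",
                     "irmc_snmp_auth_proto": "sha512"}
    for node in (legacy_node, migrated_node):
        print(audit_irmc_snmpv3(node, {"snmp_auth_proto": "sha256"}))
```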