We are delighted to announce the release of: ironic 16.0.4: OpenStack Bare Metal Provisioning This release is part of the victoria stable release series. The source is available from: https://opendev.org/openstack/ironic Download the package from: https://tarballs.openstack.org/ironic/ Please report issues through: https://storyboard.openstack.org/#!/project/943 For more details, please see below. 16.0.4 ^^^^^^ Security Issues *************** * Fixes an issue with the "/v1/nodes/detail" endpoint where an authenticated user could explicitly ask for an "instance_uuid" lookup and the associated node would be returned to the user with sensitive fields redacted in the result payload if the user did not explicitly have "owner" or "lessee" permissions over the node. This is considered a low-impact low-risk issue as it requires the API consumer to already know the UUID value of the associated instance, and the returned information is mainly metadata in nature. More information can be found in Storyboard story 2008976 (https://storyboard.openstack.org/#!/story/2008976). Bug Fixes ********* * If the agent accepts a command, but is unable to reply to Ironic (which sporadically happens before of the eventlet's TLS implementation), we currently retry the request and fail because the command is already executing. Ironic now detects this situation by checking the list of executing commands after receiving a connection error. If the requested command is the last one, we assume that the command request succeeded. * Fixes fast-track to prevent marking the agent as alive if trying to rebuild a node before the fast-track timeout has expired. * Fixes potential cache coherency issues by caching the AgentClient per task, rather than globally. * Fixes the "[deploy]configdrive_use_object_store" option that was broken during the Python 3 transition. * Fixes an issue with the "/v1/nodes/detail" endpoint where requests for an explicit "instance_uuid" match would not follow the standard query handling path and thus not be filtered based on policy determined access level and node level "owner" or "lessee" fields appropriately. Additional information can be found in story 2008976 (https://storyboard.openstack.org/#!/story/2008976). * Fixes recognition of a busy agent to also handle recognition during deployment steps by more uniformly detecting and identifying when the "ironic-python-agent" service is busy. * Fixes the problem about grub2 config file. Some higher versions of grub2 (e.g. 2.05 or 2.06-rc1) use grub.cfg-01-MAC, while another lower versions of grub2 (e.g. 2.04) use MAC.conf, so we generate both paths in order to be compatible with both. * Fixes "idrac-wsman" management interface "set_boot_device" method that would fail deployment when there are existing jobs present with error "Failed to change power state to ''power on'' by ''rebooting''. Error: DRAC operation failed. Reason: Unfinished config jobs found: <list of existing jobs>. Make sure they are completed before retrying.". Now there can be non-BIOS jobs present during deployment. This will still fail for cases when there are BIOS jobs present. In such cases should consider moving to "idrac- redfish" that does not have this limitation when setting boot device. * Fixed an issue where provisioning/cleaning would fail on IPv6 routed provider networks. See bug: 2009773 (https://storyboard.openstack.org/#!/story/2009773). * Fixes "idrac-wsman" BIOS "apply_configuration" and "factory_reset" clean and deploy steps to fail correctly in case of error when checking completed jobs. Before the fix when BIOS job failed, then node clean or deploy failed with timeout instead of actual error in cleaning or deploying step. * Fixes redfish firmware update for ilo5 based hardware by making necessary changes to check whether sushy_task.messages is present, since in case of iLo task data does not contain messages attribute. Also it was not calling prepare_ramdisk() before rebooting the system to update the firmware which has been fixed in this patch. * Fixes "idrac-wsman" power interface to wait for the hardware to reach the target state before returning. For systems where soft power off at the end of deployment to boot to instance failed and forced hard power off was used, this left node successfully deployed in off state without any errors. This broke other workflows expecting node to be on booted into OS at the end of deployment. Additional information can be found in story 2009204 (https://storyboard.openstack.org/#!/story/2009204). * Correctly wipes agent token on inspection start and abort. * Calculating the ipmitool *-N* and *-R* arguments from ironic.conf [ipmi] *command_retry_timeout* and *min_command_interval* now takes into account the 1 second interval increment that ipmitool adds on each retry event. Failure-path ipmitool run duration will now be just less than *command_retry_timeout* instead of much longer. * Adds handling of Redfish BMC's which lack a "BootSourceOverrideMode" flag, such that it is no longer a fatal error for a deployment if the BMC does not support this field. This most common on BMCs which feature only a partial implementation of the "ComputerSystem" resource "boot", but may also be observable on some older generations of BMCs which recieved updates to have partial Redfish support. * The "redfish-virtual-media" boot interface no longer passes validation for Dell nodes. The "idrac-redfish-virtual-media" boot interface must be used for these nodes instead. * The fix for story 2008252 (https://storyboard.openstack.org/#!/story/2008252) synced the boot mode after changing the boot device because Supermicro nodes reset the boot mode if not included in the boot device set. However this can cause a problem on Dell nodes when changing the mode uefi->bios or bios->uefi, see story 2008712 (https://storyboard.openstack.org/#!/story/2008712) for details. Restrict the syncing of the boot mode to Supermicro. * Retries virtual media insert on failure to allow for an eject that may not have finished. https://storyboard.openstack.org/#!/story/2008504 * Fixes a bug where a conductor could fail to complete a deployment if there was contention on a shared lock. This would manifest as an instance being stuck in the "deploying" state, though the node had in fact started or even completed its final boot. * When Ironic configures the BootSourceOverrideTarget setting via Redfish, on Supermicro BMCs it must always configure BootSourceOverrideEnabled or that will revert to default (Once) on the BMC, see story 2008547 (https://storyboard.openstack.org/#!/story/2008547) for details. This is different than what is currently implemented for other BMCs in which the BootSourceOverrideEnabled is not configured if it matches the current setting (see story 2007355 (https://storyboard.openstack.org/#!/story/2007355)). This requires that node.properties['vendor'] be 'supermicro' which will be set by Ironic from the Redfish system response or can be set manually. * Introduces lazy-loading of ports, portgroups, volume connections and volume targets in task manager to fix performance issues. For periodic tasks which create a task manager object but don't require the aforementioned data (e.g. power sync), this change should reduce the number of database interactions by around two thirds, speeding up overall execution. * Fixes an issue of powering off with the "idrac-wsman" management interface while the execution of a clear job queue cleaning step is proceeding. Prior to this fix, the clean step would fail when powering off a node. Changes in ironic 16.0.3..16.0.4 -------------------------------- 87f15ec6e Ensure 'port' is up2date after binding:host_id 259647c7c CI: Lower test VM memory by 400MB 969cfefee Fix idrac-wsman deploy with existing non-BIOS jobs 0df43f758 Fix idrac-wsman set_power_state to wait on HW 87dee0250 Use shim-signed on Ubuntu, shim is empty now 2df5dc42a Use openstack-tox for ironic-tox-unit-with-driver-libs d09a158cc Fix iPXE docs: snponly is not always available 0cb15a223 Cache AgentClient on Task, not globally 4ac6ad731 Update the clear job id's constant 755c75e2e Fix node detail instance_uuid request handling 0bc5265ec Refactor iDRAC OEM extension manager calls e2ede2607 Set IPA download branch to stable/victoria for victoria 05f864706 Update project conundrum related docs 3258e49a5 Delete unavailable py2 package 0df78f600 Point ipa-builder to stable/wallaby 678714261 Fix deployment when executing a command fails after the command starts e88436688 Inherit InvalidImageRef from InvalidParameterValue c9425f995 Wipe agent tokens on inspection start and abort 550c4e075 update grub2 file name b205a32ca Fix ipmitool timing argument calculation 6130dc15e Fix idrac-wsman BIOS step async error handling 4fd099345 Restrict syncing of boot mode to Supermicro 13fc01fe3 Allow unsupported redfish set_boot_mode c2647f101 Prepare to use tinycore 12 for tinyipa 4ed8ceef6 Lazy-load node details from the DB b2b862f53 [Trivial] Fix testing of volume connector exception 25a05cf35 Always retry locking when performing task handoff d1ffc6a55 Handle agent still doing the prior command 90da180a1 devstack: a safeguard for disabled tempurls a1f596590 Enable swift temporary URLs in grenade and provide a good error message dea33cbaf Fix broken configdrive_use_object_store 73a600afa Switch multinode jobs to 512M RAM 78924eca2 Move the IPv6 job to the experimental pipeline cbccfa2a9 Don't mark an agent as alive if rebooted 46b34a73b Prevent redfish-virtual-media from being used with Dell nodes 80017a1d3 Fixes issue of redfish firmware update 7d74ea0ee For Supermicro BMCs set enable when changing boot device 1e8e54041 Refactor vendor detection and add Redfish implementation 0e4e00e82 Add a delay/retry is vmedia insert fails 26e8b9b01 [stable] Remove lower-constraints job Diffstat (except docs and test files) ------------------------------------- bindep.txt | 2 +- devstack/lib/ironic | 16 +- .../include/configure-ironic-api-mod_wsgi.inc | 10 +- .../install/include/configure-ironic-api.inc | 2 +- ironic/api/controllers/v1/node.py | 99 ++++++------- ironic/common/exception.py | 7 +- ironic/common/neutron.py | 3 +- ironic/common/pxe_utils.py | 14 +- ironic/common/swift.py | 7 +- ironic/conductor/cleaning.py | 11 ++ ironic/conductor/deployments.py | 13 +- ironic/conductor/manager.py | 18 ++- ironic/conductor/task_manager.py | 85 +++++++++-- ironic/conductor/utils.py | 38 +++++ ironic/db/sqlalchemy/api.py | 2 +- ironic/drivers/modules/agent.py | 14 +- ironic/drivers/modules/agent_base.py | 41 +++--- ironic/drivers/modules/agent_client.py | 144 +++++++++++++++--- ironic/drivers/modules/ansible/deploy.py | 6 +- ironic/drivers/modules/drac/bios.py | 20 ++- ironic/drivers/modules/drac/boot.py | 70 ++------- ironic/drivers/modules/drac/management.py | 4 +- ironic/drivers/modules/drac/power.py | 45 +++--- ironic/drivers/modules/drac/utils.py | 121 +++++++++++++++ ironic/drivers/modules/ipmitool.py | 87 +++++------ ironic/drivers/modules/iscsi_deploy.py | 4 +- ironic/drivers/modules/redfish/boot.py | 36 ++++- ironic/drivers/modules/redfish/management.py | 63 +++++++- .../unit/drivers/modules/drac/test_management.py | 13 +- .../unit/drivers/modules/irmc/test_inspect.py | 17 --- .../unit/drivers/modules/redfish/test_boot.py | 80 ++++++++++ .../drivers/modules/redfish/test_management.py | 95 +++++++++++- .../unit/drivers/modules/test_agent_client.py | 162 +++++++++++++++++++++ .../unit/drivers/modules/test_iscsi_deploy.py | 3 +- .../notes/agent-last-command-4ec6967c995ba84a.yaml | 9 ++ .../notes/agent-rebooted-fab20d012fe6cbe8.yaml | 6 + ...ache-agentclient-per-task-ec2231684e6876d9.yaml | 5 + ...figdrive_use_object_store-93cfd7dc27d90003.yaml | 5 + ...ed-instance-info-behavior-1375914a30621eca.yaml | 20 +++ .../fix-busy-agent-check-3cf75242b4783009.yaml | 6 + ...ix-grub2-config-file-name-88e689a982a21684.yaml | 7 + ...th-existing-non-bios-jobs-78aa2195d0c3016f.yaml | 12 ++ ...g-routed-provider-network-bbd0c46559f618ac.yaml | 6 + ...async-step-error-handling-80cd30c54c71c595.yaml | 8 + ...ish-firmware-update-issue-c6dfcd71a2f659a5.yaml | 9 ++ ...sman-set-power-state-wait-cd8f9ff41b19c7a7.yaml | 10 ++ .../notes/inspection-token-b3d9e8e34341d680.yaml | 4 + ...pmi_command_retry_timeout-889a49b402e82b97.yaml | 9 ++ ...ride-not-present-handling-92e7263617e467c4.yaml | 9 ++ .../redfish-vmedia-vendor-fc76086893d99415.yaml | 6 + ...fter-device-to-supermicro-218e8cb57735c685.yaml | 11 ++ .../notes/retry-vmedia-1999742c84f11103.yaml | 6 + ...fix-stuck-deploying-state-43d51149a02c08b8.yaml | 7 + ...-redfish-override-enabled-aa51686ed33d3061.yaml | 15 ++ .../taskmanager-lazy-load-32a14526c647c2f0.yaml | 9 ++ ...clear-job-id-constant-fix-c69cf96c55364bb3.yaml | 7 + zuul.d/ironic-jobs.yaml | 34 +++-- zuul.d/project.yaml | 6 +- 85 files changed, 2001 insertions(+), 591 deletions(-)