We are glad to announce the release of: ironic 23.0.2: OpenStack Bare Metal Provisioning This release is part of the bobcat release series. The source is available from: https://opendev.org/openstack/ironic Download the package from: https://tarballs.openstack.org/ironic/ Please report issues through: https://storyboard.openstack.org/#!/project/943 For more details, please see below. 23.0.2 ^^^^^^ Upgrade Notes ************* * When upgrading Ironic to address the "qemu-img" image conversion security issues, the "ironic-python-agent" ramdisks will also need to be upgraded. * When upgrading Ironic to address the "qemu-img" image conversion security issues, the "[conductor]conductor_always_validates_images" setting may be set to "True" as a short term remedy while "ironic- python-agent" ramdisks are being updated. Alternatively it may be advisable to also set the "[agent]image_download_source" setting to "local" to minimize redundant network data transfers. * As a result of security fixes to address "qemu-img" image conversion security issues, a new configuration parameter has been added to Ironic, "[conductor]permitted_image_formats" with a default value of "raw,qcow2,iso". Raw and qcow2 format disk images are the image formats the Ironic community has consistently stated as what is supported and expected for use with Ironic. These formats also match the formats which the Ironic community tests. Operators who leverage other disk image formats, may need to modify this setting further. Security Issues *************** * Ironic now checks the supplied image format value against the detected format of the image file, and will prevent deployments should the values mismatch. If being used with Glance and a mismatch in metadata is identified, it will require images to be re-uploaded with a new image ID to represent corrected metadata. This is the result of CVE-2024-44082 tracked as bug 2071740 (https://bugs.launchpad.net/ironic/+bug/2071740). * Ironic *always* inspects the supplied user image content for safety prior to deployment of a node should the image pass through the conductor, even if the image is supplied in "raw" format. This is utilized to identify the format of the image and the overall safety of the image, such that source images with unknown or unsafe feature usage are explicitly rejected. This can be disabled by setting "[conductor]disable_deep_image_inspection" to "True". This is the result of CVE-2024-44082 tracked as bug 2071740 (https://bugs.launchpad.net/ironic/+bug/2071740). * Ironic can also inspect images which would normally be provided as a URL for direct download by the "ironic-python-agent" ramdisk. This is not enabled by default as it will increase the overall network traffic and disk space utilization of the conductor. This level of inspection can be enabled by setting "[conductor]conductor_always_validates_images" to "True". Once the "ironic-python-agent" ramdisk has been updated, it will perform similar image security checks independently, should an image conversion be required. This is the result of CVE-2024-44082 tracked as bug 2071740 (https://bugs.launchpad.net/ironic/+bug/2071740). * Ironic now explicitly enforces a list of permitted image types for deployment via the "[conductor]permitted_image_formats" setting, which defaults to "raw", "qcow2", and "iso". While the project has classically always declared permissible images as "qcow2" and "raw", it was previously possible to supply other image formats known to "qemu-img", and the utility would attempt to convert the images. The "iso" support is required for "boot from ISO" ramdisk support. * Ironic now explicitly passes the source input format to executions of "qemu-img" to limit the permitted qemu disk image drivers which may evaluate an image to prevent any mismatched format attacks against "qemu-img". * The "ansible" deploy interface example playbooks now supply an input format to execution of "qemu-img". If you are using customized playbooks, please add "-f {{ ironic.image.disk_format }}" to your invocations of "qemu-img". If you do not do so, "qemu-img" will automatically try and guess which can lead to known security issues with the incorrect source format driver. * Operators who have implemented any custom deployment drivers or additional functionality like machine snapshot, should review their downstream code to ensure they are properly invoking "qemu-img". If there are any questions or concerns, please reach out to the Ironic project developers. * Operators are reminded that they should utilize cleaning in their environments. Disabling any security features such as cleaning or image inspection are at **your** **own** **risk**. Should you have any issues with security related features, please don't hesitate to open a bug with the project. * The "[conductor]disable_deep_image_inspection" setting is conveyed to the "ironic-python-agent" ramdisks automatically, and will prevent those operating ramdisks from performing deep inspection of images before they are written. * The "[conductor]permitted_image_formats" setting is conveyed to the "ironic-python-agent" ramdisks automatically. Should a need arise to explicitly permit an additional format, that should take place in the Ironic service configuration. Bug Fixes ********* * Fixes issue with configuring virtual media boot for executing service steps by adding missing entries for states.SERVICING and states.SERVICEWAIT in the whitelist of the states allowed by this method. * Fixes multiple issues in the handling of images as it relates to the execution of the "qemu-img" utility, which is used for image format conversion, where a malicious user could craft a disk image to potentially extract information from an "ironic-conductor" process's operating environment. Ironic now explicitly enforces a list of approved image formats as a "[conductor]permitted_image_formats" list, which mirrors the image formats the Ironic project has historically tested and expressed as known working. Testing is not based upon file extension, but upon content fingerprinting of the disk image files. This is tracked as CVE-2024-44082 via bug 2071740 (https://bugs.launchpad.net/ironic/+bug/2071740). * Service step validation no longer requires a priority field, which is not supported for servicing. * Adds an ISO publisher value to ISO images which are mastered as part of cleaning/deployment/service operations in support of a fix for bug 2032377 (https://bugs.launchpad.net/ironic/+bug/2032377). Changes in ironic 23.0.1..23.0.2 -------------------------------- 79f685be2 CI: Remove grenade jobs for 2023.2 6a7c1ce16 CVE-2024-44982: Harden all image handling and conversion code bd7adb094 Temporary disable ironic-standalone-redfish on stable/2023.2 9b09987b6 fix: Fix class typo for portgroup. Portgroup instead of PortGroup 81f79769c Remove SQLAlchemy tips jobs d4ce99c89 Fix spurious CI job failures around partition images c71e124f9 Inject a randomized publisher id 0638b08d1 Handle servicing failures in the Redfish BIOS interface 7bf5f13b0 Stop assuming service steps have priorities b81bbdd7d Add states.SERVICING and SERVICEWAIT to need_prepare_ramdisk Diffstat (except docs and test files) ------------------------------------- devstack/lib/ironic | 7 +- ironic/api/controllers/v1/port.py | 2 +- ironic/api/controllers/v1/ramdisk.py | 2 + ironic/common/exception.py | 4 + ironic/common/image_format_inspector.py | 1038 ++++++++++++++++++++ ironic/common/images.py | 190 +++- ironic/common/qemu_img.py | 89 ++ ironic/conductor/steps.py | 25 +- ironic/conf/__init__.py | 2 + ironic/conf/conductor.py | 43 + ironic/conf/disk_utils.py | 33 + ironic/conf/opts.py | 1 + .../playbooks/roles/deploy/tasks/write.yaml | 2 +- ironic/drivers/modules/deploy_utils.py | 218 +++- ironic/drivers/modules/image_cache.py | 71 +- ironic/drivers/modules/image_utils.py | 34 +- ironic/drivers/modules/redfish/bios.py | 7 +- ironic/drivers/utils.py | 4 +- .../unit/drivers/modules/test_deploy_utils.py | 515 +++++++++- ...g-to-need-prepare-ramdisk-fb0634b4f7d851bd.yaml | 7 + .../address-qemu-issues-1bbead8bb70b76fb.yaml | 108 ++ .../notes/service-priority-7482622471102c6b.yaml | 5 + ...ia-publisher-id-injection-c88674a31634f852.yaml | 6 + zuul.d/ironic-jobs.yaml | 18 - zuul.d/project.yaml | 17 +- 36 files changed, 3722 insertions(+), 287 deletions(-)