We are overjoyed to announce the release of: ironic-inspector 6.1.0: Hardware introspection for OpenStack Bare Metal This release is part of the queens release series. The source is available from: http://git.openstack.org/cgit/openstack/ironic-inspector Download the package from: https://tarballs.openstack.org/ironic-inspector/ Please report issues through launchpad: http://bugs.launchpad.net/ironic-inspector For more details, please see below. 6.1.0 ^^^^^ New Features ************ * The PXE filter drivers mechanism is now enabled. The firewall- based filtering was re-implemented as the "iptables" PXE filter driver. * Adds an API access policy enforcment based on **oslo.policy** rules. Similar to other OpenStack services, operators now can configure fine-grained access policies using "policy.yaml" file. See policy.yaml.sample in the code tree for the list of available policies and their default rules. This file can also be generated from the code tree with the following command: tox -egenpolicy See the oslo.policy package documentation for more information on using and configuring API access policies. (https://git.openstack.org/cgit/openstack/ironic- inspector/plain/policy.yaml.sample) (https://docs.openstack.org/oslo.policy/latest/) Upgrade Notes ************* * Due to the choice of default values for API access policies rules, some API parts of the **ironic-inspector** service will become available to wider range of users after upgrade: * general access to the whole API is by default granted to a user with either "admin", "administrator" or "baremetal_admin" role (previously it allowed access only to a user with "admin" role) * listing of current introspection statuses and showing a given introspection is by default also allowed to a user with the "baremetal_observer" role If these access policies are not appropriate for your deployment, override them in a "policy.json" file in the **ironic-inspector** configuration directory (usually "/etc/ironic-inspector"). See the oslo.policy package documentation for more information on using and configuring API access policies. (https://docs.openstack.org/oslo.policy/latest/) Deprecation Notes ***************** * The firewall-specific configuration options were moved from the "firewall" to the "iptables" group. All options in the "iptables" group are now deprecated. * The generic firewall options "firewall_update_period" and "manage_firewall" were moved under the "pxe_filter" group as "sync_period" and "driver=iptables/noop" respectively. Bug Fixes ********* * A "version_id" is now explicitly generated during the "node_cache.start_introspection/.add_node" call to avoid race conditions such as in case of the two concurrent introspection calls bug. (https://bugs.launchpad.net/ironic-inspector/+bug/1719627) * The older "ipmi_address" field in the introspection data no longer has priority over the newer "bmc_address" inventory field during lookup. This fixes lookup based on MAC addresses, when the BMC address is reported as "0.0.0.0" for any reason (see bug 1714944 (https://bugs.launchpad.net/ironic-python-agent/+bug/1714944)). * Should the "iptables" PXE filter encounter an unexpected exception in the periodic "sync" call, the exception will be logged and the filter driver will be reset in order to make subsequent "sync" calls fail (and propagate the failure, exiting the **ironc-inspector** process eventually). Other Notes *********** * Allows a periodic task to shut down an **ironic-inspector** process upon a failure. Changes in ironic-inspector 6.0.0..6.1.0 ---------------------------------------- d5266f7 Unittest node_info is added with a version_id 65d0213 Clean up release notes before a release 16148bf refer to 'openstack baremetal' CLI in docs cbf4c39 Updated from global requirements acb51f6 Support manage_firewall during deprecation period 7b27585 Refactoring the firewall 1689693 Update tests to do not use deprecated test.services() 7dbb7c1 flake8: Enable some off-by-default checks 19c1b8e pep8: Add 'application-import-names = ironic_inspector' 2e25c5e Fix for broken zuul v3 job and releasenotes 660b682 Just "import mock" as it works for Python 2 and 3 198ef70 Add request context and policy enforcement a65a2ee Properly init config in unit tests 02f38aa Remove SCREEN_LOGDIR from devstack bc87e6e Updated from global requirements 35f2d8c Make starting state non-reentrant 7625ed6 Use ostestr unit test runner 82000e4 Generate version_id upon add_node 7571be0 Replace the usage of 'admin_manager' with 'os_admin' 30affed Updated from global requirements adffb3b Updated from global requirements 360b194 Updated from global requirements 776e345 Updated from global requirements a1d19d9 Do not rely on the older ipmi_address field on lookup 9054402 Updated from global requirements 25929f3 Change example dnsmasq.conf in install doc for uefi 581c40c Allow periodics to terminate inspector b1c0656 i[Trivialfix]Fix typos in ironic-inspector 94ac873 Updated from global requirements 98019af Release notes: specify pike versions bc72a69 Imported Translations from Zanata 0ed098a Updated from global requirements 208b66d Remove ensure_logs_exist check during upgrade 021b427 Update reno for stable/pike Diffstat (except docs and test files) ------------------------------------- .gitignore | 4 +- .stestr.conf | 3 + CONTRIBUTING.rst | 2 - config-generator.conf | 1 + devstack/example.local.conf | 1 - devstack/upgrade/upgrade.sh | 2 - example.conf | 45 ++- ironic_inspector/common/context.py | 45 +++ ironic_inspector/common/service_utils.py | 18 +- ironic_inspector/conf.py | 52 ++- ironic_inspector/dbsync.py | 3 +- ironic_inspector/firewall.py | 257 ------------ ironic_inspector/introspect.py | 12 +- ironic_inspector/introspection_state.py | 1 - ironic_inspector/main.py | 95 +++-- ironic_inspector/node_cache.py | 5 +- ironic_inspector/plugins/standard.py | 6 +- ironic_inspector/policy.py | 217 ++++++++++ ironic_inspector/process.py | 6 +- ironic_inspector/pxe_filter/base.py | 21 +- ironic_inspector/pxe_filter/iptables.py | 232 +++++++++++ ironic_inspector/test/base.py | 9 +- ironic_inspector/test/functional.py | 4 +- ironic_inspector/test/unit/policy_fixture.py | 40 ++ ironic_inspector/test/unit/test_firewall.py | 444 --------------------- ironic_inspector/test/unit/test_introspect.py | 87 ++-- ironic_inspector/test/unit/test_iptables.py | 356 +++++++++++++++++ ironic_inspector/test/unit/test_main.py | 4 +- ironic_inspector/test/unit/test_node_cache.py | 3 + ironic_inspector/test/unit/test_process.py | 16 +- ironic_inspector/test/unit/test_pxe_filter.py | 39 +- ironic_inspector/test/unit/test_swift.py | 5 +- ironic_inspector/test/unit/test_utils.py | 46 ++- ironic_inspector/test/unit/test_wsgi_service.py | 367 +++++++++++++---- ironic_inspector/utils.py | 16 +- ironic_inspector/wsgi_service.py | 53 ++- policy-generator.conf | 3 + policy.yaml.sample | 59 +++ .../add_node-with-version_id-24f51e5888480aa0.yaml | 8 + ...iodics-shutdown-inspector-ac28ea5ba3224279.yaml | 5 + .../empty-ipmi-address-2-4d57c34aec7d14e2.yaml | 8 + .../firewall-refactoring-17e8ad764f2cde8d.yaml | 20 + .../notes/policy-engine-c44828e3131e6c62.yaml | 38 ++ releasenotes/source/index.rst | 1 + .../source/locale/fr/LC_MESSAGES/releasenotes.po | 110 +++++ releasenotes/source/pike.rst | 6 + requirements.txt | 32 +- setup.cfg | 5 + test-requirements.txt | 13 +- tox.ini | 33 +- 60 files changed, 1910 insertions(+), 1033 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index b02ff1b..47efea4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4 +4 @@ -automaton>=0.5.0 # Apache-2.0 +automaton>=1.9.0 # Apache-2.0 @@ -10 +10 @@ Flask!=0.11,<1.0,>=0.10 # BSD -futurist!=0.15.0,>=0.11.0 # Apache-2.0 +futurist>=1.2.0 # Apache-2.0 @@ -13,4 +13,4 @@ jsonpath-rw<2.0,>=1.2.0 # Apache-2.0 -jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT -keystoneauth1>=3.1.0 # Apache-2.0 -keystonemiddleware>=4.12.0 # Apache-2.0 -netaddr!=0.7.16,>=0.7.13 # BSD +jsonschema<3.0.0,>=2.6.0 # MIT +keystoneauth1>=3.2.0 # Apache-2.0 +keystonemiddleware>=4.17.0 # Apache-2.0 +netaddr>=0.7.18 # BSD @@ -21,9 +21,11 @@ pytz>=2013.6 # MIT -oslo.concurrency>=3.8.0 # Apache-2.0 -oslo.config!=4.3.0,!=4.4.0,>=4.0.0 # Apache-2.0 -oslo.db>=4.24.0 # Apache-2.0 -oslo.i18n!=3.15.2,>=2.1.0 # Apache-2.0 -oslo.log>=3.22.0 # Apache-2.0 -oslo.middleware>=3.27.0 # Apache-2.0 -oslo.rootwrap>=5.0.0 # Apache-2.0 -oslo.serialization!=2.19.1,>=1.10.0 # Apache-2.0 -oslo.utils>=3.20.0 # Apache-2.0 +oslo.concurrency>=3.20.0 # Apache-2.0 +oslo.config>=4.6.0 # Apache-2.0 +oslo.context!=2.19.1,>=2.14.0 # Apache-2.0 +oslo.db>=4.27.0 # Apache-2.0 +oslo.i18n>=3.15.3 # Apache-2.0 +oslo.log>=3.30.0 # Apache-2.0 +oslo.middleware>=3.31.0 # Apache-2.0 +oslo.policy>=1.23.0 # Apache-2.0 +oslo.rootwrap>=5.8.0 # Apache-2.0 +oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 +oslo.utils>=3.28.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index e54b32e..3c8fca1 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -5 +5 @@ coverage!=4.4,>=4.0 # Apache-2.0 -doc8 # Apache-2.0 +doc8>=0.6.0 # Apache-2.0 @@ -7,2 +7,2 @@ flake8-import-order==0.11 # LGPLv3 -hacking<0.13,>=0.12.0 # Apache-2.0 -mock>=2.0 # BSD +hacking>=1.0.0 # Apache-2.0 +mock>=2.0.0 # BSD @@ -10,2 +10,3 @@ sphinx>=1.6.2 # BSD -openstackdocstheme>=1.16.0 # Apache-2.0 -reno!=2.3.1,>=1.8.0 # Apache-2.0 +openstackdocstheme>=1.17.0 # Apache-2.0 +os-testr>=1.0.0 # Apache-2.0 +reno>=2.5.0 # Apache-2.0 @@ -13 +14 @@ fixtures>=3.0.0 # Apache-2.0/BSD -testresources>=0.2.4 # Apache-2.0/BSD +testresources>=2.0.0 # Apache-2.0/BSD