We are thrilled to announce the release of: ironic 21.1.1: OpenStack Bare Metal Provisioning This release is part of the zed stable release series. The source is available from: https://opendev.org/openstack/ironic Download the package from: https://tarballs.openstack.org/ironic/ Please report issues through: https://storyboard.openstack.org/#!/project/943 For more details, please see below. 21.1.1 ^^^^^^ Upgrade Notes ************* * When Ironic operator uses irmc driver against Fujitsu server which runs iRMC version S6 2.00 or later, operator may need to set Redfish parameters in "driver_info" so this fix can operate properly or operator should enable IPMI over LAN through BMC settings, if possible. Bug Fixes ********* * Fixes Ironic integration with Cinder because of changes which resulted as part of the recent Security related fix in bug 2004555 (https://launchpad.net/bugs/2004555). The work in Ironic to track this fix was logged in bug 2019892 (https://bugs.launchpad.net/ironic/+bug/2019892). Ironic now sends a service token to Cinder, which allows for access restrictions added as part of the original CVE-2023-2088 fix to be appropriately bypassed. Ironic was not vulnerable, but the restrictions added as a result did impact Ironic's usage. This is because Ironic volume attachments are not on a shared "compute node", but instead mapped to the physical machines and Ironic handles the attachment life- cycle after initial attachment. * When aborting cleaning, the "last_error" field is no longer initially empty. It is now populated on the state transition to "clean failed". * When cleaning or deployment fails, the "last_error" field is no longer temporary set to "None" while the power off action is running. * Fixes "Invalid cross-device link" in some cases when using "file://" image URLs. * Fixes an issue where if selinux is enabled and enforcing, and the published image is a hardlink, the source selinux context is preserved, causing access denied when retrieving the image using hardlink URL. * Fixes bug of iRMC driver in parse_driver_info where, if FIPS is enabled, SNMP version is always required to be version 3 even though iRMC driver's xxx_interface doesn't use SNMP actually. * Fixes a firmware incompatibility issue with iRMC versions S6 2.00 and later now doesn't support IPMI over LAN by default. To deal with this problem, irmc driver first tries IPMI operation then, if IPMI operation fails, it tries Redfish API of Fujitsu server. The operator must set Redfish parameters in the "driver_info" if iRMC disable or doesn't support IPMI over LAN. * Fixes "'NoneType' object is not iterable" in conductor logs for "redfish" and "idrac-redfish" RAID clean and deploy steps. The message should no longer appear. For affected nodes re-create the node or delete "raid_configs" entry from "driver_internal_info" field. * Fixes an issue in the online upgrade logic where database models for Node Traits and BIOS Settings resulted in an error when performing the online data migration. This was because these tables were originally created as extensions of the Nodes database table, and the schema of the database was slightly different enough to result in an error if there was data to migrate in these tables upon upgrade, which would have occured if an early BIOS Setting adopter had data in the database prior to upgrading to the Yoga release of Ironic. The online upgrade parameter now subsitutes an alternate primary key name name when applicable. * Fixes an issue where an agent token could be inadvertently orphaned if a node is already in the target power state when we attempt to turn the node off. * Fixes scope classification check with the "self_owned_node" policy check where it was limited to check execution with only project scoped, so system scoped users who ticked the policy endpoint would basically get an incorrect error. * Fixes the bug where provisioning a Redfish managed node fails if the BMC doesn't support EthernetInterfaces attribute, even if MAC address information is provided manually. This is done by handling of MissingAttributeError sushy exception in get_mac_addresses() method. This fix is needed to successfully provision machines such as Cisco UCSB and UCSX. * Modify iRMC driver to use ironic.conf [deploy] default_boot_mode to determine default boot_mode. * No longer re-calculates checksums for images that are already raw. Previously, it would cause significant delays in deploying raw images. * The per-node "external_http_url" setting in the driver info is now used for a boot ISO. Previously this setting was only used for a config floppy. * Fixes an issue where an agent token was being orphaned if a baremetal node timed out during cleaning operations, leading to issues where the node would not be able to establish a new token with Ironic upon future in some cases. We now always wipe the token in this case. Changes in ironic 21.1.0..21.1.1 -------------------------------- e38735cb9 Use per-node external_http_url for boot ISO ba97ec80e redfish_address - wrap_ipv6 address 1bd7ab875 [iRMC] Fix parse_driver_info bug enforcing SNMP v3 under FIPS mode 4fdf65ca5 Fix self_owned_node policy check 5e2d72cbf [ci] [stable-only] Cinder fixed; make BFV job vote 907f71742 [stable-only] [CI] BFV, RBAC jobs marked non-voting 07497e1b0 Fix Cinder Integration fallout from CVE-2023-2088 c45cf2017 Handle MissingAttributeError when using OOB inspections to fetch MACs ec6c37579 Always fall back from hard linking to copying files d6b970995 Add error logging on lookup failures in the API 2b0a5575c Fix online upgrades for Bios/Traits 4481031d7 Wipe Agent Token when cleaning timeout occcurs 3d32729fb Clean out agent token even if power is already off 3e3d4e1cb Do not recalculate checksum if disk_format is not changed a4a3b31d4 Do not move nodes to CLEAN FAILED with empty last_error e928980e7 [iRMC] Handle IPMI incompatibility in iRMC S6 2.x b91d174eb Move and fix reno config for releasenotes job 728301fc2 Fix selinux context of published image hardlink be92735d7 Fix "'NoneType' object is not iterable" in RAID 1ba3d29a0 Fixes for tox 4.0 49dade88c Fix unit tests for Python 3.11 f882fa0fa Align iRMC driver with Ironic's default boot_mode ff06b3d2a Fix the invalid glance client test 17fb4f706 Update TOX_CONSTRAINTS_FILE for stable/zed e45428d35 Update .gitreview for stable/zed Diffstat (except docs and test files) ------------------------------------- .gitreview | 1 + devstack/lib/ironic | 2 +- ironic/api/controllers/v1/ramdisk.py | 6 +- ironic/common/cinder.py | 71 +++++- ironic/common/glance_service/image_service.py | 3 +- ironic/common/image_service.py | 35 ++- ironic/common/keystone.py | 24 +- ironic/common/policy.py | 4 +- ironic/common/states.py | 3 + ironic/common/utils.py | 23 +- ironic/conductor/cleaning.py | 26 +- ironic/conductor/manager.py | 3 +- ironic/conductor/task_manager.py | 11 +- ironic/conductor/utils.py | 19 +- ironic/conf/glance.py | 1 + ironic/db/sqlalchemy/api.py | 33 ++- ironic/drivers/modules/deploy_utils.py | 37 ++- ironic/drivers/modules/image_utils.py | 13 +- ironic/drivers/modules/irmc/common.py | 14 ++ ironic/drivers/modules/irmc/inspect.py | 89 +++++-- ironic/drivers/modules/irmc/management.py | 251 ++++++++++++++++--- ironic/drivers/modules/irmc/power.py | 57 ++++- ironic/drivers/modules/redfish/management.py | 11 +- ironic/drivers/modules/redfish/raid.py | 8 +- ironic/drivers/modules/redfish/utils.py | 3 +- .../unit/drivers/modules/irmc/test_inspect.py | 132 ++++++++-- .../unit/drivers/modules/irmc/test_management.py | 267 +++++++++++++++++++-- .../drivers/modules/redfish/test_management.py | 10 + .../unit/drivers/modules/redfish/test_raid.py | 4 + .../unit/drivers/modules/redfish/test_utils.py | 8 + .../unit/drivers/modules/test_deploy_utils.py | 73 +++++- releasenotes/config.yaml | 5 + .../notes/cinder-2019892-6b5a9de5c5f05aa6.yaml | 16 ++ .../notes/cleaning-error-5c13c33c58404b97.yaml | 8 + .../notes/cross-link-1ffd1a4958f14fd7.yaml | 5 + ...ix-context-image-hardlink-16f452974abc7327.yaml | 7 + ...nforcing-snmpv3-with-fips-e45971d363925ec3.yaml | 6 + ...2.00-ipmi-incompatibility-118484a424df02b1.yaml | 15 ++ ...pe-object-is-not-iterable-0592926d890d6c11.yaml | 7 + ...-online-version-migration-db432a7b239647fa.yaml | 14 ++ .../fix-power-off-token-wipe-e7d605997f00d39d.yaml | 6 + ...ix-self-owned-node-policy-fc2dae357879dc33.yaml | 7 + ...g-ethernetinterfaces-attr-7e52f7259fe66762.yaml | 9 + ...-ironic-default-boot-mode-dde6f65ea084c9e6.yaml | 12 + .../notes/no-recalculate-653e524fd6160e72.yaml | 5 + ...ode-iso-external_http_url-c5e3fa9ae4960dd6.yaml | 5 + ...ken-upon-cleaning-timeout-c9add514fad1b02c.yaml | 7 + reno.yaml | 4 - tox.ini | 19 +- zuul.d/project.yaml | 11 +- 65 files changed, 1658 insertions(+), 369 deletions(-)