We jubilantly announce the release of: ironic 21.1.0: OpenStack Bare Metal Provisioning This release is part of the zed release series. The source is available from: https://opendev.org/openstack/ironic Download the package from: https://tarballs.openstack.org/ironic/ Please report issues through: https://storyboard.openstack.org/#!/project/943 For more details, please see below. 21.1.0 ^^^^^^ Prelude ******* The Ironic team hereby announces the release of the *Zed* version of Ironic. This version, *21.1.0*, represents the collaboration of Ironic's contributors during the *Zed* release cycle, which first saw the release of Ironic *20.2.0*, and Ironic *21.1.0*. These versions saw improvements in functionality to better support infrastructure operators from the configuration of individual nodes, to support a greater separation of duties, and ultimately Self-Service Bare Metal as a Service, or "SSBMaaS". Along with these features, these releases have seen numerous bug fixes. We sincerely hope you enjoy it! New Features ************ * Adds "raritan_pdu2", "servertech_sentry3", "servertech_sentry4", and "vertivgest_pdu" snmp drivers to support additional PDU models. * Adds an automatic switch to "url" for the kickstart template when the source is a URL path as opposed to a "stage2" ramdisk. * Adds a concurrency limiter for number of nodes in states related to *Cleaning* and *Provisioning* operations across the ironic deployment. These settings default to a maximum number of concurrent deployments to "250" and a maximum number of concurrent deletes and cleaning operations to "50". These settings can be tuned using "[conductor]max_concurrent_deploy" and "[conductor]max_concurrent_clean", respectively. The defaults should generally be good for most operators in most cases. Large scale operators should evaluate the defaults and tune appropriately as this feature cannot be disabled, as it is a security mechanism. * Adds new clean steps "create_csr" and "add_https_certificate" to "ilo" and "ilo5" hardware types which allows users to create Certificate Signing Request(CSR) and adds signed HTTPS certificate to the iLO. * The "[dhcp]dhcp_provider" configuration option can now be set to "dnsmasq" as an alternative to "none" for standalone deployments. This enables the same node-specific DHCP capabilities as the "neutron" provider. See the "[dnsmasq]" section for configuration options. * Provides vendor passthru methods for "ilo" and "ilo5" hardware types to create, delete and get subscriptions for BMC events. These methods are supported for "HPE ProLiant Gen10" and "HPE ProLiant Gen10 Plus" servers. * Adds the capability for a project scoped "admin" user to be able to create nodes in Ironic, which are then manageable by the project scoped "admin" user. Effectively, this is self service Bare Metal as a Service, however more advanced fields such as drivers, chassies, are not available to these users. This is controlled through an auto-population of the Node "owner" field, and can be controlled through the "[api]project_admin_can_manage_own_nodes" setting, which defaults to "True", and the new policy "baremetal:node:create:self_owned_node". * Adds the capability for a project scoped "admin" user to be able to delete nodes from Ironic which their *project* owns. This can be contolled through the "[api]project_admin_can_manage_own_nodes" setting, which defaults to "True", as well as the "baremetal:node:delete:self_owned_node" policy. Upgrade Notes ************* * Large scale operators should be aware that a new feature, referred to as "Concurrent Action Limit" was introduced as a security mechanism to provide a means to limit attackers, or faulty scripts, from potentially causing irreperable harm to an environment. This feature cannot be disabled, and operators are encouraged to tune the new settings "[conductor]max_concurrent_deploy" and "[conductor]max_concurrent_clean" to match the needs of their environment. * Operators who are upgrading should be aware that a bug was discovered with the automatic selection of "boot_interface" for users of the "ilo" and "ilo5" hardware types. This was an inconsistency, resulting in "pxe" being selected instead of "ipxe" if both boot interfaces were enabled. Depending on the local configuration, this may, or may not have happened and will remain static on preexisting baremetal nodes. Some users may have been relying upon this incorrect behavior by having misalligned defaults by trying to use the "pxe" interface for "ipxe". Users wishing to continue this usage as it was previously will need to explicitly set a "boot_interface" value to either "pxe" or "ilo-ipxe" by default, depending on the local configuration. Most operators have leveraged the default examples, and thus did not explicitly encounter this condition. Operators explicitly wishing to use "pxe" boot interfaces with the "ipxe" templates and defaults set to override the defaults for "ironic.conf" will need to either continue to leverage default override configurations in their "ironic.conf" file. Security Issues *************** * This release contains an improvement which, by default, allows users to create and delete baremetal nodes inside their own project. This can be disabled using the "[api]project_admin_can_manage_own_nodes" setting. Bug Fixes ********* * Fixes detecting of allowable values for a BIOS settings enumeration in the "redfish" BIOS interface when only "ValueDisplayName" is provided. * Adds a configuration option, "[anaconda]insecure_heartbeat" to allow for TLS certificate validation to be disabled in the "anaconda" deployment interface, which is needed for continious integration to be able to be performed without substantial substrate image customization. This option is *not* advised for any production usage. * Fixes an issue where image information retrieval would fail when a path was supplied when using the "anaconda" deploy interface, as *HTTP* "HEAD" requests on a URL path have no "Content-Length". We now consider if a path is used prior to attempting to collect additional configuration data from what is normally expected to be Glance. * Fixes an issue where the fallback to a default kickstart template value would result in error indicating "Scheme-less image href is not a UUID". This was becaues the handling code falling back to the default did not explicitly indicate it was a file URL before saving the value. * Fixes an issue where cleaning operations could fail in such a way that was not easily recoverable when pre-cleaning network interface configuration was validated, yet contained invalid configuration. Now Ironic properly captures the error and exits from cleaning in a state which allows for cleaning to be retried. * Fixes "idrac-redfish" RAID "delete_configuration" step to convert PERC 9 and PERC 10 controllers to RAID mode if it is not already set. * Fixes the default boot interface order for the "ilo" hardware type where previously it would prefer "pxe" over "ipxe". This created inconsistencies for operators using multiple hardware types, where both interfaces were enabled in the deployment. * Fixes API error messages with jsonschema>=4.8. A possible root cause is now detected for generic schema errors. * Fixes an issue where the Redfish session cache would continue using an old session when a password for a Redfish BMC was changed. Now the old session will not be found in this case, and a new session will be created with the latest credential information available. Other Notes *********** * The maximum disk erasure concurrency setting, "[deploy]disk_erasure_concurrency" has been incremed to 4. Previously, this was kept at 1 in order to maintain continuity of experience, but operators have not reported any issues with an increased concurrency, and as such we feel comfortable upstream enabling concurrent disk erasure/cleaning. This setting applies to the "erase_devices" clean step. Changes in ironic 21.0.0..21.1.0 -------------------------------- 38a170dd6 Zed: Add a prelude for the release notes a14b3d02f Set stage for Zed Release with 21.1 e340fc39b Document existence of non-production "fake" driver 31c808740 Fix nodes stuck at cleaning on Network Service issues 9a8b1d149 Concurrent Distructive/Intensive ops limits 397e49a5e Fix idrac-redfish RAID controller mode conversion e6e4d7ccd Update sushy-oem-idrac version 211b25f30 Zed Ironic requires Sushy >4 4415c5502 Cleanup submitted SNMP driver code for additional PDUs 9c19dd6ef Adds create_csr and add_https_certificate clean step 25b3e6796 tests: Add a WarningsFixture b796d7b83 Imported Translations from Zanata d8fc96fd1 CI: Changes to support Anaconda CI jobs 74795abf2 Fix compatibility with oslo.db 12.1.0 166bd1697 Enables event subscription methods for ilo and ilo5 hardware types 754e6bb66 Implement a DHCP driver backed by dnsmasq 9eec74666 Update releasenote for proper formatting 62f9c61ae Improve error message heuristics with jsonschema>=4.8 721439242 [config-doc] Fix help for default_boot_mode 9f1f58c6a redfish: fixes usage of ValueDisplayName c2ba86904 Redfish: Consider password part of the session cache e75626392 CI: anaconda: permit tls certificate validation bypass 5c1dd47e6 Add kickstart template 'url' option bc8705c16 Allow project scoped admins to create/delete nodes c921c077d Fix ilo boot interface order 4d653ac22 Correct Image properties lookup for paths 556d5de9d increase disk_erasure_coconcurrency Diffstat (except docs and test files) ------------------------------------- devstack/lib/ironic | 41 ++- driver-requirements.txt | 4 +- ironic/api/controllers/v1/node.py | 44 ++- ironic/api/controllers/v1/utils.py | 12 +- ironic/api/controllers/v1/versions.py | 5 +- ironic/common/args.py | 17 +- ironic/common/exception.py | 10 + ironic/common/policy.py | 19 +- ironic/common/pxe_utils.py | 90 +++--- ironic/common/release_mappings.py | 26 +- ironic/conductor/cleaning.py | 2 +- ironic/conductor/manager.py | 52 +++- ironic/conf/__init__.py | 2 + ironic/conf/anaconda.py | 11 + ironic/conf/api.py | 5 + ironic/conf/conductor.py | 26 ++ ironic/conf/deploy.py | 6 +- ironic/conf/dhcp.py | 3 +- ironic/conf/dnsmasq.py | 43 +++ ironic/conf/ilo.py | 5 + ironic/db/api.py | 9 + ironic/db/sqlalchemy/__init__.py | 4 +- ironic/db/sqlalchemy/api.py | 24 ++ ironic/dhcp/base.py | 11 + ironic/dhcp/dnsmasq.py | 159 ++++++++++ ironic/dhcp/neutron.py | 11 + ironic/drivers/ilo.py | 5 +- ironic/drivers/modules/drac/raid.py | 82 +++++ ironic/drivers/modules/ilo/common.py | 42 +++ ironic/drivers/modules/ilo/management.py | 79 ++++- ironic/drivers/modules/ilo/vendor.py | 43 ++- ironic/drivers/modules/ks.cfg.template | 23 +- ironic/drivers/modules/redfish/bios.py | 18 +- ironic/drivers/modules/redfish/utils.py | 61 ++-- ironic/drivers/modules/snmp.py | 339 +++++++++++++++++++++ .../unit/drivers/modules/ilo/test_management.py | 115 +++++++ .../unit/drivers/modules/redfish/test_bios.py | 3 +- .../unit/drivers/modules/redfish/test_utils.py | 16 + .../notes/ValueDisplayName-13837c653277ff08.yaml | 5 + .../additonal-snmp-drivers-ae1174e6bd6ee3a6.yaml | 5 + ...tart-auto-url-in-template-9f716c244adff159.yaml | 5 + ...t-cert-validation-disable-6611d3cb9401031d.yaml | 8 + ...concurrency-limit-control-4b101bca7136e08d.yaml | 23 ++ ...rce-path-handling-lookups-4ce2023a56372f10.yaml | 16 + .../create_csr_clean_step-a720932f61b42118.yaml | 7 + .../notes/dnsmasq_dhcp-9154fcae927dc3de.yaml | 7 + ...ing-stuck-on-networkerror-4aedbf3673413af6.yaml | 8 + ...c-redfish-controller-mode-7b55c58d09240d3c.yaml | 5 + ...-ilo-boot-interface-order-238a2da9933cf28c.yaml | 26 ++ .../ilo-event-subscription-0dadf136411bd16a.yaml | 7 + .../notes/jsonschema-4.8-1146d103b877cffd.yaml | 5 + ...-disk-erasure-concurrency-6d132bd84e3df4cf.yaml | 10 + ...o-longer-scope-restricted-b455f66a751f10ec.yaml | 27 ++ ...password_in_session_cache-1fa84234db179053.yaml | 7 + ...rac-reset-if-attr-missing-b2a2b609c906c6c4.yaml | 10 +- .../notes/zed-prelude-09fe95b11ad2459d.yaml | 12 + .../locale/en_GB/LC_MESSAGES/releasenotes.po | 35 ++- requirements.txt | 2 +- setup.cfg | 1 + tox.ini | 1 - zuul.d/ironic-jobs.yaml | 42 +++ zuul.d/project.yaml | 2 + 85 files changed, 2809 insertions(+), 253 deletions(-) Requirements updates -------------------- diff --git a/driver-requirements.txt b/driver-requirements.txt index 5333dbd4f..876e817cb 100644 --- a/driver-requirements.txt +++ b/driver-requirements.txt @@ -7 +7 @@ -proliantutils>=2.13.0 +proliantutils>=2.14.0 @@ -20 +20 @@ python-ibmcclient>=0.2.2,<0.3.0 -sushy-oem-idrac>=4.0.0,<5.0.0 +sushy-oem-idrac>=5.0.0,<6.0.0 diff --git a/requirements.txt b/requirements.txt index 24c09f50c..ae8e14f39 100644 --- a/requirements.txt +++ b/requirements.txt @@ -50 +50 @@ openstacksdk>=0.48.0 # Apache-2.0 -sushy>=3.10.0 +sushy>=4.3.0