We are pleased to announce the release of: ironic 27.0.0

This release is part of the epoxy release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://bugs.launchpad.net/ironic/+bugs

For more details, please see below.

27.0.0
^^^^^^

New Features
************

* A new module, "ironic.wsgi", has been enabled as an entrypoint for
  WSGI runners. For example, if using uWSGI, then instead of:

     [uwsgi]
     wsgi-file = /bin/ironic-api-wsgi

  You can now use:

     [uwsgi]
     module = ironic.wsgi:application

  Legacy installed wsgi scripts will be removed in a future version of
  Ironic.

Upgrade Notes
*************

* Because of the code reorganization, some metrics have been removed:
  all metrics prefixed with "AgentDeployMixin" are now prefixed with
  "CustomAgentDeploy" or "AgentDeploy" instead.

* Deployers using PostgreSQL must migrate to a supported
  MySQL-compatible database, such as MySQL or MariaDB.

* Support for Python 3.8 has been removed. The minimum supported
  Python version is now 3.9.

Deprecation Notes
*****************

* Use of PostgreSQL has been deprecated for all OpenStack projects,
  including ironic, for several years. However, in an effort to avoid
  breaking existing installs, we had tested database migrations and
  performed a basic functionality test against PostgreSQL. This test
  has now been removed, and operators deployed on PostgreSQL must
  migrate to a MySQL-compatible database, such as MySQL or MariaDB,
  before upgrade.

Security Issues
***************

* An issue in Ironic has been resolved where image checksums would not
  be checked prior to the conversion of an image to a "raw" format
  image from another image format.

  With default settings, this would not normally take place. It
  required the "image_download_source" option, which can be set at the
  "node" level for a single deployment, as the default for that
  baremetal node in all cases, or via the
  "[agent]image_download_source" configuration option, to be set to
  "local". By default, this setting is "http".

  This was in concert with the "[DEFAULT]force_raw_images" option when
  set to "True", which caused Ironic to download and convert the file.

  In a fully integrated context of Ironic's use in a larger OpenStack
  deployment, where images are coming from the Glance image service,
  the previous pattern was not problematic. The overall issue was
  introduced as a result of the capability to supply, cache, and
  convert a disk image provided as a URL by an authenticated user.

  Ironic will now validate the user-supplied checksum prior to image
  conversion on the conductor. This can be disabled using the
  "[conductor]disable_file_checksum" configuration option.

Bug Fixes
*********

* The set of strings used to detect cipher suite version related
  errors in the "ipmitool" command was expanded. If the string "Error
  in open session response message : invalid role" is contained in the
  output of a failed "ipmitool" command execution, that error is now
  also treated as related to inappropriate ciphers, and the command is
  retried with another cipher suite version if Ironic is configured to
  do so. See bug 2085137 (https://launchpad.net/bugs/2085137) for more
  details.

* Fixes the policy scope checking for the RBAC Policy
  "baremetal:node:disable_cleaning", which was previously restricted
  to "system" user scope. The scope restriction has been revised to
  permit "project" scoped matching, but the default RBAC policy has
  not been revised.

* Fixes a security issue where Ironic would fail to checksum disk
  image files it downloads when Ironic had been requested to download
  and convert the image to a raw image format. This required the
  "image_download_source" to be explicitly set to "local", which is
  not the default.

  This fix can be disabled by setting
  "[conductor]disable_file_checksum" to "True", however this option
  will be removed in new major Ironic releases.

  As a result of this, parity has been introduced to align Ironic to
  Ironic-Python-Agent's support for checksums used by "standalone"
  users of Ironic. This includes support for remote checksum files to
  be supplied by URL, in order to prevent breaking existing users
  which may have inadvertently been leveraging the prior code path.
  This support can be disabled by setting
  "[conductor]disable_support_for_checksum_files" to "True".

* Fixes newly added policy rules,
  "baremetal:node:set_provision_state:clean_steps" and
  "baremetal:node:set_provision_state:service_steps", which impacted
  "project scoped" users utilizing the "2024.2" release of Ironic
  where they were attempting to invoke "service" or "clean" provision
  state commands. This was due to a misunderstanding of the correct
  policy checker to invoke, and additional testing has been added
  around these functions to ensure they work as expected moving
  forward.

* Fixes an issue with SQLite database usage. Previously, ironic node
  provisioning could fail with an error related to accessing the
  hostname. For more details please see bug 2086682
  (https://bugs.launchpad.net/ironic/+bug/2086682).

* Fixes aborting in-band inspection. Previously, it would fail with
  "Can not transition from state 'inspect failed' on event 'abort'".

* The configuration option "[inspector]power_off" is now actually
  ignored for nodes with fast track enabled, as documented in its
  help.

* Fixes the built-in in-band inspection implementation to power off
  the node after aborting inspection on user's request, unless the
  node is in the fast track mode or "[inspector]power_off" is set to
  "False".

* Adds a timeout to the "service wait" state. Previously, a node stuck
  in this state would remain in it forever. The timeout value can be
  adjusted via the new option "[conductor]service_callback_timeout".

* Add support for passing either a node's name or UUID through the
  'node_ident' parameter during port creation. The 'node_uuid'
  parameter is now deprecated.

Other Notes
***********

* The "AgentDeployMixin" class has been removed from "agent_base.py".
  Third-party deploy interfaces that inherit it most probably want to
  inherit "ironic.drivers.modules.agent.CustomAgentDeploy" instead. If
  you rely on the "prepare_instance_to_boot" or "configure_local_boot"
  helper methods, inherit from "AgentDeploy" instead.

Changes in ironic 26.1.0..27.0.0
--------------------------------

f41504a41 Use quay.io registry image for metal3 job
360e21124 Use specific fix-commit from dnsmasq
e2fce4c0d Fix genconfig: remove now-gone ironic_lib modules
c43022c75 Disable deep image inspection for kernel/initramfs
bf644e827 Fix policy checks added with runbooks
e3953b845 trivial: remove libpq from bindep file
80c83d82f Refactoring: simplify tear_down_agent
91b7a4621 Inspection: account for disable_power_off
466cd3902 Remove postgresql testing and documentation
e7fc5c93a Add support for Ubuntu 24.04
8de2b4950 update doc and drop deprecated plugin
cde358bda Remove default override for config options policy_file
5cf5f6f27 bump some pre-commit hooks and remove default cfg
27bd04925 Use linux instead of linuxefi in grub config
2cb56f8b9 add qemu-img to necessary dependency list
6af6d10ab Instance provisioning fails on SQLite
4f40ddef2 Actually ignore [inspector]power_off with fast track
6008d31f2 add pyproject.toml to support pip 23.1
166e31794 Check for AMD virtualization support
ffecec3c5 trivial: Fix policy scope restriction for automated cleaning
8466ba7c2 Added missing fields in API Ref
80c8b9f3f Migrate lint to pre-commit
f6191f296 Fix lint issues with documentation
045249f60 Remove trailing whitespace
95ae183dc Correct duplicated names/entries in unit tests
a72aad535 Make all API samples valid JSON
3db454f0e Enable WSGI module entrypoint for Ironic
fde2cd608 CI: Change 4k block device job to use LVM
6bbfa45e1 Remove Python 3.8 support
48b2d856a docs: adds link to oslo_messaging_notifications documentation
da002a341 Add support for node name in port creation
80540bb52 Expand detected strings in check_cipher_suite_errors
c09525dd8 Gracefully handle bad request exception
823a7c93b Added Localdev Docs on changing microversion
7b807eff7 Enable GLOBAL_VENV in ironic grenade jobs
599fb4b64 Redfish power: account for disable_power_off
ae4d5b5c4 docs: Updates redfish metrics docs with required configuration file settings
05ccd2c32 devstack: Remove IRONIC_USE_WSGI
fd9e8b945 devstack: Remove IRONIC_USE_MOD_WSGI
5f58cbf22 Continue disable the GLOBAL_VENV in grenade job
ac31720ac docs: Add context around asynchronous device initialization
1f5798bce Use oslo.utils implementation to parse server address
00c5e0faf Checksum files before raw conversion
90f9fa3eb Fix actual size calculation for storage fallback logic
0d7fd7391 CI: Add a 4k disk CI job
083ea91ab Imported Translations from Zanata
f92258e76 Reject explicit requests to power off nodes with disable_power_off
b1e38a45c Add disable_power_off field to the node model
aac5fa28e Imported Translations from Zanata
46f1962ea Drop logic for pysnmp < 5
6f1c603b5 CI: Enable the ability to have test VMs with different block sizes
1a0de7247 Add timeout to SERVICEWAIT
82b67aa36 Firmware Update via Firmware Interface Docs
adfb09169 Fix inspect interface for redfish driver in the docs
8a6b5eb8c Fix double transition to INSPECTFAIL on aborting in-band inspection
4724eb9d6 Refactoring: get rid of AgentDeployMixin
c2ed9296f Imported Translations from Zanata
c53ed0715 Fix typo in parameter description
fd2572f46 Update master for stable/2024.2
533e1ad60 doc: Promote built-in introspection from experimental
7e85b3ed4 doc/source/admin fixes part-1
341ddfe75 Move the benchmark job to the experimental pipeline
9810fa996 [doc] Add instructions on making big fake-BM nodes
dcf155d9c devstack - enable v6 addr list if q-dhcp enabled

Diffstat (except docs and test files)
-------------------------------------

 .pre-commit-config.yaml | 55 +-
 api-ref/source/baremetal-api-v1-nodes.inc | 8 +
 api-ref/source/baremetal-api-v1-ports.inc | 8 +-
 api-ref/source/parameters.yaml | 15 +
 .../source/samples/node-bios-detail-response.json | 12 +-
 .../samples/node-bios-list-details-response.json | 12 +-
 .../samples/node-indicators-list-response.json | 12 +-
 api-ref/source/samples/port-create-request.json | 2 +-
 api-ref/source/samples/shards-list-response.json | 2 +-
 bindep.txt | 8 +-
 devstack/files/bindep.txt | 10 +-
 devstack/files/ci-block-device-for-lvm.yaml | 73 ++
 devstack/lib/ironic | 181 ++--
 devstack/tools/ironic/scripts/configure-vm.py | 3 +
 devstack/tools/ironic/scripts/create-node.sh | 8 +-
 devstack/tools/ironic/templates/vm.xml | 1 +
 devstack/upgrade/upgrade.sh | 2 +-
 ironic/api/controllers/v1/node.py | 35 +-
 ironic/api/controllers/v1/port.py | 19 +-
 ironic/api/controllers/v1/portgroup.py | 2 +
 ironic/api/controllers/v1/utils.py | 5 +
 ironic/api/controllers/v1/versions.py | 4 +-
 ironic/common/checksum_utils.py | 258 ++++++
 ironic/common/exception.py | 22 +
 ironic/common/grub_conf.template | 4 +-
 ironic/common/image_service.py | 37 +
 ironic/common/images.py | 9 +-
 ironic/common/policy.py | 11 +-
 ironic/common/pxe_utils.py | 18 +-
 ironic/common/release_mappings.py | 4 +-
 ironic/conductor/inspection.py | 5 +-
 ironic/conductor/manager.py | 25 +-
 ironic/conductor/utils.py | 7 +-
 ironic/conf/conductor.py | 29 +
 ironic/conf/inspector.py | 2 +-
 .../6e9cf6acce0b_node_disable_power_off.py | 31 +
 ironic/db/sqlalchemy/api.py | 2 +-
 ironic/db/sqlalchemy/models.py | 2 +
 ironic/drivers/modules/agent.py | 318 ++++++-
 ironic/drivers/modules/agent_base.py | 304 -------
 ironic/drivers/modules/deploy_utils.py | 70 +-
 ironic/drivers/modules/image_cache.py | 60 +-
 ironic/drivers/modules/inspector/agent.py | 36 +-
 ironic/drivers/modules/inspector/interface.py | 65 +-
 ironic/drivers/modules/ipmitool.py | 8 +-
 ironic/drivers/modules/irmc/boot.py | 10 +-
 ironic/drivers/modules/pxe_grub_config.template | 14 +-
 ironic/drivers/modules/redfish/power.py | 18 +-
 ironic/drivers/modules/snmp.py | 34 +-
 ironic/objects/node.py | 35 +-
 .../unit/drivers/modules/inspector/test_agent.py | 127 ++-
 .../drivers/modules/inspector/test_interface.py | 249 +++---
 .../unit/drivers/modules/redfish/test_power.py | 75 +-
 .../unit/drivers/modules/test_deploy_utils.py | 241 +++++-
 ironic/wsgi/__init__.py | 23 +
 playbooks/metal3-ci/run.yaml | 1 +
 pyproject.toml | 6 +
 .../add-wsgi-entrypoints-79f8f3cf3b7a663f.yaml | 18 +
 .../notes/agent-deploy-cacaf7f2585992e8.yaml | 14 +
 ...ion-ipmitools-cipher-fail-1503b4e319e77ed8.yaml | 11 +
 ...striction-automated-clean-2f9f82058b5bad87.yaml | 8 +
 ...hecksum-before-conversion-66d273b94fa2ba4d.yaml | 44 +
 ...provision-state-subpolicy-13ae3ef7497d20c1.yaml | 12 +
 .../notes/fix-sqlite-lock-61232cfe81adbde4.yaml | 7 +
 .../notes/inspect-abort-8add5e6e6b599357.yaml | 5 +
 .../notes/inspect-off-099e3c73edaf6082.yaml | 9 +
 .../notes/postgres-removal-88f8b02dbfc3303c.yaml | 13 +
 .../notes/remove-py38-bc14b5425f440359.yaml | 5 +
 .../servicewait-timeout-6ab4aca87cf76cc2.yaml | 6 +
 ...ode-name-in-port-creation-66f994e3d46a7e6c.yaml | 6 +
 releasenotes/source/2024.2.rst | 6 +
 releasenotes/source/index.rst | 1 +
 releasenotes/source/liberty.rst | 6 +-
 .../locale/en_GB/LC_MESSAGES/releasenotes.po | 247 +++++-
 .../source/locale/ja/LC_MESSAGES/releasenotes.po | 159 ++++
 requirements.txt | 4 +-
 setup.cfg | 6 +-
 setup.py | 2 +-
 test-requirements.txt | 1 -
 tools/bandit.yml | 1 +
 tools/config/ironic-config-generator.conf | 3 -
 tools/test-setup.sh | 50 --
 tox.ini | 108 +--
 zuul.d/ironic-jobs.yaml | 93 +-
 zuul.d/metal3-jobs.yaml | 3 +
 zuul.d/project.yaml | 15 +-
 152 files changed, 4768 insertions(+), 2160 deletions(-)

Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt index 25f9d4c49..70f616200 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5 +5 @@ -pbr>=3.1.1 # Apache-2.0 +pbr>=6.0.0 # Apache-2.0 @@ -22 +22 @@ oslo.middleware>=3.31.0 # Apache-2.0 -oslo.policy>=4.4.0 # Apache-2.0 +oslo.policy>=4.5.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 772496f8f..52e337a59 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -9 +8,0 @@ stestr>=2.0.0 # Apache-2.0 -psycopg2>=2.8.5 # LGPL/ZPL
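
Review bot: the pbr floor in requirements.txt jumps from 3.1.1 to 6.0.0 (hunk @@ -5 +5 @@) with nothing beside it except the license tag, and the Upgrade Notes in this announcement do not mention it. A minimum raised across several major versions matters to packagers and to anyone pinning build dependencies, so name the change that needs it; if it is the new pyproject.toml listed in the diffstat (commit 6008d31f2, "add pyproject.toml to support pip 23.1"), say so in a release note.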
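
Review bot: the oslo.policy minimum moves from 4.4.0 to 4.5.0 (hunk @@ -22 +22 @@) in the same release that carries two policy scope fixes, but nothing on the changed line ties the bump to either of them. If the "baremetal:node:disable_cleaning" or "set_provision_state" fixes depend on behaviour that first appears in 4.5.0, state that in the corresponding release note so operators who hold oslo.policy at an older version know the fix is not effective there.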
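
The ordering described in the Security Issues and Bug Fixes notes above (validate the user-supplied checksum, and only then convert), shown as an added example that is not Ironic's code. The function names, the sha256sum-style checksum listing, the length-based algorithm detection and the restriction to SHA-256/SHA-512 are assumptions of this example.

```python
import hashlib
import hmac
import pathlib
import tempfile

# Bare digests are mapped to an algorithm by hex length (example's assumption).
BY_LENGTH = {64: "sha256", 128: "sha512"}

def digest_from_checksum_file(text, image_name):
    """Find image_name in a sha256sum-style listing: '<hex>  <file>'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == image_name:
            return parts[0]
    raise ValueError(f"no checksum listed for {image_name}")

def split_checksum(value):
    """Accept 'sha512:<hex>' or a bare hex digest; return (algo, hex)."""
    algo, sep, digest = value.strip().lower().partition(":")
    if not sep:
        algo, digest = BY_LENGTH.get(len(algo)), algo
    if algo not in BY_LENGTH.values():
        raise ValueError("unsupported or unrecognised checksum")
    return algo, digest

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def verify_then_convert(path, checksum, convert):
    """Call convert(path) only if the file matches the supplied checksum."""
    algo, expected = split_checksum(checksum)
    actual = file_digest(path, algo)
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        raise ValueError(f"{algo} mismatch for {path}; not converting")
    return convert(path)

def demo():
    """Constructed sample: a tiny 'image' and a matching checksum listing."""
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "disk.qcow2")
        path.write_bytes(b"constructed image bytes")
        listing = f"{file_digest(path, 'sha256')}  disk.qcow2\n"
        checksum = digest_from_checksum_file(listing, "disk.qcow2")
        # The lambda stands in for the real raw-conversion step.
        return verify_then_convert(path, checksum, lambda p: "converted")
```

The converter callback is never reached on a mismatch, which is the property the fix restores for the download-and-convert path.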
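
A check an operator could run over ironic.conf for the option combination named in the Security Issues note above. This is an added example, not part of Ironic; the `audit` function, its severity labels, the sample file and every fallback value other than "http" are assumptions.

```python
import configparser

# Constructed ironic.conf fragment for the demonstration (not a real file).
SAMPLE = """\
[DEFAULT]
force_raw_images = True
[agent]
image_download_source = local
[conductor]
disable_file_checksum = True
"""


def audit(conf_text):
    """Return findings on the conductor's download-and-convert path."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    # "http" as the default is stated in the release note; the other
    # fallbacks (True, False, False) are assumptions of this example.
    source = cfg.get("agent", "image_download_source", fallback="http")
    raw = cfg.getboolean("DEFAULT", "force_raw_images", fallback=True)
    skip_sum = cfg.getboolean(
        "conductor", "disable_file_checksum", fallback=False)
    skip_files = cfg.getboolean(
        "conductor", "disable_support_for_checksum_files", fallback=False)

    converts = raw and source.strip().lower() == "local"
    findings = []
    if skip_sum and raw:
        if converts:
            findings.append(
                "HIGH: conductor converts images without checking checksums")
        else:
            # image_download_source can also be set to "local" per node.
            findings.append(
                "MEDIUM: checksum check disabled; a node-level "
                "image_download_source=local would convert unchecked")
    if converts and skip_files and not skip_sum:
        findings.append(
            "INFO: checksum files supplied by URL are not accepted")
    return findings
```

`audit(SAMPLE)` reports the HIGH finding; a file that leaves all four options unset produces no findings.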