We eagerly announce the release of:

ironic 17.0.3: OpenStack Bare Metal Provisioning

This release is part of the wallaby stable release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://storyboard.openstack.org/#!/project/943

For more details, please see below.

17.0.3
^^^^^^

Security Issues
***************

* Fixes an issue with the "/v1/nodes/detail" endpoint where an
  authenticated user could explicitly ask for an "instance_uuid"
  lookup and the associated node would be returned to the user with
  sensitive fields redacted in the result payload if the user did not
  explicitly have "owner" or "lessee" permissions over the node. This
  is considered a low-impact low-risk issue as it requires the API
  consumer to already know the UUID value of the associated instance,
  and the returned information is mainly metadata in nature. More
  information can be found in Storyboard story 2008976
  (https://storyboard.openstack.org/#!/story/2008976).

Bug Fixes
*********

* If the agent accepts a command, but is unable to reply to Ironic
  (which sporadically happens because of eventlet's TLS
  implementation), we currently retry the request and fail because the
  command is already executing. Ironic now detects this situation by
  checking the list of executing commands after receiving a connection
  error. If the requested command is the last one, we assume that the
  command request succeeded.

* When local boot is used (e.g. by default), the instance image
  validation now happens only in the deploy interface, not in the boot
  interface (as before). This means that the boot interface validation
  will now pass in many cases where it would previously fail.
* Fixes an issue with the "/v1/nodes/detail" endpoint where requests
  for an explicit "instance_uuid" match would not follow the standard
  query handling path and thus not be filtered based on policy
  determined access level and node level "owner" or "lessee" fields
  appropriately. Additional information can be found in story 2008976
  (https://storyboard.openstack.org/#!/story/2008976).

* No longer masks configdrive when sending the node's record to
  in-band deploy steps.

* Fixes handling of single-value (non-key-value) parameters in the
  "[inspector]extra_kernel_params" configuration options.

* The behavior when a bootable iso ramdisk is provided behind an http
  server is to download and serve the image from the conductor; the
  image is removed only when the node is undeployed. In certain cases,
  for example on large deployments, this could cause undesired
  behaviors, like the conductor nodes running out of disk storage. To
  avoid this event we provide an option
  "[deploy]ramdisk_image_download_source" to be able to tell the
  ramdisk interface to directly use the bootable iso url from its
  original source instead of downloading it and serving it from the
  conductor node. The default behavior is unchanged.

* Fixes sub-optimal Ironic API performance where Secure RBAC related
  field level policy checks were executing without first checking if
  there were field results. This helps improve API performance when
  only specific columns have been requested by the API consumer.
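The "/v1/nodes/detail" issue described under Security Issues and Bug Fixes, shown as a simplified model. This is an added example, not Ironic's code: the Node class, the sample inventory and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:  # simplified model; only the fields the release note names
    uuid: str
    owner: Optional[str]
    lessee: Optional[str]
    instance_uuid: Optional[str]
    driver_info: dict

# Constructed sample inventory.
NODES = [
    Node("node-a", "project-1", None, "inst-111", {"ipmi_password": "pw-a"}),
    Node("node-b", "project-2", "project-3", "inst-222", {"ipmi_password": "pw-b"}),
    Node("node-c", "project-2", None, None, {"ipmi_password": "pw-c"}),
]

def visible_to(node, project, is_admin):
    """Access decision: admins see every node, others only nodes they own or lease."""
    return is_admin or project in (node.owner, node.lessee)

def sanitize(node):
    """Field-level redaction. It hides secrets but does not decide visibility."""
    masked = {key: "******" for key in node.driver_info}
    return {"uuid": node.uuid, "instance_uuid": node.instance_uuid,
            "driver_info": masked}

def detail_before(project, is_admin=False, instance_uuid=None):
    """Pre-fix shape: the instance_uuid lookup returns early and skips visible_to()."""
    if instance_uuid is not None:
        return [sanitize(n) for n in NODES if n.instance_uuid == instance_uuid]
    return [sanitize(n) for n in NODES if visible_to(n, project, is_admin)]

def detail_after(project, is_admin=False, instance_uuid=None):
    """Post-fix shape: instance_uuid only narrows the policy-filtered result."""
    nodes = [n for n in NODES if visible_to(n, project, is_admin)]
    if instance_uuid is not None:
        nodes = [n for n in nodes if n.instance_uuid == instance_uuid]
    return [sanitize(n) for n in nodes]

if __name__ == "__main__":
    # project-1 neither owns nor leases node-b, but knows its instance UUID.
    print("before:", detail_before("project-1", instance_uuid="inst-222"))
    print("after: ", detail_after("project-1", instance_uuid="inst-222"))
    print("lessee:", detail_after("project-3", instance_uuid="inst-222"))
```

A regression test for this class of bug asserts on the number of records returned to a non-owner, since the redacted payload alone looks well-formed.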
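The agent command fix from the first Bug Fixes item, modelled with a stand-in agent. This is an added example, not Ironic's agent client: FakeAgent, its "name" and "status" fields and both retry functions are hypothetical, and the check mirrors the note's rule that the requested command must be the last one in the list.

```python
class FakeAgent:
    """Constructed stand-in for the in-band agent (not the real agent API)."""

    def __init__(self, lose_request=False, lose_reply=False):
        self.commands = []
        self.lose_request = lose_request   # fail once before the command is accepted
        self.lose_reply = lose_reply       # fail once after the command is accepted

    def post_command(self, name):
        if self.lose_request:
            self.lose_request = False
            raise ConnectionError("request never reached the agent")
        if any(c["status"] == "RUNNING" for c in self.commands):
            raise RuntimeError("a command is already executing")
        self.commands.append({"name": name, "status": "RUNNING"})
        if self.lose_reply:
            self.lose_reply = False
            raise ConnectionError("reply lost after the command was accepted")
        return self.commands[-1]

    def list_commands(self):
        return list(self.commands)

def blind_retry(agent, name, attempts=3):
    """Behaviour before the fix: retry on any connection error."""
    for _ in range(attempts):
        try:
            return agent.post_command(name)
        except ConnectionError:
            continue
    raise ConnectionError("no reply from agent")

def retry_with_check(agent, name, attempts=3):
    """Behaviour after the fix: on a connection error, read the command list first."""
    for _ in range(attempts):
        try:
            return agent.post_command(name)
        except ConnectionError:
            executing = agent.list_commands()
            if executing and executing[-1]["name"] == name:
                return executing[-1]   # accepted; only the reply was lost
    raise ConnectionError("no reply from agent")
```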
Changes in ironic 17.0.2..17.0.3
--------------------------------

adc4f7657 Fix node detail instance_uuid request handling
566cff59a Handle non-key-value params in [inspector]extra_kernel_params
05c838073 dhcp-less: mention how to provide network_data to instance
f99d68707 Refactor iDRAC OEM extension manager calls
fc8e1652b Improve agent_client logging
d3f62f83e Set download stable branch for IPA
f9eb7abe8 Secure RBAC - Efficent node santiziation
c7af96938 Update project conundrum related docs
0500fe107 Avoid unnecessary validation in boot interfaces
77be4c6c6 Delete unavailable py2 package
fce4cc11b Fix deployment when executing a command fails after the command starts
659eef72e Provide an option to not cache bootable iso ramdisks
78e10ce59 Update refarch with information about image_download_source
7b723bcce Do not mask configdrive when executing in-band deploy steps
fe2377855 Inherit InvalidImageRef from InvalidParameterValue

Diffstat (except docs and test files)
-------------------------------------

devstack/lib/ironic                                | 2 +-
.../include/configure-ironic-api-mod_wsgi.inc      | 10 +-
.../install/include/configure-ironic-api.inc       | 2 +-
ironic/api/controllers/v1/node.py                  | 143 ++++++++--------
ironic/common/exception.py                         | 2 +-
ironic/common/pxe_utils.py                         | 5 +-
ironic/common/utils.py                             | 16 ++
ironic/conf/deploy.py                              | 16 ++
ironic/db/sqlalchemy/api.py                        | 2 +-
ironic/drivers/modules/agent_client.py             | 121 +++++++++++---
ironic/drivers/modules/drac/boot.py                | 67 +-------
ironic/drivers/modules/drac/inspect.py             | 46 +----
ironic/drivers/modules/drac/management.py          | 185 ++++-----------------
ironic/drivers/modules/drac/raid.py                | 43 +----
ironic/drivers/modules/drac/utils.py               | 121 ++++++++++++++
ironic/drivers/modules/image_utils.py              | 14 +-
ironic/drivers/modules/inspector.py                | 6 +-
ironic/drivers/modules/pxe_base.py                 | 14 +-
ironic/drivers/modules/redfish/boot.py             | 11 +-
ironic/objects/node.py                             | 10 +-
.../unit/drivers/modules/drac/test_inspect.py      | 27 ---
.../unit/drivers/modules/drac/test_management.py   | 124 ++------------
.../unit/drivers/modules/redfish/test_boot.py      | 74 ++-------
.../unit/drivers/modules/test_agent_client.py      | 117 +++++++++++++
.../notes/agent-last-command-4ec6967c995ba84a.yaml | 9 +
.../notes/boot-validate-6b4b6b40c8e27273.yaml      | 7 +
...ed-instance-info-behavior-1375914a30621eca.yaml | 20 +++
.../deploy-step-configdrive-86ea2bb267211b88.yaml  | 5 +
.../inspector-kernel-params-6db82c633d7361e2.yaml  | 5 +
...ion-no-cache-http-ramdisk-62fc29cdd1d5b152.yaml | 14 ++
...-sanitization-performance-dc7886952144bb04.yaml | 7 +
54 files changed, 1037 insertions(+), 858 deletions(-)