We eagerly announce the release of:

ironic 24.1.2: OpenStack Bare Metal Provisioning

This release is part of the caracal release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://bugs.launchpad.net/ironic/+bugs

For more details, please see below.

24.1.2
^^^^^^

Upgrade Notes
*************

* When upgrading Ironic to address the "qemu-img" image conversion
  security issues, the "ironic-python-agent" ramdisks will also need to
  be upgraded.

* When upgrading Ironic to address the "qemu-img" image conversion
  security issues, the "[conductor]conductor_always_validates_images"
  setting may be set to "True" as a short term remedy while
  "ironic-python-agent" ramdisks are being updated. Alternatively it may
  be advisable to also set the "[agent]image_download_source" setting to
  "local" to minimize redundant network data transfers.

* As a result of security fixes to address "qemu-img" image conversion
  security issues, a new configuration parameter has been added to
  Ironic, "[conductor]permitted_image_formats", with a default value of
  "raw,qcow2,iso". Raw and qcow2 format disk images are the image
  formats the Ironic community has consistently stated as what is
  supported and expected for use with Ironic. These formats also match
  the formats which the Ironic community tests. Operators who leverage
  other disk image formats may need to modify this setting further.

Security Issues
***************

* Ironic now checks the supplied image format value against the
  detected format of the image file, and will prevent deployments should
  the values mismatch. If being used with Glance and a mismatch in
  metadata is identified, it will require images to be re-uploaded with
  a new image ID to represent corrected metadata. This is the result of
  CVE-2024-44082 tracked as bug 2071740
  (https://bugs.launchpad.net/ironic/+bug/2071740).
* Ironic *always* inspects the supplied user image content for safety
  prior to deployment of a node should the image pass through the
  conductor, even if the image is supplied in "raw" format. This is
  utilized to identify the format of the image and the overall safety of
  the image, such that source images with unknown or unsafe feature
  usage are explicitly rejected. This can be disabled by setting
  "[conductor]disable_deep_image_inspection" to "True". This is the
  result of CVE-2024-44082 tracked as bug 2071740
  (https://bugs.launchpad.net/ironic/+bug/2071740).

* Ironic can also inspect images which would normally be provided as a
  URL for direct download by the "ironic-python-agent" ramdisk. This is
  not enabled by default as it will increase the overall network traffic
  and disk space utilization of the conductor. This level of inspection
  can be enabled by setting "[conductor]conductor_always_validates_images"
  to "True". Once the "ironic-python-agent" ramdisk has been updated, it
  will perform similar image security checks independently, should an
  image conversion be required. This is the result of CVE-2024-44082
  tracked as bug 2071740 (https://bugs.launchpad.net/ironic/+bug/2071740).

* Ironic now explicitly enforces a list of permitted image types for
  deployment via the "[conductor]permitted_image_formats" setting, which
  defaults to "raw", "qcow2", and "iso". While the project has
  classically always declared permissible images as "qcow2" and "raw",
  it was previously possible to supply other image formats known to
  "qemu-img", and the utility would attempt to convert the images. The
  "iso" support is required for "boot from ISO" ramdisk support.

* Ironic now explicitly passes the source input format to executions of
  "qemu-img" to limit the permitted qemu disk image drivers which may
  evaluate an image, to prevent any mismatched format attacks against
  "qemu-img".

* The "ansible" deploy interface example playbooks now supply an input
  format to execution of "qemu-img".
  If you are using customized playbooks, please add
  "-f {{ ironic.image.disk_format }}" to your invocations of "qemu-img".
  If you do not do so, "qemu-img" will automatically try to guess the
  format, which can lead to known security issues with the incorrect
  source format driver.

* Operators who have implemented any custom deployment drivers or
  additional functionality like machine snapshot should review their
  downstream code to ensure they are properly invoking "qemu-img". If
  there are any questions or concerns, please reach out to the Ironic
  project developers.

* Operators are reminded that they should utilize cleaning in their
  environments. Disabling any security features such as cleaning or
  image inspection is at **your** **own** **risk**. Should you have any
  issues with security related features, please don't hesitate to open a
  bug with the project.

* The "[conductor]disable_deep_image_inspection" setting is conveyed to
  the "ironic-python-agent" ramdisks automatically, and will prevent
  those operating ramdisks from performing deep inspection of images
  before they are written.

* The "[conductor]permitted_image_formats" setting is conveyed to the
  "ironic-python-agent" ramdisks automatically. Should a need arise to
  explicitly permit an additional format, that should take place in the
  Ironic service configuration.

Bug Fixes
*********

* Fixes an issue with unit tests that show this DeprecationWarning:

      The metaschema specified by $schema was not found. Using the
      latest draft to validate, but this will raise an error in the
      future. cls = validator_for(schema)

  Removed the warning for the deprecated schema by using a new template.

* Fixes the issue of service steps not starting due to servicing states
  (states.SERVICING and states.SERVICEWAIT) missing from the
  _FASTTRACK_HEARTBEAT_ALLOWED constant.
* Fixes an issue with configuring virtual media boot for executing
  service steps by adding missing entries for states.SERVICING and
  states.SERVICEWAIT in the whitelist of the states allowed by this
  method.

* Fixes multiple issues in the handling of images as it relates to the
  execution of the "qemu-img" utility, which is used for image format
  conversion, where a malicious user could craft a disk image to
  potentially extract information from an "ironic-conductor" process's
  operating environment. Ironic now explicitly enforces a list of
  approved image formats as a "[conductor]permitted_image_formats" list,
  which mirrors the image formats the Ironic project has historically
  tested and expressed as known working. Testing is not based upon file
  extension, but upon content fingerprinting of the disk image files.
  This is tracked as CVE-2024-44082 via bug 2071740
  (https://bugs.launchpad.net/ironic/+bug/2071740).

* Fixes usage of the redfish detach virtual media feature to conform to
  the general implementation. Previously, the detach virtual media API
  call using the redfish driver was not working as intended and caused
  the operation to fail.

* Fixes an issue in redfish attach/detach generic virtual media where
  the attached devices are not correctly recognized, causing the attach
  operation to fail.

* Service step validation no longer requires a priority field, which is
  not supported for servicing.

* Fixes service steps that rely on a reboot. Previously, the reboot was
  not properly recognized in the conductor logic.

* Adds an ISO publisher value to ISO images which are mastered as part
  of cleaning/deployment/service operations in support of a fix for bug
  2032377 (https://bugs.launchpad.net/ironic/+bug/2032377).

* Fixes the generated URL when using the virtual media attachment API.
  Previously, it missed the node UUID, causing conflicts between
  different nodes.
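As an added illustration of the checks described in the Security Issues and the image-handling bug fix above, and not Ironic's own code: fingerprint the image by content, compare that against the declared disk_format and the permitted-format list, and build the "qemu-img" invocation with an explicit "-f". The magic-byte checks, sample headers and function names are constructed for this example; Ironic's real inspector (ironic/common/image_format_inspector.py in the diffstat) goes far deeper than a header match.

```python
from typing import Sequence

# Default mirrors the new [conductor]permitted_image_formats setting.
PERMITTED_IMAGE_FORMATS = ("raw", "qcow2", "iso")

# Content fingerprints assumed for this example: the qcow2 header magic and the
# ISO 9660 primary volume descriptor identifier stored at byte offset 0x8001.
QCOW2_MAGIC = b"QFI\xfb"
ISO9660_MAGIC = b"CD001"
ISO9660_MAGIC_OFFSET = 0x8001
HEADER_BYTES = ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)


def detect_image_format(data: bytes) -> str:
    """Fingerprint the image by its content, never by file extension or metadata."""
    if data[:4] == QCOW2_MAGIC:
        return "qcow2"
    if len(data) >= HEADER_BYTES and data[ISO9660_MAGIC_OFFSET:HEADER_BYTES] == ISO9660_MAGIC:
        return "iso"
    # No recognised container header: treat the bytes as a raw disk image.
    return "raw"


def validate_image(data: bytes, declared_format: str,
                   permitted: Sequence[str] = PERMITTED_IMAGE_FORMATS) -> str:
    """Reject an image whose declared format is not permitted or mismatches its content."""
    # A "raw" image that really carries a qcow2 header is refused here instead of
    # being handed to qemu-img, which is the check the release notes describe.
    if declared_format not in permitted:
        raise ValueError(f"format {declared_format!r} not in permitted list {tuple(permitted)}")
    detected = detect_image_format(data)
    if detected != declared_format:
        raise ValueError(f"declared {declared_format!r} but content fingerprints as {detected!r}")
    return detected


def qemu_img_convert_command(src: str, dst: str, src_format: str,
                             dst_format: str = "raw") -> list:
    """Build the conversion command with the source driver pinned via -f."""
    # Without -f, qemu-img probes the input and picks a driver itself, which is
    # the mismatched-format behaviour the notes warn about.
    return ["qemu-img", "convert", "-f", src_format, "-O", dst_format, src, dst]


def validated_convert_command(src_path: str, dst_path: str, declared_format: str) -> list:
    """Read just the header, validate it, then return the pinned command to run."""
    with open(src_path, "rb") as fh:
        header = fh.read(HEADER_BYTES)
    return qemu_img_convert_command(src_path, dst_path, validate_image(header, declared_format))
```

The returned list is meant for `subprocess.run(cmd, check=True)`, so the format string is never interpolated into a shell command line.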
Changes in ironic 24.1.1..24.1.2
--------------------------------

f7c7ea935 CVE-2024-44982: Harden all image handling and conversion code
f33949e37 CI: Disable metal3-integration test job
25c78951a [CI][stable only] fix zuul config
9ac841796 [CI] Fix job parent name
84fb43b81 fix: Fix class typo for portgroup. Portgroup instead of PortGroup
55987f269 Correct bond_mode enum value for 802.3ad
4e09e6dc5 Remove SQLAlchemy tips jobs
f0b623881 Fix spurious CI job failures around partition images
78c1d9a98 Inject a randomized publisher id
394ee3763 Redfish: fix error formatting when mounting vmedia
5026e3079 Fix attach/detach vmedia redfish implementation
d31ea3d05 Fix redfish detach generic vmedia device method
22666a889 Add states.SERVICING and SERVICEWAIT to _FASTTRACK_HEARTBEAT_ALLOWED
438fd6220 Remove deprecation warning by setting schema
2638b6c00 Fix the confusion around service_reboot/servicing_reboot
7b6e58a5a Fix servicing clean-up
5733379b6 Handle servicing failures in the Redfish BIOS interface
5f9ceb492 Fix get_async_step_return_state to account for servicing
9bfe422f7 Stop assuming service steps have priorities
fab3772cb Add states.SERVICING and SERVICEWAIT to need_prepare_ramdisk
ac2c86861 Fix generating local paths when connecting virtual media


Diffstat (except docs and test files)
-------------------------------------

devstack/lib/ironic                                |    7 +-
ironic/api/controllers/v1/network-data-schema.json |    4 +-
ironic/api/controllers/v1/port.py                  |    2 +-
ironic/api/controllers/v1/ramdisk.py               |    2 +
ironic/common/async_steps.py                       |  168 ++++
ironic/common/exception.py                         |    4 +
ironic/common/image_format_inspector.py            | 1038 ++++++++++++++++++++
ironic/common/images.py                            |  190 +++-
ironic/common/qemu_img.py                          |   89 ++
ironic/common/states.py                            |    5 +
ironic/conductor/cleaning.py                       |   11 +-
ironic/conductor/deployments.py                    |   12 +-
ironic/conductor/manager.py                        |   19 +-
ironic/conductor/servicing.py                      |   12 +-
ironic/conductor/steps.py                          |   25 +-
ironic/conductor/utils.py                          |   36 +-
ironic/conf/__init__.py                            |    2 +
ironic/conf/conductor.py                           |   43 +
ironic/conf/disk_utils.py                          |   33 +
ironic/conf/opts.py                                |    1 +
ironic/drivers/modules/agent.py                    |    8 +-
ironic/drivers/modules/agent_base.py               |   39 +-
.../playbooks/roles/deploy/tasks/write.yaml        |    2 +-
ironic/drivers/modules/deploy_utils.py             |  306 ++++--
ironic/drivers/modules/image_cache.py              |   71 +-
ironic/drivers/modules/image_utils.py              |   38 +-
ironic/drivers/modules/redfish/bios.py             |    7 +-
ironic/drivers/modules/redfish/boot.py             |    8 +-
ironic/drivers/modules/redfish/firmware_utils.py   |    2 +-
ironic/drivers/modules/redfish/management.py       |   22 +-
ironic/drivers/utils.py                            |    4 +-
.../unit/drivers/modules/drac/test_management.py   |    9 +-
.../modules/network/json_samples/network_data.json |    2 +-
.../drivers/modules/redfish/test_management.py     |   43 +-
.../unit/drivers/modules/redfish/test_raid.py      |   58 +-
.../unit/drivers/modules/test_deploy_utils.py      |  520 +++++++++-
releasenotes/notes/2061160-5e080a17ae31fb53.yaml   |    8 +
...ng-to-heartbeat-fasttrack-85863df34ece6401.yaml |    6 +
...g-to-need-prepare-ramdisk-fb0634b4f7d851bd.yaml |    7 +
.../address-qemu-issues-1bbead8bb70b76fb.yaml      |  108 ++
...fix-detach-vmedia-redfish-c86b7d0f72217816.yaml |    7 +
...x-redfish-advmedia-part02-67ac1b22153ff1cf.yaml |    6 +
.../notes/service-priority-7482622471102c6b.yaml   |    5 +
.../notes/servicing-reboot-502f474a01f937a8.yaml   |    5 +
...ia-publisher-id-injection-c88674a31634f852.yaml |    6 +
.../notes/vmedia-path-648cfa258708e0bb.yaml        |    6 +
zuul.d/ironic-jobs.yaml                            |   23 +-
zuul.d/project.yaml                                |   12 +-
63 files changed, 4116 insertions(+), 542 deletions(-)