We are stoked to announce the release of:

ironic 30.0.0

This release is part of the flamingo release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://bugs.launchpad.net/ironic/+bugs

For more details, please see below.

30.0.0
^^^^^^

New Features
************

* Adds NVIDIA A10/A40/L40S/L20 to known accelerators that can be
  reported when present in bare metals.

* It is now possible to filter by conductor groups when listing ports
  and portgroups. For example, the following request returns only the
  ports for nodes in conductor groups "bear" and "metal":

     GET /v1/ports?conductor_groups=bear,metal

* If *allow_image_access_via_auth_token* is set to *True*, Ironic
  allows access to Glance images if an auth_token is present in the
  request context.

* Add a new configuration group [agent_containers] that allows users
  to dynamically configure container-based cleaning via Ironic
  conductor.

* Adds a new configuration option "bootloader_by_arch", a dictionary
  value that maps architecture names to a Glance ID, http:// or
  file:// URL of an EFI system partition image containing EFI boot
  loader, to support architecture-specific images for virtual media
  boot in mixed-architecture clouds.

* Adds a new boolean configuration option
  "[neutron]fail_on_port_binding_failure" and corresponding node
  "driver_info" setting "fail_on_binding_failure" to control whether
  deployment should fail or continue if Neutron port binding fails.
  With a default of "true", if your network is not configured
  properly, this will likely cause deployment failures. To maintain
  the previous behavior, explicitly set this option to False in your
  configuration.

* A new "description" field has been added to the Port object. This
  field allows operators to provide human-readable descriptions to
  easily identify physical ports on bare metal hosts.

* The "ipmitool-socat" console interface is now available for users of
  the "redfish" hardware type. This was done as an enablement action
  for operators to be able to leverage IPMI based Serial-over-LAN
  connections. This option requires the IPMI parameters to be
  configured on the baremetal node in addition to the "redfish"
  hardware type.

* Adds a new option "[json_rpc]client_use_ssl". It can be set to True
  in situations where server-side TLS is handled by a reverse proxy,
  and thus "[json_rpc]use_ssl" is set to False.

* A node in the "service wait" state can now be unprovisioned via the
  "delete" provision action.

* The Ironic conductor can now access images that are shared with its
  project, in addition to those it owns. To use the feature, ensure
  the images are shared with the project associated with the
  conductor's credentials.

Upgrade Notes
*************

* CONF.allow_image_access_via_auth_token is set to *True* in this
  Ironic release. OpenStack integrated operators should ensure images
  for Ironic use are using image visibility "public" or "community"
  for the most reliable results.

Deprecation Notes
*****************

* While never supported outside of the Ironic project's CI testing,
  use of the TinyIPA ramdisk image is in the process of being
  discontinued. Any users who chose to utilize TinyIPA for any reason
  should leverage ironic-python-agent-builder images.

Security Issues
***************

* Fixes OSSA-2025-001, where Ironic did not properly filter file://
  paths when used as image sources. This would permit any file
  accessible by the conductor to be used as an image to attempt
  deployment.

  Ironic now unconditionally forbids paths that provide access to
  system configuration (/dev, /sys, /proc, /boot, /run, and /etc).

  Adds "CONF.conductor.file_url_allowed_paths", an allowlist
  configuration option defaulting to "/var/lib/ironic",
  "/shared/html", "/opt/cache/files", "/vagrant", and "/templates",
  which permits operators to further restrict where the conductor will
  fetch images from when provided a file:// URL. This default value
  was chosen based on known usage by projects downstream of Ironic,
  including Metal3, Bifrost, and OpenShift. These defaults may change
  to be more restrictive at a later date. Operators using file:// URLs
  are encouraged to explicitly set this value even if the current
  default is sufficient. Operators wishing to fully disable the
  ability to deploy with a file:// URL should set this configuration
  to "" (empty).

  This issue only poses a significant security risk when Ironic's
  automated cleaning process is disabled and the service is configured
  in such a way that permits direct deployment by an untrusted API
  user, such as standalone Ironic installations or environments
  granting ownership of nodes to projects.

Bug Fixes
*********

* The redfish inspector now uses a condition to control whether the
  pxe_enabled field of a port is updated during inspection.
  [inspector]update_pxe_enabled is used to control this so it behaves
  like all other inspection interfaces. The default value for this
  configuration is True.

* Fixes loop functionality to align more closely with the spec where,
  with *loop* present, *args* reference loop items using the '{item}'
  placeholder to support direct array iteration; list and dict loop
  item types are also handled separately.

* Fixes an issue with the "neutron" "network_interface" driver where
  validate calls by "member" scoped API users, triggered through a
  port update or explicit node interface validation action, would fail
  due to the user being unable to resolve provisioning or cleaning
  networks because the networks are in a different project.

* Fixes interface binding logic as it relates to Neutron VIF
  attachments, such that an initial neutron port update occurs to
  ensure Neutron performs any necessary address assignments, which
  will now result in the port entering an "ACTIVE" state. The state
  may change later on as the port is updated as part of any workflow
  actions with supplied port configuration information to allow ML2
  plugins to finalize any port binding actions, when appropriate. The
  base bug which identified this issue is bug 2106073
  (https://bugs.launchpad.net/nova/+bug/2106073), which will require
  additional work to completely fix.

  Related, this logic *also* detaches any previously bound VIF which
  might have been supplied to Ironic. To have done so in advance of
  attachment is erroneous, yet understandable behavior.

* Fixes an issue with agent startup where the workflow from the first
  agent heartbeat interaction could fail due to a transient networking
  issue, leaving the Agent and Ironic in a state where the node cannot
  be deployed and continues to record errors upon each additional
  heartbeat operation. Logic to check the state of the agent has been
  adjusted to ignore retry operations which were recorded by the
  agent. More information on this issue can be found in bug 2110698
  (https://bugs.launchpad.net/ironic/+bug/2110698).

* Fixes an issue where Nova, or another consumer attempting to send
  network data to Ironic, can send grossly invalid network metadata
  which needs to be replaced. Ironic now identifies the condition, and
  regenerates the network metadata utilizing the attached VIF records.
  This results in some minor data differences, such as Nova's internal
  VIF tap naming which is redundant, and MTUs to be included in the
  Network data when they might not have been included previously. More
  information about this bug can be found in bug 2106073
  (https://bugs.launchpad.net/ironic/+bug/2106073).

  This logic does *not* attempt to patch or modify configuration drive
  URLs which are supplied by tools like Bifrost, which is unaffected
  by this issue.

  This fix can be disabled by setting
  "[conductor]disable_configdrive_check" to "True".

* Updates the patch validation logic to support special characters
  ("~" and "/") in field keys, provided they align with the escaping
  rules defined in RFC 6901 (JSON Pointer) as required for the *path*
  field specified in RFC 6902 (JSON Patch).

* Fixes an error where a node does not move to the failed state when
  removing a VIF fails due to unexpected errors during tear down.

Other Notes
***********

* Ironic is in the process of removing testing and use of TinyIPA,
  which was originally developed as a lightweight low memory IPA image
  to simplify upstream testing and had no use outside of that context.
  Due to the OpenStack move away from Python 3.9, TinyIPA cannot
  continue to be maintained, and as such all testing and use of images
  will be discontinued by the Ironic community.

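The file:// filtering that the OSSA-2025-001 note under Security Issues describes, sketched as an added example. This is not Ironic's own code: `check_file_url`, `DENIED_ROOTS` and `DEFAULT_ALLOWED` are hypothetical names, the sample URLs are constructed, and the check normalizes paths lexically without resolving symlinks.

```python
"""Added illustration of the OSSA-2025-001 file:// rules; not Ironic's code."""
import posixpath
from urllib.parse import urlparse

# Roots the release note says are forbidden unconditionally.
DENIED_ROOTS = ("/dev", "/sys", "/proc", "/boot", "/run", "/etc")
# Defaults the note lists for CONF.conductor.file_url_allowed_paths.
DEFAULT_ALLOWED = ("/var/lib/ironic", "/shared/html", "/opt/cache/files",
                   "/vagrant", "/templates")


def _is_under(path, root):
    """Component-wise containment, so /etcetera is not treated as /etc."""
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    return path == root or path.startswith(prefix)


def check_file_url(url, allowed_paths=DEFAULT_ALLOWED):
    """Return (True, normalized_path) or (False, reason). Hypothetical helper."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        return False, "not a file:// URL"
    if parsed.netloc not in ("", "localhost"):
        return False, "remote host in file:// URL"
    if not parsed.path.startswith("/") or "\x00" in parsed.path:
        return False, "malformed path"
    # Collapse ".", ".." and repeated slashes before comparing, so that
    # /var/lib/ironic/../../../etc/shadow is judged as /etc/shadow.
    # normpath keeps a leading "//", hence the explicit re-rooting.
    # Lexical only: symlinks are not resolved here (assumption of this sample).
    path = "/" + posixpath.normpath(parsed.path).lstrip("/")
    # The denylist is checked first and cannot be overridden by the allowlist.
    for root in DENIED_ROOTS:
        if _is_under(path, root):
            return False, f"{root} is always forbidden"
    # An empty allowlist (the "" setting) leaves nothing to match.
    if not any(_is_under(path, r) for r in allowed_paths if r):
        return False, "outside file_url_allowed_paths"
    return True, path


# Constructed sample inputs, not taken from any real deployment.
SAMPLES = [
    "file:///var/lib/ironic/images/node.img",
    "file:///etc/shadow",
    "file:///var/lib/ironic/../../../etc/shadow",
    "file:////proc/self/environ",
    "file:///var/lib/ironic-evil/x.img",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_file_url(sample))
```

A caller of such a check should open the returned normalized path rather than the original string, so that the path validated is the path read.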
Changes in ironic 29.0.0..30.0.0
--------------------------------

ea8b3fcc3 Patch configdrive metadata
6d1195481 Add a new configuration option, ``bootloader_by_arch``
b476c1bc2 re-framing this as an explicit bugfix to backport
8f7d5d817 ci: remove the partition image upload
72c208f76 ci: Expand the multinode job -- remove tinyipa usage
d33c981dc CI: remove legacy devstack baremetal admin and observer role usage
b7efcda9e Update devstack-guide to use neutron- not q-
5a9efa070 Control port updates with update_pxe_enabled flag
9406b4465 Replace license classifier
65f1396d1 Add port/portgroup list conductor groups filter
95294caa6 [ci] Restore ovn-ipv6 job to voting
1cc44809a Remove warning filter for old oslo.db
8b3e8c87d Drop duplicate logic
b744e2ed0 [CI] metal3 job back to voting
241d296b5 [CI] Fix libvirt network names in metal3 job logs collection
9211ab629 Replace eventlet usage in `pxe_filter`
9a0de989a Replace `eventlet.spawn_n` in Inspector Interface
c7ccec9d8 Revert "Fix redfish driver URL parsing"
56d43ff56 ci: Remove code which has been long-dead
94af5f161 CI: Remove the multinode grenade job
6c0b015a0 CI: Reconfigure jobs to minimize tinyipa usage
d3ff85fb8 doc: Make port binding failure configurably fatal
e1835827e [CI] metal3 non voting for investigation
7358559e1 Inspection throws exception on CPU-less systems
a43d615e1 trivial: add missing exception to agent code path docstrings
85456f788 Fix unhandled exception during node tear down
034312e6e CI: cleanup outdated rbac scope enforce jobs
c52b1a874 Set an explicit neutron endpoint for grenade
5730b0405 api: Add schema for node firmware API
91c04035e api: Ensure parameter transform happens early
91b28bc43 Fix agent get_XXX_steps retries from being treated as not fresh agents
5731f4faf remove explicit eventlet usage around time.sleep
d7b5c6eb4 doc: A possible improvement around multi-arch config options
5f7c7dcd0 Fix redfish driver URL parsing
80f97ae27 Auto-detect the RPC executor instead of hardcoding eventlet
5146e0a0f provide host_id to neutron early on
42be33b52 CI: Fix anaconda job post OSSA-2025-001
8363404ef Make metal3 job voting again
5fddef982 OSSA-2025-001: Disallow unsafe image file:// paths
58062d55d Revert "Add an index on ports.node_id"
cd23ae477 Trivial: Fix gap in microversion sequence
3be31c13d Remove tags from README
538ac164e Make metal3 job non-voting temporarily
e37c58220 Allow to unprovision instance from service wait states
a5750a432 Add an index on ports.node_id
cd5d0f8be docs: update openstackdocstheme version to 3.5.0
f597e9e4e Trivial: Fix spelling issue in configuration desc
39fc3d9fe Update some docs
a39f11cec Add shared image support
915e50cee CI: Coverage for neutron with automated cleaning
876a9d402 Make port binding failure (configurably) fatal
5fccd55c9 Allow special characters in patch field keys
a463ee864 Add several NV GPU types
52e090b60 Release notes title to "unreleased" for in-progress
854f059b8 Improve is_image_available
9cfb693be Fix ISO+GPT image handling
80ffd07df ci: restrict multinode job to multinode tests
cbde488bc Update documentation to retain relevant terms
b7cc916dd Remove compatibility for oslo.versionedobjects < 0.10.0
5b372dd9e A new 'description' field to the port object
4a02db984 Add image build method for verified OS.
3e0f6ed24 Rename ironic cmd module
55364fcb0 [devstack] Allow deploy environment with portgroups
d2bd781a2 redfish: permit ipmitool-socat console for redfish usage
47e87d649 devstack: network simulator support for sonic
d2fb4cbc4 Fix passing vtep fields to neutron
34bc26b55 api: Correct types for validation decorators
b43d74a8f Do not silence the actual error in prepare_instance_boot
ee7e1ac43 Ironic Container Config for IPA Integration
399a6c12d doc: Migrate Inspection Rules
282dd1eba Trivial: Fix Doc8 D000 errors by adjusting title
99ebf632c Fix mismatch in expected loop functionality
b939c24fa docs: Clarify physical_network should be a name
3a705a59d Allow configuring RPC client TLS separately from server
86334496b De-duplicate two WSGIService's
95b999413 Fix confusing logs on tenant network configuration
e7f677fdd Imported Translations from Zanata
5f911ad68 Follow up to unprovision service failed
e2fa72652 network simulator support for Cisco Nexus 9k
803a96913 docs: detail network switch simulator support
7ef39b8cc Add network simulator support for force10 OS 10
fe35cb238 network testing: hooking in an external network simulator
92f30dc5a Create Support Resources Page
fbb5d5a41 metal3: Use zuul user for logs, fix remote node ip, reduce timeout
3e453a376 Update master for stable/2025.1
1f5755ec1 Only try and do deep network config validate if admin
55c0a060c [Trivial] Fix typo of exception error message
b31a109db devstack bindep - [platform:rpm]
2c472dfa8 Fix default IRONIC_DEFAULT_TRAITS setting
e443ddcb9 Update DRAC RAID module import logic
dc0dd2399 Enable atop on jobs
5c285047a ci: set a longer nova tempest build interval
861034679 Don't log PXE when your not doing PXE.
f1cad5260 refactor: split glance handling into it's own method

Diffstat (except docs and test files)
-------------------------------------

197 files changed, 6617 insertions(+), 1412 deletions(-)