We are psyched to announce the release of:

ironic 24.1.4

This release is part of the caracal release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://bugs.launchpad.net/ironic/+bugs

For more details, please see below.

24.1.4
^^^^^^

Security Issues
***************

* Fixes OSSA-2025-001, where Ironic did not properly filter file:// paths
  when used as image sources. This would permit any file accessible by the
  conductor to be used as an image to attempt deployment. Adds
  "CONF.conductor.file_url_allowed_paths", an allowlist configuration
  defaulting to "/var/lib/ironic", "/shared/html", "/opt/cache/files",
  "/vagrant", and "/templates", which permits operators to further restrict
  the locations from which the conductor will fetch images when provided a
  file:// URL. This default value was chosen based on known usage by
  projects downstream of Ironic, including Metal3, Bifrost, and OpenShift.
  These defaults may change to be more restrictive at a later date.
  Operators using file:// URLs are encouraged to explicitly set this value
  even if the current default is sufficient. Operators wishing to fully
  disable the ability to deploy with a file:// URL should set this
  configuration to "" (empty). Operators wishing to restore the original
  insecure behavior should set "CONF.conductor.file_url_allowed_paths" to
  "/". Take note that in the 2025.2 release and later, "/dev", "/sys",
  "/proc", "/run", and "/etc" will be unconditionally blocked as a security
  measure. This issue only poses a significant security risk when Ironic's
  automated cleaning process is disabled and the service is configured in
  such a way that permits direct deployment by an untrusted API user, such
  as standalone Ironic installations or environments granting ownership of
  nodes to projects.
Bug Fixes
*********

* The set of strings used to detect cipher suite version related errors in
  the "ipmitool" command was expanded. If the string "Error in open session
  response message : invalid role" is contained in the output of a failed
  "ipmitool" command execution, such an error will now be considered as
  related to inappropriate ciphers too, and will be retried with another
  cipher suite version if Ironic is configured to do so. See bug 2085137
  (https://launchpad.net/bugs/2085137) for more details.

* Fixes an issue where operators executing a complex arrangement of steps
  which includes out-of-band and in-band steps, for example a hardware RAID
  "create_configuration" step followed by in-band steps inside of the agent,
  would effectively get the agent stuck in a "wait" state in the Cleaning,
  Servicing, or Deploying workflows. This was related to the way
  out-of-band steps are executed and monitored. Ironic, before starting to
  execute a new step, now clears the polling lockout flag for the
  respective workflow being executed to prevent the agent from getting
  stuck. For more information, please see bug 2096938
  (https://bugs.launchpad.net/ironic/+bug/2096938).

* Some vendors insist that floppy images must be 1440 KiB in size and that
  the file name ends with ".img". Make it so.

* Includes the agent token parameter in get command status requests as the
  endpoint now requires authentication.

* The fix for CVE-2024-47211 results in an image checksum being required in
  all cases. However, there is no checksum requirement for file:// based
  images. When the checksum is missing for a file:// based image_source, it
  is now calculated on the fly.

* Fixes an error within the redfish session cache when no
  "redfish_password" is specified; see bug 2097019
  (https://bugs.launchpad.net/ironic/+bug/2097019).
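The two file:// related notes above (the OSSA-2025-001 allowlist and the on-the-fly checksum for file:// images) share one underlying check: resolve the URL to a real filesystem path, confirm it sits under an allowed directory, and only then read it. The following is an added illustration of that check, not Ironic's own code; the function names (resolve_file_url, is_allowed_file_url, checksum_for, demo), the temporary-directory scenario, and the symlink/".." cases are constructed for this example. The default allowlist values are the ones named in the release note.

```python
"""Added example (not Ironic's own code): allowlist a file:// image source
and compute its checksum when none was supplied.

Helper names and the sample files are constructed for this illustration.
"""
import hashlib
import os
import tempfile
from urllib.parse import unquote, urlparse

# Defaults named in the release note for CONF.conductor.file_url_allowed_paths.
DEFAULT_ALLOWED_PATHS = [
    "/var/lib/ironic", "/shared/html", "/opt/cache/files", "/vagrant",
    "/templates",
]


def resolve_file_url(url):
    """Canonical filesystem path for a file:// URL.

    Symlinks and '..' segments are resolved so a path that merely starts
    with an allowed prefix cannot escape it.
    """
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise ValueError("not a file:// URL: %s" % url)
    if parsed.netloc not in ("", "localhost"):
        raise ValueError("remote hosts are not supported for file:// URLs")
    return os.path.realpath(unquote(parsed.path))


def is_allowed_file_url(url, allowed_paths):
    """True if the URL resolves to a file under one of allowed_paths.

    An empty allowlist disables file:// sources entirely; ["/"] restores
    the original permit-everything behaviour.
    """
    prefixes = [os.path.realpath(p) for p in allowed_paths if p]
    if not prefixes:
        return False
    real = resolve_file_url(url)
    for prefix in prefixes:
        # commonpath rejects "/var/lib/ironic-evil" for prefix
        # "/var/lib/ironic", which a plain startswith() would accept.
        if os.path.commonpath([real, prefix]) == prefix:
            return True
    return False


def checksum_for(url, allowed_paths, algorithm="sha256"):
    """Compute the missing checksum for an allowed file:// image source."""
    if not is_allowed_file_url(url, allowed_paths):
        raise PermissionError("file:// path outside allowed paths: %s" % url)
    h = hashlib.new(algorithm)
    with open(resolve_file_url(url), "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def demo():
    """Constructed scenario: an allowed image directory, a file outside it,
    and a symlink inside the allowed directory pointing outside."""
    base = tempfile.mkdtemp()
    allowed_dir = os.path.join(base, "images")
    os.mkdir(allowed_dir)
    image = os.path.join(allowed_dir, "disk.img")
    image_bytes = b"constructed image bytes"
    with open(image, "wb") as f:
        f.write(image_bytes)
    secret = os.path.join(base, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"not an image")
    link = os.path.join(allowed_dir, "link.img")
    os.symlink(secret, link)
    allow = [allowed_dir]
    return {
        "direct": is_allowed_file_url("file://" + image, allow),
        "outside": is_allowed_file_url("file://" + secret, allow),
        "symlink_escape": is_allowed_file_url("file://" + link, allow),
        "dotdot": is_allowed_file_url(
            "file://" + allowed_dir + "/../secret.txt", allow),
        "disabled": is_allowed_file_url("file://" + image, []),
        "root": is_allowed_file_url("file://" + secret, ["/"]),
        "checksum_ok": checksum_for("file://" + image, allow)
        == hashlib.sha256(image_bytes).hexdigest(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The check resolves both the requested path and each allowlist entry with os.path.realpath before comparing, so a symlink planted inside an allowed directory or a ".." segment in the URL does not widen what the conductor will read; the checksum is only computed after that check has passed.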
Changes in ironic 24.1.3..24.1.4
--------------------------------

cc8d7c08c OSSA-2025-001: Disallow unsafe image file:// paths
287ac76cb [stable-only] Fix errors building docs
1e9877f4a Make floppy images more floppy
1f02a1d88 ci: automatically set the branch for IPA to match TARGET_BRANCH
4aa8310ef Pass agent token to get command results
6cbbad1ef Expand detected strings in check_cipher_suite_errors
fea9a4f07 Fix agent from being locked out with complex steps
34bb2b1d4 stable-only: Drop ironic-tox-codespell job
9b97ec3bb Fix redfish session cache on missing password
4836513ee Calculate missing checksum for file:// based images
cdae95e46 Fix actual size calculation for storage fallback logic

Diffstat (except docs and test files)
-------------------------------------

 devstack/lib/ironic                                |  2 +-
 ironic/common/async_steps.py                       |  6 ++-
 ironic/common/checksum_utils.py                    | 15 +++++-
 ironic/common/image_service.py                     | 22 +++++++-
 ironic/common/images.py                            |  2 +-
 ironic/conductor/cleaning.py                       |  5 ++
 ironic/conductor/deployments.py                    |  4 ++
 ironic/conductor/servicing.py                      |  4 ++
 ironic/conf/conductor.py                           | 16 ++++++
 ironic/conf/types.py                               | 55 +++++++++++++++++++
 ironic/drivers/modules/agent_client.py             |  6 +++
 ironic/drivers/modules/image_utils.py              |  8 +--
 ironic/drivers/modules/ipmitool.py                 |  8 +--
 ironic/drivers/modules/redfish/utils.py            |  6 ++-
 .../unit/drivers/modules/test_agent_client.py      |  6 +--
 .../unit/drivers/modules/test_deploy_utils.py      | 12 +++++
 ...ion-ipmitools-cipher-fail-1503b4e319e77ed8.yaml | 11 ++++
 ...polling-lockout-for-steps-b9645f0cae18da1e.yaml | 13 +++++
 .../floppy-image-quirks-32e14d32a37b0742.yaml      |  5 ++
 ...ent-token-to-get-requests-982bacce85d95ce8.yaml |  5 ++
 .../missing_file_checksum-4931c98031951486.yaml    |  7 +++
 ...sallow-unsafe-image-paths-670fdcfe3e4647d4.yaml | 29 ++++++++++
 ...sh-allow-missing-password-ce4fb161d35a6850.yaml |  6 +++
 tools/config/ironic-config-generator.conf          |  1 -
 tox.ini                                            |  2 +-
 zuul.d/ironic-jobs.yaml                            |  7 ---
 37 files changed, 432 insertions(+), 50 deletions(-)