We are satisfied to announce the release of: ironic 21.4.1: OpenStack Bare Metal Provisioning This release is part of the antelope release series. The source is available from: https://opendev.org/openstack/ironic Download the package from: https://tarballs.openstack.org/ironic/ Please report issues through: https://storyboard.openstack.org/#!/project/943 For more details, please see below. 21.4.1 ^^^^^^ Bug Fixes * Fixes an issue with units tests that show this DeprecationWarning: The metaschema specified by $schema was not found. Using the latest draft to validate, but this will raise an error in the future. cls = validator_for(schema) Removed the warning for deprecated schema by using a new template. * Fixes Ironic integration with Cinder because of changes which resulted as part of the recent Security related fix in bug 2004555 (https://launchpad.net/bugs/2004555). The work in Ironic to track this fix was logged in bug 2019892 (https://bugs.launchpad.net/ironic/+bug/2019892). Ironic now sends a service token to Cinder, which allows for access restrictions added as part of the original CVE-2023-2088 fix to be appropriately bypassed. Ironic was not vulnerable, but the restrictions added as a result did impact Ironic's usage. This is because Ironic volume attachments are not on a shared "compute node", but instead mapped to the physical machines and Ironic handles the attachment life- cycle after initial attachment. * Fixes "Invalid cross-device link" in some cases when using "file://" image URLs. * Fixes the behavior of "file:///" image URLs pointing at a symlink. Ironic no longer creates a hard link to the symlink, which could cause confusing FileNotFoundError to happen if the symlink is relative. * Fixes an issue when listing allocations as a project scoped user when the legacy RBAC policies have been disabled which forced an HTTP 406 error being erroneously raised. Users attempting to list allocations with a specific owner, different from their own, will now receive an HTTP 403 error. * Properly eject the virtual media from a DVD device in case this is the only MediaType available from the Hardware, and Ironic requested CD as the device to be used. See bug 2039042 (https://bugs.launchpad.net/ironic/+bug/2039042) for details. * Fixes bug of iRMC driver in parse_driver_info where, if FIPS is enabled, SNMP version is always required to be version 3 even though iRMC driver's xxx_interface doesn't use SNMP actually. * Fixes bug in iRMC driver, where *irmc* power_interface sets and updates *irmc_ipmi_succeed* flag which is used by rest of iRMC driver code to deal with iRMC firmware's IPMI incompatibility but *ipmitool* power_interface doesn't set nor update *irmc_ipmi_succeed* flag and rest of iRMC driver code fail to handle iRMC firmware's IPMI incompatibility correctly. * Fixes an issue where an agent token could be inadvertently orphaned if a node is already in the target power state when we attempt to turn the node off. * Fixes scope classification check with the "self_owned_node" policy check where it was limited to check execution with only project scoped, so system scoped users who ticked the policy endpoint would basically get an incorrect error. * Fixes an issue where a System Scoped user could not trigger a node into a "manageable" state with cleaning enabled, as the Neutron client would attempt to utilize their user's token to create the Neutron port for the cleaning operation, as designed. This is because with requests made in the "system" scope, there is no associated project and the request fails. Ironic now checks if the request has been made with a "system" scope, and if so it utilizes the internal credential configuration to communicate with Neutron. * Fixes secure boot with anaconda deploy. * Fixes the bug where provisioning a Redfish managed node fails if the BMC doesn't support EthernetInterfaces attribute, even if MAC address information is provided manually. This is done by handling of MissingAttributeError sushy exception in get_mac_addresses() method. This fix is needed to successfully provision machines such as Cisco UCSB and UCSX. * Fixes issues with Lenovo hardware where the system firmware may display a blue "Boot Option Restoration" screen after the agent writes an image to the host in UEFI boot mode, requiring manual intervention before the deployed node boots. This issue is rooted in multiple changes being made to the underlying NVRAM configuration of the node. Lenovo engineers have suggested to *only* change the UEFI NVRAM and not perform any further changes via the BMC to configure the next boot. Ironic now does such on Lenovo hardware. More information and background on this issue can be discovered in bug 2053064 (https://bugs.launchpad.net/ironic/+bug/2053064). * No longer re-calculates checksums for images that are already raw. Previously, it would cause significant delays in deploying raw images. * The per-node "external_http_url" setting in the driver info is now used for a boot ISO. Previously this setting was only used for a config floppy. * Fixes an issue where the conductor service would fail to launch when the "neutron" network_interface setting was enabled, and no global "cleaning_network" or "provisioning_network" is set in *ironic.conf.* These settings have long been able to be applied on a per-node basis via the API. As such, the service can now be started and will error on node validation calls, as designed for drivers missing networking parameters. * Fixes Raid creation issue in iLO6 and other BMC with latest schema by removing 'VolumeType', 'Encrypted' and changing placement of 'Drives' to inside 'Links'. * Provides a fix for "service" role support to enable the use case where a dedicated service project is used for cloud service operation to facilitate actions as part of the operation of the cloud infrastructure. OpenStack clouds can take a variety of configuration models for service accounts. It is now possible to utilize the "[DEFAULT] rbac_service_role_elevated_access" setting to enable users with a "service" role in a dedicated "service" project to act upon the API similar to a "System" scoped "Member" where resources regardless of "owner" or "lessee" settings are available. This is needed to enable synchronization processes, such as "nova-compute" or the "networking-baremetal" ML2 plugin to perform actions across the whole of an Ironic deployment, if desirable where a "System" scoped user is also undesirable. This functionality can be tuned to utilize a customized project name aside from the default convention "service", for example "baremetal" or "admin", utilizing the "[DEFAULT] rbac_service_project_name" setting. Operators can alternatively entirely override the "service_role" RBAC policy rule, if so desired, however Ironic feels the default is both reasonable and delineates sufficiently for the variety of Role Based Access Control usage cases which can exist with a running Ironic deployment. * Fixes an issue where an agent token was being orphaned if a baremetal node timed out during cleaning operations, leading to issues where the node would not be able to establish a new token with Ironic upon future in some cases. We now always wipe the token in this case. Changes in ironic 21.4.0..21.4.1 -------------------------------- e62fd3638 Remove deprecation warning by setting schema 59800efd8 ci: pin CI to dnsmasq 2.85 d278fdb6d stable-only: pin proliantutils/scciclient to prevent break 526be0c86 Special case lenovo UEFI boot setup 4315431ae neutron: do not error if no cleaning/provisioning on launch 48daff5fd Fix service role support 6c6c3175c Kickstart: Don't error unit tests ksvalidate is present 2b41efb0b Fixes Secureboot with Anaconda deploy e04a7273a Stop using a specific mirror in infra 8739bb447 Don't create a hardlink to a symlink when handling file:// URLs 99f03fb4b Revert "Revert "RBAC: Fix allocation check"" to use Unauthorized ee74de0f4 Fix system scoped manageable node network failure 52f79b885 [Backport] Fixes Raid creation in iLO6 and other BMC with latest schema 5a2eba836 Fix log message var reference dc60287b5 Use per-node external_http_url for boot ISO 5379f18fd Make sure we eject media from DVD when CD is requested 9e90dbed6 redfish_address - wrap_ipv6 address 58251eb37 DB: Select upon delete for allocations b35a9c78c DB: Streamline allocation interactions f0778eaa2 CI: Fix PXE Ananconda cleanup test 534362b7f Fix ks_template property to be processed only for anaconda deploy 0859c6d17 [iRMC] Fix IPMI incompatibility handling error 41807b956 [iRMC] Fix parse_driver_info bug enforcing SNMP v3 under FIPS mode c973f20a2 Fix self_owned_node policy check cdf893197 CI: Disable mysql counters for grenade 12e79423a [ci] [stable-only] Cinder fixed; make BFV job vote 0c2911b14 [stable-only] [CI] BFV, RBAC jobs marked non-voting efc1e687d Fix Cinder Integration fallout from CVE-2023-2088 ae78df020 Fix anaconda stage2_id loading from image properties 00ffa4b96 Handle MissingAttributeError when using OOB inspections to fetch MACs ce4c63b95 Always fall back from hard linking to copying files 2280bdf84 Add error logging on lookup failures in the API de24d715c Wipe Agent Token when cleaning timeout occcurs c3b412863 Clean out agent token even if power is already off baedbec8b Do not recalculate checksum if disk_format is not changed ba7dd3630 Update TOX_CONSTRAINTS_FILE for stable/2023.1 96babaea4 Update .gitreview for stable/2023.1 Diffstat (except docs and test files) ------------------------------------- .gitreview | 1 + devstack/lib/ironic | 22 +- devstack/plugin.sh | 1 + driver-requirements.txt | 7 +- ironic/api/controllers/v1/allocation.py | 13 +- ironic/api/controllers/v1/ramdisk.py | 6 +- ironic/common/cinder.py | 71 +++++-- ironic/common/context.py | 7 + ironic/common/image_service.py | 45 +++-- ironic/common/keystone.py | 24 ++- ironic/common/neutron.py | 6 +- ironic/common/policy.py | 40 ++-- ironic/common/pxe_utils.py | 56 +++--- ironic/common/utils.py | 8 +- ironic/conductor/utils.py | 11 +- ironic/conf/default.py | 36 ++++ ironic/db/sqlalchemy/api.py | 56 +++--- ironic/drivers/modules/agent_base.py | 21 +- ironic/drivers/modules/deploy_utils.py | 37 ++-- ironic/drivers/modules/image_utils.py | 3 +- ironic/drivers/modules/irmc/common.py | 12 ++ ironic/drivers/modules/irmc/inspect.py | 3 +- ironic/drivers/modules/irmc/management.py | 18 +- ironic/drivers/modules/network/neutron.py | 18 +- ironic/drivers/modules/pxe.py | 15 +- ironic/drivers/modules/pxe_base.py | 20 +- ironic/drivers/modules/redfish/boot.py | 19 +- ironic/drivers/modules/redfish/firmware_utils.py | 2 +- ironic/drivers/modules/redfish/management.py | 11 +- ironic/drivers/modules/redfish/raid.py | 20 +- ironic/drivers/modules/redfish/utils.py | 3 +- .../unit/api/controllers/v1/test_allocation.py | 11 + .../unit/drivers/modules/network/test_neutron.py | 12 +- .../unit/drivers/modules/redfish/test_boot.py | 44 +++- .../drivers/modules/redfish/test_management.py | 10 + .../unit/drivers/modules/redfish/test_raid.py | 37 +--- .../unit/drivers/modules/redfish/test_utils.py | 8 + .../unit/drivers/modules/test_deploy_utils.py | 73 ++++++- releasenotes/notes/2061160-5e080a17ae31fb53.yaml | 8 + .../notes/cinder-2019892-6b5a9de5c5f05aa6.yaml | 16 ++ .../notes/cross-link-1ffd1a4958f14fd7.yaml | 5 + .../notes/file-symlink-b65bd6b407bd1683.yaml | 6 + ...ocation-exception-on-list-c04e93fb9cace218.yaml | 8 + .../fix-eject-media-dvd-b1994446ea71be9c.yaml | 8 + ...nforcing-snmpv3-with-fips-e45971d363925ec3.yaml | 6 + ...atibility-patch-situation-c246d2b59b2e8a78.yaml | 8 + .../fix-power-off-token-wipe-e7d605997f00d39d.yaml | 6 + ...ix-self-owned-node-policy-fc2dae357879dc33.yaml | 7 + ...tem-scope-triggered-clean-22ada9b920c08365.yaml | 12 ++ ...boot_with_anaconda_deploy-84d7c1e3bbfa40f2.yaml | 4 + ...g-ethernetinterfaces-attr-7e52f7259fe66762.yaml | 9 + ...boot-to-disk-calls-lenovo-39763bfc98f602d8.yaml | 13 ++ .../notes/no-recalculate-653e524fd6160e72.yaml | 5 + ...ode-iso-external_http_url-c5e3fa9ae4960dd6.yaml | 5 + ...-without-neutron-networks-d4aa21654f9c07bf.yaml | 9 + ...redfish-fix-raid-creation-f437066b1301c032.yaml | 6 + ...-project-service-role-fix-e4d1a8c23856926a.yaml | 41 ++++ ...ken-upon-cleaning-timeout-c9add514fad1b02c.yaml | 7 + tox.ini | 10 +- zuul.d/ironic-jobs.yaml | 5 +- zuul.d/project.yaml | 59 ++++-- 75 files changed, 1364 insertions(+), 359 deletions(-) Requirements updates -------------------- diff --git a/driver-requirements.txt b/driver-requirements.txt index 876e817cb..de4d8574b 100644 --- a/driver-requirements.txt +++ b/driver-requirements.txt @@ -7 +7,4 @@ -proliantutils>=2.14.0 +# NOTE(TheJulia): Proliantutils 2.16.0 moves to pysnmp-lextudio +# however that breaks on imports and with testing due to collission +# with pysnmp. +proliantutils>=2.14.0,<2.16.0 @@ -9 +12 @@ pysnmp>=4.3.0,<5.0.0 -python-scciclient>=0.12.2 +python-scciclient>=0.12.2,<0.14.0