We are pumped to announce the release of:

ironic 31.0.0

This release is part of the flamingo release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://bugs.launchpad.net/ironic/+bugs

For more details, please see below.

31.0.0
^^^^^^

New Features
************

* Added a new 'api-call' action plugin for Ironic inspection rules.
  This action allows triggering an HTTP GET request to a given URL
  when a rule matches successfully during node inspection. It is
  useful for integrating with external systems such as webhooks,
  alerting, or automation tools.

  The following options are supported:

  * url (required): The HTTP endpoint to call

  * timeout (optional, default: 5): Timeout in seconds

  * retries (optional, default: 3): Number of retries on failure

  * backoff_factor (optional, default: 0.3): Delay factor for retry
    attempts

  * headers, proxies (optional): Additional request configuration

  Retry applies to status codes 429, 500, 502, 503, and 504.

  Example rule:

      [
        {
          "description": "Trigger webhook after node inspection",
          "actions": [
            {
              "action": "api-call",
              "url": "http://example.com/hook",
              "timeout": 10,
              "retries": 5,
              "backoff_factor": 1
            }
          ]
        }
      ]

* Adds two new capabilities to the Redfish management interface for
  managing the BMC clock.

  1. A manual cleaning step "set_bmc_clock" that allows operators to
     set the BMC's hardware clock to a specific datetime (in ISO8601
     format), optionally including a datetimelocaloffset.

  2. An automated verify step "verify_bmc_clock" that compares the
     BMC's Redfish datetime to the system UTC time, and automatically
     updates the BMC clock if needed. Verification fails if the
     difference exceeds 1 second after the update.

  These steps help ensure BMC clock synchronization in baremetal
  environments where incorrect or drifting BMC clocks may lead to TLS
  certificate validation failures.
* Allows users to specify the verify_ca path for the corresponding
  driver through the "verify_ca" option under the "[<driver>]" section
  in the configuration. When "[driver_info]/<driver>_verify_ca" is
  specified as None or True, it will be replaced by the value of the
  "verify_ca" option. NOTE: The "idrac" driver uses the same options
  as the "redfish" driver.

* A new configuration option, "[api] response_validation", has been
  added. This allows operators to configure the behavior of
  "ironic-api" when a response fails schema validation.

* Ironic operators can now assign specific steps to run during
  automated cleaning instead of relying on the driver-based implicit
  steps typically used for automated cleaning.

  To generally opt in to this behavior, first set
  "[conductor]/automated_cleaning_step_source" to either 'hybrid' or
  'runbook'. A setting of 'autogenerated' (default) preserves
  existing behavior. Setting 'runbook' causes Ironic to attempt to
  find and use a configured runbook for automated cleaning, and fails
  cleaning if one is not found. The 'hybrid' setting causes Ironic to
  attempt to find and use a configured runbook for automated cleaning.
  If one is not found, we fall back to the default autogenerated
  cleaning.

  Configuration for cleaning runbooks is tiered to allow maximum
  flexibility; Ironic will try to find a cleaning runbook in the
  following places. Values representing the runbook name or the
  runbook UUID are accepted, and the most specific value found is
  used.

  First, "node.driver_info['cleaning_runbook']" is a node specific
  override, disabled by default. To enable it, set
  "[conductor]automated_cleaning_runbook_from_node" to True.

  Next, "[conductor]automated_cleaning_runbook_by_resource_class"
  allows you to map resource classes to the expected runbook for them
  to use in automated cleaning.

  The global default, and final fallback, is
  "[conductor]automated_cleaning_runbook".
  As with normal runbook usage, the runbook name must match an active
  trait in node.traits. This behavior can be changed by setting
  "[conductor]automated_cleaning_runbook_validate_traits" to False.

  A cleaning attempt that resolves to an incompatible runbook will
  cause an error and leave the node uncleaned in a clean fail state.

* Added a new configuration option
  "[conductor]error_on_ramdisk_config_inconsistency" to control how
  Ironic handles inconsistent kernel and ramdisk configurations.

  When "error_on_ramdisk_config_inconsistency" is set to "True",
  Ironic will raise a "MissingParameterValue" exception when it
  encounters inconsistent kernel/ramdisk configurations, such as:

  * A node's "driver_info" containing only "deploy_kernel" but missing
    "deploy_ramdisk" (or vice versa)

  * The "[conductor]deploy_kernel_by_arch" configuration having
    entries for architectures that are missing from
    "[conductor]deploy_ramdisk_by_arch" (or vice versa)

  * Similar inconsistencies with rescue kernel/ramdisk configurations

  When set to "False" (the default), Ironic will log warning messages
  about these inconsistencies but continue operation by falling back
  to global configuration values when possible.

  In a future Ironic release, the default of this value will be
  changed to True to enforce strict validation.

* Adds support for updating firmware of certain NIC interfaces to the
  "redfish" firmware interface.

* Start and end of dynamic step-based flows (automated cleaning,
  manual cleaning, servicing, and deploy steps) are now logged to Node
  History if "[conductor]record_step_flows_in_history" is enabled
  (default: "True"). This makes it easier to trace what steps were
  attempted when troubleshooting deployment failures. A second knob
  which is disabled by default,
  "[conductor]log_step_flows_to_syslog", allows emitting the same flow
  events, but to the service log.
* The REST API and JSON-RPC listeners now honour new options in their
  own config sections:

  * "[api]cert_file" / "[api]key_file"

  * "[json_rpc]cert_file" / "[json_rpc]key_file"

  This lets operators present different certificates for each endpoint
  without touching the global "[ssl]" block, which is now deprecated
  and will be removed in **2026.1**. Deployments that still rely on
  the global "[ssl]" section are advised to move the certificate
  settings to the per-service options.

Upgrade Notes
*************

* The configuration option *[DEFAULT]/graceful_shutdown_timeout* from
  *oslo.service* has been replaced by configuration option
  *[conductor]/graceful_shutdown_timeout*. The default value (*60*
  seconds) has not changed; operators using a custom value should
  update their configuration files to use the new option.

* The new "[conductor]error_on_ramdisk_config_inconsistency"
  configuration option defaults to "False" to maintain backward
  compatibility. Existing deployments with inconsistent kernel/ramdisk
  configurations will continue to work as before, with warning
  messages logged to help identify potential configuration issues.

  Operators who want strict validation of kernel/ramdisk
  configurations can set this option to "True", but should first
  review their configurations to ensure consistency across all node
  "driver_info" entries and architecture-specific configuration
  options.

  Ironic expects to enable strict validation of these values in a
  future release.

* All-in-one Ironic processes that use "rpc_transport=none" are
  switched to using JSON RPC over localhost on upgrade. This is
  because the current model is not compatible with the post-eventlet
  architecture.

  Make sure that local traffic is possible on port 8089. If not, you
  may change the port by modifying the "[json_rpc]port" option.

* Rootwrap support has been removed. Due to this removal, the
  following files and directories are no longer used, and should be
  removed.
  * "/etc/ironic/rootwrap.conf" file

  * "/etc/ironic/rootwrap.d" directory

  * "ironic-rootwrap" command

Deprecation Notes
*****************

* The configuration option *[DEFAULT]/graceful_shutdown_timeout* from
  *oslo.service* has been deprecated, replaced by
  *[conductor]/graceful_shutdown_timeout*. This change was triggered
  by the need to remove usage of eventlet.

* The SNMP hardware type and associated interfaces have been
  deprecated for removal in a future Ironic release. It currently
  depends on an outdated, unsupported library and unless it is
  migrated off that library by the end of the 2026.1 cycle it will be
  removed. Operators utilizing this driver will need to find an
  alternate way to manage their machines. Alternatively, the Ironic
  community welcomes contributions to keep this driver alive.

Security Issues
***************

* Update jinja2 to 3.1.6 in requirements to address CVE-2023-34064. A
  single location in code was updated to work with the new jinja2
  version.

* This change permits declarative cleaning via use of runbooks. Please
  note there is no validation that a runbook performs typical,
  expected cleaning actions such as a disk wipe. Operators should be
  careful to ensure they are using sufficient steps to securely wipe
  the system.

  Additionally, operators of multitenant Ironic clusters should be
  careful before setting
  "[conductor]automated_cleaning_runbook_from_node" to True, as it may
  permit a node owner to render cleaning ineffective. This is not a
  concern in deployments utilizing node.lessee via automated_lessee.

Bug Fixes
*********

* Include the Ethernet interface name (identity attribute) in
  inventory for inspection hooks.

  For the Redfish inspection flow to succeed, ensure that the Ethernet
  interface name is present in the inventory data. This is required
  for inspection hooks such as *validate-interfaces* to function
  correctly.
* [Bug 2092398 (https://bugs.launchpad.net/ironic/+bug/2092398)] Fixes
  an issue with node servicing/cleaning that caused the node to enter
  the *service failed* or *clean failed* state after doing a BMC
  firmware update, due to the BMC being unresponsive to requests
  during the update. Now when doing a BMC update, we wait some time
  before proceeding with the reboot to finish the update. The time is
  configurable and can be changed via the config option
  "[redfish]firmware_update_wait_unresponsive_bmc" (default, 300
  seconds) or by setting "firmware_update_unresponsive_bmc_wait" in
  the "driver-info".

* Fixes the Redfish sensor data output: previously any enum value
  would be treated as an object; now its value is treated as a
  string.

* Fixes an issue where a "null" or missing MTU value for
  network_data.json payloads in configuration drives forces a
  regeneration of the configuration drive. This behavior is enabled by
  default, and can be disabled by setting the
  "[conductor]disable_metadata_mtu_check" configuration option to
  "True". For more information, see bug 2110322
  (https://bugs.launchpad.net/ironic/+bug/2110322).

* Fixes schema validation by raising formatting and schema errors
  early during inspection rule creation, updates and execution.

* Adds support for standard comparison operators (*le*, *ge*, *ne*) to
  extend inspection rules capabilities for common logical conditions.

* The Ironic REST API and JSON-RPC endpoints are now served by
  "cheroot.wsgi.Server" instead of the deprecated "oslo_service.wsgi"
  / eventlet stack. Behaviour and CLI commands are unchanged.

* Removes the initial, unconditional reboot into ramdisk during
  servicing when not required by the specified service steps. This
  reduces the total number of reboots needed when performing
  servicing, speeding up the process.
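The runbook lookup order from the "New Features" entry, and the multitenant caveat from "Security Issues", modelled as an added example (not Ironic's own code). The `Conf` and `Node` classes, the helper names, and the trait/runbook names are constructed for illustration, and runbooks are identified by name only.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Conf:
    """Stand-in for the [conductor] options named in the release notes."""
    automated_cleaning_step_source: str = "autogenerated"
    automated_cleaning_runbook: Optional[str] = None
    automated_cleaning_runbook_by_resource_class: dict = field(default_factory=dict)
    automated_cleaning_runbook_from_node: bool = False
    automated_cleaning_runbook_validate_traits: bool = True


@dataclass
class Node:
    """Hypothetical minimal node record, constructed for this example."""
    resource_class: Optional[str] = None
    traits: tuple = ()
    driver_info: dict = field(default_factory=dict)


class CleanFailed(Exception):
    """Models the node being left in the clean fail state."""


def resolve_cleaning(conf, node):
    """Return ("autogenerated", None) or ("runbook", name); most specific wins."""
    mode = conf.automated_cleaning_step_source
    if mode == "autogenerated":
        return ("autogenerated", None)
    candidates = []
    if conf.automated_cleaning_runbook_from_node:  # node override, off by default
        candidates.append(node.driver_info.get("cleaning_runbook"))
    by_class = conf.automated_cleaning_runbook_by_resource_class
    candidates.append(by_class.get(node.resource_class))
    candidates.append(conf.automated_cleaning_runbook)  # global default, last
    runbook = next((c for c in candidates if c), None)
    if runbook is None:
        if mode == "hybrid":
            return ("autogenerated", None)  # fall back to autogenerated steps
        raise CleanFailed("no cleaning runbook configured")
    if conf.automated_cleaning_runbook_validate_traits and runbook not in node.traits:
        raise CleanFailed(f"runbook {runbook!r} does not match a node trait")
    return ("runbook", runbook)


def runbook_from_node_in_effect(conf, node):
    """Audit helper: True when the runbook in effect came from node.driver_info."""
    if not conf.automated_cleaning_runbook_from_node:
        return False
    chosen = resolve_cleaning(conf, node)[1]
    return chosen is not None and chosen == node.driver_info.get("cleaning_runbook")


# Constructed sample: operator maps class "gpu" to a wipe runbook; the node names another.
SAMPLE_NODE = Node("gpu", ("CUSTOM_WIPE_GPU", "CUSTOM_QUICK"),
                   {"cleaning_runbook": "CUSTOM_QUICK"})
SAMPLE_CONF = Conf("hybrid", "CUSTOM_WIPE_DEFAULT", {"gpu": "CUSTOM_WIPE_GPU"})
```

With the sample data the operator's resource-class mapping is used; enabling the node-level override makes the value in `driver_info` take precedence, which is the case the security note asks multitenant operators to review.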
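A pre-upgrade audit for the kernel/ramdisk inconsistencies that "[conductor]error_on_ramdisk_config_inconsistency" will reject once set to True, as an added example (not part of Ironic). It assumes the `_by_arch` options use a comma-separated `arch:value` format, that the rescue option and key names mirror the deploy ones named in the notes, and that node `driver_info` has been exported into a dict; the sample configuration and nodes are constructed.

```python
import configparser

# Kernel/ramdisk pairs that must be configured together.
PAIRS = (("deploy_kernel", "deploy_ramdisk"), ("rescue_kernel", "rescue_ramdisk"))


def _arch_keys(raw):
    """Architecture names from 'arch:value,arch:value' (split on the first colon)."""
    return {item.split(":", 1)[0].strip() for item in raw.split(",") if item.strip()}


def audit(ironic_conf_text, nodes):
    """Return findings, in check order, that strict validation would reject."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ironic_conf_text)
    cond = cp["conductor"] if cp.has_section("conductor") else {}
    findings = []
    for kernel, ramdisk in PAIRS:
        k_archs = _arch_keys(cond.get(f"{kernel}_by_arch", ""))
        r_archs = _arch_keys(cond.get(f"{ramdisk}_by_arch", ""))
        for arch in sorted(k_archs - r_archs):
            findings.append(f"[conductor]{ramdisk}_by_arch lacks {arch}")
        for arch in sorted(r_archs - k_archs):
            findings.append(f"[conductor]{kernel}_by_arch lacks {arch}")
        # A node must set both halves of a pair in driver_info, or neither.
        for name, driver_info in sorted(nodes.items()):
            has_k, has_r = kernel in driver_info, ramdisk in driver_info
            if has_k != has_r:
                missing = ramdisk if has_k else kernel
                findings.append(f"node {name}: driver_info lacks {missing}")
    return findings


# Constructed sample input: aarch64 has a kernel but no ramdisk, and node-a
# overrides only the deploy kernel.
SAMPLE_CONF_TEXT = """\
[conductor]
deploy_kernel_by_arch = x86_64:file:///img/ipa.kernel,aarch64:file:///img/ipa-arm.kernel
deploy_ramdisk_by_arch = x86_64:file:///img/ipa.initramfs
error_on_ramdisk_config_inconsistency = False
"""
SAMPLE_NODES = {
    "node-a": {"deploy_kernel": "file:///img/custom.kernel"},
    "node-b": {"rescue_kernel": "file:///img/r.kernel",
               "rescue_ramdisk": "file:///img/r.initramfs"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF_TEXT, SAMPLE_NODES):
        print(finding)
```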
Changes in ironic 30.0.0..31.0.0
--------------------------------

3106588d6 [docs] Update manual clean and verify steps
94948bb19 Add manual clean and automated verify steps to set BMC clock via Redfish Manager
65eb4ba37 Drop redundant geattr
38b15996c Fix inspection rules validation
0125c26ab Log executed steps during cleaning/servicing/deploy
3e39f8aae ci: mark failing jobs non-voting pending fixes/removal
1b2c01185 Skip initial reboot to IPA when updating firmware out-of-band
635849989 doc: Use dnsmasq to run tftp server
9d251bfa2 Drop remaining reference to openSUSE
153d425a5 [docs] Add NIC Firmware Update to Firmware Interface Docs
a4e7939b6 Clear `last_error` on power match/sync
383146475 Switch from local RPC to automated JSON RPC on localhost
489af188c Remove rootwrap
790f43337 Add interface name to inventory for inspection hooks
1b3e56699 Imported Translations from Zanata
4b17246f6 Remove focus from ironic-inspector in the documentation
5b4bce7c8 update Jinja2 to address CVE-2024-2383
03fd6f992 ci: stabilize ironic-standalone-redfish
259cc2331 Update firmware schema to require 'created_at' and 'updated_at' fields
bb0f6fe12 Stop short-cutting to local manager with all-in-one processes
0624d1987 Redfish Firmware Interface - NIC Support
276937a57 Cleanup tests for eventlet migration
abddd546f Fix names of steps in comments as per function
2411779ee Handle unresponsive BMC during Firmware Updates
65909e25a feat: add verify ca conf support for drivers
13df83eef Fix Sensor Data values
a2b18ca21 trivial: follow-up on I07172e48207e09c0858298e34eea038c776d3c74
0e0e73424 trivial: note ipmitool code which can be removed with eventlet
2be79d809 fix: handle unexpected 'loop' in actions field
205893fc4 Change the novncproxy service code to handle eventlet-lessness
c0a83a46a Stop using oslo.service graceful_shutdown_timeout
a986fbdcb Add `api-call` action for ironic inspection rule
5c4c32442 Add specific "use 24.04" note to devstack-guide
4aba6bcfc Revert "Replace license classifier"
ccbc47270 Increase memory allocation for ironic-base
a78697462 Make _by_arch ramdisk uses & validation consistent
c33f12329 Consider missing MTU invalid metadata
d4725c90a Eventlet: Migrate API & JSON-RPC to cheroot
d4cf0e76a Report provisioned state where appropiate when raising InvalidState* Exceptions
f2302d34e Added a FAQ on CI debugging, starts with network
965b2a53e PTG: Move CI job descriptions into yaml
b551ec5e1 [docs] Automated cleaning by runbook
febb6e24a Automated cleaning by runbook
046169527 Add missing space to log statement
b37ae4388 follow-up: post-review feedback fixes for network data fixes
bf9647502 fix: 'built_in' KeyError on invalid priority.
5b0134ea9 conf: Add '[api] response_validation' option
a2cbb3484 Advanced vmedia deployment test ops
6abe65110 Fix minor devstack issues
00f0a0316 Remove installation guide for openSUSE/SLES
dc6cd79a9 Mark SNMP driver unsupported for removal

Diffstat (except docs and test files)
-------------------------------------

devstack/lib/ironic | 96 ++-
.../include/configure-ironic-api-mod_wsgi.inc | 22 +-
.../install/include/configure-ironic-api.inc | 2 +-
.../install/include/configure-ironic-conductor.inc | 2 +-
.../include/configure-ironic-novncproxy.inc | 2 +-
.../include/configure-ironic-singleprocess.inc | 8 +-
etc/ironic/rootwrap.conf | 28 -
etc/ironic/rootwrap.d/ironic-utils.filters | 3 -
ironic/api/controllers/v1/inspection_rule.py | 20 +-
ironic/api/schemas/v1/firmware.py | 6 +-
ironic/api/validation/__init__.py | 32 +-
ironic/command/conductor.py | 44 ++
ironic/command/singleprocess.py | 3 +
ironic/common/auth_basic.py | 7 +
ironic/common/automated_clean_methods.py | 28 +
ironic/common/inspection_rules/actions.py | 51 ++
ironic/common/inspection_rules/operators.py | 18 +-
ironic/common/inspection_rules/validation.py | 13 +-
ironic/common/json_rpc/client.py | 10 +-
ironic/common/neutron.py | 7 +-
ironic/common/pxe_utils.py | 17 +-
ironic/common/rpc_service.py | 8 +-
ironic/common/tls_utils.py | 93 +++
ironic/common/wsgi_service.py | 102 ++-
ironic/conductor/base_manager.py | 16 +-
ironic/conductor/cleaning.py | 43 +-
ironic/conductor/configdrive_utils.py | 110 ++--
ironic/conductor/deployments.py | 24 +
ironic/conductor/local_rpc.py | 114 ++++
ironic/conductor/manager.py | 152 ++++-
ironic/conductor/rpc_service.py | 2 +-
ironic/conductor/rpcapi.py | 65 +-
ironic/conductor/servicing.py | 78 ++-
ironic/conductor/steps.py | 54 +-
ironic/conductor/utils.py | 61 +-
ironic/conf/__init__.py | 2 +
ironic/conf/api.py | 41 ++
ironic/conf/conductor.py | 115 +++-
ironic/conf/irmc.py | 3 +
ironic/conf/json_rpc.py | 7 +-
ironic/conf/local_rpc.py | 39 ++
ironic/conf/opts.py | 1 +
ironic/conf/redfish.py | 19 +
ironic/console/websocketproxy.py | 18 +-
ironic/drivers/base.py | 10 +-
ironic/drivers/modules/agent_base.py | 5 +-
ironic/drivers/modules/deploy_utils.py | 12 +-
ironic/drivers/modules/ipmitool.py | 1 +
ironic/drivers/modules/irmc/common.py | 3 +-
ironic/drivers/modules/network/noop.py | 2 -
ironic/drivers/modules/redfish/firmware.py | 60 +-
ironic/drivers/modules/redfish/firmware_utils.py | 5 +-
ironic/drivers/modules/redfish/inspect.py | 8 +-
ironic/drivers/modules/redfish/management.py | 106 +++-
ironic/drivers/modules/redfish/utils.py | 42 +-
ironic/drivers/snmp.py | 6 +
ironic/drivers/utils.py | 125 +++-
.../api/controllers/v1/test_inspection_rule.py | 8 +
.../drivers/modules/inspector/test_interface.py | 4 -
.../unit/drivers/modules/redfish/test_boot.py | 125 ++--
.../unit/drivers/modules/redfish/test_firmware.py | 162 ++++-
.../drivers/modules/redfish/test_firmware_utils.py | 72 +++
.../unit/drivers/modules/redfish/test_inspect.py | 106 +++-
.../drivers/modules/redfish/test_management.py | 699 +++++++++++++++------
.../unit/drivers/modules/redfish/test_utils.py | 10 +
...pi-call-inspection-action-985aee4347ed9217.yaml | 36 ++
...c-clock-clean-verify-step-6b70b04a618bf6e1.yaml | 17 +
...ify-ca-opt-for-driver-cfg-72284de9b2acd1ab.yaml | 8 + ...face-name-to-inspect-data-602cbf2a2e052ccd.yaml | 8 + .../address-CVE-2023-34064-f78745eab4f3d466.yaml | 5 + .../notes/api-validation-eface4a013c58a70.yaml | 6 + ...mated-cleaning-by-runbook-b5b4b1f0f51040b0.yaml | 43 ++ .../notes/bug-2092398-45f65c06a84d396a.yaml | 13 + .../notes/bug-2113877-fdb0c3a6ed8ee363.yaml | 5 + ...graceful-shutdown-timeout-db26a9194cf27bc2.yaml | 16 + ...consider-null-mtu-invalid-7fb35b7e85c8fc74.yaml | 10 + ...onsistent-ramdisk-configs-6a37ef69bf73cd2e.yaml | 38 ++ ...rface-support-nic-updates-429f3c6f62f9a0d4.yaml | 5 + ...n-rules-schema-validation-5cac6058d12ce030.yaml | 9 + releasenotes/notes/localrpc-403d72535e3e0048.yaml | 9 + ...-dynamic-step-based-flows-f0ef2f066f5d8127.yaml | 12 + ...-json-rpc-out-of-eventlet-4ef744d7601111d6.yaml | 21 + .../notes/remove-rootwrap-575dd46a25bbfc37.yaml | 9 + ...ace-metadata-when-invalid-c10a8c5add9151c8.yaml | 2 +- ...itial-reboot-into-ramdisk-c1840524832435c2.yaml | 7 + .../snmp-driver-deprecation-ac612cb6c9412e1e.yaml | 10 + .../locale/en_GB/LC_MESSAGES/releasenotes.po | 33 +- .../source/locale/ja/LC_MESSAGES/releasenotes.po | 159 ----- requirements.txt | 8 +- setup.cfg | 7 +- zuul.d/ironic-jobs.yaml | 238 ++++++- zuul.d/project.yaml | 20 +- 133 files changed, 4541 insertions(+), 1386 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index ecfb0cbe4..028e209a9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -17,2 +16,0 @@ oslo.db>=9.1.0 # Apache-2.0 -# TODO(dtantsur): remove rootwrap when we no longer provide ironic-rootwrap CLI -oslo.rootwrap>=5.8.0 # Apache-2.0 @@ -33 +31 @@ jsonpatch>=1.16 # BSD -Jinja2>=3.0.0 # BSD License (3 clause) +Jinja2>=3.1.6 # BSD License (3 clause) @@ -43 +41 @@ openstacksdk>=0.99.0 # Apache-2.0 -sushy>=4.8.0 +sushy>=5.7.0 @@ -51,0 +50,2 @@ PyYAML>=6.0.2 # MIT +cheroot>=10.0.1 # BSD +cryptography>=2.3 # BSD/Apache-2.0
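Review bot: The reason for the `Jinja2>=3.1.6` floor in the `@@ -33 +31 @@` hunk is recorded under two different identifiers on this page: CVE-2023-34064 in the Security Issues note and in the release-note file name, and CVE-2024-2383 in the subject of commit 5b4bce7c8. Reconcile the two so operators can match the bump to a single advisory, and consider naming that advisory in the trailing comment on the requirement line so the reason stays next to the pin.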
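Review bot: `sushy>=5.7.0` in the `@@ -43 +41 @@` hunk raises the floor across a major version (from 4.8.0) without a corresponding entry in Upgrade Notes, so packagers only learn of it from this diff; add an upgrade note stating the new minimum. The line also has no license comment, unlike the other requirement lines touched here (`# Apache-2.0`, `# BSD`), and since it is being rewritten anyway the tag can be added for consistency.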
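Review bot: `cryptography>=2.3` in the final hunk (`@@ -51,0 +50,2 @@`) is a very permissive floor for a new dependency that arrives in the same release as ironic/common/tls_utils.py and the per-service certificate options. Raise the minimum to the oldest version the new TLS code is actually tested against, so that an environment resolving to the stated floor is one that CI has exercised.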