We joyfully announce the release of: ironic 23.0.1: OpenStack Bare Metal Provisioning This release is part of the bobcat release series. The source is available from: https://opendev.org/openstack/ironic Download the package from: https://tarballs.openstack.org/ironic/ Please report issues through: https://storyboard.openstack.org/#!/project/943 For more details, please see below. 23.0.1 ^^^^^^ Bug Fixes * Fixes an issue with units tests that show this DeprecationWarning: The metaschema specified by $schema was not found. Using the latest draft to validate, but this will raise an error in the future. cls = validator_for(schema) Removed the warning for deprecated schema by using a new template. * Fixes the issue of service steps not starting due to servicing states (states.SERVICING and states.SERVICEWAIT) missing from _FASTTRACK_HEARTBEAT_ALLOWED constant. * Firmware components are now also cached on the transition to the "manageable" state in addition to cleaning. This is consisent with how BIOS settings, vendor and boot mode are cached. * Fixes the behavior of "file:///" image URLs pointing at a symlink. Ironic no longer creates a hard link to the symlink, which could cause confusing FileNotFoundError to happen if the symlink is relative. * Nodes no longer get stuck in cleaning when the firmware components caching code raises an unexpected exception. * Prevents a database constraints error on caching firmware components when a supported component does not have the current version. * Fixes an issue when listing allocations as a project scoped user when the legacy RBAC policies have been disabled which forced an HTTP 406 error being erroneously raised. Users attempting to list allocations with a specific owner, different from their own, will now receive an HTTP 403 error. * Properly eject the virtual media from a DVD device in case this is the only MediaType available from the Hardware, and Ironic requested CD as the device to be used. See bug 2039042 (https://bugs.launchpad.net/ironic/+bug/2039042) for details. * Fixes an issue where a System Scoped user could not trigger a node into a "manageable" state with cleaning enabled, as the Neutron client would attempt to utilize their user's token to create the Neutron port for the cleaning operation, as designed. This is because with requests made in the "system" scope, there is no associated project and the request fails. Ironic now checks if the request has been made with a "system" scope, and if so it utilizes the internal credential configuration to communicate with Neutron. * When configured to listen on a unix socket, Ironic will now properly cleanup the unix socket on a clean service stop. * The "idrac" hardware type is now compatible with the "redfish" firmware interface. The link between them was missing initially. * Fixes issues with Lenovo hardware where the system firmware may display a blue "Boot Option Restoration" screen after the agent writes an image to the host in UEFI boot mode, requiring manual intervention before the deployed node boots. This issue is rooted in multiple changes being made to the underlying NVRAM configuration of the node. Lenovo engineers have suggested to *only* change the UEFI NVRAM and not perform any further changes via the BMC to configure the next boot. Ironic now does such on Lenovo hardware. More information and background on this issue can be discovered in bug 2053064 (https://bugs.launchpad.net/ironic/+bug/2053064). * When Ironic hits the limit on the number of the concurrent deploys (specified in the "[conductor]max_concurrent_deploy" option), the resulting HTTP code is now 503 instead of the more generic 500. * The per-node "external_http_url" setting in the driver info is now used for a boot ISO. Previously this setting was only used for a config floppy. * Fixes an issue where the conductor service would fail to launch when the "neutron" network_interface setting was enabled, and no global "cleaning_network" or "provisioning_network" is set in *ironic.conf.* These settings have long been able to be applied on a per-node basis via the API. As such, the service can now be started and will error on node validation calls, as designed for drivers missing networking parameters. * When configuring secure boot via Redfish, internal server errors are now retried for a longer period than by default, accounting for the SecureBoot resource unavailability during configuration on some hardware. * Fixes Raid creation issue in iLO6 and other BMC with latest schema by removing 'VolumeType', 'Encrypted' and changing placement of 'Drives' to inside 'Links'. * Provides a fix for "service" role support to enable the use case where a dedicated service project is used for cloud service operation to facilitate actions as part of the operation of the cloud infrastructure. OpenStack clouds can take a variety of configuration models for service accounts. It is now possible to utilize the "[DEFAULT] rbac_service_role_elevated_access" setting to enable users with a "service" role in a dedicated "service" project to act upon the API similar to a "System" scoped "Member" where resources regardless of "owner" or "lessee" settings are available. This is needed to enable synchronization processes, such as "nova-compute" or the "networking-baremetal" ML2 plugin to perform actions across the whole of an Ironic deployment, if desirable where a "System" scoped user is also undesirable. This functionality can be tuned to utilize a customized project name aside from the default convention "service", for example "baremetal" or "admin", utilizing the "[DEFAULT] rbac_service_project_name" setting. Operators can alternatively entirely override the "service_role" RBAC policy rule, if so desired, however Ironic feels the default is both reasonable and delineates sufficiently for the variety of Role Based Access Control usage cases which can exist with a running Ironic deployment. * Fixes service steps that rely on a reboot. Previously, the reboot was not properly recognized in the conductor logic. Changes in ironic 23.0.0..23.0.1 -------------------------------- cd17bc024 Add states.SERVICING and SERVICEWAIT to _FASTTRACK_HEARTBEAT_ALLOWED 42b332a07 Remove deprecation warning by setting schema 0617163c3 Fix the confusion around service_reboot/servicing_reboot 5240ae78c Fix servicing clean-up 0d9e903f4 Marking metalsmith legacy job as non-voting a7cbe13fd Fix get_async_step_return_state to account for servicing 92ae4448b ci: pin CI to dnsmasq 2.85 45d17c4ab Special case lenovo UEFI boot setup 606edbd13 neutron: do not error if no cleaning/provisioning on launch 0379f4af8 Fix service role support 4895c687b Kickstart: Don't error unit tests ksvalidate is present 8e7576223 RedfishFirmwareInterface - Unit Tests & More logs 5c1f85835 Cache firwmare components on the transition to "manageable" e9dd47e2d Fix two severe errors in the firmware caching code aec3c072c Stop using a specific mirror in infra f75933240 Don't create a hardlink to a symlink when handling file:// URLs ab5a5f6a1 Revert "Revert "RBAC: Fix allocation check"" to use Unauthorized 7bfc9e3f8 Fix system scoped manageable node network failure 11c7d6c96 Do not log lack of metrics support at WARNING lvl bd098796f [Backport] Fixes Raid creation in iLO6 and other BMC with latest schema 47522a71c Fix log message var reference 7775cf3da Handle internal server errors while configuring secure boot af85c2076 Properly cleanup unix sockets in wsgi_service d385c4a4d Add missing compatibility between idrac and redfish firmware c6089dc5e Use per-node external_http_url for boot ISO 235e6ccb9 Make sure we eject media from DVD when CD is requested 39578d919 Fix the HTTP code for reaching max_concurrent_deploy: 503 instead of 500 7a6e89316 Do not store ramdisk logs as part of the inventory da4e1c982 Update TOX_CONSTRAINTS_FILE for stable/2023.2 6b40719e1 Update .gitreview for stable/2023.2 Diffstat (except docs and test files) ------------------------------------- .gitreview | 1 + devstack/lib/ironic | 26 +- ironic/api/controllers/v1/allocation.py | 13 +- ironic/common/async_steps.py | 168 ++++++ ironic/common/context.py | 7 + ironic/common/exception.py | 2 +- ironic/common/image_service.py | 16 +- ironic/common/neutron.py | 6 +- ironic/common/policy.py | 36 +- ironic/common/states.py | 5 + ironic/common/wsgi_service.py | 2 +- ironic/conductor/cleaning.py | 16 +- ironic/conductor/deployments.py | 12 +- ironic/conductor/inspection.py | 3 + ironic/conductor/manager.py | 6 +- ironic/conductor/servicing.py | 12 +- ironic/conductor/utils.py | 67 ++- ironic/conductor/verify.py | 8 +- ironic/conf/default.py | 36 ++ ironic/drivers/drac.py | 5 + ironic/drivers/modules/agent.py | 8 +- ironic/drivers/modules/agent_base.py | 60 +- ironic/drivers/modules/deploy_utils.py | 88 +-- ironic/drivers/modules/image_utils.py | 3 +- ironic/drivers/modules/network/neutron.py | 18 +- ironic/drivers/modules/pxe_base.py | 13 + ironic/drivers/modules/redfish/boot.py | 19 +- ironic/drivers/modules/redfish/firmware.py | 45 +- ironic/drivers/modules/redfish/firmware_utils.py | 8 +- ironic/drivers/modules/redfish/management.py | 14 +- ironic/drivers/modules/redfish/raid.py | 20 +- ironic/drivers/modules/redfish/utils.py | 11 + .../unit/api/controllers/v1/test_allocation.py | 11 + .../unit/drivers/modules/drac/test_management.py | 9 +- .../unit/drivers/modules/network/test_neutron.py | 12 +- .../unit/drivers/modules/redfish/test_boot.py | 44 +- .../unit/drivers/modules/redfish/test_firmware.py | 659 +++++++++++++++++++++ .../drivers/modules/redfish/test_management.py | 25 +- .../unit/drivers/modules/redfish/test_raid.py | 95 +-- .../unit/drivers/modules/test_deploy_utils.py | 5 +- releasenotes/notes/2061160-5e080a17ae31fb53.yaml | 8 + ...ng-to-heartbeat-fasttrack-85863df34ece6401.yaml | 6 + ...cache-firmware-components-485b3343ba1db5ee.yaml | 6 + .../notes/file-symlink-b65bd6b407bd1683.yaml | 6 + .../notes/firmware-fail-c6f6c70220373033.yaml | 8 + ...ocation-exception-on-list-c04e93fb9cace218.yaml | 8 + .../fix-eject-media-dvd-b1994446ea71be9c.yaml | 8 + ...tem-scope-triggered-clean-22ada9b920c08365.yaml | 12 + .../fix-unix-socket-support-eaa0e350f4bfaf56.yaml | 3 + .../notes/idrac-firmware-3839648d729d9c7c.yaml | 5 + ...boot-to-disk-calls-lenovo-39763bfc98f602d8.yaml | 13 + .../max_concurrent_deploy-7a31ba142bf5ad5c.yaml | 6 + ...ode-iso-external_http_url-c5e3fa9ae4960dd6.yaml | 5 + ...-without-neutron-networks-d4aa21654f9c07bf.yaml | 9 + .../notes/redfish-500-fea3a8f86c0aecc7.yaml | 6 + ...redfish-fix-raid-creation-f437066b1301c032.yaml | 6 + ...-project-service-role-fix-e4d1a8c23856926a.yaml | 41 ++ .../notes/servicing-reboot-502f474a01f937a8.yaml | 5 + tox.ini | 10 +- zuul.d/ironic-jobs.yaml | 4 +- zuul.d/project.yaml | 8 +- 72 files changed, 1792 insertions(+), 409 deletions(-)