We are psyched to announce the release of:

ironic 26.1.2

This release is part of the dalmatian release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://bugs.launchpad.net/ironic/+bugs

For more details, please see below.

26.1.2
^^^^^^

Security Issues
***************

* Fixes OSSA-2025-001, where Ironic did not properly filter file:// paths when used as image sources. This would permit any file accessible by the conductor to be used as an image to attempt deployment. Adds "CONF.conductor.file_url_allowed_paths", an allowlist configuration option defaulting to "/var/lib/ironic", "/shared/html", "/opt/cache/files", "/vagrant", and "/templates", which permits operators to further restrict where the conductor will fetch images from when provided a file:// URL. This default value was chosen based on known usage by projects downstream of Ironic, including Metal3, Bifrost, and OpenShift. These defaults may change to be more restrictive at a later date. Operators using file:// URLs are encouraged to explicitly set this value even if the current default is sufficient. Operators wishing to fully disable the ability to deploy with a file:// URL should set this configuration to "" (empty). Operators wishing to restore the original insecure behavior should set "CONF.conductor.file_url_allowed_paths" to "/". Take note that in the 2025.2 release and later, "/dev", "/sys", "/proc", "/run", and "/etc" will be unconditionally blocked as a security measure. This issue only poses a significant security risk when Ironic's automated cleaning process is disabled and the service is configured in such a way that permits direct deployment by an untrusted API user, such as standalone Ironic installations or environments granting ownership of nodes to projects.
Bug Fixes
*********

* The set of strings used to detect cipher suite version related errors in the "ipmitool" command was expanded. If the string "Error in open session response message : invalid role" is contained in the output of a failed "ipmitool" command execution, such an error will now also be considered cipher-related, and the command will be retried with another cipher suite version if Ironic is configured to do so. See bug 2085137 (https://launchpad.net/bugs/2085137) for more details.

* When changing from glanceclient to the OpenStack SDK to communicate with Glance, a bug was introduced in reading image properties, causing the Anaconda deploy interface to be unable to use Glance images. Other deploy interfaces continued to function but could have had some properties not take effect. See bug 2099275 (https://bugs.launchpad.net/ironic/+bug/2099953) for more details.

* Fixes step validation where some of the reserved step names, "hold" and "wait", were not being properly handled by the step validation code.

* Fixes an issue where operators executing a complex arrangement of steps that includes both out-of-band and in-band steps, for example a hardware RAID "create_configuration" step followed by in-band steps inside the agent, would effectively get the agent stuck in a "wait" state in the Cleaning, Servicing, or Deploying workflows. This was related to the way out-of-band steps are executed and monitored. Before starting to execute a new step, Ironic now clears the polling lockout flag for the workflow being executed to prevent the agent from getting stuck. For more information, please see bug 2096938 (https://bugs.launchpad.net/ironic/+bug/2096938).
* Fixes newly added policy rules, "baremetal:node:set_provision_state:clean_steps" and "baremetal:node:set_provision_state:service_steps", which impacted "project scoped" users utilizing the "2024.2" release of Ironic when they attempted to invoke "service" or "clean" provision state commands. This was due to a misunderstanding of the correct policy checker to invoke, and additional testing has been added around these functions to ensure they work as expected moving forward.

* Some vendors insist that floppy images must be 1440 KiB in size and that the file name ends with ".img". Make it so.

* Includes the agent token parameter in get command status requests, as the endpoint now requires authentication.

* The configuration option "[inspector]power_off" is now actually ignored for nodes with fast track enabled, as documented in its help.

* Fixes the built-in in-band inspection implementation to power off the node after aborting inspection at the user's request, unless the node is in fast track mode or "[inspector]power_off" is set to "False".

* The fix for CVE-2024-47211 results in an image checksum being required in all cases. However, there is no checksum requirement for file:// based images. When the checksum is missing for a file:// based image_source, it is now calculated on the fly.

* Fixes an error within the redfish session cache when no "redfish_password" is specified. See bug 2097019 (https://bugs.launchpad.net/ironic/+bug/2097019).

* Updates the node cache after successful servicing and cleaning. This ensures the node information is correctly updated in the database.
Changes in ironic 26.1.1..26.1.2
--------------------------------

e18bbe3af OSSA-2025-001: Disallow unsafe image file:// paths
6b8e25234 [stable-only] Fix errors building docs
651d77537 fix glance metadata layout
bc565cf54 Make floppy images more floppy
5aa51d698 Pass agent token to get command results
3fec72442 Expand detected strings in check_cipher_suite_errors
0911ecae4 Fix agent from being locked out with complex steps
60248a0b8 Fix redfish session cache on missing password
3c27ebcc1 Fix hold/wait step logic in step validation
187337bc4 stable-only: Drop ironic-tox-codespell job
d1872d7fc Calculate missing checksum for file:// based images
684dd6107 Update Node Cache after Successful Clean/Service
38d94ca3a Use specific fix-commit from dnsmasq
1ed8b772b Fix policy checks added with runbooks
94a72b7a7 [stable-only] [ci] Remove metal3 job
2a29676ea Actually ignore [inspector]power_off with fast track
577971afd add qemu-img to necessary dependency list
f5ba0c8ae Gracefully handle bad request exception
e3437d7c9 Fix actual size calculation for storage fallback logic

Diffstat (except docs and test files)
-------------------------------------

devstack/lib/ironic | 18 +-
ironic/api/controllers/v1/node.py | 31 ++-
ironic/api/controllers/v1/portgroup.py | 2 +
ironic/common/async_steps.py | 6 +-
ironic/common/checksum_utils.py | 15 +-
ironic/common/glance_service/service_utils.py | 18 +-
ironic/common/image_service.py | 22 ++-
ironic/common/images.py | 2 +-
ironic/conductor/cleaning.py | 6 +
ironic/conductor/deployments.py | 4 +
ironic/conductor/manager.py | 9 +-
ironic/conductor/servicing.py | 7 +
ironic/conductor/steps.py | 3 +-
ironic/conf/conductor.py | 15 ++
ironic/conf/types.py | 55 ++++++
ironic/drivers/modules/agent_client.py | 6 +
ironic/drivers/modules/image_utils.py | 8 +-
ironic/drivers/modules/inspector/agent.py | 23 +--
ironic/drivers/modules/inspector/interface.py | 39 ++--
ironic/drivers/modules/ipmitool.py | 8 +-
ironic/drivers/modules/redfish/utils.py | 6 +-
.../unit/drivers/modules/inspector/test_agent.py | 52 ++++-
.../drivers/modules/inspector/test_interface.py | 210 ++++++++++-----------
.../unit/drivers/modules/test_agent_client.py | 6 +-
.../unit/drivers/modules/test_deploy_utils.py | 12 ++
...ion-ipmitools-cipher-fail-1503b4e319e77ed8.yaml | 11 ++
...ce-image-properties-check-2a11337c9e517a5c.yaml | 10 +
...x-hold-wait-service-steps-37dc91fd7393b180.yaml | 5 +
...polling-lockout-for-steps-b9645f0cae18da1e.yaml | 13 ++
...provision-state-subpolicy-13ae3ef7497d20c1.yaml | 12 ++
.../floppy-image-quirks-32e14d32a37b0742.yaml | 5 +
...ent-token-to-get-requests-982bacce85d95ce8.yaml | 5 +
.../notes/inspect-off-099e3c73edaf6082.yaml | 9 +
.../missing_file_checksum-4931c98031951486.yaml | 7 +
...sallow-unsafe-image-paths-670fdcfe3e4647d4.yaml | 29 +++
...sh-allow-missing-password-ce4fb161d35a6850.yaml | 6 +
...essful-servicing-cleaning-7433c493e31742b0.yaml | 6 +
tools/config/ironic-config-generator.conf | 1 -
tox.ini | 2 +-
zuul.d/ironic-jobs.yaml | 7 -
zuul.d/project.yaml | 10 -
59 files changed, 823 insertions(+), 269 deletions(-)