We are jazzed to announce the release of:

ironic 29.0.2

This release is part of the epoxy release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://bugs.launchpad.net/ironic/+bugs

For more details, please see below.

29.0.2
^^^^^^

Security Issues

* Fixes OSSA-2025-001, where Ironic did not properly filter file:// paths when used as image sources. This would permit any file accessible by the conductor to be used as an image to attempt deployment.

  Adds "CONF.conductor.file_url_allowed_paths", an allowlist configuration defaulting to "/var/lib/ironic", "/shared/html", "/opt/cache/files", "/vagrant", and "/templates", which permits operators to further restrict where the conductor will fetch images from when provided a file:// URL. This default value was chosen based on known usage by projects downstream of Ironic, including Metal3, Bifrost, and OpenShift. These defaults may change to be more restrictive at a later date. Operators using file:// URLs are encouraged to explicitly set this value even if the current default is sufficient.

  Operators wishing to fully disable the ability to deploy with a file:// URL should set this configuration to "" (empty). Operators wishing to restore the original insecure behavior should set "CONF.conductor.file_url_allowed_paths" to "/". Take note that in the 2025.2 release and later, "/dev", "/sys", "/proc", "/run", and "/etc" will be unconditionally blocked as a security measure.

  This issue only poses a significant security risk when Ironic's automated cleaning process is disabled and the service is configured in such a way that permits direct deployment by an untrusted API user, such as standalone Ironic installations or environments granting ownership of nodes to projects.
Changes in ironic 29.0.1..29.0.2
--------------------------------

0506aae0c OSSA-2025-001: Disallow unsafe image file:// paths


Diffstat (except docs and test files)
-------------------------------------

ironic/common/image_service.py                     | 22 +++++++-
ironic/conf/conductor.py                           | 15 ++++++
ironic/conf/types.py                               | 55 +++++++++++++++++++
...sallow-unsafe-image-paths-670fdcfe3e4647d4.yaml | 29 ++++++++++
8 files changed, 269 insertions(+), 10 deletions(-)
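To make the allowlist semantics above concrete, here is an added illustration (not Ironic's own code from ironic/common/image_service.py or ironic/conf/types.py) of how a conductor-side check for a file:// image URL can enforce such an allowlist. It canonicalises the path before comparing so that ".." segments, percent-encoding and symlinks cannot escape an allowed directory, matches on whole path components so "/var/lib/ironic_evil" is not treated as being under "/var/lib/ironic", and also applies the unconditional block list the note says 2025.2 will add; the function and helper names are assumptions for this example.

```python
import os
from urllib.parse import unquote, urlparse

# Default allowlist named in the 29.0.2 release note.
DEFAULT_ALLOWED_PATHS = ["/var/lib/ironic", "/shared/html", "/opt/cache/files",
                         "/vagrant", "/templates"]
# Prefixes the note says will be blocked unconditionally from 2025.2 onward.
ALWAYS_BLOCKED = ["/dev", "/sys", "/proc", "/run", "/etc"]


def _is_under(path, prefix):
    """True if `path` equals `prefix` or lies beneath it, component-wise."""
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def file_url_is_allowed(url, allowed_paths=DEFAULT_ALLOWED_PATHS,
                        resolve=os.path.realpath):
    """Decide whether a file:// image URL may be read by the conductor.

    `resolve` canonicalises the path; os.path.realpath follows symlinks and
    collapses '..', which is what a real deployment should use. An empty
    allowlist (the "" setting in the note) disables file:// sources entirely.
    """
    parsed = urlparse(url)
    if parsed.scheme != "file" or parsed.netloc not in ("", "localhost"):
        return False
    path = unquote(parsed.path)          # decode %2e%2e-style tricks first
    if not path.startswith("/"):
        return False
    canonical = resolve(path)            # then normalise before any compare
    if any(_is_under(canonical, b) for b in ALWAYS_BLOCKED):
        return False
    return any(_is_under(canonical, a) for a in allowed_paths if a)


def check_without_fs(url, allowed_paths=DEFAULT_ALLOWED_PATHS):
    """Same check with os.path.normpath, so it runs offline deterministically."""
    return file_url_is_allowed(url, allowed_paths, resolve=os.path.normpath)


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real deployment.
    for u in ["file:///var/lib/ironic/images/ubuntu.qcow2",
              "file:///var/lib/ironic/../../../etc/shadow",
              "file:///var/lib/ironic_evil/x.qcow2"]:
        print(u, "->", "allowed" if check_without_fs(u) else "rejected")
```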