[ironic][ops] Breaking change coming in the Victoria development cycle
donny at fortnebula.com
Mon Mar 30 22:14:41 UTC 2020
woot woot Security !!!
On Mon, Mar 30, 2020 at 5:27 PM Julia Kreger <juliaashleykreger at gmail.com>
> Greetings everyone,
> One of the items the ironic team has been focused on is improving
> security of remote/edge deployments where machines may be deployed on
> networks where an untrusted actor could also be present.
> Our answer to this has been the concept of utilizing a temporary
> token for the deployment, which we use to validate the agent
> heartbeat operations, and commands sent back to the agent ramdisk from
> the conductor. While not a complete solution to all possible attack
> vectors, it is a step forward and we will be taking more steps during
> the next cycle.
> For the Ussuri release, this functionality is always enabled, but is
> not explicitly required. Deployments with older ramdisks that
> choose to require this capability must update their
> deployment/rescue/cleaning ramdisks to a version with a newer
> ironic-python-agent version from the Ussuri development cycle.
> In Victoria, the ironic team will change the default for requirement
> of agent tokens such that they are required by default. Pre-Ussuri
> agent ramdisks will no longer work and will need to be updated.
> Please let us know if you have any questions or concerns.
> : https://docs.openstack.org/ironic/latest/admin/agent-token.html
C: 805 814 6800
"No mission too difficult. No sacrifice too great. Duty First"
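
Added illustration, not part of either message and not ironic's own code: a simplified Python model of the announced change, showing a heartbeat from a pre-Ussuri ramdisk (which sends no token) being accepted while tokens are optional and rejected once they are required. The Conductor class, the require_agent_token flag as used here, and the node name are assumptions made for this sketch.

```python
import hmac
import secrets


class Conductor:
    """Toy model of the conductor side; not ironic's implementation."""

    def __init__(self, require_agent_token):
        # Hypothetical flag standing in for the default that changes in Victoria.
        self.require_agent_token = require_agent_token
        self._tokens = {}  # node id -> temporary token for this deployment

    def issue_token(self, node):
        """Create the temporary token handed to a token-aware ramdisk."""
        token = secrets.token_urlsafe(32)
        self._tokens[node] = token
        return token

    def heartbeat(self, node, agent_token=None):
        """Return True if the heartbeat is accepted."""
        if agent_token is None:
            # Assumption: a pre-Ussuri ramdisk sends no token at all.
            return not self.require_agent_token
        expected = self._tokens.get(node)
        if expected is None:
            return False
        # Constant-time comparison avoids leaking how much of a guess matched.
        return hmac.compare_digest(agent_token.encode(), expected.encode())

    def finish_deployment(self, node):
        """The token is temporary: drop it when the deployment ends."""
        self._tokens.pop(node, None)


def demo():
    results = {}
    for release, required in (("ussuri", False), ("victoria", True)):
        c = Conductor(require_agent_token=required)
        good = c.issue_token("node-1")  # constructed node name
        results[release] = {
            "new_ramdisk": c.heartbeat("node-1", good),
            "forged_token": c.heartbeat("node-1", "guess"),
            "old_ramdisk": c.heartbeat("node-1"),
        }
        c.finish_deployment("node-1")
        results[release]["after_deploy"] = c.heartbeat("node-1", good)
    return results


if __name__ == "__main__":
    for release, outcome in demo().items():
        print(release, outcome)
```

Only the old_ramdisk result differs between the two runs, which is the operational impact of the default change: ramdisk images have to be rebuilt with a newer ironic-python-agent before the requirement is turned on.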