[ironic][ops] Breaking change coming in the Victoria development cycle

Donny Davis donny at fortnebula.com
Mon Mar 30 22:14:41 UTC 2020


woot woot Security !!!

On Mon, Mar 30, 2020 at 5:27 PM Julia Kreger <juliaashleykreger at gmail.com> wrote:

> Greetings everyone,
>
> One of the items the ironic team has been focused on is improving
> security of remote/edge deployments where machines may be deployed on
> networks where an un-trusted actor could also be present.
>
> Our answer to this has been the concept of utilizing a temporary
> token[0] for the deployment, which we use to validate the agent
> heartbeat operations, and commands sent back to the agent ramdisk from
> the conductor. While not a complete solution to all possible attack
> vectors, it is a step forward and we will be taking more steps during
> the next cycle.
>
> For the Ussuri release, this functionality is always enabled, but is
> not explicitly required[1]. Deployments with older ramdisks that choose
> to require this capability must update their
> deployment/rescue/cleaning ramdisks to a version with a newer
> ironic-python-agent version from the Ussuri development cycle.
>
> In Victoria, the ironic team will change the default for requirement
> of agent tokens such that they are required by default. Pre-Ussuri
> agent ramdisks will no longer work and will need to be updated.
>
> Please let us know if you have any questions or concerns.
>
> -Julia
>
> [0]: https://docs.openstack.org/ironic/latest/admin/agent-token.html
> [1]: https://docs.openstack.org/ironic/latest/admin/agent-token.html#how-it-works

-- 
~/DonnyD
C: 805 814 6800
"No mission too difficult. No sacrifice too great. Duty First"
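A toy model of the heartbeat side of the agent-token scheme Julia describes, added here as an illustration and not ironic's own code: the conductor issues a random per-deployment token, the ramdisk agent echoes it on each heartbeat, and a hypothetical `require_agent_token` switch stands in for the Ussuri default (enabled, not required) versus the Victoria default (required), which is what makes pre-Ussuri ramdisks stop working. Class and function names are invented for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Conductor:
    """Toy conductor (not ironic's code): issues and checks per-deployment tokens."""
    # False models the Ussuri default (tokens enabled, not required);
    # True models Victoria, where token-less pre-Ussuri ramdisks are refused.
    require_agent_token: bool = False
    tokens: Dict[str, str] = field(default_factory=dict)  # node id -> token

    def start_deploy(self, node_uuid: str) -> str:
        """Issue a fresh random token that lives only for this deployment."""
        token = secrets.token_urlsafe(32)
        self.tokens[node_uuid] = token
        return token

    def heartbeat(self, node_uuid: str, agent_token: Optional[str]) -> bool:
        """Validate an agent heartbeat; True means the conductor accepts it."""
        if agent_token is None:
            # Old ramdisk that knows nothing about tokens.
            return not self.require_agent_token
        expected = self.tokens.get(node_uuid)
        if expected is None:
            return False  # token offered for a node we never issued one to
        # Constant-time compare so a wrong token cannot be confirmed byte by byte.
        return hmac.compare_digest(expected, agent_token)

    def finish_deploy(self, node_uuid: str) -> None:
        """The token is temporary: drop it once the deployment completes."""
        self.tokens.pop(node_uuid, None)


def simulate(require_token: bool) -> Dict[str, bool]:
    """One deployment with a new agent, a bad token and an old agent."""
    c = Conductor(require_agent_token=require_token)
    node = "node-a"  # constructed sample node id
    token = c.start_deploy(node)
    results = {
        "new_agent": c.heartbeat(node, token),
        "wrong_token": c.heartbeat(node, "not-the-token"),
        "old_agent": c.heartbeat(node, None),
    }
    c.finish_deploy(node)
    results["after_deploy"] = c.heartbeat(node, token)  # expired token
    return results
```

Running `simulate(False)` and `simulate(True)` side by side shows the only behavioural difference the announcement warns about: the token-less old agent is accepted under the Ussuri setting and refused under the Victoria one.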