[release-announce] ironic 20.1.2 (yoga)

no-reply at openstack.org no-reply at openstack.org
Thu Sep 21 11:28:56 UTC 2023


We enthusiastically announce the release of:

ironic 20.1.2: OpenStack Bare Metal Provisioning

This release is part of the yoga stable release series.

The source is available from:

    https://opendev.org/openstack/ironic

Download the package from:

    https://tarballs.openstack.org/ironic/

Please report issues through:

    https://storyboard.openstack.org/#!/project/943

For more details, please see below.

20.1.2
^^^^^^


Upgrade Notes
*************

* Adds "sha256", "sha384" and "sha512" as supported SNMPv3
  authentication protocols to iRMC driver.


Bug Fixes
*********

* Fixes Ironic integration with Cinder, which was affected by changes
  made as part of the recent security-related fix in bug 2004555
  (https://launchpad.net/bugs/2004555). The work in Ironic to track
  this fix was logged in bug 2019892
  (https://bugs.launchpad.net/ironic/+bug/2019892). Ironic now sends a
  service token to Cinder, which allows the access restrictions added
  as part of the original CVE-2023-2088 fix to be appropriately
  bypassed. Ironic was not vulnerable, but the restrictions added as a
  result did impact Ironic's usage. This is because Ironic volume
  attachments are not on a shared "compute node", but instead mapped
  to the physical machines, and Ironic handles the attachment
  life-cycle after initial attachment.

* When aborting cleaning, the "last_error" field is no longer
  initially empty. It is now populated on the state transition to
  "clean failed".

* When cleaning or deployment fails, the "last_error" field is no
  longer temporarily set to "None" while the power off action is
  running.

* Fixes an issue where, if SELinux is enabled and enforcing and the
  published image is a hardlink, the source SELinux context is
  preserved, causing access to be denied when retrieving the image
  using the hardlink URL.

* Fixes a bug in the iRMC driver's parse_driver_info where, if FIPS is
  enabled, the SNMP version is always required to be version 3 even
  though the iRMC driver's xxx_interface doesn't actually use SNMP.

* Fixes "'NoneType' object is not iterable" in conductor logs for
  "redfish" and "idrac-redfish" RAID clean and deploy steps. The
  message should no longer appear. For affected nodes, re-create the
  node or delete the "raid_configs" entry from the
  "driver_internal_info" field.

* Fixes an issue in the online upgrade logic where database models
  for Node Traits and BIOS Settings resulted in an error when
  performing the online data migration. This was because these tables
  were originally created as extensions of the Nodes database table,
  and the schema of the database was different enough to result in an
  error if there was data to migrate in these tables upon upgrade,
  which would have occurred if an early BIOS Setting adopter had data
  in the database prior to upgrading to the Yoga release of Ironic.

  The online upgrade parameter now substitutes an alternate primary
  key name when applicable.

* Fixes SNMPv3 message authentication and encryption functionality
  of the iRMC driver. SNMPv3 authentication between the iRMC driver
  and iRMC used only the security name, with no passwords or
  encryption. To increase security, the following parameters are now
  added to the node's "driver_info", and can be used for
  authentication:

  * "irmc_snmp_user"

  * "irmc_snmp_auth_password"

  * "irmc_snmp_priv_password"

  * "irmc_snmp_auth_proto" (Optional, defaults to "sha")

  * "irmc_snmp_priv_proto" (Optional, defaults to "aes")

  "irmc_snmp_user" replaces "irmc_snmp_security". "irmc_snmp_security"
  will be ignored if "irmc_snmp_user" is set. "irmc_snmp_auth_proto"
  and "irmc_snmp_priv_proto" can also be set through the following
  options in the "[irmc]" section of "/etc/ironic/ironic.conf":

  * "snmp_auth_proto"

  * "snmp_priv_proto"

* Fixes a race condition in PXE initialization where the logic that
  retries what we suspect are potentially failed PXE boot operations
  was not checking whether an "agent token" had been established,
  which is the very first step in agent initialization.

* Fixes an issue where an agent token was being orphaned if a
  baremetal node timed out during cleaning operations, leading to
  issues where the node would not be able to establish a new token
  with Ironic in the future in some cases. We now always wipe the
  token in this case.
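
An audit of node "driver_info" against the iRMC SNMPv3 note above, as an added example that is not part of the Ironic code base or of this announcement. Parameter names and defaults come from the note; the function names, the sample nodes and the lookup order (node value, then "[irmc]" option, then default) are assumptions.

```python
# Added example: check one node's driver_info against the iRMC SNMPv3 note.
# Parameter names and defaults are from the release note; data is constructed.
NAMED_AUTH_PROTOS = {"sha", "sha256", "sha384", "sha512"}
DEFAULTS = {"auth": "sha", "priv": "aes"}


def effective_proto(kind, driver_info, conf_irmc):
    """Assumed precedence: node driver_info, then [irmc] option, then default."""
    return (driver_info.get(f"irmc_snmp_{kind}_proto")
            or conf_irmc.get(f"snmp_{kind}_proto")
            or DEFAULTS[kind])


def audit_irmc_snmpv3(driver_info, conf_irmc=None):
    """Return (effective settings, findings) for a node assumed to use SNMPv3."""
    conf_irmc = conf_irmc or {}
    findings = []
    user = driver_info.get("irmc_snmp_user")
    legacy = driver_info.get("irmc_snmp_security")
    if user and legacy:
        findings.append("irmc_snmp_security is ignored: irmc_snmp_user is set")
    elif legacy:
        findings.append("only legacy irmc_snmp_security is set")
    elif not user:
        findings.append("no SNMPv3 user is set")
    for param in ("irmc_snmp_auth_password", "irmc_snmp_priv_password"):
        if not driver_info.get(param):
            findings.append(f"{param} is not set")
    settings = {
        "user": user or legacy,
        "auth_proto": effective_proto("auth", driver_info, conf_irmc),
        "priv_proto": effective_proto("priv", driver_info, conf_irmc),
    }
    if settings["auth_proto"] not in NAMED_AUTH_PROTOS:
        findings.append(f"auth protocol {settings['auth_proto']!r} is not "
                        "one the release notes name")
    return settings, findings


# Constructed sample nodes (not real data).
LEGACY_NODE = {"irmc_snmp_security": "ops"}
MIGRATED_NODE = {
    "irmc_snmp_user": "ops", "irmc_snmp_security": "ops",
    "irmc_snmp_auth_password": "example-auth-pass",
    "irmc_snmp_priv_password": "example-priv-pass",
}

if __name__ == "__main__":
    for name, info in (("legacy", LEGACY_NODE), ("migrated", MIGRATED_NODE)):
        print(name, audit_irmc_snmpv3(info, {"snmp_auth_proto": "sha256"}))
```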


Other Notes
***********

* Updates the minimum version of "python-scciclient" library to
  "0.12.2".

Changes in ironic 20.1.1..20.1.2
--------------------------------

72d124856 [iRMC] Fix parse_driver_info bug enforcing SNMP v3 under FIPS mode
4ec0ee677 [ci] [stable-only] Cinder fixed; make BFV job vote
d1ad9e8d0 [stable-only] [CI] BFV, RBAC jobs marked non-voting
94358e471 Fix Cinder Integration fallout from CVE-2023-2088
ad227de24 Fix online upgrades for Bios/Traits
59cdb9aeb Wipe Agent Token when cleaning timeout occcurs
92c187a32 Do not move nodes to CLEAN FAILED with empty last_error
e5267b58e Move and fix reno config for releasenotes job
31a0b0c1d Fix selinux context of published image hardlink
959fc9163 Fix "'NoneType' object is not iterable" in RAID
26573bed3 Prevent pxe retry when agent token exists
177e93de9 Fixes for tox 4.0
1f4fabf88 Add support auth protocols for iRMC
c274231bf Add SNMPv3 authentication functionality


Diffstat (except docs and test files)
-------------------------------------

devstack/lib/ironic                                |   2 +-
ironic/common/cinder.py                            |  71 +++++-
ironic/common/keystone.py                          |  24 +-
ironic/common/states.py                            |   3 +
ironic/common/utils.py                             |  12 +
ironic/conductor/cleaning.py                       |  26 +-
ironic/conductor/manager.py                        |   3 +-
ironic/conductor/task_manager.py                   |  11 +-
ironic/conductor/utils.py                          |  12 +-
ironic/conf/irmc.py                                |  28 ++-
ironic/db/sqlalchemy/api.py                        |  33 ++-
ironic/drivers/modules/image_utils.py              |  10 +
ironic/drivers/modules/irmc/common.py              | 249 +++++++++++++++---
ironic/drivers/modules/irmc/inspect.py             |  24 +-
ironic/drivers/modules/irmc/power.py               |  22 +-
ironic/drivers/modules/pxe_base.py                 |   6 +
ironic/drivers/modules/redfish/raid.py             |   8 +-
.../unit/drivers/modules/redfish/test_raid.py      |   4 +
releasenotes/config.yaml                           |   5 +
.../notes/cinder-2019892-6b5a9de5c5f05aa6.yaml     |  16 ++
.../notes/cleaning-error-5c13c33c58404b97.yaml     |   8 +
...ix-context-image-hardlink-16f452974abc7327.yaml |   7 +
...nforcing-snmpv3-with-fips-e45971d363925ec3.yaml |   6 +
...pe-object-is-not-iterable-0592926d890d6c11.yaml |   7 +
...-online-version-migration-db432a7b239647fa.yaml |  14 ++
...c-add-snmp-auth-protocols-3ff7597cea7ef9dd.yaml |   5 +
.../irmc-add-snmpv3-security-fca05bfc30f50d1a.yaml |  28 +++
...e-retry-when-token-exists-a4f38f7da56c1397.yaml |   7 +
...ken-upon-cleaning-timeout-c9add514fad1b02c.yaml |   7 +
reno.yaml                                          |   4 -
tox.ini                                            |   9 +-
zuul.d/project.yaml                                |  11 +-
43 files changed, 1052 insertions(+), 151 deletions(-)






