Zed Series (8.6.0 - 9.1.x) Release Notes

9.1.1-2

Security Issues

  • Ironic-Python-Agent versions prior to the 2023.1 release are vulnerable to CVE-2024-44082, tracked in bug 2071740 (https://bugs.launchpad.net/bugs/2071740). Deployers of Ironic versions Zed or older must apply the CVE-2024-44082 fixes to their Ironic environment and leave [conductor]/conductor_always_validates_images set to True (the default for all releases Zed and older). This ensures the conductor performs the security check on the image, because Ironic-Python-Agent will not.
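
One way to audit a conductor's configuration for the setting named above. This is an added example, not code from Ironic or Ironic-Python-Agent; the function name and the sample ironic.conf contents are constructed for illustration. It reads only the configuration text and does not tell you whether the CVE-2024-44082 fixes themselves are installed.

```python
import configparser

# Boolean spellings accepted by oslo.config, the library Ironic uses to
# parse its configuration files.
_TRUE = {"true", "1", "on", "yes"}
_FALSE = {"false", "0", "off", "no"}

# Default stated in the release note above for Zed and older releases.
DEFAULT_FOR_ZED_AND_OLDER = True

SECTION = "conductor"
OPTION = "conductor_always_validates_images"


def conductor_validates_images(conf_text):
    """Return (effective_value, reason) for the image validation option.

    Hypothetical helper: conf_text is the content of an ironic.conf file.
    """
    # configparser normally copies [DEFAULT] keys into every section.
    # Renaming the default section makes a misplaced entry under [DEFAULT]
    # show up as "not set in [conductor]" rather than masking the real state.
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, default_section="__unused__"
    )
    parser.read_string(conf_text)

    if not parser.has_option(SECTION, OPTION):
        return DEFAULT_FOR_ZED_AND_OLDER, "not set in [conductor]; release default applies"

    raw = parser.get(SECTION, OPTION).strip().lower()
    if raw in _TRUE:
        return True, "explicitly enabled"
    if raw in _FALSE:
        return False, "explicitly disabled; conductor will not check images"
    raise ValueError(f"unparseable boolean for {OPTION}: {raw!r}")


# Constructed sample configurations.
SAMPLE_DEFAULTED = "[DEFAULT]\ndebug = False\n\n[conductor]\nworkers_pool_size = 100\n"
SAMPLE_DISABLED = "[conductor]\nconductor_always_validates_images = no\n"
SAMPLE_MISPLACED = "[DEFAULT]\nconductor_always_validates_images = False\n\n[conductor]\n"

if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULTED", "SAMPLE_DISABLED", "SAMPLE_MISPLACED"):
        value, reason = conductor_validates_images(globals()[name])
        print(f"{name}: {value} ({reason})")
```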

9.1.1

Bug Fixes

  • Fixes a failure case where a deployed instance may be unable to access the configuration drive post-deployment. This can occur when block devices only support 4KB IO interactions. When 4KB block IO sizes are in use, the ISO9660 filesystem driver in Linux cannot be used as it is modeled around a 2KB block. We now attempt to verify, and rebuild the configuration drive on a FAT filesystem when we cannot mount the supplied configuration drive. Operators can force the agent to write configuration drives using the FAT filesystem using the [DEFAULT]config_drive_rebuild option.

  • Fixes UEFI NVRAM record handling with efibootmgr so we can accept and handle UTF-16 encoded data, which is to be expected in UEFI NVRAM as the records are UTF-16 encoded.

  • Fixes handling of UEFI NVRAM records to allow for unexpected characters in the response, so it is non-fatal to Ironic.

  • Fixes an issue with rebuilding instances on Software RAID with RAIDed ESP partitions.

  • Fixes, or at least lessens, the case where a running Ironic agent can stack up numerous lookup requests against an Ironic deployment when a node is locked. In particular, this is because the lookup also drives generation of the agent token, which requires the conductor to allocate a worker, generate the token, and return the result to the API client. Ironic’s retry logic will now wait up to 60 seconds, and if an HTTP Conflict (409) message is received, the agent will automatically pause lookup operations for thirty seconds as opposed to continuing to attempt lookups, which could needlessly create more work for the Ironic deployment.

9.1.0

New Features

  • Software RAID devices are built with the --name option followed by volume name if it is defined in target raid config and an internal ID otherwise.

  • The node property skip_block_devices supports specifying volume names of software RAID devices. These devices are not cleaned during cleaning and are not created provided they already exist.

Bug Fixes

  • Fixes handling of Software RAID device discovery so RAID device Names and Events field values do not inadvertently cause the command to return unexpected output. Previously this could cause a deployment to fail when handling UEFI partitions.