2024.2 Series Release Notes

26.1.4

Bug Fixes

  • When caching an image between different file systems, the hard link operation would fail. This is fixed by falling back to a copy operation.

26.1.3

Bug Fixes

  • In the redfish inspector, a condition now controls whether the pxe_enabled field of a port is updated during inspection. [inspector]update_pxe_enabled is used to control this, so it behaves like all other inspection interfaces. The default value for this configuration is True.

  • Fixes an issue with agent startup where the workflow from the first agent heartbeat interaction could fail due to a transient networking issue leaving the Agent and Ironic in a state where the node cannot be deployed and continues to record errors upon each additional heartbeat operation. Logic to check the state of the agent has been adjusted to ignore retry operations which were recorded by the agent. More information on this issue can be found in bug 2110698.

26.1.2

Security Issues

  • Fixes OSSA-2025-001, where Ironic did not properly filter file:// paths when used as image sources. This would permit any file accessible by the conductor to be used as an image to attempt deployment.

    Adds CONF.conductor.file_url_allowed_paths, an allowlist configuration defaulting to /var/lib/ironic, /shared/html, /opt/cache/files, /vagrant, and /templates, which permits operators to further restrict where the conductor will fetch images from when provided a file:// URL. This default value was chosen based on known usage by projects downstream of Ironic, including Metal3, Bifrost, and OpenShift. These defaults may change to be more restrictive at a later date. Operators using file:// URLs are encouraged to explicitly set this value even if the current default is sufficient. Operators wishing to fully disable the ability to deploy with a file:// URL should set this configuration to “” (empty).

    Operators wishing to restore the original insecure behavior should set CONF.conductor.file_url_allowed_paths to /. Take note that in the 2025.2 release and later, /dev, /sys, /proc, /run, and /etc will be unconditionally blocked as a security measure.

    This issue only poses a significant security risk when Ironic’s automated cleaning process is disabled and the service is configured in such a way that permits direct deployment by an untrusted API user, such as standalone Ironic installations or environments granting ownership of nodes to projects.
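
An allowlist check of the kind described above, as an added example (not Ironic's own code): it canonicalises the path before comparing and matches whole path components rather than string prefixes. The helper names and the percent-decoding step are assumptions of this sketch, and the blocked list models the 2025.2 behaviour the note announces.

```python
import os
from urllib.parse import unquote, urlparse

# Defaults quoted in the note for CONF.conductor.file_url_allowed_paths.
DEFAULT_ALLOWED = ("/var/lib/ironic", "/shared/html", "/opt/cache/files",
                   "/vagrant", "/templates")
# Paths the note says are unconditionally blocked in 2025.2 and later.
ALWAYS_BLOCKED = ("/dev", "/sys", "/proc", "/run", "/etc")


def is_under(path, root):
    """True if path is root itself or lies beneath it, compared per component."""
    root = os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def file_url_permitted(url, allowed=DEFAULT_ALLOWED, blocked=ALWAYS_BLOCKED):
    """Hypothetical helper: decide whether a file:// image source is acceptable."""
    parsed = urlparse(url)
    if parsed.scheme != "file" or not parsed.path.startswith("/"):
        return False
    # Canonicalise first: "..", percent-encoding and symlinks must not be able
    # to move the final path outside the allowlist after the check has passed.
    path = os.path.realpath(unquote(parsed.path))
    if any(is_under(path, b) for b in blocked):
        return False
    # An empty allowlist (the "" setting) permits nothing.
    return any(is_under(path, a) for a in allowed if a)
```

A plain string-prefix comparison would accept /var/lib/ironic-evil as if it were inside /var/lib/ironic; the component-wise comparison does not.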

Bug Fixes

  • The set of strings used to detect cipher suite version related errors in the ipmitool command was expanded. If the string Error in open session response message : invalid role appears in the output of a failed ipmitool command execution, the error is now also treated as related to inappropriate ciphers, and is retried with another cipher suite version if Ironic is configured to do so. See bug 2085137 for more details.

  • When changing from glanceclient to OpenStack SDK to communicate with Glance, a bug was introduced in reading image properties, causing the Anaconda deploy interface to be unable to use Glance images. Other deploy interfaces continued to function but could have resulted in some properties not taking effect. See bug 2099275 for more details.

  • Fixes step validation where some of the reserved step names, hold and wait, were not being properly handled by the step validation code.

  • Fixes an issue where operators executing a complex arrangement of steps which includes out-of-band and in-band steps, for example a hardware RAID create_configuration step followed by in-band steps inside of the agent, would effectively get the agent stuck in a wait state in the Cleaning, Servicing, or Deploying workflows. This was related to the way out-of-band steps are executed and monitored. Ironic, before starting to execute a new step, now cleans the polling lockout flag for the respective workflow being executed to prevent the agent from getting stuck. For more information, please see bug 2096938.

  • Fixes newly added policy rules, baremetal:node:set_provision_state:clean_steps and baremetal:node:set_provision_state:service_steps, which impacted project scoped users utilizing the 2024.2 release of Ironic where they were attempting to invoke service or clean provision state commands. This was due to a misunderstanding of the correct policy checker to invoke, and additional testing has been added around these functions to ensure they work as expected moving forward.

  • Some vendors insist that floppy images must be 1440 KiB in size and that the file name ends with .img. Make it so.

  • Includes the agent token parameter in get command status requests as the endpoint now requires authentication.

  • The configuration option [inspector]power_off is now actually ignored for nodes with fast track enabled, as documented in its help.

  • Fixes the built-in in-band inspection implementation to power off the node after aborting inspection on user’s request, unless the node is in the fast track mode or [inspector]power_off is set to False.

  • The fix for CVE-2024-47211 results in image checksum being required in all cases. However there is no checksum requirement for file:// based images. When checksum is missing for file:// based image_source it is now calculated on-the-fly.

  • Fixes an error within the redfish session cache when no redfish_password is specified. See bug 2097019.

  • Update the node cache after a successful servicing and cleaning. This ensures the node information is correctly updated in the database.

26.1.1

Security Issues

  • An issue in Ironic has been resolved where image checksums would not be checked prior to the conversion of an image to a raw format image from another image format.

    With default settings, this would not normally take place. It required the image_download_source option to be set to local; that option can be set at a node level for a single deployment, by default for that baremetal node in all cases, or via the [agent]image_download_source configuration option. By default, this setting is http.

    This was in concert with [DEFAULT]force_raw_images being set to True, which caused Ironic to download and convert the file.

    In a fully integrated context of Ironic’s use in a larger OpenStack deployment, where images are coming from the Glance image service, the previous pattern was not problematic. The overall issue was introduced as a result of the capability to supply, cache, and convert a disk image provided as a URL by an authenticated user.

    Ironic will now validate the user supplied checksum prior to image conversion on the conductor. This can be disabled using the [conductor]disable_file_checksum configuration option.
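
The ordering this fix enforces, together with the on-the-fly checksum for file:// sources described under 26.1.2, as an added example rather than Ironic's code: the converter is only reached after the checksum gate returns. The function names, the `convert` callback standing in for the qemu-img call, and the inference of the algorithm from the digest length are assumptions of this sketch.

```python
import hashlib
import hmac

# Assumption of this example: the digest algorithm is inferred from the length
# of the hex string the user supplied.
ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}


class ChecksumError(Exception):
    """Raised when an image must not be handed to the converter."""


def file_digest(path, algo="sha256", chunk=1024 * 1024):
    """Hash the file in chunks so large images are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def checksum_gate(path, image_source, checksum=None):
    """Return the verified checksum, or raise before any conversion happens."""
    if not checksum:
        # Only file:// sources may omit the checksum; it is computed on the fly.
        if not image_source.startswith("file://"):
            raise ChecksumError("checksum required for %s" % image_source)
        return file_digest(path)
    algo = ALGO_BY_HEX_LEN.get(len(checksum))
    if algo is None:
        raise ChecksumError("unrecognised checksum length")
    actual = file_digest(path, algo)
    if not hmac.compare_digest(actual, checksum.lower()):
        raise ChecksumError("checksum mismatch, refusing to convert")
    return actual


def fetch_and_convert(path, image_source, checksum, convert):
    """convert() stands in for the qemu-img call; it runs only after the gate."""
    verified = checksum_gate(path, image_source, checksum)
    return verified, convert(path)
```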

Bug Fixes

  • Fixes a security issue where Ironic would fail to checksum disk image files it downloads when Ironic had been requested to download and convert the image to a raw image format. This required the image_download_source to be explicitly set to local, which is not the default.

    This fix can be disabled by setting [conductor]disable_file_checksum to True, however this option will be removed in new major Ironic releases.

    As a result of this, parity has been introduced to align Ironic to Ironic-Python-Agent’s support for checksums used by standalone users of Ironic. This includes support for remote checksum files to be supplied by URL, in order to prevent breaking existing users which may have inadvertently been leveraging the prior code path. This support can be disabled by setting [conductor]disable_support_for_checksum_files to True.

  • Fixes aborting in-band inspection. Previously, it would fail with Can not transition from state 'inspect failed' on event 'abort'.

26.1.0

Prelude

The Ironic project is pleased to announce the release of Ironic 26.1, also known as the 2024.2 or Dalmatian release. This release adds functionality to enable the creation and use of runbooks of repeated steps in cleaning and service states. Furthermore, cloud admins are now able to lease baremetal nodes to Nova users automatically through the use of metadata provided by Nova. Firmware updates have improved capability and ease-of-use on BMCs which manage multiple hosts. Also, users of the redfish hardware type can now invoke firmware updates as a service step. Operators seeking to migrate away from BIOS booting now have additional options to help enforce migration mandates. Coupled with numerous bug fixes and other minor enhancements, this release of Ironic will improve the life of operators for years to come. We hope you enjoy!

New Features

  • Adds a new API concept, runbooks, to enable self-service of maintenance items on nodes by project members.

    Runbooks are curated lists of steps that can be run on nodes only associated via traits and used in lieu of an explicit list of steps for manual cleaning or servicing.

  • Adds a new top-level REST API endpoint /v1/runbooks/ with basic CRUD support.

  • Extends the /v1/nodes/<node>/states/provision API to accept a runbook ident (name or UUID) instead of clean_steps or service_steps for servicing or manual cleaning.

  • Implements RBAC-aware lifecycle management for runbooks, allowing projects to limit who can CRUD and use a runbook.

  • Ironic now supports automatically setting node.lessee at deployment time using metadata provided at deploy time, typically by OpenStack Nova. When [conductor]/automatic_lessee_source is set to instance, Ironic will set the lessee field on the node and remove it before cleaning.

  • Adds a new capability allowing the list of virtual media devices attached to a node to be fetched by making a GET request.

  • Makes the idrac hardware type inherit from the redfish hardware type, since the idrac hardware type is an extension of the redfish hardware type with Dell specific overrides. This will ensure that features available to the redfish hardware type will always be available to idrac. Added the redfish interface as available for the bios, power and vendor interfaces of the idrac hardware type.

Upgrade Notes

  • When upgrading Ironic to address the qemu-img image conversion security issues, the ironic-python-agent ramdisks will also need to be upgraded.

  • When upgrading Ironic to address the qemu-img image conversion security issues, the [conductor]conductor_always_validates_images setting may be set to True as a short term remedy while ironic-python-agent ramdisks are being updated. Alternatively it may be advisable to also set the [agent]image_download_source setting to local to minimize redundant network data transfers.

  • As a result of security fixes to address qemu-img image conversion security issues, a new configuration parameter has been added to Ironic, [conductor]permitted_image_formats, with a default value of “raw,qcow2,iso”. Raw and qcow2 format disk images are the image formats the Ironic community has consistently stated as what is supported and expected for use with Ironic. These formats also match the formats which the Ironic community tests. Operators who leverage other disk image formats may need to modify this setting further.

  • [conductor]/automatic_lessee has been deprecated in favor of [conductor]/automatic_lessee_source.

    Standalone Ironic deployments previously setting automatic_lessee to True now may want to set automatic_lessee_source to request to retain existing behavior.

    Deployers explicitly setting automatic_lessee to false may want to set automatic_lessee_source to none to retain existing behavior. The old configuration option, when explicitly set, will be honored until fully removed.

  • Ironic will now automatically set the node.lessee field for all deployments by default when provided in node instance_info at deployment time. Deployers are encouraged to review their security settings and Ironic Secure RBAC documentation to ensure no unexpected access is granted.

  • Ironic now requires rescue passwords to be hashed. Operators who would like to continue using unhashed passwords must set [conductor]/require_rescue_password_hashed to false.

Deprecation Notes

  • The [agent]manage_agent_boot configuration directive is being deprecated. It is completely untested, and requires operators to manually configure significant parts of infrastructure typically handled by Ironic. Operators using this configuration are advised to migrate away from it before its scheduled removal during the 2025.2 cycle releases, coming out late 2025.

  • Deprecates the idrac-redfish interfaces in favor of the redfish interfaces for the bios, power, and vendor interfaces. This is a no-op change as these interfaces wrapped the redfish interface with no change already.

Security Issues

  • Ironic now checks the supplied image format value against the detected format of the image file, and will prevent deployments should the values mismatch. If being used with Glance and a mismatch in metadata is identified, it will require images to be re-uploaded with a new image ID to represent corrected metadata. This is the result of CVE-2024-44082 tracked as bug 2071740.

  • Ironic always inspects the supplied user image content for safety prior to deployment of a node should the image pass through the conductor, even if the image is supplied in raw format. This is utilized to identify the format of the image and the overall safety of the image, such that source images with unknown or unsafe feature usage are explicitly rejected. This can be disabled by setting [conductor]disable_deep_image_inspection to True. This is the result of CVE-2024-44082 tracked as bug 2071740.

  • Ironic can also inspect images which would normally be provided as a URL for direct download by the ironic-python-agent ramdisk. This is not enabled by default as it will increase the overall network traffic and disk space utilization of the conductor. This level of inspection can be enabled by setting [conductor]conductor_always_validates_images to True. Once the ironic-python-agent ramdisk has been updated, it will perform similar image security checks independently, should an image conversion be required. This is the result of CVE-2024-44082 tracked as bug 2071740.

  • Ironic now explicitly enforces a list of permitted image types for deployment via the [conductor]permitted_image_formats setting, which defaults to “raw”, “qcow2”, and “iso”. While the project has classically always declared permissible images as “qcow2” and “raw”, it was previously possible to supply other image formats known to qemu-img, and the utility would attempt to convert the images. The “iso” support is required for “boot from ISO” ramdisk support.

  • Ironic now explicitly passes the source input format to executions of qemu-img to limit the permitted qemu disk image drivers which may evaluate an image to prevent any mismatched format attacks against qemu-img.

  • The ansible deploy interface example playbooks now supply an input format to executions of qemu-img. If you are using customized playbooks, please add “-f {{ ironic.image.disk_format }}” to your invocations of qemu-img. If you do not do so, qemu-img will automatically try to guess the format, which can lead to known security issues with the incorrect source format driver.

  • Operators who have implemented any custom deployment drivers or additional functionality like machine snapshot, should review their downstream code to ensure they are properly invoking qemu-img. If there are any questions or concerns, please reach out to the Ironic project developers.

  • Operators are reminded that they should utilize cleaning in their environments. Disabling any security features such as cleaning or image inspection is at your own risk. Should you have any issues with security related features, please don’t hesitate to open a bug with the project.

  • The [conductor]disable_deep_image_inspection setting is conveyed to the ironic-python-agent ramdisks automatically, and will prevent those operating ramdisks from performing deep inspection of images before they are written.

  • The [conductor]permitted_image_formats setting is conveyed to the ironic-python-agent ramdisks automatically. Should a need arise to explicitly permit an additional format, that should take place in the Ironic service configuration.
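
The checks described in this list, as an added and deliberately simplified example (not Ironic's inspector): fingerprint the image by content, require the result to be in the permitted list and to match the declared format, and only then build a qemu-img command with an explicit -f. The function names and the small signature table are assumptions of this sketch; it does not examine images for unsafe feature usage as the real inspection does.

```python
# Default of [conductor]permitted_image_formats as given in the note.
PERMITTED_IMAGE_FORMATS = ("raw", "qcow2", "iso")


class ImageRejected(Exception):
    """Raised when an image must not be deployed or converted."""


def detect_format(path):
    """Fingerprint by content, never by file name or extension."""
    with open(path, "rb") as f:
        head = f.read(4)
        f.seek(0x8001)          # ISO 9660 volume descriptor signature offset
        iso_sig = f.read(5)
    if head == b"QFI\xfb":
        return "qcow2"
    if head == b"KDMV":
        return "vmdk"
    if iso_sig == b"CD001":
        return "iso"
    # Simplification: anything without a known signature is treated as raw.
    return "raw"


def plan_conversion(path, declared_format, dest,
                    permitted=PERMITTED_IMAGE_FORMATS):
    """Return the qemu-img argv for a qcow2 image, or None if no conversion."""
    detected = detect_format(path)
    if detected not in permitted:
        raise ImageRejected("format %s is not permitted" % detected)
    if detected != declared_format:
        # Covers an image declared raw that is really qcow2, and the reverse.
        raise ImageRejected("declared %s but content is %s"
                            % (declared_format, detected))
    if detected != "qcow2":
        return None
    # Explicit -f pins the source driver so qemu-img never guesses the format.
    return ["qemu-img", "convert", "-f", detected, "-O", "raw", path, dest]
```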

Bug Fixes

  • Adds microversion headers to the root (‘/’) endpoint.

  • Fixes multiple issues in the handling of images as it relates to the execution of the qemu-img utility, which is used for image format conversion, where a malicious user could craft a disk image to potentially extract information from an ironic-conductor process’s operating environment.

    Ironic now explicitly enforces a list of approved image formats as a [conductor]permitted_image_formats list, which mirrors the image formats the Ironic project has historically tested and expressed as known working. Testing is not based upon file extension, but upon content fingerprinting of the disk image files. This is tracked as CVE-2024-44082 via bug 2071740.

  • Fixes inspection failure when bmc_address or bmc_v6address is null in the inventory received from the ramdisk.

  • The network_data fetched from Neutron contained ‘links’, ‘networks’ but was missing ‘services’. This patch brings in ‘services’ to include dns nameservers that can be configured by Glean or cloud-init during cleaning and provisioning operations, especially when virtual media boot is used without DHCP.

  • Sets the node “alive” and makes it fast trackable as soon as inspection is finished. In addition, adds a wait for the agent to call back should it not be available when fast track is attempted.

  • Replaces ari/aki format references with appropriate artifacts for kernel and ramdisk in the documentation and Ironic DevStack plugin.

  • Update kernel_append_params to match the [pxe] configuration, addressing a TODO from the Xena release.

Other Notes

  • Removes support for pre-SQLAlchemy 2.0 query objects from the internal database API. Downstream plug-ins must be adjusted to use the new-style queries.