Release Notes for the Version in Development
In Development - Unreleased
New Features
Adds NVIDIA A10/A40/L40S/L20 to the known accelerators that can be reported when present in bare metal nodes.
If allow_image_access_via_auth_token is set to True, Ironic allows access to Glance images when an auth_token is present in the request context.
Adds a new configuration group, [agent_containers], that allows users to dynamically configure container-based cleaning via the Ironic conductor.
A new "description" field has been added to the Port object. This field allows operators to provide human-readable descriptions to easily identify physical ports on bare metal hosts.
The ipmitool-socat console interface is now available for users of the redfish hardware type. This was done as an enablement action for operators to be able to leverage IPMI-based Serial-over-LAN connections. This option requires the IPMI parameters to be configured on the bare metal node in addition to the redfish hardware type.
The Ironic conductor can now access images that are shared with its project, in addition to those it owns.
To use the feature, ensure the images are shared with the project associated with the conductor's credentials.
Upgrade Notes
CONF.allow_image_access_via_auth_token is set to True in this Ironic release. Operators of OpenStack-integrated deployments should ensure images intended for Ironic use have image visibility "public" or "community" for the most reliable results.
Security Issues
Fixes OSSA-2025-001, where Ironic did not properly filter file:// paths when used as image sources. This would permit any file accessible by the conductor to be used as an image to attempt deployment. Ironic now unconditionally forbids paths that provide access to system configuration (/dev, /sys, /proc, /boot, /run, and /etc).
Adds CONF.conductor.file_url_allowed_paths, an allowlist configuration defaulting to /var/lib/ironic, /shared/html, /opt/cache/files, /vagrant, and /templates, which permits operators to further restrict where the conductor will fetch images from when provided a file:// URL. This default value was chosen based on known usage by projects downstream of Ironic, including Metal3, Bifrost, and OpenShift. These defaults may change to be more restrictive at a later date. Operators using file:// URLs are encouraged to explicitly set this value even if the current default is sufficient. Operators wishing to fully disable the ability to deploy with a file:// URL should set this configuration to "" (empty). This issue only poses a significant security risk when Ironic's automated cleaning process is disabled and the service is configured in such a way that permits direct deployment by an untrusted API user, such as standalone Ironic installations or environments granting ownership of nodes to projects.
Bug Fixes
Fixes loop functionality to align more closely with the spec: when a loop is present, args reference loop items using the '{item}' placeholder to support direct array iteration, and list and dict loop item types are handled separately.
Updates the patch validation logic to support special characters (~ and /) in field keys, provided they align with the escaping rules defined in RFC 6901 (JSON Pointer) as required for the path field specified in RFC 6902 (JSON Patch).
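As an added example, not Ironic's own validation code, the snippet below shows the RFC 6901 rules the bug fix refers to: inside a pointer token, ~ must be written as ~0 and / as ~1, any other character after ~ is an invalid escape, and decoding must replace ~1 before ~0 so that ~01 yields the literal text "~1" rather than "/". The validate_patch helper and its allowed_fields set are assumptions for the example; they stand in for the object-specific field list a real patch validator would consult.

```python
import re

# A token is valid if every '~' is immediately followed by '0' or '1' (RFC 6901 section 3).
_TOKEN_RE = re.compile(r"^(?:[^~]|~[01])*$")

# JSON Patch operations from RFC 6902 that an attribute patch is normally expected to use.
_ALLOWED_OPS = {"add", "remove", "replace"}


def escape_token(key):
    """Encode one reference token: '~' first, so the '~' produced for '/' is not re-escaped."""
    return key.replace("~", "~0").replace("/", "~1")


def split_pointer(path):
    """Split an RFC 6901 JSON Pointer into decoded reference tokens, or raise ValueError."""
    if path == "":
        return []  # the empty pointer refers to the whole document
    if not path.startswith("/"):
        raise ValueError("JSON Pointer must be empty or begin with '/'")
    tokens = []
    for raw in path[1:].split("/"):
        if not _TOKEN_RE.match(raw):
            raise ValueError(f"invalid escape in token {raw!r}: '~' must be followed by 0 or 1")
        # Decode ~1 before ~0: "~01" must become "~1", not "/".
        tokens.append(raw.replace("~1", "/").replace("~0", "~"))
    return tokens


def validate_patch(patch, allowed_fields):
    """Validate a JSON Patch list: known ops, well-formed pointers, and a top-level
    field from allowed_fields. Returns [(op, decoded_tokens), ...] or raises ValueError."""
    result = []
    for entry in patch:
        op = entry.get("op")
        if op not in _ALLOWED_OPS:
            raise ValueError(f"unsupported op {op!r}")
        tokens = split_pointer(entry.get("path", ""))
        if not tokens:
            raise ValueError("patch path must name a field")
        if tokens[0] not in allowed_fields:
            raise ValueError(f"field {tokens[0]!r} may not be patched")
        if op in ("add", "replace") and "value" not in entry:
            raise ValueError(f"{op} requires a value")
        result.append((op, tokens))
    return result


if __name__ == "__main__":
    # Constructed sample patch: a key containing '/' stored under a free-form dict field.
    sample = [{"op": "add", "path": "/extra/" + escape_token("rack/slot~3"), "value": "A1"}]
    print(validate_patch(sample, allowed_fields={"extra", "description"}))
```

Round-tripping through escape_token and split_pointer is the property a validator relies on: a key that contains ~ or / can be addressed unambiguously, while a stray ~ (or ~ followed by anything other than 0 or 1) is rejected instead of being silently accepted as a different key.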