Current Series Release Notes¶
26.1.0-58¶
New Features¶
A new module,
ironic.wsgi
has been enabled as an entrypoint for WSGI runners. For example, if using uWSGI then now instead of:[uwsgi] wsgi-file = /bin/ironic-api-wsgi
You can now use:
[uwsgi] module = ironic.wsgi:application
Legacy installed wsgi scripts will be removed in a future version of Ironic.
Upgrade Notes¶
Because of the code reorganization, some metrics have been removed: all metrics prefixed with
AgentDeployMixin
are now prefixed withCustomAgentDeploy
orAgentDeploy
instead.
Deployers using PostgreSQL must migrate to a supported mysql-compatible database, such as MySQL or MariaDB.
Support for Python 3.8 has been removed. Now the minimum python version supported is 3.9 .
Deprecation Notes¶
Use of postgresql has been deprecated for all OpenStack projects, including ironic, for several years. However, in an effort to avoid breaking existing installs, we had tested database migrations and performed a basic functionality test against PostgreSQL. This test has now been removed, and operators deployed on PostgreSQL must migrate to a MySQL-compatible database, such as MySQL or MariaDB, before upgrade.
Security Issues¶
An issue in Ironic has been resolved where image checksums would not be checked prior to the conversion of an image to a
raw
format image from another image format.With default settings, this normally would not take place, however the
image_download_source
option, which is available to be set at anode
level for a single deployment, by default for that baremetal node in all cases, or via the[agent]image_download_source
configuration option when set tolocal
. By default, this setting ishttp
.This was in concert with the
[DEFAULT]force_raw_images
when set toTrue
, which caused Ironic to download and convert the file.In a fully integrated context of Ironic’s use in a larger OpenStack deployment, where images are coming from the Glance image service, the previous pattern was not problematic. The overall issue was introduced as a result of the capability to supply, cache, and convert a disk image provided as a URL by an authenticated user.
Ironic will now validate the user supplied checksum prior to image conversion on the conductor. This can be disabled using the
[conductor]disable_file_checksum
configuration option.
Bug Fixes¶
The set of strings used to detect cipher suite version related errors in the
ipmitool
command was expanded. If the stringError in open session response message : invalid role
is contained in the output of a failedipmitool
command execution, such error will be now considered as related to inappropriate ciphers too, and will be retried with another cipher suite version if Ironic is configured to do so. See bug 2085137 for more details.
Fixes the policy scope checking for the RBAC Policy
baremetal:node:disable_cleaning
, which previously restricted tosystem
user scope. The scope restriction has been revised to permitproject
scoped matching, but the default RBAC policy has not been revised.
Fixes a security issue where Ironic would fail to checksum disk image files it downloads when Ironic had been requested to download and convert the image to a raw image format. This required the
image_download_source
to be explicitly set tolocal
, which is not the default.This fix can be disabled by setting
[conductor]disable_file_checksum
toTrue
, however this option will be removed in new major Ironic releases.As a result of this, parity has been introduced to align Ironic to Ironic-Python-Agent’s support for checksums used by
standalone
users of Ironic. This includes support for remote checksum files to be supplied by URL, in order to prevent breaking existing users which may have inadvertently been leveraging the prior code path. This support can be disabled by setting[conductor]disable_support_for_checksum_files
toTrue
.
Fixes newly added policy rules,
baremetal:node:set_provision_state:clean_steps
andbaremetal:node:set_provision_state:service_steps``which impacted ``project scoped
users utilizing the2024.2
release of Ironic where they were attempting to invokeservice
orclean
provision state commands. This was due to a misunderstanding of the correct policy checker to invoke, and additional testing has been added around these functions to ensure they work as expected moving forward.
Fix issue on SQLite database usage. Previously ironic node provisioning may fail with error related accessing the hostname. For more details please see bug 2086682.
Fixes aborting in-band inspection. Previously, it would fail with
Can not transition from state 'inspect failed' on event 'abort'
.
The configuration option
[inspector]power_off
is now actually ignored for nodes with fast track enabled, as documented in its help.
Fixes the built-in in-band inspection implementation to power off the node after aborting inspection on user’s request, unless the node is in the fast track mode or
[inspector]power_off
is set toFalse
.
Adds a timeout to the
service wait
state. Previously, a node stuck in this state would remain in it forever. The timeout value can be adjusted via the new option[conductor]service_callback_timeout
.
Add support for passing either a node’s name or UUID through the ‘node_ident’ parameter during port creation. The ‘node_uuid’ parameter is now deprecated.
Other Notes¶
The
AgentDeployMixin
class has been removed fromagent_base.py
. Third-party deploy interfaces that inherit it most probably want to inheritironic.drivers.modules.agent.CustomAgentDeploy
instead.If you rely on the
prepare_instance_to_boot
orconfigure_local_boot
helper methods, inherit fromAgentDeploy
instead.