Ocata Series (5.0.0 - 5.0.x) Release Notes

Ocata Series (5.0.0 - 5.0.x) Release Notes


Security Issues

  • Fixes insufficient input filtering when looking up a node by information from the introspection data. It could potentially allow SQL injections via the /v1/continue API endpoint. See story 2005678 for details.


Bug Fixes

  • Exception CalledProcessError is raised when running iptables cmd on start up. The issue is caused by eventlet bug, see: https://github.com/eventlet/eventlet/issues/357 The issue affects ironic-inspector only if it manages firewall - configured with manage_firewall = True configuration option.

  • Do not fail the whole introspection due to a value formatting error during introspection rules rollback. See bug 1686942 for an example and detailed investigation.


New Features

  • Extend the introspection status returned from GET@/v1/introspection/<Node Id> to contain the uuid, started_at and finished_at fields.

  • Add a plugin to parse raw LLDP Basic Management, 802.1, and 802.3 TLVs and store the data in Swift.

  • Add an API endpoint for listing introspection statuses. Operators can use this to get the status for all running or previously run introspection processing.

  • Introduce a new configuration option api_max_limit that defines the maximum number of items per page when API results are paginated.

  • InfiniBand interface discovery is now supported through introspection. The ironic-inspector will add the client-id to the corresponding ironic port that represents the InfiniBand interface. The ironic-inspector should be configured with a list of interfaces firewall.ethoib_interfaces to indicate which Ethernet Over InfiniBand Interfaces are used for DHCP.

  • Node introspection state is now kept in a dedicated database column. The introspection is now using a finite state machine. The state isn’t exposed to the user yet.

  • Adds support for using operators with the root device hints mechanism. The supported operators are =, ==, !=, >=, <=, >, <, s==, s!=, s>=, s>, s<=, s<, <in>, <all-in> and <or>.

  • Looking up nodes during introspection or discovery now supports multiple attributes matching. For example, two nodes can use the same bmc_address and still can be distinguished by MAC addresses.

  • Avoid failing introspection on diskless nodes. The node property local_gb == 0 is set in that case.

Known Issues

  • Due to the nature of the NodeInfo.state attribute (being updated independently from the rest of the node_info attributes) if a (DB) connection was lost before the Node.state column was updated, Node.finished_at and Node.error columns may not be in sync with the Node.state column.

Upgrade Notes

  • Add a new dependency, pytz.

  • A database migration is required to change some columns from Float to DateTime type. This may take some time based on the number of introspection statuses in DB.

  • Removed previously deprecated authentication options from “ironic”, “swift”, and “keystone_authtoken” sections.

  • Removed long deprecated support for “discoverd” section in configuration file.

  • The default value for the configuration option “introspection_delay_drivers” was changed to .*, which means that by default “introspection_delay” is now applied to all drivers. Set “introspection_delay” to 0 to disable the delay.

  • Node.state and Node.version_id database columns are introduced.

  • The introspection state column defaults to the state finished unless the introspection error column value on a node row isn’t null, then node state is set to error.

  • Uniqueness of a node bmc_address isn’t enforced any more.

  • The primary key of the attributes table is relaxed from the attributes.name, attributes.value column pair to a new column attributes.uuid.

Deprecation Notes

  • The configuration option “log_bmc_address” is deprecated.

  • The configuration option “introspection_delay_drivers” is deprecated.

Bug Fixes

  • Change database columns started_at and finished_at to type DateTime from type Float so that timestamps fit into these columns correctly.

  • Fix bug where periodic clean up failed with DBDeadlock if introspection timed out.

  • Ensure the configuration options firewall.firewall_update_period and clean_up_period are applied to the periodic_clean_up and periodic_update tasks after the config file is read.

  • LLC hook now formats the chassis ID and port ID MAC addresses into Unix format as expected by ironic.

  • LLC hook ensures that correct port information is passed to the patch_port function

  • LLC hook no longer assumes all inspected ports are added to ironic

  • Loopback BMC addresses (useful e.g. with virtualbmc) are no longer used for lookup.

  • Introspection fails on nodes with the same IPMI address but different IPMI ports.

Other Notes

  • Default API version is temporary pinned to 1.8 (before deprecating setting IPMI credentials). It will be reset to the latest version again when support for setting IPMI credentials is removed.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.