Ocata Series (5.0.0 - 5.0.x) Release Notes


Security Issues

  • Fixes insufficient input filtering when looking up a node by information from the introspection data. It could potentially allow SQL injections via the /v1/continue API endpoint. See story 2005678 for details.


Bug Fixes

  • Exception CalledProcessError is raised when running iptables cmd on start up. The issue is caused by eventlet bug, see: https://github.com/eventlet/eventlet/issues/357 The issue affects ironic-inspector only if it manages firewall - configured with manage_firewall = True configuration option.

  • Do not fail the whole introspection due to a value formatting error during introspection rules rollback. See bug 1686942 for an example and detailed investigation.


New Features

  • Extend the introspection status returned from GET@/v1/introspection/<Node Id> to contain the uuid, started_at and finished_at fields.

  • Add a plugin to parse raw LLDP Basic Management, 802.1, and 802.3 TLVs and store the data in Swift.

  • Add an API endpoint for listing introspection statuses. Operators can use this to get the status for all running or previously run introspection processing.

  • Introduce a new configuration option api_max_limit that defines the maximum number of items per page when API results are paginated.

  • InfiniBand interface discovery is now supported through introspection. The ironic-inspector will add the client-id to the corresponding ironic port that represents the InfiniBand interface. The ironic-inspector should be configured with a list of interfaces firewall.ethoib_interfaces to indicate which Ethernet Over InfiniBand Interfaces are used for DHCP.

  • Node introspection state is now kept in a dedicated database column. The introspection is now using a finite state machine. The state isn’t exposed to the user yet.

  • Adds support for using operators with the root device hints mechanism. The supported operators are =, ==, !=, >=, <=, >, <, s==, s!=, s>=, s>, s<=, s<, <in>, <all-in> and <or>.

  • Looking up nodes during introspection or discovery now supports multiple attributes matching. For example, two nodes can use the same bmc_address and still can be distinguished by MAC addresses.

  • Avoid failing introspection on diskless nodes. The node property local_gb == 0 is set in that case.

Known Issues

  • Due to the nature of the NodeInfo.state attribute (being updated independently from the rest of the node_info attributes) if a (DB) connection was lost before the Node.state column was updated, Node.finished_at and Node.error columns may not be in sync with the Node.state column.

Upgrade Notes

  • Add a new dependency, pytz.

  • A database migration is required to change some columns from Float to DateTime type. This may take some time based on the number of introspection statuses in DB.

  • Removed previously deprecated authentication options from “ironic”, “swift”, and “keystone_authtoken” sections.

  • Removed long deprecated support for “discoverd” section in configuration file.

  • The default value for the configuration option “introspection_delay_drivers” was changed to .*, which means that by default “introspection_delay” is now applied to all drivers. Set “introspection_delay” to 0 to disable the delay.

  • Node.state and Node.version_id database columns are introduced.

  • The introspection state column defaults to the state finished unless the introspection error column value on a node row isn’t null, then node state is set to error.

  • Uniqueness of a node bmc_address isn’t enforced any more.

  • The primary key of the attributes table is relaxed from the attributes.name, attributes.value column pair to a new column attributes.uuid.

Deprecation Notes

  • The configuration option “log_bmc_address” is deprecated.

  • The configuration option “introspection_delay_drivers” is deprecated.

Bug Fixes

  • Change database columns started_at and finished_at to type DateTime from type Float so that timestamps fit into these columns correctly.

  • Fix bug where periodic clean up failed with DBDeadlock if introspection timed out.

  • Ensure the configuration options firewall.firewall_update_period and clean_up_period are applied to the periodic_clean_up and periodic_update tasks after the config file is read.

  • LLC hook now formats the chassis ID and port ID MAC addresses into Unix format as expected by ironic.

  • LLC hook ensures that correct port information is passed to the patch_port function

  • LLC hook no longer assumes all inspected ports are added to ironic

  • Loopback BMC addresses (useful e.g. with virtualbmc) are no longer used for lookup.

  • Introspection fails on nodes with the same IPMI address but different IPMI ports.

Other Notes

  • Default API version is temporary pinned to 1.8 (before deprecating setting IPMI credentials). It will be reset to the latest version again when support for setting IPMI credentials is removed.