Queens Series (6.1.0 - 7.2.x) Release Notes


Security Issues

  • Fixes insufficient input filtering when looking up a node by information from the introspection data. It could potentially allow SQL injections via the /v1/continue API endpoint. See story 2005678 for details.

Bug Fixes

  • Fixes starting inspection of a node that has an IPv6 BMC address. Inspection could not be initiated because the IPv6 address was being treated as a hostname, and resolving that incorrect hostname failed with a blocking error.


Bug Fixes

  • Allows the set-attribute introspection rule action to accept None as value for a property.


Bug Fixes

  • A new rootwrap filter is now included to allow control of the systemd dnsmasq service used by ironic-inspector. This fixes a permission issue when systemctl commands are used as dnsmasq_start_command and dnsmasq_stop_command in the configuration for the dnsmasq pxe filter. See bug 2002818.


    The filter uses the systemd service name used by the RDO distribution (openstack-ironic-inspector-dnsmasq.service).

  • Fixes an issue that can result in introspection failure when a network switch sends incomplete information for the LLDP switch_id or port_id. The validation expects these fields when a port is updated; this fix now handles the validation exception.

  • The dnsmasq PXE filter no longer whitelists the MAC addresses of ports deleted from the Bare Metal service. Instead they are blacklisted unless introspection is active or the node_not_found_hook is set in the configuration. This ensures that no previously enrolled node accidentally boots the inspection image when no node introspection is active. Bug #2001979.


New Features

  • Adds a wildcard ignore entry to the dnsmasq PXE filter. When node introspection is active, or if node_not_found_hook is set in the configuration, the ignore is removed from the wildcard entry. This ensures that unknown nodes do not accidentally boot into the introspection image when no node introspection is active.

    This brings dnsmasq PXE filter driver feature parity with the iptables PXE filter driver, which uses a firewall rule to block any DHCP request on the interface where Ironic Inspector’s DHCP server is listening.
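    As an added illustration (not ironic-inspector's own code), the following Python model works through the filter decisions described in the bug fix for deleted ports and in the wildcard ignore feature above. The per-MAC file layout (one file per MAC in a dnsmasq dhcp-hostsdir, a bare MAC to allow, "mac,ignore" to block) and the wildcard file name are assumptions of this example.

```python
# Added example: a model of the dnsmasq PXE filter's sync decisions as described
# in the release notes. File names and the wildcard line are assumptions about the
# dnsmasq dhcp-hostsdir format; they are not taken from ironic-inspector.
import os
import tempfile

WILDCARD_FILE = "unknown_hosts_filter"   # assumed file name for the wildcard entry
WILDCARD_IGNORE = "*:*:*:*:*:*,ignore"   # dnsmasq: ignore DHCP requests from any MAC


def plan(ironic_macs, active_macs, deleted_macs, node_not_found_hook):
    """Return {filename: content}; a value of None means 'remove the file'."""
    # "inspection open": some node is being introspected, or unknown nodes are
    # deliberately allowed in via node_not_found_hook
    inspection_open = bool(active_macs) or node_not_found_hook
    entries = {}
    for mac in ironic_macs:
        # enrolled port: allowed to PXE only while its node is under introspection
        entries[mac] = mac if mac in active_macs else f"{mac},ignore"
    for mac in deleted_macs:
        # port deleted from the Bare Metal service: blacklisted unless inspection
        # is open, in which case its cached entry is dropped (bug 2001979)
        entries[mac] = None if inspection_open else f"{mac},ignore"
    # wildcard ignore blocks every unknown MAC whenever inspection is not open
    entries[WILDCARD_FILE] = None if inspection_open else WILDCARD_IGNORE
    return entries


def apply(hostsdir, entries):
    """Write or remove the per-MAC files; return the names left in hostsdir."""
    for name, content in entries.items():
        path = os.path.join(hostsdir, name)
        if content is None:
            if os.path.exists(path):
                os.remove(path)
        else:
            with open(path, "w") as f:
                f.write(content + "\n")
    return sorted(os.listdir(hostsdir))


def demo(active, hook):
    """Constructed sample: two enrolled ports (01 may be active), one deleted port."""
    hostsdir = tempfile.mkdtemp()
    entries = plan({"52:54:00:00:00:01", "52:54:00:00:00:02"},
                   {"52:54:00:00:00:01"} if active else set(),
                   {"52:54:00:00:00:99"}, hook)
    return apply(hostsdir, entries)


if __name__ == "__main__":
    print(demo(active=False, hook=False))   # everything ignored, wildcard present
    print(demo(active=True, hook=False))    # port 01 allowed, wildcard removed
```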


Upgrade Notes

  • Adds dependency on the retrying python library.

Bug Fixes

  • Fixes bug in which the switch_id field in a port’s local_link_connection can be set to a non-MAC address if the processed LLDP has a value other than a MAC address for ChassisID. The bare metal API requires the switch_id field to be a MAC address, and will return an error otherwise. See bug 1748022 for details.

  • Ironic introspection no longer tries to access the Identity service if the auth_strategy option is set to noauth and the auth_type option is not set to none.

  • The periodic PXE filter update task now retries fetching port list from the Bare Metal service 5 times (with 1 second delay) before giving up. This ensures that a temporary networking glitch will not result in the ironic-inspector service stopping.


Deprecation Notes

  • Several configuration options related to ironic API access are deprecated and will be removed in the Rocky release. These include:

    • [ironic]/os_region - use [ironic]/region_name option instead

    • [ironic]/auth_strategy - set [ironic]/auth_type option to none to access ironic API in noauth mode

    • [ironic]/ironic_url - use [ironic]/endpoint_override option to set specific ironic API endpoint address if discovery of ironic API endpoint is not desired or impossible (for example in standalone mode)

    • [ironic]/os_service_type - use [ironic]/service_type option

    • [ironic]/os_endpoint_type - use [ironic]/valid_interfaces option to set ironic endpoint types that will be attempted to be used

  • Several configuration options related to swift API access are deprecated and will be removed in the Rocky release. These include:

    • [swift]/os_service_type - use [swift]/service_type option

    • [swift]/os_endpoint_type - use [swift]/valid_interfaces option

    • [swift]/os_region - use [swift]/region_name option

Other Notes


New Features

  • Introduces the dnsmasq PXE filter driver. This driver takes advantage of the inotify facility to reconfigure the dnsmasq service in real time to implement a caching black-/white-list of port MAC addresses.

Upgrade Notes

  • A new state, aborting, was introduced to distinguish the node introspection abort precondition (being able to perform the state transition from the waiting state) from the activities necessary to abort an ongoing node introspection (power-off, setting the finished timestamp, etc.).

  • Handling of local_gb property was moved from the scheduler hook to root_disk_selection.

Bug Fixes

  • The node_info.finished(<transition>, error=<error>) now updates node state together with other status attributes in a single DB transaction.

Other Notes


New Features

  • The PXE filter drivers mechanism is now enabled. The firewall-based filtering was re-implemented as the iptables PXE filter driver.

  • Adds API access policy enforcement based on oslo.policy rules. Similar to other OpenStack services, operators can now configure fine-grained access policies using a policy.yaml file. See policy.yaml.sample in the code tree for the list of available policies and their default rules. This file can also be generated from the code tree with the following command:

    tox -egenpolicy

    See the oslo.policy package documentation for more information on using and configuring API access policies.

Upgrade Notes

  • Due to the choice of default values for API access policy rules, some parts of the ironic-inspector API will become available to a wider range of users after upgrade:

    • general access to the whole API is by default granted to a user with either admin, administrator or baremetal_admin role (previously it allowed access only to a user with admin role)

    • listing of current introspection statuses and showing a given introspection is by default also allowed to a user with the baremetal_observer role

    If these access policies are not appropriate for your deployment, override them in a policy.json file in the ironic-inspector configuration directory (usually /etc/ironic-inspector).

    See the oslo.policy package documentation for more information on using and configuring API access policies.

Deprecation Notes

  • The firewall-specific configuration options were moved from the firewall to the iptables group. All options in the iptables group are now deprecated.

  • The generic firewall options firewall_update_period and manage_firewall were moved under the pxe_filter group as sync_period and driver=iptables/noop respectively.

Bug Fixes

  • The older ipmi_address field in the introspection data no longer has priority over the newer bmc_address inventory field during lookup. This fixes lookup based on MAC addresses, when the BMC address is reported as for any reason (see bug 1714944).

  • Should the iptables PXE filter encounter an unexpected exception in the periodic sync call, the exception will be logged and the filter driver will be reset in order to make subsequent sync calls fail (and propagate the failure, exiting the ironic-inspector process eventually).

Other Notes

  • Allows a periodic task to shut down an ironic-inspector process upon a failure.