Rocky Series (8.0.0 - 8.0.x) Release Notes
Fixes an issue when mapping a port's InfiniBand MAC address to an EthernetOverInfiniBand MAC. Prior to this fix, the mapping failed and raised an exception.
Fixes insufficient input filtering when looking up a node by information from the introspection data. It could potentially allow SQL injections via the /v1/continue API endpoint. See story 2005678 for details.
Fixes starting inspection of a node that has an IPv6 BMC address. Inspection could not be initiated because the IPv6 address was treated as a hostname, and the attempt to resolve that incorrect hostname ended in a blocking error.
set-attribute introspection rule action to accept None as value for a property.
A new rootwrap filter is now included to allow control of the systemd dnsmasq service used by ironic-inspector. This fixes a permission issue when systemctl commands are used as dnsmasq_stop_command in the configuration for the dnsmasq pxe filter. See bug 2002818.
The filter uses the systemd service name used by the RDO distribution (
Fixes an issue that can result in introspection failure when a network switch sends incomplete information for LLDP switch_id or port_id. The validation expects these fields when a port is updated; this fix now handles the validation exception.
Adds new parameter manage_boot to the introspection API to allow disabling boot management (setting the boot device and rebooting) for a specific node. If it is set to False, the boot is supposed to be managed by a 3rd party.
If the new option can_manage_boot is set to False (the default is True), then manage_boot must be explicitly set to
Modifies introspection rules to allow formatting to be applied to strings nested in dicts and lists in the actions.
Updates the default Ironic API version to 1.38.
This version is used by default within the Bare Metal Inspection service when communicating with the Bare Metal API. It is the default used by processing plugins, which may override the version, and by introspection rules, which may not override the version.
1.38 was the API version at the time of the most recent Queens series Bare Metal service release (10.1.0).
See story 2002166.
dnsmasq PXE filter no longer whitelists the MAC addresses of ports deleted from the Bare Metal service. Instead they are blacklisted unless introspection is active or the node_not_found_hook is set in the configuration. This ensures that no previously enrolled node accidentally boots the inspection image when no node introspection is active. Bug #2001979.
Stops introspection when setting the boot device fails, as the node is not guaranteed to perform a PXE boot in this case.
The deprecated configuration option [iptables]manage_firewall was removed, use [pxe_filter]driver to set filtering driver.
Adds wildcard ignore entry to dnsmasq PXE filter. When node introspection is active, or if node_not_found_hook is set in the configuration, the ignore is removed from the wildcard entry. This ensures that unknown nodes do not accidentally boot into the introspection image when no node introspection is active.
dnsmasq PXE filter driver feature parity with the iptables PXE filter driver, which uses a firewall rule to block any DHCP request on the interface where Ironic Inspector’s DHCP server is listening.
Issuing a SIGHUP to the ironic-inspector service will cause the service to reload and use any changed values for mutable configuration options.
Mutable configuration options are indicated as such in the sample configuration file by "Note: This option can be changed without restarting."
A warning is logged for any changes to immutable configuration options.
[discovery]enroll_node_driver option, specifying the hardware type or driver to use for newly discovered nodes, was changed from fake classic driver to
Adds dependency on the retrying python library.
Fixes bug in which the switch_id field in a port’s local_link_connection can be set to a non-MAC address if the processed LLDP has a value other than a MAC address for ChassisID. The bare metal API requires the switch_id field to be a MAC address, and will return an error otherwise. See bug 1748022 for details.
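The check behind this fix and the incomplete switch_id/port_id fix earlier in these notes, as an added example that is not ironic-inspector's own code: it reads the LLDP ChassisID and PortID TLVs and accepts a switch_id only when the ChassisID subtype is "MAC address". The function name, the (type, hex value) input shape and the all-or-nothing return policy are assumptions of this example; the sample TLVs are constructed.

```python
# Added example; names and input shape are assumptions, not project code.
TLV_CHASSIS_ID, TLV_PORT_ID = 1, 2      # IEEE 802.1AB TLV types
CHASSIS_SUBTYPE_MAC = 4                 # ChassisID subtype "MAC address"
PORT_SUBTYPE_MAC = 3                    # PortID subtype "MAC address"
PORT_TEXT_SUBTYPES = {1, 5, 7}          # alias, interface name, local


def _fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def local_link_from_lldp(tlvs):
    """Build local_link_connection fields, or None if data is unusable."""
    link = {}
    for tlv_type, hex_value in tlvs:
        try:
            value = bytes.fromhex(hex_value)
        except (ValueError, TypeError):
            continue                    # malformed TLV: skip, do not raise
        if len(value) < 2:
            continue                    # need subtype byte + at least 1 ID byte
        subtype, ident = value[0], value[1:]
        if tlv_type == TLV_CHASSIS_ID:
            # Only a 6-byte, MAC-subtype ChassisID may become switch_id.
            if subtype == CHASSIS_SUBTYPE_MAC and len(ident) == 6:
                link["switch_id"] = _fmt_mac(ident)
        elif tlv_type == TLV_PORT_ID:
            if subtype == PORT_SUBTYPE_MAC and len(ident) == 6:
                link["port_id"] = _fmt_mac(ident)
            elif subtype in PORT_TEXT_SUBTYPES:
                try:
                    link["port_id"] = ident.decode("ascii")
                except UnicodeDecodeError:
                    pass                # non-text ID: leave port_id unset
    # Policy of this example: never return a partial switch description.
    if "switch_id" in link and "port_id" in link:
        return link
    return None


# Constructed sample TLVs as (type, hex value) pairs.
GOOD = [(1, "04885a92ec5459"), (2, "0545746865726e6574312f31")]
NON_MAC_CHASSIS = [(1, "0773772d3031"), (2, "0545746865726e6574312f31")]
NO_PORT_ID = [(1, "04885a92ec5459")]

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("non-MAC chassis", NON_MAC_CHASSIS),
                         ("no port id", NO_PORT_ID)]:
        print(name, "->", local_link_from_lldp(sample))
```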
Ironic introspection no longer tries to access the Identity service if the
auth_strategy option is set to
auth_type option is not set to
The periodic PXE filter update task now retries fetching the port list from the Bare Metal service 5 times (with 1 second delay) before giving up. This ensures that a temporary networking glitch will not result in the ironic-inspector service stopping.