Victoria Series (10.2.0 - 10.4.x) Release Notes


Bug Fixes

  • Fixes an issue where a failed inspection due to a transient failure can prevent retry attempts to inspect to be perceived as a failure. If a prior inspection fails and is in error state, when a new introspection is requested, the state is now appropriately set to starting.


Bug Fixes

  • Fixes database migrations with SQLAlchemy 1.3.20.


New Features

  • Adds an accelerators plugin to identify acclerator devices and update the bare metal node for future scheduling. The accelerator devices will be saved to node properties under the key accelerators. Introduces a configuration option [accelerators]known_devices to specify a configuration file which contains required information to identify accelerator devices, by default it uses the in-tree configuration file named known_accelerators.yaml.

  • The dnsmasq pxe-filter now supports mapping between host InfiniBand MAC to EthernetOverInfiniBand MAC. (This was previously only supported by the iptables pxe-filter.)

  • By default the DHCP filtering will open the DHCP server for any node when introspection is active. It will only block DHCP for enrolled nodes that are not being introspected. Doing so is required to support interface discovery (which by default will enroll the pxe port to ironic if not present). This behaviour is not always wanted, as nodes not managed by ironic may boot the inspection image.

    A new option was added [pxe_filter]deny_unknown_macs which allow changeing this behaviour so that the DHCP server only allow enrolled nodes being introspected and deny everything else.


    If this option is True, nodes must have at least one enrolled port prior to introspection.

Bug Fixes

  • Fixes the node identification logic to enable a user to list the redfish_address label for driver_info field values for identification of a machine using the [DEFAULT]ipmi_address_fields configuration option. Previously the host would just not be matched as the full URL would be evaluated instead of what the URL may resolve to.


New Features

  • The new API GET /v1/introspection/<node>/data/unprocessed allows retrieving raw (unprocessed) data if data store is enabled.

Upgrade Notes

  • API now listens on :: by default, change the listen_address configuration option to modify.

Bug Fixes

  • The extra_hardware processing hook no longer refuses to parse extra data if some records are empty or have unexpected length. These records are now discared.

    The previous behavior can be returned by setting the new option [extra_hardware]strict to True.

  • The extra_hardware processing hook no longer removes the incoming data object if it has unexpected data format, assuming that this object is used for something else.

    The previous behavior can be returned by setting the new option [extra_hardware]strict to True.

  • Using auth_strategy=http_basic incorrectly required authentication for public paths such as / and /v1. These paths are now public.

  • Fixes an issue which may occur with Apache httpd webservers acting as a proxy where the server may report Bad Gateway, however inspector continues operating as if there was no problem. This was due to a lack of a Content-Type header on HTTP 202 and 204 replies, and lack of message body with HTTP 202 messages which Apache httpd can error upon.

  • No longer tries to set local_gb to -1 if the matched root device has size of zero.


New Features

  • Adds the ability for periodic clean-up and synchronization tasks with ironic to be able to be disabled by setting the [DEFAULT]clean_up_period to a value of 0. This is intended for “stand-alone” operators only as it may result in unexpected behaviors if used in a non-standalone environment.

  • Adds a new configuration option [discovery]enroll_node_fields that specifies additional fields to set on a node (e.g. driver interfaces).

  • Enable Basic HTTP authentication middleware.

    When the config option [DEFAULT]auth_strategy is set to http_basic then non-public API calls require a valid HTTP Basic authentication header to be set. The config option [DEFAULT]http_basic_auth_user_file defaults to /etc/ironic-inspector/htpasswd and points to a file that supports the Apache htpasswd syntax[1]. This file is read for every request, so no service restart is required when changes are made.

    The only password digest supported is bcrypt, and the bcrypt python library is used for password checks since it supports $2y$ prefixed bcrypt passwords as generated by the Apache htpasswd utility.

    To try basic authentication, the following can be done:

    • Set /etc/ironic-inspector/inspector.conf [DEFAULT]auth_strategy to http_basic

    • Populate the htpasswd file with entries, for example: htpasswd -nbB myName myPassword >> /etc/ironic-inspector/htpasswd

    • Make basic authenticated HTTP requests, for example: curl --user myName:myPassword http://localhost:6385/v1/introspection


  • Adds periodic leader election for the cleanup sync with Ironic. The election interval is configured by the new leader_election_interval config option.

  • Adds a configuration option [processing]update_pxe_enabled to control whether the pxe_enabled should be updated according to introspection data for ports. The default value is True which is backwards compatible.

Upgrade Notes

  • Remove upper constraint for python construct library and use the latest version available. The minimum compatible version for python construct is now 2.9.39

  • The raw data from the extra_hardware processing hook is no longer stored in Swift in an object named extra_hardware-<node UUID>. The same information is already available as part of the unprocessed introspection data without a hard dependency on Swift.

Deprecation Notes

  • The deprecated [swift]max_retries parameter has been removed.

Bug Fixes

  • Fixes an issue where IPv6 link local addresses are ignored during interface validation, making introspection fail.

  • Fixes AttributeError: 'Node' object has no attribute 'uuid' when trying to introspect an active node that is not currently in the cache.

  • No longer aborts the whole process if one periodic task fails.

  • Fixes accessing API endpoints with trailing slashes. Now they’re treated the same way as without slashes, although the latter remain canonical URLs.

  • No longer uses introspection delay for nodes with manage_boot==False (i.e. boot is managed by ironic). It is useless and may actually break introspection if a node boots before it gets whitelisted in the PXE filter.

  • The introspection start API is now synchronous when manage_boot==False. This means that any failures will be propagated to ironic, preventing it from powering a node on and booting it without the PXE filter updated.