Current Series Release Notes

6.5.0-1

Upgrade Notes

  • The kernel parameter lldp-timeout was deprecated during the Newton development cycle and has now been removed. Use ipa-lldp-timeout instead.

6.5.0

New Features

  • Adds UUID of the disks to the inventory of block devices that is collected during inspection.

  • Adds the ability to bring up VLAN interfaces and include them in the introspection report. A new kernel parameter, ipa-enable-vlan-interfaces, is added. It defines either the VLAN interface to enable, the interface to use, or ‘all’, which indicates all interfaces. If a particular VLAN is not provided, IPA will use the LLDP information for the interface to determine which VLANs should be enabled. See story 2008298.

  • Adds a clean step to erase the Linux kernel’s pstore. The step is disabled by default.

  • Adds a configuration option, which can be encoded into the ramdisk itself or supplied in the PXE parameters, that instructs the agent to ignore bootloader installation or configuration failures. This functionality is useful to work around well-intentioned hardware that auto-populates all possible devices into the UEFI NVRAM in order to help ensure the machine boots, which can also mean that any explicit configuration attempt will fail. Operators needing this bypass can use the ipa-ignore-bootloader-failure configuration option on the PXE command line or the ignore_bootloader_failure option in the ramdisk configuration. In a future version of ironic, this setting may be able to be overridden by ironic node level configuration.

  • Deployers in highly-secure environments can now manually set the Ironic API version via the ipa-ironic-api-version parameter on the kernel command line instead of relying on unauthenticated autodetection. This is not a recommended configuration.

  • For Software RAID, IPA will use the partition LABEL along with the UUID and PARTUUID passed from the conductor to identify the root partition. The root file system LABEL can be set as the value of the rootfs_uuid image metadata property.

Security Issues

  • If enabled, the new clean step ‘erase_pstore’ removes all pstore entries (the oops/panic logs from a failing kernel) upon cleaning. This is to reduce the risk that potentially sensitive data is preserved across instantiations (and therefore different users) of a bare metal node.
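
An added example (not code from ironic-python-agent) of what such a step has to do: locate the pstore mount and unlink every record in it. The function names, the sample mount table and the record names are constructed for illustration, and the demo runs against a temporary directory rather than a real pstore mount.

```python
import os
import tempfile

# Constructed /proc/mounts excerpt: "device mountpoint fstype options dump pass".
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""


def find_pstore_mount(mounts_text):
    """Return the mount point of the pstore filesystem, or None if not mounted."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "pstore":
            return fields[1]
    return None


def erase_pstore_entries(pstore_dir):
    """Unlink every record in pstore_dir and return the removed names, sorted."""
    removed = []
    for entry in sorted(os.listdir(pstore_dir)):
        path = os.path.join(pstore_dir, entry)
        # pstore exposes each record as a regular file; unlinking it asks the
        # backend to drop the stored record.
        if os.path.isfile(path) and not os.path.islink(path):
            os.unlink(path)
            removed.append(entry)
    return removed


def demo():
    """Erase constructed records from a temporary directory standing in for pstore."""
    with tempfile.TemporaryDirectory() as fake_pstore:
        for name in ("dmesg-efi-164000000001", "dmesg-efi-164000000002"):
            with open(os.path.join(fake_pstore, name), "w") as record:
                record.write("constructed oops text\n")
        removed = erase_pstore_entries(fake_pstore)
        return find_pstore_mount(SAMPLE_MOUNTS), removed, os.listdir(fake_pstore)


if __name__ == "__main__":
    print(demo())
```

An empty directory listing after the step is the check to make before a node is handed to the next user.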

Bug Fixes

  • Fixes an issue where intermittent or transitory connection issues can cause inspection to fail. The ramdisk now retries reporting to inspector a total of five times.

  • The file system configuration file for Linux machines, /etc/fstab, is now updated to include a reference to the EFI partition in the case of a partition-image-based deployment. Without this reference, images deployed using partition images could end up in situations where upgrading the bootloader could fail.

  • Automatically generated TLS certificates now have their validity starting in the past (1 hour by default) to allow for clock skew.

  • Fixes the agent process for determining what partition label type to utilize when writing partition images. In many cases, this could fall back to msdos if the instance flavor was not properly labeled.

  • Fixes an issue where the running system operating mode was not taken into account when writing partition images. The agent now utilises a helper instead of explicitly expecting the flavor derived information to supply all deployment context.

  • Fixes an issue where deployments of Fedora or CentOS can hang when using grub2, with the execution of the grub2-mkconfig command not returning before the deployment process times out. This is because grub2-mkconfig triggers os-prober, which can take an extended period of time to evaluate additional unrelated devices for dual-boot scenarios. Since operators are not dual booting their machines enrolled in ironic, it seems like an unnecessary scan and has thus been disabled.

  • Correctly decodes error messages from ironic API.

  • The mdadm utility is no longer a hard requirement. It’s still required if software RAID is used (even when not managed by ironic).

  • Fixes the write_image deploy step to actually check and return any errors during its execution.

  • Fixes the agent’s EFI boot handling such that EFI assets from a partition image are preserved and used instead of overridden. This should permit operators to use Secure Boot with partition images IF the assets are already present in the partition image.

  • Upon the creation of Software RAID devices, component devices are sometimes kicked out immediately (for no apparent reason). This fix re-adds devices in such cases to prevent the component from being missing the next time the device is assembled, which, for instance, may prevent the UEFI ESPs from being installed properly.

  • Avoids a traceback when using install_bootloader with whole disk images. If the root UUID cannot be detected, don’t try to call grub.

Other Notes

  • Agent configuration files found on attached virtual media or config drive devices are now copied to the ramdisk and loaded on start up.