Mitaka Series (4.3.0 - 5.1.x) Release Notes


Upgrade Notes

  • Updated python-scciclient required version number for iRMC driver to 0.3.1 which contains the bug fix ‘#1561852’ and maintenance updates.

Bug Fixes

  • A node using the ‘agent_ilo’ or ‘iscsi_ilo’ driver has its ‘driver_info/ilo_deploy_iso’ field validated during node validate. This closes bug
  • Fixes a problem which causes the conductor to error out on startup in case there’s a duplicated entry in the enabled_drivers configuration option.
  • Fixes a problem where the boot mode (UEFI or BIOS) wasn’t being considered when setting the boot device of a node using the ipminative driver, causing the node to switch from UEFI to legacy BIOS as part of the request to change the boot device.
  • Fixes a problem where the boot mode (UEFI or BIOS) wasn’t checked as part of changing the boot device of a node, making it incorrectly switch from UEFI to Legacy BIOS mode on some hardware models.
  • Fixed updating a MAC on a port for active instances in maintenance mode (used to return HTTP 500 previously).
  • Return HTTP 400 for requests to update a MAC on a port for an active instance without maintenance mode set (used to return HTTP 500 previously).


Security Issues

  • A critical security vulnerability (CVE-2016-4985) was fixed in this release. Previously, a client with network access to the ironic-api service was able to bypass Keystone authentication and retrieve all information about any Node registered with Ironic, if they knew (or were able to guess) the MAC address of a network card belonging to that Node, by sending a crafted POST request to the /v1/drivers/$DRIVER_NAME/vendor_passthru resource. Ironic’s policy.json configuration is now respected when responding to this request such that, if passwords should be masked for other requests, they are also masked for this request.
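One way to review ironic-api access logs from a pre-fix deployment for requests of the kind described above. This is an added example, not Ironic code; the Common Log Format layout, the trusted network and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Common Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Resource named in the release note: /v1/drivers/$DRIVER_NAME/vendor_passthru
PASSTHRU_RE = re.compile(r'^/v1/drivers/(?P<driver>[^/?]+)/vendor_passthru(?:[/?]|$)')

# Assumption: the only hosts expected to POST to this resource sit on this network.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log lines (documentation address ranges, made-up method name).
SAMPLE_LOG = """\
192.0.2.15 - - [21/Jun/2016:10:02:11 +0000] "POST /v1/drivers/agent_ilo/vendor_passthru/some_method HTTP/1.1" 200 1843
203.0.113.77 - - [21/Jun/2016:10:05:42 +0000] "POST /v1/drivers/agent_ilo/vendor_passthru/some_method HTTP/1.1" 200 1843
203.0.113.77 - - [21/Jun/2016:10:05:43 +0000] "GET /v1/nodes HTTP/1.1" 401 114
198.51.100.9 - - [21/Jun/2016:11:17:03 +0000] "POST /v1/drivers/iscsi_ilo/vendor_passthru/some_method HTTP/1.1" 404 97
203.0.113.77 - - [21/Jun/2016:11:20:00 +0000] "GET /v1/drivers/agent_ilo/vendor_passthru/methods HTTP/1.1" 401 114
""".splitlines()


def is_trusted(client, nets):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or malformed field: treat as untrusted
    return any(addr in net for net in nets)


def suspicious_passthru_posts(lines, nets=TRUSTED_NETS):
    """Return (client, time, driver, status) for each POST to a driver
    vendor_passthru resource whose source is outside the trusted networks."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        p = PASSTHRU_RE.match(m["path"])
        if p and not is_trusted(m["client"], nets):
            hits.append((m["client"], m["time"], p["driver"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in suspicious_passthru_posts(SAMPLE_LOG):
        print(hit)
```

Hits with a 2xx status deserve the closest review, since those requests received a response body.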


Bug Fixes


New Features

  • Adds support for partition images for agent based drivers.
  • Adds support for passing an optional CA certificate using the [glance]glance_cafile configuration option to validate the SSL certificate served by Glance for secured HTTPS communication between Glance and Ironic.
  • Appends request_id as the Openstack-Request-Id header to the response.

Upgrade Notes

  • Adds a [glance]glance_cafile configuration option to pass an optional certificate for secured HTTPS communication. It is used when the [glance]glance_api_insecure configuration option is set to False.

Bug Fixes

  • Ensure node’s target_provision_state is cleared when the node is moved to a stable state, indicating that the state transition is done.
  • Fixes the bug where the user specified disk_label is ignored for the agent drivers for partition images.
  • Fixes a problem where some hardware/firmware (especially faulty ones) won’t come back online after an in-band ACPI soft power off by adding a new driver property called “deploy_forces_oob_reboot” that can be set on the nodes being deployed by the IPA ramdisk. If the value of this property is True, Ironic will power cycle the node via out-of-band.
  • Fixes a bug where the keystone_authtoken/region_name wasn’t passed to Swift when instantiating its client. In a multi-region environment this is needed so the client can choose the correct Swift endpoint.