Newton Series (6.0.0 - 6.2.x) Release Notes

Newton Series (6.0.0 - 6.2.x) Release Notes

6.2.4-3

Bug Fixes

  • Updating the python-oneviewclient minimum version to 2.5.1 on driver-requirements.txt. The minimum version that was in the requirements was 2.0.2, and is very outdated, causing the driver to not work for this version. With this change, the new minimal version works for the driver, making the CI for stable/newton also work.

6.2.4

Bug Fixes

6.2.3

Security Issues

  • private ssh keys are now masked when using the ssh power driver and node details are requested.

Bug Fixes

  • Fixed a bug that was causing an increase in CPU usage over time.
  • Ironic exceptions that contained arbitrary objects in kwargs and were sent via RPC were causing oslo_messaging serializer to fail. This was leading to 500 errors from ironic API, timing out waiting for response from the conductor. Starting with this release, all non-serializable objects contained in an exception’s kwargs are dropped. If the error is going to be returned by the service will depend on the configuration option [DEFAULT]fatal_exception_format_errors.
  • Fixes an issue with ironic being able to change the power state of nodes currently in use by OneView.
  • PXEBoot driver interface now correctly supports node take-over for netboot-ed nodes in ACTIVE state. During take-over, the PXE environment is first created anew before attempting to switch it to “service mode”.

6.2.2

Bug Fixes

  • adds a missing error check into ipmitool power driver’s reboot so that the reboot can fail properly if power off failed.
  • Fixes an issue which caused the DRAC driver (pxe_drac) get_bios_config() vendor passthru method to unintentionally raise an AttributeError exception. That method once again returns the current BIOS configuration. For more information, see https://bugs.launchpad.net/ironic/+bug/1637671.
  • Fixes a bug in the oneview driver where the periodic task to check if a node is in use by oneview may end prematurely.
  • Fixes a bug with incorrect base socat command, which prevented the usage of console.
  • Remove “dhcp” command from the default iPXE script. It is redundant, and may even break booting when the provisioning NIC is not the first one.
  • Fixes a problem where the deployment of a node would fail to continue if a malformed MAC address was passed to the lookup mechanism in the Ironic API. For example, if a node contains an Infiniband card, the lookup used to fail because the agent ramdisk passes a MAC address (or GID) with 20 octets (instead of the expected 6 octets) as part of the lookup request. Invalid addresses are now ignored.

6.2.0

New Features

  • Pass proxy information from agent driver to IPA ramdisk, so that images can be cached on the proxy server.
  • Adds support for inter-service notifications (disabled by default until the notification_level configuration option is set). For more information, see the notifications documentation in the developer’s guide (http://docs.openstack.org/developer/ironic/dev/notifications.html). Notifications are not actually emitted yet, but will be added in a future release.
  • Adds support for InfiniBand networking to allow hardware inspection and PXE boot over InfiniBand.
  • Add the field standalone_ports_supported to the portgroup object. This field indicates whether ports that are members of this portgroup can be used as stand-alone ports. The default is True.
  • Added configdrive support for whole disk images for iSCSI based deploy. This will work for UEFI only or BIOS only images. It will not work for hybrid images which are capable of booting from BIOS and UEFI boot mode.
  • Adds out-of-band inspection interface usable by DRAC drivers.
  • Adds list_unfinished_jobs method to the vendor-passthru interface of the DRAC driver. It provides a way to check the status of the remote config job after a BIOS configuration change was submitted using the set_bios_config method.
  • Adds out-of-band RAID management to DRAC driver using the generic RAID interface which makes the functionality available via manual cleaning steps.
  • New configuration option, [drac]/query_raid_config_job_status_interval was added. After Ironic has created the RAID config job on the DRAC card, it continues to check for status update on the config job to determine whether the RAID configuration was successfully finished within this interval. Default is 120 seconds.
  • Adds a new [deploy]/erase_devices_metadata_priority configuration option to allow operators to configure the priority of (or disable) the “erase_devices_metadata” cleaning step.
  • iLO drivers now provide out-of-band firmware update as a manual cleaning step, for supported hardware components.
  • By default, the ironic-conductor service caches the node’s deploy ramdisk and kernel images locally and serves them via a separate HTTP server. A new [pxe]/ipxe_use_swift configuration option (disabled by default) allows images to be accessed directly from object store via Swift temporary URLs. This is only applicable if iPXE is enabled (via [pxe]/ipxe_enabled configuration option) and image store is in Glance/Swift. For user images that are partition images requiring non-local boot, the default behavior with local caching and an HTTP server will still apply for user image kernel and ramdisk.
  • Adds a new policy rule that may be used to mask instance-specific secrets, such as configdrive contents or the temp URL used to store a configdrive or instance image. This is similar to how passwords are already masked.

Known Issues

  • When using caching proxy with agent_* drivers, caching the image on the proxy server might involve increasing [glance]swift_temp_url_duration config option value. This way, the cached entry will be valid for a period of time long enough to see the benefits of caching. Large temporary URL duration might become a security issue in some cases.

Upgrade Notes

  • Adds a [glance]swift_temp_url_cache_enabled configuration option to enable Swift temporary URL caching. It is only useful if the caching proxy is used. Also adds [glance]swift_temp_url_expected_download_start_delay, which is used to check if the Swift temporary URL duration is long enough to let the image download to start, and, if temporary URL caching is enabled, to determine if a cached entry will be still valid when download starts. The value of [glance]swift_temp_url_expected_download_start_delay must be less than the value for the [glance]swift_temp_url_duration configuration option.
  • The inspect interface of the pxe_drac driver has switched to use out-of-band inspection. For inband inspection, the node should be updated to use the pxe_drac_inspector driver instead.
  • The new “erase_devices_metadata” cleaning step is enabled by default (if available) in the ironic-python-agent project (priority 99). Wiping the devices metadata is usually very fast and shouldn’t add much time (if any) to the overall cleaning process. Operators wanting to disable this cleaning step can do it by setting the [deploy]/erase_devices_metadata_priority configuration option to 0.
  • Minimum required version of python-ironic-inspector-client was bumped to 1.5.0 (released as part of the Mitaka cycle).
  • Instance secrets will now, by default, be masked in API responses. Operators wishing to expose the configdrive or instance image to specific users will need to update their policy.json file and grant the relevant keystone roles.
  • The minimum required version of proliantutils (needed for iLO drivers) was bumped to 2.1.11. This version includes fixes for the bugs caused by python request library version 2.11.0, Proliant Gen7 support and iLO based RAID configuration.
  • The minimum required version of python-scciclient (needed for the iRMC driver) was bumped to 0.4.0.
  • When registering a OneView node in ironic, operator should make sure field server_profile_template_uri is set in properties/capabilities and not in driver_info anymore. Otherwise the node will fail on validation.
  • The default bootloader for PXE + UEFI has changed from ELILO to Grub2 because ELILO is not being actively developed anymore. Operators relying on ELILO should explicitly set the [pxe]/uefi_pxe_bootfile_name and [pxe]/uefi_pxe_config_template configuration options to the ELILO ROM and configuration template.

Deprecation Notes

  • The ClusteredComputeManager is now deprecated.

    The Newton version of Nova adds functionality to the ironic virt driver to support multiple compute hosts without using the hack we call ClusteredComputeManager. As such, we are marking this unsupported component as deprecated, and plan to remove it before the end of the Ocata development cycle.

  • The following drivers are marked as unsupported and therefore deprecated. Some or all of these drivers may be removed in the Ocata cycle or later.
    • agent_amt
    • agent_iboot
    • agent_pyghmi
    • agent_ssh
    • agent_vbox
    • agent_wol
    • fake_ipminative
    • fake_ssh
    • fake_seamicro
    • fake_iboot
    • fake_snmp
    • fake_vbox
    • fake_amt
    • fake_msftocs
    • fake_wol
    • pxe_ipminative
    • pxe_ssh
    • pxe_vbox
    • pxe_seamicro
    • pxe_iboot
    • pxe_snmp
    • pxe_amt
    • pxe_msftocs
    • pxe_wol

Security Issues

  • Configdrives often contain sensitive information. Users may upload their own images, which could also contain sensitive information. The Agent drivers may store this information in a Swift temp URL to allow access from the Agent ramdisk. These URLs are considered sensitive information because they grant unauthenticated access to sensitive information. Now, we only selectively expose this information to privileged users, whereas previously it was exposed to all authenticated users.

Bug Fixes

  • The dynamic_allocation flag in a node’s driver_info previously only accepted a Boolean. It now also accepts the strings ‘t’, ‘true’, ‘on’, ‘y’, ‘yes’, or ‘1’ as True, and the strings ‘f’, ‘false’, ‘off’, ‘n’, ‘no’, or ‘0’ as False. These are matched case-insensitively.
  • Fixes a bug which prevented the ironic-conductor service from using the interval values from the configuration options, for the periodic tasks. Instead, the default values had been used.
  • The API now returns an appropriate error message when a chassis description over 255 characters is specified.
  • Fixes DRAC deploy interface failure when automated cleaning is called without any clean step.
  • When no boot mode is explicitly set on a node using an iLO driver, ironic automatically picks a boot mode based on hardware capabilities. This confuses deployers, as these factors are system specific and not configurable. In order to ensure predictable behavior, a new configuration parameter, [ilo]/default_boot_mode, was added to allow deployers to explicitly set a default. The default value of this option keeps behavior consistent for existing deployments.
  • Ironic Inspector inspection interface will now fetch the service endpoint for the service catalog, if “service_url” is not provided and keystone support is enabled.
  • Fixes a problem where the boot mode (UEFI or BIOS) wasn’t being considered when setting the boot device of a node using the “ipminative” management interface. It would incorrectly switch UEFI to legacy BIOS mode as part of the request to change the boot device.
  • Fixes a problem where the boot mode (UEFI or BIOS) wasn’t being considered when setting the boot device of a node using the “ipmitool” management interface. It would incorrectly switch from UEFI to Legacy BIOS mode on some hardware models.
  • Update create provisioning ports logic to fail only when no neutron ports were created. If we created at least one neutron port, proceed with the deployment. It was the default behaviour for flat scenario.
  • Fixed updating a MAC on a port for active instances in maintenance mode (previously returned HTTP 500).
  • Return HTTP 400 for requests to update a MAC on a port for an active instance without maintenance mode set (previously returned HTTP 500).

6.1.0

New Features

  • OneView drivers now support dynamic allocation of nodes in OneView, allowing for better resource sharing with non-OpenStack users since Server Hardware will be allocated only when the node is scheduled to be used. To enable the new allocation feature for a node, set the flag dynamic_allocation=True on the node’s driver_info. More information is available at http://docs.openstack.org/developer/ironic/drivers/oneview.html.
  • Adds a resource_class field to the node resource, which will be used by Nova to define which nodes may quantitatively match a Nova flavor. Operators should populate this accordingly before deploying the Ocata version of Nova.
  • Exposes the local_link_connection and pxe_enabled properties of the Port resource to the REST API, raising the API maximum version to 1.19.
    • The pxe_enabled field indicates whether this Port should be used when PXE booting this Node.
    • The local_link_connection field may be used to supply the port binding profile.
  • A new dictionary field internal_info is added to the port API object. It is readonly from the API side, and can contain any internal information ironic needs to store for the port. cleaning_vif_port_id is being stored inside this dictionary.
  • Adds support for socat-based serial console to ipmitool-based drivers. These are available by using the agent_ipmitool_socat and pxe_ipmitool_socat drivers.
  • The ironic-api service now supports logging audit messages of API calls. The following configuration parameters have been added. By default auditing of ironic-api service is turned off.

    • [audit]/enabled
    • [audit]/ignore_req_list
    • [audit]/audit_map_file

    Further documentation for this feature is available at http://docs.openstack.org/developer/ironic/deploy/api-audit-support.html.

  • Adds support for collecting deployment logs from the IPA ramdisk. Five new configuration options were added:
    • [agent]/deploy_logs_collect
    • [agent]/deploy_logs_storage_backend
    • [agent]/deploy_logs_local_path
    • [agent]/deploy_logs_swift_container
    • [agent]/deploy_logs_swift_days_to_expire.
  • Ironic now emits timing metrics for all API methods to statsd, if enabled by the [metrics] and [metrics_statsd] configuration sections.
  • RESTful access to every API resource may now be controlled by adjusting policy settings. Defaults are set in code, and remain backwards compatible with the previously-included policy.json file. Two new roles are checked by default, “baremetal_admin” and “baremetal_observer”, though these may be replaced or overridden by configuration. The “baremetal_observer” role grants read-only access to Ironic’s API.
  • New API endpoint for deploy ramdisk lookup /v1/lookup. This endpoint is not authenticated to allow ramdisks to access it without passing the credentials to them.
  • New API endpoint for deploy ramdisk heartbeat /v1/heartbeat/<NODE>. This endpoint is not authenticated to allow ramdisks to access it without passing the credentials to them.
  • Adds multitenant networking support.

    Ironic now has the concept of “network interfaces” for a node, which represent a networking driver.

    There are three network interfaces available:

    • flat: this replicates the old flat network behavior and is the default when using neutron for DHCP.
    • noop: this replicates the old flat behavior when not using neutron for DHCP, and is the default when the configuration option [DHCP]/dhcp_provider is set to “none”.
    • neutron: this allows for separating the provisioning and cleaning networks from the tenant networks, and provides isolation from tenant network to tenant network, and tenant network to control plane. The following configuration options must be set if the neutron interface is enabled, or ironic-conductor will fail to start:
      • [neutron]/provisioning_network_uuid
      • [neutron]/cleaning_network_uuid

    A [DEFAULT]/enabled_network_interfaces option (which must be set for both ironic-api and ironic-conductor services) controls which network interfaces are available for use.

    A network interface is set for a node by setting the network_interface field for the node via the REST API. This field is available in API version 1.20 and above. Changing the network interface may only be done in the enroll, inspecting, and manageable states.

    The configuration option [DEFAULT]/default_network_interface may be used to specify which network interface is defined when a node is created.

    WARNING: don’t set the option ``[DEFAULT]/default_network_interface`` before upgrading to this release without reading the upgrade notes about it, due to data migrations depending on the value.

  • Adds the ability for ironic conductor to pass configurations for agent metrics on lookup. When paired with a sufficiently new ironic python agent, this will configure the metrics backends.
  • Extend the root device hints to identify whether a disk is rotational or not.
  • Added support to validate iLO SSL certificate in iLO drivers. A new configuration option [ilo]/ca_file is added to specify the iLO CA certificate file. If [ilo]/ca_file is specified, the iLO drivers will validate iLO SSL certificates.

Upgrade Notes

  • Adds a resource_class field to the node resource, which will be used by Nova to define which nodes may quantitatively match a Nova flavor. Operators should populate this accordingly before deploying the Ocata version of Nova.
  • Collecting logs on deploy failure is enabled by default and the logs will be saved to the local disk at the location specified by the configuration option [agent]/deploy_logs_local_path (by default, /var/log/ironic/deploy). Operators upgrading may want to disable this feature, enable some form of rotation for the logs or change the configuration to store the logs in Swift to avoid disk space problems.
  • During an upgrade, it is recommended that all deployers re-evaluate the settings in their /etc/ironic/policy.json file. This file should now be used only to override default configuration, such as by limiting access to the ironic service to specific tenants or restricting access to specific API endpoints. A policy.json.sample file is provided that lists all supported policies.
  • Changes the way to configure access credentials for OpenStack services clients. For each service, both Keystone session options (timeout, SSL-related ones) and Keystone auth_plugin options (auth_url, auth_type and corresponding auth_plugin options) should be specified in the configuration section for this service. Configuration sections affected are:

    • [neutron] for Neutron service user
    • [glance] for Glance service user
    • [swift] for Swift service user
    • [inspector] for Ironic Inspector service user
    • [service_catalog] new section for Ironic service user, used to discover Ironic endpoint from Keystone Catalog

    This enables fine tuning of authentication for each service.

    Backward-compatible options handling is provided using values from [keystone_authtoken] config section, but operators are advised to switch to the new config options as the old options are deprecated. The old options will be removed during the Ocata cycle. For more information on sessions, auth plugins and their settings, please refer to http://docs.openstack.org/developer/keystoneauth/.

  • Small change in semantics of default for [neutron]/url option
    • default is changed to None.
    • For the case when [neutron]/auth_strategy is noauth, default means use http://$my_ip:9696.
    • For the case when [neutron]/auth_strategy is keystone, default means to resolve the endpoint from Keystone Catalog.
  • New config section [service_catalog] for access credentials used to discover Ironic API URL from Keystone Catalog. Previously credentials from [keystone_authtoken] section were used, which is now deprecated for such purpose.
  • A new configuration option [api]/restrict_lookup is added, which restricts the lookup API (normally only used by ramdisks) to only work when the node is in specific states used by the ramdisk, and defaults to True. Operators that need this endpoint to work in any state may set this to False, though this is insecure and should not be used in normal operation.
  • [DEFAULT]/default_network_interface configuration option is introduced, with empty default value. If set, the specified interface will be used as the network interface for nodes that don’t have network_interface field set. If it is not set, the network interface is determined by looking at the [dhcp]/dhcp_provider value. If it is neutron - flat network interface is the default, noop otherwise.

    The network interface will be set for all nodes without network_interface already set via a database migration. This will be set following the logic above. When running database migrations for an existing deployment, it’s important to check the above configuration options to ensure the existing nodes will have the expected network_interface. If [DEFAULT]/default_network_interface is not set, everything should go as expected. If it is set, ensure that it is set to the value that you wish existing nodes to use.

  • Note that if the configuration option [DEFAULT]/default_network_interface is set, it must be set in the configuration file for both the API and conductor hosts.
  • If neutron network interface is specified for the configuration option [DEFAULT]/enabled_network_interfaces, then [neutron]/provisioning_network_uuid and [neutron]/cleaning_network_uuid configuration options are required. If either of them is not specified, the ironic-conductor service will fail to start.

Deprecation Notes

  • Deprecates pre-allocation feature for the OneView drivers since it requires resource allocation to Ironic prior to boot time, which makes Server Hardware unavailable to non-OpenStack OneView users. Pre-allocation will be removed in the OpenStack Pike release. All nodes with dynamic_allocation=False set, or that don’t have the dynamic_allocation flag set, will be assumed to be in pre-allocation. Users may use the REST API or the ironic-oneview-cli to migrate nodes from pre-allocation to dynamic allocation. More information is available at http://docs.openstack.org/developer/ironic/drivers/oneview.html.
  • Agent vendor passthru is deprecated and will be removed in Ocata release. Operators should update their IPA image to the Newton version to use the new replacement API. Driver developers should stop using the agent vendor passthru.
  • The [ilo]/clean_priority_erase_devices configuration option is deprecated and will be removed in the Ocata cycle. Please use the [deploy]/erase_devices_priority option instead.
  • The [keystone_authtoken] configuration section is deprecated for configuring clients for other services (but is still used for configuring API token authentication), in favor of the [service_catalog] section. The ability to configure clients for other services via the [keystone_authtoken] section will be removed during the Ocata cycle.
  • The configuration option [agent]/heartbeat_timeout was renamed to [api]/ramdisk_heartbeat_timeout. The old variant is deprecated.
  • create_cleaning_ports and delete_cleaning_ports methods in DHCP providers are deprecated and will be removed completely in the Ocata release. The logic they are implementing should be moved to a custom network interface’s add_cleaning_network and remove_cleaning_network methods respectively. After that, the methods themselves should be removed from DHCP provider so that the custom network interface is used instead. flat network interface does not require [neutron]/cleaning_network_uuid for now so as not to break standalone deployments upon upgrade, but it will be required in the Ocata release if the flat network interface is enabled.
  • Putting periodic tasks on a driver object (rather than interface) is deprecated. Driver developers should move periodic tasks from driver objects to interface objects.

Security Issues

  • Previously, access to Ironic’s REST API was “all or nothing”. With this release, it is now possible to restrict read and write access to API resources to specific cloud roles.

Bug Fixes

  • Adoption feature logic was updated to prevent ramdisk creation and default to instance creation where appropriate based on the driver.
  • Adoption documentation has been updated to note that the boot_option should likely be defined for nodes by a user leveraging the feature.
  • Adoption documentation has been updated to note that a user may wish to utilize the noop network interface that arrived with API version 1.20.
  • Fixes the issue of not attaching virtual media during cleaning operation for vmedia based drivers.
  • A node using the agent_ilo or iscsi_ilo driver now has its driver_info/ilo_deploy_iso field validated during node validation.
  • Clear target_power_state of the nodes locked by the conductor on its startup.
  • Fixed a bug where the ironic python agent ramdisk was not creating an ephemeral partition because the ephemeral partition size was not being passed correctly to the agent.
  • Do not rely on keystonemiddleware config options for instantiating clients for other OpenStack services. This allows changing keystonemiddleware options from legacy ones and thus support Keystone V3 for token validation.

Other Notes

  • The continue_deploy and reboot_to_instance methods in the BaseAgentVendor class stopped accepting ** arguments. They were never used anyway; drivers should stop passing anything there.

6.0.0

Prelude

Starting with this release IPA is the only deployment and inspection ramdisk supported by Ironic.

New Features

  • Addition of the provision state target verb of adopt which allows an operator to move a node into an active state from manageable state, without performing a deployment operation on the node. This can be used to represent nodes that have been previously deployed by other means that will now be managed by ironic and be later released to the available hardware pool.
  • A new configuration option [deploy]continue_if_disk_secure_erase_fails, which has a default value of False, has been added. If set to True, the Ironic Python Agent will revert to a disk shred operation if an ATA secure erase operation fails. Under normal circumstances, the failure of an ATA secure erase operation results in the node being put in clean failed state.
  • IPA supported iSCSI portal port customization already. With this patch, we added new portal_port argument into agent_client.start_iscsi_target() method to pass iSCSI portal port to IPA side. And add new configuration into iscsi module as CONF.iscsi.portal_port
  • Operators can now set deploy.power_off_after_deploy_failure to leave nodes powered on when a deployment fails. This is useful for troubleshooting deployment issues. As a note, Nova will still attempt to delete a node after a failed deployment, so deploy.power_off_after_deploy_failure may not be very effective in non-standalone deployments until a similar patch to ironic’s driver in nova is proposed.
  • This adds the reboot_requested option for in-band cleaning. If set to true, Ironic will reboot the node after that step has completed and before continuing with the next step. This option is useful for when some action, such as a BIOS upgrade or setting change, requires a reboot to take effect.
  • It is now possible to configure the notifications to use a different transport URL than the RPCs. These could potentially be completely different message broker hosts (though they don’t need to be). If the notification-specific configuration is not provided, the notifier will use the same transport as the RPCs.
  • Added support for JBOD volumes in RAID configuration.
  • A new configuration option, shred_final_overwrite_with_zeros is now available. This option controls the final overwrite with zeros done on all block devices for a node under cleaning. This feature was previously always enabled and not configurable. This option is only used when a block device could not be ATA Secure Erased.
  • Adds the ability for node vendor passthru methods to use shared locks. Default behavior of always acquiring an exclusive lock for node vendor passthru methods is unchanged.

Upgrade Notes

  • A new configuration option [deploy]continue_if_disk_secure_erase_fails, which has a default value of False, has been added. The default setting represents the standard behavior of the Ironic Python Agent during a cleaning failure.
  • Fixed Mitaka ironic python agent ramdisk iSCSI deploy compatibility with newer versions of ironic by logging the warning and retrying the deploy if wiping root disk metadata before exposing it over iSCSI fails. If custom iSCSI port is requested, an error clarifying the issue is logged and the operator is requested either to use the default iSCSI portal port, or to upgrade ironic python agent ramdisk to version >= 1.3 (Newton).
  • Removes support for “hexraw” type in the iPXE script (boot.ipxe) since “hexraw” is not supported in older versions of iPXE. “hexhyp” replaced “hexraw” and has been used since kilo.
  • Support for the old ramdisk (“deploy-ironic” diskimage-builder element) was removed. Please switch to IPA before upgrading.
  • Removed the workaround in API allowing removing “instance_uuid” during cleaning. It was only required for Nova during introduction of cleaning.
  • In the configuration group [agent], the following options were deprecated in the Liberty cycle and they have been removed:
    • [agent]/agent_pxe_append_params
    • [agent]/agent_pxe_config_template
  • Remove the deprecated “[conductor]/clean_nodes” option. Configuration files should instead use the “[conductor]/automated_clean” option.
  • In the config section [agent] two config options were deprecated in the Liberty cycle and they have been removed. The options were named:
    • [agent]/agent_erase_devices_priority
    • [agent]/agent_erase_devices_iterations
  • Removes support for the deprecated “discoverd” group for inspection options. Configuration files should use the “inspector” group instead.
  • Removes the deprecated decorator “driver_periodic_task”, Drivers should use the “periodics.periodic” decorator from the futurist library instead.
  • Removes support for the “message” attribute from the “IronicException” class. Subclasses of “IronicException” should instead use the “_msg_fmt” attribute. This change is only relevant to developers.
  • Removes deprecated option “[agent]/manage_tftp”. Configuration files should instead use the “[agent]/manage_agent_boot” option.
  • Removes the deprecated config option “periodic_interval”.
  • Removes deprecated options “[pxe]/http_url” and “[pxe]/http_root”. Configuration files should instead use “[deploy]/http_url” and “[deploy]/http_root”.
  • The ‘verbose’ configuration option was removed, consequently the “–verbose, -v” parameter from all command lines was also removed. This affects the ironic-api, ironic-conductor, ironic-dbsync, and ironic-rootwrap commands. The verbose config/parameter was originally a shortcut to set the log level to INFO, however the log level has defaulted to INFO since this option was deprecated, so this option was a noop.

Deprecation Notes

  • The [deploy]/erase_devices_iterations config is deprecated and will be removed in the Ocata cycle. It has been replaced by the [deploy]/shred_random_overwrite_iterations config. This configuration option controls the number of times block devices are overwritten with random data. This option is only used when a block device could not be ATA Secure Erased.

Security Issues

  • A critical security vulnerability (CVE-2016-4985) was fixed in this release. Previously, a client with network access to the ironic-api service was able to bypass Keystone authentication and retrieve all information about any Node registered with Ironic, if they knew (or were able to guess) the MAC address of a network card belonging to that Node, by sending a crafted POST request to the /v1/drivers/$DRIVER_NAME/vendor_passthru resource. Ironic’s policy.json configuration is now respected when responding to this request such that, if passwords should be masked for other requests, they are also masked for this request.

Bug Fixes

  • Fixes a bug where Ironic won’t log the request-id during hardware inspection.
  • Fix a problem that caused the bmc_reset() vendor passthru method from the IPMI drivers to be always executed as “warm”.
  • This fixes the issue of RAID interface not being supported in iscsi_ilo driver.
  • A bug has been corrected where a node’s current clean_step was not purged upon that node timing out from a CLEANWAIT state. Previously, this bug would prevent a user from retrying cleaning operations. For more information, see https://bugs.launchpad.net/ironic/+bug/1590146.
  • Correct api version check conditional for node.name to address an issue that we could set node name to ‘’ using API version lower than 1.5, where node names were introduced.
  • Fixes a problem which causes the conductor to error out on startup in case there’s a duplicated entry in the enabled_drivers configuration option.
  • Remove the possibility to set incorrect node name by specifying multiple add/replace operations in patch request. Since this version, all the values specified in the patch for name are checked, in order to conform to JSON PATCH RFC https://tools.ietf.org/html/rfc6902.
  • Fixed the default value of ‘port’ in iscsi_deploy.get_deploy_info to be set to [iscsi]/portal_port option value, instead of hardcoding it to ‘3260’.
  • Fixes an issue where iLO drivers fail to download the firmware file from swift when the swift file path includes swift pseudo folder.
  • This fixes InvalidMAC exception of iRMC out-of-band inspection.
  • Fixed a VirtualBox issue that Ironic fails to set VirtualBox VM’s boot device when it is powered on. This bug causes two problems 1. VirtualBox cannot deploy VMs in local boot mode. 2. Ironic fails to set boot device when VirtualBox VMs is powered on and also fails to get the correct boot device from Ironic API call when VMs is powered on.
  • A bug was identified in the behavior of the iLO drivers where nodes that are not active but taking part of a conductor takeover could be powered off. In preparation for new features and functionality, that risk encountering this bug, we are limiting the deployment preparation steps to the deploying state to prevent nodes from being erroneously powered off.
  • Fixed performance issue for ‘ironic.nova.compute.ClusteredComputeManager’ when during Nova instance termination resources were updated for all Nova hypervisors.
  • Fixes a problem which allowed nodes to be named with some reserved words that are implicitly not allowed due the way the Ironic API works. The reserved words are “maintenance”, “management”, “ports”, “states”, “vendor_passthru”, “validate” and “detail”.
  • Some nodes’ console may be enabled but the corresponding console services stopped while starting conductors, this tries to start consoles on conductor startup to make the status consistent.
  • Fixed a bug that was causing grub installation failure. If the disk was already coming with a partition table, the conductor was not able to wipe it properly and the new partition table would conflict with the old one. The issue was only impacting new nodes and installations with automated_clean disabled in the configuration. A disk instance without preserve_ephemeral is now purged before new deployment. See https://bugs.launchpad.net/ironic-lib/+bug/1550604

Other Notes

  • When a node is enrolled into ironic, upon transition to the manageable state, the current power state of the node is recorded. Once the node is adopted and in an active state, that recorded power state will be enforced by ironic unless an operator changes the power state in ironic. This was the default behavior of ironic prior to the adoption feature.
  • Adopt oslo-config-generator to generate sample config files. New config options from Ironic code should register with ironic/conf/opts.py. New external libraries should register with tools/config/ironic-config-generator.conf. A deprecated option should add a deprecated group even if it didn’t alter its group, otherwise the deprecated group will use ‘DEFAULT’ by default.
  • Do not show DEBUG logging from keystoneauth and keystonemiddleware by default.
  • Log eventlet.wsgi.server events with a proper logger name and ignore DEBUG logging by default.
  • Add Neutron port_setup_delay configuration option. This delay allows Ironic to wait for Neutron port operations until we have a mechanism for synchronizing events with Neutron. Set to 0 by default.
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.