Current Series Release Notes


New Features

  • The deploy deploy step of the direct deploy interface has been split into three deploy steps:

    • deploy itself (priority 100) boots the deploy ramdisk

    • write_image (priority 80) downloads the user image from inside the ramdisk and writes it to the disk.

    • prepare_instance_boot (priority 60) prepares the boot device and writes the bootloader (if needed).

    Priorities 81 to 99 to be used for in-band deploy steps that run before the image is written. Priorities 61 to 79 can be used for in-band deploy steps that modify the written image before the bootloader is installed.

  • Adds support for running custom in-band deploy steps when provisioning. Step priorities from 41 to 59 can be used for steps that run after the image is written and the bootloader is installed.

Deprecation Notes

  • Running the whole deployment process as a monolithic deploy.deploy deploy step is now deprecated. In a future release this step will only be used to prepare deployment and starting the agent, and special handling will be removed. All third party deploy interfaces must be updated to provide real deploy steps instead and set the has_decomposed_deploy_steps attribute to True on the deploy interface level.

Other Notes

  • As part of the agent deploy interfaces refactoring, breaking changes will be made to implementations of AgentDeploy and ISCSIDeploy. Third party deploy interfaces must be updated to inherit HeartbeatMixin, AgentBaseMixin or AgentDeployMixin from ironic.drivers.modules.agent_base instead since their API is considered more stable.


New Features

  • Adds raid interface for ibmc driver which includes delete_configuration and create_configuration steps.

  • Enable Basic HTTP authentication middleware.

    Having noauth as the only option for standalone ironic causes constraints on how the API is exposed on the network. Having some kind of authentication layer behind a TLS deployment eases these constraints.

    When the config option auth_strategy is set to http_basic then non-public API calls require a valid HTTP Basic authentication header to be set. The config option http_basic_auth_user_file defaults to /etc/ironic/htpasswd and points to a file which supports the Apache htpasswd syntax[1]. This file is read for every request, so no service restart is required when changes are made.

    Like the noauth auth strategy, the http_basic auth strategy is intended for standalone deployments of ironic, and integration with other OpenStack services cannot depend on a service catalog.

    The only password digest supported is bcrypt, and the bcrypt python library is used for password checks since it supports $2y$ prefixed bcrypt passwords as generated by the Apache htpasswd utility.

    To try HTTP basic authentication, the following can be done:

    • Set /etc/ironic/ironic.conf DEFAULT auth_strategy to http_basic

    • Populate the htpasswd file with entries, for example: htpasswd -nbB myName myPassword >> /etc/ironic/htpassw

    • Make basic authenticated HTTP requests, for example: curl --user myName:myPassword http://localhost:6385/v1/drivers


  • Adds a new [ipmi]use_ipmitool_retries option. When set to True and timing is supported by ipmitool, the number of retries and command interval will be passed to ipmitool so that ipmitool will do the retries. When set to False, ironic will do the retries. Default is True.

  • Adds an ability to generate network boot templates even for nodes that use local boot via the new [pxe]enable_netboot_fallback option. This is required to work around the situation where switching boot devices does not work reliably.

  • Adds the ability for Ironic to attach a node to a specific port or portgroup. This is accomplished by having the node vif_attach API accept a port_uuid or portgroup_uuid key within vif_info. If one is specified, then Ironic will attempt to attach to the specified port/portgroup. Specifying both returns an error.

Known Issues

  • Some BMCs do not support the Channel Cipher Suites command that newer versions of ipmitool use. These versions of ipmitool will resend this command for each ipmitool retry, resulting in long response times. Setting [ipmi]use_ipmitool_retries to false will avoid this situation by implementing retries on the ironic level.

  • The SNMP hardware type cannot change boot devices and thus may fail to deploy nodes with local boot. To work around this problem, set [pxe]enable_netboot_fallback to True.

  • Some redfish-enabled hardware is known not to support persistent boot device setting that is used by the Bare Metal service for deployed instances. The redfish hardware type tries to work around this problem, but rebooting such an instance in-band may cause it to boot incorrectly. A predictable boot order should be configured in the node’s boot firmware to avoid issues and at least metadata cleaning must be enabled. See this mailing list thread for technical details.

Upgrade Notes

  • The [conductor]api_url was deprecated and removed, use [service_catalog]endpoint_override instead if required to use a specific ironic api url.

  • The [cinder]url was removed, use [cinder]endpoint_override instead.

  • The [DEFAULT]fatal_exception_format_errors was removed, use [ironic_lib]fatal_exception_format_errors instead.

  • Operators upgrading from earlier versions using PXE should explicitly set [pxe]ipxe_bootfile_name, [pxe]uefi_ipxe_bootfile_name, and possibly [pxe]ipxe_bootfile_name_by_arch settings, as well as a iPXE specific [pxe]ipxe_config_template override, if required.

    Setting the [pxe]ipxe_config_template to no value will result in the [pxe]pxe_config_template being used. The default value points to the supplied standard iPXE template, so only highly customized operators may have to tune this setting.

  • Updates required ibmcclient version for ibmc drivers to 0.2.2.

  • A permission setting has been added for redfish-virtual-media boot interface, which allows for explicit file permission setting when the driver is used. The default for the new [redfish]file_permission setting is ``0u644, or 644 if manually changed using chmod on the command line. Operators may need to check /httpboot/redfish folder permissions if using redfish-virtual-media if they were running the conductor with a specific umask to work around the permission setting defect.

Bug Fixes

  • Instead of increasing timeout when running long synchronous tasks on ironic-python-agent, ironic now runs them asynchronously and polls the agent until completion. It is no longer necessary to account for long-running tasks when setting [agent]command_timeout.

  • Fixes a rare issue where agent successfully powers off a node after deployment, but ironic never learns about it and does another reboot.

  • Fixes deployment in fast-track mode by keeping the required internal fields (agent_url and agent_secret_token) intact when starting and finishing deployment and cleaning.

  • Fixes deleting nodes with maintenance mode on and an allocation present. Previously it caused an internal server error. See story 2007823 for details.

  • Change the default for use_ipmitool_retries to False so that Ironic will do the retries by default. This is needed for certain BMCs that don’t support the Cipher Suites command and ipmitool retries take an excessively long time. See story 2007632 for additional information.

  • Cleans up nodes stuck in the deleting state on conductor restart.

  • Fixes fast-track deployments with the direct deploy interface that used to hang previously.

  • Fixes periodic task initialization options to prevent a negative number. If [conductor]clean_callback_timeout, [conductor]inspect_wait_timeout or [conductor]inspect_wait_timeout have a negative value an error will be triggered.

  • Ironic now does not try to allocate the space needed for instance image conversion to raw format if it is already raw.

  • Addresses the lack of an ability to explicitly set different bootloaders for iPXE and PXE based boot operations via their respective ipxe and pxe boot interfaces.

  • Fixes a bug in “fast track” where Ironic would delete the agent token upon exiting cleaning steps. However, if we are in fast track mode, we can preserve the token and continue operations with the agent as it is not powered off during fast track operations.

  • Fixes a workaround for hardware that does not support persistent boot device setting with the redfish or idrac-redfish management interface implementation. When such situation is detected, ironic falls back to one-time boot device setting, restoring it on every reboot or power on.

    For more information, see story 2007733.

  • Fixes the virtual disks creation by changing PERC H740P controller mode from Enhanced HBA to RAID in delete_configuration clean step. PERC H740P controllers supports RAID mode and Enhanced HBA mode. When the controller is in Enhanced HBA, it creates single disk RAID0 virtual disks of NON-RAID physical disks. Hence the request for VD creation with supported RAID fails due to no available physical disk. This patch converts the PERC H740P RAID controllers to RAID mode if enhanced HBA mode found enabled See bug bug 2007711 for more details

  • Fixes fast track deployment preceeded by managed inspection by providing the ironic API URL to the ramdisk so that it can heartbeat.

  • Fixes the JSON RPC backend potentially hanging on inability to connect to a conductor. The default timeout is now 120 seconds. The timeout and the number of retries can be adjusted via the configuration options [json_rpc]timeout and [json_rpc]connect_retries accordingly.

  • Fixes logic that is applied to port deletions to also consider the presence of a VIF attachment record, which should be removed before attempting to delete the node. Failure to do so can result in erroneous records in the Networking Service.

  • No longer tries to set local_gb to MAX when building RAID with the root disk using MAX for its size.

  • To provide a workaround for incorrect boot order problems on some hardware, the redfish hardware type now supports the noop management interface, similarly to IPMI and SNMP.

  • Rebooting a node with the redfish power interface is now implemented via a power off request followed by power on to avoid returning success when a node stays powered on after the reboot request.

  • Provides a workaround for hardware that does not support persistent boot device setting with the redfish hardware type. When such situation is detected, ironic will fall back to one-time boot device setting, restoring it on every reboot.

  • Fixes an issue where the folder /httpboot/redfish was being created with incorrect permissions.

  • If the disk format of the image is provided in the instance_info, skip the memory check if it is set to raw and raw image streaming is enabled. That allows to stream raw images provided as URL and not through Glance.

Other Notes

  • Ramdisk logs are now collected during cleaning the same way as during deployment.

  • The following configuration options can now be reloaded without restarting ironic:

    From [agent]: memory_consumed_by_agent, stream_raw_images, deploy_logs_*, image_download_source, command_timeout and neutron_agent_poll_interval.

    From [api]: max_limit, public_endpoint and ramdisk_heartbeat_timeout.

    From [conductor]: heartbeat_timeout, force_power_state_during_sync, automated_clean, soft_power_off_timeout, power_state_change_timeout, rescue_password_hash_algorithm and require_rescue_password_hashed.

    From [DEFAULT]: default_resource_class, force_raw_images, parallel_image_downloads, default_portgroup_mode and require_agent_token.

    From [deploy]: enable_ata_secure_erase, erase_devices_priority, erase_devices_metadata_priority, shred_random_overwrite_iterations, shred_final_overwrite_with_zeros, continue_if_disk_secure_erase_fails, disk_erasure_concurrency, power_off_after_deploy_failure, default_boot_option, default_boot_mode, configdrive_use_object_store, fast_track, and fast_track_timeout.

    From [ipmi]: kill_on_timeout, disable_boot_timeout, command_retry_interval, min_command_interval, debug and additional_retryable_ipmi_errors.

    From [iscsi]: portal_port, conv_flags and verify_attempts.

    From [neutron]: port_setup_delay, *_network, *_network_security_groups, request_timeout, add_all_ports and dhcpv6_stateful_address_count.

    From [nova]: send_power_notifications.

    From [pxe]: pxe_append_params, default_ephemeral_format, pxe_config_template, uefi_pxe_config_template, pxe_config_template_by_arch, ip_version and ipxe_use_swift.

    From [redfish]: use_swift, swift_container, swift_object_expiry_timeout and kernel_append_params.