2024.1 Series (11.8.0 - 12.1.x) Release Notes
12.1.0-3
Bug Fixes
Fixes memory leak with openstacksdk 2.0 and newer. This version requires connections to be explicitly closed, otherwise they stay in memory forever.
12.0.0
Upgrade Notes
The legacy Role Based Access Control policy used by ironic-inspector has been disabled by default. The end result of this is that the legacy baremetal_admin and baremetal_observer roles are no longer enabled by default. System-scoped access can be utilised to connect to the ironic-inspector service, or alternatively a user with an admin or service role.

The Ironic project does not anticipate any issues with this change, as the ironic-inspector service is a service for the system itself. That being said, if the operator-deployed configuration is reliant upon the deprecated roles, configuration changes will be required.

This change is a result of the new policy which was introduced as part of the Consistent and Secure RBAC community goal and the underlying [oslo_policy] enforce_scope and [oslo_policy] enforce_new_defaults settings being changed to True.

Operators wishing to revert to the old policy configuration may do so by setting the following values in ironic-inspector.conf:

    [oslo_policy]
    enforce_new_defaults=False
    enforce_scope=False

Operators who revert the configuration are encouraged to make the necessary changes to their configuration, as the legacy RBAC policy will be removed at some point in the future. Please review 2024.1-Release Timeline. Failure to do so may force operators to craft custom policy override configuration.
Bug Fixes
If the LLDP raw data collected by the inspection process includes non-UTF-8 information, the parser fails, breaking the inspection process. This patch works around that by excluding the malformed data and adding an entry in the logs to provide information on the failed TLV.
Fixes the Role Based Access Control state and capabilities to align with OpenStack Community RBAC goals, which includes support for a service role by default to enable inter-service communication to be configured without an admin username. In large part, these changes were missed as the Inspector service is considered an “admin-only” service.

Also in alignment with overall community position changes, the admin role is sufficient without an explicit system scope. To help ensure a high level of security, explicit testing was also added for the manager role, which is unavailable as that role is reserved for administrative functions inside of a tenant’s project.
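
The behaviour described in the LLDP bug fix above (exclude the malformed TLV, log it, keep going), sketched as an added example that is not ironic-inspector's own code. The names iter_tlvs, parse_text_tlvs, tlv and SAMPLE are hypothetical, and the input is assumed to be the raw LLDPDU bytes rather than whatever form the inspection data actually stores.

```python
import logging
import struct

LOG = logging.getLogger(__name__)
# LLDP TLV types whose value is a text string (IEEE 802.1AB).
TEXT_TLVS = {4: "port_description", 5: "system_name", 6: "system_description"}


def iter_tlvs(frame: bytes):
    """Yield (type, value) pairs from a raw LLDPDU; stop at End TLV or truncation."""
    offset = 0
    while offset + 2 <= len(frame):
        (header,) = struct.unpack_from("!H", frame, offset)
        tlv_type, length = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
        offset += 2
        if tlv_type == 0:  # End of LLDPDU
            return
        if offset + length > len(frame):
            LOG.warning("Truncated TLV type %d: wants %d bytes", tlv_type, length)
            return
        yield tlv_type, frame[offset:offset + length]
        offset += length


def parse_text_tlvs(frame: bytes) -> dict:
    """Decode text TLVs, excluding (and logging) any that are not valid UTF-8."""
    parsed = {}
    for tlv_type, value in iter_tlvs(frame):
        name = TEXT_TLVS.get(tlv_type)
        if name is None:
            continue
        try:
            parsed[name] = value.decode("utf-8")
        except UnicodeDecodeError as exc:
            # Log the value as hex: LLDP content comes from the neighbouring device.
            LOG.warning("Skipping TLV type %d (%s), not UTF-8: %s; value=%s",
                        tlv_type, name, exc.reason, value.hex())
    return parsed


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV (helper for the constructed sample below)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample: a valid system name, a port description containing a
# stray Latin-1 byte (0xE9), and an End TLV.
SAMPLE = tlv(5, b"switch-01") + tlv(4, b"caf\xe9 uplink") + tlv(0, b"")
```

Calling parse_text_tlvs(SAMPLE) returns only the system name and emits one warning for the port description, so a single bad TLV no longer aborts processing of the rest of the frame.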