Queens Series (6.1.0 - 7.2.x) Release Notes¶
7.2.4¶
Security Issues¶
Fixes insufficient input filtering when looking up a node by information from the introspection data. It could potentially allow SQL injections via the
/v1/continue
API endpoint. See story 2005678 for details.
Bug Fixes¶
Fix starting inspection of node having IPv6 BMC address. Inspection could not be initiated because v6 address was being considered as a hostname. Thus resolving incorrect hostname ended up with blocking error.
7.2.3¶
Bug Fixes¶
Allows the
set-attribute
introspection rule action to acceptNone
as value for a property.
7.2.2¶
Bug Fixes¶
A new rootwrap filter is now included to allow control of the systemd dnsmasq service used by ironic-inspector. This fixes a permission issue when systemctl commands are used as
dnsmasq_start_command
anddnsmasq_stop_command
in the configuration for the dnsmasq pxe filter. See bug 2002818.Note
The filter uses the systemd service name used by the RDO distribution (
openstack-ironic-inspector-dnsmasq.service
).
Fixes issue that can result in introspection failure when a network switch sends incomplete information for LLDP switch_id or port_id. The validation expects these fields when a port is updated, this fix now handles the validation exception.
The
dnsmasq
PXE filter no longer whitelists the MAC addresses of ports deleted from the Bare Metal service. Instead they are blacklisted unless introspection is active or thenode_not_found_hook
is set in the configuration. This ensures that no previously enrolled node accidentally boot the inspection image when no node introspection is active. Bug #2001979.
7.2.1¶
New Features¶
Adds wildcard ignore entry to
dnsmasq
PXE filter. When node introspection is active, or ifnode_not_found_hook
is set in the configuration the ignore is removed from the wildcard entry. This ensures that unknown nodes do not accidentally boot into the introspection image when no node introspection is active.This brings
dnsmasq
PXE filter driver feature parity with theiptables
PXE filter driver, which uses a firewall rule to block any DHCP request on the interface where Ironic Inspector’s DHCP server is listening.
7.2.0¶
Upgrade Notes¶
Adds dependency on the retrying Python library.
Bug Fixes¶
Fixes bug in which the
switch_id
field in a port’slocal_link_connection
can be set to a non-MAC address if the processed LLDP has a value other than a MAC address forChassisID
. The Bare Metal API requires theswitch_id
field to be a MAC address, and will return an error otherwise. See bug 1748022 for details.
Ironic introspection no longer tries to access the Identity service if the
auth_strategy
option is set tonoauth
and theauth_type
option is not set tonone
.
The periodic PXE filter update task now retries fetching port list from the Bare Metal service 5 times (with 1 second delay) before giving up. This ensures that a temporary networking glitch will not result in the ironic-inspector service stopping.
7.1.0¶
Deprecation Notes¶
Several configuration options related to ironic API access are deprecated and will be removed in the Rocky release. These include:
[ironic]/os_region
- use[ironic]/region_name
option instead[ironic]/auth_strategy
- set[ironic]/auth_type
option tonone
to access ironic API in noauth mode[ironic]/ironic_url
- use[ironic]/endpoint_override
option to set specific ironic API endpoint address if discovery of Ironic API endpoint is not desired or impossible (for example in standalone mode)[ironic]/os_service_type
- use[ironic]/service_type
option[ironic]/os_endpoint_type
- use[ironic]/valid_interfaces
option to set Ironic endpoint types that will be attempted to be used
Several configuration options related to Swift API access are deprecated and will be removed in Rocky release. These include:
[swift]/os_service_type
- use[swift]/service_type
option[swift]/os_endpoint_type
- use[swift]/valid_interfaces
option[swift]/os_region
- use[swift]region_name
option
Other Notes¶
The sample configuration file located at
example.conf
and the sample policy file located atpolicy.yaml.sample
were removed in this release, as they are now published with documentation. See the sample configuration file and the sample policy file.