Ocata Series (5.0.0 - 5.0.x) Release Notes¶
5.0.2-8¶
Security Issues¶
Fixes insufficient input filtering when looking up a node by information from the introspection data. It could potentially allow SQL injections via the
/v1/continue
API endpoint. See story 2005678 for details.
5.0.1¶
Bug Fixes¶
Exception CalledProcessError is raised when running iptables cmd on start up. The issue is caused by eventlet bug, see: https://github.com/eventlet/eventlet/issues/357 The issue affects ironic-inspector only if it manages firewall - configured with
manage_firewall = True
configuration option.
Do not fail the whole introspection due to a value formatting error during introspection rules rollback. See bug 1686942 for an example and detailed investigation.
5.0.0¶
New Features¶
Extend the introspection status returned from
GET@/v1/introspection/<Node Id>
to contain theuuid
,started_at
andfinished_at
fields.
Add a plugin to parse raw LLDP Basic Management, 802.1, and 802.3 TLVs and store the data in Swift.
Add an API endpoint for listing introspection statuses. Operators can use this to get the status for all running or previously run introspection processing.
Introduce a new configuration option
api_max_limit
that defines the maximum number of items per page when API results are paginated.
InfiniBand interface discovery is now supported through introspection. The ironic-inspector will add the client-id to the corresponding ironic port that represents the InfiniBand interface. The ironic-inspector should be configured with a list of interfaces
firewall.ethoib_interfaces
to indicate which Ethernet Over InfiniBand Interfaces are used for DHCP.
Node introspection state is now kept in a dedicated database column. The introspection is now using a finite state machine. The state isn’t exposed to the user yet.
Adds support for using operators with the root device hints mechanism. The supported operators are
=
,==
,!=
,>=
,<=
,>
,<
,s==
,s!=
,s>=
,s>
,s<=
,s<
,<in>
,<all-in>
and<or>
.
Looking up nodes during introspection or discovery now supports multiple attributes matching. For example, two nodes can use the same
bmc_address
and still can be distinguished by MAC addresses.
Avoid failing introspection on diskless nodes. The node property
local_gb == 0
is set in that case.
Known Issues¶
Due to the nature of the NodeInfo.state attribute (being updated independently from the rest of the node_info attributes) if a (DB) connection was lost before the Node.state column was updated, Node.finished_at and Node.error columns may not be in sync with the Node.state column.
Upgrade Notes¶
Add a new dependency,
pytz
.
A database migration is required to change some columns from Float to DateTime type. This may take some time based on the number of introspection statuses in DB.
Removed previously deprecated authentication options from “ironic”, “swift”, and “keystone_authtoken” sections.
Removed long deprecated support for “discoverd” section in configuration file.
The default value for the configuration option “introspection_delay_drivers” was changed to
.*
, which means that by default “introspection_delay” is now applied to all drivers. Set “introspection_delay” to 0 to disable the delay.
Node.state and Node.version_id database columns are introduced.
The introspection state column defaults to the state
finished
unless the introspection error column value on a node row isn’t null, then node state is set toerror
.
Uniqueness of a node
bmc_address
isn’t enforced any more.
The primary key of the
attributes
table is relaxed from theattributes.name, attributes.value
column pair to a new columnattributes.uuid
.
Deprecation Notes¶
The configuration option “log_bmc_address” is deprecated.
Support for setting IPMI credentials via ironic-inspector is deprecated and will be removed completely in Pike. A new API version 1.9 was introduced with this feature de-activated. For reasoning see https://bugs.launchpad.net/ironic-python-agent/+bug/1654318.
The configuration option “introspection_delay_drivers” is deprecated.
Bug Fixes¶
Change database columns
started_at
andfinished_at
to type DateTime from type Float so that timestamps fit into these columns correctly.
Fix bug where periodic clean up failed with DBDeadlock if introspection timed out.
Ensure the configuration options
firewall.firewall_update_period
andclean_up_period
are applied to theperiodic_clean_up
andperiodic_update
tasks after the config file is read.
LLC hook now formats the chassis ID and port ID MAC addresses into Unix format as expected by ironic.
LLC hook ensures that correct port information is passed to the patch_port function
LLC hook no longer assumes all inspected ports are added to ironic
Loopback BMC addresses (useful e.g. with virtualbmc) are no longer used for lookup.
Introspection fails on nodes with the same IPMI address but different IPMI ports.
Other Notes¶
Default API version is temporary pinned to 1.8 (before deprecating setting IPMI credentials). It will be reset to the latest version again when support for setting IPMI credentials is removed.