Xena Series (8.0.0 - 8.2.x) Release Notes

8.2.3-4

Security Issues

  • Ironic-Python-Agent versions prior to the 2023.1 release are vulnerable to CVE-2024-44082, tracked in bug 2071740 (https://bugs.launchpad.net/bugs/2071740). Deployers of Ironic versions Zed or older must apply the CVE-2024-44082 fixes to their Ironic environment and leave [conductor]/conductor_always_validates_images set to True (the default for all releases Zed and older). This ensures the conductor performs the security check on the image, because Ironic-Python-Agent will not.
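
One way to audit the setting named above, as an added example that is not part of the Ironic project's code. The function name and the sample configuration text are constructed for illustration, and the check reads only the configuration: it cannot tell whether the CVE-2024-44082 fixes are installed.

```python
import configparser

SECTION = "conductor"
OPTION = "conductor_always_validates_images"

# Constructed sample ironic.conf contents (not from a real deployment).
CONF_EXPLICIT_OFF = """
[DEFAULT]
debug = False

[conductor]
conductor_always_validates_images = False
"""
CONF_UNSET = "[conductor]\nautomated_clean = True\n"


def audit_image_validation(conf_text):
    """Return (ok, detail) for the conductor image validation setting.

    ok is True when the conductor will validate images itself, which is
    what the note above requires for Ironic Zed and older.
    """
    # interpolation=None: treat '%' and '$' in values as literal text.
    # strict=False: tolerate repeated keys in the file.
    # default_section: stop configparser from copying [DEFAULT] keys into
    # every section, so only an explicit [conductor] entry is considered.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__"
    )
    parser.read_string(conf_text)
    if not parser.has_option(SECTION, OPTION):
        # Per the note above, True is the default for Zed and older.
        return True, "unset: default of True applies"
    raw = parser.get(SECTION, OPTION)
    try:
        enabled = parser.getboolean(SECTION, OPTION)
    except ValueError:
        return False, f"unparseable value {raw!r}"
    return enabled, f"explicitly set to {raw}"


if __name__ == "__main__":
    for name, text in (("explicit", CONF_EXPLICIT_OFF), ("unset", CONF_UNSET)):
        print(name, audit_image_validation(text))
```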

Bug Fixes

  • Fixes UEFI NVRAM record handling with efibootmgr so that UTF-16 encoded data is accepted and handled. Such data is to be expected, because UEFI NVRAM records are UTF-16 encoded.

  • Fixes handling of UEFI NVRAM records to allow for unexpected characters in the response, so it is non-fatal to Ironic.

  • Fixes, or at least lessens, the case where a running Ironic agent can stack up numerous lookup requests against an Ironic deployment when a node is locked. In particular, this is because the lookup also drives generation of the agent token, which requires the conductor to allocate a worker, generate the token, and return the result to the API client. Ironic’s retry logic will now wait up to 60 seconds, and if an HTTP Conflict (409) message is received, the agent will automatically pause lookup operations for thirty seconds, as opposed to continuing to attempt lookups, which could needlessly create more work for the Ironic deployment.

8.2.2

Known Issues

  • Creating a configdrive partition on a devicemapper device (e.g. a multipath storage device) with MBR partitioning may fail with the following error:

    Command execution failed: Failed to create config drive on disk /dev/dm-0
    for node 168af30d-0fad-4d67-af99-b28b3238e977. Error: Unexpected error
    while running command.
    

    Use GPT partitioning instead.

Bug Fixes

  • Fixes creating a configdrive partition on a devicemapper device (e.g. a multipath storage device) with GPT partitioning. The newly created partition is now detected by a pre-generated UUID rather than by comparing partition numbers.

  • If the CSV file used for the bootloader hint does not have a BOM, reading its content fails because the utf-16 codec is too generic. The agent now fails over to utf-16-le, as Little Endian is mostly used.

  • Fixes configuring UEFI boot when the EFI partition is located on a devicemapper device.

  • Fixes GenericHardwareManager to find network information for bonded interfaces if they exist.

  • Fixes handling of Software RAID device discovery so RAID device Names and Events field values do not inadvertently cause the command to return unexpected output. Previously this could cause a deployment to fail when handling UEFI partitions.

  • Fixes handling of a Partition UUID being returned instead of a Partition’s UUID when the OS may not return the Partition’s UUID in time. These two fields are typically referred to as PARTUUID and UUID, respectively. Often these sorts of issues arise under heavy IO load. We now scan, and identify which “UUID” we identified, and update a Linux fstab entry appropriately. For more information, please see story #2009881.

  • Use efibootmgr instead of grub2-install for software RAID. This fixes an issue with images which include newer versions of grub2-install as they refuse bootloader installations in UEFI boot mode due to the lack of secure boot support.

  • Fixes failures with handling of Multipath IO devices where Active/Passive storage arrays are in use. Previously, “standby” paths could result in IO errors causing cleaning to terminate. The agent now explicitly attempts to handle and account for multipaths based upon the MPIO data available. This requires the multipath and multipathd utilities to be present in the ramdisk. These are supplied by the device-mapper-multipath or multipath-tools packages, and are not required for the agent’s use.

  • Fixes non-ideal behavior when performing cleaning where Active/Active MPIO devices would ultimately be cleaned once per IO path, instead of once per backend device.

  • Fixes discovering WWN/serial numbers for devicemapper devices.

  • Adds a device rescan operation after partitioning the root device to ensure that updated UUIDs are reflected correctly.
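
The bootloader hint CSV fix in the list above, sketched as an added example that is not the agent's own code. The function names and the sample CSV line are constructed; the example shows Python's stream decoder for utf-16 rejecting input without a BOM and the fallback to utf-16-le.

```python
import csv
import io

# Constructed sample: one bootloader hint line, encoded as UTF-16 little
# endian with and without a byte order mark (BOM).
SAMPLE_LINE = "shimx64.efi,Example OS,,This is the boot entry for Example OS\n"
WITH_BOM = b"\xff\xfe" + SAMPLE_LINE.encode("utf-16-le")
WITHOUT_BOM = SAMPLE_LINE.encode("utf-16-le")


def read_bootloader_csv(raw):
    """Decode hint CSV bytes, returning (text, codec_used)."""
    try:
        # When reading a stream, the generic codec relies on the BOM to
        # pick a byte order; without one it raises UnicodeError
        # ("UTF-16 stream does not start with BOM").
        with io.TextIOWrapper(io.BytesIO(raw), encoding="utf-16") as stream:
            return stream.read(), "utf-16"
    except UnicodeError:
        # Fall back to little endian, the byte order the release note
        # describes as mostly used.
        with io.TextIOWrapper(io.BytesIO(raw), encoding="utf-16-le") as stream:
            return stream.read(), "utf-16-le"


def boot_entries(raw):
    """Return (loader, label) pairs from the decoded CSV."""
    text, _codec = read_bootloader_csv(raw)
    rows = csv.reader(io.StringIO(text))
    return [(row[0], row[1]) for row in rows if len(row) >= 2]


if __name__ == "__main__":
    for name, data in (("with BOM", WITH_BOM), ("without BOM", WITHOUT_BOM)):
        print(name, read_bootloader_csv(data)[1], boot_entries(data))
```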

Other Notes

  • The ramdisk logs now contain an lsblk output with all pairs in the new lsblk-full file.

  • The agent will now attempt to collect any multipath path information and upload it to the agent ramdisk, if the tooling is present.

8.2.1

Bug Fixes

  • No longer ignores global TLS configuration options (ipa-insecure, etc) when downloading a configdrive via a URL.

  • No longer ignores error status codes from the server when downloading a configdrive via a URL.

  • The configdrive downloading code now respects the ipa-image-download-connection-timeout option and will no longer hang for a long time if the server does not respond.

  • Fixes a minor issue with the regular expression used for UEFI duplicate entry cleanup which was introduced in a prior change to refactor the cleanup operation to avoid UEFI firmware which treats deletion of entries after addition as an invalid operation.

  • Fixes cases where duplicates may not be found in the UEFI firmware NVRAM boot entry table by explicitly looking for, and deleting, matching labels in advance of creating the EFI boot loader entry.

  • Fixes a race on software RAID creation: since the creation of partitions is asynchronous, we need to wait for all udev events to be processed before we can use the partitions to create an md device.

  • Fixes an issue where partitions are not visible due to an incorrect call to have the partition table re-read.

  • Fixes an issue where partitions are not visible due to an incorrect call to have the partition table re-read during raid configuration creation.

  • Fixes an issue when the EFI partition UUID is not set and an attempt to edit /etc/fstab is made.

  • The configured log file and/or log directory is now always explicitly included in the ramdisk logs.

8.2.0

New Features

  • The introspection now includes the MAC address of the IPMI LAN channel which has a valid IP address and MAC address assigned in the hardware inventory data as bmc_mac.