2025.1 Series Release Notes

29.0.5-1

Bug Fixes

  • Fixes a security issue, identified in bug 2148307, where users of the anaconda deployment interface could supply a malicious template. The conductor process now sandboxes all jinja2 rendering operations.
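
    The following is an added illustration of the mitigation described above; it is not Ironic's code. It renders a constructed, user-controlled template string once in a plain jinja2 Environment and once in jinja2's SandboxedEnvironment, which refuses access to private attributes. The environment is created with StrictUndefined, an assumption made for this example, because with jinja2's default Undefined a blocked attribute quietly renders as an empty string instead of raising SecurityError. The template strings and function names are constructed for the example.

    ```python
    from jinja2 import Environment, StrictUndefined
    from jinja2.exceptions import SecurityError
    from jinja2.sandbox import SandboxedEnvironment


    def render_sandboxed(template_src, **params):
        """Render user-controlled template text inside jinja2's sandbox.

        SandboxedEnvironment refuses attribute access to names starting with an
        underscore and to callables it considers unsafe. StrictUndefined makes
        that refusal surface as SecurityError rather than as empty output.
        """
        env = SandboxedEnvironment(undefined=StrictUndefined)
        return env.from_string(template_src).render(**params)


    def render_unsandboxed(template_src, **params):
        """Render with a plain Environment; shown only for comparison."""
        env = Environment()
        return env.from_string(template_src).render(**params)


    def sandbox_rejects(template_src, **params):
        """Return True when the sandbox refuses to render the template."""
        try:
            render_sandboxed(template_src, **params)
        except SecurityError:
            return True
        return False


    # Constructed inputs: a benign kickstart-style line, and a template that
    # reaches for a private attribute of one of its own parameters.
    BENIGN = "url --url={{ image_url }}"
    PROBE = "{{ image_url.__class__ }}"

    if __name__ == "__main__":
        print(render_sandboxed(BENIGN, image_url="http://example.test/img"))
        print(render_unsandboxed(PROBE, image_url="x"))  # plain env evaluates it
        print(sandbox_rejects(PROBE, image_url="x"))      # sandbox refuses
    ```

    The benign template renders identically in both environments; only the template that walks off the supplied value into the interpreter's object model is refused, which is the behaviour the release note relies on.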

29.0.5

Bug Fixes

  • [Bug 2135265] Fixes an issue where an exception in one of the inspection hooks when using the agent inspector interface would result in the node not being cleaned up.

  • Performance of Basic HTTP authentication has been improved by keeping a memory cache of bcrypt password checks. This improves the performance of Ironic conductor with JSON-RPC, and API access when using Basic HTTP authentication.

  • Ensures that the directory the bootloader is being copied into exists before attempting the copy.

  • Fixes a race condition where the Redfish power interface could fail with HTTP 400 (BadRequest) or HTTP 409 (Conflict) errors during power operations. These errors are now treated as success when the node is already in the target power state (either on or off), preventing deployment failures when power state changes complete after Ironic’s state verification times out. Also refresh system state to get current power state from BMC instead of using potentially stale cached data.

  • Fixes an issue where the console command passed to socat’s EXEC: address was not quoted, which could have security implications.
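
    As an added example (not Ironic's own console code), this builds the socat EXEC: address with the console command quoted as a single unit via shlex.quote and launches socat from an argument list rather than a shell. It assumes, as socat's quoting rules allow, that a single-quoted command inside an address is taken verbatim, so spaces, commas and quote characters in the command cannot be re-interpreted as address separators or options. The listening address, port and console command are constructed for the example.

    ```python
    import shlex
    import subprocess


    def socat_exec_address(console_cmd):
        """Build the EXEC: address for socat with the command quoted as one unit.

        An unquoted EXEC: command is split on whitespace by socat, and a ','
        in it would start socat's option list, so the command string would be
        re-parsed instead of run verbatim. shlex.quote wraps it in single quotes
        and escapes any single quote inside it.
        """
        return "EXEC:{},pty,stderr".format(shlex.quote(console_cmd))


    def socat_argv(listen_port, console_cmd):
        """argv for launching socat directly (no shell) with the quoted command.

        The TCP listening address is a constructed example, not Ironic's own.
        """
        return [
            "socat",
            "TCP4-LISTEN:{},reuseaddr,fork".format(int(listen_port)),
            socat_exec_address(console_cmd),
        ]


    def start_console_proxy(listen_port, console_cmd):
        """Launch socat from an argument list so no shell interprets the command."""
        return subprocess.Popen(socat_argv(listen_port, console_cmd))


    if __name__ == "__main__":
        # Constructed console command; the awkward characters in the second
        # call show exactly what the quoting protects.
        print(socat_argv(10001, "ipmitool -I lanplus -H bmc.example.test sol activate"))
        print(socat_exec_address("cmd,with comma 'and quote'"))
    ```

    Passing argv as a list to subprocess keeps the outer shell out of the picture entirely; the quoting then only has to satisfy socat's own address parser.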

  • Fixes a security issue where the deprecated configuration molds feature would allow a user invoking molds to request that authorization be sent to a remote endpoint. This user-supplied URL could be a Swift or HTTP URL. When used with HTTP, the feature was explicitly designed around publishing to a file in a limited context with authentication details provided by the conductor, whereas with Swift the impact is greater because the time-limited session token for Ironic’s access to Swift resources could be leaked, captured, and used.

    The configuration molds feature now explicitly checks the Swift endpoint URL and raises an exception when the user-supplied URL does not match the configured Swift endpoint.

    More information can be found in bug 2148317.
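
    The check described above, written as an added example rather than Ironic's implementation: a user-supplied mold URL is accepted only if its scheme, host and port equal the configured Swift endpoint's and its path lies under the endpoint's path, compared component by component. A naive string-prefix test would pass a look-alike host or a sibling account path; the endpoint and candidate URLs below are constructed, and the function and exception names are assumptions for this example.

    ```python
    from urllib.parse import urlsplit


    class InvalidMoldURL(ValueError):
        """Raised when a user-supplied mold URL is not under the configured endpoint."""


    DEFAULT_PORTS = {"http": 80, "https": 443}


    def _split(url):
        """Normalise a URL into (scheme, host, port, path) for comparison."""
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()    # hostname drops userinfo and port
        port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
        return scheme, host, port, parts.path


    def check_swift_mold_url(user_url, swift_endpoint):
        """Return user_url if it lies under swift_endpoint, else raise InvalidMoldURL.

        Scheme, host and port are compared individually, and the path is compared
        on whole path components, so neither a look-alike host such as
        'swift.example.test.evil.test' nor a path like '/v1/AUTH_projevil'
        matches an endpoint of 'https://swift.example.test:8080/v1/AUTH_proj'.
        """
        u_scheme, u_host, u_port, u_path = _split(user_url)
        c_scheme, c_host, c_port, c_path = _split(swift_endpoint)
        if u_scheme not in DEFAULT_PORTS:
            raise InvalidMoldURL("unsupported scheme %r" % u_scheme)
        if (u_scheme, u_host, u_port) != (c_scheme, c_host, c_port):
            raise InvalidMoldURL("%s is not on the configured Swift endpoint" % user_url)
        base = c_path.rstrip("/")
        if not (u_path == base or u_path.startswith(base + "/")):
            raise InvalidMoldURL("%s is outside the configured Swift path" % user_url)
        return user_url


    def is_swift_mold_url_allowed(user_url, swift_endpoint):
        """Boolean form of the check, convenient for tests and logging."""
        try:
            check_swift_mold_url(user_url, swift_endpoint)
        except ValueError:          # InvalidMoldURL, or a malformed port
            return False
        return True


    if __name__ == "__main__":
        # Constructed endpoint and candidate URLs.
        endpoint = "https://swift.example.test:8080/v1/AUTH_proj"
        for candidate in (
            "https://swift.example.test:8080/v1/AUTH_proj/molds/node1.json",
            "https://swift.example.test.evil.test:8080/v1/AUTH_proj/molds/node1.json",
            "https://swift.example.test:8080/v1/AUTH_projevil/molds/node1.json",
            "http://swift.example.test:8080/v1/AUTH_proj/molds/node1.json",
        ):
            print(candidate, "->", is_swift_mold_url_allowed(candidate, endpoint))
    ```

    Comparing the port explicitly matters as well: an endpoint on 8080 and a candidate that omits the port (implicitly 443) are different listeners and are rejected.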

  • Fixes an issue where disable_ramdisk could bypass API validation when supplied via a runbook because validation happened before runbook resolution.

  • Fixes an issue with the redfish firmware updates attached to the management interface where firmware updates performed as part of the SERVICE steps workflow could end up stuck in service wait. This issue has been corrected and the nodes should now properly have their state checked. For more information, please consult bug 2136895.

  • Fixed an issue in the Redfish management driver where boot device setting failed for vendors requiring full boot parameter requests (such as American Megatrends International, ASRock Rack, and Redfish compatible systems). The driver was incorrectly using a parameter that could be None, but these vendors require explicit values for all boot parameters. This fix ensures that vendors in VENDORS_REQUIRING_FULL_BOOT_REQUEST always receive explicit boot configuration values, resolving boot device configuration failures on affected systems.

  • Fixes storage of inventory and plugin data in Swift. Previously, the data was not stored as JSON, which meant that it was stored in an odd format with some of the fields missing.

  • The flat network driver now raises NetworkError when rebind operations fail to bind any VIFs, instead of silently continuing. This prevents unexpected behavior when all port bindings fail during node rebind.

  • Extremely large instance images, post eventlet removal, were causing CPU spikes and the conductor process to hang while the image was being fetched and validated. This optimizes the instance fetch and validation in two ways: first, we now calculate the image checksum while the file is being fetched instead of as a separate step. Second, we were, in some cases, using the default chunk size of 128 bytes during downloads. Now, we use a more standard and reasonable value of 1 megabyte.
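
    An added example of both changes described above, not Ironic's image service code: the image is copied in one pass with the hash updated per chunk, and a counting reader makes the effect of the chunk size visible. The data is constructed in memory and stands in for an HTTP response body; the function names, the CountingReader class and the use of SHA-256 are assumptions for this example.

    ```python
    import hashlib
    import hmac
    import io

    CHUNK_SIZE = 1024 * 1024   # 1 MiB per read, rather than a 128-byte default


    class ChecksumMismatch(Exception):
        """The fetched image did not hash to the expected value."""


    def fetch_hashing(source, dest, chunk_size=CHUNK_SIZE, algorithm="sha256"):
        """Copy source to dest in one pass, hashing each chunk as it is written.

        Returns (bytes_copied, hexdigest). The hash sees exactly the bytes that
        reach dest, so no second pass over the file is needed afterwards.
        """
        digest = hashlib.new(algorithm)
        total = 0
        while True:
            chunk = source.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)
            dest.write(chunk)
            total += len(chunk)
        return total, digest.hexdigest()


    def fetch_and_verify(source, dest, expected_hexdigest, chunk_size=CHUNK_SIZE,
                         algorithm="sha256"):
        """fetch_hashing plus a constant-time comparison with the expected digest."""
        total, actual = fetch_hashing(source, dest, chunk_size, algorithm)
        if not hmac.compare_digest(actual, expected_hexdigest.lower()):
            raise ChecksumMismatch("expected %s, got %s" % (expected_hexdigest, actual))
        return total, actual


    class CountingReader:
        """In-memory stand-in for an HTTP response body that counts read() calls."""

        def __init__(self, data):
            self._buf = io.BytesIO(data)
            self.read_calls = 0

        def read(self, size=-1):
            self.read_calls += 1
            return self._buf.read(size)


    def stream_digest(data, chunk_size):
        """Hash constructed bytes through fetch_hashing; returns (hexdigest, read_calls)."""
        src = CountingReader(data)
        _, digest = fetch_hashing(src, io.BytesIO(), chunk_size)
        return digest, src.read_calls


    def verify_bytes(data, expected_hexdigest, chunk_size=CHUNK_SIZE):
        """Run fetch_and_verify over constructed bytes; returns (total, hexdigest)."""
        return fetch_and_verify(CountingReader(data), io.BytesIO(),
                                expected_hexdigest, chunk_size)


    def verifies(data, expected_hexdigest, chunk_size=CHUNK_SIZE):
        """True if the constructed bytes match the expected digest."""
        try:
            verify_bytes(data, expected_hexdigest, chunk_size)
        except ChecksumMismatch:
            return False
        return True


    if __name__ == "__main__":
        image = b"\x00" * (3 * 1024 * 1024 + 5)    # constructed 3 MiB image
        print("128-byte chunks:", stream_digest(image, 128)[1], "read calls")
        print("1 MiB chunks:  ", stream_digest(image, CHUNK_SIZE)[1], "read calls")
    ```

    For the constructed 3 MiB image the 128-byte chunk size costs over twenty-four thousand read calls against five at 1 MiB, which is where the CPU time went; the digest is the same either way.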

  • Avoid an unhandled exception in the local_link_connection inspection hook which would cause inspection to fail instead of skipping past missing ports as originally intended.

  • Improved Redfish compatibility with ASRock Rack servers by updating how boot mode and boot device settings are applied.

    Previously, calls to set_boot_device and set_boot_mode only included minimal parameters (e.g., BootOverrideTarget and BootOverrideMode), which were insufficient for certain vendor implementations like ASRockRack.

    This fix updates the Redfish driver to send the full payload, including BootSourceOverrideEnabled, BootSourceOverrideTarget, BootSourceOverrideMode, ensuring better compliance and reliability on these platforms.

  • Report a better error message than a KeyError when there are no interfaces in the inspection data when running the validate-interfaces inspection hook.

Other Notes

  • Adds an additional vendor value to VENDORS_REQUIRING_FULL_BOOT_REQUEST. This is because some recognised vendors, e.g. Lenovo, use various BMCs for their hardware, some of which require a full boot request; in such cases the vendor can now be changed to redfish_compatible.

29.0.4

Bug Fixes

  • When caching an image between different file systems, the hard link operation would fail. This is fixed by falling back to a copy operation.

  • Fixes schema validation by raising formatting and schema errors early during inspection rule creation, updates and execution.

  • Adds support for standard comparison operators (le, ge, ne) to extend inspection rules capabilities for common logical conditions.

  • Fixed the HttpImageService.validate_href() ImageRefValidationFailed exception raised when the protocol is HTTP/HTTPS and the HTTP response is a redirection other than 301 (MOVED_PERMANENTLY). The HTTP/HTTPS protocol is often used under a standalone Ironic configuration to identify an image source (e.g. --instance-info image_source=<URI>). The HTTP server may use redirection to load balance or geographically distribute the requests, or simply to point to the correct URL. The redirection may vary from 301 (MOVED_PERMANENTLY) to 302 (FOUND), 307 (TEMPORARY_REDIRECT), or 308 (PERMANENT_REDIRECT).

  • Fixes deploying OCI artifacts uploaded by ORAS to Quay.io (and potentially other registries) as a single manifest.

29.0.3

New Features

  • Adds support for unprovisioning a node in the service wait state via the delete provision action.

Bug Fixes

  • In the redfish inspector, use a condition to control whether the pxe_enabled field of a port is updated during inspection. [inspector]update_pxe_enabled is used to control this so it behaves like all other inspection interfaces. The default value for this configuration is True.

  • Fixes an issue with agent startup where the workflow from the first agent heartbeat interaction could fail due to a transient networking issue leaving the Agent and Ironic in a state where the node cannot be deployed and continues to record errors upon each additional heartbeat operation. Logic to check the state of the agent has been adjusted to ignore retry operations which were recorded by the agent. More information on this issue can be found in bug 2110698.

29.0.2

Security Issues

  • Fixes OSSA-2025-001, where Ironic did not properly filter file:// paths when used as image sources. This would permit any file accessible by the conductor to be used as an image to attempt deployment.

    Adds CONF.conductor.file_url_allowed_paths, an allowlist configuration defaulting to /var/lib/ironic, /shared/html, /opt/cache/files, /vagrant, and /templates, which permits operators to further restrict where the conductor will fetch images from when provided a file:// URL. This default value was chosen based on known usage by projects downstream of Ironic, including Metal3, Bifrost, and OpenShift. These defaults may change to be more restrictive at a later date. Operators using file:// URLs are encouraged to explicitly set this value even if the current default is sufficient. Operators wishing to fully disable the ability to deploy with a file:// URL should set this configuration to “” (empty).

    Operators wishing to restore the original insecure behavior should set CONF.conductor.file_url_allowed_paths to /. Take note that in the 2025.2 release and later, /dev, /sys, /proc, /run, and /etc will be unconditionally blocked as a security measure.

    This issue only poses a significant security risk when Ironic’s automated cleaning process is disabled and the service is configured in such a way that permits direct deployment by an untrusted API user, such as standalone Ironic installations or environments granting ownership of nodes to projects.
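
    The allowlist check described above, as an added example rather than Ironic's implementation: the file:// path is percent-decoded and canonicalised with os.path.realpath before being compared, component-wise, against the note's default allowlist, with the directories the note says will be unconditionally blocked from 2025.2 taking precedence. The function names and the "localhost" handling are assumptions for this example; the default and blocked path lists are the ones given in the note.

    ```python
    import os
    from urllib.parse import unquote, urlsplit

    # Default allowlist from the release note, and the directories it says will
    # be unconditionally blocked from 2025.2 onwards.
    DEFAULT_ALLOWED_PATHS = ["/var/lib/ironic", "/shared/html", "/opt/cache/files",
                             "/vagrant", "/templates"]
    ALWAYS_BLOCKED_PATHS = ["/dev", "/sys", "/proc", "/run", "/etc"]


    class FileURLNotAllowed(Exception):
        """The file:// URL resolves outside the allowed directories."""


    def parse_allowed_paths(config_value):
        """Turn a comma-separated option value into a list; "" means no file:// at all."""
        return [p.strip() for p in config_value.split(",") if p.strip()]


    def _is_under(path, directory):
        """True if path equals directory or lies inside it, comparing whole components."""
        directory = os.path.realpath(directory)
        if directory == "/":
            return True
        return path == directory or path.startswith(directory + "/")


    def resolve_file_url(url, allowed_paths=DEFAULT_ALLOWED_PATHS,
                         blocked_paths=ALWAYS_BLOCKED_PATHS):
        """Return the canonical filesystem path for a file:// URL, or raise.

        realpath resolves '..' segments and symlinks before the allowlist is
        consulted, and the comparison is on whole path components, so
        '/var/lib/ironic-evil' does not match '/var/lib/ironic'. Blocked paths
        win over the allowlist, which is what makes allowed_paths=['/'] restore
        the old behaviour for everything except those directories.
        """
        parts = urlsplit(url)
        if parts.scheme != "file":
            raise ValueError("not a file:// URL: %r" % url)
        if parts.netloc not in ("", "localhost"):
            raise FileURLNotAllowed("remote host in file URL: %r" % url)
        path = os.path.realpath(unquote(parts.path))
        if any(_is_under(path, b) for b in blocked_paths):
            raise FileURLNotAllowed("%s is under a blocked directory" % path)
        if not any(_is_under(path, a) for a in allowed_paths):
            raise FileURLNotAllowed("%s is outside file_url_allowed_paths" % path)
        return path


    def is_file_url_allowed(url, allowed_paths=DEFAULT_ALLOWED_PATHS):
        """Boolean form of resolve_file_url for tests and logging."""
        try:
            resolve_file_url(url, allowed_paths)
        except (FileURLNotAllowed, ValueError):
            return False
        return True


    if __name__ == "__main__":
        # Constructed URLs exercising the default allowlist.
        for candidate in (
            "file:///var/lib/ironic/images/x.qcow2",
            "file:///var/lib/ironic/../../../etc/passwd",
            "file:///var/lib/ironic-evil/x.qcow2",
            "file:///home/user/x.qcow2",
        ):
            print(candidate, "->", is_file_url_allowed(candidate))
    ```

    Canonicalising the allowlist entries with realpath as well keeps the comparison consistent on hosts where an allowed directory is itself a symlink.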

29.0.1

New Features

  • If allow_image_access_via_auth_token is set to True, Ironic allows access to Glance images if an auth_token is present in the request context.

Upgrade Notes

  • In this release, the default value of allow_image_access_via_auth_token has been changed to True. This enables Ironic to access Glance images when an auth token is present in the request context.

    This change was backported from the master branch but with a modified default value for this stable release. OpenStack integrated operators should ensure images for Ironic use are using image visibility “public” or “community” for the most reliable results.

Bug Fixes

  • Fixes loop functionality to align more closely with the spec where, with loop present, args reference loop items using ‘{item}’ placeholder to support direct array iteration; plus, separately handle list and dict loop item types.

29.0.0

New Features

  • Adds a bootc deploy interface which can be enabled by an Ironic deployment administrator, which can then enable users of the bootc deploy interface to have a streamlined path for the deployment of bootc supporting container images to a host directly, without additional intermediate steps. More information about bootc can be found on the bootc website.

  • Adds support for OCI Container Registries for the retrieval of deployment artifacts and whole-disk images to be written to a remote host.

  • If ignore_project_check_for_admin_tasks is set to True, the system will check if the requester is an admin for verifying image availability, bypassing the project check for administrative tasks.

  • Adds the capability for Ironic’s conductor to detect Zstandard compressed content and to automatically decompress the files to enable image format detection and conversion.

    This is because Zstandard compression of artifacts stored in container registries is a popular practice; the automatic decompression can be disabled using the [conductor]disable_zstandard_decompression configuration option.

  • A new entry point ironic.console.container is added to determine how console containers are orchestrated when ironic.conf [vnc]enabled=True. By default the fake provider is specified by [vnc]container_provider which performs no orchestration. The only functional implementation included is systemd which manages containers as Systemd Quadlet containers. These containers run as user services and rootless podman containers. Having podman installed is also a dependency for this provider. See ironic.conf [vnc] options to see how this provider can be configured.

    The systemd provider is opinionated and will not be appropriate for some Ironic deployment methods, especially those which run Ironic inside containers. External implementations of ironic.console.container are encouraged to integrate with other deployment / management methods.

  • New console drivers redfish-graphical and fake-graphical have been added. This allows the graphical console to be accessed for Dell iDRAC, HPE iLO, and Supermicro hosts. The fake-graphical driver is useful for demonstrating the full integration of ironic-novncproxy and the systemd provider of ironic.console.container.

  • A new service ironic-novncproxy has been added which allows the graphical console of a host to be presented in a NoVNC web browser interface. A host requires a supported console driver for its graphical console to be accessed.

  • Adds support for unprovisioning a node in the service failed state via the delete provision action.

  • When ironic.conf [vnc]read_only=True is set, keyboard and mouse events will not be passed to the console.

Upgrade Notes

  • If graphical console support is required, the ironic-novncproxy service needs to be started and managed. Graphical console specific options need to be set in the [vnc] section of ironic.conf.

  • Remove unused and (pre-Rocky release) deprecated token parameter from the DHCP driver interface method.

Deprecation Notes

  • Use of the console driver ipmitool-shellinabox has been deprecated and will be removed in a future release of Ironic. This decision was reached with the reality that the fork of shellinabox appears abandoned with no changes in 7 years and open issues to call for the project to hand over maintainership.

Bug Fixes

  • When changing from glanceclient to the OpenStack SDK to communicate with Glance, a bug was introduced in reading image properties, causing the Anaconda deploy interface to be unable to use Glance images. Other deploy interfaces continued to function but could have had some properties not take effect. See bug 2099275 for more details.

  • Fixes the identification of physical network segment mapping so a virtual interface (VIF) which has already been mapped to a physical network segment can be identified.

  • Fixes an issue where restarting the conductor service could not recover a node stuck in the servicing state.

  • Some vendors insist that floppy images must be 1440 KiB in size and that the file name ends with .img. Make it so.

  • Includes the agent token parameter in get command status requests as the endpoint now requires authentication.

  • Log non-recoverable secure boot status check failures at INFO level.