Current Series Release Notes
In Development - Unreleased
New Features
Added a new ‘api-call’ action plugin for Ironic inspection rules.
This action allows triggering an HTTP GET request to a given URL when a rule matches successfully during node inspection. It is useful for integrating with external systems such as webhooks, alerting, or automation tools.
The following options are supported:
url (required): The HTTP endpoint to call
timeout (optional, default: 5): Timeout in seconds
retries (optional, default: 3): Number of retries on failure
backoff_factor (optional, default: 0.3): Delay factor for retry attempts
headers, proxies (optional): Additional request configuration
Retry applies to status codes 429, 500, 502, 503, and 504.
Example rule:
[
  {
    "description": "Trigger webhook after node inspection",
    "actions": [
      {
        "action": "api-call",
        "url": "http://example.com/hook",
        "timeout": 10,
        "retries": 5,
        "backoff_factor": 1
      }
    ]
  }
]
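As an added example (not code from Ironic or from this note), the following Python reproduces the documented option defaults and retry behaviour of the api-call action against a constructed fake HTTP transport, so the retry schedule can be inspected without a network. The delay formula backoff_factor * 2 ** (n - 1) is an assumption borrowed from the urllib3 Retry convention; the note only says backoff_factor is a delay factor. Note also that the example rule above uses a plain http:// hook URL, so the callback and any headers you configure travel unencrypted.

```python
import json

# Status codes the note lists as retryable for the api-call action.
RETRY_STATUS = {429, 500, 502, 503, 504}
# Documented defaults: timeout 5 s, 3 retries, backoff factor 0.3.
DEFAULTS = {"timeout": 5, "retries": 3, "backoff_factor": 0.3}


def parse_api_call_action(action):
    """Validate one action dict from an inspection rule and fill in defaults."""
    if action.get("action") != "api-call":
        raise ValueError("not an api-call action")
    url = action.get("url")
    if not isinstance(url, str) or not url:
        raise ValueError("api-call: 'url' is required")
    opts = dict(DEFAULTS)
    for key in DEFAULTS:
        if key in action:
            opts[key] = action[key]
    opts["url"] = url
    opts["headers"] = action.get("headers", {})
    opts["proxies"] = action.get("proxies", {})
    return opts


def backoff_delay(backoff_factor, retry_number):
    """Assumed schedule (urllib3 convention): factor * 2 ** (n - 1)."""
    return backoff_factor * (2 ** (retry_number - 1))


def call_with_retry(opts, transport):
    """Issue the GET through transport(url, timeout, headers) -> status code.

    Retries on RETRY_STATUS up to opts['retries'] times. Delays are collected
    rather than slept so the schedule can be asserted on.
    """
    delays = []
    attempts = 0
    while True:
        attempts += 1
        status = transport(opts["url"], opts["timeout"], opts["headers"])
        if status not in RETRY_STATUS or attempts > opts["retries"]:
            return {"status": status, "attempts": attempts, "delays": delays}
        delays.append(backoff_delay(opts["backoff_factor"], attempts))


def fake_transport(statuses):
    """Constructed stand-in for an HTTP client: returns the codes in order,
    repeating the last one forever."""
    queue = list(statuses)

    def transport(url, timeout, headers):
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return transport


# The rule from the note, embedded as constructed input.
RULE_JSON = '''[{"description": "Trigger webhook after node inspection",
  "actions": [{"action": "api-call", "url": "http://example.com/hook",
               "timeout": 10, "retries": 5, "backoff_factor": 1}]}]'''


def run_example():
    """Hook answers 503 twice, then 200: two retries, delays 1 s and 2 s."""
    rule = json.loads(RULE_JSON)[0]
    opts = parse_api_call_action(rule["actions"][0])
    return call_with_retry(opts, fake_transport([503, 503, 200]))
```

A 404 is not in the retry set, so it is returned after a single attempt; a permanently failing 503 endpoint is given up on after retries + 1 attempts.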
Allows users to specify the verify_ca path for the corresponding driver through the verify_ca option under the [<driver>] section in the configuration. When [driver_info]/<driver>_verify_ca is specified as None or True, it will be replaced by the value of the verify_ca option. NOTE: For the idrac driver, it uses the same options as the redfish driver.
Ironic operators can now assign specific steps to run during automated cleaning instead of relying on the driver-based implicit steps typically used for automated cleaning.

To generally opt in to this behavior, first set [conductor]/automated_cleaning_step_source to either ‘hybrid’ or ‘runbook’. A setting of ‘autogenerated’ (the default) preserves existing behavior. Setting ‘runbook’ causes Ironic to attempt to find and use a configured runbook for automated cleaning, and fails cleaning if one is not found. The ‘hybrid’ setting causes Ironic to attempt to find and use a configured runbook for automated cleaning; if one is not found, it falls back to the default autogenerated cleaning.

Configuration for cleaning runbooks is tiered to allow maximum flexibility; Ironic will try to find a cleaning runbook in the following places. Values representing the runbook name or the runbook UUID are accepted, and the most specific value found is used. First, node.driver_info['cleaning_runbook'] is a node-specific override, disabled by default. To enable it, set [conductor]automated_cleaning_runbook_from_node to True. Next, [conductor]automated_cleaning_runbook_by_resource_class allows you to map resource classes to the runbook they should use in automated cleaning. The global default, and final fallback, is [conductor]automated_cleaning_runbook.

As with normal runbook usage, the runbook name must match an active trait in node.traits. This behavior can be changed by setting [conductor]automated_cleaning_runbook_validate_traits to False. A cleaning attempt that resolves to an incompatible runbook will cause an error and leave the node uncleaned in the clean failed state.
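The resolution order above, written out as an added example (illustration only, not Ironic's own code) so the precedence and failure cases can be checked against a constructed node and configuration. The option keys mirror the [conductor] names in the note; the runbook catalogue, node contents and the function name resolve_cleaning_runbook are chosen here, and treating a configured-but-nonexistent reference as "incompatible" is an assumption.

```python
class CleaningError(Exception):
    """Stands in for the failure that leaves the node in 'clean failed'."""


# Constructed runbook catalogue; name and UUID are both accepted as references.
RUNBOOKS = [
    {"name": "CUSTOM_SECURE_WIPE",
     "uuid": "11111111-2222-3333-4444-555555555555"},
    {"name": "CUSTOM_QUICK_CLEAN",
     "uuid": "66666666-7777-8888-9999-000000000000"},
]


def find_runbook(ref):
    """Look a runbook up by name or UUID; None when it does not exist."""
    for runbook in RUNBOOKS:
        if ref in (runbook["name"], runbook["uuid"]):
            return runbook
    return None


def resolve_cleaning_runbook(node, conf):
    """Return ("runbook", record) or ("autogenerated", None).

    `conf` uses the [conductor] option names from the note; `node` is a dict
    with driver_info, resource_class and traits. Raises CleaningError where
    the note says cleaning fails.
    """
    source = conf.get("automated_cleaning_step_source", "autogenerated")
    if source == "autogenerated":
        return "autogenerated", None
    if source not in ("hybrid", "runbook"):
        raise CleaningError("unknown automated_cleaning_step_source %r" % source)

    # Most specific first: node override (opt-in), resource class map, global.
    candidates = []
    if conf.get("automated_cleaning_runbook_from_node", False):
        candidates.append(node.get("driver_info", {}).get("cleaning_runbook"))
    by_class = conf.get("automated_cleaning_runbook_by_resource_class", {})
    candidates.append(by_class.get(node.get("resource_class")))
    candidates.append(conf.get("automated_cleaning_runbook"))
    ref = next((c for c in candidates if c), None)

    if ref is None:
        if source == "runbook":
            raise CleaningError("no cleaning runbook configured")
        return "autogenerated", None
    runbook = find_runbook(ref)
    if runbook is None:
        # Assumption: a configured but unknown reference counts as incompatible.
        raise CleaningError("cleaning runbook %r not found" % ref)
    if (conf.get("automated_cleaning_runbook_validate_traits", True)
            and runbook["name"] not in node.get("traits", [])):
        raise CleaningError("runbook %s is not an active trait on the node"
                            % runbook["name"])
    return "runbook", runbook
```

The last two checks are where the multitenancy caveat from the Security Issues section bites: once automated_cleaning_runbook_from_node is True and trait validation is off, whatever the node owner writes into driver_info decides what cleaning runs.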
Added a new configuration option [conductor]error_on_ramdisk_config_inconsistency to control how Ironic handles inconsistent kernel and ramdisk configurations.

When error_on_ramdisk_config_inconsistency is set to True, Ironic will raise a MissingParameterValue exception when it encounters inconsistent kernel/ramdisk configurations, such as:
A node’s driver_info containing only deploy_kernel but missing deploy_ramdisk (or vice versa)
The [conductor]deploy_kernel_by_arch configuration having entries for architectures that are missing from [conductor]deploy_ramdisk_by_arch (or vice versa)
Similar inconsistencies with rescue kernel/ramdisk configurations

When set to False (the default), Ironic will log warning messages about these inconsistencies but continue operation by falling back to global configuration values when possible. In a future Ironic release, the default of this value will be changed to True to enforce strict validation.
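An added example (not Ironic's code) of the consistency check the option governs: it walks the deploy and rescue kernel/ramdisk pairs in a node's driver_info and in the per-architecture maps, and either warns or raises depending on error_on_ramdisk_config_inconsistency. The exception class and the function names are stand-ins chosen here; the option and field names are those from the note.

```python
import logging

LOG = logging.getLogger("ramdisk-consistency")


class MissingParameterValue(Exception):
    """Stand-in for the Ironic exception of the same name."""


# Each kernel option must be paired with its ramdisk option, both in
# driver_info and in the per-architecture [conductor] maps.
PAIRS = (("deploy_kernel", "deploy_ramdisk"),
         ("rescue_kernel", "rescue_ramdisk"))


def find_inconsistencies(driver_info, conf):
    """Return a list of human-readable problems (empty when consistent)."""
    problems = []
    for kernel, ramdisk in PAIRS:
        has_kernel, has_ramdisk = kernel in driver_info, ramdisk in driver_info
        if has_kernel != has_ramdisk:
            present, missing = (kernel, ramdisk) if has_kernel else (ramdisk, kernel)
            problems.append("driver_info sets %s but not %s" % (present, missing))
        kernel_archs = set(conf.get(kernel + "_by_arch", {}))
        ramdisk_archs = set(conf.get(ramdisk + "_by_arch", {}))
        for arch in sorted(kernel_archs - ramdisk_archs):
            problems.append("[conductor]%s_by_arch has %s but %s_by_arch does not"
                            % (kernel, arch, ramdisk))
        for arch in sorted(ramdisk_archs - kernel_archs):
            problems.append("[conductor]%s_by_arch has %s but %s_by_arch does not"
                            % (ramdisk, arch, kernel))
    return problems


def check_ramdisk_config(driver_info, conf):
    """Warn (default) or raise, per error_on_ramdisk_config_inconsistency."""
    problems = find_inconsistencies(driver_info, conf)
    if problems and conf.get("error_on_ramdisk_config_inconsistency", False):
        raise MissingParameterValue("; ".join(problems))
    for problem in problems:
        LOG.warning("Inconsistent kernel/ramdisk configuration: %s", problem)
    return problems
```

Running it in warn mode over every node before flipping the option to True is the review step the Upgrade Notes ask for.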
The REST API and JSON-RPC listeners now honour new options in their own config sections:
[api]cert_file / [api]key_file
[json_rpc]cert_file / [json_rpc]key_file
This lets operators present different certificates for each endpoint without touching the global [ssl] block, which is now deprecated and will be removed in 2026.1. Deployments that still rely on the global [ssl] section are advised to move the certificate settings to the per-service options.
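As an added illustration (not from the release note), an ironic.conf fragment showing the deprecated global block beside its per-service replacement. The section and option names are those named above; the file paths are placeholders.

```ini
# Deprecated: one certificate for every listener via the global [ssl] block
# (slated for removal in 2026.1).
[ssl]
cert_file = /etc/ironic/tls/ironic.crt
key_file = /etc/ironic/tls/ironic.key

# Replacement: a certificate per listener, so the public REST API and the
# conductor-facing JSON-RPC channel can be issued from different CAs and
# rotated independently of each other.
[api]
cert_file = /etc/ironic/tls/api.crt
key_file = /etc/ironic/tls/api.key

[json_rpc]
cert_file = /etc/ironic/tls/rpc.crt
key_file = /etc/ironic/tls/rpc.key
```

Whether the JSON-RPC listener terminates TLS itself is still controlled by [json_rpc]use_ssl; the options above only say which key pair it presents when it does.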
Upgrade Notes
The configuration option [DEFAULT]/graceful_shutdown_timeout from oslo.service has been replaced by the configuration option [conductor]/graceful_shutdown_timeout.
The default value (60 seconds) has not changed; operators using a custom value should update their configuration files to use the new option.
The new [conductor]error_on_ramdisk_config_inconsistency configuration option defaults to False to maintain backward compatibility. Existing deployments with inconsistent kernel/ramdisk configurations will continue to work as before, with warning messages logged to help identify potential configuration issues. Operators who want strict validation of kernel/ramdisk configurations can set this option to True, but should first review their configurations to ensure consistency across all node driver_info entries and architecture-specific configuration options. Ironic expects to enable strict validation of these values in a future release.
Deprecation Notes
The configuration option [DEFAULT]/graceful_shutdown_timeout from oslo.service has been deprecated, replaced by [conductor]/graceful_shutdown_timeout. This change was triggered by the need to remove usage of eventlet.
The SNMP hardware type and associated interfaces have been deprecated for removal in a future Ironic release. It currently depends on an outdated, unsupported library and unless it is migrated off that library by the end of the 2026.1 cycle it will be removed.
Operators utilizing this driver will need to find an alternate way to manage their machines. Alternatively, the Ironic community welcomes contributions to keep this driver alive.
Security Issues
Updates jinja2 to 3.1.6 in requirements to address CVE-2023-34064. A single location in the code was updated to work with the new jinja2 version.
This change permits declarative cleaning via use of runbooks. Please note there is no validation that a runbook performs typical, expected cleaning actions such as a disk wipe. Operators should be careful to ensure they are using sufficient steps to securely wipe the system.
Additionally, operators of multitenant Ironic clusters should be careful before setting [conductor]automated_cleaning_runbook_from_node to True, as it may permit a node owner to render cleaning ineffective. This is not a concern in deployments utilizing node.lessee via automated_lessee.
Bug Fixes
[Bug 2092398] Fixes an issue with node servicing/cleaning that caused the node to enter the service failed or clean failed state after a BMC firmware update, because the BMC is unresponsive to requests during the update. Now, when doing a BMC update, Ironic waits some time before proceeding with the reboot that finishes the update. The wait time is configurable via the config option [redfish]firmware_update_wait_unresponsive_bmc (default 300 seconds) or by setting firmware_update_unresponsive_bmc_wait in the node's driver_info.
Fixes the redfish sensor data output: previously any enum value was treated as an object; its value is now rendered as a string.
Fixes an issue with a “null” or missing MTU value in the network_data.json payload of a configuration drive, which now forces a regeneration of the configuration drive. This behavior is enabled by default and can be disabled by setting the [conductor]disable_metadata_mtu_check configuration option to True. For more information, see bug 2110322.
The Ironic REST API and JSON-RPC endpoints are now served by cheroot.wsgi.Server instead of the deprecated oslo_service.wsgi / eventlet stack. Behaviour and CLI commands are unchanged.
30.0.0
New Features
Adds NVIDIA A10/A40/L40S/L20 to known accelerators that can be reported when present in bare metals.
It is now possible to filter by conductor groups when listing ports and portgroups. For example, the following request returns only the ports for nodes in conductor groups bear and metal:
GET /v1/ports?conductor_groups=bear,metal
If allow_image_access_via_auth_token is set to True, Ironic allows access to Glance images if an auth_token is present in the request context.
Add a new configuration group [agent_containers] that allows users to dynamically configure container-based cleaning via Ironic conductor.
Adds a new configuration option bootloader_by_arch, a dictionary value that maps architecture names to a Glance ID, http:// or file:// URL of an EFI system partition image containing an EFI boot loader, to support architecture-specific images for virtual media boot in mixed-architecture clouds.
Adds a new boolean configuration option [neutron]fail_on_port_binding_failure and a corresponding node driver_info setting fail_on_binding_failure to control whether deployment should fail or continue if Neutron port binding fails. With a default of true, if your network is not configured properly, this will likely cause deployment failures. To maintain the previous behavior, explicitly set this option to False in your configuration.
A new “description” field has been added to the Port object. This field allows operators to provide human-readable descriptions to easily identify physical ports on bare metal hosts.
The ipmitool-socat console interface is now available for users of the redfish hardware type. This was done to enable operators to leverage IPMI-based Serial-over-LAN connections. This option requires the IPMI parameters to be configured on the bare metal node in addition to the redfish hardware type.
Adds a new option [json_rpc]client_use_ssl. It can be set to True in situations where server-side TLS is handled by a reverse proxy, and thus [json_rpc]use_ssl is set to False.
Adds support for unprovisioning a node in the service wait state via the delete provision action.
The Ironic conductor can now access images that are shared with its project, in addition to those it owns.
To use the feature, ensure the images are shared with the project associated with the conductor’s credentials.
Upgrade Notes
CONF.allow_image_access_via_auth_token is set to True in this Ironic release. OpenStack integrated operators should ensure images for Ironic use are using image visibility “public” or “community” for the most reliable results.
Deprecation Notes
While never supported outside of the Ironic project’s CI testing, use of the TinyIPA ramdisk image is in the process of being discontinued. Any users who chose to utilize TinyIPA for any reason should leverage ironic-python-agent-builder images.
Security Issues
Fixes OSSA-2025-001, where Ironic did not properly filter file:// paths when used as image sources. This would permit any file accessible by the conductor to be used as an image to attempt deployment. Ironic now unconditionally forbids paths that provide access to system configuration (/dev, /sys, /proc, /boot, /run, and /etc).
Adds CONF.conductor.file_url_allowed_paths, an allowlist configuration defaulting to /var/lib/ironic, /shared/html, /opt/cache/files, /vagrant, and /templates, which permits operators to further restrict where the conductor will fetch images from when given a file:// URL. This default value was chosen based on known usage by projects downstream of Ironic, including Metal3, Bifrost, and OpenShift. These defaults may change to be more restrictive at a later date. Operators using file:// URLs are encouraged to explicitly set this value even if the current default is sufficient. Operators wishing to fully disable the ability to deploy with a file:// URL should set this configuration to “” (empty).

This issue only poses a significant security risk when Ironic’s automated cleaning process is disabled and the service is configured in such a way that permits direct deployment by an untrusted API user, such as standalone Ironic installations or environments granting ownership of nodes to projects.
Bug Fixes
In the redfish inspector, [inspector]update_pxe_enabled now controls whether the pxe_enabled field of a port is updated during inspection, so that it behaves like all other inspection interfaces. The default value for this configuration is True.
Fixes loop functionality to align more closely with the spec: when a loop is present, args reference loop items using the ‘{item}’ placeholder to support direct array iteration, and list and dict loop item types are handled separately.
Fixes an issue with the neutron network_interface driver where validate calls by member-scoped API users, triggered through a port update or an explicit node interface validation action, would fail because the user was unable to resolve the provisioning or cleaning networks, which live in a different project.
Fixes interface binding logic as it relates to Neutron VIF attachments, such that an initial Neutron port update occurs to ensure Neutron performs any necessary address assignments, which will now result in the port entering an ACTIVE state. The state may change later on as the port is updated as part of any workflow actions with supplied port configuration information, to allow ML2 plugins to finalize any port binding actions when appropriate. The base bug which identified this issue is bug 2106073, which will require additional work to completely fix. Relatedly, this logic also detaches any previously bound VIF which might have been supplied to Ironic; binding it in advance of attachment was erroneous, if understandable, behavior.
Fixes an issue with agent startup where the workflow from the first agent heartbeat interaction could fail due to a transient networking issue leaving the Agent and Ironic in a state where the node cannot be deployed and continues to record errors upon each additional heartbeat operation. Logic to check the state of the agent has been adjusted to ignore retry operations which were recorded by the agent. More information on this issue can be found in bug 2110698.
Fixes an issue where Nova, or another consumer attempting to send network data to Ironic, can send invalid network metadata which needs to be replaced. Ironic now identifies the condition and regenerates the network metadata using the attached VIF records. This results in some minor data differences, such as Nova’s internal VIF tap naming, which is redundant, and MTUs being included in the network data when they might not have been previously. More information about this bug can be found in bug 2106073. This logic does not attempt to patch or modify configuration drive URLs supplied by tools like Bifrost, which are unaffected by this issue. This fix can be disabled by setting [conductor]disable_configdrive_check to True.
Updates the patch validation logic to support special characters (~ and /) in field keys, provided they align with the escaping rules defined in RFC 6901 (JSON Pointer), as required for the path field specified in RFC 6902 (JSON Patch).
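As an added example (not Ironic's validation code), the RFC 6901 token rules applied to a JSON Patch: ~1 is decoded to / and then ~0 to ~, in that order, so that a key such as ipmi/port survives a path like /driver_info/ipmi~1port, while a dangling ~ or an unknown escape is rejected. The function names and the allowed-field set are chosen here.

```python
import re

# A '~' may only introduce the two escapes '~0' (for '~') and '~1' (for '/').
_BAD_ESCAPE = re.compile(r"~(?![01])")


def unescape_token(token):
    """Decode one reference token per RFC 6901 section 4 (order matters:
    '~1' first, then '~0', so that '~01' yields '~1' and not '/')."""
    if _BAD_ESCAPE.search(token):
        raise ValueError("invalid escape sequence in token %r" % token)
    return token.replace("~1", "/").replace("~0", "~")


def escape_token(key):
    """Inverse of unescape_token: escape '~' before '/'."""
    return key.replace("~", "~0").replace("/", "~1")


def parse_pointer(path):
    """Split a JSON Pointer into decoded tokens; '' is the whole document."""
    if path == "":
        return []
    if not path.startswith("/"):
        raise ValueError("JSON Pointer must start with '/' (RFC 6901)")
    return [unescape_token(token) for token in path[1:].split("/")]


def validate_patch(patch, updatable_roots):
    """Check each RFC 6902 op's path against a set of top-level fields that
    may be patched, returning the decoded paths."""
    decoded = []
    for op in patch:
        if op.get("op") not in ("add", "remove", "replace"):
            raise ValueError("unsupported op %r" % op.get("op"))
        tokens = parse_pointer(op["path"])
        if not tokens or tokens[0] not in updatable_roots:
            raise ValueError("field %r may not be patched" % op["path"])
        decoded.append(tokens)
    return decoded
```

Splitting on / before unescaping is what makes the check safe: a key containing a literal slash can only reach the validator in its ~1 form, so it can never be mistaken for an extra path level.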
Fixes an error where a node did not move to the failed state when removing a VIF failed due to unexpected errors during tear down.
Other Notes
Ironic is in the process of removing testing and use of TinyIPA, which was originally developed as a lightweight, low-memory IPA image to simplify upstream testing and had no use outside of that context. Due to the OpenStack move away from Python 3.9, TinyIPA cannot continue to be maintained, and as such all testing and use of the images will be discontinued by the Ironic community.