Zed Series (8.6.0 - 9.1.x) Release Notes

9.1.1-2

Security Issues

  • Ironic-Python-Agent versions prior to the 2023.1 release are vulnerable to CVE-2024-44082, tracked in bug 2071740 <https://bugs.launchpad.net/bugs/2071740>. Deployers of Ironic versions Zed or older must apply CVE-2024-44082 fixes to their Ironic environment and leave [conductor]/conductor_always_validates_images set to True (the default for all releases Zed and older). This ensures the conductor will security check the image, because Ironic-Python-Agent will not.
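
A configuration check for the setting named above, as an added example that is not part of the release notes or of Ironic's own code: it reads the text of one ironic.conf and reports whether [conductor]/conductor_always_validates_images is left enabled. It assumes a single configuration file and oslo.config's boolean spellings; the function name and sample contents are constructed for illustration, and it does not verify that the CVE-2024-44082 fixes themselves are installed.

```python
import configparser

# Boolean spellings oslo.config accepts (case-insensitive).
TRUE_VALUES = {"true", "1", "on", "yes"}
FALSE_VALUES = {"false", "0", "off", "no"}
OPTION = "conductor_always_validates_images"


def conductor_validates_images(conf_text, default=True):
    """Return (ok, reason) for the [conductor] option in ironic.conf text.

    default is used when the option is absent; the release note gives True
    as the default for Zed and older.
    """
    # default_section is renamed so [DEFAULT] keys do not leak into [conductor].
    parser = configparser.RawConfigParser(
        strict=False, allow_no_value=True, default_section="__unused__")
    parser.read_string(conf_text)
    if not parser.has_option("conductor", OPTION):
        return default, "not set; release default applies"
    raw = (parser.get("conductor", OPTION) or "").strip().lower()
    if raw in TRUE_VALUES:
        return True, "explicitly enabled"
    if raw in FALSE_VALUES:
        return False, "explicitly disabled; conductor will not check images"
    return False, "unrecognised value %r; treat as unsafe" % raw


# Constructed sample configurations (not taken from a real deployment).
SAMPLE_SAFE = "[DEFAULT]\ndebug = false\n\n[conductor]\nworkers_pool_size = 100\n"
SAMPLE_UNSAFE = "[conductor]\nconductor_always_validates_images = False\n"
SAMPLE_MISPLACED = "[DEFAULT]\nconductor_always_validates_images = False\n[conductor]\n"

if __name__ == "__main__":
    for name, text in [("safe", SAMPLE_SAFE), ("unsafe", SAMPLE_UNSAFE),
                       ("misplaced", SAMPLE_MISPLACED)]:
        print(name, conductor_validates_images(text))
```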

9.1.1

Bug Fixes

  • Fixes a failure case where a deployed instance may be unable to access the configuration drive post-deployment. This can occur when block devices only support 4KB IO interactions. When 4KB block IO sizes are in use, the ISO9660 filesystem driver in Linux cannot be used as it is modeled around a 2KB block. We now attempt to verify, and rebuild the configuration drive on a FAT filesystem when we cannot mount the supplied configuration drive. Operators can force the agent to write configuration drives using the FAT filesystem using the [DEFAULT]config_drive_rebuild option.

  • Fixes UEFI NVRAM record handling with efibootmgr so we can accept and handle UTF-16 encoded data, which is to be expected in UEFI NVRAM as the records are UTF-16 encoded.

  • Fixes handling of UEFI NVRAM records to allow for unexpected characters in the response, so it is non-fatal to Ironic.

  • Fixes an issue with rebuilding instances on Software RAID with RAIDed ESP partitions.

  • Fixes, or at least lessens, the case where a running Ironic agent can stack up numerous lookup requests against an Ironic deployment when a node is locked. In particular, this is because the lookup also drives generation of the agent token, which requires the conductor to allocate a worker, generate the token, and return the result to the API client. Ironic's retry logic will now wait up to 60 seconds, and if an HTTP Conflict (409) message is received, the agent will automatically pause lookup operations for thirty seconds as opposed to continuing to attempt lookups, which could needlessly create more work for the Ironic deployment.

9.1.0

New Features

  • Software RAID devices are built with the --name option followed by volume name if it is defined in target raid config and an internal ID otherwise.

  • The node property skip_block_devices supports specifying volume names of software RAID devices. These devices are not cleaned during cleaning and are not created provided they already exist.

Bug Fixes

  • Fixes handling of Software RAID device discovery so RAID device Names and Events field values do not inadvertently cause the command to return unexpected output. Previously this could cause a deployment to fail when handling UEFI partitions.