Merge https://github.com/openstack/ironic:master (78201d7) into main #406
ironic-merge-bot[bot] wants to merge 43 commits into openshift:main from
Conversation
The PLDM/MCTP communication channel used for device firmware updates doesn't become available until after a host reboot following BMC firmware updates. Now we check if more firmware components are pending after the BMC update. If yes, trigger a host reboot before continuing to the next component; if the BMC is the last component, skip the reboot as servicing/cleaning cleanup will trigger one. Closes-Bug: #2141574 Assisted-By: Claude Opus 4.6 Change-Id: I599bab15b034a47a8668ec3f1fc691f09c9336dc Signed-off-by: Iury Gregory Melo Ferreira <imelofer@redhat.com>
Switch to the recommended way to specify constraints via the dedicated parameter. Update the docs to list the correct minimum required version of tox. Change-Id: I8a3116e5ada4b4ae3c04b72a6fbfca4b6b57f6c7 Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
When a node owner requested specific fields without including 'owner' in the field list, RBAC policy checks for fields like last_error, reservation, and driver_internal_info would always fail. This happened because _get_fields_for_node_query() only extracted user-requested fields from the RPC object, so the owner and lessee were missing from the node dict passed to node_sanitize(). Without node.owner in the target_dict, the project-scoped ownership policy rule could never match, causing incorrect redaction for legitimate node owners. Always include owner and lessee in the fields extracted from the RPC object so they are available for policy evaluation. The existing sanitize_dict() call strips them from the API response if the caller did not request them, so there is no information leak. Closes-Bug: #2150573 Assisted-By: Claude Opus 4.6 Change-Id: I850db315b10379a9fe861d3432e4b1a8daf1e8ca Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license specifies that SPDX is the format, so remove the license from the classifiers. Change-Id: I6a0ae6f46fc79a51b3cd448af966d5794c2f7814 Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
... following the change in devstack[1]. [1] 6180e73702cfef2011c32f315cde97128a4b7eec Change-Id: If41a564f73dd9c8e068348ea925cc0b2487a1547 Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
The timeout parameter was changed to a tuple and when a retry needed to occur we re-wrapped the tuple in sushy which resulted in an invalid parameter exception and a failure instead of a successful retry. Change-Id: I55a42f0ea1c2df94d3c046146e688e71e3f69445 Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Change-Id: Id651e649d01fbb8fefe4b5c2b80fbdfc2945c244 Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
When this config option was created, it was as part of an OSSA/CVE and non-disruptiveness was the #1 priority. Now that we're well past that, we need to make this a good default -- rather than one that just describes existing downstream use cases. Operators who need the existing paths should update their config. Change-Id: I29f24490d97026bd039c667b9de0610131ea48ee Signed-off-by: Jay Faulkner <jay@jvf.cc>
Analysis revealed that a malicious attacker with sufficient access to request a node to be provisioned could supply a maliciously crafted kickstart template configuration, which would then ultimately be rendered in an unsafe form. This is because the underlying render utility was modeled for rendering only admin-supplied files or the in-code tree files. Anaconda had to take this further by allowing the jinja utilized to be user supplied. Anyhow, an attacker with sufficient access, an ironic deployment with the anaconda deploy interface, a node with the anaconda deployment interface set by an admin, and a malicious template could result in conductor internal data being rendered and, if the infrastructure operator is allowing traffic egress for the provisioning network, could have sensitive internal data exfiled out of the environment. The render helper has been changed to utilize a sandboxed environment. Attacks such as this now internally raise a Jinja2 SecurityError. Closes-Bug: 2148307 Change-Id: Ie85357166fafca0acd9d852fe05ce34818d2b366 Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
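The sandboxing described in that commit message, as an added illustration that is not ironic's own render helper: the same user-supplied template is rendered once with the default `jinja2.Environment` and once with `jinja2.sandbox.SandboxedEnvironment`; the template text and the `hostname`/`mac` context values are constructed here for the example.

```python
"""Contrast Jinja2's default Environment with SandboxedEnvironment.

Added example, not code from the ironic project. The context values and
template strings below are constructed for illustration only.
"""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed context standing in for the variables a deploy template sees.
CONTEXT = {"hostname": "node-01.example.test", "mac": "52:54:00:12:34:56"}

# Legitimate template content: only references the variables it was given.
BENIGN = "network --hostname={{ hostname }} --device={{ mac }}"

# Template that reaches for Python object internals instead of template
# variables. The default Environment happily resolves this; the sandbox
# treats any underscore-prefixed attribute as unsafe.
PROBE = "{{ hostname.__class__.__name__ }}"


def render(source: str, context: dict, sandboxed: bool = True) -> str:
    """Render *source* with *context*.

    With sandboxed=True, unsafe attribute access is replaced by an
    Undefined whose further use raises jinja2.exceptions.SecurityError,
    so internals are never exposed to the template author.
    """
    env = SandboxedEnvironment() if sandboxed else Environment()
    return env.from_string(source).render(**context)


def render_or_reject(source: str, context: dict) -> tuple:
    """Sandboxed render that reports rejection instead of raising.

    Returns (True, output) on success or (False, reason) when the
    sandbox refused the template; the reason is worth logging on the
    conductor side because it identifies the offending attribute.
    """
    try:
        return True, render(source, context, sandboxed=True)
    except SecurityError as exc:
        return False, f"rejected: {exc}"


if __name__ == "__main__":
    print(render(BENIGN, CONTEXT))                 # same output in both modes
    print(render(PROBE, CONTEXT, sandboxed=False))  # "str": internals leak
    print(render_or_reject(PROBE, CONTEXT))         # (False, "rejected: ...")
```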
Change-Id: I630b4a2445d3d52e99e53e35899d86314901ec21 Signed-off-by: Armin Mahdilou <Armin.Mahdilou@gmail.com>
Change-Id: Iba7534e27bff9475690b3ab5598c09c3a5f30fb0 Signed-off-by: Nicholas Kuechler <nkuechler@gmail.com>
We seem to be getting "502 Bad Gateway" from quay while trying to pull down container images. We're not sure what exactly is going on, but this is causing the metal3 integration CI job to fail. Change-Id: I0a562b77748424cfedfb6855a87643d85da987c5 Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
In general we should not upgrade the base image when building a container as the base image is already rebuilt regularly. Also setting the base image explicitly to one recommended by ART.
Adds the parent node support and tests in one change including all DB/Model/API changes along with RBAC and basic API tests.
* Updates the API version to 1.83
* Adds parent_node and related index to the nodes table.
* Adds new API parameters to list by parent node relationship.
Depends-On: https://review.opendev.org/c/openstack/ironic/+/883967 Change-Id: I8d64fee7105718199986db4994e13352d639f04f
Change-Id: I22c8aae89d24d3ff330f10f1e0d43461fd6e52d4
We need to pin libraries that are still compatible with python 3.9 as upstream has already dropped compatibility. (cherry picked from commit aa7dfab)
Back when we developed service, we expected operators to iterate to fix their issues, but we also put in abort code. We just never wired in the abort code to the abort verb. It really seems like we really should have done that, and this change changes API and Conductor code path to make this happen. Closes-Bug: 2119989 Assisted-By: Claude Clode - Claude Sonnet 4 Change-Id: Ic02ba87485a676e77563057427ab94953bea2cc2 Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com> (cherry picked from commit 1eda807)
Currently, the Ironic codebase allows aborting the servicing state regardless of whether a servicing step has the abortable flag set or not. This patch fixes this by adding handling of service wait states to abort code paths and adding the missing state machine transition. Generated-By: Claude Code Sonnet 3.5 Change-Id: Ie07490bdb9c6461bd6ac7a6315773dcfb13592f9 Signed-off-by: Jacob Anders <janders@redhat.com> (cherry picked from commit fa8a8fb)
No description provided.