5b272b0c46
Removes the deprecated support for token-less agents which better secures the ironic-python-agent<->ironic interactions to help ensure heartbeat operations are coming from the same node which originally checked-in with the Ironic and that commands coming to an agent are originating from the same ironic deployment which the agent checked-in with to begin with.

Story: 2007025
Task: 40814
Change-Id: Id7a3f402285c654bc4665dcd45bd0730128bf9b0
21 lines
1.1 KiB
YAML
---
upgrade:
  - |
    Support for token-less agents has been removed as the token-less agent
    support was deprecated in the Ussuri development cycle. The ironic-python-agent
    must be updated to 6.1.0 or higher to support communicating with the
    Ironic deployment after upgrade. This will generally require deployment,
    cleaning, and rescue kernels and ramdisks to be updated. If this is not
    done, actions such as cleaning and deployment will time out as the agent
    will be unable to record heartbeats with Ironic. For more information,
    please see the `agent token <https://docs.openstack.org/ironic/latest/admin/agent-token.html>`_
    documentation.
security:
  - |
    Ramdisks supporting agent token are now globally required by Ironic.
    As this is a core security mechanism, it cannot be disabled and support
    for the ``[DEFAULT]require_agent_token`` configuration parameter has been
    removed as tokens are now always required by Ironic. For more information,
    please see the `agent token <https://docs.openstack.org/ironic/latest/admin/agent-token.html>`_
    documentation.