Victoria Series Release Notes

9.0.0-10

Deprecation Notes

  • Fedora 30 has reached end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.

  • openSUSE Leap 15.1 is reaching end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.

Bug Fixes

  • Unsets the OS_CLOUD variable in the generated openrc.

  • OS_AUTH_TYPE is now always set in the generated openrc.

  • FirewallD is now used on Fedora 32 and newer to fix firewall issues.

Other Notes

  • Fedora 32 and openSUSE Leap 15.2 have been added to the supported OS list.

9.0.0

New Features

  • Adds support for installing the Ironic Prometheus Exporter. It can be enabled through bifrost-cli with the --enable-prometheus-exporter option, or by setting enable_prometheus_exporter=True when deploying.

  • The first IPv4 address of the network_interface is now used for ironic and ironic-inspector API URLs in clouds.yaml in openrc instead of localhost. Use ironic_api_url and ironic_inspector_api_url to override.

  • The bifrost-keystone-client-config role now validates that CLI access actually works with the generated configuration, use skip_validation=false to disable.

  • Supports TLS configuration by setting enable_tls=true and, optionally, generate_tls=true. The corresponding bifrost-cli argument is --enable-tls (auto-generated certificates only).

  • The bifrost-ironic-install role now validates that the services have been started successfully, use skip_validation to disable.

Known Issues

  • Because of Ansible dependencies Bifrost only works on virtual environments created with --system-site-packages.

  • When using Keystone for authentication, it may not be possible to disable TLS after enabling it if the certificate is in a non-standard location.

  • Due to upgrade limitations, it may not be possible to enable TLS on upgrading from a previous version. Do an upgrade first, then enable TLS in a separate installation step.

Upgrade Notes

  • The use_public_urls parameter is no longer supported, just provide public_ip instead.

  • Bifrost no longer adds ironic and ironic-inspector endpoints to the public firewalld zone, the operator has to do it explicitly if external access is expected.

  • Support for the legacy CSV inventory format has been removed, only JSON and YAML are supported now.

  • Support for installing and using RabbitMQ has been removed.

  • Support for storing introspection data in nginx has been removed. It was useful before ironic-inspector started supporting storing data in the database, which is the default nowadays.

  • Support for the OpenStack MetaData version 2012-08-10 has been removed from the bifrost-configdrives-dynamic role. The newest supported metadata version is now 2015-10-15.

  • The deprecated parameter node_network_info has been removed, use node_network_data instead.

  • Adds the explicit setting of file access permissions to get_url calls in bifrost ansible playbooks to ensure that the contents of “/httpboot” are world-readable independently of which Ansible version is in use.

  • Packaged iPXE ROMs are now used by default on openSUSE, set download_ipxe=true to override.

  • Bifrost will no longer kill all running dnsmasq processes for you. If you have dnsmasq processes that are not managed by systemd, you have to stop them yourself.

  • No longer supports installation outside of a virtual environment. The parameter enable_venv has been removed.

Bug Fixes

  • Fixes an issue where the bifrost-create-dib-image role overrides any existing ELEMENTS_PATH environment variable value. This fix appends any existing ELEMENTS_PATH value to the path set in the role.

  • Changes to keystone endpoint configuration are now automatically reflected on existing endpoints.

  • Correctly updates repositories copied with copy_from_local_path.

  • When copying repositories using copy_from_local_path, make sure they are consistently owned by the local user. Previously some repositories could end up owned by root.

  • Correctly updates IPA images checksums on a major upgrade.

  • Automatically enables DHCP and TFTP services in firewalld on CentOS/RHEL.

  • Instead of modifying the public firewalld zone, creates a new zone bifrost and puts the network_interface in it. Set firewalld_internal_zone=public to revert to the previous behavior.

  • Makes /var/lib/ironic and its images subdirectories readable by nginx. This is required for using the images cache.

  • Fixes ACL of PXE and iPXE boot files to make sure they are world-readable.

  • Resolves the issue with ansible versions 2.9.12 and 2.8.14 where implicit setting of file permissions on files downloaded with get_url calls results in overly restrictive permissions. This leads to access denied while attempting to read the contents of “/httpboot” and results in failed deployments.

  • Ensures that repositories are consistently owned by the calling user.

  • Removes the test_vm_network_enable_dhcp option and disables DHCP on the libvirt network instead of unconditionally killing all dnsmasq processes on the machine.

  • Adds correct SELinux context for /tftpboot.

Other Notes

  • The file env-vars has been removed. It contains variables that only work for no-auth mode and only for ironic itself (not inspector). Use the generated clouds.yaml or openrc in the home directory.

  • The primary supported version of Ubuntu is now 20.04 (Focal). Ubuntu 18.04 (Bionic) is still supported, but may be removed in a future release.

  • Ironic JSON RPC is now always authenticated, even in no-auth mode.

  • Removes the no longer used transform_boot_image variable.

8.3.0

New Features

  • Adds support for configuring credential-less deploy via the new agent power interface and the manual-management hardware type.

  • Extra parameters for ansible can now be passed to bifrost-cli via the -e/--extra-vars flag. The format is the same as for ansible-playbook.

  • Metadata cleaning is now enabled by default, set cleaning to false to disable completely.

  • To enable full disk cleaning, set cleaning_disk_erase to true.

  • The new parameter default_boot_mode allows specifying the default boot mode: uefi or bios.

  • Set the new parameter developer_mode to true to have all packages that are installed from source installed with the --editable flag. The corresponding bifrost-cli argument is --develop.

  • The new variable git_url_root allows overriding the root URL for all repositories (e.g. changing the default https://opendev.org to a local path).

  • HTTP basic authentication for API services is now supported in addition to no authentication and Keystone. It is triggered by setting noauth_mode=false with enable_keystone=false.

  • Installations with bifrost-cli now use HTTP basic authentication if Keystone is disabled.

  • The ramdisk logs for inspection are now stored by default in /var/log/ironic-inspector/ramdisk.

  • If keystone_lockout_security_attempts is enabled, the amount of time the account stays locked is now regulated by the new parameter keystone_lockout_duration (defaulting to 1800 seconds).

  • Deploy/cleaning ramdisk logs are now always stored by default, use ironic_store_ramdisk_logs to override.

  • Creates a symbolic link from the $VENV/collections directory, which contains Ansible collections, to the playbooks subdirectory of bifrost. This is done in the env-setup.sh script.

  • The bifrost-create-vm-nodes role now supports redfish emulation, set test_vm_node_driver=redfish (or --driver=redfish for bifrost-cli testenv) to use.

Upgrade Notes

  • The variable ci_testing is no longer taken into account by the roles. Use the existing copy_from_local_path if you need Bifrost to copy repositories from their pre-cached locations.

  • If you use cleaning=true to enable full disk cleaning, you need to also set cleaning_disk_erase=true now. Omitting it will result in only metadata cleaning enabled.

  • All services now use journald logging by default, ironic-api.log and ironic-conductor.log are no longer populated. Use ironic_log_dir and inspector_log_dir to override.

  • The ramdisk logs for deploy/cleaning are now by default stored in /var/log/ironic/deploy.

  • The inspector_user user is not created by default any more. Use bifrost_user instead.

  • If you’re relying on default passwords (e.g. for the database or keystone passwords), they will be changed on upgrade. Please use explicit values if you want to avoid it.

  • OpenStackSDK is now installed from PyPI by default, set openstacksdk_source_install=true to override.

  • Previously installation used to be skipped completely if the skip_install variable is defined, independent of its value. This has been fixed, and now installation is only skipped if skip_install is defined and equals true.

Deprecation Notes

  • Deprecates providing inspector discovery parameters via inspector[discovery], use explicit variables instead.

  • Bifrost will switch to HTTP basic authentication by default in the future. If you want to avoid it, please set noauth_mode to false explicitly.

  • The ironic_db_password parameter is deprecated, please use service_password to set a password to use between services or override the whole ironic and keystone objects.

Security Issues

  • Uses mode 0700 for the inspector log directories to prevent them from being world readable.

  • When using Keystone, no longer locks users out of their accounts after 3 unsuccessful attempts to log in. Such a lockout creates a trivially exploitable denial-of-service issue. Use keystone_lockout_security_attempts to re-enable (not recommended).

  • Uses mode 0700 for the ironic log directories to prevent them from being world readable.

  • Random passwords are now generated by default instead of using a constant. The same parameters as before can be used to override them.
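
A post-upgrade check for the permission changes in these notes, as an added example that is not part of Bifrost: log directories must grant nothing to group or other (mode 0700), while everything under /httpboot must stay world-readable. The function names are hypothetical, GNU stat and find are assumed, and the paths to audit are supplied by the operator.

```shell
#!/bin/sh
# Added example (not Bifrost code). Assumes GNU stat and find.
# Usage with paths named in these notes (adjust to your ironic_log_dir
# and inspector_log_dir settings):
#   sh audit.sh /var/log/ironic/deploy /var/log/ironic-inspector/ramdisk -- /httpboot

# Succeeds only if $1 is a directory that grants no access to group or other.
is_private_dir() {
    [ -d "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2
    # The leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Prints entries under $1 that a non-owner service (for example nginx) cannot
# read: files lacking o+r and directories lacking o+rx.
not_world_readable() {
    find "$1" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \)
}

# audit PRIVATE_DIR... -- PUBLIC_DIR...
# Prints one finding per failing path and returns the number of failing paths.
audit() {
    failures=0
    section=private
    for path in "$@"; do
        if [ "$path" = "--" ]; then
            section=public
            continue
        fi
        if [ "$section" = private ]; then
            if ! is_private_dir "$path"; then
                echo "FAIL: $path is missing or accessible to group/other"
                failures=$((failures + 1))
            fi
        else
            bad=$(not_world_readable "$path" 2>&1) || bad="cannot scan $path"
            if [ -n "$bad" ]; then
                echo "FAIL: not world-readable under $path:"
                echo "$bad"
                failures=$((failures + 1))
            fi
        fi
    done
    return "$failures"
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```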

Bug Fixes

  • No longer clones repositories with corresponding *_source_install variables set to false.

  • Ironic Staging Drivers are now installed from source by default since they are released very infrequently (usually once per cycle).

  • The addition of the symbolic link makes bifrost playbooks independent of the ANSIBLE_COLLECTIONS_PATHS environment variable which wasn’t reliably set in some environments.

  • Removes the dependency on libselinux-python for the Fedora OS family. This package is no longer present in Fedora 32 and was causing installation failures. It is safe to remove as it is used with python2 only.

  • On systems with SELinux enforcing, enables nginx to read symbolic links. Fixes network boot of instances.

Other Notes

  • The role bifrost-openstack-ci-prep has been removed. It was only used in the upstream CI context and is no longer required.

  • The variable ci_testing_zuul is no longer used or set.

  • The version of cirros used by default is now 0.5.1 (instead of 0.4.0).

  • Bifrost now uses the equivalent modules from the openstack.cloud collection. The module changes are listed below.

    • os_client_config is config

    • os_ironic is baremetal_node

    • os_ironic_inspect is baremetal_inspect

    • os_ironic_node is baremetal_node_action

    • os_keystone_role is identity_role

    • os_keystone_service is catalog_service

    • os_user is identity_user

    • os_user_role is role_assignment

8.2.0

New Features

  • It is now possible to use the bifrost cloud with introspection commands even in no-auth mode.

  • Debian Buster is now supported as a base operating system.

  • Configures the default deploy and rescue kernel/ramdisk, setting them in driver_info is now optional.

  • Ubuntu Focal (20.04) is now supported as a base operating system.

  • The values of enabled_bios_interfaces, enabled_boot_interfaces, enabled_management_interfaces and enabled_power_interfaces are now derived from the enabled_hardware_types if left empty (the default).

  • Adds a new parameter internal_ip specifying which IP address to use for nodes to reach ironic and the HTTP server, and for cross-service interactions when keystone is disabled. By default the IPv4 address of the network_interface is used.

  • The manual-management hardware type is now enabled by default. It can be used with hardware that does not feature a supported BMC.

  • The noop management interface can now be used out-of-box with ipmi and redfish nodes to prevent ironic from changing the boot device and order.

  • A normal ironic nodes.json (suitable for the baremetal create command) is now generated when creating testing VMs. The default location is /tmp/nodes.json.

  • Sets the default resource class for newly enrolled nodes without an explicit resource class. Defaults to baremetal, can be changed via the default_resource_class parameter.

  • Fedora 30 is now supported as a base operating system.

  • Adds two new parameters for controlling how existing git checkouts are handled:

    • update_repos can be set to false to prevent the repositories from being updated.

    • force_update_repos can be set to false to prevent Bifrost from overwriting local changes.

  • Changes the default version of Ansible to version 2.9.

  • The new variable use_tinyipa (defaulting to true) defines whether to use the pre-built tinyIPA images or production-ready CentOS images built with DIB.

Upgrade Notes

  • Explicit support for Fedora versions prior to 30 has been removed.

  • Explicit support for Debian Jessie has been removed.

  • OpenStackClient is no longer installed when keystone is not enabled. Use the ironic native baremetal command instead. For example, instead of

    openstack baremetal node list

    use just

    baremetal node list

  • The shade library is no longer used, nor installed by default.

  • The default version of Ansible used for this release of bifrost is version 2.9. Operators may wish to upgrade if they are directly invoking playbooks or roles.

  • All packages are now installed in a virtual environment in /opt/stack/bifrost by default instead of system-wide.

Deprecation Notes

  • The bifrost-inspector cloud in clouds.yaml is now deprecated, use the main bifrost cloud for all commands.

  • The os_ironic_facts module is deprecated. Please use os_ironic_node_info, which returns information in the “node” parameter.

  • Support for system-wide installation of packages is deprecated, untested and may be removed in a future release.

Bug Fixes

  • Fixes installing Keystone under CentOS 8.

  • Fixes failure to install on systems with a local resolved by setting disable_dnsmasq_dns to True by default.

  • Fixes fast-track deployment after inspection/discovery by providing the correct ironic API URL to the ramdisk.

  • Fixes deployment in a testing environment on CentOS 8 by using firewalld instead of iptables to enable access from nodes to ironic.

  • An ironic-python-agent image is now updated every time the installation playbooks are run. This is done to avoid discrepancy between ironic and the ramdisk on updates. Set update_ipa to false to prevent the ramdisk update (not recommended) or update_repos to false to disable any updates.

Other Notes

  • Support for Ubuntu Xenial and Debian Stretch has been officially removed (Bifrost has been broken on them since Ussuri because of the transition to Python 3.6).