Victoria Series (8.2.0 - 9.0.x) Release Notes


Deprecation Notes

  • Support for Fedora is no longer tested in the CI and will be removed from the code in the near future.


Upgrade Notes

  • Following an announcement by the CentOS project, Bifrost has switched to CentOS Stream for testing. Regular CentOS is no longer tested in the CI, meaning that both it and RHEL will only be tested indirectly and supported on the best effort basis.

  • Moves installation of package dependencies for Diskimage Builder (DIB) from the bifrost-create-dib-image role to the bifrost-install-ironic role. This provides a cleaner separation between installation and image creation.

Bug Fixes

  • Fixes an issue with the Bifrost inventory plugin when used with BIFROST_INVENTORY_SOURCE=ironic. All node fields are now returned as facts, as in Ussuri and earlier releases. See story 2008394 for details.

  • Fixes fast-track after inspection: the fast_track and power_off_after_inspection options are now correctly handled.

  • Fixes passing parameters with spaces to bifrost-cli.

  • Fixes a failure when building an Ubuntu image due to a missing squashfs-tools package.


Deprecation Notes

  • Fedora 30 has reached end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.

  • openSUSE Leap 15.1 is reaching end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.

Bug Fixes

  • Unsets the OS_CLOUD variable in the generated openrc.

  • OS_AUTH_TYPE is now always set in the generated openrc.

  • FirewallD is now used on Fedora 32 and newer to fix firewall issues.

  • Copies ironic-lib rootwrap.d filters to the correct location.

  • Correctly copies rootwrap.d filters on upgrade.

  • Explicitly opens ports 68 and 69 in firewall on systems not using firewalld (e.g. Ubuntu).

  • Fixes PATH to always include the virtual environment when running validations.

Other Notes

  • Fedora 32 and openSUSE Leap 15.2 have been added to the supported OS list.


New Features

  • Adds support to install the Ironic Prometheus Exporter. It can be done through the bifrost-cli using --enable-prometheus-exporter option, or when setting enable_prometheus_expoter=True when deploying.

  • The first IPv4 address of the network_interface is now used for ironic and ironic-inspector API URLs in clouds.yaml in openrc instead of localhost. Use ironic_api_url and ironic_inspector_api_url to override.

  • The bifrost-keystone-client-config role now validates that CLI access actually works with the generated configuration, use skip_validation=false to disable.

  • Supports TLS configuration by setting enable_tls=true and, optionally, generate_tls=true. The corresponding bifrost-cli argument is --enable-tls (auto-generated certificates only).

  • The bifrost-ironic-install role now validates that the services have been started successfully, use skip_validation to disable.

Known Issues

  • Because of Ansible dependencies Bifrost only works on virtual environments created with --system-site-packages.

  • When using Keystone for authentication, it may not be possible to disable TLS after enabling it if the certificate is in a non-standard location.

  • Due to upgrade limitations, it may not be possible to enable TLS on upgrading from a previous version. Do an upgrade first, then enable TLS in a separate installation step.

Upgrade Notes

  • The use_public_urls parameter is no longer supported, just provide public_ip instead.

  • Bifrost no longer adds ironic and ironic-inspector endpoints to the public firewalld zone, the operator has to do it explicitly if external access is expected.

  • Support for the legacy CSV inventory format has been removed, only JSON and YAML are supported now.

  • Support for installing and using RabbitMQ has been removed.

  • Support for storing introspection data in nginx has been removed. It was useful before ironic-inspector started supporting storing data in the database, which is the default nowadays.

  • Support for the OpenStack MetaData version 2012-08-10 has been removed from the bifrost-configdrives-dynamic role. The newest supported metadata version is now 2015-10-15.

  • The deprecated parameter node_network_info has been removed, use node_network_data instead.

  • Adds the explicit setting of file access permissions to get_url calls in bifrost ansible playbooks to ensure that the contents of “/httpboot” are world-readable independently of which Ansible version is in use.

  • Packaged iPXE ROMs are now used by default on openSUSE, set download_ipxe=true to override.

  • Bifrost will no longer kill all running dnsmasq processes for you. If you have dnsmasq processes that are not managed by systemd, you have to stop them yourself.

  • No longer supports installation outside of a virtual environment. The parameter enable_venv has been removed.

Bug Fixes

  • Fixes an issue where the bifrost-create-dib-image role overrides any existing ELEMENTS_PATH environment variable value. This fix appends any existing ELEMENTS_PATH value to the path set in the role.

  • Changes to keystone endpoint configuration are now automatically reflected on existing endpoints.

  • Correctly updates repositories copied with copy_from_local_path.

  • When copying repositories using copy_from_local_path, make sure they are consistently owned by the local user. Previously some repositories could end up owned by root.

  • Correctly updates IPA images checksums on a major upgrade.

  • Automatically enables DHCP and TFTP services in firewalld on CentOS/RHEL.

  • Instead of modifying the public firewalld zone, creates a new zone bifrost and puts the network_interface in it. Set firewalld_internal_zone=public to revert to the previous behavior.

  • Makes /var/lib/ironic and its images subdirectories readable by nginx. This is required for using the images cache.

  • Fixes ACL of PXE and iPXE boot files to make sure they are world-readable.

  • Resolves the issue with ansible versions 2.9.12 and 2.8.14 where implicit setting of file permissions on files downloaded with get_url calls results in overly restrictive permissions. This leads to access denied while attempting to read the contents of “/httpboot” and results in failed deployments.

  • Ensures that repositories are consistently owned by the calling user.

  • Removes the test_vm_network_enable_dhcp option and disables DHCP on the libvirt network instead of unconditionally killing all dnsmasq processes on the machine.

  • Adds correct SELinux context for /tftpboot.

Other Notes

  • The file env-vars has been removed. It contains variables that only work for no-auth mode and only for ironic itself (not inspector). Use the generated clouds.yaml or openrc in the home directory.

  • The primary supported version of Ubuntu is now 20.04 (Focal). Ubuntu 18.04 (Bionic) is still supported, but may be removed in a future release.

  • Ironic JSON RPC is now always authenticated, even in no-auth mode.

  • Removes the no longer used transform_boot_image variable.