Victoria Series (8.2.0 - 9.0.x) Release Notes¶
Following an announcement by the CentOS project, Bifrost has switched to CentOS Stream for testing. Regular CentOS is no longer tested in the CI, meaning that both it and RHEL will only be tested indirectly and supported on the best effort basis.
Moves installation of package dependencies for Diskimage Builder (DIB) from the
bifrost-create-dib-imagerole to the
bifrost-install-ironicrole. This provides a cleaner separation between installation and image creation.
Fixes an issue with the Bifrost inventory plugin when used with
BIFROST_INVENTORY_SOURCE=ironic. All node fields are now returned as facts, as in Ussuri and earlier releases. See story 2008394 for details.
Fixes fast-track after inspection: the
power_off_after_inspectionoptions are now correctly handled.
Fixes passing parameters with spaces to
Fixes a failure when building an Ubuntu image due to a missing
Fedora 30 has reached end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.
openSUSE Leap 15.1 is reaching end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.
OS_CLOUDvariable in the generated
OS_AUTH_TYPEis now always set in the generated
FirewallD is now used on Fedora 32 and newer to fix firewall issues.
Copies ironic-lib rootwrap.d filters to the correct location.
Correctly copies rootwrap.d filters on upgrade.
Explicitly opens ports 68 and 69 in firewall on systems not using firewalld (e.g. Ubuntu).
PATHto always include the virtual environment when running validations.
Fedora 32 and openSUSE Leap 15.2 have been added to the supported OS list.
Adds support to install the Ironic Prometheus Exporter. It can be done through the
--enable-prometheus-exporteroption, or when setting enable_prometheus_expoter=True when deploying.
The first IPv4 address of the
network_interfaceis now used for ironic and ironic-inspector API URLs in
bifrost-keystone-client-configrole now validates that CLI access actually works with the generated configuration, use
Supports TLS configuration by setting
generate_tls=true. The corresponding
--enable-tls(auto-generated certificates only).
bifrost-ironic-installrole now validates that the services have been started successfully, use
Because of Ansible dependencies Bifrost only works on virtual environments created with
When using Keystone for authentication, it may not be possible to disable TLS after enabling it if the certificate is in a non-standard location.
Due to upgrade limitations, it may not be possible to enable TLS on upgrading from a previous version. Do an upgrade first, then enable TLS in a separate installation step.
use_public_urlsparameter is no longer supported, just provide
Bifrost no longer adds ironic and ironic-inspector endpoints to the public firewalld zone, the operator has to do it explicitly if external access is expected.
Support for the legacy CSV inventory format has been removed, only JSON and YAML are supported now.
Support for installing and using RabbitMQ has been removed.
Support for storing introspection data in nginx has been removed. It was useful before ironic-inspector started supporting storing data in the database, which is the default nowadays.
Support for the OpenStack MetaData version 2012-08-10 has been removed from the
bifrost-configdrives-dynamicrole. The newest supported metadata version is now 2015-10-15.
The deprecated parameter
node_network_infohas been removed, use
Adds the explicit setting of file access permissions to get_url calls in bifrost ansible playbooks to ensure that the contents of “/httpboot” are world-readable independently of which Ansible version is in use.
Packaged iPXE ROMs are now used by default on openSUSE, set
Bifrost will no longer kill all running dnsmasq processes for you. If you have dnsmasq processes that are not managed by systemd, you have to stop them yourself.
No longer supports installation outside of a virtual environment. The parameter
enable_venvhas been removed.
Fixes an issue where the bifrost-create-dib-image role overrides any existing ELEMENTS_PATH environment variable value. This fix appends any existing ELEMENTS_PATH value to the path set in the role.
Changes to keystone endpoint configuration are now automatically reflected on existing endpoints.
Correctly updates repositories copied with
When copying repositories using
copy_from_local_path, make sure they are consistently owned by the local user. Previously some repositories could end up owned by
Correctly updates IPA images checksums on a major upgrade.
Automatically enables DHCP and TFTP services in firewalld on CentOS/RHEL.
Instead of modifying the
publicfirewalld zone, creates a new zone
bifrostand puts the
network_interfacein it. Set
firewalld_internal_zone=publicto revert to the previous behavior.
/var/lib/ironicand its images subdirectories readable by nginx. This is required for using the images cache.
Fixes ACL of PXE and iPXE boot files to make sure they are world-readable.
Resolves the issue with ansible versions 2.9.12 and 2.8.14 where implicit setting of file permissions on files downloaded with get_url calls results in overly restrictive permissions. This leads to access denied while attempting to read the contents of “/httpboot” and results in failed deployments.
Ensures that repositories are consistently owned by the calling user.
test_vm_network_enable_dhcpoption and disables DHCP on the libvirt network instead of unconditionally killing all dnsmasq processes on the machine.
Adds correct SELinux context for
env-varshas been removed. It contains variables that only work for no-auth mode and only for ironic itself (not inspector). Use the generated
openrcin the home directory.
The primary supported version of Ubuntu is now 20.04 (Focal). Ubuntu 18.04 (Bionic) is still supported, but may be removed in a future release.
Ironic JSON RPC is now always authenticated, even in no-auth mode.
Removes the no longer used
Adds support for configuring credential-less deploy via the new
agentpower interface and the
Extra parameters for ansible can now be passed to
--extra-varsflag. The format is the same as for ansible-playbook.
Metadata cleaning is now enabled by default, set
falseto disable completely.
To enable full disk cleaning, set
The new parameter
default_boot_modeallows specifying the default boot mode:
Set the new parameter
trueto make all packages installed from source to be installed with the
--editableflag. The corresponding
The new variable
git_url_rootallows overriding the root URL for all repositories (e.g. changing the default
https://opendev.orgto a local path).
HTTP basic authentication for API services is now supported in addition to no authentication and Keystone. It is triggered by setting
bifrost-clinow use HTTP basic authentication if Keystone is disabled.
The ramdisk logs for inspection are now stored by default in
keystone_lockout_security_attemptsis enabled, the amount of time the account stays locked is now regulated by the new parameter
keystone_lockout_duration(defaulting to 1800 seconds).
Deploy/cleaning ramdisk logs are now always stored by default, use
Added creation of a symbolic link from $VENV/collections directory which contains ansible collections to the playbooks subdirectory of bifrost. This is done in the env-setup.sh script.
bifrost-create-vm-nodesrole now supports redfish emulation, set
bifrost-cli testenv) to use.
The new parameter
default_boot_modeallows specifying the default boot mode:
ci_testingis no longer taken into account by the roles. Use the existing
copy_from_local_pathif you need Bifrost to copy repositories from their pre-cached locations.
If you use
cleaning=trueto enable full disk cleaning, you need to also set
cleaning_disk_erase=truenow. Omitting it will result in only metadata cleaning enabled.
All services now use journald logging by default,
ironic-conductor.logare no longer populated. Use
The ramdisk logs for deploy/cleaning are now by default stored in
inspector_useruser is not created by default any more. Use
If you’re relying on default passwords (e.g. for the database or keystone passwords), they will be changed on upgrade. Please use explicit values if you want to avoid it.
OpenStackSDK is now installed from PyPI by default, set
Previously installation used to be skipped completely if the
skip_installvariable is defined, independent of its value. This has been fixed, and now installation is only skipped if
skip_installis defined and equals
Deprecates providing inspector discovery parameters via
inspector[discovery], use explicit variables instead.
Bifrost will switch to HTTP basic authentication by default in the future. If you want to avoid it, please set
ironic_db_passwordparameter is deprecated, please use
service_passwordto set a password to use between services or override the whole
Uses mode 0700 for the inspector log directories to prevent them from being world readable.
When using Keystone, no longer locks users out of their accounts on 3 unsuccessful attempts to log in. This creates a very trivially exploitable denial-of-service issue. Use
keystone_lockout_security_attemptsto re-enable (not recommended).
Uses mode 0700 for the ironic log directories to prevent them from being world readable.
Random passwords are now generated by default instead of using a constant. The same parameters as before can be used to override them.
No longer clones repositories with corresponding
*_source_installvariables set to
Ironic Staging Drivers are now installed from source by default since they are released very infrequently (usually once per cycle).
The addition of the symbolic link makes bifrost playbooks independent of the ANSIBLE_COLLECTIONS_PATHS environment variable which wasn’t reliably set in some environments.
Removing dependency on libselinux-python for Fedora OS family. This package is no longer present in Fedora 32 and was causing installation failures. It is safe to remove as it is used with python2 only.
On systems with SELinux enforcing, enables nginx to read symbolic links. Fixes network boot of instances.
bifrost-openstack-ci-prephas been removed. It was only used in the upstream CI context and is no longer required.
ci_testing_zuulis no longer used or set.
The version of cirros used by default is now 0.5.1 (instead of 0.4.0).
Bifrost now uses the equivalent modules from the openstack.cloud collection. The change on modules is listed below.
os_client_config is config
os_ironic is baremetal_node
os_ironic_inspect is baremetal_inspect
os_ironic_node is baremetal_node_action
os_keystone_role is identity_role
os_keystone_service is catalog_service
os_user is identity_user
os_user_role is role_assignment
It is now possible to use the
bifrostcloud with introspection commands even in no-auth mode.
Debian Buster is now supported as a base operating system.
Configures the default deploy and rescue kernel/ramdisk, setting them in
driver_infois now optional.
Ubuntu Focal (20.04) is now supported as a base operating system.
The values of
enabled_power_interfacesare now derived from the
enabled_hardware_typesif left empty (the default).
Adds a new parameter
internal_ipspecifying which IP address to use for nodes to reach ironic and the HTTP server, and for cross-service interactions when keystone is disabled. By default the IPv4 address of the
manual-managementhardware type is now enabled by default. It can be used with hardware that does not feature a supported BMC.
noopmanagement interface can now be used out-of-box with
redfishnodes to prevent ironic from changing the boot device and order.
MetalSmith is now installed by default.
A normal ironic
nodes.json(suitable for the
baremetal createcommand) is now generated when creating testing VMs. The default location is
Sets the default resource class for newly enrolled nodes without an explicit resource class. Defaults to
baremetal, can be changed via the
Fedora 30 is now supported as a base operating system.
Adds two new parameters for controlling how existing git checkouts are handled:
update_reposcan be set to
falseto prevent the repositories from being updated.
force_update_reposcan be set to
falseto prevent Bifrost from overwriting local changes.
Changes the default version of Ansible to version 2.9.
The new variable
true) defines whether to use the pre-built tinyIPA images or production-ready CentOS images built with DIB.
Explicit support for Fedora versions precedent to 30 has been removed.
Explicit support for Debian Jessie has been removed.
OpenStackClient is no longer installed when keystone is not enabled. Use the ironic native
baremetalcommand instead. For example, instead of
openstack baremetal node list
baremetal node list
The shade library is no longer used, nor installed by default.
The default version of Ansible used for this release of bifrost is version 2.9. Operators may wish to upgrade if they are directly invoking playbooks or roles.
All packages are now installed in a virtual environment in
/opt/stack/bifrostby default instead of system-wide.
clouds.yamlis now deprecated, use the main
bifrostcloud for all commands.
os_ironic_factsmodule is deprecated. Please use
os_ironic_node_infothat returns information in the “node” parameter.
Support for system-wide installation of packages is deprecated, untested and may be removed in a future release.
Fixes installing Keystone under CentOS 8.
Fixes failure to install on systems with a local resolved by setting
Fixes fast-track deployment after inspection/discovery by providing the correct ironic API URL to the ramdisk.
Fixes deployment in a testing environment on CentOS 8 by using firewalld instead of iptables to enable access from nodes to ironic.
An ironic-python-agent image is now updated every time the installation playbooks are run. This is done to avoid discrepancy between ironic and the ramdisk on updates. Set
falseto prevent the ramdisk update (not recommended) or
falseto disable any updates.
Support for Ubuntu Xenial and Debian Stretch has been officially removed (Bifrost has been broken on them since Ussuri because of the transition to Python 3.6).