Victoria Series (8.2.0 - 9.0.x) Release Notes¶
9.1.0¶
Upgrade Notes¶
Following an announcement by the CentOS project, Bifrost has switched to CentOS Stream for testing. Regular CentOS is no longer tested in the CI, meaning that both it and RHEL will only be tested indirectly and supported on the best effort basis.
Moves installation of package dependencies for Diskimage Builder (DIB) from the
bifrost-create-dib-image
role to thebifrost-install-ironic
role. This provides a cleaner separation between installation and image creation.
Bug Fixes¶
Fixes an issue with the Bifrost inventory plugin when used with
BIFROST_INVENTORY_SOURCE=ironic
. All node fields are now returned as facts, as in Ussuri and earlier releases. See story 2008394 for details.
Fixes fast-track after inspection: the
fast_track
andpower_off_after_inspection
options are now correctly handled.
Fixes passing parameters with spaces to
bifrost-cli
.
Fixes a failure when building an Ubuntu image due to a missing
squashfs-tools
package.
9.0.1¶
Deprecation Notes¶
Fedora 30 has reached end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.
openSUSE Leap 15.1 is reaching end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.
Bug Fixes¶
Unsets the
OS_CLOUD
variable in the generatedopenrc
.
OS_AUTH_TYPE
is now always set in the generatedopenrc
.
FirewallD is now used on Fedora 32 and newer to fix firewall issues.
Copies ironic-lib rootwrap.d filters to the correct location.
Correctly copies rootwrap.d filters on upgrade.
Explicitly opens ports 68 and 69 in firewall on systems not using firewalld (e.g. Ubuntu).
Fixes
PATH
to always include the virtual environment when running validations.
Other Notes¶
Fedora 32 and openSUSE Leap 15.2 have been added to the supported OS list.
9.0.0¶
New Features¶
Adds support to install the Ironic Prometheus Exporter. It can be done through the
bifrost-cli
using--enable-prometheus-exporter
option, or when setting enable_prometheus_expoter=True when deploying.
The first IPv4 address of the
network_interface
is now used for ironic and ironic-inspector API URLs inclouds.yaml
inopenrc
instead oflocalhost
. Useironic_api_url
andironic_inspector_api_url
to override.
The
bifrost-keystone-client-config
role now validates that CLI access actually works with the generated configuration, useskip_validation=false
to disable.
Supports TLS configuration by setting
enable_tls=true
and, optionally,generate_tls=true
. The correspondingbifrost-cli
argument is--enable-tls
(auto-generated certificates only).
The
bifrost-ironic-install
role now validates that the services have been started successfully, useskip_validation
to disable.
Known Issues¶
Because of Ansible dependencies Bifrost only works on virtual environments created with
--system-site-packages
.
When using Keystone for authentication, it may not be possible to disable TLS after enabling it if the certificate is in a non-standard location.
Due to upgrade limitations, it may not be possible to enable TLS on upgrading from a previous version. Do an upgrade first, then enable TLS in a separate installation step.
Upgrade Notes¶
The
use_public_urls
parameter is no longer supported, just providepublic_ip
instead.
Bifrost no longer adds ironic and ironic-inspector endpoints to the public firewalld zone, the operator has to do it explicitly if external access is expected.
Support for the legacy CSV inventory format has been removed, only JSON and YAML are supported now.
Support for installing and using RabbitMQ has been removed.
Support for storing introspection data in nginx has been removed. It was useful before ironic-inspector started supporting storing data in the database, which is the default nowadays.
Support for the OpenStack MetaData version 2012-08-10 has been removed from the
bifrost-configdrives-dynamic
role. The newest supported metadata version is now 2015-10-15.
The deprecated parameter
node_network_info
has been removed, usenode_network_data
instead.
Adds the explicit setting of file access permissions to get_url calls in bifrost ansible playbooks to ensure that the contents of “/httpboot” are world-readable independently of which Ansible version is in use.
Packaged iPXE ROMs are now used by default on openSUSE, set
download_ipxe=true
to override.
Bifrost will no longer kill all running dnsmasq processes for you. If you have dnsmasq processes that are not managed by systemd, you have to stop them yourself.
No longer supports installation outside of a virtual environment. The parameter
enable_venv
has been removed.
Bug Fixes¶
Fixes an issue where the bifrost-create-dib-image role overrides any existing ELEMENTS_PATH environment variable value. This fix appends any existing ELEMENTS_PATH value to the path set in the role.
Changes to keystone endpoint configuration are now automatically reflected on existing endpoints.
Correctly updates repositories copied with
copy_from_local_path
.
When copying repositories using
copy_from_local_path
, make sure they are consistently owned by the local user. Previously some repositories could end up owned byroot
.
Correctly updates IPA images checksums on a major upgrade.
Automatically enables DHCP and TFTP services in firewalld on CentOS/RHEL.
Instead of modifying the
public
firewalld zone, creates a new zonebifrost
and puts thenetwork_interface
in it. Setfirewalld_internal_zone=public
to revert to the previous behavior.
Makes
/var/lib/ironic
and its images subdirectories readable by nginx. This is required for using the images cache.
Fixes ACL of PXE and iPXE boot files to make sure they are world-readable.
Resolves the issue with ansible versions 2.9.12 and 2.8.14 where implicit setting of file permissions on files downloaded with get_url calls results in overly restrictive permissions. This leads to access denied while attempting to read the contents of “/httpboot” and results in failed deployments.
Ensures that repositories are consistently owned by the calling user.
Removes the
test_vm_network_enable_dhcp
option and disables DHCP on the libvirt network instead of unconditionally killing all dnsmasq processes on the machine.
Adds correct SELinux context for
/tftpboot
.
Other Notes¶
The file
env-vars
has been removed. It contains variables that only work for no-auth mode and only for ironic itself (not inspector). Use the generatedclouds.yaml
oropenrc
in the home directory.
The primary supported version of Ubuntu is now 20.04 (Focal). Ubuntu 18.04 (Bionic) is still supported, but may be removed in a future release.
Ironic JSON RPC is now always authenticated, even in no-auth mode.
Removes the no longer used
transform_boot_image
variable.
8.3.0¶
New Features¶
Adds support for configuring credential-less deploy via the new
agent
power interface and themanual-management
hardware type.
Extra parameters for ansible can now be passed to
bifrost-cli
via the-e
/--extra-vars
flag. The format is the same as for ansible-playbook.
Metadata cleaning is now enabled by default, set
cleaning
tofalse
to disable completely.
To enable full disk cleaning, set
cleaning_disk_erase
totrue
.
The new parameter
default_boot_mode
allows specifying the default boot mode:uefi
orbios
.
Set the new parameter
developer_mode
totrue
to make all packages installed from source to be installed with the--editable
flag. The correspondingbifrost-cli
argument is--develop
.
The new variable
git_url_root
allows overriding the root URL for all repositories (e.g. changing the defaulthttps://opendev.org
to a local path).
HTTP basic authentication for API services is now supported in addition to no authentication and Keystone. It is triggered by setting
noauth_mode=false
withenable_keystone=false
.
Installations with
bifrost-cli
now use HTTP basic authentication if Keystone is disabled.
The ramdisk logs for inspection are now stored by default in
/var/log/ironic-inspector/ramdisk
.
If
keystone_lockout_security_attempts
is enabled, the amount of time the account stays locked is now regulated by the new parameterkeystone_lockout_duration
(defaulting to 1800 seconds).
Deploy/cleaning ramdisk logs are now always stored by default, use
ironic_store_ramdisk_logs
to override.
Added creation of a symbolic link from $VENV/collections directory which contains ansible collections to the playbooks subdirectory of bifrost. This is done in the env-setup.sh script.
The
bifrost-create-vm-nodes
role now supports redfish emulation, settest_vm_node_driver=redfish
(or--driver=redfish
forbifrost-cli testenv
) to use.
The new parameter
default_boot_mode
allows specifying the default boot mode:uefi
orbios
.
Upgrade Notes¶
The variable
ci_testing
is no longer taken into account by the roles. Use the existingcopy_from_local_path
if you need Bifrost to copy repositories from their pre-cached locations.
If you use
cleaning=true
to enable full disk cleaning, you need to also setcleaning_disk_erase=true
now. Omitting it will result in only metadata cleaning enabled.
All services now use journald logging by default,
ironic-api.log
andironic-conductor.log
are no longer populated. Useironic_log_dir
andinspector_log_dir
to override.
The ramdisk logs for deploy/cleaning are now by default stored in
/var/log/ironic/deploy
.
The
inspector_user
user is not created by default any more. Usebifrost_user
instead.
If you’re relying on default passwords (e.g. for the database or keystone passwords), they will be changed on upgrade. Please use explicit values if you want to avoid it.
OpenStackSDK is now installed from PyPI by default, set
openstacksdk_source_install=true
to override.
Previously installation used to be skipped completely if the
skip_install
variable is defined, independent of its value. This has been fixed, and now installation is only skipped ifskip_install
is defined and equalstrue
.
Deprecation Notes¶
Deprecates providing inspector discovery parameters via
inspector[discovery]
, use explicit variables instead.
Bifrost will switch to HTTP basic authentication by default in the future. If you want to avoid it, please set
noauth_mode
tofalse
explicitly.
The
ironic_db_password
parameter is deprecated, please useservice_password
to set a password to use between services or override the wholeironic
andkeystone
objects.
Security Issues¶
Uses mode 0700 for the inspector log directories to prevent them from being world readable.
When using Keystone, no longer locks users out of their accounts on 3 unsuccessful attempts to log in. This creates a very trivially exploitable denial-of-service issue. Use
keystone_lockout_security_attempts
to re-enable (not recommended).
Uses mode 0700 for the ironic log directories to prevent them from being world readable.
Random passwords are now generated by default instead of using a constant. The same parameters as before can be used to override them.
Bug Fixes¶
No longer clones repositories with corresponding
*_source_install
variables set tofalse
.
Ironic Staging Drivers are now installed from source by default since they are released very infrequently (usually once per cycle).
The addition of the symbolic link makes bifrost playbooks independent of the ANSIBLE_COLLECTIONS_PATHS environment variable which wasn’t reliably set in some environments.
Removing dependency on libselinux-python for Fedora OS family. This package is no longer present in Fedora 32 and was causing installation failures. It is safe to remove as it is used with python2 only.
On systems with SELinux enforcing, enables nginx to read symbolic links. Fixes network boot of instances.
Other Notes¶
The role
bifrost-openstack-ci-prep
has been removed. It was only used in the upstream CI context and is no longer required.
The variable
ci_testing_zuul
is no longer used or set.
The version of cirros used by default is now 0.5.1 (instead of 0.4.0).
Bifrost now uses the equivalent modules from the openstack.cloud collection. The change on modules is listed below.
os_client_config is config
os_ironic is baremetal_node
os_ironic_inspect is baremetal_inspect
os_ironic_node is baremetal_node_action
os_keystone_role is identity_role
os_keystone_service is catalog_service
os_user is identity_user
os_user_role is role_assignment
8.2.0¶
New Features¶
It is now possible to use the
bifrost
cloud with introspection commands even in no-auth mode.
Debian Buster is now supported as a base operating system.
Configures the default deploy and rescue kernel/ramdisk, setting them in
driver_info
is now optional.
Ubuntu Focal (20.04) is now supported as a base operating system.
The values of
enabled_bios_interfaces
,enabled_boot_interfaces
,enabled_management_interfaces
andenabled_power_interfaces
are now derived from theenabled_hardware_types
if left empty (the default).
Adds a new parameter
internal_ip
specifying which IP address to use for nodes to reach ironic and the HTTP server, and for cross-service interactions when keystone is disabled. By default the IPv4 address of thenetwork_interface
is used.
The
manual-management
hardware type is now enabled by default. It can be used with hardware that does not feature a supported BMC.
The
noop
management interface can now be used out-of-box withipmi
andredfish
nodes to prevent ironic from changing the boot device and order.
MetalSmith is now installed by default.
A normal ironic
nodes.json
(suitable for thebaremetal create
command) is now generated when creating testing VMs. The default location is/tmp/nodes.json
.
Sets the default resource class for newly enrolled nodes without an explicit resource class. Defaults to
baremetal
, can be changed via thedefault_resource_class
parameter.
Fedora 30 is now supported as a base operating system.
Adds two new parameters for controlling how existing git checkouts are handled:
update_repos
can be set tofalse
to prevent the repositories from being updated.force_update_repos
can be set tofalse
to prevent Bifrost from overwriting local changes.
Changes the default version of Ansible to version 2.9.
The new variable
use_tinyipa
(defaulting totrue
) defines whether to use the pre-built tinyIPA images or production-ready CentOS images built with DIB.
Upgrade Notes¶
Explicit support for Fedora versions precedent to 30 has been removed.
Explicit support for Debian Jessie has been removed.
OpenStackClient is no longer installed when keystone is not enabled. Use the ironic native
baremetal
command instead. For example, instead ofopenstack baremetal node list
use just
baremetal node list
The shade library is no longer used, nor installed by default.
The default version of Ansible used for this release of bifrost is version 2.9. Operators may wish to upgrade if they are directly invoking playbooks or roles.
All packages are now installed in a virtual environment in
/opt/stack/bifrost
by default instead of system-wide.
Deprecation Notes¶
The
bifrost-inspector
cloud inclouds.yaml
is now deprecated, use the mainbifrost
cloud for all commands.
The
os_ironic_facts
module is deprecated. Please useos_ironic_node_info
that returns information in the “node” parameter.
Support for system-wide installation of packages is deprecated, untested and may be removed in a future release.
Bug Fixes¶
Fixes installing Keystone under CentOS 8.
Fixes failure to install on systems with a local resolved by setting
disable_dnsmasq_dns
toTrue
by default.
Fixes fast-track deployment after inspection/discovery by providing the correct ironic API URL to the ramdisk.
Fixes deployment in a testing environment on CentOS 8 by using firewalld instead of iptables to enable access from nodes to ironic.
An ironic-python-agent image is now updated every time the installation playbooks are run. This is done to avoid discrepancy between ironic and the ramdisk on updates. Set
update_ipa
tofalse
to prevent the ramdisk update (not recommended) orupdate_repos
tofalse
to disable any updates.
Other Notes¶
Support for Ubuntu Xenial and Debian Stretch has been officially removed (Bifrost has been broken on them since Ussuri because of the transition to Python 3.6).