Xena Series (11.0.0 - 11.2.x) Release Notes


Deprecation Notes

  • Support for Fedora is no longer tested in the CI and will be removed from the code in the near future.


Bug Fixes

  • Password files (htpasswd) are no longer world-readable.

  • Fixes the Bifrost inventory plugin to not set the network_interface variable since it conflicts with the Bifrost’s variable with a different meaning.

  • Ironic Prometheus Exporter is now run as the ironic user, not as root.

  • Fixes bifrost-configdrives-dynamic and bifrost-deploy-nodes-dynamic when uuid is not set in the inventory file.


Bug Fixes

  • Fixed an outdated grub and shim efi binaries path for Red Hat to to be under EFI/redhat.

  • Fixes the iptables rule for PXE on systems not using firewalld (use port UDP/67 and UDP/69 instead of TCP/68 and TCP/69).


New Features

  • Adds support for using dnsmasq as a DHCP relay target via the new dhcp_pool_mask parameter.

  • Automatically configures enabled_raid_interfaces based on the enabled_hardware_types.

  • Adds support for manually specified enabled raid interfaces via the new enabled_raid_interfaces parameter.

  • Supports customizing the TFTP directory via the new parameter tftp_boot_folder.

  • Adds a new role bifrost-uwsgi-install encapsulating uWSGI configuration logic.

  • Virtual media images are now protected by TLS when TLS support is enabled.

Known Issues

  • Fedora 34 cryptography settings may prevent it from logging into CirrOS via SSH. CirrOS images should not be used in production. If this problem affects your development environment, temporary lower the cryptography profile:

    sudo update-crypto-policies --set LEGACY

Upgrade Notes

  • Fedora 34 is now tested in the CI. Fedora 32 and newer should work, but are not tested any more.

  • The admin Keystone endpoint will be upgraded from using port 35357 (a separate admin API) to use port 5000 (the default Identity API).

  • Switches TFTP handling from Xinetd to dnsmasq, which must be enabled for TFTP boot to work.

  • Keystone services are now run as separate systemd services uwsgi@keystone-public and uwsgi@keystone-admin. The standalone uwsgi service is no longer used and is disabled on upgrade.

  • If enable_tls is true, virtual media images for Redfish, iDRAC-Redfish and iLO are now served via TLS using the Ironic’s TLS certificate. If this is not desired, set the new option vmedia_enable_tls to false.

    The new server’s port can be configured via the new file_url_port_tls option.

Deprecation Notes

  • The separate Keystone admin API (served at port 35357) is deprecated and will be removed in a future release. Please update your applications to refer to port 5000 only for Keystone operations.

Bug Fixes

  • When copy_from_local_path is used, destination path is removed on upgrade before copying.

  • Fixes Fedora 34 support by switching from the removed Xinetd to dnsmasq for TFTP boot.

  • Fixes support for TLS ca_cert and other current authentication parameters in the os_ironic_node_info module. The implementation uses utilities from the OpenStack Ansible collection.

Other Notes

  • Moves the generic code for managing Nginx into a new role bifrost-nginx-install.