Stein Series Release Notes


New Features

  • The parameter ironic::pxe::ipxe_name_base has been added, which allows alternative ipxe files to be copied to /tftpboot/ipxe.efi. For example, setting this to ‘ipxe-snponly’ on CentOS8 would result in the source file being /usr/share/ipxe/ipxe-snponly-x86_64.efi.

Bug Fixes

  • It was not possible to configre Ironic Inspector DHCP (dnsmasq) service to provide the MTU option. This caused inspection to fail when operating on a network with <1500 bytes MTU. See bug: 1845487.


New Features

  • Add the log_file option for logging.

  • Classless static routes can now be configured for ironic inspector subnets. The dnsmasq_ip_subnets has been extended to support the classless_static_routes key in a subnet defention. This allow advanced routing options to be pushed to the inspection ramdisk. For example:

    dnsmasq_ip_subnets = [
        { 'tag'                     => 'subnet2',
          'ip_range'                => ',',
          'netmask'                 => '',
          'gateway'                 => '',
          'classless_static_routes' => [
              {'destination' => '', 'nexthop' => ''},
              {'destination' => '', 'nexthop' => ''}],



In this release Ubuntu has moved all projects that supported it to python3 which means that there will be a lot of changes. The Puppet OpenStack project does not test the upgrade path from python2 to python3 packages so there might be manual steps required when moving to the python3 packages.

New Features

  • Expose the versioned_notifications_topics parameter in ::ironic

  • Add possibility to configure the size of executor thread pool.

  • Service_token_roles_required missing in the server config file which allows backwards compatibility to ensure that the service tokens are compared against a list of possible roles for validity.

Upgrade Notes

  • The default value of ironic::inspector::ironic_auth_url is changed from to

  • The default value of ironic::inspector::swift_auth_url is changed from to

  • This module now requires a puppetlabs-mysql version >= 6.0.0

  • Ubuntu packages are now using python3, the upgrade path is not tested by Puppet OpenStack. Manual steps may be required when upgrading.


New Features

  • Add transport_url config param for ironic-inspector. It’s added in ironic-inspector in, and is suggested to set it to ‘fake://’ when rpc backend not available or not desired, so need to add support for it in puppet-ironic.

  • ironic::inspector::dhcp_debug has been added and should be set to enable dnsmasq debug logging.

Upgrade Notes

  • The deprecated parameter auth_uri is now removed, please use www_authenticate_uri.

  • The deprecated parameters use_syslog, use_stderr, log_facility, log_dir and debug in the ::ironic class is now removed. Please set them in ::ironic::logging instead.

  • ironic::inspector::logging is not included in ironic::inspector by default, you should define it to set logging options for the inspector.

Deprecation Notes

  • check_revocations_for_cached option is now deprecated for removal, the parameter has no effect.

  • hash_algorithms option is now deprecated for removal, the parameter has no effect.

  • ironic::inspector::debug is deprecated will be removed. Please set ironic::inspector::logging::debug to enable debug logging and/or set ironic::inspector::dhcp_debug to enable dnsmasq debugging.


New Features

  • Expose the endpoint_override parameter in both ::ironic::drivers::inspector and ::ironic::service_catalog

  • Expose the notification_level parameter in ::ironic

  • Adds ironic::conductor::force_raw_images which controls whether ironic forces the image format to be raw before deployment.

  • Adds ironic::drivers::agent::image_download_source which controls how ironic serves the image when using the direct deploy interface: via swift or via its local HTTP server.

Bug Fixes

  • In order to allow the ironic inspector dnsmasq service to receive packets after the network service is restarted, the bind-interfaces option should not be set. Since the ironic inspector is bound to the br-ctlplane interface, its not necessary to set this field as this dnsmasq instance will only service this interface.

    From the dnsmasq man page:

    -z, –bind-interfaces On systems which support it, dnsmasq binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn’t reply to. This has the advantage of working even when interfaces come and go and change address. This option forces dnsmasq to really bind only the interfaces it is listening on. About the only time when this is useful is when running another nameserver (or another instance of dnsmasq) on the same machine. Setting this option also enables multiple instances of dnsmasq which provide DHCP service to run in the same machine.

    We do run another dnsmasq instance for neutron but that is bound to the tap interface in the namespace.

  • Fixes default configuration where only a single concurrent thread was permitted per WSGI worker process, which does not match the upstream configuration where threads are enabled per each spawned worker process. This allows for greater request concurrency to prevent situations where the webserver may incorrectly return a 500 error due to the server being unable to process the request in time.

  • In order to allow portability between x86_64 and ppc the syslinux-tftpboot package is used for ironix-pxe.