[release-announce] bifrost 8.1.1 (ussuri)

no-reply at openstack.org no-reply at openstack.org
Wed Sep 23 13:13:58 UTC 2020 

We are stoked to announce the release of:

bifrost 8.1.1: Deployment of physical machines using OpenStack Ironic
and Ansible

This release is part of the ussuri stable release series.

The source is available from:

    https://opendev.org/openstack/bifrost

Download the package from:

    https://tarballs.openstack.org/bifrost/

Please report issues through:

    https://storyboard.openstack.org/#!/project/openstack/bifrost

For more details, please see below.

8.1.1
^^^^^


Upgrade Notes
*************

* Bifrost no longer adds ironic and ironic-inspector endpoints to
  the public firewalld zone, the operator has to do it explicitly if
  external access is expected.

* Adds the explicit setting of file access permissions to get_url
  calls in bifrost ansible playbooks to ensure that the contents of
  "/httpboot" are world-readable independently of which Ansible
  version is in use.


Bug Fixes
*********

* Fixes fast-track deployment after inspection/discovery by
  providing the correct ironic API URL to the ramdisk.

* Fixes deployment in a testing environment on CentOS 8 by using
  firewalld instead of iptables to enable access from nodes to ironic.

* Automatically enables DHCP and TFTP services in firewalld on
  CentOS/RHEL.

* Instead of modifying the "public" firewalld zone, creates a new
  zone "bifrost" and puts the "network_interface" in it. Set
  "firewalld_internal_zone=public" to revert to the previous behavior.

* Makes "/var/lib/ironic" and its images subdirectories readable by
  nginx. This is required for using the images cache.

* Fixes ACL of PXE and iPXE boot files to make sure they are world-
  readable.

* Resolves the issue with ansible versions 2.9.12 and 2.8.14 where
  implicit setting of file permissions on files downloaded with
  get_url calls results in overly restrictive permissions. This leads
  to access denied while attempting to read the contents of
  "/httpboot" and results in failed deployments.

* Removing dependency on libselinux-python for Fedora OS family.
  This package is no longer present in Fedora 32 and was causing
  installation failures. It is safe to remove as it is used with
  python2 only.

* On systems with SELinux enforcing, enables nginx to read symbolic
  links. Fixes network boot of instances.

* Adds correct SELinux context for "/tftpboot".

Changes in bifrost 8.1.0..8.1.1
-------------------------------

829e670 Fix install on systems without systemd
924534a Create our own firewalld zone and use it on real bare metal
d900a76 Make /var/lib/ironic/{,images,master_images} readable by nginx
49de1f9 Add correct SELinux context for /tftpboot and fix map-file ACL
5db92e3 Explicitly set permissions on /httpboot contents
3348099 Explicitly enable DHCP services on baremetal CentOS/RHEL
55f7ad3 Use firewalld to open ports on CentOS and RHEL.
b3b4b85 Make the iPXE and PXE boot files world-readable
1877ad5 bifrost_inventory: use stderr for logging
334c309 selinux: allow nginx to read symbolic links
d371d2d Removing libselinux-python package from Fedora dependencies
dc87231 Do not use 'sudo pip install' when venv is used
1070784 Fix bifrost_venv_dir default assignment
37a9205 install-deps: install setuptools early for Debian
98442ec Fix fast-track deployment after discovery/inspection
8b3f75a Install packages all at once instead of looping over them


Diffstat (except docs and test files)
-------------------------------------

bifrost/inventory.py                               |  1 +
.../bifrost-create-dib-image/defaults/main.yml     |  2 +-
.../bifrost-create-vm-nodes/defaults/main.yml      |  2 +-
.../defaults/required_defaults_Fedora.yml          |  2 +-
.../roles/bifrost-create-vm-nodes/tasks/main.yml   |  3 +-
.../roles/bifrost-ironic-install/defaults/main.yml |  4 +-
.../defaults/required_defaults_Fedora.yml          |  1 -
.../defaults/required_defaults_RedHat_family.yml   |  2 +
.../bifrost-ironic-install/files/ironic_policy.te  |  4 +-
.../bifrost-ironic-install/tasks/bootstrap.yml     | 45 ++++++++++++++++-
.../tasks/create_tftpboot.yml                      | 57 ++++++++++++++++++----
.../tasks/download_ipa_image.yml                   | 22 ++++++++-
.../bifrost-ironic-install/tasks/get_ipxe.yml      |  6 +++
.../tasks/inspector_bootstrap.yml                  | 18 ++++++-
.../roles/bifrost-ironic-install/tasks/install.yml |  6 +--
.../tasks/setup_firewalld.yml                      | 50 +++++++++++++++++++
.../templates/inspector-default-boot-ipxe.j2       |  2 +-
.../bifrost-keystone-install/defaults/main.yml     |  2 +-
.../bifrost-keystone-install/tasks/install.yml     |  3 +-
.../fast-track-inspection-a28a062e86f06190.yaml    |  5 ++
releasenotes/notes/firewalld-d53c6396828b91ee.yaml |  5 ++
.../notes/firewalld-services-4c255c02d8d427f8.yaml |  4 ++
.../notes/firewalld-zone-d8c72fb5924a4916.yaml     | 11 +++++
.../notes/images-permissions-2042490e3ca13656.yaml |  5 ++
releasenotes/notes/pxe-acl-26f3be809caa0c88.yaml   |  4 ++
.../notes/releasenote-341a5eebe6168aea.yaml        | 13 +++++
.../notes/releasenote-94bcb2b0da207f94.yaml        |  7 +++
.../notes/selinux-lnk_file-527ac51c60f9c2ad.yaml   |  5 ++
.../notes/tftp-context-6f918743ba9052b0.yaml       |  4 ++
scripts/install-deps.sh                            | 14 ++++--
30 files changed, 276 insertions(+), 33 deletions(-)

More information about the Release-announce mailing list