We are stoked to announce the release of: bifrost 8.1.1: Deployment of physical machines using OpenStack Ironic and Ansible This release is part of the ussuri stable release series. The source is available from: https://opendev.org/openstack/bifrost Download the package from: https://tarballs.openstack.org/bifrost/ Please report issues through: https://storyboard.openstack.org/#!/project/openstack/bifrost For more details, please see below. 8.1.1 ^^^^^ Upgrade Notes ************* * Bifrost no longer adds ironic and ironic-inspector endpoints to the public firewalld zone, the operator has to do it explicitly if external access is expected. * Adds the explicit setting of file access permissions to get_url calls in bifrost ansible playbooks to ensure that the contents of "/httpboot" are world-readable independently of which Ansible version is in use. Bug Fixes ********* * Fixes fast-track deployment after inspection/discovery by providing the correct ironic API URL to the ramdisk. * Fixes deployment in a testing environment on CentOS 8 by using firewalld instead of iptables to enable access from nodes to ironic. * Automatically enables DHCP and TFTP services in firewalld on CentOS/RHEL. * Instead of modifying the "public" firewalld zone, creates a new zone "bifrost" and puts the "network_interface" in it. Set "firewalld_internal_zone=public" to revert to the previous behavior. * Makes "/var/lib/ironic" and its images subdirectories readable by nginx. This is required for using the images cache. * Fixes ACL of PXE and iPXE boot files to make sure they are world- readable. * Resolves the issue with ansible versions 2.9.12 and 2.8.14 where implicit setting of file permissions on files downloaded with get_url calls results in overly restrictive permissions. This leads to access denied while attempting to read the contents of "/httpboot" and results in failed deployments. * Removing dependency on libselinux-python for Fedora OS family. This package is no longer present in Fedora 32 and was causing installation failures. It is safe to remove as it is used with python2 only. * On systems with SELinux enforcing, enables nginx to read symbolic links. Fixes network boot of instances. * Adds correct SELinux context for "/tftpboot". Changes in bifrost 8.1.0..8.1.1 ------------------------------- 829e670 Fix install on systems without systemd 924534a Create our own firewalld zone and use it on real bare metal d900a76 Make /var/lib/ironic/{,images,master_images} readable by nginx 49de1f9 Add correct SELinux context for /tftpboot and fix map-file ACL 5db92e3 Explicitly set permissions on /httpboot contents 3348099 Explicitly enable DHCP services on baremetal CentOS/RHEL 55f7ad3 Use firewalld to open ports on CentOS and RHEL. b3b4b85 Make the iPXE and PXE boot files world-readable 1877ad5 bifrost_inventory: use stderr for logging 334c309 selinux: allow nginx to read symbolic links d371d2d Removing libselinux-python package from Fedora dependencies dc87231 Do not use 'sudo pip install' when venv is used 1070784 Fix bifrost_venv_dir default assignment 37a9205 install-deps: install setuptools early for Debian 98442ec Fix fast-track deployment after discovery/inspection 8b3f75a Install packages all at once instead of looping over them Diffstat (except docs and test files) ------------------------------------- bifrost/inventory.py | 1 + .../bifrost-create-dib-image/defaults/main.yml | 2 +- .../bifrost-create-vm-nodes/defaults/main.yml | 2 +- .../defaults/required_defaults_Fedora.yml | 2 +- .../roles/bifrost-create-vm-nodes/tasks/main.yml | 3 +- .../roles/bifrost-ironic-install/defaults/main.yml | 4 +- .../defaults/required_defaults_Fedora.yml | 1 - .../defaults/required_defaults_RedHat_family.yml | 2 + .../bifrost-ironic-install/files/ironic_policy.te | 4 +- .../bifrost-ironic-install/tasks/bootstrap.yml | 45 ++++++++++++++++- .../tasks/create_tftpboot.yml | 57 ++++++++++++++++++---- .../tasks/download_ipa_image.yml | 22 ++++++++- .../bifrost-ironic-install/tasks/get_ipxe.yml | 6 +++ .../tasks/inspector_bootstrap.yml | 18 ++++++- .../roles/bifrost-ironic-install/tasks/install.yml | 6 +-- .../tasks/setup_firewalld.yml | 50 +++++++++++++++++++ .../templates/inspector-default-boot-ipxe.j2 | 2 +- .../bifrost-keystone-install/defaults/main.yml | 2 +- .../bifrost-keystone-install/tasks/install.yml | 3 +- .../fast-track-inspection-a28a062e86f06190.yaml | 5 ++ releasenotes/notes/firewalld-d53c6396828b91ee.yaml | 5 ++ .../notes/firewalld-services-4c255c02d8d427f8.yaml | 4 ++ .../notes/firewalld-zone-d8c72fb5924a4916.yaml | 11 +++++ .../notes/images-permissions-2042490e3ca13656.yaml | 5 ++ releasenotes/notes/pxe-acl-26f3be809caa0c88.yaml | 4 ++ .../notes/releasenote-341a5eebe6168aea.yaml | 13 +++++ .../notes/releasenote-94bcb2b0da207f94.yaml | 7 +++ .../notes/selinux-lnk_file-527ac51c60f9c2ad.yaml | 5 ++ .../notes/tftp-context-6f918743ba9052b0.yaml | 4 ++ scripts/install-deps.sh | 14 ++++-- 30 files changed, 276 insertions(+), 33 deletions(-)