We are pleased to announce the release of:

bifrost 13.0.0: Deployment of physical machines using OpenStack Ironic
and Ansible

This release is part of the yoga release series.

The source is available from:

    https://opendev.org/openstack/bifrost

Download the package from:

    https://tarballs.openstack.org/bifrost/

Please report issues through:

    https://storyboard.openstack.org/#!/project/openstack/bifrost

For more details, please see below.

13.0.0
^^^^^^

New Features
************

* Adds support for setting the root filesystem's UUID that can be
  deployed on top of a software RAID based root disk device.

* Bifrost now starts a single Ironic process rather than separate API
  and conductor.

* The "bifrost-cli install" command now generates an environment file
  ("bifrost-install-env.json" by default, can be changed with the
  "--output" argument) with the variables used during installation.

* Adds basic support for running bifrost on CentOS Stream 9.

* Adds a boolean variable "enable_epel" that allows enabling the EPEL
  repository for CentOS Stream 8/9. Since we need that only when
  building a debian-based IPA image, the default value is set to
  "install_dib" and its installation depends on the value of the
  dib_os_element used.

* TLS (when enabled) is now handled by Nginx in proxy mode rather than
  by the services themselves.

Known Issues
************

* A bug in the upgrade logic could leave the old "ironic-api" and
  "ironic-conductor" services running. It has been fixed, but if you
  have already upgraded to an affected version, you need to stop the
  services manually using "systemctl".

Upgrade Notes
*************

* On upgrade, the existing API and conductor services will be disabled
  and a single combined "ironic" process will be started instead.

* In your inventory files, please remove sub-sections "power",
  "console" and "management" from "driver_info". Instead, just place
  all fields under "driver_info" directly.

* Removes the deprecated Ansible module "os_ironic_facts".

* JSON RPC is now available only on localhost and without TLS. If you
  need it exposed to the network (i.e. you're using Bifrost in a
  multi-node setting), set "expose_json_rpc" to "true".

* The location of the HTTP boot directory has been changed to
  "/var/lib/ironic/httpboot". Please avoid running cleanings or
  deployments during the upgrade, otherwise PXE booting may fail until
  Ironic rebuilds the iPXE configuration.

  Any custom images will not be migrated from the old location
  "/httpboot", please migrate them manually if needed. You may remove
  the old location after the upgrade.

* TinyIPA (an IPA image based on TinyCoreLinux) is no longer used by
  default. Instead, a CentOS image published by the Ironic community
  (https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/)
  is used, unless "use_tinyipa" is set to "true".

  The TinyIPA image is much lighter, but is not suitable for real bare
  metal machines because of lack of drivers.

* The location of the PXE boot directory has been changed to
  "/var/lib/tftpboot".

* Modification to the Bifrost virtual environment
  ("/opt/stack/bifrost" by default) will now need "sudo" as the
  directory is now owned by root.

* The deprecated and non-functioning variable "ANSIBLE_INSTALL_ROOT"
  is no longer supported.

Deprecation Notes
*****************

* CentOS Stream 8 and Python 3.6 support is now deprecated and will be
  best-effort starting with the Z cycle.

Bug Fixes
*********

* Bifrost no longer defaults to using sub-sections "power", "console"
  and "management" under "driver_info" in inventory.

* Password files ("htpasswd") are no longer world-readable.

* Makes sure the image cache directories are on the same filesystem as
  the PXE/HTTP directories to avoid the "Invalid cross-device link"
  error.

* The keystone configuration is no longer world-readable.

* The keystone process now runs as the "keystone" user, not as the
  nginx user.

* The TFTP and HTTP directories are no longer world-readable by
  default. Set "boot_folder_permissions" to override.

* Ironic Prometheus Exporter is now run as the "ironic" user, not as
  root.

* Ironic Prometheus Exporter, Ironic Inspector, Staging Drivers and
  Keystone are no longer cloned if they are not enabled.

* Actually respects the "prometheus_exporter_source_install" variable.

* The Bifrost virtual environment ("/opt/stack/bifrost" by default) is
  no longer owned (and thus writable) by the regular user that started
  the installation.

Changes in bifrost 12.0.0..13.0.0
---------------------------------

bb43fd8b Fix dib ipa jobs
9941e443 CI: properly report failures in the upgrade job
72ee1ff4 Only remove old services after they are stopped
629bf522 Update /etc/keystone ownership on upgrade from Xena
2d5026da CI: properly publish artifacts for the upgrade job
6323ae77 Revert "Install libvirt-python from source instead of a wheel"
f2825ad1 Enable epel repository only when needed
909c0405 Add dhcp, vmedia and dibipa CentOS Stream 9 jobs
6a10fcd2 CI: store bifrost.log as a Zuul artifact
7307ba28 Use Type=notify in systemd units for services
fa3c10c0 bindep: don't try to install epel-release on fedora
1f0662bc Remove deprecated os_ironic_facts
73df7ea1 Stop using sub-sections of driver_info
4cb0395d Make virtual environment owned by root
1cb49d7a Clean up the new architecture docs
ba2d0a40 Do not clone repositories that are not used
d2897574 Add CentOS Stream 9 keystone integration job
96ff3df0 Do not run ironic-prometheus-exporter as root
77f45dd3 Tighten permissions on keystone directories
f23369c2 Start Bifrost Architecture documentation
fc2e9e1c Change the TFTP directory to /var/lib/tftpboot
3cb96f1b Tighten permissions for PXE directories
786f8e10 Do not make password files world-readable
747d7750 Follow up to "Run bifrost on CentOS Stream 9"
03b56cf5 Run bifrost on CentOS Stream 9
9b83665d Generate an environment file during bifrost-cli install
40842895 Clean up the "How to" documentation
779e4d8a Move /httpboot to /var/lib/ironic
efe81e99 Remove configuration for ironic-agent element
eed8f33a Install pip package in dib based images
30ea9714 Change the default image to a DIB-built one
f284b98d [trivial] add python 3.9 in classifier
5bb8253d Use "none" RPC by default, disable JSON RPC
ea2d2a37 Use the combined Ironic service instead of API+conductor
f30cc865 Terminate TLS on Nginx
3b613719 Stop exposing JSON RPC to the whole network
b8833c5a Add support for root filesystem UUID customisation

Diffstat (except docs and test files)
-------------------------------------

.gitignore | 1 +
ansible-collections-requirements.yml | 2 +-
bifrost/cli.py | 31 +++-
bifrost/inventory.py | 14 +-
bindep.txt | 4 +-
playbooks/ci/post.yaml | 20 +++
playbooks/ci/upgrade.yaml | 14 +-
playbooks/install.yaml | 1 +
playbooks/inventory/baremetal.json.example | 26 ++-
playbooks/inventory/baremetal.yml.example | 24 ++-
playbooks/inventory/group_vars/baremetal | 2 +-
playbooks/inventory/group_vars/localhost | 2 +-
playbooks/inventory/group_vars/target | 2 +-
playbooks/library/os_ironic_facts.py | 1 -
playbooks/library/os_ironic_node_info.py | 14 +-
.../bifrost-configdrives-dynamic/defaults/main.yml | 2 +-
.../bifrost-create-dib-image/defaults/main.yml | 1 +
.../roles/bifrost-create-dib-image/tasks/main.yml | 5 -
.../defaults/required_defaults_CentOS.yml | 1 -
.../bifrost-create-vm-nodes/tasks/create_vm.yml | 17 +-
.../roles/bifrost-create-vm-nodes/tasks/main.yml | 6 +
.../tasks/prepare_libvirt.yml | 12 +-
.../templates/redfish-emulator.service.j2 | 2 +-
.../roles/bifrost-deploy-nodes-dynamic/README.md | 15 +-
.../bifrost-deploy-nodes-dynamic/defaults/main.yml | 2 +-
.../bifrost-deploy-nodes-dynamic/tasks/main.yml | 1 +
.../roles/bifrost-ironic-install/defaults/main.yml | 10 +-
.../bifrost-ironic-install/tasks/bootstrap.yml | 68 ++++---
.../tasks/create_tftpboot.yml | 20 ++-
.../tasks/inspector_bootstrap.yml | 20 ++-
.../roles/bifrost-ironic-install/tasks/install.yml | 33 +++-
.../roles/bifrost-ironic-install/tasks/start.yml | 28 ++-
.../templates/ironic-inspector.conf.j2 | 8 +-
.../ironic-prometheus-exporter.service.j2 | 4 +-
.../templates/ironic.conf.j2 | 18 +-
.../templates/nginx_conf.d_bifrost-ironic.conf.j2 | 35 ++++
.../templates/systemd_template.j2 | 9 +-
.../bifrost-keystone-install/defaults/main.yml | 5 -
.../files/keystone_policy.te | 3 +
.../bifrost-keystone-install/tasks/bootstrap.yml | 17 +-
.../templates/uwsgi-keystone.ini.j2 | 1 +
.../bifrost-prep-for-install/defaults/main.yml | 11 +-
.../roles/bifrost-prep-for-install/tasks/main.yml | 4 +
.../tasks/main.yml | 9 +
.../bifrost-uwsgi-install/tasks/bootstrap.yml | 8 +
.../templates/uwsgi@.service.j2 | 5 +-
playbooks/roles/ironic-enroll-dynamic/README.md | 18 +-
.../roles/ironic-enroll-dynamic/tasks/main.yml | 3 +-
...d-support-for-rootfs-uuid-9c332327954f7580.yaml | 5 +
releasenotes/notes/allinone-5fc5355f46192351.yaml | 9 +
.../bifrost-install-env-c424fe35422ca815.yaml | 6 +
releasenotes/notes/centos9-16c9853d1dd0554b.yaml | 8 +
.../notes/conditional-epel-b52ad3ad29f195f5.yaml | 8 +
.../notes/driver-info-5281b1ec920bd44d.yaml | 10 ++
releasenotes/notes/facts-1a84f77291c7d39d.yaml | 4 +
.../notes/global-rpc-b399d65310367951.yaml | 6 +
.../notes/htpasswd-perm-7754c0be7cc676e1.yaml | 4 +
releasenotes/notes/httpboot-f3891f6343c96914.yaml | 15 ++
.../notes/keystone-perm-4ce28fff2edd677a.yaml | 7 +
.../libvirt-not-importable-c8e88a8ef11a1f09.yaml | 5 -
.../notes/nginx-proxy-a4aa77ff045060be.yaml | 5 +
.../notes/no-tinyipa-8d18f3b21dbb9fe9.yaml | 10 ++
releasenotes/notes/perm-8b4236c6eddf1f1f.yaml | 5 +
.../notes/prometheus-user-e75a43f1b13e0049.yaml | 4 +
.../notes/service-upgrade-54fda4d86e9d7575.yaml | 7 +
releasenotes/notes/tftpboot-b7f448c1eb0b8187.yaml | 5 +
.../notes/unused-repos-af1949f7bbeca5e6.yaml | 7 +
.../notes/venv-owner-30669e2f5cffef2f.yaml | 13 ++
scripts/collect-test-info.sh | 13 +-
scripts/env-setup.sh | 22 +--
scripts/install-deps.sh | 12 +-
scripts/test-bifrost.sh | 12 +-
setup.cfg | 1 +
tools/vagrant_dev_env/Vagrantfile | 14 +-
tools/vagrant_dev_env/vagrant.yml | 4 -
zuul.d/bifrost-jobs.yaml | 37 +++-
zuul.d/project.yaml | 12 +-
86 files changed, 948 insertions(+), 333 deletions(-)
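
Several of the bug fixes above tighten file permissions and ownership.
The following audit is an added example, not part of the announcement
or of Bifrost's own code: it lists paths still readable by "other"
users under the directories named above and checks that the virtual
environment is root-owned. The htpasswd path is a placeholder, since
the announcement does not give its location.

```python
import os
import stat

# Paths taken from the release notes above. The htpasswd location is not
# given there, so HTPASSWD is a placeholder to replace with your own path.
HTPASSWD = "/path/to/htpasswd"
SECRET_PATHS = ["/etc/keystone", "/var/lib/tftpboot",
                "/var/lib/ironic/httpboot", HTPASSWD]
VENV = "/opt/stack/bifrost"


def world_readable(top):
    """Return paths at or under `top` that a user outside owner/group can read."""
    exposed, stack = [], [top]
    while stack:
        path = stack.pop()
        try:
            st = os.stat(path)
        except OSError:
            continue  # missing path or dangling symlink: nothing to report
        if st.st_mode & stat.S_IROTH:
            exposed.append(path)
        # Children are reachable only when "other" may traverse the directory
        # (o+x); symlinked directories are not followed, which avoids loops.
        if (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IXOTH
                and not os.path.islink(path)):
            try:
                stack.extend(os.path.join(path, n) for n in os.listdir(path))
            except OSError:
                pass  # unreadable by the auditing user; run the audit as root
    return sorted(exposed)


def not_owned_by(top, uid=0):
    """Return paths at or under `top` not owned by `uid`, or writable by others."""
    bad = []
    for dirpath, _dirs, files in os.walk(top):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            other_write = st.st_mode & stat.S_IWOTH and not stat.S_ISLNK(st.st_mode)
            if st.st_uid != uid or other_write:
                bad.append(path)
    return sorted(bad)


if __name__ == "__main__":
    for top in SECRET_PATHS:
        for path in world_readable(top):
            print(f"world-readable: {path}")
    for path in not_owned_by(VENV):
        print(f"not root-owned or world-writable: {path}")
```

Run it as root after upgrading. Findings under the TFTP and HTTP
directories are expected if "boot_folder_permissions" was set to
something more permissive than the default.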