We are jazzed to announce the release of: bifrost 8.3.0: Deployment of physical machines using OpenStack Ironic and Ansible This release is part of the victoria release series. The source is available from: https://opendev.org/openstack/bifrost Download the package from: https://tarballs.openstack.org/bifrost/ Please report issues through: https://storyboard.openstack.org/#!/project/openstack/bifrost For more details, please see below. 8.3.0 ^^^^^ New Features ************ * Adds support for configuring credential-less deploy via the new "agent" power interface and the "manual-management" hardware type. * Extra parameters for ansible can now be passed to "bifrost-cli" via the "-e"/"--extra-vars" flag. The format is the same as for ansible- playbook. * Metadata cleaning is now enabled by default, set "cleaning" to "false" to disable completely. * To enable full disk cleaning, set "cleaning_disk_erase" to "true". * The new parameter "default_boot_mode" allows specifying the default boot mode: "uefi" or "bios". * Set the new parameter "developer_mode" to "true" to make all packages installed from source to be installed with the "--editable" flag. The corresponding "bifrost-cli" argument is "--develop". * The new variable "git_url_root" allows overriding the root URL for all repositories (e.g. changing the default "https://opendev.org" to a local path). * HTTP basic authentication for API services is now supported in addition to no authentication and Keystone. It is triggered by setting "noauth_mode=false" with "enable_keystone=false". * Installations with "bifrost-cli" now use HTTP basic authentication if Keystone is disabled. * The ramdisk logs for inspection are now stored by default in "/var/log/ironic-inspector/ramdisk". * If "keystone_lockout_security_attempts" is enabled, the amount of time the account stays locked is now regulated by the new parameter "keystone_lockout_duration" (defaulting to 1800 seconds). * Deploy/cleaning ramdisk logs are now always stored by default, use "ironic_store_ramdisk_logs" to override. * Added creation of a symbolic link from $VENV/collections directory which contains ansible collections to the playbooks subdirectory of bifrost. This is done in the env-setup.sh script. * The "bifrost-create-vm-nodes" role now supports redfish emulation, set "test_vm_node_driver=redfish" (or "--driver=redfish" for "bifrost-cli testenv") to use. * The new parameter "default_boot_mode" allows specifying the default boot mode: "uefi" or "bios". Upgrade Notes ************* * The variable "ci_testing" is no longer taken into account by the roles. Use the existing "copy_from_local_path" if you need Bifrost to copy repositories from their pre-cached locations. * If you use "cleaning=true" to enable full disk cleaning, you need to also set "cleaning_disk_erase=true" now. Omitting it will result in only metadata cleaning enabled. * All services now use *journald* logging by default, "ironic- api.log" and "ironic-conductor.log" are no longer populated. Use "ironic_log_dir" and "inspector_log_dir" to override. * The ramdisk logs for deploy/cleaning are now by default stored in "/var/log/ironic/deploy". * The "inspector_user" user is not created by default any more. Use "bifrost_user" instead. * If you're relying on default passwords (e.g. for the database or keystone passwords), they will be changed on upgrade. Please use explicit values if you want to avoid it. * OpenStackSDK is now installed from PyPI by default, set "openstacksdk_source_install=true" to override. * Previously installation used to be skipped completely if the "skip_install" variable is defined, independent of its value. This has been fixed, and now installation is only skipped if "skip_install" is defined and equals "true". Deprecation Notes ***************** * Deprecates providing inspector discovery parameters via "inspector[discovery]", use explicit variables instead. * Bifrost will switch to HTTP basic authentication by default in the future. If you want to avoid it, please set "noauth_mode" to "false" explicitly. * The "ironic_db_password" parameter is deprecated, please use "service_password" to set a password to use between services or override the whole "ironic" and "keystone" objects. Security Issues *************** * Uses mode 0700 for the inspector log directories to prevent them from being world readable. * When using Keystone, no longer locks users out of their accounts on 3 unsuccessful attempts to log in. This creates a very trivially exploitable denial-of-service issue. Use "keystone_lockout_security_attempts" to re-enable (not recommended). * Uses mode 0700 for the ironic log directories to prevent them from being world readable. * Random passwords are now generated by default instead of using a constant. The same parameters as before can be used to override them. Bug Fixes ********* * No longer clones repositories with corresponding "*_source_install" variables set to "false". * Ironic Staging Drivers are now installed from source by default since they are released very infrequently (usually once per cycle). * The addition of the symbolic link makes bifrost playbooks independent of the ANSIBLE_COLLECTIONS_PATHS environment variable which wasn't reliably set in some environments. * Removing dependency on libselinux-python for Fedora OS family. This package is no longer present in Fedora 32 and was causing installation failures. It is safe to remove as it is used with python2 only. * On systems with SELinux enforcing, enables nginx to read symbolic links. Fixes network boot of instances. Other Notes *********** * The role "bifrost-openstack-ci-prep" has been removed. It was only used in the upstream CI context and is no longer required. * The variable "ci_testing_zuul" is no longer used or set. * The version of cirros used by default is now 0.5.1 (instead of 0.4.0). * Bifrost now uses the equivalent modules from the openstack.cloud collection. The change on modules is listed below. * *os_client_config* is *config* * *os_ironic* is *baremetal_node* * *os_ironic_inspect* is *baremetal_inspect* * *os_ironic_node* is *baremetal_node_action* * *os_keystone_role* is *identity_role* * *os_keystone_service* is *catalog_service* * *os_user* is *identity_user* * *os_user_role* is *role_assignment* Changes in bifrost 8.2.0..8.3.0 ------------------------------- bcda97b Support HTTP basic auth and switch bifrost-cli to it 02fb11f Support redfish emulation and run the keystone jobs with redfish 9f62bc9 Support default_boot_mode and prepare the CI for different boot modes a52b831 Change to "collections" where needed 73d71b2 Clean up bindep.txt d6f0551 Dynamic roles: consolidate auth parameters in one place 1dc4564 Add developer mode to bifrost da35932 Clean up requirements 0d3cf24 Install openstacksdk from pypi by default 77d09f0 Remove upstart templates 33a63bc Make ironic logging more in line with other services. e816543 Add non-voting jobs with the openstack ansible collection from source 42f6d94 Consolidate env-setup 29cbe1b Support installing the openstack collection from a local location fbb66d1 Add ansible collections symlink to .gitignore 2a6fc72 Use random passwords by default 90ec389 Switch bifrost to openstack.cloud collections 1606aad Store inspector ramdisk logs by default 112932d Enable debug logging in virtualbmc 92ec342 Correct handling of inspect_nodes in test-bifrost.yaml ac2c136 bifrost_inventory: use stderr for logging c331093 Create symlink to ansible collections on install 3c5377c Auto-set ansible_python_interpreter when in venv 3657bf7 Support configuring credential-less deploy 716f0fe Disable keystone account locking by default 639d9a5 Make ansible ask for sudo password b67115d Support extra-vars in bifrost-cli e3f5984 Expand advanced install instructions e03d187 Update to cirros 0.5.1 d5b49bd Enable metadata cleaning by default fc2b247 Make skip_install a normal boolean variable 8210ff3 selinux: allow nginx to read symbolic links 6610cf4 Rework installation documentation for an easier start df9c0d4 Set min version of tox to 3.2.1 f4f456d Removing libselinux-python package from Fedora dependencies a47db1e Account for bugfix branches in bifrost-cli 9e9249c Add git_url_root to override root for all repositories at once ab69cca Get rid of ci_testing variable in roles 9b1d1d5 Do not clone repos with source_install==false 12bbea5 Remove bifrost-openstack-ci-prep role Diffstat (except docs and test files) ------------------------------------- .gitignore | 1 + ...nts.yml => ansible-collections-requirements.yml | 0 bifrost/cli.py | 50 +++- bifrost/inventory.py | 1 + bindep.txt | 13 +- lower-constraints.txt | 7 +- playbooks/ci/run.yaml | 3 + playbooks/install.yaml | 3 +- playbooks/inventory/group_vars/localhost | 4 +- playbooks/inventory/group_vars/target | 4 +- playbooks/redeploy-dynamic.yaml | 1 - playbooks/roles/bifrost-cloud-config/README.md | 89 +++++++ .../roles/bifrost-cloud-config/defaults/main.yml | 2 + .../roles/bifrost-cloud-config/tasks/main.yml | 62 +++++ .../bifrost-configdrives-dynamic/defaults/main.yml | 8 +- .../tasks/update_facts_from_ironic.yaml | 26 +- .../defaults/main.yml | 5 + .../bifrost-create-dib-image/defaults/main.yml | 1 + .../bifrost-create-vm-nodes/defaults/main.yml | 10 +- .../defaults/required_defaults_CentOS.yml | 1 + .../defaults/required_defaults_Debian.yml | 3 + .../defaults/required_defaults_Fedora.yml | 3 +- .../defaults/required_defaults_RedHat.yml | 1 + .../defaults/required_defaults_Suse.yml | 3 + .../defaults/required_defaults_Ubuntu_20.04.yml | 3 + .../bifrost-create-vm-nodes/tasks/create_vm.yml | 12 +- .../roles/bifrost-create-vm-nodes/tasks/main.yml | 11 +- .../tasks/prepare_libvirt.yml | 68 +++++- .../templates/redfish-emulator.conf.j2 | 11 + .../templates/redfish-emulator.service.j2 | 15 ++ .../templates/virtualbmc.conf | 2 + .../roles/bifrost-deploy-nodes-dynamic/README.md | 2 +- .../bifrost-deploy-nodes-dynamic/defaults/main.yml | 7 +- .../bifrost-deploy-nodes-dynamic/tasks/main.yml | 29 +-- playbooks/roles/bifrost-ironic-install/README.md | 29 ++- .../roles/bifrost-ironic-install/defaults/main.yml | 128 +++++----- .../defaults/required_defaults_Debian_family.yml | 1 + .../defaults/required_defaults_Fedora.yml | 2 +- .../defaults/required_defaults_RedHat_family.yml | 1 + .../defaults/required_defaults_Suse_family.yml | 1 + .../defaults/required_defaults_Ubuntu.yml | 1 + .../bifrost-ironic-install/files/ironic_policy.te | 4 +- .../bifrost-ironic-install/tasks/bootstrap.yml | 59 +++-- .../bifrost-ironic-install/tasks/hw_types.yml | 8 + .../tasks/inspector_bootstrap.yml | 43 +++- .../roles/bifrost-ironic-install/tasks/install.yml | 8 +- .../tasks/keystone_setup.yml | 15 +- .../tasks/keystone_setup_inspector.yml | 11 +- .../templates/ironic-inspector.conf.j2 | 23 +- .../templates/ironic.conf.j2 | 58 ++++- .../templates/upstart_template.j2 | 10 - .../defaults/main.yml | 18 ++ .../templates/clouds.yaml.j2 | 23 +- .../templates/openrc.j2 | 25 +- .../bifrost-keystone-install/defaults/main.yml | 25 +- .../bifrost-keystone-install/tasks/install.yml | 2 +- .../roles/bifrost-keystone-install/tasks/main.yml | 26 ++ .../templates/keystone.conf.j2 | 5 +- .../templates/upstart_template.j2 | 10 - .../roles/bifrost-openstack-ci-prep/README.md | 80 ------- .../bifrost-openstack-ci-prep/defaults/main.yml | 3 - .../roles/bifrost-openstack-ci-prep/meta/main.yml | 15 -- .../roles/bifrost-openstack-ci-prep/tasks/main.yml | 49 ---- .../roles/bifrost-pip-install/defaults/main.yml | 3 + playbooks/roles/bifrost-pip-install/tasks/main.yml | 7 +- playbooks/roles/bifrost-prep-for-install/README.md | 20 +- .../bifrost-prep-for-install/defaults/main.yml | 47 +++- .../roles/bifrost-prep-for-install/tasks/main.yml | 4 +- .../defaults/main.yml | 5 + playbooks/roles/bifrost-rabbitmq/defaults/main.yml | 5 + .../defaults/main.yml | 7 +- .../tasks/main.yml | 25 +- .../roles/ironic-delete-dynamic/defaults/main.yml | 6 +- .../roles/ironic-delete-dynamic/tasks/main.yml | 24 +- .../roles/ironic-enroll-dynamic/defaults/main.yml | 8 +- .../roles/ironic-enroll-dynamic/tasks/main.yml | 22 +- .../roles/ironic-inspect-node/defaults/main.yml | 5 + playbooks/roles/ironic-inspect-node/tasks/main.yml | 42 +--- playbooks/test-bifrost-create-vm.yaml | 7 +- playbooks/test-bifrost.yaml | 49 +--- .../notes/agent-power-0773acb338ae4169.yaml | 9 + .../notes/bifrost-cli-extra-19fd989a05b2e4b4.yaml | 6 + ...bifrost-openstack-ci-prep-172cbb159e0a2b78.yaml | 5 + .../notes/ci-testing-faa63db25ebc94df.yaml | 9 + .../notes/cirros-0.5.1-d09a433cbea1a3b9.yaml | 4 + releasenotes/notes/cleaning-9b4241342320f315.yaml | 12 + .../notes/default-boot-mode-5561325f68224719.yaml | 5 + .../notes/developer-mode-000e7a125642b9e1.yaml | 6 + .../notes/git-url-root-c81478d395f66e46.yaml | 6 + .../notes/http-basic-40df399ea63956aa.yaml | 14 ++ .../inspector-ramdisk-logs-0db7c111fd455cec.yaml | 9 + .../notes/keystone-lockout-c8a26a09e0f0560b.yaml | 12 + releasenotes/notes/logging-bcc7d552944c94e4.yaml | 17 ++ releasenotes/notes/no-clone-cebedc81211dcfa5.yaml | 8 + .../notes/random-passwords-b33b8de010ee82b6.yaml | 18 ++ .../notes/releasenote-4812959d071329fc.yaml | 11 + .../notes/releasenote-94bcb2b0da207f94.yaml | 7 + .../notes/sdk-source-1bd77dbd11b08577.yaml | 5 + .../notes/selinux-lnk_file-527ac51c60f9c2ad.yaml | 5 + .../notes/skip-install-bfd642f5065cf304.yaml | 7 + ...h_to_openstack_collection-a6eb3e24a68a1a82.yaml | 14 ++ .../notes/test-redfish-54ed748e2305d8eb.yaml | 9 + requirements.txt | 7 +- scripts/collect-test-info.sh | 27 +-- scripts/env-setup.sh | 45 ++-- scripts/test-bifrost.sh | 33 ++- test-requirements.txt | 4 - tox.ini | 2 +- zuul.d/bifrost-jobs.yaml | 14 +- zuul.d/project.yaml | 4 + 114 files changed, 1333 insertions(+), 715 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index 7531fba..70f3ed9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7 +7,4 @@ oslo.log>=3.36.0 # Apache-2.0 -paramiko>=2.0.0 # LGPLv2.1+ +PyYAML>=3.12 # MIT +passlib>=1.7.2 # BSD +# TODO(dtantsur): remove pyOpenSSL when we no longer support Bionic and +# openSUSE updates its version to at least 18.0.0. @@ -9 +12 @@ pyOpenSSL>=18.0.0 # Apache-2.0 -setuptools!=24.0.0,!=34.0.0,!=34.0.1,!=34.0.2,!=34.0.3,!=34.1.0,!=34.1.1,!=34.2.0,!=34.3.0,!=34.3.1,!=34.3.2,!=36.2.0,>=21.0.0 # PSF/ZPL +setuptools!=48.0.0,!=49.0.0,>=39.0.1 # PSF/ZPL diff --git a/test-requirements.txt b/test-requirements.txt index 08571a1..d9fdd01 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -9 +8,0 @@ doc8>=0.6.0 # Apache-2.0 -oslotest>=3.2.0 # Apache-2.0 @@ -11,2 +9,0 @@ stestr>=2.0.0 # Apache-2.0 -testrepository>=0.0.18 # Apache-2.0/BSD -testscenarios>=0.4 # Apache-2.0/BSD @@ -14 +10,0 @@ testtools>=2.2.0 # MIT -PyYAML>=3.12 # MIT