2023.1 Series Release Notes
2023.1-eom
Deprecation Notes
Support for Fedora is no longer tested in the CI and will be removed from the code in the near future.
Bug Fixes
Fixes the lack of log rotation for Ironic logs by adding a role which installs and configures the logrotate service.
Fixes an issue where online data migrations were not performed in the default Bifrost configuration where localhost is used as the database address. See LP#2036772 for details.
16.0.0
New Features
Bifrost now introduces the user_data_content variable, which allows the user to provide a custom cloud-config file. For example:

    user_data_content: |
      users:
        - name: myuser
          sudo: ALL=(ALL) NOPASSWD:ALL
          shell: /bin/bash
          passwd: <HASH_OF_MY_PASSWORD>
          lock_passwd: false
      timezone: "Europe/Paris"

It is now possible to do a PXE network boot with grub as an alternative to iPXE. Grub is loaded via the signed shim, so it may allow end-to-end automated deployments with secure-boot enabled.
To use grub network boot, deploy bifrost with variable default_boot_interface set to pxe and use the pxe boot interface when deploying nodes.
Ubuntu Jammy (22.04) is now supported as a base operating system.
Upgrade Notes
The variable enable_uefi_ipxe has been removed; instead, enabled_boot_interfaces is checked for containing ipxe.
15.0.0
New Features
Ansible 5.x is now supported and used by default.
Upgrade Notes
Removes support for any distributions using Python 3.6 since OpenStack no longer supports it. This includes:
CentOS Stream 8, RHEL 8 and derivatives.
OpenSUSE Leap 15 (all minor versions).
Debian 10 “Buster”.
Ubuntu 18.04 “Bionic”.
Bifrost does not support Python 3.6 and 3.7 anymore, please use version 3.8 or higher.
Deprecation Notes
The variable include_dhcp_server has been renamed to enable_dhcp for consistency with other variables.
The os_ironic_node_info ansible module has been deprecated. Please use openstack.cloud.baremetal_node_info instead.
Bug Fixes
Fixes an issue where the MariaDB database tables were not repaired following an upgrade of MariaDB.
Bifrost no longer installs GRUB2 and shim on the host system, avoiding potential issues with a local bootloader.
An issue has been fixed where enforcing SELinux resulted in files in tftp_boot_folder not being readable by dnsmasq. This has been fixed by ensuring files in ironic_tftp_master_path have the SELinux context tftpdir_t.
Fixes the redeploy-dynamic playbook to work with TLS and other non-default cloud settings.
Fixes upgrade from Yoga with Keystone enabled by keeping the Yoga version of openstacksdk until ansible-collections-openstack releases version 2.0.0.
14.0.0
New Features
Adds a new CLI command ./bifrost-cli deploy that runs the deploy playbook, optionally specifying a custom image.
Adds a new way to specify a custom image for the bifrost-deploy-nodes-dynamic role by setting the new parameters deploy_image_source and deploy_image_checksum.
Allows customizing the configdrive URL or JSON for the bifrost-deploy-nodes-dynamic role by setting the new parameter deploy_config_drive.
Upgrade Notes
The parameters network_mtu, ipv4_nameserver and ipv4_gateway no longer have default values. If needed, specify them explicitly.
When TLS is enabled, Ironic and Inspector now serve their API via unix sockets in the /run/ironic directory instead of private TCP ports on localhost. The public API is served by Nginx.
Deprecation Notes
The deploy_image parameter of the bifrost-deploy-nodes-dynamic role is deprecated in favour of deploy_image_path.
Bug Fixes
When several SSH public keys are available, prefers modern algorithms rather than RSA. This fixes logging in Cirros on CentOS 9.
Fixes the Bifrost inventory plugin to not set the network_interface variable since it conflicts with Bifrost’s variable of the same name, which has a different meaning.
Fixes bifrost-configdrives-dynamic and bifrost-deploy-nodes-dynamic when uuid is not set in the inventory file.
13.0.0
New Features
Adds support for setting root filesystem’s UUID that can be deployed on top of software RAID based root disk device.
Bifrost now starts a single Ironic process rather than separate API and conductor.
The bifrost-cli install command now generates an environment file (bifrost-install-env.json by default, can be changed with the --output argument) with the variables used during installation.
Adds basic support for running bifrost on CentOS Stream 9.
Adds a boolean variable enable_epel that allows enabling the EPEL repository for CentOS Stream 8/9. Since it is needed only when building a Debian-based IPA image, the default value is set to install_dib and its installation depends on the value of the dib_os_element used.
TLS (when enabled) is now handled by Nginx in proxy mode rather than services themselves.
Known Issues
A bug in the upgrade logic could leave the old ironic-api and ironic-conductor services running. It has been fixed, but if you have already upgraded to an affected version, you need to stop the services manually using systemctl.
Upgrade Notes
On upgrade, the existing API and conductor services will be disabled and a single combined ironic process will be started instead.
In your inventory files, please remove sub-sections power, console and management from driver_info. Instead, just place all fields under driver_info directly.
Removes the deprecated Ansible module os_ironic_facts.
JSON RPC is now available only on localhost and without TLS. If you need it exposed to the network (i.e. you’re using Bifrost in a multi-node setting), set expose_json_rpc to true.
The location of the HTTP boot directory has been changed to /var/lib/ironic/httpboot. Please avoid running cleanings or deployments during the upgrade, otherwise PXE booting may fail until Ironic rebuilds the iPXE configuration. Any custom images will not be migrated from the old location /httpboot, please migrate them manually if needed. You may remove the old location after the upgrade.
TinyIPA (an IPA image based on TinyCoreLinux) is no longer used by default. Instead, a CentOS image published by the Ironic community is used, unless use_tinyipa is set to true. The TinyIPA image is much lighter, but is not suitable for real bare metal machines because of lack of drivers.
The location of the PXE boot directory has been changed to /var/lib/tftpboot.
Modifications to the Bifrost virtual environment (/opt/stack/bifrost by default) now need sudo, as the directory is owned by root.
The deprecated and non-functioning variable ANSIBLE_INSTALL_ROOT is no longer supported.
Deprecation Notes
CentOS Stream 8 and Python 3.6 support is now deprecated and will be best-effort starting with the Z cycle.
Bug Fixes
Bifrost no longer defaults to using sub-sections power, console and management under driver_info in inventory.
Password files (htpasswd) are no longer world-readable.
Makes sure the image cache directories are on the same filesystem as the PXE/HTTP directories to avoid the “Invalid cross-device link” error.
The keystone configuration is no longer world-readable.
The keystone process now runs as the keystone user, not as the nginx user.
The TFTP and HTTP directories are no longer world-readable by default. Set boot_folder_permissions to override.
Ironic Prometheus Exporter is now run as the ironic user, not as root.
Ironic Prometheus Exporter, Ironic Inspector, Staging Drivers and Keystone are no longer cloned if they are not enabled.
Actually respects the prometheus_exporter_source_install variable.
The Bifrost virtual environment (/opt/stack/bifrost by default) is no longer owned (and thus writable) by the regular user that started the installation.
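An added example, not part of the Bifrost release notes or code: a POSIX shell audit for the permission hardening listed in the 13.0.0 bug fixes above and in the 8.3.0 security notes. The PREFIX argument, the finding labels and the choice of /var/log/ironic and /var/log/ironic-inspector as the hardened log directories are assumptions; a finding on a boot directory may be intentional if boot_folder_permissions was overridden.

```shell
#!/bin/sh
# Added example (not Bifrost code): check an installed host against the
# permission changes described in the 13.0.0 and 8.3.0 notes.

# True when PATH exists and its "other" read bit is set. "-prune" keeps the
# test on PATH itself instead of descending into it.
world_readable() {
    [ -n "$(find "$1" -prune -perm -0004 -print 2>/dev/null)" ]
}

# True when PATH is owned by the numeric UID given as the second argument.
owned_by_uid() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# audit_bifrost_host [PREFIX] [VENV_UID]
#   PREFIX   prepended to every path, so the audit can run against a mounted
#            image or a test tree (assumption; default is the live root).
#   VENV_UID expected owner of the virtual environment (default 0, root).
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_bifrost_host() {
    prefix=${1:-}
    venv_uid=${2:-0}
    findings=0

    # Directories that should no longer be world-readable. The two log
    # parents are an assumption: the notes name only the ramdisk log
    # subdirectories beneath them.
    for dir in /var/lib/ironic/httpboot /var/lib/tftpboot \
               /var/log/ironic /var/log/ironic-inspector; do
        [ -e "$prefix$dir" ] || continue    # not installed on this host
        if world_readable "$prefix$dir"; then
            echo "WORLD-READABLE $dir"
            findings=$((findings + 1))
        fi
    done

    # 13.0.0: the virtual environment is owned by root, not by the regular
    # user that started the installation.
    venv=/opt/stack/bifrost
    if [ -e "$prefix$venv" ] && ! owned_by_uid "$prefix$venv" "$venv_uid"; then
        echo "UNEXPECTED-OWNER $venv"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage on a live host (run as a user that can stat the paths):
#   audit_bifrost_host || echo "review the findings above"
```

Paths that do not exist are skipped, so the audit can also be run on hosts where a feature was never enabled.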
12.0.0
New Features
Ansible 4 is now supported and used by default.
Debian Bullseye (11.0) is now supported as a base operating system.
Upgrade Notes
A separate Keystone admin service is no longer installed and will be disabled on upgrade. The main Keystone service can be used instead.
Bifrost now uses UEFI by default. Set default_boot_mode to bios or use the --legacy-boot CLI flag to override.
Deprecation Notes
Using legacy boot is deprecated, although we don’t have immediate plans to remove its support. Please consider using UEFI.
Support for distributions using Python 3.6, namely Ubuntu Bionic, Debian 10 “Buster” and openSUSE 15.2/15.3, has been deprecated and may be removed at any moment.
Support for Fedora has been deprecated, please use CentOS Stream 8.
Bug Fixes
Fixes the outdated path of the grub and shim EFI binaries for Red Hat to be under EFI/redhat.
Fixes the iptables rule for PXE on systems not using firewalld (use port UDP/67 and UDP/69 instead of TCP/68 and TCP/69).
Other Notes
No longer installs /etc/ironic/boot.ipxe, relying on the boot script generated by Ironic instead.
The redfish emulator now has authentication enabled by default.
11.2.0
New Features
Adds support for using dnsmasq as a DHCP relay target via the new dhcp_pool_mask parameter.
Automatically configures enabled_raid_interfaces based on the enabled_hardware_types.
Adds support for manually specified enabled raid interfaces via the new enabled_raid_interfaces parameter.
Supports customizing the TFTP directory via the new parameter tftp_boot_folder.
Adds a new role bifrost-uwsgi-install encapsulating uWSGI configuration logic.
Virtual media images are now protected by TLS when TLS support is enabled.
Known Issues
Fedora 34 cryptography settings may prevent it from logging into CirrOS via SSH. CirrOS images should not be used in production. If this problem affects your development environment, temporarily lower the cryptography profile:

    sudo update-crypto-policies --set LEGACY

Upgrade Notes
Fedora 34 is now tested in the CI. Fedora 32 and newer should work, but are not tested any more.
The admin Keystone endpoint will be upgraded from using port 35357 (a separate admin API) to use port 5000 (the default Identity API).
Switches TFTP handling from Xinetd to dnsmasq, which must be enabled for TFTP boot to work.
Keystone services are now run as separate systemd services uwsgi@keystone-public and uwsgi@keystone-admin. The standalone uwsgi service is no longer used and is disabled on upgrade.
If enable_tls is true, virtual media images for Redfish, iDRAC-Redfish and iLO are now served via TLS using the Ironic’s TLS certificate. If this is not desired, set the new option vmedia_enable_tls to false. The new server’s port can be configured via the new file_url_port_tls option.
Deprecation Notes
The separate Keystone admin API (served at port 35357) is deprecated and will be removed in a future release. Please update your applications to refer to port 5000 only for Keystone operations.
Bug Fixes
When copy_from_local_path is used, the destination path is removed on upgrade before copying.
Fixes Fedora 34 support by switching from the removed Xinetd to dnsmasq for TFTP boot.
Fixes support for TLS ca_cert and other current authentication parameters in the os_ironic_node_info module. The implementation uses utilities from the OpenStack Ansible collection.
Other Notes
Moves the generic code for managing Nginx into a new role bifrost-nginx-install.
11.1.0
New Features
Automatically configures enabled_vendor_interfaces based on the enabled_hardware_types.
Adds support for manually specified enabled vendor interfaces via the new enabled_vendor_interfaces parameter.
Automatically configures the required management interface for the ilo5 hardware type.
Adds ipa_download_headers variable to control HTTP headers used when downloading IPA images.
Kernel parameters for the ilo-virtual-media boot interface can now be set via the new ilo_kernel_params variable.
Bug Fixes
Adds the required default kernel parameters for the ilo-virtual-media boot interface.
Installs sushy-oem-idrac when the idrac hardware type is enabled.
11.0.0
Upgrade Notes
Moves installation of package dependencies for Diskimage Builder (DIB) from the bifrost-create-dib-image role to the bifrost-install-ironic role. This provides a cleaner separation between installation and image creation.
Removes support for the deprecated iscsi deploy interface.
Bug Fixes
Fixes a failure when building an Ubuntu image due to a missing squashfs-tools package.
10.2.0
New Features
Adds the --disable-dhcp argument to ./bifrost-cli install to disable the integrated dhcp configuration.
The dynamic DHCP inventory hostsdir is now created and enabled by default, even when inventory_dhcp is false.
Upgrade Notes
An additional DNS hosts directory is no longer created by default in /etc/dnsmasq.d/bifrost.hosts.d when inventory_dhcp is true. Set the new variable dnsmasq_additional_hostsdir to keep the previous behavior (you’ll need dnsmasq_enable_dns=true to actually use it).
Deprecation Notes
The parameter disable_dnsmasq_dns has been deprecated in favor of the new parameter dnsmasq_enable_dns.
Other Notes
No longer passes --no-cache-dir to pip by default.
10.1.0
New Features
Adds a new command bifrost-cli enroll to simplify enrolling nodes.
The ramdisk deploy interface is now enabled by default.
Supports automatically configuring required hardware interfaces for the idrac hardware type. The Redfish implementations are used.
Upgrade Notes
The deprecated iscsi deploy interface is no longer enabled by default, use enabled_deploy_interfaces to override.
Discovery of nodes via the ironic-inspector is now disabled by default. If you wish to enable this, set enable_inspector_discovery to true and re-execute the installation playbook.
Debug logging is now enabled in ironic by default, set the new ironic_debug parameter to false to override.
Bug Fixes
Fixes fast-track after inspection: the fast_track and power_off_after_inspection options are now correctly handled.
Fixes passing parameters with spaces to bifrost-cli.
10.0.0
New Features
Set the new boolean parameter ipa_add_ssh_key to True to enable logging into the ramdisk with the current user’s SSH key. Only works for DIB-based ramdisks built with the dynamic-login element.
Ansible 2.10 is now supported and used by default (2.9 is still supported).
Adds the --uefi argument to ./bifrost-cli testenv to make testing VMs boot in the UEFI mode.
Adds the --uefi argument to ./bifrost-cli install to make ironic use UEFI by default.
Enables support for redfish-virtual-media in legacy (BIOS) boot mode.
Adds support for testing bifrost with UEFI secure boot enabled in VMs. Requires an IPA ramdisk with kernel signed by a key recognized by GRUB2 on the host machine.
Adds support for emulating UEFI bare metal machines in the testing environment. Pass default_boot_mode=uefi to enable.
Adds support for Redfish virtual media in UEFI mode.
Known Issues
UEFI testing with network boot does not work on Ubuntu Focal because of TFTP issues.
Upgrade Notes
Following an announcement by the CentOS project, Bifrost has switched to CentOS Stream for testing. Regular CentOS is no longer tested in the CI, meaning that both it and RHEL will only be tested indirectly and supported on the best effort basis.
The role bifrost-create-bootable-image, marked as legacy since 2015, has been removed. Please use diskimage-builder or other external tools to build your images.
Bifrost now uses HTTP basic authentication by default. The generated credentials will be stored in ~/.config/openstack/clouds.yaml. Use noauth_mode=true with enable_keystone=false to disable authentication.
Deprecation Notes
Fedora 30 has reached end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.
openSUSE Leap 15.1 is reaching end-of-life and is no longer explicitly tested. Its support will be removed in one of the future releases.
Bug Fixes
Unsets the OS_CLOUD variable in the generated openrc.
OS_AUTH_TYPE is now always set in the generated openrc.
FirewallD is now used on Fedora 32 and newer to fix firewall issues.
Fixes an issue with the Bifrost inventory plugin when used with BIFROST_INVENTORY_SOURCE=ironic. All node fields are now returned as facts, as in Ussuri and earlier releases. See story 2008394 for details.
Copies ironic-lib rootwrap.d filters to the correct location.
Correctly copies rootwrap.d filters on upgrade.
Fixes SELinux context not being applied to /httpboot and /tftpboot. This renders the ironic_policy module unnecessary, and it has been removed.
Ensures that the checksums file has the correct ownership.
Explicitly opens ports 68 and 69 in firewall on systems not using firewalld (e.g. Ubuntu).
Fixes PATH to always include the virtual environment when running validations.
Other Notes
Fedora 32 and openSUSE Leap 15.2 have been added to the supported OS list.
9.0.0
New Features
Adds support to install the Ironic Prometheus Exporter. It can be done through the bifrost-cli using the --enable-prometheus-exporter option, or by setting enable_prometheus_exporter=True when deploying.
The first IPv4 address of the network_interface is now used for ironic and ironic-inspector API URLs in clouds.yaml and openrc instead of localhost. Use ironic_api_url and ironic_inspector_api_url to override.
The bifrost-keystone-client-config role now validates that CLI access actually works with the generated configuration, use skip_validation=false to disable.
Supports TLS configuration by setting enable_tls=true and, optionally, generate_tls=true. The corresponding bifrost-cli argument is --enable-tls (auto-generated certificates only).
The bifrost-ironic-install role now validates that the services have been started successfully, use skip_validation to disable.
Known Issues
Because of Ansible dependencies Bifrost only works on virtual environments created with --system-site-packages.
When using Keystone for authentication, it may not be possible to disable TLS after enabling it if the certificate is in a non-standard location.
Due to upgrade limitations, it may not be possible to enable TLS on upgrading from a previous version. Do an upgrade first, then enable TLS in a separate installation step.
Upgrade Notes
The use_public_urls parameter is no longer supported, just provide public_ip instead.
Bifrost no longer adds ironic and ironic-inspector endpoints to the public firewalld zone, the operator has to do it explicitly if external access is expected.
Support for the legacy CSV inventory format has been removed, only JSON and YAML are supported now.
Support for installing and using RabbitMQ has been removed.
Support for storing introspection data in nginx has been removed. It was useful before ironic-inspector started supporting storing data in the database, which is the default nowadays.
Support for the OpenStack MetaData version 2012-08-10 has been removed from the bifrost-configdrives-dynamic role. The newest supported metadata version is now 2015-10-15.
The deprecated parameter node_network_info has been removed, use node_network_data instead.
Adds the explicit setting of file access permissions to get_url calls in bifrost ansible playbooks to ensure that the contents of “/httpboot” are world-readable independently of which Ansible version is in use.
Packaged iPXE ROMs are now used by default on openSUSE, set download_ipxe=true to override.
Bifrost will no longer kill all running dnsmasq processes for you. If you have dnsmasq processes that are not managed by systemd, you have to stop them yourself.
No longer supports installation outside of a virtual environment. The parameter enable_venv has been removed.
Bug Fixes
Fixes an issue where the bifrost-create-dib-image role overrides any existing ELEMENTS_PATH environment variable value. This fix appends any existing ELEMENTS_PATH value to the path set in the role.
Changes to keystone endpoint configuration are now automatically reflected on existing endpoints.
Correctly updates repositories copied with copy_from_local_path.
When copying repositories using copy_from_local_path, make sure they are consistently owned by the local user. Previously some repositories could end up owned by root.
Correctly updates IPA images checksums on a major upgrade.
Automatically enables DHCP and TFTP services in firewalld on CentOS/RHEL.
Instead of modifying the public firewalld zone, creates a new zone bifrost and puts the network_interface in it. Set firewalld_internal_zone=public to revert to the previous behavior.
Makes /var/lib/ironic and its images subdirectories readable by nginx. This is required for using the images cache.
Fixes ACL of PXE and iPXE boot files to make sure they are world-readable.
Resolves the issue with ansible versions 2.9.12 and 2.8.14 where implicit setting of file permissions on files downloaded with get_url calls results in overly restrictive permissions. This leads to access denied while attempting to read the contents of “/httpboot” and results in failed deployments.
Ensures that repositories are consistently owned by the calling user.
Removes the test_vm_network_enable_dhcp option and disables DHCP on the libvirt network instead of unconditionally killing all dnsmasq processes on the machine.
Adds correct SELinux context for /tftpboot.
Other Notes
The file env-vars has been removed. It contained variables that only work for no-auth mode and only for ironic itself (not inspector). Use the generated clouds.yaml or openrc in the home directory.
The primary supported version of Ubuntu is now 20.04 (Focal). Ubuntu 18.04 (Bionic) is still supported, but may be removed in a future release.
Ironic JSON RPC is now always authenticated, even in no-auth mode.
Removes the no longer used transform_boot_image variable.
8.3.0
New Features
Adds support for configuring credential-less deploy via the new agent power interface and the manual-management hardware type.
Extra parameters for ansible can now be passed to bifrost-cli via the -e/--extra-vars flag. The format is the same as for ansible-playbook.
Metadata cleaning is now enabled by default, set cleaning to false to disable completely.
To enable full disk cleaning, set cleaning_disk_erase to true.
The new parameter default_boot_mode allows specifying the default boot mode: uefi or bios.
Set the new parameter developer_mode to true to have all packages that are installed from source installed with the --editable flag. The corresponding bifrost-cli argument is --develop.
The new variable git_url_root allows overriding the root URL for all repositories (e.g. changing the default https://opendev.org to a local path).
HTTP basic authentication for API services is now supported in addition to no authentication and Keystone. It is triggered by setting noauth_mode=false with enable_keystone=false.
Installations with bifrost-cli now use HTTP basic authentication if Keystone is disabled.
The ramdisk logs for inspection are now stored by default in /var/log/ironic-inspector/ramdisk.
If keystone_lockout_security_attempts is enabled, the amount of time the account stays locked is now regulated by the new parameter keystone_lockout_duration (defaulting to 1800 seconds).
Deploy/cleaning ramdisk logs are now always stored by default, use ironic_store_ramdisk_logs to override.
Added creation of a symbolic link from $VENV/collections directory which contains ansible collections to the playbooks subdirectory of bifrost. This is done in the env-setup.sh script.
The bifrost-create-vm-nodes role now supports redfish emulation, set test_vm_node_driver=redfish (or --driver=redfish for bifrost-cli testenv) to use.
Upgrade Notes
The variable ci_testing is no longer taken into account by the roles. Use the existing copy_from_local_path if you need Bifrost to copy repositories from their pre-cached locations.
If you use cleaning=true to enable full disk cleaning, you need to also set cleaning_disk_erase=true now. Omitting it will result in only metadata cleaning enabled.
All services now use journald logging by default, ironic-api.log and ironic-conductor.log are no longer populated. Use ironic_log_dir and inspector_log_dir to override.
The ramdisk logs for deploy/cleaning are now by default stored in /var/log/ironic/deploy.
The inspector_user user is not created by default any more. Use bifrost_user instead.
If you’re relying on default passwords (e.g. for the database or keystone passwords), they will be changed on upgrade. Please use explicit values if you want to avoid it.
OpenStackSDK is now installed from PyPI by default, set openstacksdk_source_install=true to override.
Previously, installation was skipped completely if the skip_install variable was defined, independent of its value. This has been fixed, and now installation is only skipped if skip_install is defined and equals true.
Deprecation Notes
Deprecates providing inspector discovery parameters via inspector[discovery], use explicit variables instead.
Bifrost will switch to HTTP basic authentication by default in the future. If you want to avoid it, please set noauth_mode to false explicitly.
The ironic_db_password parameter is deprecated, please use service_password to set a password to use between services or override the whole ironic and keystone objects.
Security Issues
Uses mode 0700 for the inspector log directories to prevent them from being world readable.
When using Keystone, no longer locks users out of their accounts on 3 unsuccessful attempts to log in. Locking accounts this way creates a very trivially exploitable denial-of-service issue. Use keystone_lockout_security_attempts to re-enable (not recommended).
Uses mode 0700 for the ironic log directories to prevent them from being world readable.
Random passwords are now generated by default instead of using a constant. The same parameters as before can be used to override them.
Bug Fixes
No longer clones repositories with corresponding *_source_install variables set to false.
Ironic Staging Drivers are now installed from source by default since they are released very infrequently (usually once per cycle).
The addition of the symbolic link makes bifrost playbooks independent of the ANSIBLE_COLLECTIONS_PATHS environment variable which wasn’t reliably set in some environments.
Removing dependency on libselinux-python for Fedora OS family. This package is no longer present in Fedora 32 and was causing installation failures. It is safe to remove as it is used with python2 only.
On systems with SELinux enforcing, enables nginx to read symbolic links. Fixes network boot of instances.
Other Notes
The role bifrost-openstack-ci-prep has been removed. It was only used in the upstream CI context and is no longer required.
The variable ci_testing_zuul is no longer used or set.
The version of cirros used by default is now 0.5.1 (instead of 0.4.0).
Bifrost now uses the equivalent modules from the openstack.cloud collection. The module changes are listed below.
os_client_config is config
os_ironic is baremetal_node
os_ironic_inspect is baremetal_inspect
os_ironic_node is baremetal_node_action
os_keystone_role is identity_role
os_keystone_service is catalog_service
os_user is identity_user
os_user_role is role_assignment
8.2.0
New Features
It is now possible to use the bifrost cloud with introspection commands even in no-auth mode.
Debian Buster is now supported as a base operating system.
Configures the default deploy and rescue kernel/ramdisk, setting them in driver_info is now optional.
Ubuntu Focal (20.04) is now supported as a base operating system.
The values of enabled_bios_interfaces, enabled_boot_interfaces, enabled_management_interfaces and enabled_power_interfaces are now derived from the enabled_hardware_types if left empty (the default).
Adds a new parameter internal_ip specifying which IP address to use for nodes to reach ironic and the HTTP server, and for cross-service interactions when keystone is disabled. By default the IPv4 address of the network_interface is used.
The manual-management hardware type is now enabled by default. It can be used with hardware that does not feature a supported BMC.
The noop management interface can now be used out-of-box with ipmi and redfish nodes to prevent ironic from changing the boot device and order.
MetalSmith is now installed by default.
A normal ironic nodes.json (suitable for the baremetal create command) is now generated when creating testing VMs. The default location is /tmp/nodes.json.
Sets the default resource class for newly enrolled nodes without an explicit resource class. Defaults to baremetal, can be changed via the default_resource_class parameter.
Fedora 30 is now supported as a base operating system.
Adds two new parameters for controlling how existing git checkouts are handled:
update_repos can be set to false to prevent the repositories from being updated.
force_update_repos can be set to false to prevent Bifrost from overwriting local changes.
Changes the default version of Ansible to version 2.9.
The new variable use_tinyipa (defaulting to true) defines whether to use the pre-built tinyIPA images or production-ready CentOS images built with DIB.
Upgrade Notes
Explicit support for Fedora versions precedent to 30 has been removed.
Explicit support for Debian Jessie has been removed.
OpenStackClient is no longer installed when keystone is not enabled. Use the ironic native baremetal command instead. For example, instead of

    openstack baremetal node list

use just

    baremetal node list

The shade library is no longer used, nor installed by default.
The default version of Ansible used for this release of bifrost is version 2.9. Operators may wish to upgrade if they are directly invoking playbooks or roles.
All packages are now installed in a virtual environment in /opt/stack/bifrost by default instead of system-wide.
Deprecation Notes
The bifrost-inspector cloud in clouds.yaml is now deprecated, use the main bifrost cloud for all commands.
The os_ironic_facts module is deprecated. Please use os_ironic_node_info that returns information in the “node” parameter.
Support for system-wide installation of packages is deprecated, untested and may be removed in a future release.
Bug Fixes
Fixes installing Keystone under CentOS 8.
Fixes failure to install on systems with a local resolved by setting disable_dnsmasq_dns to True by default.
Fixes fast-track deployment after inspection/discovery by providing the correct ironic API URL to the ramdisk.
Fixes deployment in a testing environment on CentOS 8 by using firewalld instead of iptables to enable access from nodes to ironic.
An ironic-python-agent image is now updated every time the installation playbooks are run. This is done to avoid discrepancy between ironic and the ramdisk on updates. Set update_ipa to false to prevent the ramdisk update (not recommended) or update_repos to false to disable any updates.
Other Notes
Support for Ubuntu Xenial and Debian Stretch has been officially removed (Bifrost has been broken on them since Ussuri because of the transition to Python 3.6).
8.0.0
New Features
By default, bifrost now enables ironic’s fast_track mode using the [deploy]fast_track option in ironic.conf. This lets ironic skip a power cycle sequence for deployments if the node power is already on and the agent is running, which is how stand-alone deployments tend to operate.
The default operating mode of bifrost now no longer powers off nodes once they have been inspected. This leaves the ironic-python-agent running and ultimately allows moving into deployment skipping a full boot sequence when following the typical use path.
This setting may be disabled and the previous behavior reverted by changing the power_off_after_inspection setting to true. This setting maps to ironic-inspector.conf’s [processing]power_off and ironic.conf’s [inspector]power_off settings.
Upgrade Notes
The default version of Ansible becomes 2.8, replacing version 2.6, which is EOL. This version is guaranteed full bug fixes and security patches and has better support for Python 3.x.
Python 2.7 support has been dropped. The last release of bifrost to support Python 2.7 is OpenStack Train. The minimum version of Python now supported by bifrost is Python 3.6.
A default Ansible version to install is defined using the DEFAULT_PIP_ANSIBLE variable. It can be overridden either with a schema understood by pip using ANSIBLE_PIP_VERSION, or with a local path or a remote URL using ANSIBLE_SOURCE_PATH.
Due to the limitations of managed in-band inspection, the inspector_extra_kernel_options parameter must only contain key=value pairs. Use extra_kernel_options to provide generic kernel options.
Bug Fixes
Uses the appropriate ironic-python-agent branch when building a deploy ramdisk instead of unconditionally using master. Set ipa_git_branch to override.
Uses ironic-python-agent-builder instead of the deprecated and broken ironic-agent element to build deploy ramdisk.
The inspector iPXE template kernel command line argument ip has been removed as it is incompatible with the BOOTIF and missing autoconf parameters with dracut. Without this change CoreOS IPA images cannot be booted. Further details can be found in story 2006700.
Other Notes
We have removed the CI jobs with Ubuntu Xenial and CentOS 7 in favor of CI jobs with Ubuntu Bionic and CentOS 8.
The default libvirt network interface card type has been changed from virtio to e1000 in order to support testing on Bionic. Users should not experience any issues as a result of this, however the bifrost-create-vm-nodes setting test_vm_nic can be used to explicitly choose virtio network interface cards.
7.0.0
New Features
The redfish hardware type is now enabled by default.
When inspection support is enabled, introspection data is now stored in the database by default. You can use the ironic-inspector-migrate-data command to move the data from nginx to the database, for example:
    ironic-inspector-migrate-data --from swift --to database --config-file /etc/ironic-inspector/inspector.conf
Upgrade Notes
The deprecated parameters inspector_auth and ironic_auth_strategy have been removed. Their values are now detected from enable_keystone.
Deprecation Notes
The inspector_store_data_in_nginx configuration option is deprecated and will be removed in a future release. Introspection data can now be stored in the database.
Bug Fixes
Fixes an issue where the deployment logs would not be saved if using a non-default value of ironic_log_dir. See Story 2006150.
6.1.0
New Features
Adds support to disable RabbitMQ via the new use_rabbitmq variable in favour of JSON RPC (in ironic) and fake transport (in ironic-inspector).
Upgrade Notes
The image building with diskimage-builder now uses Debian Stretch by default, and all CI testing has been switched to it as well.
RabbitMQ is no longer used by default; set use_rabbitmq=true to enable.
Bug Fixes
Fixes building images with diskimage-builder by switching to Debian Stretch (from Jessie).
Fixes an issue where the proliantutils library version was unconstrained, potentially resulting in installation of an incompatible library. The version has been pinned to 2.8.x.
6.0.0
Upgrade Notes
UcsSdk support was removed due to being Python 2 only.
Bug Fixes
Fixes the default non-testing configuration to remove the UCS drivers, as they are Python 2 only, being based on UcsSdk, which has ceased development and is no longer maintained.
5.2.0
New Features
By adding the extra string variable -e private_ip=8.8.8.8, Bifrost, if used with Keystone enabled, will configure private/internal service endpoints (for Keystone, Ironic and Ironic Inspector) to contain this private IP address instead of the default values, which point to localhost.
The default behaviour is kept unchanged, which means that the services’ private endpoints will contain references to localhost, aka 127.0.0.1.
By adding the extra string variable -e public_ip=8.8.8.8, which is to be used in conjunction with use_public_urls=true, Bifrost, if used with Keystone enabled, will configure public service endpoints (for Keystone, Ironic and Ironic Inspector) to contain this public IP address instead of the default values, which point to localhost.
The default behaviour is kept unchanged, which means that the services’ public endpoints will contain references to localhost, aka 127.0.0.1.
Adds the ability to enroll or deploy specific nodes from the bifrost inventory using the new environment variable BIFROST_NODE_NAMES, for example:
    export BIFROST_NODE_NAMES=node1,node2,node5
Adds a new variable enabled_deploy_interfaces which allows the user to set the enabled_deploy_interfaces configuration option in ironic.
Adds support for installing the openstack client, even when the Identity service is disabled. If the Identity service is disabled, also adds a new cloud in clouds.yml called bifrost-inspector which references the Bare Metal Introspection service.
Extra packages to install with ironic may be specified as a list in the variable ironic_extra_packages. This is especially useful for out-of-tree drivers.
Adds support for performing ironic online data migrations.
Adds the use of the openstacksdk library, which is superseding the shade library for communicating with OpenStack services using the Ansible modules. By default, an installation from source is attempted. Set the openstacksdk_source_install option to false in order to install from PyPI.
Changes the default version of Ansible to version 2.6.
By adding the extra boolean variable -e use_public_urls=true, Bifrost, if used with Keystone enabled, will configure public service endpoints (for Keystone, Ironic and Ironic Inspector) to contain the public IP address of the node where Bifrost is running instead of the default values, which point to localhost.
The default behaviour is kept unchanged, which means that the services’ public endpoints will contain references to localhost, aka 127.0.0.1.
Upgrade Notes
The default version of Ansible used for this release of bifrost is version 2.6. Operators may wish to upgrade if they are directly invoking playbooks or roles.
5.1.0
New Features
By adding the extra variable -e ipa_upstream_release=stable-mitaka, for instance, the deployment can now use all ramdisk and kernel images available in https://tarballs.openstack.org/ironic-python-agent/tinyipa/files/ instead of the default master.
Furthermore, as some of these files do not have any .sha256 checksum associated with them, a failure to download the checksum for these files now just issues a “warning” and is not reported as an Ansible error in the final summary.
A custom partitioning YAML file can now be specified using the partitioning_file variable, which contains a path to the YAML file describing the partition layout. For example:
    - local_loop:
        name: image0
    - partitioning:
        base: image0
        label: mbr
        partitions:
          - name: root
            flags: [ boot,primary ]
            size: 6G
            mkfs:
              type: xfs
              label: "img-rootfs"
              mount:
                mount_point: /
                fstab:
                  options: "rw,relatime"
                  fck-passno: 1
          - name: tmp
            size: 1G
            mkfs:
              type: xfs
              mount:
                mount_point: /tmp
                fstab:
                  options: "rw,nosuid,nodev,noexec,relatime"
          - name: var
            size: 7G
            mkfs:
              type: xfs
              mount:
                mount_point: /var
                fstab:
                  options: "rw,relatime"
          - name: log
            size: 5G
            mkfs:
              type: xfs
              mount:
                mount_point: /var/log
                fstab:
                  options: "rw,relatime"
          - name: home
            size: 1G
            mkfs:
              type: xfs
              mount:
                mount_point: /home
                fstab:
                  options: "rw,nodev,relatime"
For more information, please refer to the following links: Disk Image Layout Section, Standard Partitioning, LVM Partitioning.
Allows populating the NTP servers setting of dnsmasq. This is optional, but if the dnsmasq_ntp_servers setting is set, it adds a dhcp-option=42,dnsmasq_ntp_servers entry to the generated dnsmasq configuration for bifrost.
Stores introspection data in nginx.
In the absence of swift, we can now use the bifrost nginx web server - masquerading as an object store - to store raw and processed introspection data for nodes. This is configured via the boolean variable inspector_store_data_in_nginx and is enabled by default.
Upgrade Notes
The deprecated support for classic drivers has been removed.
Other Notes
When configuring the dnsmasq_ntp_servers setting, several NTP servers can be specified, separated by commas.
5.0.0
New Features
Now leverages stable Ansible version (2.4).
The bifrost role which is used to create a clouds.yaml, now also creates an openrc file in the user home directory when keystone is enabled. This should be used to call OpenStack CLI utilities and have proper credentials. The file location is ~/openrc.
The enabled_hardware_types variable has been introduced to support use of hardware types. The default_deploy_interface variable has been introduced to support setting a default method of deployment for new nodes. It defaults to the direct deployment interface.
Adds support for Fedora 25, 26, and 27.
Adds support for tweaking the vCPU model for the VMs created by bifrost-create-vm-nodes. The default vCPU model is host-model which should provide the best possible performance whilst using only the CPU features which are understood by libvirt. The model can be changed using the test_vm_cpu Ansible variable.
Adds support for modifying the vNIC model for the VMs created by bifrost-create-vm-nodes. The default vNIC model is virtio which should provide the best possible performance. The model can be changed using the test_vm_nic Ansible variable.
Known Issues
Support for hardware types is in the beginning stages in Bifrost. Presently the os_ironic ansible module does not yet understand hardware types.
Deprecation Notes
Ironic has deprecated support for classic drivers. These were the drivers that were prepended with agent or pxe. The new default hardware type, which supersedes drivers, is ipmi. The default deployment interface is direct, which supersedes the agent driver type. Support for classic drivers will be removed from Bifrost in the Rocky release cycle.
Bug Fixes
Addresses issues with setuptools on various distributions such as CentOS 7.3 and Fedora 25 where the shipped version is too old to build the python packages.
Changes the application of SELinux security policy from using the command line tools to leveraging the Ansible module, which addresses issues with newer versions of Ansible on Fedora.
4.0.0
New Features
bifrost now always writes the clouds.yaml configuration file for os-client-config independently of whether keystone is installed or not.
This allows unified usage of ironic-related openstackclient commands both in presence and absence of installed keystone by using the openstack command in the following form for both situations:
    openstack --os-cloud bifrost baremetal ...
Changes the bifrost-create-vm-nodes role to use Ansible’s virt modules to create virtual machines for bifrost testing. This supersedes the embedded bash script to create virtual machines. As a result, all variables that were present in the bash script are now available as default role variables and can be overridden by standard Ansible means.
For backward compatibility, some of the variables still support the use of shell variables, but this is deprecated and should be avoided.
Allows configuration of inspector processing hooks.
It is now possible to configure the set of inspection data processing hooks used by ironic inspector via the variable inspector_processing_hooks, which defaults to using inspector’s default list.
Allows additional kernel arguments to be specified in inspector PXE config.
A number of optional features in the Ironic Python Agent (IPA) are configured via kernel command line arguments, e.g. ipa-collect-lldp.
It is now possible to specify additional kernel arguments for use by the IPA ramdisk during inspection with the inspector_extra_kernel_options variable.
Allows setting more than one nameserver in the provisioned instances. The ipv4_nameserver setting can now accept either a string or a list of strings, so that all desired nameservers can be populated.
Allows log directories to be configured.
In some cases it is useful to be able to configure the directory into which log files are written by bifrost services.
It is now possible to configure the ironic, inspector and nginx log directories using the ironic_log_dir, inspector_log_dir, and nginx_log_dir variables respectively.
Bifrost now supports the definition of a specific database server, username, password, and database name for ironic and ironic-inspector.
If the host for the database is not set to localhost, then actions such as database and user creation are skipped. This functionality is present in the bootstrapping for ironic, ironic-inspector, and keystone, and applies to initial explicit database schema creation steps where applicable.
Bifrost has removed support for Ironic’s SSH based power and management drivers, as a result of Ironic removing the drivers altogether.
Bifrost testing has moved to ipmitools-based ironic drivers and virtual hardware exposed via the ‘virtualbmc’ utility.
Default ironic drivers set up by bifrost are changed to pxe_ipmitool and agent_ipmitool.
Default driver for CSV baremetal data files in bifrost’s dynamic inventory is changed to agent_ipmitool.
Moves all preparation for testing with ‘virtual’ hardware to the bifrost-create-vm-nodes role, and libvirt interactions have been decoupled from the bifrost-ironic-install role.
Allows consuming upper_constraints_file from the UPPER_CONSTRAINTS_FILE environment variable. This is especially useful for OpenStack CI, where this variable is defined on each job run, pointing to the right requirements file depending on the branch.
It is now possible to define additional per-host inventory groups for all the hosts that make use of the dynamic JSON inventory. To do so, define a list of groups in the host_groups property, as illustrated in the following example:
    "node1": {
        "uuid": "a8cb6624-0d9f-c882-affc-046ebb96ec01",
        "host_groups": [ "baremetal" ]
    }
When provisioning virtual machines, it’s possible to set the per-VM inventory groups by setting the test_vm_host_groups variable as follows:
    { test_vm_host_groups: { testhost: [nova, cinder] } }
It is also possible to change the default baremetal group for virtual machines by simply setting the host_default_group variable to a list of default groups as follows:
    { test_vm_default_groups: [baremetal, vms] }
The list of default groups can also be set in the DEFAULT_HOST_GROUPS environment variable. This is currently the only way to change the default group for baremetal hosts:
    export DEFAULT_HOST_GROUPS="foo bar zoo"
This will change the default groups to [foo, bar, zoo] instead of the current [baremetal] default. Extra care should be taken when using this method since most bifrost playbooks depend on having a [baremetal] group available for provisioning hosts.
Bifrost’s testing has been moved to use JSON-formatted baremetal inventory file instead of deprecated CSV-formatted one. The bifrost-create-vm-nodes role still accepts baremetal_csv_file variable as path to where to write inventory, but the file content will always be in JSON format. A new variable baremetal_json_file should instead be used as a location to where to write the test baremetal inventory file.
Downloaded IPA files can now be verified using checksum files. Upstream builds will be verified by default, but you can disable this behavior by setting the ipa_kernel_upstream_checksum_url or ipa_ramdisk_upstream_checksum_url variables to empty strings. The default checksum algorithm is sha256, which matches the one provided in the upstream files. In case you want to provide your own checksum files, you can set the previously mentioned variables appropriately to match your setup. You can also set ipa_kernel_upstream_checksum_algo or ipa_ramdisk_upstream_checksum_algo to checksum algorithms like md5 in case you want to provide non-sha256 checksums. Be careful though, because these values must be valid for the Ansible get_url module’s checksum parameter. Finally, it’s also possible to provide the checksum directly by setting the ipa_kernel_checksum or ipa_ramdisk_checksum variables to $algorithm:$checksum. In case the verification fails, bifrost will retry a few more times to re-download and re-verify the files before giving up, assuming there is a network issue or a file corruption on the remote server.
Upgrade Notes
Default ironic drivers set up by bifrost are changed to pxe_ipmitool and agent_ipmitool.
Default driver for CSV baremetal data files in bifrost’s dynamic inventory is changed to agent_ipmitool. Those bifrost users relying on such behavior must explicitly set the driver in the CSV baremetal data file.
The baremetal_csv_file variable in the bifrost-create-vm-nodes role has been deprecated and will be removed in the Queens release. The inventory file written to this location by this role is now always in JSON format. The variable baremetal_json_file should be used instead of baremetal_csv_file. This concerns only those operators who run tests for bifrost on virtual hardware using the bifrost-create-vm-nodes role and out-of-tree scripts to process the baremetal inventory file produced by this role. If such scripts do rely on this file being in CSV format, they must be updated to use JSON format instead.
Deprecation Notes
Relying on shell environment variables to set parameters for created virtual nodes is deprecated and will be removed in the Queens release. Any scripts relying on such behavior need to be changed to explicitly pass these parameters as extra-vars to ansible-playbook invocations.
Use of the ironic_db_password variable as an available default will be removed in the Queens release of bifrost.
Handling of *_ssh drivers for CSV baremetal data format has been removed as the drivers have been removed from ironic.
The CSV format for the baremetal inventory file is deprecated and using it will be impossible in the Queens release. During the deprecation period its handling is still supported by bifrost’s dynamic inventory, but this functionality will be removed in the Queens release.
Bug Fixes
The CI test playbook previously looked for the requirements repository in /opt/git/openstack/. This has been changed to use the WORKSPACE environment variable when being executed.
Corrects an issue where execution of install.yaml would return an error indicating SUDO_USER was not found, by providing a fallback to the ansible_user_id variable.
Allows undionly.kpxe boot option to be overridden.
As an operator, I may wish to provide DHCP boot options for hosts not managed by bifrost using the bifrost dnsmasq server.
Previously, if a dhcp-boot configuration option was provided to dnsmasq via a file in /etc/dnsmasq.d/, and the server was not booted via iPXE, the option would have been overridden by the undionly.kpxe option added by bifrost in /etc/dnsmasq.conf.
Bifrost now supports user-provided dhcp-boot options in /etc/dnsmasq.d. These should be specified with an appropriate set of tags to match against to ensure that the rule overrides the default rule configured by bifrost.
Supports passing the no_proxy environment variable to Ansible; users can use no_proxy to exclude specified hosts from using the proxy.
Other Notes
bifrost host dependencies are now being installed using the bindep tool. New dependencies should be added to the bindep.txt file with the appropriate profile information if necessary. Core dependencies (i.e. those needed to bootstrap the system such as python, gcc, libffi, etc) must be listed in both the bindep.txt file and the scripts/install-deps.sh file, mainly for two reasons. First of all, the OpenStack CI may only consult the bindep.txt in order to pull the necessary dependencies. Second, bindep needs certain packages to be present in order for its dependencies to build properly. More information about the bindep tool can be found at https://docs.openstack.org/infra/bindep/
3.0.0
Prelude
During the Ocata cycle, a number of improvements have been made to bifrost to improve the manageability and longevity of a bifrost installation. Coupled with a number of fixes and improvements, users upgrading should take the time to read the entire release notes. A few highlights are below:
Bifrost now installs and utilizes Ansible 2.1 by default from PyPI.
Ironic’s default of modifying a pre-existing ironic.conf upon the installation being re-executed has been changed to utilize a template file.
Bifrost supports generating and reading from an os-client-config clouds.yaml file for obtaining credentials.
Bifrost can now leverage authentication, as well as install and configure keystone if requested by the installer.
As a number of in-tree drivers in ironic were removed this past cycle, due to lack of third-party CI, support has been added to enable installation of the staging drivers repository.
New Features
Allows the user to insert a private SSH key for the ironic user. This is useful for the ansible deploy driver and other SSH-based drivers. The private key can be specified as a path to a local file in the ssh_private_key_path variable, or as a string in ssh_private_key.
Allows installing Ironic on a remote server. Added the group ‘target’ to the inventory, which is the same as localhost by default. To install ironic remotely, the address and SSH credentials should be configured in the playbooks/inventory/target file.
Bifrost has been updated to utilize Ansible 2.1’s stable branch for the version of ansible installed.
Bifrost now prefers to use a system with Ansible already installed. When this is the case, execution of the env-setup.sh script is not required as it is geared for development and testing use of bifrost.
In order to use the playbooks on a system with Ansible already installed, the library requirements must be installed prior to playbook execution:
    pip install -r requirements.txt
Administrative privileges may be required if the packages must be installed system wide.
The environment setup script will now attempt to install bifrost from PyPI instead of using a stable branch. This is to address stability issues with Ansible stable branches.
If not requested to be installed into a virtualenv, Ansible will be installed into the user’s ~/.local directory so as not to clobber a possibly existing system installation. To use Ansible installed this way, the $PATH environment variable might need to be modified to include the ~/.local/bin path.
Some backwards compatibility is provided via the use of the ANSIBLE_GIT_BRANCH variable, where a user can define stable-X.Y and the latest available version in that series will be installed. To install the Ansible 2.1 series as part of the env-setup script, execute env ANSIBLE_GIT_BRANCH="stable-2.1" scripts/env-setup.
Similarly, ANSIBLE_PIP_VERSION can be utilized to specify the exact version, or range of versions, desired. Example: ANSIBLE_PIP_VERSION=2.1.0.1 or ANSIBLE_PIP_VERSION=<2.2
Bifrost now has a role that can create a clouds.yaml file for os-client-config based client auto-configuration.
The functionality to create a service account and default user account to bifrost has been added. This is controlled by the enable_keystone parameter as well as a keystone and ironic data structure that contains all required parameters. Please consult the bifrost-ironic-install/defaults/main.yml file for more details.
Previously bifrost deployments on RedHat/Suse systems had to be performed with selinux at least in permissive mode. This patch adds the necessary policies to allow the components to operate with selinux in enforcing mode.
bifrost now supports dnf as package manager on RedHat-based distros. It tries to use it by default and falls back to yum when dnf is not available.
Discovery of nodes via the ironic-inspector is now enabled by default. If you wish to disable this, set enable_inspector_discovery to false and re-execute the installation playbook.
Inspector is now installed and enabled by default. This changes default value for the enable_inspector variable from false to true.
Functionality to configure the ironic-inspector to utilize keystone, utilizing the base enable_keystone boolean parameter.
An ansible role enabling the installation of keystone has been added in preparation for the addition of keystone support to bifrost.
The bifrost-keystone-client-config role can now write a clouds.yaml file with several clouds settings. It starts to accept a single compound variable clouds that must contain a dictionary describing key:value pairs in the format of <cloud-name>:<dict-of-cloud-settings>. The previous way of passing config_* vars to the role is supported for backward compatibility but is deprecated and should be expected to be removed in Pike.
In addition to previous bifrost cloud, the default install.yaml playbook now also writes bifrost-admin cloud settings that contain Keystone admin credentials so that when installed, the Keystone service is fully usable right away (users/projects etc can be managed).
The capability for Bifrost to read directly from the os-client-config data has been added. While shade can do this for us to a degree, bifrost also allows a user to directly choose the server which they are connecting to via the ironic_url parameter. Instead of duplicating code and retooling, if no global auth parameter is detected, the authentication parameters from the os_client_config module are utilized to set the parameters.
An optional parameter has been added to the roles that interact with ironic that defines a cloud_name. This cloud name is utilized by the roles to determine the entry from os-client-config to utilize.
Adds support for remote logging. This feature allows sending logs from the local syslog server; it does not collect logs from services on baremetal nodes. Collecting logs from the actual running nodes requires configuration injected into each deployed host. The syslog server address and port can be specified in the options remote_syslog_server and remote_syslog_port respectively.
Ironic-Staging-Drivers can now be installed. These are drivers that are not included in the ironic repo, and provide additional hardware support for ironic. More information about the drivers can be found at Ironic-Staging-Drivers. To install the staging drivers, set staging_drivers_include to true. The default value is false.
Ironic.conf is templated and only sets required options now, as opposed to editing the sample configuration of Ironic.
Known Issues
If installing bifrost in a virtualenv (venv) and running playbooks against localhost, you must install the basic python requirements on a system-wide level due to the operating behavior of Ansible.
Bifrost now has a role that can create a clouds.yaml file for os-client-config based client auto-configuration. This file overwrites the default file for the user executing bifrost, located at ~/.config/openstack/clouds.yaml. It is recommended that users execute bifrost’s installation via a service account.
The addition of support for os-client-config does not allow a user to choose their cloud directly. Only the first entry returned is utilized.
Log entries where authentication data is read and stored have been masked with the no_log parameter. Troubleshooting non-standard authentication configurations may require modifying the playbooks so users can debug their input or pass data directly in a different way.
Upgrade Notes
Bifrost has been changed to utilize Ansible 2.1 by default. Should a deployment encounter issues with Ansible, they may wish to check/update their version of Ansible, or re-execute the env-setup.sh script.
Bifrost no longer supports installing ironic AMT drivers when PXE drivers are enabled (which is the default) due to AMT drivers having been removed from ironic in Ocata release.
Upon installation, bifrost will replace the installed ironic.conf file with a template generated file. Custom setting changes to that file, which were previously retained, will now be lost upon re-installation.
Deprecation Notes
The ANSIBLE_INSTALL_ROOT variable has been deprecated and is used only to raise a warning for third party scripts.
The ANSIBLE_FROM_PYPI variable no longer has any effect, as Ansible is always installed from PyPI now.
The node_network_info parameter has been deprecated in favor of the node_network_data parameter as the related configuration drive network_info.json file was misnamed originally, and should have been named network_data.json. Support for the node_network_info parameter, and the continued write-out of the network_info.json file in configuration drives, will be removed in the Queens cycle.
The ironic_auth_strategy setting is deprecated and will be removed in Pike. The setting has no effect if the enable_keystone setting is present and set to true.
The inspector_auth setting is deprecated and will be removed in Pike. The setting has no effect if the enable_keystone setting is present and set to true.
Passing config_* variables defining credentials for the bifrost cloud to the bifrost-keystone-client-config role has been deprecated, and will be removed in the Pike cycle. Instead a single compound variable named clouds defining sets of settings to be written to clouds.yaml should be passed to that role.
Bug Fixes
Due to a breaking change in the stable branch tags utilized with Ansible, bifrost now utilizes installation of Ansible from PyPI.
When support for passing configuration drive data to the nodes was originally created, the file was accidentally named incorrectly as network_info.json. The correct filename is network_data.json. Both files will now be written until support for writing network_info.json is removed in the Queens cycle.
Added DHCP configuration tasks to the inspection role. When inventory_dhcp is enabled and a node is not deployed yet, inspection does not work because dnsmasq ignores requests from unknown addresses. This fix introduces tasks which configure DHCP before inspection.
Some users have encountered issues with introspection periodically timing out for systems. As a result, we have added a new parameter inspection_wait_timeout that is now defaulted to 1800 seconds.
Other Notes
By default, the installation process now downloads iPXE binaries from ipxe.org upon re-installation. Previously, the download was not set to be forced, and thus would be skipped if the file was already present.
In the past, the sample config in Ironic may have set some boilerplate that Bifrost took advantage of. But now that config is entirely made up of comments, and so this change does not change much except stripping out all of those comments and leaving just the required content in ironic.conf to use Ironic with Bifrost.
2.1.0
New Features
Allows install of ironic-inspector and python-ironic-inspector-client from git sources and to specify source branch via env variables.
2.0.0
New Features
Allows creating VMs with custom names instead of using testvm or NODE_BASE and sequential prefixes. This can be achieved by passing the TEST_VM_NODE_NAMES env var.
The ironic install role has been split into 3 phases.
The install phase installs all ironic packages and dependencies.
The bootstrap phase generates configs and initializes the ironic db.
The start phase starts all ironic services and dependencies.
Each phase is run by default and can be skipped by defining skip_package_install, skip_bootstrap and skip_start respectively.
Add support for kvm acceleration for the VMs created by bifrost-create-vm-nodes. The default domain type for the created VMs is qemu which uses tcg acceleration. In order to use kvm acceleration, users need to set VM_DOMAIN_TYPE to kvm.
A new playbook was added to redeploy nodes. The playbook transitions each node’s provision state to ‘available’, waiting for the nodes to reach that state. Next, the playbook deploys the nodes, waiting for the nodes to reach provision state ‘active’. The playbook is redeploy-dynamic.yaml in the playbooks directory.
Upgrade Notes
A new test playbook, test-bifrost.yaml, has been added. This playbook merges the functionality of the existing test-bifrost-dynamic.yaml and test-bifrost-dhcp.yaml playbooks.
Bifrost has changed to using TinyIPA as the default IPA image for testing. TinyIPA has a smaller footprint for downloads and memory utilization. Users can continue to utilize CoreOS or diskimage-builder based IPA images, however this was done to improve testing performance and reliability. If the pre-existing IPA image is removed, bifrost will automatically re-download the file upon being updated in an installation process. Otherwise, the pre-existing IPA image will be utilized.
Deprecation Notes¶
test-bifrost-dynamic.yaml and test-bifrost-dhcp.yaml have been superseded by test-bifrost.yaml and will be removed in the Ocata release.
Other Notes¶
A new install_dib variable has been introduced to the ironic install role to control installation of disk image builder and dib-utils. To maintain the previous behavior, install_dib will default to the value of create_image_via_dib.
1.0.0¶
Prelude¶
Starting with bifrost 0.1.x, release note generation is via the reno utility.
New Features¶
Add support for passing a MySQL username and password via environment variables: mysql_user for the username and mysql_pass for the password. Useful for cases where a MySQL server may already exist and have usernames with passwords already set.
Allows users to choose to leverage authentication with roles that interact with ironic services via ansible modules. This is limited to sessions that obtain authentication information via os-client-config. The role defaults ultimately remain unchanged and default to noauth mode. More information on os-client-config can be found at https://docs.openstack.org/developer/os-client-config/
Bifrost traditionally utilized a generated HTTP URL to point ironic to the location of IPA, which is utilized for the boot sequence of machines. A user may now override that default and explicitly choose https if their environment has been pre-configured such that HTTPS support is in place.
The inventory_dhcp feature permits configuration of dnsmasq to provide the IP configuration on servers deployed by Bifrost, rather than setting that information into the config drive. Previously, the feature assumed the IP set by dnsmasq was both the provisioning and the management IP, but in some scenarios that is not always the case. With the inclusion of the inventory_dhcp_static_ip option, a user can provide a specific provisioning IP via the JSON/YAML/CSV inventory on a server-by-server basis, which will be used just for the provisioning.
Adds a new feature to manage DNS with the settings in the inventory. When the inventory_dns setting is True, it will populate a set of record-host entries, one for each of the hostnames present in the inventory, matching the ipv4_address. This overrides the default dnsmasq behaviour, which associates hostnames with the IPs present in the leases file.
Allows populating the DNS servers setting of dnsmasq. This is optional, but if the dnsmasq_dns_servers setting is set, it adds a dhcp-option=6,dnsmasq_dns_servers to the generated dnsmasq configuration for bifrost.
Allows populating the domain setting of dnsmasq. As shown in documentation, this is optional, but if it is set, it does the following things. 1) Allows DHCP hosts to have fully qualified domain names, as long as the domain part matches this setting. 2) Sets the “domain” DHCP option thereby potentially setting the domain of all systems configured by DHCP. 3) Provides the domain part for “expand-hosts”.
Support for PXE driver substrate is now installed which utilizes iSCSI to write the disk image to the target node. By default, this support is enabled.
Known Issues¶
Users wishing to utilize authentication without leveraging os-client-config will need to manually update the playbooks in order to set the appropriate module settings.
Basic testing has revealed that PXE drivers may not result in the configuration drive being written out with the current configuration of bifrost.
Upgrade Notes¶
Bifrost has moved to focusing its use on Ansible 2.0. While Ansible 2.0 is relatively new, it has been stable in development for quite some time. If a pre-existing user intends to reinstall/upgrade their environment, they may find the need to remove their pre-existing ansible environment located at /opt/stack/ansible.
Ironic inspector has been switched to using MySQL as its back-end database. This was to correct a bug that functionally broke inspection.
PXE driver substrate support is now enabled by default. If a user wishes to prevent this, the enable_pxe_drivers setting should be set to false.
Deprecation Notes¶
Moving forward, bifrost will be targeting use of Ansible 2.0. Due to some style/configuration changes, some roles have been marked in their metadata as being intended and only functional with Ansible 2.0 due to required features having been added in 2.0 that were not present or available to reproduce in a 1.9.x compatible way.
Security Issues¶
PXE driver support substrate has been added, however this requires the ability for the conductor to connect to the node being provisioned via iSCSI. As a result sudoers configuration is updated by default to enable ironic to initiate the iSCSI connection and apply the image to the remote disk. As a reminder, users should default to using agent drivers as cleaning support does not exist in the PXE drivers.
Bug Fixes¶
A bug in file ownership resulted in the ironic-inspector functionality not working as expected, and the test being unable to be re-executed without manual clean-up. This has been corrected by moving the database use to MySQL.
A dnsmasq option was added to only offer DHCP leases to known MAC addresses when inventory_dhcp is being used.
Functional tests were added for the inventory module that leverage JSON and YAML parsing to ensure that the input is the same as the expected output of the conversion being leveraged.
A functional test was added that reconsumes JSON data generated by the CSV file format to help identify any logic parity breaks between the logic present in each data parsing method.
PXE driver support substrate was previously incomplete and has been revised to properly support PXE drivers. This has been tested on Ubuntu 14.04 LTS.
Other Notes¶
The README.rst file was updated to include a list of the drivers enabled by default, as well as what driver is available in testing mode.
A pointer was added to the README.rst file for users possibly wishing to utilize the OneView driver for mass machine deployment via bifrost, since the driver cannot be enabled by default.
When configuring the dnsmasq_dns_servers setting, several nameservers can be specified, separated by commas.
The role will accept the domain setting. If that’s present, it will be populated to the equivalent domain setting in dnsmasq.conf.