Xena Series (11.0.0 - 11.2.x) Release Notes

11.2.2-7

Deprecation Notes

  • Support for Fedora is no longer tested in the CI and will be removed from the code in the near future.

11.2.2

Bug Fixes

  • Password files (htpasswd) are no longer world-readable.

  • Fixes the Bifrost inventory plugin to not set the network_interface variable since it conflicts with Bifrost’s variable with a different meaning.

  • Ironic Prometheus Exporter is now run as the ironic user, not as root.

  • Fixes bifrost-configdrives-dynamic and bifrost-deploy-nodes-dynamic when uuid is not set in the inventory file.

11.2.1

Bug Fixes

  • Fixed an outdated grub and shim EFI binaries path for Red Hat to be under EFI/redhat.

  • Fixes the iptables rule for PXE on systems not using firewalld (use port UDP/67 and UDP/69 instead of TCP/68 and TCP/69).

11.2.0

New Features

  • Adds support for using dnsmasq as a DHCP relay target via the new dhcp_pool_mask parameter.

  • Automatically configures enabled_raid_interfaces based on the enabled_hardware_types.

  • Adds support for manually specified enabled raid interfaces via the new enabled_raid_interfaces parameter.

  • Supports customizing the TFTP directory via the new parameter tftp_boot_folder.

  • Adds a new role bifrost-uwsgi-install encapsulating uWSGI configuration logic.

  • Virtual media images are now protected by TLS when TLS support is enabled.

Known Issues

  • Fedora 34 cryptography settings may prevent it from logging into CirrOS via SSH. CirrOS images should not be used in production. If this problem affects your development environment, temporarily lower the cryptography profile:

    sudo update-crypto-policies --set LEGACY

Upgrade Notes

  • Fedora 34 is now tested in the CI. Fedora 32 and newer should work, but are not tested any more.

  • The admin Keystone endpoint will be upgraded from using port 35357 (a separate admin API) to use port 5000 (the default Identity API).

  • Switches TFTP handling from Xinetd to dnsmasq, which must be enabled for TFTP boot to work.

  • Keystone services are now run as separate systemd services uwsgi@keystone-public and uwsgi@keystone-admin. The standalone uwsgi service is no longer used and is disabled on upgrade.

  • If enable_tls is true, virtual media images for Redfish, iDRAC-Redfish and iLO are now served via TLS using Ironic’s TLS certificate. If this is not desired, set the new option vmedia_enable_tls to false.

    The new server’s port can be configured via the new file_url_port_tls option.

Deprecation Notes

  • The separate Keystone admin API (served at port 35357) is deprecated and will be removed in a future release. Please update your applications to refer to port 5000 only for Keystone operations.

Bug Fixes

  • When copy_from_local_path is used, the destination path is removed on upgrade before copying.

  • Fixes Fedora 34 support by switching from the removed Xinetd to dnsmasq for TFTP boot.

  • Fixes support for TLS ca_cert and other current authentication parameters in the os_ironic_node_info module. The implementation uses utilities from the OpenStack Ansible collection.

Other Notes

  • Moves the generic code for managing Nginx into a new role bifrost-nginx-install.