stackhpc · Alex-Welsh · May 18, 2026 · Apr 7, 2026 · Apr 24, 2026 · Apr 28, 2026
@@ -61,10 +61,10 @@
               --name {{ inventory_hostname }} \
               --driver {{ ironic_driver }} \
               {% for key, value in ironic_driver_info.items() %}
-              --driver-info {{ key }}={{ value }} \
+              --driver-info {{ (key ~ '=' ~ value) | quote }} \
               {% endfor %}
               {% for key, value in ironic_properties.items() %}
-              --property {{ key }}={{ value }} \
+              --property {{ (key ~ '=' ~ value) | quote }} \
               {% endfor %}
               --resource-class {{ ironic_resource_class }}
           when:

@@ -83,18 +83,18 @@
 
         - name: Set IPMI serial console terminal port
           vars:
-            name: "{{ node['name'] }}"
-            port: "{{ hostvars[controller_host].console_allocation_result.ports[name] }}"
+            node_name: "{{ node['name'] }}"
+            node_port: "{{ hostvars[controller_host].console_allocation_result.ports[node_name] }}"
             # NOTE: Without this, the controller's ansible_host variable will not
             # be respected when using delegate_to.
             ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}"
           command: >
-            {{ venv }}/bin/openstack baremetal node set {{ name }} --driver-info ipmi_terminal_port={{ port }}
+            {{ venv }}/bin/openstack baremetal node set {{ node_name }} --driver-info ipmi_terminal_port={{ node_port }}
           delegate_to: "{{ controller_host }}"
           environment: "{{ openstack_auth_env }}"
           when: >-
             node['driver_info'].ipmi_terminal_port is not defined or
-            node['driver_info'].ipmi_terminal_port | int != port | int
+            node['driver_info'].ipmi_terminal_port | int != node_port | int
 
         - name: Enable the IPMI socat serial console
           vars:

@@ -15,7 +15,6 @@
         name: docker
       vars:
         docker_daemon_mtu: "{{ public_net_name | net_mtu | default }}"
-        docker_configure_for_zun: "{{ kolla_enable_zun | bool }}"
         docker_http_proxy: "{{ kolla_http_proxy }}"
         docker_https_proxy: "{{ kolla_https_proxy }}"
         docker_no_proxy: "{{ kolla_no_proxy | select | join(',') }}"

@@ -10,4 +10,4 @@
     - role: dell-switch-bmp
       # This is the Nginx web server on the seed node.
       dell_switch_bmp_http_base_url: "http://{{ provision_oc_net_name | net_ip }}:8080"
-      when: dell_switch_bmp_images
+      when: dell_switch_bmp_images is truthy
@@ -106,6 +106,11 @@ kolla_bifrost_inspector_keep_ports: "present"
 # kept to retain full node inspection capabilities.
 kolla_bifrost_inspector_extra_kernel_options: "{{ inspector_extra_kernel_options }}"
 
+# Node driver to use for auto-discovered nodes. Default is
+# {{ inspector_discovery_enroll_node_driver }}, defined in inspector.yml. Set
+# to 'redfish' for modern BMC implementations.
+kolla_bifrost_inspector_default_node_driver: "{{ inspector_discovery_enroll_node_driver }}"
+
 # List of introspection rules for Bifrost's Ironic Inspector service.
 kolla_bifrost_inspector_rules: "{{ inspector_rules }}"
 

@@ -174,8 +174,6 @@ overcloud_container_image_regex_map:
     enabled: "{{ kolla_enable_heat | bool }}"
   - regex: ^horizon
     enabled: "{{ kolla_enable_horizon | bool }}"
-  - regex: ^influxdb
-    enabled: "{{ kolla_enable_influxdb | bool }}"
   - regex: ^ironic
     enabled: "{{ kolla_enable_ironic | bool }}"
   - regex: ironic-neutron-agent
@@ -188,8 +186,6 @@ overcloud_container_image_regex_map:
     enabled: "{{ kolla_enable_keystone | bool }}"
   - regex: kolla-toolbox
     enabled: True
-  - regex: ^kuryr
-    enabled: "{{ kolla_enable_kuryr | bool }}"
   - regex: ^letsencrypt
     enabled: "{{ kolla_enable_letsencrypt | bool }}"
   - regex: ^magnum
@@ -250,8 +246,6 @@ overcloud_container_image_regex_map:
     enabled: "{{ kolla_enable_swift | bool }}"
   - regex: ^tacker
     enabled: "{{ kolla_enable_tacker | bool }}"
-  - regex: ^telegraf
-    enabled: "{{ kolla_enable_telegraf | bool }}"
   - regex: ^tgtd
     enabled: "{{ kolla_enable_cinder | bool or kolla_enable_ironic | bool }}"
   - regex: ^trove
@@ -260,8 +254,6 @@ overcloud_container_image_regex_map:
     enabled: "{{ kolla_enable_valkey | bool }}"
   - regex: ^watcher
     enabled: "{{ kolla_enable_watcher | bool }}"
-  - regex: ^zun
-    enabled: "{{ kolla_enable_zun | bool }}"
 
 # List of regular expressions matching names of container images to build for
 # overcloud hosts.
@@ -558,13 +550,11 @@ kolla_enable_grafana: "no"
 kolla_enable_hacluster: "no"
 kolla_enable_heat: "{{ kolla_enable_openstack_core | bool }}"
 kolla_enable_horizon: "{{ kolla_enable_openstack_core | bool }}"
-kolla_enable_influxdb: "{{ kolla_enable_cloudkitty | bool }}"
 kolla_enable_ironic: "no"
 kolla_enable_ironic_dnsmasq: "{{ kolla_enable_ironic | bool and kolla_inspector_enable_discovery | bool }}"
 kolla_enable_ironic_pxe_filter: "{{ kolla_enable_ironic | bool and kolla_inspector_enable_discovery | bool }}"
 kolla_enable_ironic_neutron_agent: "{{ kolla_enable_neutron | bool and kolla_enable_ironic | bool }}"
 kolla_enable_iscsid: "{{ kolla_enable_cinder | bool and kolla_enable_cinder_backend_iscsi | bool }}"
-kolla_enable_kuryr: "no"
 kolla_enable_letsencrypt: "no"
 kolla_enable_magnum: "no"
 kolla_enable_manila: "no"
@@ -583,19 +573,17 @@ kolla_enable_ovs_dpdk: "no"
 kolla_enable_opensearch: "{{ kolla_enable_central_logging | bool or kolla_enable_osprofiler | bool }}"
 kolla_enable_opensearch_dashboards: "{{ kolla_enable_opensearch | bool }}"
 kolla_enable_osprofiler: "no"
-kolla_enable_placement: "{{ kolla_enable_nova | bool or kolla_enable_zun | bool }}"
+kolla_enable_placement: "{{ kolla_enable_nova | bool }}"
 kolla_enable_prometheus: "no"
 kolla_enable_qdrouterd: "no"
 kolla_enable_redis: "no"
 kolla_enable_skyline: "no"
 kolla_enable_swift: "no"
 kolla_enable_tacker: "no"
-kolla_enable_telegraf: "no"
 kolla_enable_trove: "no"
 kolla_enable_valkey: "no"
 kolla_enable_vitrage: "no"
 kolla_enable_watcher: "no"
-kolla_enable_zun: "no"
 
 ###############################################################################
 # Kolla custom config generation.

@@ -32,7 +32,7 @@
       when:
         - item | net_cidr != None
         - item | net_bootproto != 'dhcp'
-        - not item | net_no_ip | bool
+        - item | net_no_ip is falsy
   roles:
     - role: ip-allocation
       ip_allocation_filename: "{{ kayobe_env_config_path }}/network-allocation.yml"

@@ -102,6 +102,10 @@
       vars:
         kolla_ansible_control_host_become: "{{ kayobe_control_host_become | bool }}"
         kolla_ansible_install_epel: "{{ dnf_install_epel }}"
+        kolla_ansible_custom_requirements_search_paths_static:
+          - "{{ kayobe_config_path }}"
+        kolla_ansible_custom_requirements_search_paths: "{{ kolla_ansible_custom_requirements_search_paths_static + kayobe_env_search_paths | default([]) }}"
+        kolla_ansible_custom_requirements_paths: "{{ kolla_ansible_custom_requirements_search_paths | map('regex_replace', '$', '/kolla/requirements.yml') | list }}"
         kolla_external_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy.pem"
         kolla_internal_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy-internal.pem"
         kolla_ansible_passwords_path: "{{ kayobe_env_config_path }}/kolla/passwords.yml"

@@ -51,8 +51,8 @@
         ping {{ item | net_gateway }} -c1 -M do {% if mtu %} -s {{ mtu | int - icmp_overhead_bytes }}{% endif %}
       with_items: "{{ network_interfaces }}"
       when:
-        - item | net_ip
-        - item | net_gateway
+        - item | net_ip is truthy
+        - item | net_gateway is truthy
       changed_when: False
       vars:
         mtu: "{{ item | net_mtu }}"
@@ -77,14 +77,14 @@
       when:
         - remote_hosts | length > 0
         - remote_ip | length > 0
-        - item | net_ip
+        - item | net_ip is truthy
       changed_when: False
       vars:
         # Select other hosts targeted by this play which have this network
         # interface (item).
         remote_hosts: >
           {{ hostvars.values() |
-             selectattr('inventory_hostname', 'is_in', play_hosts) |
+             selectattr('inventory_hostname', 'is_in', ansible_play_batch) |
              selectattr('network_interfaces', 'defined') |
              selectattr('network_interfaces', 'issuperset', [item]) |
              rejectattr('inventory_hostname', 'equalto', inventory_hostname) |
@@ -95,5 +95,5 @@
         # in the command.  Assumption was that this was being evaluated once
         # for the when clause and then again for the command. Bug?
         remote_host: "{{ remote_hosts | random(seed=ansible_facts.date_time.iso8601) if remote_hosts | length > 0 else '' }}"
-        remote_ip: "{{ lookup('cached', 'vars', item ~ '_ips', default={})[remote_host] | default('', true) }}"
+        remote_ip: "{{ lookup('vars', item ~ '_ips', default={})[remote_host] | default('', true) }}"
         mtu: "{{ item | net_mtu }}"
@@ -0,0 +1,61 @@
+---
+- name: Ensure overcloud hosts are registered in Bifrost
+  hosts: overcloud
+  gather_facts: false
+  vars:
+    seed_host: "{{ groups['seed'][0] }}"
+  # Try to reduce contention on Bifrost and resolve db lock errors
+  serial: 10
+  tasks:
+    - name: Fail when no supported drivers are available
+      ansible.builtin.fail:
+        msg: This node uses an unsupported or undefined driver, only Redfish is supported.
+      when:
+        - ironic_driver | default ('') not in ['redfish']
+
+    - name: List baremetal nodes
+      command: >
+        {{ container_engine }} exec bifrost_deploy
+        bash -c '
+        export OS_CLOUD=bifrost &&
+        openstack baremetal node show {{ inventory_hostname }}'
+      register: node_show
+      failed_when: false
+      changed_when: false
+      delegate_to: "{{ seed_host }}"
+      vars:
+        ansible_host: "{{ hostvars[seed_host].ansible_host | default(seed_host) }}"
+
+    - name: Create baremetal nodes
+      command: >
+        {{ container_engine }} exec bifrost_deploy
+        bash -c '
+        export OS_CLOUD=bifrost &&
+        openstack baremetal node create
+        --driver {{ ironic_driver }}
+        {% for key, value in ironic_driver_info.items() %}
+        --driver-info {{ (key ~ '=' ~ value) | quote }}
+        {% endfor %}
+        {% for key, value in ironic_properties.items() %}
+        --property {{ (key ~ '=' ~ value) | quote }}
+        {% endfor %}
+        --name {{ inventory_hostname }}'
+      delegate_to: "{{ seed_host }}"
+      vars:
+        ansible_host: "{{ hostvars[seed_host].ansible_host | default(seed_host) }}"
+      when:
+        - node_show.rc != 0
+
+    - name: Manage baremetal nodes
+      command: >
+        {{ container_engine }} exec bifrost_deploy
+        bash -c '
+        export OS_CLOUD=bifrost &&
+        openstack baremetal node manage
+        {{ inventory_hostname }}
+        --wait'
+      delegate_to: "{{ seed_host }}"
+      vars:
+        ansible_host: "{{ hostvars[seed_host].ansible_host | default(seed_host) }}"
+      when:
+        - node_show.rc != 0
@@ -12,9 +12,10 @@
   when: (role_path ~ '/templates/' ~ item ~ '.j2') is exists
   loop:
     - "{{ repo_file_prefix }}.repo"
-    - "{{ repo_file_prefix }}-extras.repo"
     - "{{ repo_file_prefix }}-addons.repo"
     - "{{ repo_file_prefix }}-devel.repo"
+    - "{{ repo_file_prefix }}-extras.repo"
+    - "{{ repo_file_prefix }}-security.repo"
 
 - name: Update cache
   dnf:

@@ -0,0 +1,37 @@
+# rocky-security.repo
+#
+# The mirrorlist system uses the connecting IP address of the client and the
+# update status of each mirror to pick current mirrors that are geographically
+# close to the client.  You should use this for Rocky updates unless you are
+# manually picking other mirrors.
+#
+# If the mirrorlist does not work for you, you can try the commented out
+# baseurl line instead.
+
+[security]
+name=Rocky Linux $releasever - Security
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=security-$releasever$rltype
+baseurl=http://{{ dnf_rocky_mirror_host }}/{{ dnf_rocky_mirror_directory }}/$releasever/security/$basearch/os/
+gpgcheck=1
+enabled=0
+countme=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-10
+
+[security-debuginfo]
+name=Rocky Linux $releasever - Security Debug
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=security-$releasever-debug$rltype
+baseurl=http://{{ dnf_rocky_mirror_host }}/{{ dnf_rocky_mirror_directory }}/$releasever/security/$basearch/debug/tree/
+gpgcheck=1
+enabled=0
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-10
+
+[security-source]
+name=Rocky Linux $releasever - Security Source
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=security-$releasever-source$rltype
+baseurl=http://{{ dnf_rocky_mirror_host }}/{{ dnf_rocky_mirror_directory }}/$releasever/security/source/tree/
+gpgcheck=1
+enabled=0
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-10
@@ -30,6 +30,7 @@
     regexp: "^127.0.1.1\\b.*\\s{{ ansible_facts.hostname }}\\b"
     state: absent
   become: True
+  when: inventory_hostname in etc_hosts_hosts
 
 - name: Generate /etc/hosts for all of the nodes
   blockinfile:

@@ -96,7 +96,7 @@
           checksum: "{{ ipa_images_checksum.results[1].stat.checksum }}"
           glance_checksum: "{{ ipa_images_ramdisk.images[0].checksum | default }}"
       when:
-        - item.glance_checksum
+        - item.glance_checksum | default('') | length > 0
         - item.checksum != item.glance_checksum
       environment: "{{ ipa_images_openstack_auth_env }}"
 

@@ -34,6 +34,11 @@ kolla_ansible_requirements_yml: "{{ kolla_ansible_venv }}/share/kolla-ansible/re
 # Path to a an additional requirements.yml file for Ansible collections when using ansible-core.
 kolla_ansible_core_requirements_yml: "{{ kolla_ansible_venv }}/share/kolla-ansible/requirements-core.yml"
 
+# List of optional paths to custom requirements.yml files for Ansible
+# collections. Files that exist will be installed in order.
+# If None, custom collections are not installed.
+kolla_ansible_custom_requirements_paths:
+
 # Virtualenv directory where Kolla-ansible's ansible modules will execute
 # remotely on the target nodes. If None, no virtualenv will be used.
 kolla_ansible_target_venv:
@@ -228,9 +233,7 @@ kolla_openstack_logging_debug:
 #kolla_enable_grafana:
 #kolla_enable_heat:
 #kolla_enable_horizon:
-#kolla_enable_influxdb:
 #kolla_enable_ironic:
-#kolla_enable_kuryr:
 #kolla_enable_magnum:
 #kolla_enable_manila:
 #kolla_enable_mistral:
@@ -241,7 +244,6 @@ kolla_openstack_logging_debug:
 #kolla_enable_neutron_vpnaas:
 #kolla_enable_prometheus:
 #kolla_enable_swift:
-#kolla_enable_telegraf:
 #kolla_enable_watcher:
 
 #######################

@@ -160,3 +160,29 @@
     ANSIBLE_COLLECTIONS_SCAN_SYS_PATH: "False"
     # NOTE(wszumski): Don't use path configured for kayobe
     ANSIBLE_COLLECTIONS_PATH: ''
+
+- name: Check for custom Ansible collections requirements files
+  stat:
+    path: "{{ item }}"
+    get_checksum: False
+    mime: False
+  with_items: "{{ kolla_ansible_custom_requirements_paths }}"
+  register: kolla_ansible_custom_requirements_file
+  when: kolla_ansible_custom_requirements_paths is not none
+
+- name: Ensure custom Ansible collections are installed
+  command:
+    cmd: >-
+      ansible-galaxy collection install --force
+      -r {{ item.item }}
+      -p {{ kolla_ansible_venv }}/share/kolla-ansible/ansible/collections/
+  with_items: "{{ kolla_ansible_custom_requirements_file.results }}"
+  environment:
+    # NOTE(wszumski): Ignore collections shipped with ansible, so that we can install
+    # newer versions.
+    ANSIBLE_COLLECTIONS_SCAN_SYS_PATH: "False"
+    # NOTE(wszumski): Don't use path configured for kayobe
+    ANSIBLE_COLLECTIONS_PATH: ''
+  when:
+    - kolla_ansible_custom_requirements_paths is not none
+    - item.stat.exists
@@ -74,8 +74,6 @@ docker_namespace: "{{ kolla_docker_namespace }}"
 docker_registry_username: "{{ kolla_docker_registry_username }}"
 {% endif %}
 
-#docker_configure_for_zun: "no"
-
 ###################
 # Messaging options
 ###################

@@ -135,9 +135,6 @@ control
 [bifrost:children]
 deployment
 
-[zun:children]
-control
-
 [skyline:children]
 control