Use Python 3.11 instead of 3.12

SLE 15.6 the container is based on does not ship Python 3.12, the next
packaged release will be 3.13, so stick to 3.11 until then.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>

ironic-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.5
+#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4
-#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.5-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE%
 #!BuildVersion: 15.6
 
 ARG SLE_VERSION
@@ -42,8 +42,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opencontainers.image.version="26.1.2.5"
+LABEL org.opencontainers.image.version="26.1.2.4"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.5-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -69,14 +69,11 @@ RUN mkdir -p $GRUB_DIR
 
 COPY scripts/ /bin/
 COPY configure-nonroot.sh /bin/
-RUN set -euo pipefail; chmod +x /bin/configure-ironic.sh /bin/ironic-probe.sh /bin/rundatabase-upgrade /bin/rundnsmasq /bin/runhttpd /bin/runironic /bin/runlogwatch.sh /bin/runonline-data-migrations /bin/configure-nonroot.sh
+RUN set -euo pipefail; chmod +x /bin/configure-ironic.sh /bin/rundnsmasq /bin/runhttpd /bin/runironic /bin/runironic-exporter /bin/runlogwatch.sh /bin/configure-nonroot.sh
-
-RUN mv /bin/ironic-probe.sh /bin/ironic-readiness
-RUN cp /bin/ironic-readiness /bin/ironic-liveness
 
 COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 \
      ironic-config/ipxe_config.template ironic-config/dnsmasq.conf.j2 \
-     /tmp/
+     /templates/
 
 # IRONIC #
 RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
@@ -101,8 +98,8 @@ RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf
 # Custom httpd config, removes all but the bare minimum needed modules
 COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
-COPY ironic-config/apache2-vmedia.conf.j2 /tmp/httpd-vmedia.conf.j2
+COPY ironic-config/apache2-vmedia.conf.j2 /templates/httpd-vmedia.conf.j2
-COPY ironic-config/apache2-ipxe.conf.j2 /tmp/httpd-ipxe.conf.j2
+COPY ironic-config/apache2-ipxe.conf.j2 /templates/httpd-ipxe.conf.j2
 
 # configure non-root user and set relevant permissions
 RUN configure-nonroot.sh && rm -f /bin/configure-nonroot.sh

ironic-image/configure-nonroot.sh

@@ -1,70 +1,53 @@
 #!/usr/bin/bash
 
-# This script changes permissions to allow Ironic container to run as non-root
-# user. As the same image is used to run ironic, ironic-httpd, ironic-dsnmasq,
-# and ironic-log-watch via BMO's ironic k8s manifest, it has
-# to be configured to work with multiple different users and groups, while they
-# share files via bind mounts (/shared, /certs/*), which can only get one
-# group id as "fsGroup". Additionally, dnsmasq needs three capabilities to run
-# which we provide via "setcap", and "allowPrivilegeEscalation: true" in
-# manifest.
-
-set -eux
-
-# user and group are from ironic rpms (uid 997, gid 994)
 NONROOT_UID=10475
 NONROOT_GID=10475
-IRONIC_USER="ironic-suse"
+USER="ironic-suse"
-IRONIC_GROUP="ironic-suse"
 
-groupadd -r -g ${NONROOT_GID} ${IRONIC_GROUP}
+groupadd -r -g ${NONROOT_GID} ${USER}
 useradd -r -g ${NONROOT_GID} \
            -u ${NONROOT_UID} \
            -d /var/lib/ironic \
            -s /sbin/nologin \
-           ${IRONIC_USER}
+           ${USER}
 
-# most containers mount /shared but dnsmasq can live without it
+# create ironic's http_root directory
-mkdir -p /shared
+mkdir -p /shared/html
-mkdir -p /data
+chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html
-mkdir -p /conf
-chown "${IRONIC_USER}":"${IRONIC_GROUP}" /shared
-chown "${IRONIC_USER}":"${IRONIC_GROUP}" /data
-chown "${IRONIC_USER}":"${IRONIC_GROUP}" /conf
 
 # we'll bind mount shared ca and ironic certificate dirs here
 # that need to have correct ownership as the entire ironic in BMO
 # deployment shares a single fsGroup in manifest's securityContext
 mkdir -p /certs/ca
-chown "${IRONIC_USER}":"${IRONIC_GROUP}" /certs{,/ca}
+chown "${NONROOT_UID}":"${NONROOT_GID}" /certs{,/ca}
 chmod 2775 /certs{,/ca}
 
 # apache2 permission changes
-chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/apache2
+chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2
-chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /run
+chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run
 
 # ironic and httpd related changes
 mkdir -p /etc/httpd/conf.d
-chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
+chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd
+chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log
 chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
-#chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
+chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
-chmod 664 /etc/ironic/* /etc/httpd/conf/*
 
-chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ironic
+chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic
-chmod 2775 /var/lib/ironic
 chmod 664 /var/lib/ironic/ironic.sqlite
 
 # dnsmasq, and the capabilities required to run it as non-root user
-chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/dnsmasq.conf
+chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq
-#handled at chart level
+chmod 2775 /var/lib/dnsmasq
-#setcap "cap_net_raw,cap_net_admin,cap_net_bind_service=+eip" /usr/sbin/dnsmasq
+touch /var/lib/dnsmasq/dnsmasq.leases
+chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
 
 # ca-certificates permission changes
 touch /var/lib/ca-certificates/ca-bundle.pem.new
-chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ca-certificates/
+chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/
 chmod -R +w /var/lib/ca-certificates/
 
 # probes that are created before start
 touch /bin/ironic-{readi,live}ness
-chown root:"${IRONIC_GROUP}" /bin/ironic-{readi,live}ness
+chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness
 chmod 775 /bin/ironic-{readi,live}ness

ironic-image/ironic-config/httpd.conf.j2

@@ -64,7 +64,7 @@ AddDefaultCharset UTF-8
     MIMEMagicFile conf/magic
 </IfModule>
 
-PidFile /var/tmp/httpd.pid
+PidFile {{ env.IRONIC_TMP_DATA_DIR }}/httpd.pid
 
 # EnableSendfile directive could speed up deployments but it could also cause
 # issues depending on the underlying file system, to learn more:

ironic-image/ironic-config/inspector.ipxe.j2

@@ -5,6 +5,6 @@ echo In inspector.ipxe
 imgfree
 # NOTE(dtantsur): keep inspection kernel params in [mdns]params in
 # ironic-inspector-image and configuration in configure-ironic.sh
-kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure={{ env.IPA_INSECURE }} ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent-${buildarch}.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
+kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
-initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.initramfs || goto retry_boot
+initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent.initramfs || goto retry_boot
 boot

ironic-image/ironic-config/ironic.conf.j2

@@ -27,7 +27,6 @@ use_stderr = true
 hash_ring_algorithm = sha256
 my_ip = {{ env.IRONIC_IP }}
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
-tempdir = {{ env.IRONIC_TMP_DATA_DIR }}
 
 # If a path to a certificate is defined, use that first for webserver
 {% if env.WEBSERVER_CACERT_FILE %}
@@ -85,7 +84,7 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 send_sensor_data_interval = 160
-bootloader = {{ env.IRONIC_HTTP_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
+bootloader = file:///templates/uefi_esp.img
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
 node_history = False
@@ -100,6 +99,9 @@ deploy_ramdisk = file://{{ env.IRONIC_DEFAULT_RAMDISK }}
 {% if env.DISABLE_DEEP_IMAGE_INSPECTION | lower == "true" %}
 disable_deep_image_inspection = True
 {% endif %}
+# Allowed path for file:// links: ipa-downloader uses /shared/html/images,
+# while the bootloader configuration above refers to /templates.
+file_url_allowed_paths = /shared/html/images,/templates
 
 [database]
 {% if env.IRONIC_USE_MARIADB | lower == "true" %}
@@ -192,6 +194,11 @@ insecure = {{ env.IRONIC_INSECURE }}
 [nova]
 send_power_notifications = false
 
+[oslo_messaging_notifications]
+driver = prometheus_exporter
+location = /shared/ironic_prometheus_exporter
+transport_url = fake://
+
 [pxe]
 # NOTE(dtantsur): keep this value at least 3x lower than
 # [conductor]deploy_callback_timeout so that at least some retries happen.
@@ -201,7 +208,7 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
@@ -209,19 +216,19 @@ enable_netboot_fallback = true
 # Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
 {% if env.IPXE_TLS_SETUP | lower == "true" %}
-ipxe_config_template = /tmp/ipxe_config.template
+ipxe_config_template = /templates/ipxe_config.template
 {% endif %}
 
 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 
 [ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 use_web_server_for_images = true
 
 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}

ironic-image/scripts/configure-ironic.sh

@@ -79,6 +79,7 @@ echo 'Options set from Environment variables'
 env | grep "^OS_" || true
 
 mkdir -p /shared/html
+mkdir -p /shared/ironic_prometheus_exporter
 
 if [[ -f /proc/sys/crypto/fips_enabled ]]; then
     ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)

ironic-image/scripts/rundnsmasq

@@ -36,7 +36,7 @@ fi
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory
 # where we can't write
-python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/tmp/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
+python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/templates/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
 
 for iface in $(echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do
     sed -i -e "/^interface=.*/ a\except-interface=${iface}" "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"

ironic-image/scripts/runhttpd

@@ -36,8 +36,7 @@ fi
 export INSPECTOR_EXTRA_ARGS
 
 # Copy files to shared mount
-render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe
+render_j2_config /templates/inspector.ipxe.j2 /shared/html/inspector.ipxe
-cp /tmp/uefi_esp*.img /shared/html/
 # cp -r /etc/httpd/* "${HTTPD_DIR}"
 if [[ -f "${HTTPD_CONF_DIR}/httpd.conf" ]]; then
     mv "${HTTPD_CONF_DIR}/httpd.conf" "${HTTPD_CONF_DIR}/httpd.conf.example"
@@ -49,7 +48,7 @@ render_j2_config "/etc/httpd/conf/httpd.conf.j2" \
 
 if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
     if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
-        render_j2_config "/tmp/httpd-ironic-api.conf.j2" \
+        render_j2_config "/templates/httpd-ironic-api.conf.j2" \
             "${HTTPD_CONF_DIR_D}/ironic.conf"
     fi
 else
@@ -60,7 +59,7 @@ write_htpasswd_files
 
 # Render httpd TLS configuration for /shared/html/<redifsh;ilo>
 if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
-    render_j2_config "/tmp/httpd-vmedia.conf.j2" \
+    render_j2_config "/templates/httpd-vmedia.conf.j2" \
         "${HTTPD_CONF_DIR_D}/vmedia.conf"
 fi
 
@@ -68,7 +67,7 @@ fi
 if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
     mkdir -p /shared/html/custom-ipxe
     chmod 0777 /shared/html/custom-ipxe
-    render_j2_config "/tmp/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf"
+    render_j2_config "/templates/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf"
     cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
        "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
        "/shared/html/custom-ipxe"

ironic-image/scripts/runironic-exporter

@@ -0,0 +1,14 @@
+#!/usr/bin/bash
+
+# shellcheck disable=SC1091
+. /bin/configure-ironic.sh
+# shellcheck disable=SC1091
+. /bin/ironic-common.sh
+
+FLASK_RUN_HOST=${FLASK_RUN_HOST:-0.0.0.0}
+FLASK_RUN_PORT=${FLASK_RUN_PORT:-9608}
+
+export IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
+
+exec gunicorn -b "${FLASK_RUN_HOST}:${FLASK_RUN_PORT}" -w 4 \
+    ironic_prometheus_exporter.app.wsgi:application

ironic-image/scripts/runlogwatch.sh

@@ -12,6 +12,10 @@ python3.11 -m pyinotify --raw-format -e IN_CLOSE_WRITE -v "${LOG_DIR}" |
         # <Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name=mylogs.gzip path=/shared/log/ironic/deploy pathname=/shared/log/ironic/deploy/mylogs.gzip wd=1 >
         FILENAME=$(echo "${filename}" | cut -d'=' -f2-)
         echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
-        tar -xOzvvf "${LOG_DIR}/${FILENAME}" | sed -e "s/^/${FILENAME}: /"
+        tar -tzf "${LOG_DIR}/${FILENAME}" | while read -r entry; do
+            echo "${FILENAME}: **** Entry: ${entry} ****"
+            tar -xOzf "${LOG_DIR}/${FILENAME}" "${entry}" | sed -e "s/^/${FILENAME}: /"
+            echo
+        done
         rm -f "${LOG_DIR}/${FILENAME}"
     done

ironic-image/scripts/tls-common.sh

@@ -20,11 +20,6 @@ export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
 
 export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
 
-mkdir -p /certs/ironic
-mkdir -p /certs/ca/ironic
-mkdir -p /certs/ipxe
-mkdir -p /certs/vmedia
-
 if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
     echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
     exit 1
@@ -69,6 +64,7 @@ if [[ -f "$IRONIC_CERT_FILE" ]] || [[ -f "$IRONIC_CACERT_FILE" ]]; then
     export IRONIC_TLS_SETUP="true"
     export IRONIC_SCHEME="https"
     if [[ ! -f "$IRONIC_CACERT_FILE" ]]; then
+        mkdir -p "$(dirname "${IRONIC_CACERT_FILE}")"
         copy_atomic "$IRONIC_CERT_FILE" "$IRONIC_CACERT_FILE"
     fi
 else
@@ -107,7 +103,7 @@ configure_restart_on_certificate_update()
         if [[ "${service}" == httpd ]]; then
             signal="WINCH"
         fi
-        python3 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${cert_file}" |
+        python3.12 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${cert_file}" |
             while read -r; do
                 pkill "-${signal}" "${service}"
             done &

ironic-ipa-downloader-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.7
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -18,11 +18,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.8"
+LABEL org.opencontainers.image.version="3.0.6"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,6 +33,8 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
+RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
+RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.aarch64

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.7
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.7-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -18,11 +18,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.8"
+LABEL org.opencontainers.image.version="3.0.6"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,6 +33,8 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
+RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
+RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.x86_64

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.7
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.7-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -18,11 +18,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.8"
+LABEL org.opencontainers.image.version="3.0.6"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,6 +33,8 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
+RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
+RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/get-resource.sh

@@ -6,8 +6,6 @@ export http_proxy=${http_proxy:-$HTTP_PROXY}
 export https_proxy=${https_proxy:-$HTTPS_PROXY}
 export no_proxy=${no_proxy:-$NO_PROXY}
 
-IMAGES_BASE_PATH="/srv/tftpboot/openstack-ironic-image"
-
 if [ -d "/tmp/ironic-certificates" ]; then
   sha256sum /tmp/ironic-certificates/* > /tmp/certificates.sha256
   if cmp "/shared/certificates.sha256" "/tmp/certificates.sha256"; then
@@ -28,14 +26,14 @@ if [ -z "${IPA_BASEURI}" ]; then
   IMAGE_CHANGED=1
   # SLES BASED IPA - ironic-ipa-ramdisk-x86_64 and ironic-ipa-ramdisk-aarch64 packages
   mkdir -p /shared/html/images
-  if [ -f ${IMAGES_BASE_PATH}/initrd-x86_64.zst ]; then
+  if [ -f /tmp/initrd-x86_64.zst ]; then
-    cp ${IMAGES_BASE_PATH}/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs
+    cp /tmp/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs
-    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel
+    cp /tmp/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel
   fi
   # Use arm64 as destination for iPXE compatibility
-  if [ -f ${IMAGES_BASE_PATH}/initrd-aarch64.zst ]; then
+  if [ -f /tmp/initrd-aarch64.zst ]; then
-    cp ${IMAGES_BASE_PATH}/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs
+    cp /tmp/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs
-    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel
+    cp /tmp/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel
   fi
 
   cp /tmp/images.sha256 /shared/images.sha256

metal3-chart/Chart.yaml

@@ -1,7 +1,7 @@
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.9_up0.11.7
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.9_up0.11.7-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6-%RELEASE%
 apiVersion: v2
-appVersion: 0.11.7
+appVersion: 0.11.6
 dependencies:
 - alias: metal3-baremetal-operator
   name: baremetal-operator
@@ -10,7 +10,7 @@ dependencies:
 - alias: metal3-ironic
   name: ironic
   repository: file://./charts/ironic
-  version: 0.10.6
+  version: 0.10.5
 - alias: metal3-mariadb
   condition: global.enable_mariadb
   name: mariadb
@@ -20,9 +20,9 @@ dependencies:
   condition: global.enable_metal3_media_server
   name: media
   repository: file://./charts/media
-  version: 0.6.3
+  version: 0.6.2
 description: A Helm chart that installs all of the dependencies needed for Metal3
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: "%%CHART_MAJOR%%.0.9+up0.11.7"
+version: "%%CHART_MAJOR%%.0.8+up0.11.6"

metal3-chart/charts/ironic/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: 26.1.2
 description: A Helm chart for Ironic, used by Metal3
 name: ironic
 type: application
-version: 0.10.6
+version: 0.10.5

metal3-chart/charts/ironic/templates/configmap.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: ironic
+  name: ironic-bmo
   labels:
     {{- include "ironic.labels" . | nindent 4 }}
 data:
@@ -9,6 +9,7 @@ data:
   {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
   {{- $protocol := ternary "https" "http" $enableTLS }}
   {{- $ironicIP := .Values.global.ironicIP | default "" }}
+  {{- $ironicApiHost := print $ironicIP ":6385" }}
   {{- $ironicBootHost := print $ironicIP ":6180" }}
   {{- $ironicCacheHost := print $ironicIP ":6180" }}
   {{- $deployArch := .Values.global.deployArchitecture }}
@@ -24,6 +25,11 @@ data:
   {{- end }}
   HTTP_PORT: "6180"
   PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}"
+  USE_IRONIC_INSPECTOR: "false"
+  IRONIC_API_BASE_URL: {{ $protocol }}://{{ $ironicApiHost }}
+  IRONIC_API_HOST: {{ $ironicApiHost }}
+  IRONIC_API_HTTPD_SERVER_NAME: {{ $ironicApiHost }}
+  IRONIC_ENDPOINT: {{ $protocol }}://{{ $ironicApiHost }}/v1/
   # Switch VMedia to HTTP if enable_vmedia_tls is false
   {{- if and $enableTLS $enableVMediaTLS }}
     {{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
@@ -33,8 +39,12 @@ data:
     {{- $protocol = "http" }}
   {{- end }}
   IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ $ironicCacheHost }}
+  CACHEURL: {{ $protocol }}://{{ $ironicCacheHost }}/images
+  DEPLOY_KERNEL_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.kernel
+  DEPLOY_RAMDISK_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.initramfs
   DEPLOY_ARCHITECTURE: {{ $deployArch }}
   IRONIC_BOOT_BASE_URL: {{ $protocol }}://{{ $ironicBootHost }}
+  IRONIC_VMEDIA_HTTPD_SERVER_NAME: {{ $ironicBootHost }}
   ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}"
   {{- if .Values.global.provisioningInterface }}
   PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }}
@@ -42,6 +52,8 @@ data:
   {{- if .Values.global.provisioningIP }}
   PROVISIONING_IP: {{ .Values.global.provisioningIP }}
   {{- end }}
+  IRONIC_ILO_USE_SWIFT: "false"
+  IRONIC_ILO_USE_WEB_SERVER_FOR_IMAGES: "true"
   IRONIC_FAST_TRACK: "true"
   LISTEN_ALL_INTERFACES: "true"
   {{- if .Values.global.ironicIP }}

metal3-chart/charts/ironic/templates/deployment.yaml

@@ -39,7 +39,7 @@ spec:
         - /bin/runhttpd
         envFrom:
         - configMapRef:
-            name: ironic
+            name: ironic-bmo
         livenessProbe:
           exec:
             command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"]
@@ -97,7 +97,7 @@ spec:
         - /bin/runironic
         envFrom:
         - configMapRef:
-            name: ironic
+            name: ironic-bmo
         env:
         {{- if .Values.global.enable_basicAuth }}
         - name: IRONIC_HTPASSWD
@@ -170,7 +170,7 @@ spec:
         - /bin/rundnsmasq
         envFrom:
         - configMapRef:
-            name: ironic
+            name: ironic-bmo
         livenessProbe:
           exec:
             command:

metal3-chart/charts/ironic/values.yaml

@@ -56,11 +56,11 @@ images:
   ironic:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
     pullPolicy: IfNotPresent
-    tag: 26.1.2.5
+    tag: 26.1.2.4
   ironicIPADownloader:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
     pullPolicy: IfNotPresent
-    tag: 3.0.8
+    tag: 3.0.7
 
 nameOverride: ""
 fullnameOverride: ""

metal3-chart/charts/media/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: 1.16.0
 description: A Helm chart for Media, used by Metal3
 name: media
 type: application
-version: 0.6.3
+version: 0.6.2

metal3-chart/charts/media/values.yaml

@@ -24,7 +24,7 @@ replicaCount: 1
 image:
   repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
   pullPolicy: IfNotPresent
-  tag: 26.1.2.5
+  tag: 26.1.2.4
 
 imagePullSecrets: []
 nameOverride: ""

release-manifest-image/Dockerfile

@@ -20,4 +20,4 @@ LABEL com.suse.image-type="release-manifest"
 LABEL com.suse.release-stage="released"
 # endlabelprefix
 
-COPY release_manifest.yaml release_images.yaml ./
+COPY release_manifest.yaml release_manifest.yaml

release-manifest-image/_service

@@ -2,7 +2,6 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="file">release_images.yaml</param>
     <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %manifest_repo)</param>

release-manifest-image/release_images.yaml

@@ -1,64 +0,0 @@
-images:
-  - name: quay.io/jetstack/cert-manager-cainjector:v1.14.2
-  - name: quay.io/jetstack/cert-manager-controller:v1.14.2
-  - name: quay.io/jetstack/cert-manager-webhook:v1.14.2
-  - name: registry.rancher.com/rancher/hardened-cluster-autoscaler:v1.10.2-build20250507
-  - name: registry.rancher.com/rancher/hardened-cni-plugins:v1.7.1-build20250509
-  - name: registry.rancher.com/rancher/hardened-coredns:v1.12.1-build20250507
-  - name: registry.rancher.com/rancher/hardened-etcd:v3.5.21-k3s1-build20250411
-  - name: registry.rancher.com/rancher/hardened-k8s-metrics-server:v0.7.2-build20250507
-  - name: registry.rancher.com/rancher/hardened-kubernetes:v1.32.5-rke2r1-build20250515
-  - name: registry.rancher.com/rancher/hardened-multus-cni:v4.2.0-build20250326
-  - name: registry.rancher.com/rancher/klipper-helm:v0.9.5-build20250306
-  - name: registry.rancher.com/rancher/mirrored-cilium-cilium:v1.17.3
-  - name: registry.rancher.com/rancher/mirrored-cilium-operator-generic:v1.17.3
-  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-attacher:v4.8.1
-  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-node-driver-registrar:v2.13.0
-  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-provisioner:v5.2.0
-  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-resizer:v1.13.2
-  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-snapshotter:v8.2.0
-  - name: registry.rancher.com/rancher/mirrored-longhornio-livenessprobe:v2.15.0
-  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-engine:v1.8.1
-  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-instance-manager:v1.8.1
-  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-manager:v1.8.1
-  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-share-manager:v1.8.1
-  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-ui:v1.8.1
-  - name: registry.rancher.com/rancher/mirrored-sig-storage-snapshot-controller:v8.2.0
-  - name: registry.rancher.com/rancher/neuvector-compliance-config:1.0.4
-  - name: registry.rancher.com/rancher/neuvector-controller:5.4.3
-  - name: registry.rancher.com/rancher/neuvector-enforcer:5.4.3
-  - name: registry.rancher.com/rancher/nginx-ingress-controller:v1.12.1-hardened6
-  - name: registry.rancher.com/rancher/rke2-cloud-provider:v1.32.0-rc3.0.20241220224140-68fbd1a6b543-build20250101
-  - name: %%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:0.9.1.1
-  - name: %%IMG_REPO%%/%%IMG_PREFIX%%endpoint-copier-operator:0.3.0
-  - name: %%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8
-  - name: %%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.5
-  - name: %%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller:v0.14.9
-  - name: %%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker:v0.14.9
-  - name: %%IMG_REPO%%/%%IMG_PREFIX%%upgrade-controller:0.1.1
-  - name: registry.rancher.com/rancher/cluster-api-operator:v0.17.0
-  - name: registry.rancher.com/rancher/fleet-agent:v0.12.3
-  - name: registry.rancher.com/rancher/fleet:v0.12.3
-  - name: registry.rancher.com/rancher/hardened-node-feature-discovery:v0.15.7-build20250425
-  - name: registry.rancher.com/rancher/rancher-webhook:v0.7.2
-  - name: registry.rancher.com/rancher/rancher/turtles:v0.20.0
-  - name: registry.rancher.com/rancher/rancher:v2.11.2
-  - name: registry.rancher.com/rancher/shell:v0.4.1
-  - name: registry.rancher.com/rancher/system-upgrade-controller:v0.15.2
-  - name: registry.suse.com/rancher/cluster-api-addon-provider-fleet:v0.10.0
-  - name: registry.suse.com/rancher/cluster-api-controller:v1.9.5
-  - name: registry.suse.com/rancher/cluster-api-provider-metal3:v1.9.3
-  - name: registry.suse.com/rancher/cluster-api-provider-rke2-bootstrap:v0.16.1
-  - name: registry.suse.com/rancher/cluster-api-provider-rke2-controlplane:v0.16.1
-  - name: registry.suse.com/rancher/elemental-operator:1.6.8
-  - name: registry.suse.com/rancher/hardened-sriov-network-operator:v1.5.0-build20250425
-  - name: registry.suse.com/rancher/ip-address-manager:v1.9.4
-  - name: registry.suse.com/suse/sles/15.6/cdi-apiserver:1.61.0-150600.3.12.1
-  - name: registry.suse.com/suse/sles/15.6/cdi-controller:1.61.0-150600.3.12.1
-  - name: registry.suse.com/suse/sles/15.6/cdi-operator:1.61.0-150600.3.12.1
-  - name: registry.suse.com/suse/sles/15.6/cdi-uploadproxy:1.61.0-150600.3.12.1
-  - name: registry.suse.com/suse/sles/15.6/virt-api:1.4.0-150600.5.15.1
-  - name: registry.suse.com/suse/sles/15.6/virt-controller:1.4.0-150600.5.15.1
-  - name: registry.suse.com/suse/sles/15.6/virt-handler:1.4.0-150600.5.15.1
-  - name: registry.suse.com/suse/sles/15.6/virt-launcher:1.4.0-150600.5.15.1
-  - name: registry.suse.com/suse/sles/15.6/virt-operator:1.4.0-150600.5.15.1

release-manifest-image/release_manifest.yaml

@@ -171,12 +171,8 @@ spec:
         - prettyName: Metal3
           releaseName: metal3
           chart: "%%CHART_REPO%%/%%CHART_PREFIX%%metal3"
-          version: "%%CHART_MAJOR%%.0.9+up0.11.7"
+          version: "%%CHART_MAJOR%%.0.8+up0.11.6"
         - prettyName: RancherTurtles
           releaseName: rancher-turtles
           chart: "%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles"
           version: "%%CHART_MAJOR%%.0.4+up0.20.0"
-        - prettyName: RancherTurtlesAirgapResources
-          releaseName: rancher-turtles-airgap-resources
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles-airgap-resources"
-          version: "%%CHART_MAJOR%%.0.4+up0.20.0"