1 Commits

Author SHA256 Message Date
54dd0b2cec Try with my PR
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-06-27 16:19:58 +02:00
141 changed files with 1258 additions and 2017 deletions


@@ -17,7 +17,7 @@ jobs:
object-format: 'sha256' object-format: 'sha256'
- name: Setup dependencies - name: Setup dependencies
run: | run: |
zypper in -y python3-ruamel.yaml zypper in -y python3-PyYAML
- name: Check release manifest - name: Check release manifest
run: | run: |
python3 .obs/manifest-check.py --check python3 .obs/manifest-check.py

24
.gitmodules vendored

@@ -13,27 +13,3 @@
[submodule "autoconf"] [submodule "autoconf"]
path = autoconf path = autoconf
url = https://src.opensuse.org/SLFO-pool/autoconf.git url = https://src.opensuse.org/SLFO-pool/autoconf.git
[submodule "python-pydantic"]
path = python-pydantic
url = https://src.opensuse.org/SLFO-pool/python-pydantic
[submodule "python-pydantic-core"]
path = python-pydantic-core
url = https://src.opensuse.org/SLFO-pool/python-pydantic-core
[submodule "python-inline-snapshot"]
path = python-inline-snapshot
url = https://src.opensuse.org/SLFO-pool/python-inline-snapshot
[submodule "python-executing"]
path = python-executing
url = https://src.opensuse.org/SLFO-pool/python-executing
[submodule "python-typing-inspection"]
path = python-typing-inspection
url = https://src.opensuse.org/SLFO-pool/python-typing-inspection
[submodule "python-annotated-types"]
path = python-annotated-types
url = https://src.opensuse.org/SLFO-pool/python-annotated-types
[submodule "python-typing_extensions"]
path = python-typing_extensions
url = https://src.opensuse.org/SLFO-pool/python-typing_extensions
[submodule "python-flit-core"]
path = python-flit-core
url = https://src.opensuse.org/SLFO-pool/python-flit-core

51
.obs/manifest-check.py Executable file → Normal file

@@ -1,15 +1,11 @@
#!/usr/bin/python3 #!/usr/bin/python3
import ruamel.yaml import yaml
import pathlib
import argparse
import sys import sys
yaml = ruamel.yaml.YAML()
def get_chart_version(chart_name: str) -> str: def get_chart_version(chart_name: str) -> str:
with open(f"./{chart_name}-chart/Chart.yaml") as f: with open(f"./{chart_name}-chart/Chart.yaml") as f:
chart = yaml.load(f) chart = yaml.safe_load(f)
return chart["version"] return chart["version"]
def get_charts(chart): def get_charts(chart):
@@ -25,57 +21,22 @@ def get_charts(chart):
def get_charts_list(): def get_charts_list():
with open("./release-manifest-image/release_manifest.yaml") as f: with open("./release-manifest-image/release_manifest.yaml") as f:
manifest = yaml.load(f) manifest = yaml.safe_load(f)
charts = {} charts = {}
for chart in manifest["spec"]["components"]["workloads"]["helm"]: for chart in manifest["spec"]["components"]["workloads"]["helm"]:
charts.update(get_charts(chart)) charts.update(get_charts(chart))
return charts return charts
def check_charts(fix: bool) -> bool: def main():
print("Checking charts versions in release manifest")
success = True success = True
charts = get_charts_list() charts = get_charts_list()
to_fix = {}
for chart in charts: for chart in charts:
expected_version = get_chart_version(chart) expected_version = get_chart_version(chart)
if expected_version != charts[chart]: if expected_version != charts[chart]:
success = False success = False
to_fix[f'%%CHART_REPO%%/%%CHART_PREFIX%%{chart}'] = expected_version
print(f"{chart}: Expected: {expected_version}, Got: {charts[chart]}") print(f"{chart}: Expected: {expected_version}, Got: {charts[chart]}")
if fix and not success: if not success:
fix_charts(to_fix)
return True
return success
def fix_charts(to_fix):
manifest_path = pathlib.Path("./release-manifest-image/release_manifest.yaml")
manifest = yaml.load(manifest_path)
yaml.indent(mapping=2, sequence=4, offset=2)
yaml.width = 4096
for chart_index, chart in enumerate(manifest["spec"]["components"]["workloads"]["helm"]):
changed = False
if chart["chart"] in to_fix.keys():
changed = True
chart["version"] = to_fix[chart["chart"]]
for subchart_index, subchart in enumerate(chart.get("addonCharts", [])):
if subchart["chart"] in to_fix.keys():
changed = True
subchart["version"] = to_fix[subchart["chart"]]
chart["addonCharts"][subchart_index] = subchart
for subchart_index, subchart in enumerate(chart.get("dependencyCharts", [])):
if subchart["chart"] in to_fix.keys():
changed = True
subchart["version"] = to_fix[subchart["chart"]]
chart["dependencyCharts"][subchart_index] = subchart
if changed:
manifest["spec"]["components"]["workloads"]["helm"][chart_index] = chart
yaml.dump(manifest, manifest_path)
def main():
print("Checking charts versions in release manifest")
parser = argparse.ArgumentParser()
parser.add_argument('-c', '--check', action='store_true')
args = parser.parse_args()
if not check_charts(not args.check):
sys.exit(1) sys.exit(1)
else: else:
print("All local charts in release manifest are using the right version") print("All local charts in release manifest are using the right version")
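Review bot: `get_chart_version` indexes the parsed document directly, so an empty or malformed Chart.yaml surfaces as a traceback instead of a per-chart failure: `yaml.safe_load` returns `None` for an empty file, after which `chart["version"]` raises `TypeError`, and a missing key raises `KeyError`. Because the workflow runs this script as the "Check release manifest" step, I would make that failure explicit, for example `version = (chart or {}).get("version")` followed by `if version is None: sys.exit(f"{chart_name}: no version in Chart.yaml")`. The move from `yaml.load` to `yaml.safe_load` is the right loader for YAML that arrives with a pull request and should be kept. The chart name is interpolated into the path `./{chart_name}-chart/Chart.yaml` from manifest data; the body of `get_charts` lies outside the hunks shown, so whether names are constrained there cannot be confirmed from this page.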


@@ -1,10 +0,0 @@
repos:
- repo: local
hooks:
- id: check-manifest
name: "Check release-manifest"
entry: python3 .obs/manifest-check.py
language: python
additional_dependencies: ['ruamel.yaml']
pass_filenames: false
always_run: true

12
_config

@@ -1,5 +1,4 @@
Prefer: -libqpid-proton10 -python311-urllib3_1 Prefer: -libqpid-proton10 -python311-urllib3_1
Prefer: -cargo1.58 -cargo1.57 cargo1.89
Macros: Macros:
%__python3 /usr/bin/python3.11 %__python3 /usr/bin/python3.11
@@ -50,15 +49,6 @@ Macros:
BuildFlags: excludebuild:autoconf:el BuildFlags: excludebuild:autoconf:el
BuildFlags: excludebuild:autoconf:testsuite BuildFlags: excludebuild:autoconf:testsuite
# Missing deps for python packages related to suse-edge-components-versions
BuildFlags: excludebuild:python-pydantic:test
BuildFlags: excludebuild:python-pydantic-core:test
BuildFlags: excludebuild:python-inline-snapshot:test
BuildFlags: excludebuild:python-executing:test
BuildFlags: excludebuild:python-annotated-types:test
BuildFlags: excludebuild:python-typing-inspection:test
BuildFlags: excludebuild:python-typing_extensions:test
# Only build manifest embedding images here # Only build manifest embedding images here
%if "%_repository" == "test_manifest_images" %if "%_repository" == "test_manifest_images"
BuildFlags: onlybuild:edge-image-builder-image BuildFlags: onlybuild:edge-image-builder-image
@@ -115,7 +105,7 @@ BuildFlags: onlybuild:release-manifest-image
Patterntype: none Patterntype: none
BuildEngine: podman BuildEngine: podman
Prefer: sles-release Prefer: sles-release
BuildFlags: dockerarg:SLE_VERSION=15.7 BuildFlags: dockerarg:SLE_VERSION=15.6
# Publish multi-arch container images only once all archs have been built # Publish multi-arch container images only once all archs have been built
PublishFlags: archsync PublishFlags: archsync

6
_meta

@@ -45,7 +45,7 @@
<path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/> <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
<path project="SUSE:SLFO:Main:Build" repository="standard"/> <path project="SUSE:SLFO:Main:Build" repository="standard"/>
{%- else %} {%- else %}
<path project="SUSE:CA" repository="SLE_15_SP7"/> <path project="SUSE:CA" repository="SLE_15_SP6"/>
<path project="{{ project }}" repository="standard"/> <path project="{{ project }}" repository="standard"/>
{%- endif %} {%- endif %}
<arch>x86_64</arch> <arch>x86_64</arch>
@@ -56,8 +56,8 @@
{%- if release_project is defined and not for_release %} {%- if release_project is defined and not for_release %}
<releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/> <releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/>
{%- endif %} {%- endif %}
<path project="{{ ironic_base }}:2025.1" repository="15.7"/> <path project="{{ ironic_base }}:2024.2" repository="15.6"/>
<path project="SUSE:SLE-15-SP7:Update" repository="standard"/> <path project="SUSE:SLE-15-SP6:Update" repository="standard"/>
<arch>x86_64</arch> <arch>x86_64</arch>
<arch>aarch64</arch> <arch>aarch64</arch>
</repository> </repository>


@@ -1,5 +1,5 @@
#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.1 #!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.1
#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.1-%RELEASE% #!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.1-%RELEASE%
annotations: annotations:
catalog.cattle.io/certified: rancher catalog.cattle.io/certified: rancher
catalog.cattle.io/namespace: cattle-ui-plugin-system catalog.cattle.io/namespace: cattle-ui-plugin-system
@@ -12,10 +12,10 @@ annotations:
catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0' catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
catalog.cattle.io/kube-version: '>= v1.26.0-0' catalog.cattle.io/kube-version: '>= v1.26.0-0'
apiVersion: v2 apiVersion: v2
appVersion: 304.0.3+up1.3.1 appVersion: 303.0.2+up1.3.1
description: 'SUSE Edge: Akri extension for Rancher Dashboard' description: 'SUSE Edge: Akri extension for Rancher Dashboard'
name: akri-dashboard-extension name: akri-dashboard-extension
type: application type: application
version: "%%CHART_MAJOR%%.0.3+up1.3.1" version: "%%CHART_MAJOR%%.0.2+up1.3.1"
icon: >- icon: >-
https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg


@@ -8,7 +8,7 @@ spec:
plugin: plugin:
name: {{ include "extension-server.fullname" . }} name: {{ include "extension-server.fullname" . }}
version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }} version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/304.0.3+up1.3.1 endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/303.0.2+up1.3.1
noCache: {{ .Values.plugin.noCache }} noCache: {{ .Values.plugin.noCache }}
noAuth: {{ .Values.plugin.noAuth }} noAuth: {{ .Values.plugin.noAuth }}
metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }} metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}


@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0 #!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0-%RELEASE% #!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -18,7 +19,7 @@ LABEL org.opencontainers.image.version="%%baremetal-operator_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/" LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"
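Review bot: The `org.opensuse.reference` label on the new side (right-hand column) ends in `%%baremetal-operator_version%%.1-%RELEASE%`, but both `#!BuildTag` lines at the top of the file still publish `.0` and `.0-%RELEASE%`, so the label appears to name a tag this build does not produce. Anything that resolves the image through that label, such as provenance checks or pinning by reference, would then point at a different or missing tag. Either keep the label at `.0-%RELEASE%` or bump both `#!BuildTag` lines to `.1` in the same change. The added `#!BuildVersion: 15.6` also fixes the base version next to `ARG SLE_VERSION`; a one-line comment stating that it must match the `SLE_VERSION` docker argument set in the project config would prevent the two drifting apart.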


@@ -0,0 +1,529 @@
From 19cbf4febbf042248266188e3629e0c88e06906a Mon Sep 17 00:00:00 2001
From: Nicolas Belouin <nicolas.belouin@suse.com>
Date: Thu, 26 Jun 2025 09:37:19 +0200
Subject: [PATCH] Allow configuring different IPA images per architecture
When using multiple architectures, having a way to set the Ironic
"bootloader" (a.k.a EFI partition) accordingly is important, so this
commit adds a new `DEPLOY_BOOTLOADER_URL` variable to set this Ironic
option.
This commit adds a set of new environment variables allowing to specify
different URLs per target CPU architecture for the IPA image:
- `DEPLOY_KERNEL_URL_<ARCH>`
- `DEPLOY_RAMDISK_URL_<ARCH>`
- `DEPLOY_ISO_URL_<ARCH>`
- `DEPLOY_BOOTLOADER_URL_<ARCH>`
Non suffixed variables are used as defaults, if there is no architecture
specific image(s) defined for the BMH CPU architecture.
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
---
.../metal3.io/baremetalhost_controller.go | 1 +
pkg/imageprovider/imageprovider.go | 1 +
pkg/provisioner/ironic/factory.go | 61 ++++++++++----
pkg/provisioner/ironic/factory_test.go | 25 ++++--
pkg/provisioner/ironic/ironic.go | 46 ++++++++---
pkg/provisioner/ironic/ironic_test.go | 10 ++-
pkg/provisioner/ironic/register_test.go | 80 ++++++++++++-------
pkg/provisioner/provisioner.go | 1 +
8 files changed, 160 insertions(+), 65 deletions(-)
diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
index d04bb618..a4ea9d19 100644
--- a/internal/controller/metal3.io/baremetalhost_controller.go
+++ b/internal/controller/metal3.io/baremetalhost_controller.go
@@ -847,6 +847,7 @@ func (r *BareMetalHostReconciler) registerHost(prov provisioner.Provisioner, inf
PreprovisioningNetworkData: preprovisioningNetworkData,
HasCustomDeploy: hasCustomDeploy(info.host),
DisablePowerOff: info.host.Spec.DisablePowerOff,
+ CPUArchitecture: getHostArchitecture(info.host),
},
credsChanged,
info.host.Status.ErrorType == metal3api.RegistrationError)
diff --git a/pkg/imageprovider/imageprovider.go b/pkg/imageprovider/imageprovider.go
index 459fdf2d..f307c041 100644
--- a/pkg/imageprovider/imageprovider.go
+++ b/pkg/imageprovider/imageprovider.go
@@ -20,6 +20,7 @@ type ImageData struct {
type GeneratedImage struct {
ImageURL string
KernelURL string
+ BootloaderURL string
ExtraKernelParams string
}
diff --git a/pkg/provisioner/ironic/factory.go b/pkg/provisioner/ironic/factory.go
index 95cc21b4..5f4189bb 100644
--- a/pkg/provisioner/ironic/factory.go
+++ b/pkg/provisioner/ironic/factory.go
@@ -58,9 +58,10 @@ func (f *ironicProvisionerFactory) init(havePreprovImgBuilder bool) error {
f.log.Info("ironic settings",
"endpoint", ironicEndpoint,
"ironicAuthType", ironicAuth.Type,
- "deployKernelURL", f.config.deployKernelURL,
- "deployRamdiskURL", f.config.deployRamdiskURL,
- "deployISOURL", f.config.deployISOURL,
+ "defaultDeployKernelURL", f.config.defaultDeployConfig.kernelURL,
+ "defaultDeployRamdiskURL", f.config.defaultDeployConfig.ramdiskURL,
+ "defaultDeployISOURL", f.config.defaultDeployConfig.ISOURL,
+ "defaultDeployBootloaderURL", f.config.defaultDeployConfig.bootloaderURL,
"liveISOForcePersistentBootDevice", f.config.liveISOForcePersistentBootDevice,
"CACertFile", tlsConf.TrustedCAFile,
"ClientCertFile", tlsConf.ClientCertificateFile,
@@ -105,27 +106,55 @@ func (f ironicProvisionerFactory) NewProvisioner(ctx context.Context, hostData p
return f.ironicProvisioner(ctx, hostData, publisher)
}
-func loadConfigFromEnv(havePreprovImgBuilder bool) (ironicConfig, error) {
- c := ironicConfig{
- havePreprovImgBuilder: havePreprovImgBuilder,
+func loadDeployURLFromEnv(arch string, havePreprovImgBuilder bool) (ironicDeployConfig, error) {
+ c := ironicDeployConfig{}
+ var suffix string
+ if arch != "" {
+ suffix = "_" + strings.ToUpper(arch)
}
+ c.kernelURL = os.Getenv("DEPLOY_KERNEL_URL" + suffix)
+ c.ramdiskURL = os.Getenv("DEPLOY_RAMDISK_URL" + suffix)
+ c.ISOURL = os.Getenv("DEPLOY_ISO_URL" + suffix)
+ c.bootloaderURL = os.Getenv("DEPLOY_BOOTLOADER_URL" + suffix)
- c.deployKernelURL = os.Getenv("DEPLOY_KERNEL_URL")
- c.deployRamdiskURL = os.Getenv("DEPLOY_RAMDISK_URL")
- c.deployISOURL = os.Getenv("DEPLOY_ISO_URL")
if !havePreprovImgBuilder {
- if c.deployISOURL == "" &&
- (c.deployKernelURL == "" || c.deployRamdiskURL == "") {
- return c, errors.New("either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set")
- }
- if (c.deployKernelURL == "" && c.deployRamdiskURL != "") ||
- (c.deployKernelURL != "" && c.deployRamdiskURL == "") {
+ if (c.kernelURL == "" && c.ramdiskURL != "") ||
+ (c.kernelURL != "" && c.ramdiskURL == "") {
return c, errors.New("DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together")
}
}
- if c.deployKernelURL == "" && c.deployRamdiskURL != "" {
+ if c.kernelURL == "" && c.ramdiskURL != "" {
return c, errors.New("DEPLOY_RAMDISK_URL requires DEPLOY_KERNEL_URL to be set also")
}
+ return c, nil
+}
+
+func loadConfigFromEnv(havePreprovImgBuilder bool) (ironicConfig, error) {
+ c := ironicConfig{
+ havePreprovImgBuilder: havePreprovImgBuilder,
+ archDeployConfig: make(map[string]ironicDeployConfig),
+ }
+ var err error
+ c.defaultDeployConfig, err = loadDeployURLFromEnv("", havePreprovImgBuilder)
+ if err != nil {
+ return c, err
+ }
+ for _, arch := range supportedArch {
+ archDeployConfig, err := loadDeployURLFromEnv(arch, havePreprovImgBuilder)
+ // Only register valid arch specific deploy configuration
+ if archDeployConfig.ISOURL != "" || (archDeployConfig.kernelURL != "" && archDeployConfig.ramdiskURL != "") {
+ c.archDeployConfig[arch] = archDeployConfig
+ }
+ if err != nil {
+ return c, err
+ }
+ }
+ if !havePreprovImgBuilder {
+ if c.defaultDeployConfig.ISOURL == "" &&
+ (c.defaultDeployConfig.kernelURL == "" || c.defaultDeployConfig.ramdiskURL == "") {
+ return c, errors.New("either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set")
+ }
+ }
c.maxBusyHosts = 20
if maxHostsStr := os.Getenv("PROVISIONING_LIMIT"); maxHostsStr != "" {
diff --git a/pkg/provisioner/ironic/factory_test.go b/pkg/provisioner/ironic/factory_test.go
index db47d8b2..acdedf1c 100644
--- a/pkg/provisioner/ironic/factory_test.go
+++ b/pkg/provisioner/ironic/factory_test.go
@@ -14,6 +14,11 @@ type EnvFixture struct {
kernelURL string
ramdiskURL string
isoURL string
+ bootloaderURL string
+ aarch64kernelURL string
+ aarch64ramdiskURL string
+ aarch64isoURL string
+ aarch64bootloaderURL string
liveISOForcePersistentBootDevice string
ironicCACertFile string
ironicClientCertFile string
@@ -49,6 +54,11 @@ func (f *EnvFixture) SetUp() {
f.replace("DEPLOY_KERNEL_URL", f.kernelURL)
f.replace("DEPLOY_RAMDISK_URL", f.ramdiskURL)
f.replace("DEPLOY_ISO_URL", f.isoURL)
+ f.replace("DEPLOY_BOOTLOADER_URL", f.bootloaderURL)
+ f.replace("DEPLOY_KERNEL_URL_AARCH64", f.aarch64kernelURL)
+ f.replace("DEPLOY_RAMDISK_URL_AARCH64", f.aarch64ramdiskURL)
+ f.replace("DEPLOY_ISO_URL_AARCH64", f.aarch64isoURL)
+ f.replace("DEPLOY_BOOTLOADER_URL_AARCH64", f.aarch64bootloaderURL)
f.replace("LIVE_ISO_FORCE_PERSISTENT_BOOT_DEVICE", f.liveISOForcePersistentBootDevice)
f.replace("IRONIC_CACERT_FILE", f.ironicCACertFile)
f.replace("IRONIC_CLIENT_CERT_FILE", f.ironicClientCertFile)
@@ -58,9 +68,14 @@ func (f *EnvFixture) SetUp() {
}
func (f EnvFixture) VerifyConfig(t *testing.T, c ironicConfig, _ string) {
t.Helper()
- assert.Equal(t, f.kernelURL, c.deployKernelURL)
- assert.Equal(t, f.ramdiskURL, c.deployRamdiskURL)
- assert.Equal(t, f.isoURL, c.deployISOURL)
+ assert.Equal(t, f.kernelURL, c.defaultDeployConfig.kernelURL)
+ assert.Equal(t, f.ramdiskURL, c.defaultDeployConfig.ramdiskURL)
+ assert.Equal(t, f.isoURL, c.defaultDeployConfig.ISOURL)
+ assert.Equal(t, f.bootloaderURL, c.defaultDeployConfig.bootloaderURL)
+ assert.Equal(t, f.aarch64kernelURL, c.archDeployConfig["aarch64"].kernelURL)
+ assert.Equal(t, f.aarch64ramdiskURL, c.archDeployConfig["aarch64"].ramdiskURL)
+ assert.Equal(t, f.aarch64isoURL, c.archDeployConfig["aarch64"].ISOURL)
+ assert.Equal(t, f.aarch64bootloaderURL, c.archDeployConfig["aarch64"].bootloaderURL)
assert.Equal(t, f.liveISOForcePersistentBootDevice, c.liveISOForcePersistentBootDevice)
}
@@ -108,14 +123,14 @@ func TestLoadConfigFromEnv(t *testing.T) {
env: EnvFixture{
kernelURL: "http://kernel",
},
- expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
+ expectedError: "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
},
{
name: "only ramdisk",
env: EnvFixture{
ramdiskURL: "http://ramdisk",
},
- expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
+ expectedError: "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
expectedImgBuildError: "DEPLOY_RAMDISK_URL requires DEPLOY_KERNEL_URL to be set also",
},
{
diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
index 4bc753f2..52d03479 100644
--- a/pkg/provisioner/ironic/ironic.go
+++ b/pkg/provisioner/ironic/ironic.go
@@ -30,6 +30,7 @@ var (
subscriptionRequeueDelay = time.Second * 10
introspectionRequeueDelay = time.Second * 15
softPowerOffTimeout = time.Second * 180
+ supportedArch = [...]string{"x86_64", "aarch64"}
)
const (
@@ -41,6 +42,7 @@ const (
nameSeparator = "~"
customDeployPriority = 80
+ bootloaderKey = "bootloader"
deployKernelKey = "deploy_kernel"
deployRamdiskKey = "deploy_ramdisk"
deployISOKey = "deploy_iso"
@@ -61,11 +63,17 @@ func NewMacAddressConflictError(address, node string) error {
return macAddressConflictError{Address: address, ExistingNode: node}
}
+type ironicDeployConfig struct {
+ kernelURL string
+ ramdiskURL string
+ bootloaderURL string
+ ISOURL string
+}
+
type ironicConfig struct {
havePreprovImgBuilder bool
- deployKernelURL string
- deployRamdiskURL string
- deployISOURL string
+ defaultDeployConfig ironicDeployConfig
+ archDeployConfig map[string]ironicDeployConfig
liveISOForcePersistentBootDevice string
maxBusyHosts int
externalURL string
@@ -318,7 +326,7 @@ func (p *ironicProvisioner) createPXEEnabledNodePort(uuid, macAddress string) er
func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
updater := clients.UpdateOptsBuilder(p.log)
- deployImageInfo := setDeployImage(p.config, bmcAccess, data.PreprovisioningImage)
+ deployImageInfo := setDeployImage(p.config, bmcAccess, data.PreprovisioningImage, data.CPUArchitecture)
updater.SetDriverInfoOpts(deployImageInfo, ironicNode)
// NOTE(dtantsur): It is risky to update image information for active nodes since it may affect the ability to clean up.
@@ -430,14 +438,20 @@ func setExternalURL(p *ironicProvisioner, driverInfo map[string]interface{}) map
return driverInfo
}
-func setDeployImage(config ironicConfig, accessDetails bmc.AccessDetails, hostImage *provisioner.PreprovisioningImage) clients.UpdateOptsData {
+func setDeployImage(config ironicConfig, accessDetails bmc.AccessDetails, hostImage *provisioner.PreprovisioningImage, cpuArch string) clients.UpdateOptsData {
deployImageInfo := clients.UpdateOptsData{
+ bootloaderKey: nil,
deployKernelKey: nil,
deployRamdiskKey: nil,
deployISOKey: nil,
kernelParamsKey: nil,
}
+ deployConfig, ok := config.archDeployConfig[cpuArch]
+ if !ok {
+ deployConfig = config.defaultDeployConfig
+ }
+
allowISO := accessDetails.SupportsISOPreprovisioningImage()
if hostImage != nil {
@@ -450,10 +464,15 @@ func setDeployImage(config ironicConfig, accessDetails bmc.AccessDetails, hostIm
case metal3api.ImageFormatInitRD:
if hostImage.KernelURL != "" {
deployImageInfo[deployKernelKey] = hostImage.KernelURL
- } else if config.deployKernelURL == "" {
+ } else if deployConfig.kernelURL == "" {
return nil
} else {
- deployImageInfo[deployKernelKey] = config.deployKernelURL
+ deployImageInfo[deployKernelKey] = deployConfig.kernelURL
+ }
+ if hostImage.BootloaderURL != "" {
+ deployImageInfo[bootloaderKey] = hostImage.BootloaderURL
+ } else if deployConfig.bootloaderURL != "" {
+ deployImageInfo[bootloaderKey] = deployConfig.bootloaderURL
}
deployImageInfo[deployRamdiskKey] = hostImage.ImageURL
if hostImage.ExtraKernelParams != "" {
@@ -465,13 +484,16 @@ func setDeployImage(config ironicConfig, accessDetails bmc.AccessDetails, hostIm
}
if !config.havePreprovImgBuilder {
- if allowISO && config.deployISOURL != "" {
- deployImageInfo[deployISOKey] = config.deployISOURL
+ if allowISO && deployConfig.ISOURL != "" {
+ deployImageInfo[deployISOKey] = deployConfig.ISOURL
return deployImageInfo
}
- if config.deployKernelURL != "" && config.deployRamdiskURL != "" {
- deployImageInfo[deployKernelKey] = config.deployKernelURL
- deployImageInfo[deployRamdiskKey] = config.deployRamdiskURL
+ if deployConfig.kernelURL != "" && deployConfig.ramdiskURL != "" {
+ deployImageInfo[deployKernelKey] = deployConfig.kernelURL
+ deployImageInfo[deployRamdiskKey] = deployConfig.ramdiskURL
+ if deployConfig.bootloaderURL != "" {
+ deployImageInfo[bootloaderKey] = deployConfig.bootloaderURL
+ }
return deployImageInfo
}
}
diff --git a/pkg/provisioner/ironic/ironic_test.go b/pkg/provisioner/ironic/ironic_test.go
index a8759c44..f65592e6 100644
--- a/pkg/provisioner/ironic/ironic_test.go
+++ b/pkg/provisioner/ironic/ironic_test.go
@@ -27,10 +27,12 @@ func newTestProvisionerFactory() ironicProvisionerFactory {
return ironicProvisionerFactory{
log: logf.Log,
config: ironicConfig{
- deployKernelURL: "http://deploy.test/ipa.kernel",
- deployRamdiskURL: "http://deploy.test/ipa.initramfs",
- deployISOURL: "http://deploy.test/ipa.iso",
- maxBusyHosts: 20,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: "http://deploy.test/ipa.kernel",
+ ramdiskURL: "http://deploy.test/ipa.initramfs",
+ ISOURL: "http://deploy.test/ipa.iso",
+ },
+ maxBusyHosts: 20,
},
}
}
diff --git a/pkg/provisioner/ironic/register_test.go b/pkg/provisioner/ironic/register_test.go
index c7d6bc75..9ded5946 100644
--- a/pkg/provisioner/ironic/register_test.go
+++ b/pkg/provisioner/ironic/register_test.go
@@ -1112,9 +1112,11 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "iso no imgbuilder",
Config: ironicConfig{
havePreprovImgBuilder: false,
- deployKernelURL: localKernel,
- deployRamdiskURL: localRamdisk,
- deployISOURL: localIso,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ ramdiskURL: localRamdisk,
+ ISOURL: localIso,
+ },
},
Driver: isoDriver,
ExpectBuild: false,
@@ -1125,8 +1127,10 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "no imgbuilder no iso",
Config: ironicConfig{
havePreprovImgBuilder: false,
- deployKernelURL: localKernel,
- deployRamdiskURL: localRamdisk,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ ramdiskURL: localRamdisk,
+ },
},
Driver: isoDriver,
ExpectBuild: false,
@@ -1137,9 +1141,11 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "pxe no imgbuilder",
Config: ironicConfig{
havePreprovImgBuilder: false,
- deployKernelURL: localKernel,
- deployRamdiskURL: localRamdisk,
- deployISOURL: localIso,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ ramdiskURL: localRamdisk,
+ ISOURL: localIso,
+ },
},
Driver: pxeDriver,
ExpectBuild: false,
@@ -1150,9 +1156,11 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "iso no build",
Config: ironicConfig{
havePreprovImgBuilder: true,
- deployKernelURL: localKernel,
- deployRamdiskURL: localRamdisk,
- deployISOURL: localIso,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ ramdiskURL: localRamdisk,
+ ISOURL: localIso,
+ },
},
Driver: isoDriver,
ExpectISO: false,
@@ -1162,9 +1170,11 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "iso build",
Config: ironicConfig{
havePreprovImgBuilder: true,
- deployKernelURL: localKernel,
- deployRamdiskURL: localRamdisk,
- deployISOURL: localIso,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ ramdiskURL: localRamdisk,
+ ISOURL: localIso,
+ },
},
Driver: isoDriver,
Image: &provisioner.PreprovisioningImage{
@@ -1181,9 +1191,11 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "pxe build",
Config: ironicConfig{
havePreprovImgBuilder: true,
- deployKernelURL: localKernel,
- deployRamdiskURL: localRamdisk,
- deployISOURL: localIso,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ ramdiskURL: localRamdisk,
+ ISOURL: localIso,
+ },
},
Driver: pxeDriver,
Image: &provisioner.PreprovisioningImage{
@@ -1200,9 +1212,11 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "pxe build with new kernel and kernel params",
Config: ironicConfig{
havePreprovImgBuilder: true,
- deployKernelURL: localKernel,
- deployRamdiskURL: localRamdisk,
- deployISOURL: localIso,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ ramdiskURL: localRamdisk,
+ ISOURL: localIso,
+ },
},
Driver: pxeDriver,
Image: &provisioner.PreprovisioningImage{
@@ -1223,9 +1237,11 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "pxe iso build",
Config: ironicConfig{
havePreprovImgBuilder: true,
- deployKernelURL: localKernel,
- deployRamdiskURL: localRamdisk,
- deployISOURL: localIso,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ ramdiskURL: localRamdisk,
+ ISOURL: localIso,
+ },
},
Driver: pxeDriver,
Image: &provisioner.PreprovisioningImage{
@@ -1242,7 +1258,9 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "pxe build no kernel",
Config: ironicConfig{
havePreprovImgBuilder: true,
- deployISOURL: localIso,
+ defaultDeployConfig: ironicDeployConfig{
+ ISOURL: localIso,
+ },
},
Driver: pxeDriver,
Image: &provisioner.PreprovisioningImage{
@@ -1273,7 +1291,9 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "pxe iso build no initrd",
Config: ironicConfig{
havePreprovImgBuilder: true,
- deployKernelURL: localKernel,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ },
},
Driver: pxeDriver,
Image: &provisioner.PreprovisioningImage{
@@ -1289,7 +1309,9 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "no build no initrd",
Config: ironicConfig{
havePreprovImgBuilder: true,
- deployKernelURL: localKernel,
+ defaultDeployConfig: ironicDeployConfig{
+ kernelURL: localKernel,
+ },
},
Driver: pxeDriver,
ExpectISO: false,
@@ -1299,7 +1321,9 @@ func TestSetDeployImage(t *testing.T) {
Scenario: "pxe no imgbuilder no pxe",
Config: ironicConfig{
havePreprovImgBuilder: false,
- deployISOURL: localIso,
+ defaultDeployConfig: ironicDeployConfig{
+ ISOURL: localIso,
+ },
},
Driver: pxeDriver,
ExpectISO: false,
@@ -1318,7 +1342,7 @@ func TestSetDeployImage(t *testing.T) {
for _, tc := range testCases {
t.Run(tc.Scenario, func(t *testing.T) {
- opts := setDeployImage(tc.Config, tc.Driver, tc.Image)
+ opts := setDeployImage(tc.Config, tc.Driver, tc.Image, "x86_64")
switch {
case tc.ExpectISO:
diff --git a/pkg/provisioner/provisioner.go b/pkg/provisioner/provisioner.go
index faddd0fd..f7f55c0d 100644
--- a/pkg/provisioner/provisioner.go
+++ b/pkg/provisioner/provisioner.go
@@ -82,6 +82,7 @@ type ManagementAccessData struct {
PreprovisioningNetworkData string
HasCustomDeploy bool
DisablePowerOff bool
+ CPUArchitecture string
}
type AdoptData struct {
--
2.50.0
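Review bot: In `setDeployImage` the per-architecture lookup replaces the whole default config instead of overriding individual fields, so a host whose architecture has only `DEPLOY_ISO_URL_<ARCH>` set loses the default kernel and ramdisk: with a driver that does not support ISO, `deployConfig.kernelURL` is empty and neither branch of the `!config.havePreprovImgBuilder` block fills the deploy keys. Conversely, `loadConfigFromEnv` silently drops an architecture entry that sets only `DEPLOY_BOOTLOADER_URL_<ARCH>`, so that bootloader is never applied and nothing tells the operator. Consider filling empty fields of the arch entry from `defaultDeployConfig` when it is registered, and logging the per-architecture URLs next to the `defaultDeploy*` values in `init`; the bodies of `setDeployImage` and `loadConfigFromEnv` are only partly visible in these hunks, so a fallback elsewhere cannot be ruled out. The errors returned by `loadDeployURLFromEnv` should name the suffixed variable, e.g. `errors.New("DEPLOY_KERNEL_URL" + suffix + " and DEPLOY_RAMDISK_URL" + suffix + " can only be set together")`, which leaves the unsuffixed messages asserted in `factory_test.go` unchanged. `TestSetDeployImage` passes `"x86_64"` with an empty `archDeployConfig` in every case, so the architecture-specific selection has no coverage in this patch.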


@@ -22,6 +22,7 @@ Release: 0
Summary: Implements a Kubernetes API for managing bare metal hosts Summary: Implements a Kubernetes API for managing bare metal hosts
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/metal3-io/baremetal-operator URL: https://github.com/metal3-io/baremetal-operator
Patch0: 0001-Allow-configuring-different-IPA-images-per-architect.patch
Source: baremetal-operator-%{version}.tar Source: baremetal-operator-%{version}.tar
Source1: vendor.tar.gz Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.24 BuildRequires: golang(API) = 1.24


@@ -1,9 +1,9 @@
#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.1_up0.6.0 #!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.0_up0.5.0
#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.1_up0.6.0-%RELEASE% #!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.0_up0.5.0-%RELEASE%
apiVersion: v2 apiVersion: v2
appVersion: 1.62.0 appVersion: 1.61.0
description: A Helm chart for Containerized Data Importer (CDI) description: A Helm chart for Containerized Data Importer (CDI)
icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
name: cdi name: cdi
type: application type: application
version: "%%CHART_MAJOR%%.0.1+up0.6.0" version: "%%CHART_MAJOR%%.0.0+up0.5.0"


@@ -109,9 +109,9 @@ spec:
description: CDIConfig at CDI level description: CDIConfig at CDI level
properties: properties:
dataVolumeTTLSeconds: dataVolumeTTLSeconds:
description: |- description: DataVolumeTTLSeconds is the time in seconds after
DataVolumeTTLSeconds is the time in seconds after DataVolume completion it can be garbage collected. Disabled by default. DataVolume completion it can be garbage collected. Disabled
Deprecated: Removed in v1.62. by default.
format: int32 format: int32
type: integer type: integer
featureGates: featureGates:
@@ -2641,9 +2641,9 @@ spec:
description: CDIConfig at CDI level description: CDIConfig at CDI level
properties: properties:
dataVolumeTTLSeconds: dataVolumeTTLSeconds:
description: |- description: DataVolumeTTLSeconds is the time in seconds after
DataVolumeTTLSeconds is the time in seconds after DataVolume completion it can be garbage collected. Disabled by default. DataVolume completion it can be garbage collected. Disabled
Deprecated: Removed in v1.62. by default.
format: int32 format: int32
type: integer type: integer
featureGates: featureGates:


@@ -599,8 +599,6 @@ spec:
strategy: {} strategy: {}
template: template:
metadata: metadata:
annotations:
openshift.io/required-scc: restricted-v2
labels: labels:
cdi.kubevirt.io: cdi-operator cdi.kubevirt.io: cdi-operator
name: cdi-operator name: cdi-operator


@@ -18,8 +18,4 @@ spec:
{{- with .Values.cdi.workload }} {{- with .Values.cdi.workload }}
workload: workload:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- with .Values.cdi.customizeComponents }}
customizeComponents:
{{- toYaml . | nindent 4 }}
{{- end }}


@@ -1,12 +1,12 @@
deployment: deployment:
version: 1.62.0-150700.9.3.1 version: 1.61.0-150600.3.12.1
operatorImage: registry.suse.com/suse/sles/15.7/cdi-operator operatorImage: registry.suse.com/suse/sles/15.6/cdi-operator
controllerImage: registry.suse.com/suse/sles/15.7/cdi-controller controllerImage: registry.suse.com/suse/sles/15.6/cdi-controller
importerImage: registry.suse.com/suse/sles/15.7/cdi-importer importerImage: registry.suse.com/suse/sles/15.6/cdi-importer
clonerImage: registry.suse.com/suse/sles/15.7/cdi-cloner clonerImage: registry.suse.com/suse/sles/15.6/cdi-cloner
apiserverImage: registry.suse.com/suse/sles/15.7/cdi-apiserver apiserverImage: registry.suse.com/suse/sles/15.6/cdi-apiserver
uploadserverImage: registry.suse.com/suse/sles/15.7/cdi-uploadserver uploadserverImage: registry.suse.com/suse/sles/15.6/cdi-uploadserver
uploadproxyImage: registry.suse.com/suse/sles/15.7/cdi-uploadproxy uploadproxyImage: registry.suse.com/suse/sles/15.6/cdi-uploadproxy
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
affinity: affinity:
podAffinity: podAffinity:
@@ -30,7 +30,6 @@ cdi:
featureGates: featureGates:
- HonorWaitForFirstConsumer - HonorWaitForFirstConsumer
imagePullPolicy: "IfNotPresent" imagePullPolicy: "IfNotPresent"
customizeComponents: {}
infra: infra:
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
@@ -42,7 +41,7 @@ cdi:
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
hookImage: registry.rancher.com/rancher/kubectl:v1.33.1 hookImage: registry.rancher.com/rancher/kubectl:v1.30.10
hookRestartPolicy: OnFailure hookRestartPolicy: OnFailure
hookSecurityContext: hookSecurityContext:
seccompProfile: seccompProfile:


@@ -1,5 +1,6 @@
#!BuildTag: %%IMG_PREFIX%%edge-image-builder:latest #!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.2.1
#!BuildTag: %%IMG_PREFIX%%edge-image-builder:latest-%RELEASE% #!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.2.1-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-base:$SLE_VERSION FROM registry.suse.com/bci/bci-base:$SLE_VERSION
MAINTAINER SUSE LLC (https://www.suse.com/) MAINTAINER SUSE LLC (https://www.suse.com/)
@@ -14,11 +15,11 @@ RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)" LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE edge-image-builder Container Image" LABEL org.opencontainers.image.title="SLE edge-image-builder Container Image"
LABEL org.opencontainers.image.description="edge-image-builder based on the SLE Base Container Image." LABEL org.opencontainers.image.description="edge-image-builder based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="latest" LABEL org.opencontainers.image.version="1.2.1"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/" LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:latest-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.2.1-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"


@@ -10,8 +10,6 @@ kubernetes:
k3s: k3s:
selinuxPackage: k3s-selinux-1.6-1.slemicro.noarch selinuxPackage: k3s-selinux-1.6-1.slemicro.noarch
selinuxRepository: https://rpm.rancher.io/k3s/stable/common/slemicro/noarch selinuxRepository: https://rpm.rancher.io/k3s/stable/common/slemicro/noarch
releaseURL: https://github.com/k3s-io/k3s/releases/download/
rke2: rke2:
selinuxPackage: rke2-selinux selinuxPackage: rke2-selinux
selinuxRepository: https://rpm.rancher.io/rke2/stable/common/slemicro/noarch selinuxRepository: https://rpm.rancher.io/rke2/stable/common/slemicro/noarch
releaseURL: https://github.com/rancher/rke2/releases/download/


@@ -3,11 +3,11 @@
<param name="url">https://github.com/suse-edge/edge-image-builder.git</param> <param name="url">https://github.com/suse-edge/edge-image-builder.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="revision">1bfee6bb5bd0dc1ed18e2d09820750f9987c96c9</param> <param name="revision">v1.2.1</param>
<!-- Uncomment and set this For Pre-Release Version --> <!-- Uncomment and set this For Pre-Release Version -->
<!-- <param name="version">1.2.0~rc1</param> --> <!-- <param name="version">1.2.0~rc1</param> -->
<!-- Uncomment and this for regular version --> <!-- Uncomment and this for regular version -->
<param name="versionformat">%h</param> <param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(\d+).(\d+).(\d+)</param> <param name="versionrewrite-pattern">v(\d+).(\d+).(\d+)</param>
<param name="versionrewrite-replacement">\1.\2.\3</param> <param name="versionrewrite-replacement">\1.\2.\3</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>
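Review bot: The new `revision` value `v1.2.1` is a tag name, and a tag can be re-pointed upstream after this service file is committed, whereas the old side pinned a full commit id. For a reproducible fetch I would keep the commit id that the tag points to in `revision`, e.g. `<param name="revision">COMMIT_ID_OF_V1_2_1</param>` (placeholder, the id is not on this page), and leave `versionformat` at `@PARENT_TAG@` so the version is still derived from the tag reachable from that commit. If the tag form is kept, the build relies on the upstream tag never moving; nothing in this section verifies that.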


@@ -17,7 +17,7 @@
Name: edge-image-builder Name: edge-image-builder
Version: latest Version: 1.2.1
Release: 0 Release: 0
Summary: Edge Image Builder Summary: Edge Image Builder
License: Apache-2.0 License: Apache-2.0


@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%% #!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%-%RELEASE% #!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro


@@ -1,6 +1,7 @@
# SPDX-License-Identifier: MIT # SPDX-License-Identifier: MIT
#!BuildTag: %%IMG_PREFIX%%frr:8.5.6 #!BuildTag: %%IMG_PREFIX%%frr:8.5.6
#!BuildTag: %%IMG_PREFIX%%frr:8.5.6-%RELEASE% #!BuildTag: %%IMG_PREFIX%%frr:8.5.6-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro


@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%% #!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%
#!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%-%RELEASE% #!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro


@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.1 #!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4
#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.1-%RELEASE% #!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -19,11 +20,11 @@ RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes
#!ArchExclusiveLine: x86_64 #!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "x86_64" ];then \ RUN if [ "$(uname -m)" = "x86_64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \ zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
fi fi
#!ArchExclusiveLine: aarch64 #!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ];then \ RUN if [ "$(uname -m)" = "aarch64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \ zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
fi fi
# DATABASE # DATABASE
@@ -31,9 +32,7 @@ RUN mkdir -p /installroot/var/lib/ironic && \
/installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \ /installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \
zypper --installroot /installroot --non-interactive remove sqlite3 zypper --installroot /installroot --non-interactive remove sqlite3
# build actual image
FROM micro AS final FROM micro AS final
MAINTAINER SUSE LLC (https://www.suse.com/) MAINTAINER SUSE LLC (https://www.suse.com/)
# Define labels according to https://en.opensuse.org/Building_derived_containers # Define labels according to https://en.opensuse.org/Building_derived_containers
LABEL org.opencontainers.image.title="SLE Openstack Ironic Container Image" LABEL org.opencontainers.image.title="SLE Openstack Ironic Container Image"
@@ -41,8 +40,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/" LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opencontainers.image.version="29.0.4.1" LABEL org.opencontainers.image.version="26.1.2.4"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.1-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -63,19 +62,14 @@ RUN echo 'alias mkisofs="xorriso -as mkisofs"' >> ~/.bashrc
COPY mkisofs_wrapper /usr/bin/mkisofs COPY mkisofs_wrapper /usr/bin/mkisofs
RUN set -euo pipefail; chmod +x /usr/bin/mkisofs RUN set -euo pipefail; chmod +x /usr/bin/mkisofs
COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runlogwatch.sh tls-common.sh configure-nonroot.sh ironic-probe.j2 /bin/
RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
RUN mkdir -p /tftpboot RUN mkdir -p /tftpboot
RUN mkdir -p $GRUB_DIR RUN mkdir -p $GRUB_DIR
COPY scripts/ /bin/ # No need to support the Legacy BIOS boot
COPY configure-nonroot.sh /bin/ #RUN cp /usr/share/syslinux/pxelinux.0 /tftpboot
RUN set -euo pipefail; chmod +x /bin/configure-ironic.sh /bin/ironic-probe.sh /bin/rundatabase-upgrade /bin/rundnsmasq /bin/runhttpd /bin/runironic /bin/runlogwatch.sh /bin/runonline-data-migrations /bin/configure-nonroot.sh #RUN cp /usr/share/syslinux/chain.c32 /tftpboot/
RUN mv /bin/ironic-probe.sh /bin/ironic-readiness
RUN cp /bin/ironic-readiness /bin/ironic-liveness
COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 \
ironic-config/ipxe_config.template ironic-config/dnsmasq.conf.j2 \
/tmp/
# IRONIC # # IRONIC #
RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
@@ -83,25 +77,31 @@ RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
RUN if [ "$(uname -m)" = "x86_64" ];then \ RUN if [ "$(uname -m)" = "x86_64" ];then \
cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi ;\ cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi ;\
fi fi
#!ArchExclusiveLine: aarch64 #!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "aarch64" ]; then\ RUN if [ "$(uname -m)" = "aarch64" ]; then\
cp /usr/share/ipxe/snp-arm64.efi /tftpboot/ipxe.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp-arm64.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp.efi ;\ cp /usr/share/ipxe/snp-arm64.efi /tftpboot/ipxe.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp-arm64.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp.efi ;\
fi fi
COPY --from=base /tmp/esp-x86_64.img /tmp/uefi_esp-x86_64.img COPY --from=base /tmp/esp-x86_64.img /tmp/uefi_esp-x86_64.img
COPY --from=base /tmp/esp-aarch64.img /tmp/uefi_esp-arm64.img COPY --from=base /tmp/esp-aarch64.img /tmp/uefi_esp-arm64.img
COPY ironic-config/ironic.conf.j2 ironic-config/network-data-schema-empty.json /etc/ironic/ COPY ironic.conf.j2 /etc/ironic/
COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/
COPY network-data-schema-empty.json /etc/ironic/
# DNSMASQ
COPY dnsmasq.conf.j2 /etc/
# Custom httpd config, removes all but the bare minimum needed modules
COPY httpd.conf.j2 /etc/httpd/conf/
COPY httpd-modules.conf /etc/httpd/conf.modules.d/
COPY apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
COPY apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
# Workaround # Workaround
# Removing the 010-ironic.conf file that comes with the package # Removing the 010-ironic.conf file that comes with the package
RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf
# Custom httpd config, removes all but the bare minimum needed modules
COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
COPY ironic-config/apache2-vmedia.conf.j2 /tmp/httpd-vmedia.conf.j2
COPY ironic-config/apache2-ipxe.conf.j2 /tmp/httpd-ipxe.conf.j2
# configure non-root user and set relevant permissions # configure non-root user and set relevant permissions
RUN configure-nonroot.sh && rm -f /bin/configure-nonroot.sh RUN configure-nonroot.sh && \
rm -f /bin/configure-nonroot.sh
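Review bot: The `#!ArchExclusiveLine: x86_64` marker on the new side sits above the `RUN if [ "$(uname -m)" = "aarch64" ]` step and contradicts the condition it guards: the line is kept only for x86_64 builds, where the test is false, so `snp-arm64.efi` would never be copied into `/tftpboot` on an aarch64 build. The marker should read `#!ArchExclusiveLine: aarch64`, matching the aarch64 zypper step earlier in this file. Separately, both install lines put `git`, `curl`, `vim`, `python311-pip` and `python311-devel` into `/installroot`, which presumably becomes the runtime filesystem; dropping the tools that are not needed at run time would reduce what is available inside a compromised container.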


@@ -1,5 +1,4 @@
Listen 0.0.0.0:{{ env.IPXE_TLS_PORT }} Listen {{ env.IPXE_TLS_PORT }}
Listen [::]:{{ env.IPXE_TLS_PORT }}
<VirtualHost *:{{ env.IPXE_TLS_PORT }}> <VirtualHost *:{{ env.IPXE_TLS_PORT }}>
ErrorLog /dev/stderr ErrorLog /dev/stderr


@@ -1,5 +1,4 @@
Listen 0.0.0.0:{{ env.VMEDIA_TLS_PORT }} Listen {{ env.VMEDIA_TLS_PORT }}
Listen [::]:{{ env.VMEDIA_TLS_PORT }}
<VirtualHost *:{{ env.VMEDIA_TLS_PORT }}> <VirtualHost *:{{ env.VMEDIA_TLS_PORT }}>
ErrorLog /dev/stderr ErrorLog /dev/stderr
@@ -11,12 +10,12 @@ Listen [::]:{{ env.VMEDIA_TLS_PORT }}
SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }} SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }} SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
<Directory "/shared/html/"> <Directory "/shared">
Options Indexes FollowSymLinks
AllowOverride None AllowOverride None
Require all granted Require all granted
</Directory> </Directory>
<Directory ~ "/shared/html/(redfish|ilo)/">
<Directory "/shared/html">
Options Indexes FollowSymLinks Options Indexes FollowSymLinks
AllowOverride None AllowOverride None
Require all granted Require all granted
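Review bot: The new `<Directory "/shared">` block applies `Require all granted` to the whole shared volume instead of only `/shared/html/`, and `Options Indexes FollowSymLinks` now covers all of `/shared/html` rather than only the `redfish` and `ilo` subdirectories. Whether anything outside `/shared/html` is actually reachable depends on the `DocumentRoot` and aliases, which are outside this hunk, but other files in this commit place `/shared/ironic.sock` and `/shared/ironic_prometheus_exporter` on the same volume. I would keep the grant on `<Directory "/shared/html">` only, drop `Indexes` unless a client really needs directory listings, and replace `FollowSymLinks` with `SymLinksIfOwnerMatch` or remove it so a link inside the tree cannot expose files outside it.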


@@ -0,0 +1,59 @@
#!/usr/bin/bash
set -euxo pipefail
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
# Backward compatibility
if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
export IRONIC_EXPOSE_JSON_RPC=true
else
export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
fi
IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
if [[ -f "/auth/ironic/htpasswd" ]]; then
IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
fi
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
configure_client_basic_auth()
{
local auth_config_file="/auth/$1/auth-config"
local dest="${2:-/etc/ironic/ironic.conf}"
if [[ -f "${auth_config_file}" ]]; then
# Merge configurations in the "auth" directory into the default ironic configuration file
crudini --merge "${dest}" < "${auth_config_file}"
fi
}
configure_json_rpc_auth()
{
if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
if [[ -z "${IRONIC_HTPASSWD}" ]]; then
echo "FATAL: enabling JSON RPC requires authentication"
exit 1
fi
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
fi
}
configure_ironic_auth()
{
local config=/etc/ironic/ironic.conf
# Configure HTTP basic auth for API server
if [[ -n "${IRONIC_HTPASSWD}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "false" ]]; then
crudini --set "${config}" DEFAULT auth_strategy http_basic
crudini --set "${config}" DEFAULT http_basic_auth_user_file "${IRONIC_HTPASSWD_FILE}"
fi
fi
}
write_htpasswd_files()
{
if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
}
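Review bot: `set -euxo pipefail` at the top of this new file enables xtrace before the credential handling, so the assignment `IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)` and every `printf "%s\n" "${IRONIC_HTPASSWD}"` are echoed with the expanded htpasswd entries into the container log. Use `set -euo pipefail` here and switch tracing off around these lines in any script that sources the file with `-x` already active (the next file section on this page does that). The htpasswd files are also created with whatever umask the caller has; assuming the reader runs as the same user, a `chmod 600 "${IRONIC_HTPASSWD_FILE}"` after each redirection keeps the hashes from being readable by other users. `write_htpasswd_files` repeats the write already done in `configure_ironic_auth`, so one of the two should call the other.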


@@ -3,7 +3,6 @@
set -euxo pipefail set -euxo pipefail
IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}" IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
export VMEDIA_TLS_PORT="${VMEDIA_TLS_PORT:-}"
# Define the VLAN interfaces to be included in introspection report, e.g. # Define the VLAN interfaces to be included in introspection report, e.g.
# all - all VLANs on all interfaces using LLDP information # all - all VLANs on all interfaces using LLDP information
@@ -20,11 +19,10 @@ export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_I
export HTTP_PORT=${HTTP_PORT:-80} export HTTP_PORT=${HTTP_PORT:-80}
if [[ "${IRONIC_USE_MARIADB}" == true ]]; then export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
if [[ -z "${MARIADB_PASSWORD:-}" ]]; then
echo "FATAL: IRONIC_USE_MARIADB requires password, mount a secret under /auth/mariadb" if [[ "$IRONIC_USE_MARIADB" == "true" ]]; then
exit 1 MARIADB_PASSWORD=${MARIADB_PASSWORD}
fi
MARIADB_DATABASE=${MARIADB_DATABASE:-ironic} MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
MARIADB_USER=${MARIADB_USER:-ironic} MARIADB_USER=${MARIADB_USER:-ironic}
MARIADB_HOST=${MARIADB_HOST:-127.0.0.1} MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
@@ -34,9 +32,13 @@ if [[ "${IRONIC_USE_MARIADB}" == true ]]; then
fi fi
fi fi
# zero makes it do cpu number detection on Ironic side # TODO(dtantsur): remove the explicit default once we get
export NUMWORKERS=${NUMWORKERS:-0} # https://review.opendev.org/761185 in the repositories
NUMPROC="$(grep -c "^processor" /proc/cpuinfo)"
if [[ "$NUMPROC" -lt 4 ]]; then
NUMPROC=4
fi
export NUMWORKERS=${NUMWORKERS:-$NUMPROC}
# Whether to enable fast_track provisioning or not # Whether to enable fast_track provisioning or not
export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true} export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
@@ -52,21 +54,11 @@ export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}
wait_for_interface_or_ip wait_for_interface_or_ip
if [[ "$(echo "$LISTEN_ALL_INTERFACES" | tr '[:upper:]' '[:lower:]')" == "true" ]]; then
export IRONIC_HOST_IP="::"
elif [[ -n "${ENABLE_IPV6}" ]]; then
export IRONIC_HOST_IP="$IRONIC_IPV6"
else
export IRONIC_HOST_IP="$IRONIC_IP"
fi
if [[ "${VMEDIA_TLS_PORT}" ]]; then
export IRONIC_HTTPS_VMEDIA_URL="https://${IRONIC_URL_HOST}:${VMEDIA_TLS_PORT}"
fi
# Hostname to use for the current conductor instance. # Hostname to use for the current conductor instance.
export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}} export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"} export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
@@ -82,9 +74,9 @@ if [[ -f "${IMAGE_CACHE_PREFIX}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}.initr
export IRONIC_DEFAULT_RAMDISK="${IMAGE_CACHE_PREFIX}.initramfs" export IRONIC_DEFAULT_RAMDISK="${IMAGE_CACHE_PREFIX}.initramfs"
fi fi
if [[ -f "${IRONIC_CONF_DIR}/ironic.conf" ]]; then if [[ -f /etc/ironic/ironic.conf ]]; then
# Make a copy of the original supposed empty configuration file # Make a copy of the original supposed empty configuration file
cp "${IRONIC_CONF_DIR}/ironic.conf" "${IRONIC_CONF_DIR}/ironic.conf.orig" cp /etc/ironic/ironic.conf /etc/ironic/ironic.conf_orig
fi fi
# oslo.config also supports Config Opts From Environment, log them to stdout # oslo.config also supports Config Opts From Environment, log them to stdout
@@ -92,6 +84,9 @@ echo 'Options set from Environment variables'
env | grep "^OS_" || true env | grep "^OS_" || true
mkdir -p /shared/html mkdir -p /shared/html
mkdir -p /shared/ironic_prometheus_exporter
configure_json_rpc_auth
if [[ -f /proc/sys/crypto/fips_enabled ]]; then if [[ -f /proc/sys/crypto/fips_enabled ]]; then
ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled) ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
@@ -99,17 +94,26 @@ if [[ -f /proc/sys/crypto/fips_enabled ]]; then
fi fi
# The original ironic.conf is empty, and can be found in ironic.conf_orig # The original ironic.conf is empty, and can be found in ironic.conf_orig
render_j2_config "/etc/ironic/ironic.conf.j2" \ render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
"${IRONIC_CONF_DIR}/ironic.conf"
configure_json_rpc_auth configure_client_basic_auth ironic-rpc
# Make sure ironic traffic bypasses any proxies # Make sure ironic traffic bypasses any proxies
export NO_PROXY="${NO_PROXY:-}" export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
if [[ -n "$IRONIC_IPV6" ]]; then PROBE_CURL_ARGS=
export NO_PROXY="${NO_PROXY},${IRONIC_IPV6}" if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
fi if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
if [[ -n "$IRONIC_IP" ]]; then PROBE_URL="http://127.0.0.1:6385"
export NO_PROXY="${NO_PROXY},${IRONIC_IP}" PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
else
PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
fi
else
PROBE_URL="${IRONIC_BASE_URL}"
fi fi
export PROBE_CURL_ARGS
export PROBE_URL
PROBE_KIND=readiness render_j2_config /bin/ironic-probe.j2 /bin/ironic-readiness
PROBE_KIND=liveness render_j2_config /bin/ironic-probe.j2 /bin/ironic-liveness
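Review bot: The new `MARIADB_PASSWORD=${MARIADB_PASSWORD}` line replaces the explicit empty-password check, so with `IRONIC_USE_MARIADB` now defaulting to `true` an empty password is accepted and an unset one fails only with a generic unbound-variable error from `set -u`. Because the script runs under `set -euxo pipefail`, that self-assignment is also written to the trace with the password expanded. I would restore the guard, `if [[ -z "${MARIADB_PASSWORD:-}" ]]; then echo "FATAL: IRONIC_USE_MARIADB requires password, mount a secret under /auth/mariadb"; exit 1; fi`, with tracing switched off around it. In the proxy hunk, `export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"` no longer adds `IRONIC_IPV6` and leaves a leading comma when `NO_PROXY` was empty. The MariaDB `if` block continues past the end of its hunk.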

57
ironic-image/configure-nonroot.sh Executable file → Normal file

@@ -1,70 +1,53 @@
#!/usr/bin/bash #!/usr/bin/bash
# This script changes permissions to allow Ironic container to run as non-root
# user. As the same image is used to run ironic, ironic-httpd, ironic-dsnmasq,
# and ironic-log-watch via BMO's ironic k8s manifest, it has
# to be configured to work with multiple different users and groups, while they
# share files via bind mounts (/shared, /certs/*), which can only get one
# group id as "fsGroup". Additionally, dnsmasq needs three capabilities to run
# which we provide via "setcap", and "allowPrivilegeEscalation: true" in
# manifest.
set -eux
# user and group are from ironic rpms (uid 997, gid 994)
NONROOT_UID=10475 NONROOT_UID=10475
NONROOT_GID=10475 NONROOT_GID=10475
IRONIC_USER="ironic-suse" USER="ironic-suse"
IRONIC_GROUP="ironic-suse"
groupadd -r -g ${NONROOT_GID} ${IRONIC_GROUP} groupadd -r -g ${NONROOT_GID} ${USER}
useradd -r -g ${NONROOT_GID} \ useradd -r -g ${NONROOT_GID} \
-u ${NONROOT_UID} \ -u ${NONROOT_UID} \
-d /var/lib/ironic \ -d /var/lib/ironic \
-s /sbin/nologin \ -s /sbin/nologin \
${IRONIC_USER} ${USER}
# most containers mount /shared but dnsmasq can live without it # create ironic's http_root directory
mkdir -p /shared mkdir -p /shared/html
mkdir -p /data chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html
mkdir -p /conf
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /shared
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /data
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /conf
# we'll bind mount shared ca and ironic certificate dirs here # we'll bind mount shared ca and ironic certificate dirs here
# that need to have correct ownership as the entire ironic in BMO # that need to have correct ownership as the entire ironic in BMO
# deployment shares a single fsGroup in manifest's securityContext # deployment shares a single fsGroup in manifest's securityContext
mkdir -p /certs/ca mkdir -p /certs/ca
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /certs{,/ca} chown "${NONROOT_UID}":"${NONROOT_GID}" /certs{,/ca}
chmod 2775 /certs{,/ca} chmod 2775 /certs{,/ca}
# apache2 permission changes # apache2 permission changes
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/apache2 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /run chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run
# ironic and httpd related changes # ironic and httpd related changes
mkdir -p /etc/httpd/conf.d mkdir -p /etc/httpd/conf.d
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf.modules.d/ chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd
chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf.modules.d/ chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log
#chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/* chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.modules.d/* chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ironic chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic
chmod 2775 /var/lib/ironic
chmod 664 /var/lib/ironic/ironic.sqlite chmod 664 /var/lib/ironic/ironic.sqlite
# dnsmasq, and the capabilities required to run it as non-root user # dnsmasq, and the capabilities required to run it as non-root user
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/dnsmasq.conf chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq
#handled at chart level chmod 2775 /var/lib/dnsmasq
#setcap "cap_net_raw,cap_net_admin,cap_net_bind_service=+eip" /usr/sbin/dnsmasq touch /var/lib/dnsmasq/dnsmasq.leases
chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
# ca-certificates permission changes # ca-certificates permission changes
touch /var/lib/ca-certificates/ca-bundle.pem.new touch /var/lib/ca-certificates/ca-bundle.pem.new
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ca-certificates/ chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/
chmod -R +w /var/lib/ca-certificates/ chmod -R +w /var/lib/ca-certificates/
# probes that are created before start # probes that are created before start
touch /bin/ironic-{readi,live}ness touch /bin/ironic-{readi,live}ness
chown root:"${IRONIC_GROUP}" /bin/ironic-{readi,live}ness chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness
chmod 775 /bin/ironic-{readi,live}ness chmod 775 /bin/ironic-{readi,live}ness
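Review bot: As rendered, the `set -eux` line appears only on the old side, so the new script would run without errexit: a failing `groupadd`, `useradd` or `chown` is ignored, and the Dockerfile step `configure-nonroot.sh && rm -f /bin/configure-nonroot.sh` still succeeds as long as the final `chmod` does. That can produce an image whose files keep their packaged ownership, with no build error to show it. I would keep `set -eu` directly after the shebang. Two smaller points on the new side: `USER="ironic-suse"` reuses the name of the login environment variable where `IRONIC_USER` was unambiguous, and `chown -R ... /etc/ironic /etc/httpd /etc/httpd` lists the same path twice.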


@@ -3,7 +3,6 @@ bind-dynamic
enable-tftp enable-tftp
tftp-root=/shared/tftpboot tftp-root=/shared/tftpboot
log-queries log-queries
dhcp-leasefile=/data/dnsmasq/dnsmasq.leases
# Configure listening for DNS (0 disables DNS) # Configure listening for DNS (0 disables DNS)
port={{ env.DNS_PORT }} port={{ env.DNS_PORT }}
@@ -32,11 +31,11 @@ dhcp-match=ipxe,175
# Client is already running iPXE; move to next stage of chainloading # Client is already running iPXE; move to next stage of chainloading
{%- if env.IPXE_TLS_SETUP == "true" %} {%- if env.IPXE_TLS_SETUP == "true" %}
# iPXE with (U)EFI # iPXE with (U)EFI
dhcp-boot=tag:efi,tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/snponly.efi dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi
# iPXE with BIOS # iPXE with BIOS
dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/undionly.kpxe dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe
{% else %} {% else %}
dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/boot.ipxe dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
{% endif %} {% endif %}
# Note: Need to test EFI booting # Note: Need to test EFI booting
@@ -60,8 +59,8 @@ ra-param={{ env.PROVISIONING_INTERFACE }},0,0
dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient
dhcp-userclass=set:ipxe6,iPXE dhcp-userclass=set:ipxe6,iPXE
dhcp-option=tag:pxe6,option6:bootfile-url,{{ env.IRONIC_TFTP_URL }}/snponly.efi dhcp-option=tag:pxe6,option6:bootfile-url,tftp://{{ env.IRONIC_URL_HOST }}/snponly.efi
dhcp-option=tag:ipxe6,option6:bootfile-url,{{ env.IRONIC_HTTP_URL }}/boot.ipxe dhcp-option=tag:ipxe6,option6:bootfile-url,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
# It can be used when setting DNS or GW variables. # It can be used when setting DNS or GW variables.
{%- if env["GATEWAY_IP"] is undefined %} {%- if env["GATEWAY_IP"] is undefined %}
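Review bot: The first hunk drops `dhcp-leasefile=/data/dnsmasq/dnsmasq.leases` without a replacement, so the lease database path falls back to whatever default dnsmasq was built with. The image preparation elsewhere in this commit creates and chowns `/var/lib/dnsmasq/dnsmasq.leases` for the non-root user, which suggests that is the intended location. If the compiled default differs, dnsmasq running as non-root may be unable to write its leases. Pinning it with `dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases` keeps the template and the prepared permissions in agreement.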


@@ -12,21 +12,11 @@
{% if env.LISTEN_ALL_INTERFACES | lower == "true" %} {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen 0.0.0.0:{{ env.IRONIC_LISTEN_PORT }} Listen {{ env.IRONIC_LISTEN_PORT }}
Listen [::]:{{ env.IRONIC_LISTEN_PORT }}
<VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}> <VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}>
{% else %} {% else %}
{% if env.ENABLE_IPV4 %} Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
Listen {{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }} <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
{% endif %}
{% if env.ENABLE_IPV6 %}
Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
{% endif %}
{% if env.IRONIC_URL_HOSTNAME is defined and env.IRONIC_URL_HOSTNAME|length %}
<VirtualHost {{ env.IRONIC_URL_HOSTNAME }}:{{ env.IRONIC_LISTEN_PORT }}>
{% else %}
<VirtualHost {% if env.ENABLE_IPV4 %}{{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}{% endif %} {% if env.ENABLE_IPV6 %}[{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}{% endif %}>
{% endif %}
{% endif %} {% endif %}
{% if env.IRONIC_PRIVATE_PORT == "unix" %} {% if env.IRONIC_PRIVATE_PORT == "unix" %}
@@ -55,7 +45,7 @@ Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %} {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic AuthType Basic
AuthName "Restricted area" AuthName "Restricted area"
AuthUserFile {{ env.HTPASSWD_FILE }} AuthUserFile "/etc/ironic/htpasswd"
Require valid-user Require valid-user
{% endif %} {% endif %}
</Location> </Location>
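Review bot: `AuthUserFile "/etc/ironic/htpasswd"` in the second hunk hard-codes a path that a startup script has to write to, and nothing in the template records that coupling. The image preparation in this commit leaves `/etc/ironic` at mode 2775 with 664 files, so the credential file backing Basic auth sits in a group-writable directory. Whoever writes the file should create it with a restrictive mode rather than inherit the default; the writer is not visible on this page, so this needs checking there. A comment above the directive such as `# written at container start; must not be group-writable` would make the expectation explicit.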


@@ -17,4 +17,4 @@ LoadModule authn_core_module /usr/lib64/apache2/mod_authn_core.so
LoadModule auth_basic_module /usr/lib64/apache2/mod_auth_basic.so LoadModule auth_basic_module /usr/lib64/apache2/mod_auth_basic.so
LoadModule authn_file_module /usr/lib64/apache2/mod_authn_file.so LoadModule authn_file_module /usr/lib64/apache2/mod_authn_file.so
LoadModule authz_user_module /usr/lib64/apache2/mod_authz_user.so LoadModule authz_user_module /usr/lib64/apache2/mod_authz_user.so
#LoadModule access_compat_module /usr/lib64/apache2/mod_access_compat.so LoadModule access_compat_module /usr/lib64/apache2/mod_access_compat.so
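Review bot: Re-enabling `LoadModule access_compat_module` brings back the legacy `Order`/`Allow`/`Deny` directives, yet none of the httpd templates visible in this commit use them; the only access control shown is `Require valid-user`. Mixing the legacy directives with `Require` tends to produce access rules that do not mean what they appear to, so the module is better left unloaded unless a config really needs it. If one does, a comment naming it would help, for example `# needed by <config file> for Order/Allow/Deny`.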


@@ -1,16 +1,10 @@
ServerRoot {{ env.HTTPD_DIR }} ServerRoot "/etc/httpd"
{%- if env.LISTEN_ALL_INTERFACES | lower == "true" %} {%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen 0.0.0.0:{{ env.HTTP_PORT }} Listen {{ env.HTTP_PORT }}
Listen [::]:{{ env.HTTP_PORT }}
{% else %} {% else %}
{% if env.ENABLE_IPV4 %} Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
Listen {{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}
{% endif %} {% endif %}
{% if env.ENABLE_IPV6 %} Include conf.modules.d/*.conf
Listen [{{ env.IRONIC_IPV6 }}]:{{ env.HTTP_PORT }}
{% endif %}
{% endif %}
Include /etc/httpd/conf.modules.d/*.conf
User ironic-suse User ironic-suse
Group ironic-suse Group ironic-suse
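Review bot: In the branch where `LISTEN_ALL_INTERFACES` is not true, the separate `ENABLE_IPV4`/`ENABLE_IPV6` listeners are replaced by a single `Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}`. `IRONIC_URL_HOST` is set to one address by `wait_for_interface_or_ip` in the common script added by this commit, so a dual-stack deployment that restricts listening would serve boot artifacts on one address family only. The same substitution is made for `Listen` and `VirtualHost` in the Ironic API proxy template. If single-stack is intended, a template comment saying so would stop this being read as a regression.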


@@ -0,0 +1,10 @@
#!ipxe
:retry_boot
echo In inspector.ipxe
imgfree
# NOTE(dtantsur): keep inspection kernel params in [mdns]params in
# ironic-inspector-image and configuration in configure-ironic.sh
kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent-${buildarch}.initramfs || goto retry_boot
boot
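Review bot: The `kernel` line hard-codes `ipa-insecure=1`, so the inspection ramdisk skips TLS certificate verification towards Ironic whatever the deployment configures. The `kernel_append_params` lines in ironic.conf.j2 still take the value from `env.IPA_INSECURE`, and the template this file replaces used `ipa-insecure={{ env.IPA_INSECURE }}`; keeping that form lets TLS-enabled deployments verify the callback endpoint. The same line passes `initrd=ironic-python-agent.initramfs` while the `initrd` command downloads `ironic-python-agent-${buildarch}.initramfs`. Those two names probably need to match for the kernel to find the ramdisk.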


@@ -0,0 +1,107 @@
#!/usr/bin/bash
set -euxo pipefail
IRONIC_IP="${IRONIC_IP:-}"
PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
PROVISIONING_IP="${PROVISIONING_IP:-}"
PROVISIONING_MACS="${PROVISIONING_MACS:-}"
IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
get_provisioning_interface()
{
if [[ -n "$PROVISIONING_INTERFACE" ]]; then
# don't override the PROVISIONING_INTERFACE if one is provided
echo "$PROVISIONING_INTERFACE"
return
fi
local interface="provisioning"
if [[ -n "${PROVISIONING_IP}" ]]; then
if ip -br addr show | grep -qi " ${PROVISIONING_IP}/"; then
interface="$(ip -br addr show | grep -i " ${PROVISIONING_IP}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
fi
fi
for mac in ${PROVISIONING_MACS//,/ }; do
if ip -br link show up | grep -qi "$mac"; then
interface="$(ip -br link show up | grep -i "$mac" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
break
fi
done
echo "$interface"
}
PROVISIONING_INTERFACE="$(get_provisioning_interface)"
export PROVISIONING_INTERFACE
export LISTEN_ALL_INTERFACES="${LISTEN_ALL_INTERFACES:-true}"
# Wait for the interface or IP to be up, sets $IRONIC_IP
wait_for_interface_or_ip()
{
# If $PROVISIONING_IP is specified, then we wait for that to become available on an interface, otherwise we look at $PROVISIONING_INTERFACE for an IP
if [[ -n "$PROVISIONING_IP" ]]; then
# Convert the address using ipcalc which strips out the subnet. For IPv6 addresses, this will give the short-form address
IRONIC_IP="$(ipcalc "${PROVISIONING_IP}" | grep "^Address:" | awk '{print $2}')"
export IRONIC_IP
until grep -F " ${IRONIC_IP}/" <(ip -br addr show); do
echo "Waiting for ${IRONIC_IP} to be configured on an interface"
sleep 1
done
else
until [[ -n "$IRONIC_IP" ]]; do
echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured"
IRONIC_IP="$(ip -br add show scope global up dev "${PROVISIONING_INTERFACE}" | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)"
export IRONIC_IP
sleep 1
done
fi
# If the IP contains a colon, then it's an IPv6 address, and the HTTP
# host needs surrounding with brackets
if [[ "$IRONIC_IP" =~ .*:.* ]]; then
export IPV=6
export IRONIC_URL_HOST="[$IRONIC_IP]"
else
export IPV=4
export IRONIC_URL_HOST="$IRONIC_IP"
fi
}
render_j2_config()
{
ls $1 # DEBUG
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1"
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
ls $2 # DEBUG
}
run_ironic_dbsync()
{
if [[ "${IRONIC_USE_MARIADB:-true}" == "true" ]]; then
# It's possible for the dbsync to fail if mariadb is not up yet, so
# retry until success
until ironic-dbsync --config-file /etc/ironic/ironic.conf upgrade; do
echo "WARNING: ironic-dbsync failed, retrying"
sleep 1
done
else
# SQLite does not support some statements. Fortunately, we can just create
# the schema in one go if not already created, instead of going through an upgrade
DB_VERSION="$(ironic-dbsync --config-file /etc/ironic/ironic.conf version)"
if [[ "${DB_VERSION}" == "None" ]]; then
ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
fi
fi
}
# Use the special value "unix" for unix sockets
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}
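Review bot: `render_j2_config` still carries debug statements: it renders the template once to stdout before rendering it into `$2`, so every rendered config ends up in the container log. For ironic.conf that includes the `connection = {{ env.MARIADB_CONNECTION }}` line, which may carry database credentials (not confirmed from this page), and `set -x` at the top of the script traces the surrounding calls as well. Drop the two `ls … # DEBUG` lines and the first `python3 -c …` line, leaving only the render into `"$2"`. If a listing is still wanted, quote the argument: `ls -- "$1"`.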


@@ -1,10 +0,0 @@
#!ipxe
:retry_boot
echo In inspector.ipxe
imgfree
# NOTE(dtantsur): keep inspection kernel params in [mdns]params in
# ironic-inspector-image and configuration in configure-ironic.sh
kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure={{ env.IPA_INSECURE }} ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent-${buildarch}.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.initramfs || goto retry_boot
boot


@@ -0,0 +1,9 @@
#!/bin/bash
set -eu -o pipefail
curl -sSf {{ env.PROBE_CURL_ARGS }} "{{ env.PROBE_URL }}"
# TODO(dtantsur): when PROBE_KIND==readiness, try the conductor and driver API
# to make sure the conductor is ready. This requires having access to secrets
# since these endpoints are authenticated.
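Review bot: The `curl -sSf` call has no time limit, so a listener that accepts the connection and then hangs leaves the probe waiting until whatever runs it gives up. Adding `--max-time` with a small value makes the probe fail deterministically, e.g. `curl -sSf --max-time 5 {{ env.PROBE_CURL_ARGS }} "{{ env.PROBE_URL }}"` (the 5 is only an example). `PROBE_CURL_ARGS` is rendered unquoted into the script and can change curl's behaviour, including its TLS options. A comment stating that it is operator-supplied would help whoever audits the probes.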


@@ -25,15 +25,8 @@ rpc_transport = none
use_stderr = true use_stderr = true
# NOTE(dtantsur): the default md5 is not compatible with FIPS mode # NOTE(dtantsur): the default md5 is not compatible with FIPS mode
hash_ring_algorithm = sha256 hash_ring_algorithm = sha256
{% if env.ENABLE_IPV4 %}
my_ip = {{ env.IRONIC_IP }} my_ip = {{ env.IRONIC_IP }}
{% endif %}
{% if env.ENABLE_IPV6 %}
my_ipv6 = {{ env.IRONIC_IPV6 }}
{% endif %}
host = {{ env.IRONIC_CONDUCTOR_HOST }} host = {{ env.IRONIC_CONDUCTOR_HOST }}
tempdir = {{ env.IRONIC_TMP_DATA_DIR }}
# If a path to a certificate is defined, use that first for webserver # If a path to a certificate is defined, use that first for webserver
{% if env.WEBSERVER_CACERT_FILE %} {% if env.WEBSERVER_CACERT_FILE %}
@@ -56,7 +49,6 @@ deploy_logs_local_path = /shared/log/ironic/deploy
# retries here works around such problems without affecting the normal path. # retries here works around such problems without affecting the normal path.
# See https://bugzilla.redhat.com/show_bug.cgi?id=1822763 # See https://bugzilla.redhat.com/show_bug.cgi?id=1822763
max_command_attempts = 30 max_command_attempts = 30
certificates_path = {{ env.IRONIC_GEN_CERT_DIR }}
[api] [api]
{% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %} {% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %}
@@ -71,7 +63,7 @@ port = {{ env.IRONIC_PRIVATE_PORT }}
{% endif %} {% endif %}
public_endpoint = {{ env.IRONIC_BASE_URL }} public_endpoint = {{ env.IRONIC_BASE_URL }}
{% else %} {% else %}
host_ip = {{ env.IRONIC_HOST_IP }} host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
port = {{ env.IRONIC_LISTEN_PORT }} port = {{ env.IRONIC_LISTEN_PORT }}
{% if env.IRONIC_TLS_SETUP == "true" %} {% if env.IRONIC_TLS_SETUP == "true" %}
enable_ssl_api = true enable_ssl_api = true
@@ -91,11 +83,7 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
# Power state is checked every 60 seconds and BMC activity should # Power state is checked every 60 seconds and BMC activity should
# be avoided more often than once every sixty seconds. # be avoided more often than once every sixty seconds.
send_sensor_data_interval = 160 send_sensor_data_interval = 160
{% if env.VMEDIA_TLS_PORT %} bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
bootloader = {{ env.IRONIC_HTTPS_VMEDIA_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
{% else %}
bootloader = {{ env.IRONIC_HTTP_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
{% endif %}
verify_step_priority_override = management.clear_job_queue:90 verify_step_priority_override = management.clear_job_queue:90
# We don't use this feature, and it creates an additional load on the database # We don't use this feature, and it creates an additional load on the database
node_history = False node_history = False
@@ -107,19 +95,16 @@ deploy_kernel = file://{{ env.IRONIC_DEFAULT_KERNEL }}
{% if env.IRONIC_DEFAULT_RAMDISK is defined %} {% if env.IRONIC_DEFAULT_RAMDISK is defined %}
deploy_ramdisk = file://{{ env.IRONIC_DEFAULT_RAMDISK }} deploy_ramdisk = file://{{ env.IRONIC_DEFAULT_RAMDISK }}
{% endif %} {% endif %}
{% if env.DISABLE_DEEP_IMAGE_INSPECTION | lower == "true" %}
disable_deep_image_inspection = True
{% endif %}
[database] [database]
{% if env.IRONIC_USE_MARIADB | lower == "true" %} {% if env.IRONIC_USE_MARIADB | lower == "false" %}
connection = {{ env.MARIADB_CONNECTION }} connection = sqlite:////var/lib/ironic/ironic.sqlite
{% else %}
connection = {{ env.LOCAL_DB_URI }}
# Synchronous mode is required for data integrity in case of operating system # Synchronous mode is required for data integrity in case of operating system
# crash. In our case we restart the container from scratch, so we can save some # crash. In our case we restart the container from scratch, so we can save some
# IO by not doing syncs all the time. # IO by not doing syncs all the time.
sqlite_synchronous = False sqlite_synchronous = False
{% else %}
connection = {{ env.MARIADB_CONNECTION }}
{% endif %} {% endif %}
[deploy] [deploy]
@@ -127,15 +112,15 @@ default_boot_option = local
erase_devices_metadata_priority = 10 erase_devices_metadata_priority = 10
erase_devices_priority = 0 erase_devices_priority = 0
http_root = /shared/html/ http_root = /shared/html/
http_url = {% if env.VMEDIA_TLS_PORT %}{{ env.IRONIC_HTTPS_VMEDIA_URL }}{% else %}{{ env.IRONIC_HTTP_URL }}{% endif %} http_url = {{ env.IRONIC_BOOT_BASE_URL }}
fast_track = {{ env.IRONIC_FAST_TRACK }} fast_track = {{ env.IRONIC_FAST_TRACK }}
{% if env.IRONIC_BOOT_ISO_SOURCE %} {% if env.IRONIC_BOOT_ISO_SOURCE %}
ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }} ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
{% endif %} {% endif %}
{% if env.IRONIC_EXTERNAL_HTTP_URL %} {% if env.IRONIC_EXTERNAL_HTTP_URL %}
external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }} external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }}
{% elif env.VMEDIA_TLS_PORT %} {% elif env.IRONIC_VMEDIA_TLS_SETUP == "true" %}
external_http_url = {{ env.IRONIC_HTTPS_VMEDIA_URL }} external_http_url = https://{{ env.IRONIC_URL_HOST }}:{{ env.VMEDIA_TLS_PORT }}
{% endif %} {% endif %}
{% if env.IRONIC_EXTERNAL_CALLBACK_URL %} {% if env.IRONIC_EXTERNAL_CALLBACK_URL %}
external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }} external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
@@ -190,8 +175,8 @@ cipher_suite_versions = 3,17
# unauthenticated connections from other processes in the same host since the # unauthenticated connections from other processes in the same host since the
# containers are in host networking. # containers are in host networking.
auth_strategy = http_basic auth_strategy = http_basic
http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }} http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
host_ip = {{ env.IRONIC_HOST_IP }} host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
{% if env.IRONIC_TLS_SETUP == "true" %} {% if env.IRONIC_TLS_SETUP == "true" %}
use_ssl = true use_ssl = true
cafile = {{ env.IRONIC_CACERT_FILE }} cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -202,6 +187,11 @@ insecure = {{ env.IRONIC_INSECURE }}
[nova] [nova]
send_power_notifications = false send_power_notifications = false
[oslo_messaging_notifications]
driver = prometheus_exporter
location = /shared/ironic_prometheus_exporter
transport_url = fake://
[pxe] [pxe]
# NOTE(dtantsur): keep this value at least 3x lower than # NOTE(dtantsur): keep this value at least 3x lower than
# [conductor]deploy_callback_timeout so that at least some retries happen. # [conductor]deploy_callback_timeout so that at least some retries happen.
@@ -211,7 +201,7 @@ images_path = /shared/html/tmp
instance_master_path = /shared/html/master_images instance_master_path = /shared/html/master_images
tftp_master_path = /shared/tftpboot/master_images tftp_master_path = /shared/tftpboot/master_images
tftp_root = /shared/tftpboot tftp_root = /shared/tftpboot
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
# This makes networking boot templates generated even for nodes using local # This makes networking boot templates generated even for nodes using local
# boot (the default), ensuring that they boot correctly even if they start # boot (the default), ensuring that they boot correctly even if they start
# netbooting for some reason (e.g. with the noop management interface). # netbooting for some reason (e.g. with the noop management interface).
@@ -224,14 +214,14 @@ ipxe_config_template = /tmp/ipxe_config.template
[redfish] [redfish]
use_swift = false use_swift = false
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
[ilo] [ilo]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
use_web_server_for_images = true use_web_server_for_images = true
[irmc] [irmc]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
[service_catalog] [service_catalog]
endpoint_override = {{ env.IRONIC_BASE_URL }} endpoint_override = {{ env.IRONIC_BASE_URL }}
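Review bot: In the hunk that sets `http_basic_auth_user_file = /etc/ironic/htpasswd-rpc` (presumably `[json_rpc]`), `host_ip` now renders to `::` whenever `LISTEN_ALL_INTERFACES` is true, and the common script added by this commit defaults that variable to `true`. The comment just above says the containers use host networking, so by default the RPC listener is reachable on every host interface and relies on `http_basic`, plus TLS only when `IRONIC_TLS_SETUP` is true. What the previous `IRONIC_HOST_IP` resolved to is not visible here. The RPC endpoint probably deserves its own bind setting rather than sharing the API's toggle, or at least a comment next to `host_ip` stating the exposure. The `[database]` hunk also inverts the test to `== "false"`, so an unset `IRONIC_USE_MARIADB` now selects MariaDB with a possibly empty `MARIADB_CONNECTION`.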


@@ -13,11 +13,7 @@ export DNS_PORT=${DNS_PORT:-0}
wait_for_interface_or_ip wait_for_interface_or_ip
if [[ "${DNS_IP:-}" == "provisioning" ]]; then if [[ "${DNS_IP:-}" == "provisioning" ]]; then
if [[ "${IPV}" == "4" ]]; then export DNS_IP="$IRONIC_URL_HOST"
export DNS_IP="${IRONIC_IP}"
else
export DNS_IP="[${IRONIC_IP}]"
fi
fi fi
mkdir -p /shared/tftpboot mkdir -p /shared/tftpboot
@@ -36,12 +32,12 @@ fi
# Template and write dnsmasq.conf # Template and write dnsmasq.conf
# we template via /tmp as sed otherwise creates temp files in /etc directory # we template via /tmp as sed otherwise creates temp files in /etc directory
# where we can't write # where we can't write
python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/tmp/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf" python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' </etc/dnsmasq.conf.j2 >/tmp/dnsmasq.conf
for iface in $(echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do for iface in $(echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do
sed -i -e "/^interface=.*/ a\except-interface=${iface}" "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf" sed -i -e "/^interface=.*/ a\except-interface=${iface}" /tmp/dnsmasq.conf
done done
cat "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf" > "${DNSMASQ_CONF_DIR}/dnsmasq.conf" cat /tmp/dnsmasq.conf > /etc/dnsmasq.conf
rm "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf" rm /tmp/dnsmasq.conf
exec /usr/sbin/dnsmasq -d -q -C "${DNSMASQ_CONF_DIR}/dnsmasq.conf" exec /usr/sbin/dnsmasq -d -q -C /etc/dnsmasq.conf
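Review bot: The rendered config is now staged at the fixed path `/tmp/dnsmasq.conf`, then edited with `sed -i` and copied into `/etc/dnsmasq.conf`. A predictable name in a world-writable directory can be pre-created or replaced by another process sharing that `/tmp`, which would change what dnsmasq is started with. Stage it in a private file instead with `tmp_conf="$(mktemp)"`, and use `"$tmp_conf"` in the render, `sed`, `cat` and `rm` lines.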

37
ironic-image/scripts/runhttpd → ironic-image/runhttpd Executable file → Normal file

@@ -28,29 +28,25 @@ wait_for_interface_or_ip
mkdir -p /shared/html mkdir -p /shared/html
chmod 0777 /shared/html chmod 0777 /shared/html
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}/v1/continue_inspection" IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}" INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
fi fi
export INSPECTOR_EXTRA_ARGS export INSPECTOR_EXTRA_ARGS
# Copy files to shared mount # Copy files to shared mount
render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe
cp /tmp/uefi_esp*.img /shared/html/ cp /tmp/uefi_esp*.img /shared/html/
# cp -r /etc/httpd/* "${HTTPD_DIR}"
if [[ -f "${HTTPD_CONF_DIR}/httpd.conf" ]]; then
mv "${HTTPD_CONF_DIR}/httpd.conf" "${HTTPD_CONF_DIR}/httpd.conf.example"
fi
# Render the core httpd config # Render the core httpd config
render_j2_config "/etc/httpd/conf/httpd.conf.j2" \ render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
"${HTTPD_CONF_DIR}/httpd.conf"
if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
render_j2_config "/tmp/httpd-ironic-api.conf.j2" \ render_j2_config /tmp/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf
"${HTTPD_CONF_DIR_D}/ironic.conf"
fi fi
else else
export IRONIC_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy export IRONIC_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
@@ -60,24 +56,33 @@ write_htpasswd_files
# Render httpd TLS configuration for /shared/html/<redifsh;ilo> # Render httpd TLS configuration for /shared/html/<redifsh;ilo>
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
render_j2_config "/tmp/httpd-vmedia.conf.j2" \ render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf
"${HTTPD_CONF_DIR_D}/vmedia.conf"
fi fi
# Render httpd TLS configuration for /shared/html # Render httpd TLS configuration for /shared/html
if [[ "$IPXE_TLS_SETUP" == "true" ]]; then if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
mkdir -p /shared/html/custom-ipxe mkdir -p /shared/html/custom-ipxe
chmod 0777 /shared/html/custom-ipxe chmod 0777 /shared/html/custom-ipxe
render_j2_config "/tmp/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf" render_j2_config "/etc/httpd-ipxe.conf.j2" "/etc/httpd/conf.d/ipxe.conf"
cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \ cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
"${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \ "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
"/shared/html/custom-ipxe" "/shared/html/custom-ipxe"
fi fi
# Set up inotify to kill the container (restart) whenever cert files for ironic api change # Set up inotify to kill the container (restart) whenever cert files for ironic api change
configure_restart_on_certificate_update "${IRONIC_TLS_SETUP}" httpd "${IRONIC_CERT_FILE}" if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
kill -WINCH $(pgrep httpd)
done &
fi
# Set up inotify to kill the container (restart) whenever cert of httpd for /shared/html/<redifsh;ilo> path change # Set up inotify to kill the container (restart) whenever cert of httpd for /shared/html/<redifsh;ilo> path change
configure_restart_on_certificate_update "${IRONIC_VMEDIA_TLS_SETUP}" httpd "${IRONIC_VMEDIA_CERT_FILE}" if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_VMEDIA_CERT_FILE}" | while read -r file event; do
kill -WINCH $(pgrep httpd)
done &
fi
exec /usr/sbin/httpd -DFOREGROUND -f "${HTTPD_CONF_DIR}/httpd.conf" exec /usr/sbin/httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
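Review bot: Both inlined inotify blocks expand `${RESTART_CONTAINER_CERTIFICATE_UPDATED}` with no default. If this script runs under `set -u`, as the common script added in this commit does, and the variable is not defaulted in a file outside this page, the script aborts before `exec httpd` when TLS is on; `${RESTART_CONTAINER_CERTIFICATE_UPDATED:-false}` avoids that. `kill -WINCH $(pgrep httpd)` is also unquoted and calls `kill` with no PID when `pgrep` finds nothing. The same block, with `kill $(pgrep ironic)`, is repeated in the new runironic script. A shared helper like the removed `configure_restart_on_certificate_update` call would keep the copies from drifting.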

23
ironic-image/runironic Normal file

@@ -0,0 +1,23 @@
#!/usr/bin/bash
# This setting must go before configure-ironic since it has different defaults.
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# Ramdisk logs
mkdir -p /shared/log/ironic/deploy
run_ironic_dbsync
if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
kill $(pgrep ironic)
done &
fi
configure_ironic_auth
exec /usr/bin/ironic


@@ -0,0 +1,12 @@
#!/usr/bin/bash
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
FLASK_RUN_HOST=${FLASK_RUN_HOST:-0.0.0.0}
FLASK_RUN_PORT=${FLASK_RUN_PORT:-9608}
export IRONIC_CONFIG="/etc/ironic/ironic.conf"
exec gunicorn -b "${FLASK_RUN_HOST}:${FLASK_RUN_PORT}" -w 4 \
ironic_prometheus_exporter.app.wsgi:application
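Review bot: `FLASK_RUN_HOST` defaults to `0.0.0.0`, so gunicorn serves the exporter on every IPv4 interface, and nothing in this script puts authentication or TLS in front of it. If this container shares the host network like the ones described in ironic.conf.j2, the metrics are reachable from any network the host is attached to. Consider defaulting to the provisioning address or loopback and letting deployments widen it. Failing that, add a comment such as `# metrics are unauthenticated; restrict FLASK_RUN_HOST or firewall the port`.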


@@ -0,0 +1,19 @@
#!/usr/bin/bash
# Ramdisk logs path
LOG_DIR="/shared/log/ironic/deploy"
# The ironic container creates the directory, wait for
# it to exist before running inotifywait or it can fail causing
# a spurious restart
while [ ! -d "${LOG_DIR}" ]; do
echo "Waiting for ${LOG_DIR}"
sleep 5
done
inotifywait -m "${LOG_DIR}" -e close_write |
while read -r path _action file; do
echo "************ Contents of ${path}/${file} ramdisk log file bundle **************"
tar -xOzvvf "${path}/${file}" | sed -e "s/^/${file}: /"
rm -f "${path}/${file}"
done
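Review bot: `${file}` is interpolated into the sed program in `sed -e "s/^/${file}: /"`, so a bundle name containing `&` or a backslash changes what sed does instead of being printed as a prefix. The names come from whatever writes into the deploy log directory, which per the comment holds ramdisk logs, so they are better treated as data than as program text. `awk -v p="${file}: " '{ print p $0 }'` is a closer fit, though awk still interprets backslash escapes in `-v` values.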


@@ -1,97 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
# CUSTOM_CONFIG_DIR is also managed in the ironic-common.sh, in order to
# keep auth-common and ironic-common separate (to stay consistent with the
# architecture) part of the ironic-common logic had to be duplicated
CUSTOM_CONFIG_DIR="${CUSTOM_CONFIG_DIR:-/conf}"
IRONIC_CONF_DIR="${CUSTOM_CONFIG_DIR}/ironic"
# Backward compatibility
if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
export IRONIC_EXPOSE_JSON_RPC=true
else
export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
fi
IRONIC_HTPASSWD_FILE="${IRONIC_CONF_DIR}/htpasswd"
export IRONIC_RPC_HTPASSWD_FILE="${IRONIC_HTPASSWD_FILE}-rpc"
if [[ -f "/auth/ironic/htpasswd" ]]; then
IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
fi
if [[ -f "/auth/ironic-rpc/htpasswd" ]]; then
IRONIC_RPC_HTPASSWD=$(</auth/ironic-rpc/htpasswd)
fi
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export IRONIC_RPC_HTPASSWD=${IRONIC_RPC_HTPASSWD:-${IRONIC_HTPASSWD}}
if [[ -n "${MARIADB_PASSWORD:-}" ]]; then
echo "WARNING: passing MARIADB_PASSWORD is deprecated, mount a secret under /auth/mariadb instead"
elif [[ -f /auth/mariadb/password ]]; then
MARIADB_PASSWORD=$(</auth/mariadb/password)
fi
if [[ -z "${MARIADB_USER:-}" ]] && [[ -f /auth/mariadb/username ]]; then
MARIADB_USER=$(</auth/mariadb/username)
fi
IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
configure_json_rpc_auth()
{
if [[ "${IRONIC_EXPOSE_JSON_RPC}" != "true" ]]; then
return
fi
local auth_config_file="/auth/ironic-rpc/auth-config"
local username_file="/auth/ironic-rpc/username"
local password_file="/auth/ironic-rpc/password"
if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then
crudini --set "${IRONIC_CONFIG}" json_rpc username "$(<${username_file})"
set +x
crudini --set "${IRONIC_CONFIG}" json_rpc password "$(<${password_file})"
set -x
elif [[ -f "${auth_config_file}" ]]; then
echo "WARNING: using auth-config is deprecated, mount a secret directly"
# Merge configurations in the "auth" directory into the default ironic configuration file
crudini --merge "${IRONIC_CONFIG}" < "${auth_config_file}"
else
echo "FATAL: no client-side credentials provided for JSON RPC"
echo "HINT: mount a secret with username and password fields under /auth/ironic-rpc"
exit 1
fi
if [[ -z "${IRONIC_RPC_HTPASSWD}" ]]; then
if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then
htpasswd -c -i -B "${IRONIC_RPC_HTPASSWD_FILE}" "$(<${username_file})" <"${password_file}"
else
echo "FATAL: enabling JSON RPC requires authentication"
echo "HINT: mount a secret with either username and password or htpasswd under /auth/ironic-rpc"
exit 1
fi
else
printf "%s\n" "${IRONIC_RPC_HTPASSWD}" > "${IRONIC_RPC_HTPASSWD_FILE}"
fi
}
configure_ironic_auth()
{
# Configure HTTP basic auth for API server
if [[ -n "${IRONIC_HTPASSWD}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "false" ]]; then
crudini --set "${IRONIC_CONFIG}" DEFAULT auth_strategy http_basic
crudini --set "${IRONIC_CONFIG}" DEFAULT http_basic_auth_user_file "${IRONIC_HTPASSWD_FILE}"
fi
fi
}
write_htpasswd_files()
{
if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
}


@@ -1,295 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
# Export IRONIC_IP to avoid needing to lean on IRONIC_URL_HOST for consumption in
# e.g. dnsmasq configuration
export IRONIC_IP="${IRONIC_IP:-}"
IRONIC_IPV6="${IRONIC_IPV6:-}"
PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
PROVISIONING_IP="${PROVISIONING_IP:-}"
PROVISIONING_MACS="${PROVISIONING_MACS:-}"
IRONIC_URL_HOSTNAME="${IRONIC_URL_HOSTNAME:-}"
IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
CUSTOM_CONFIG_DIR="${CUSTOM_CONFIG_DIR:-/conf}"
CUSTOM_DATA_DIR="${CUSTOM_DATA_DIR:-/data}"
export DNSMASQ_CONF_DIR="${CUSTOM_CONFIG_DIR}/dnsmasq"
export DNSMASQ_DATA_DIR="${CUSTOM_DATA_DIR}/dnsmasq"
export DNSMASQ_TEMP_DIR="${CUSTOM_CONFIG_DIR}/dnsmasq"
export HTTPD_DIR="${CUSTOM_CONFIG_DIR}/httpd"
export HTTPD_CONF_DIR="${HTTPD_DIR}/conf"
export HTTPD_CONF_DIR_D="${HTTPD_DIR}/conf.d"
export IRONIC_CONF_DIR="${CUSTOM_CONFIG_DIR}/ironic"
export IRONIC_DB_DIR="${CUSTOM_DATA_DIR}/db"
export IRONIC_GEN_CERT_DIR="${CUSTOM_DATA_DIR}/auto_gen_certs"
export IRONIC_TMP_DATA_DIR="${CUSTOM_DATA_DIR}/tmp"
export PROBE_CONF_DIR="${CUSTOM_CONFIG_DIR}/probes"
mkdir -p "${IRONIC_CONF_DIR}" "${PROBE_CONF_DIR}" "${HTTPD_CONF_DIR}" \
"${HTTPD_CONF_DIR_D}" "${DNSMASQ_CONF_DIR}" "${DNSMASQ_TEMP_DIR}" \
"${IRONIC_DB_DIR}" "${IRONIC_GEN_CERT_DIR}" "${DNSMASQ_DATA_DIR}" \
"${IRONIC_TMP_DATA_DIR}"
export HTPASSWD_FILE="${IRONIC_CONF_DIR}/htpasswd"
export LOCAL_DB_URI="sqlite:///${IRONIC_DB_DIR}/ironic.sqlite"
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
get_ip_of_hostname()
{
if [[ "$#" -ne 2 ]]; then
echo "${FUNCNAME}: two parameters required, $# provided" >&2
return 1
fi
case $2 in
4)
QUERY="a";;
6)
QUERY="aaaa";;
*)
echo "${FUNCNAME}: the second parameter should be [a|aaaa] for A and AAAA records"
return 1;;
esac
local HOSTNAME=$1
echo $(nslookup -type=${QUERY} "${HOSTNAME}" | tail -n2 | grep -w "Address:" | cut -d " " -f2)
}
get_interface_of_ip()
{
local IP_VERS=""
if [[ "$#" -gt 2 ]]; then
echo "${FUNCNAME}: too many parameters" >&2
return 1
fi
if [[ "$#" -eq 2 ]]; then
case $2 in
4|6)
local IP_VERS="-${2}"
;;
*)
echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
return 2
;;
esac
fi
local IP_ADDR=$1
# Convert the address using ipcalc which strips out the subnet.
# For IPv6 addresses, this will give the short-form address
IP_ADDR="$(ipcalc "${IP_ADDR}" | grep "^Address:" | awk '{print $2}')"
echo $(ip ${IP_VERS} -br addr show scope global | grep -i " ${IP_ADDR}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')
}
get_ip_of_interface()
{
local IP_VERS=""
if [[ "$#" -gt 2 ]]; then
echo "${FUNCNAME}: too many parameters" >&2
return 1
fi
if [[ "$#" -eq 2 ]]; then
case $2 in
4|6)
local IP_VERS="-${2}"
;;
*)
echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
return 2
;;
esac
fi
local IFACE=$1
echo $(ip ${IP_VERS} -br addr show scope global up dev ${IFACE} | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)
}
get_provisioning_interface()
{
if [[ -n "$PROVISIONING_INTERFACE" ]]; then
# don't override the PROVISIONING_INTERFACE if one is provided
echo "$PROVISIONING_INTERFACE"
return
fi
local interface=""
for mac in ${PROVISIONING_MACS//,/ }; do
if ip -br link show up | grep -i "$mac" &>/dev/null; then
interface="$(ip -br link show up | grep -i "$mac" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
break
fi
done
echo "$interface"
}
PROVISIONING_INTERFACE="$(get_provisioning_interface)"
export PROVISIONING_INTERFACE
export LISTEN_ALL_INTERFACES="${LISTEN_ALL_INTERFACES:-true}"
# Wait for the interface or IP to be up, sets $IRONIC_IP
wait_for_interface_or_ip()
{
# If $PROVISIONING_IP is specified, then we wait for that to become
# available on an interface, otherwise we look at $PROVISIONING_INTERFACE
# for an IP
if [[ -n "${PROVISIONING_IP}" ]]; then
local IFACE_OF_IP=""
until [[ -n "$IFACE_OF_IP" ]]; do
echo "Waiting for ${PROVISIONING_IP} to be configured on an interface..."
IFACE_OF_IP="$(get_interface_of_ip "${PROVISIONING_IP}")"
sleep 1
done
echo "Found $PROVISIONING_IP on interface \"${IFACE_OF_IP}\"!"
export PROVISIONING_INTERFACE="$IFACE_OF_IP"
# If the IP contains a colon, then it's an IPv6 address
if [[ "$PROVISIONING_IP" =~ .*:.* ]]; then
export IRONIC_IPV6="$PROVISIONING_IP"
export IRONIC_IP=""
else
export IRONIC_IP="$PROVISIONING_IP"
fi
elif [[ -n "${IRONIC_IP}" ]]; then
if [[ "$IRONIC_IP" =~ .*:.* ]]; then
export IRONIC_IPV6="$IRONIC_IP"
export IRONIC_IP=""
fi
elif [[ -n "${PROVISIONING_INTERFACE}" ]]; then
until [[ -n "$IRONIC_IPV6" ]] || [[ -n "$IRONIC_IP" ]]; do
echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured..."
IRONIC_IPV6="$(get_ip_of_interface "${PROVISIONING_INTERFACE}" 6)"
sleep 1
IRONIC_IP="$(get_ip_of_interface "${PROVISIONING_INTERFACE}" 4)"
sleep 1
done
if [[ -n "$IRONIC_IPV6" ]]; then
echo "Found $IRONIC_IPV6 on interface \"${PROVISIONING_INTERFACE}\"!"
export IRONIC_IPV6
fi
if [[ -n "$IRONIC_IP" ]]; then
echo "Found $IRONIC_IP on interface \"${PROVISIONING_INTERFACE}\"!"
export IRONIC_IP
fi
elif [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
local IPV6_IFACE=""
local IPV4_IFACE=""
# we should get at least one IP address
until [[ -n "$IPV6_IFACE" ]] || [[ -n "$IPV4_IFACE" ]]; do
local IPV6_RECORD=""
local IPV4_RECORD=""
IPV6_RECORD="$(get_ip_of_hostname "${IRONIC_URL_HOSTNAME}" 6)"
IPV4_RECORD="$(get_ip_of_hostname "${IRONIC_URL_HOSTNAME}" 4)"
# We couldn't get any IP
if [[ -z "$IPV4_RECORD" ]] && [[ -z "$IPV6_RECORD" ]]; then
echo "${FUNCNAME}: no valid IP found for hostname ${IRONIC_URL_HOSTNAME}" >&2
return 1
fi
echo "Waiting for ${IPV6_RECORD} to be configured on an interface"
IPV6_IFACE="$(get_interface_of_ip "${IPV6_RECORD}" 6)"
sleep 1
echo "Waiting for ${IPV4_RECORD} to be configured on an interface"
IPV4_IFACE="$(get_interface_of_ip "${IPV4_RECORD}" 4)"
sleep 1
done
# Add some debugging output
if [[ -n "$IPV6_IFACE" ]]; then
echo "Found $IPV6_RECORD on interface \"${IPV6_IFACE}\"!"
export IRONIC_IPV6="$IPV6_RECORD"
fi
if [[ -n "$IPV4_IFACE" ]]; then
echo "Found $IPV4_RECORD on interface \"${IPV4_IFACE}\"!"
export IRONIC_IP="$IPV4_RECORD"
fi
# Make sure both IPs are asigned to the same interface
if [[ -n "$IPV6_IFACE" ]] && [[ -n "$IPV4_IFACE" ]] && [[ "$IPV6_IFACE" != "$IPV4_IFACE" ]]; then
echo "Warning, the IPv4 and IPv6 addresses from \"${HOSTNAME}\" are assigned to different " \
"interfaces (\"${IPV6_IFACE}\" and \"${IPV4_IFACE}\")" >&2
fi
else
echo "Cannot determine an interface or an IP for binding and creating URLs"
return 1
fi
# Define the URLs based on the what we have found,
# prioritize IPv6 for IRONIC_URL_HOST
if [[ -n "$IRONIC_IP" ]]; then
export ENABLE_IPV4=yes
export IRONIC_URL_HOST="$IRONIC_IP"
fi
if [[ -n "$IRONIC_IPV6" ]]; then
export ENABLE_IPV6=yes
export IRONIC_URL_HOST="[${IRONIC_IPV6}]" # The HTTP host needs surrounding with brackets
fi
# Once determined if we have IPv4 and/or IPv6, override the hostname if provided
if [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
IRONIC_URL_HOST=$IRONIC_URL_HOSTNAME
fi
# Avoid having to construct full URL multiple times while allowing
# the override of IRONIC_HTTP_URL for environments in which IRONIC_IP
# is unreachable from hosts being provisioned.
export IRONIC_HTTP_URL="${IRONIC_HTTP_URL:-http://${IRONIC_URL_HOST}:${HTTP_PORT}}"
export IRONIC_TFTP_URL="${IRONIC_TFTP_URL:-tftp://${IRONIC_URL_HOST}}"
export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
}
render_j2_config()
{
python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
}
run_ironic_dbsync()
{
if [[ "${IRONIC_USE_MARIADB}" == "true" ]]; then
# It's possible for the dbsync to fail if mariadb is not up yet, so
# retry until success
until ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" upgrade; do
echo "WARNING: ironic-dbsync failed, retrying"
sleep 1
done
else
# SQLite does not support some statements. Fortunately, we can just
# create the schema in one go if not already created, instead of going
# through an upgrade
cp "/var/lib/ironic/ironic.sqlite" "${IRONIC_DB_DIR}/ironic.sqlite"
DB_VERSION="$(ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" version)"
if [[ "${DB_VERSION}" == "None" ]]; then
ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" create_schema
fi
fi
}
# Use the special value "unix" for unix sockets
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}


@@ -1,23 +0,0 @@
#!/bin/bash
set -eu -o pipefail
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/auth-common.sh
PROBE_CURL_ARGS=
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
PROBE_URL="http://127.0.0.1:6385"
PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
else
PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
fi
else
PROBE_URL="${IRONIC_BASE_URL}"
fi
# shellcheck disable=SC2086
curl -sSf ${PROBE_CURL_ARGS} "${PROBE_URL}"


@@ -1,10 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# NOTE(dtantsur): no retries here: this script is supposed to be run as a Job
# that is retried on failure.
exec ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" upgrade


@@ -1,18 +0,0 @@
#!/usr/bin/bash
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# Ramdisk logs
mkdir -p /shared/log/ironic/deploy
# Allows skipping dbsync if it's done by an external job
if [[ "${IRONIC_SKIP_DBSYNC:-false}" != true ]]; then
run_ironic_dbsync
fi
configure_restart_on_certificate_update "${IRONIC_TLS_SETUP}" ironic "${IRONIC_CERT_FILE}"
configure_ironic_auth
exec /usr/bin/ironic --config-dir "${IRONIC_CONF_DIR}"


@@ -1,17 +0,0 @@
#!/usr/bin/bash
# Ramdisk logs path
LOG_DIR="/shared/log/ironic/deploy"
mkdir -p "${LOG_DIR}"
# shellcheck disable=SC2034
python3.11 -m pyinotify --raw-format -e IN_CLOSE_WRITE -v "${LOG_DIR}" |
while read -r event dir mask maskname filename filepath pathname wd; do
#NOTE(elfosardo): a pyinotify event looks like this:
# <Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name=mylogs.gzip path=/shared/log/ironic/deploy pathname=/shared/log/ironic/deploy/mylogs.gzip wd=1 >
FILENAME=$(echo "${filename}" | cut -d'=' -f2-)
echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
tar -xOzvvf "${LOG_DIR}/${FILENAME}" | sed -e "s/^/${FILENAME}: /"
rm -f "${LOG_DIR}/${FILENAME}"
done


@@ -1,10 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# NOTE(dtantsur): no retries here: this script is supposed to be run as a Job
# that is retried on failure.
exec ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" online_data_migrations


@@ -95,21 +95,3 @@ if [[ -f "$MARIADB_CACERT_FILE" ]]; then
else else
export MARIADB_TLS_ENABLED="false" export MARIADB_TLS_ENABLED="false"
fi fi
configure_restart_on_certificate_update()
{
local enabled="$1"
local service="$2"
local cert_file="$3"
local signal="TERM"
if [[ "${enabled}" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
if [[ "${service}" == httpd ]]; then
signal="WINCH"
fi
python3 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${cert_file}" |
while read -r; do
pkill "-${signal}" "${service}"
done &
fi
}


@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8 #!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.7
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE% #!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -18,11 +18,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)" LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image" LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image." LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="3.0.8" LABEL org.opencontainers.image.version="3.0.6"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/" LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,6 +33,8 @@ LABEL com.suse.release-stage="released"
COPY --from=base /installroot / COPY --from=base /installroot /
RUN cp /getopt /usr/bin/ RUN cp /getopt /usr/bin/
RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
# configure non-root user # configure non-root user
COPY configure-nonroot.sh /bin/ COPY configure-nonroot.sh /bin/
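Review bot: The version metadata on the new side disagrees with itself: both `#!BuildTag` lines and `org.opensuse.reference` say 3.0.7, but `org.opencontainers.image.version` is set to "3.0.6". Tooling that reads the OCI label (image scanners, SBOM or inventory reports) would then record a different version from the tag that was pulled, which makes it harder to match an image to an advisory. Unless the split is intentional, the label should read `LABEL org.opencontainers.image.version="3.0.7"`. The same mismatch appears in the two Dockerfile sections that follow (the `-aarch64` and `-x86_64` build tags).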


@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8 #!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.7
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8-%RELEASE% #!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.7-%RELEASE%
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -18,11 +18,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)" LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image" LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image." LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="3.0.8" LABEL org.opencontainers.image.version="3.0.6"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/" LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,6 +33,8 @@ LABEL com.suse.release-stage="released"
COPY --from=base /installroot / COPY --from=base /installroot /
RUN cp /getopt /usr/bin/ RUN cp /getopt /usr/bin/
RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
# configure non-root user # configure non-root user
COPY configure-nonroot.sh /bin/ COPY configure-nonroot.sh /bin/


@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8 #!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.7
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8-%RELEASE% #!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.7-%RELEASE%
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -18,11 +18,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)" LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image" LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image." LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="3.0.8" LABEL org.opencontainers.image.version="3.0.6"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/" LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,6 +33,8 @@ LABEL com.suse.release-stage="released"
COPY --from=base /installroot / COPY --from=base /installroot /
RUN cp /getopt /usr/bin/ RUN cp /getopt /usr/bin/
RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
# configure non-root user # configure non-root user
COPY configure-nonroot.sh /bin/ COPY configure-nonroot.sh /bin/


@@ -6,8 +6,6 @@ export http_proxy=${http_proxy:-$HTTP_PROXY}
export https_proxy=${https_proxy:-$HTTPS_PROXY} export https_proxy=${https_proxy:-$HTTPS_PROXY}
export no_proxy=${no_proxy:-$NO_PROXY} export no_proxy=${no_proxy:-$NO_PROXY}
IMAGES_BASE_PATH="/srv/tftpboot/openstack-ironic-image"
if [ -d "/tmp/ironic-certificates" ]; then if [ -d "/tmp/ironic-certificates" ]; then
sha256sum /tmp/ironic-certificates/* > /tmp/certificates.sha256 sha256sum /tmp/ironic-certificates/* > /tmp/certificates.sha256
if cmp "/shared/certificates.sha256" "/tmp/certificates.sha256"; then if cmp "/shared/certificates.sha256" "/tmp/certificates.sha256"; then
@@ -28,14 +26,14 @@ if [ -z "${IPA_BASEURI}" ]; then
IMAGE_CHANGED=1 IMAGE_CHANGED=1
# SLES BASED IPA - ironic-ipa-ramdisk-x86_64 and ironic-ipa-ramdisk-aarch64 packages # SLES BASED IPA - ironic-ipa-ramdisk-x86_64 and ironic-ipa-ramdisk-aarch64 packages
mkdir -p /shared/html/images mkdir -p /shared/html/images
if [ -f ${IMAGES_BASE_PATH}/initrd-x86_64.zst ]; then if [ -f /tmp/initrd-x86_64.zst ]; then
cp ${IMAGES_BASE_PATH}/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs cp /tmp/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs
cp ${IMAGES_BASE_PATH}/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel cp /tmp/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel
fi fi
# Use arm64 as destination for iPXE compatibility # Use arm64 as destination for iPXE compatibility
if [ -f ${IMAGES_BASE_PATH}/initrd-aarch64.zst ]; then if [ -f /tmp/initrd-aarch64.zst ]; then
cp ${IMAGES_BASE_PATH}/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs cp /tmp/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs
cp ${IMAGES_BASE_PATH}/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel cp /tmp/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel
fi fi
cp /tmp/images.sha256 /shared/images.sha256 cp /tmp/images.sha256 /shared/images.sha256
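Review bot: In the second hunk the kernel and initramfs published under /shared/html/images are now read from /tmp, and nothing compares them with a known-good digest before the copy; /tmp/images.sha256 is only copied on to /shared. /tmp is normally world-writable and is often replaced by a tmpfs or volume mount at runtime, in which case the `-f /tmp/initrd-x86_64.zst` tests would simply skip the copy, so boot artifacts served to provisioned hosts are better read from a root-owned path. The digests in images.sha256 are computed over the /srv/tftpboot paths in the Dockerfile hunks, which appear to leave those files in place, so if /tmp has to stay I would compare before each copy, e.g. `cmp /tmp/initrd-x86_64.zst /srv/tftpboot/openstack-ironic-image/initrd-x86_64.zst || exit 1`. The enclosing `if [ -z "${IPA_BASEURI}" ]` block starts and ends outside the hunk.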


@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%% #!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%
#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE% #!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro


@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%kubectl:1.33.4 #!BuildTag: %%IMG_PREFIX%%kubectl:1.32.4
#!BuildTag: %%IMG_PREFIX%%kubectl:1.33.4-%RELEASE% #!BuildTag: %%IMG_PREFIX%%kubectl:1.32.4-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -15,11 +16,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)" LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE kubectl image" LABEL org.opencontainers.image.title="SLE kubectl image"
LABEL org.opencontainers.image.description="kubectl on the SLE Base Container Image." LABEL org.opencontainers.image.description="kubectl on the SLE Base Container Image."
LABEL org.opencontainers.image.version="1.33.4" LABEL org.opencontainers.image.version="1.32.4"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/" LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.33.4-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.32.4-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"


@@ -1,7 +1,7 @@
%global debug_package %{nil} %global debug_package %{nil}
Name: kubectl Name: kubectl
Version: 1.33.4 Version: 1.32.4
Release: 0 Release: 0
Summary: Command-line utility for interacting with a Kubernetes cluster Summary: Command-line utility for interacting with a Kubernetes cluster

BIN
kubectl/kubectl_1.32.4.orig.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
kubectl/kubectl_1.33.4.orig.tar.gz (Stored with Git LFS)

Binary file not shown.


@@ -1,9 +1,9 @@
#!BuildTag: %%CHART_PREFIX%%kubevirt:%%CHART_MAJOR%%.0.1_up0.6.0-%RELEASE% #!BuildTag: %%CHART_PREFIX%%kubevirt:%%CHART_MAJOR%%.0.0_up0.5.0-%RELEASE%
#!BuildTag: %%CHART_PREFIX%%kubevirt:%%CHART_MAJOR%%.0.1_up0.6.0 #!BuildTag: %%CHART_PREFIX%%kubevirt:%%CHART_MAJOR%%.0.0_up0.5.0
apiVersion: v2 apiVersion: v2
appVersion: 1.5.2 appVersion: 1.4.0
description: A Helm chart for KubeVirt description: A Helm chart for KubeVirt
icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
name: kubevirt name: kubevirt
type: application type: application
version: "%%CHART_MAJOR%%.0.1+up0.6.0" version: "%%CHART_MAJOR%%.0.0+up0.5.0"


@@ -593,13 +593,6 @@ spec:
If set to true, migrations will still start in pre-copy, but switch to post-copy when If set to true, migrations will still start in pre-copy, but switch to post-copy when
CompletionTimeoutPerGiB triggers. Defaults to false CompletionTimeoutPerGiB triggers. Defaults to false
type: boolean type: boolean
allowWorkloadDisruption:
description: |-
AllowWorkloadDisruption indicates that the migration shouldn't be
canceled after acceptableCompletionTime is exceeded. Instead, if
permitted, migration will be switched to post-copy or the VMI will be
paused to allow the migration to complete
type: boolean
bandwidthPerMigration: bandwidthPerMigration:
anyOf: anyOf:
- type: integer - type: integer
@@ -612,8 +605,8 @@ spec:
completionTimeoutPerGiB: completionTimeoutPerGiB:
description: |- description: |-
CompletionTimeoutPerGiB is the maximum number of seconds per GiB a migration is allowed to take. CompletionTimeoutPerGiB is the maximum number of seconds per GiB a migration is allowed to take.
If the timeout is reached, the migration will be either paused, switched If a live-migration takes longer to migrate than this value multiplied by the size of the VMI,
to post-copy or cancelled depending on other settings. Defaults to 150 the migration will be cancelled, unless AllowPostCopy is true. Defaults to 150
format: int64 format: int64
type: integer type: integer
disableTLS: disableTLS:
@@ -971,17 +964,17 @@ spec:
type: object type: object
type: object type: object
vmRolloutStrategy: vmRolloutStrategy:
description: |- description: VMRolloutStrategy defines how changes to a VM object
VMRolloutStrategy defines how live-updatable fields, like CPU sockets, memory, propagate to its VMI
tolerations, and affinity, are propagated from a VM to its VMI.
enum: enum:
- Stage - Stage
- LiveUpdate - LiveUpdate
nullable: true nullable: true
type: string type: string
vmStateStorageClass: vmStateStorageClass:
description: VMStateStorageClass is the name of the storage class description: |-
to use for the PVCs created to preserve VM state, like TPM. VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM.
The storage class must support RWX in filesystem mode.
type: string type: string
webhookConfiguration: webhookConfiguration:
description: |- description: |-
@@ -3857,13 +3850,6 @@ spec:
If set to true, migrations will still start in pre-copy, but switch to post-copy when If set to true, migrations will still start in pre-copy, but switch to post-copy when
CompletionTimeoutPerGiB triggers. Defaults to false CompletionTimeoutPerGiB triggers. Defaults to false
type: boolean type: boolean
allowWorkloadDisruption:
description: |-
AllowWorkloadDisruption indicates that the migration shouldn't be
canceled after acceptableCompletionTime is exceeded. Instead, if
permitted, migration will be switched to post-copy or the VMI will be
paused to allow the migration to complete
type: boolean
bandwidthPerMigration: bandwidthPerMigration:
anyOf: anyOf:
- type: integer - type: integer
@@ -3876,8 +3862,8 @@ spec:
completionTimeoutPerGiB: completionTimeoutPerGiB:
description: |- description: |-
CompletionTimeoutPerGiB is the maximum number of seconds per GiB a migration is allowed to take. CompletionTimeoutPerGiB is the maximum number of seconds per GiB a migration is allowed to take.
If the timeout is reached, the migration will be either paused, switched If a live-migration takes longer to migrate than this value multiplied by the size of the VMI,
to post-copy or cancelled depending on other settings. Defaults to 150 the migration will be cancelled, unless AllowPostCopy is true. Defaults to 150
format: int64 format: int64
type: integer type: integer
disableTLS: disableTLS:
@@ -4235,17 +4221,17 @@ spec:
type: object type: object
type: object type: object
vmRolloutStrategy: vmRolloutStrategy:
description: |- description: VMRolloutStrategy defines how changes to a VM object
VMRolloutStrategy defines how live-updatable fields, like CPU sockets, memory, propagate to its VMI
tolerations, and affinity, are propagated from a VM to its VMI.
enum: enum:
- Stage - Stage
- LiveUpdate - LiveUpdate
nullable: true nullable: true
type: string type: string
vmStateStorageClass: vmStateStorageClass:
description: VMStateStorageClass is the name of the storage class description: |-
to use for the PVCs created to preserve VM state, like TPM. VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM.
The storage class must support RWX in filesystem mode.
type: string type: string
webhookConfiguration: webhookConfiguration:
description: |- description: |-


@@ -608,7 +608,6 @@ rules:
resources: resources:
- virtualmachinesnapshots - virtualmachinesnapshots
- virtualmachinesnapshots/status - virtualmachinesnapshots/status
- virtualmachinesnapshots/finalizers
- virtualmachinesnapshotcontents - virtualmachinesnapshotcontents
- virtualmachinesnapshotcontents/status - virtualmachinesnapshotcontents/status
- virtualmachinesnapshotcontents/finalizers - virtualmachinesnapshotcontents/finalizers
@@ -661,18 +660,15 @@ rules:
- kubevirt.io - kubevirt.io
resources: resources:
- virtualmachines/finalizers - virtualmachines/finalizers
- virtualmachineinstances/finalizers
verbs: verbs:
- update - update
- apiGroups: - apiGroups:
- subresources.kubevirt.io - subresources.kubevirt.io
resources: resources:
- virtualmachines/stop
- virtualmachineinstances/addvolume - virtualmachineinstances/addvolume
- virtualmachineinstances/removevolume - virtualmachineinstances/removevolume
- virtualmachineinstances/freeze - virtualmachineinstances/freeze
- virtualmachineinstances/unfreeze - virtualmachineinstances/unfreeze
- virtualmachineinstances/reset
- virtualmachineinstances/softreboot - virtualmachineinstances/softreboot
- virtualmachineinstances/sev/setupsession - virtualmachineinstances/sev/setupsession
- virtualmachineinstances/sev/injectlaunchsecret - virtualmachineinstances/sev/injectlaunchsecret
@@ -776,14 +772,6 @@ rules:
verbs: verbs:
- list - list
- watch - watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- get
- delete
- apiGroups: - apiGroups:
- kubevirt.io - kubevirt.io
resources: resources:
@@ -895,7 +883,6 @@ rules:
- virtualmachineinstances/freeze - virtualmachineinstances/freeze
- virtualmachineinstances/unfreeze - virtualmachineinstances/unfreeze
- virtualmachineinstances/softreboot - virtualmachineinstances/softreboot
- virtualmachineinstances/reset
- virtualmachineinstances/sev/setupsession - virtualmachineinstances/sev/setupsession
- virtualmachineinstances/sev/injectlaunchsecret - virtualmachineinstances/sev/injectlaunchsecret
verbs: verbs:
@@ -915,6 +902,7 @@ rules:
- virtualmachines/restart - virtualmachines/restart
- virtualmachines/addvolume - virtualmachines/addvolume
- virtualmachines/removevolume - virtualmachines/removevolume
- virtualmachines/migrate
- virtualmachines/memorydump - virtualmachines/memorydump
verbs: verbs:
- update - update
@@ -931,6 +919,7 @@ rules:
- virtualmachineinstances - virtualmachineinstances
- virtualmachineinstancepresets - virtualmachineinstancepresets
- virtualmachineinstancereplicasets - virtualmachineinstancereplicasets
- virtualmachineinstancemigrations
verbs: verbs:
- get - get
- delete - delete
@@ -940,14 +929,6 @@ rules:
- list - list
- watch - watch
- deletecollection - deletecollection
- apiGroups:
- kubevirt.io
resources:
- virtualmachineinstancemigrations
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- snapshot.kubevirt.io - snapshot.kubevirt.io
resources: resources:
@@ -1051,7 +1032,6 @@ rules:
- virtualmachineinstances/freeze - virtualmachineinstances/freeze
- virtualmachineinstances/unfreeze - virtualmachineinstances/unfreeze
- virtualmachineinstances/softreboot - virtualmachineinstances/softreboot
- virtualmachineinstances/reset
- virtualmachineinstances/sev/setupsession - virtualmachineinstances/sev/setupsession
- virtualmachineinstances/sev/injectlaunchsecret - virtualmachineinstances/sev/injectlaunchsecret
verbs: verbs:
@@ -1071,6 +1051,7 @@ rules:
- virtualmachines/restart - virtualmachines/restart
- virtualmachines/addvolume - virtualmachines/addvolume
- virtualmachines/removevolume - virtualmachines/removevolume
- virtualmachines/migrate
- virtualmachines/memorydump - virtualmachines/memorydump
verbs: verbs:
- update - update
@@ -1087,6 +1068,7 @@ rules:
- virtualmachineinstances - virtualmachineinstances
- virtualmachineinstancepresets - virtualmachineinstancepresets
- virtualmachineinstancereplicasets - virtualmachineinstancereplicasets
- virtualmachineinstancemigrations
verbs: verbs:
- get - get
- delete - delete
@@ -1095,14 +1077,6 @@ rules:
- patch - patch
- list - list
- watch - watch
- apiGroups:
- kubevirt.io
resources:
- virtualmachineinstancemigrations
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- snapshot.kubevirt.io - snapshot.kubevirt.io
resources: resources:
@@ -1281,25 +1255,6 @@ rules:
- get - get
- list - list
- watch - watch
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/migrate
verbs:
- update
- apiGroups:
- kubevirt.io
resources:
- virtualmachineinstancemigrations
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups: - apiGroups:
- authentication.k8s.io - authentication.k8s.io
resources: resources:
@@ -1345,8 +1300,6 @@ spec:
type: RollingUpdate type: RollingUpdate
template: template:
metadata: metadata:
annotations:
openshift.io/required-scc: restricted-v2
labels: labels:
kubevirt.io: virt-operator kubevirt.io: virt-operator
name: virt-operator name: virt-operator
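Review bot: The two rules that gain `virtualmachineinstancemigrations` on the new side (hunks at -931 and -1087) carry write verbs: `delete` is visible in both and `deletecollection` follows the first. Whichever roles they belong to therefore move from the read-only `get`/`list`/`watch` rule that is dropped to full management of migrations, and the neighbouring `update` rules also pick up `virtualmachines/migrate`. The role names sit outside these hunks, so I can't confirm which subjects receive this; if they are the general-purpose admin/edit roles, every holder can now start or cancel live migrations, which the old layout kept in a separate rule set (removed at -1281). I would keep migration rights in a dedicated role, or at least put a comment above each rule such as `# grants create/delete on migrations: holders can trigger or cancel live migration`. Separately, the last hunk drops the `openshift.io/required-scc: restricted-v2` annotation from the virt-operator pod template, so the pod is no longer pinned to that SCC on OpenShift; worth confirming that is intended.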


@@ -1,6 +1,6 @@
operator: operator:
image: registry.suse.com/suse/sles/15.7/virt-operator image: registry.suse.com/suse/sles/15.6/virt-operator
version: 1.5.2-150700.3.5.2 version: 1.4.0-150600.5.15.1
replicas: 2 replicas: 2
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
affinity: affinity:
@@ -40,7 +40,7 @@ kubevirt:
monitorAccount: "" monitorAccount: ""
monitorNamespace: "" monitorNamespace: ""
hookImage: registry.rancher.com/rancher/kubectl:v1.33.1 hookImage: registry.rancher.com/rancher/kubectl:v1.30.10
hookRestartPolicy: OnFailure hookRestartPolicy: OnFailure
hookSecurityContext: hookSecurityContext:
seccompProfile: seccompProfile:


@@ -12,10 +12,10 @@ annotations:
catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0' catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
catalog.cattle.io/kube-version: '>= v1.26.0-0' catalog.cattle.io/kube-version: '>= v1.26.0-0'
apiVersion: v2 apiVersion: v2
appVersion: 304.0.3+up1.3.2 appVersion: 303.0.2+up1.3.2
description: 'SUSE Edge: KubeVirt extension for Rancher Dashboard' description: 'SUSE Edge: KubeVirt extension for Rancher Dashboard'
name: kubevirt-dashboard-extension name: kubevirt-dashboard-extension
type: application type: application
version: "%%CHART_MAJOR%%.0.3+up1.3.2" version: "%%CHART_MAJOR%%.0.2+up1.3.2"
icon: >- icon: >-
https://raw.githubusercontent.com/cncf/artwork/master/projects/kubevirt/icon/color/kubevirt-icon-color.svg https://raw.githubusercontent.com/cncf/artwork/master/projects/kubevirt/icon/color/kubevirt-icon-color.svg


@@ -8,7 +8,7 @@ spec:
plugin: plugin:
name: {{ include "extension-server.fullname" . }} name: {{ include "extension-server.fullname" . }}
version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }} version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/kubevirt-dashboard-extension/304.0.3+up1.3.2 endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/kubevirt-dashboard-extension/303.0.2+up1.3.2
noCache: {{ .Values.plugin.noCache }} noCache: {{ .Values.plugin.noCache }}
noAuth: {{ .Values.plugin.noAuth }} noAuth: {{ .Values.plugin.noAuth }}
metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }} metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}


@@ -1,28 +1,28 @@
#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.14_up0.12.4 #!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6
#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.14_up0.12.4-%RELEASE% #!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6-%RELEASE%
apiVersion: v2 apiVersion: v2
appVersion: 0.12.4 appVersion: 0.11.6
dependencies: dependencies:
- alias: metal3-baremetal-operator - alias: metal3-baremetal-operator
name: baremetal-operator name: baremetal-operator
repository: file://./charts/baremetal-operator repository: file://./charts/baremetal-operator
version: 0.10.3 version: 0.9.2
- alias: metal3-ironic - alias: metal3-ironic
name: ironic name: ironic
repository: file://./charts/ironic repository: file://./charts/ironic
version: 0.11.2 version: 0.10.5
- alias: metal3-mariadb - alias: metal3-mariadb
condition: global.enable_mariadb condition: global.enable_mariadb
name: mariadb name: mariadb
repository: file://./charts/mariadb repository: file://./charts/mariadb
version: 0.6.1 version: 0.6.0
- alias: metal3-media - alias: metal3-media
condition: global.enable_metal3_media_server condition: global.enable_metal3_media_server
name: media name: media
repository: file://./charts/media repository: file://./charts/media
version: 0.6.5 version: 0.6.2
description: A Helm chart that installs all of the dependencies needed for Metal3 description: A Helm chart that installs all of the dependencies needed for Metal3
icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
name: metal3 name: metal3
type: application type: application
version: "%%CHART_MAJOR%%.0.14+up0.12.4" version: "%%CHART_MAJOR%%.0.8+up0.11.6"


@@ -1,6 +1,6 @@
apiVersion: v2 apiVersion: v2
appVersion: 0.10.2 appVersion: 0.9.1
description: A Helm chart for baremetal-operator, used by Metal3 description: A Helm chart for baremetal-operator, used by Metal3
name: baremetal-operator name: baremetal-operator
type: application type: application
version: 0.10.3 version: 0.9.2


@@ -202,11 +202,6 @@ spec:
description: Description is a human-entered text used to help identify description: Description is a human-entered text used to help identify
the host. the host.
type: string type: string
disablePowerOff:
description: |-
When set to true, power off of the node will be disabled,
instead, a reboot will be used in place of power on/off
type: boolean
externallyProvisioned: externallyProvisioned:
description: |- description: |-
ExternallyProvisioned means something else has provisioned the ExternallyProvisioned means something else has provisioned the


@@ -61,19 +61,3 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }} {{- default "default" .Values.serviceAccount.name }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{/*
Create the URL to use for connecting to the Ironic servers (e.g. API, cache)
*/}}
{{- define "baremetal-operator.ironicHttpHost" -}}
{{- $hostIP := include "metal3.hostIP" . -}}
{{- with .Values.global }}
{{- if .provisioningHostname }}
{{- .provisioningHostname }}
{{- else if regexMatch ".*:.*" $hostIP}}
{{- print "[" $hostIP "]" }}
{{- else }}
{{- $hostIP }}
{{- end }}
{{- end }}
{{- end }}


@@ -1,10 +1,10 @@
{{- $enableTLS := .Values.global.enable_tls }} {{- $enableTLS := .Values.global.enable_tls }}
{{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }} {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
{{- $protocol := ternary "https" "http" $enableTLS }} {{- $protocol := ternary "https" "http" $enableTLS }}
{{- $ironicHost := include "baremetal-operator.ironicHttpHost" . | required "Missing host information for BMO to connect to Ironic" }} {{- $ironicIP := .Values.global.ironicIP | default "" }}
{{- $ironicApiHost := print $ironicHost ":6385" }} {{- $ironicApiHost := print $ironicIP ":6385" }}
{{- $ironicBootHost := print $ironicHost ":6180" }} {{- $ironicBootHost := print $ironicIP ":6180" }}
{{- $ironicCacheHost := print $ironicHost ":6180" }} {{- $ironicCacheHost := print $ironicIP ":6180" }}
{{- $deployArch := .Values.global.deployArchitecture }} {{- $deployArch := .Values.global.deployArchitecture }}
apiVersion: v1 apiVersion: v1
@@ -12,8 +12,8 @@ data:
IRONIC_ENDPOINT: "{{ $protocol }}://{{ $ironicApiHost }}/v1/" IRONIC_ENDPOINT: "{{ $protocol }}://{{ $ironicApiHost }}/v1/"
# Switch VMedia to HTTP if enable_vmedia_tls is false # Switch VMedia to HTTP if enable_vmedia_tls is false
{{- if and $enableTLS $enableVMediaTLS }} {{- if and $enableTLS $enableVMediaTLS }}
{{- $ironicBootHost = print $ironicHost ":" .Values.global.vmediaTLSPort }} {{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
{{- $ironicCacheHost = print $ironicHost ":" .Values.global.vmediaTLSPort }} {{- $ironicCacheHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
{{- $protocol = "https" }} {{- $protocol = "https" }}
RESTART_CONTAINER_CERTIFICATE_UPDATED: "true" RESTART_CONTAINER_CERTIFICATE_UPDATED: "true"
{{- else }} {{- else }}
@@ -23,11 +23,13 @@ data:
CACHEURL: "{{ $protocol }}://{{ $ironicCacheHost }}/images" CACHEURL: "{{ $protocol }}://{{ $ironicCacheHost }}/images"
DEPLOY_KERNEL_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.kernel" DEPLOY_KERNEL_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.kernel"
DEPLOY_RAMDISK_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.initramfs" DEPLOY_RAMDISK_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.initramfs"
DEPLOY_KERNEL_URL_X86_64: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-x86_64.kernel"
DEPLOY_RAMDISK_URL_X86_64: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-x86_64.initramfs"
DEPLOY_BOOTLOADER_URL_X86_64: "{{ $protocol }}://{{ $ironicBootHost }}/uefi_esp-x86_64.img"
DEPLOY_KERNEL_URL_AARCH64: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-arm64.kernel"
DEPLOY_RAMDISK_URL_AARCH64: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-arm64.initramfs"
DEPLOY_BOOTLOADER_URL_AARCH64: "{{ $protocol }}://{{ $ironicBootHost }}/uefi_esp-arm64.img"
DEPLOY_ARCHITECTURE: "{{ $deployArch }}" DEPLOY_ARCHITECTURE: "{{ $deployArch }}"
{{- if .Values.baremetaloperator.externalHttpIPv6 }}
{{- $port := ternary .Values.global.vmediaTLSPort .Values.baremetaloperator.httpPort $enableVMediaTLS }}
IRONIC_EXTERNAL_URL_V6: "{{ $protocol }}://[{{ .Values.baremetaloperator.externalHttpIPv6 }}]:{{ $port }}"
{{- end }}
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: baremetal-operator-ironic name: baremetal-operator-ironic
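Review bot: `$ironicIP` falls back to an empty string (`.Values.global.ironicIP | default ""`), so a release with `global.ironicIP` unset renders `IRONIC_ENDPOINT`, `CACHEURL` and the deploy kernel/ramdisk URLs with no host (`https://:6385/v1/`) instead of failing at template time. The line it replaces used `required`; I would keep that guard: `{{- $ironicIP := .Values.global.ironicIP | required "global.ironicIP must be set for BMO to reach Ironic" }}`. An IPv6 literal is also concatenated without brackets now, which gives an invalid authority in every URL built from it. The Ironic ConfigMap template later in this commit builds its hosts the same way.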


@@ -6,7 +6,6 @@ metadata:
control-plane: controller-manager control-plane: controller-manager
name: {{ include "baremetal-operator.fullname" . }}-controller-manager-metrics-service name: {{ include "baremetal-operator.fullname" . }}-controller-manager-metrics-service
spec: spec:
ipFamilyPolicy: PreferDualStack
ports: ports:
- name: https - name: https
port: 8443 port: 8443


@@ -5,7 +5,6 @@ metadata:
{{- include "baremetal-operator.labels" . | nindent 4 }} {{- include "baremetal-operator.labels" . | nindent 4 }}
name: {{ include "baremetal-operator.fullname" . }}-webhook-service name: {{ include "baremetal-operator.fullname" . }}-webhook-service
spec: spec:
ipFamilyPolicy: PreferDualStack
ports: ports:
- port: 443 - port: 443
targetPort: 9443 targetPort: 9443


@@ -84,8 +84,3 @@ affinity: {}
baremetaloperator: baremetaloperator:
httpPort: "6180" httpPort: "6180"
# IPv6 used for accessing the Ironic HTTP server for BMCs with an IPv6 only address.
# It should not be used in conjunction with 'provisioningHostname' unless BMCs do not
# support hostnames.
externalHttpIPv6: ""


@@ -1,6 +1,6 @@
apiVersion: v2 apiVersion: v2
appVersion: 29.0.4 appVersion: 26.1.2
description: A Helm chart for Ironic, used by Metal3 description: A Helm chart for Ironic, used by Metal3
name: ironic name: ironic
type: application type: application
version: 0.11.2 version: 0.10.5


@@ -83,50 +83,3 @@ Get ironic CA volumeMounts
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- end }} {{- end }}
{{/*
Get the formatted "External" hostname or IP based URL
*/}}
{{- define "ironic.externalHttpUrl" }}
{{- $host := ternary (include "metal3.hostIP" .) .Values.global.externalHttpHost (empty .Values.global.externalHttpHost) }}
{{- if regexMatch ".*:.*" $host }}
{{- $host = print "[" $host "]" }}
{{- end }}
{{- $protocol := "http" }}
{{- $port := "6180" }}
{{- if .Values.global.enable_vmedia_tls }}
{{- $protocol = "https" }}
{{- $port = .Values.global.vmediaTLSPort | default "6185" }}
{{- end }}
{{- print $protocol "://" $host ":" $port }}
{{- end }}
{{/*
Get the command to use for Liveness and Readiness probes
*/}}
{{- define "ironic.probeCommand" }}
{{- $host := "127.0.0.1" }}
{{- if eq .Values.listenOnAll false }}
{{- $host = coalesce .Values.global.provisioningIP .Values.global.ironicIP .Values.global.provisioningHostname }}
{{- if regexMatch ".*:.*" $host }}
{{- $host = print "[" $host "]" }}
{{- end }}
{{- end }}
{{- print "curl -sSfk https://" $host ":6385" }}
{{- end }}
{{/*
Create the subjectAltNames section to be set on the Certificate
*/}}
{{- define "ironic.subjectAltNames" -}}
{{- with .Values.global }}
{{- if .provisioningHostname }}
dnsNames:
- {{ .provisioningHostname }}
{{- end -}}
{{- if or .ironicIP .provisioningIP }}
ipAddresses:
- {{ coalesce .provisioningIP .ironicIP }}
{{- end }}
{{- end }}
{{- end }}


@@ -6,7 +6,8 @@ metadata:
spec: spec:
commonName: ironic-ca commonName: ironic-ca
isCA: true isCA: true
{{- include "ironic.subjectAltNames" . | indent 2 }} ipAddresses:
- {{ .Values.global.ironicIP }}
issuerRef: issuerRef:
kind: Issuer kind: Issuer
name: selfsigned-issuer name: selfsigned-issuer
@@ -18,7 +19,8 @@ metadata:
name: ironic-cert name: ironic-cert
spec: spec:
commonName: ironic-cert commonName: ironic-cert
{{- include "ironic.subjectAltNames" . | indent 2 }} ipAddresses:
- {{ .Values.global.ironicIP }}
issuerRef: issuerRef:
kind: Issuer kind: Issuer
name: ca-issuer name: ca-issuer
@@ -31,7 +33,8 @@ metadata:
name: ironic-vmedia-cert name: ironic-vmedia-cert
spec: spec:
commonName: ironic-vmedia-cert commonName: ironic-vmedia-cert
{{- include "ironic.subjectAltNames" . | indent 2 }} ipAddresses:
- {{ .Values.global.ironicIP }}
issuerRef: issuerRef:
kind: Issuer kind: Issuer
name: ca-issuer name: ca-issuer
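Review bot: All three Certificates now list only `{{ .Values.global.ironicIP }}` under `ipAddresses`, while the Ironic ConfigMap in this commit can still publish `PROVISIONING_IP` from `global.provisioningIP`. If a deployment sets only `provisioningIP`, or clients reach Ironic on that address, the certificate carries an empty or non-matching SAN, and the usual field workaround is to switch verification off. I would either emit both addresses when set or fail early with `- {{ .Values.global.ironicIP | required "global.ironicIP is needed for the certificate SAN" }}`. The `ironic-ca` object has `isCA: true` and, as far as I can see, needs no IP SAN at all; that entry could be dropped there.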


@@ -1,13 +1,21 @@
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: ironic name: ironic-bmo
labels: labels:
{{- include "ironic.labels" . | nindent 4 }} {{- include "ironic.labels" . | nindent 4 }}
data: data:
{{- $enableTLS := .Values.global.enable_tls }}
{{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
{{- $protocol := ternary "https" "http" $enableTLS }}
{{- $ironicIP := .Values.global.ironicIP | default "" }}
{{- $ironicApiHost := print $ironicIP ":6385" }}
{{- $ironicBootHost := print $ironicIP ":6180" }}
{{- $ironicCacheHost := print $ironicIP ":6180" }}
{{- $deployArch := .Values.global.deployArchitecture }} {{- $deployArch := .Values.global.deployArchitecture }}
{{- if ( .Values.global.enable_dnsmasq ) }} {{- if ( .Values.global.enable_dnsmasq ) }}
DNSMASQ_BOOT_SERVER_ADDRESS: {{ $ironicBootHost }}
DNSMASQ_DNS_SERVER_ADDRESS: {{ .Values.global.dnsmasqDNSServer }} DNSMASQ_DNS_SERVER_ADDRESS: {{ .Values.global.dnsmasqDNSServer }}
DNSMASQ_DEFAULT_ROUTER: {{ .Values.global.dnsmasqDefaultRouter }} DNSMASQ_DEFAULT_ROUTER: {{ .Values.global.dnsmasqDefaultRouter }}
DHCP_RANGE: {{ .Values.global.dhcpRange }} DHCP_RANGE: {{ .Values.global.dhcpRange }}
@@ -17,21 +25,40 @@ data:
{{- end }} {{- end }}
HTTP_PORT: "6180" HTTP_PORT: "6180"
PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}" PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}"
IRONIC_EXTERNAL_HTTP_URL: {{ include "ironic.externalHttpUrl" . }} USE_IRONIC_INSPECTOR: "false"
IRONIC_API_BASE_URL: {{ $protocol }}://{{ $ironicApiHost }}
IRONIC_API_HOST: {{ $ironicApiHost }}
IRONIC_API_HTTPD_SERVER_NAME: {{ $ironicApiHost }}
IRONIC_ENDPOINT: {{ $protocol }}://{{ $ironicApiHost }}/v1/
# Switch VMedia to HTTP if enable_vmedia_tls is false
{{- if and $enableTLS $enableVMediaTLS }}
{{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
{{- $ironicCacheHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
{{- $protocol = "https" }}
{{- else }}
{{- $protocol = "http" }}
{{- end }}
IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ $ironicCacheHost }}
CACHEURL: {{ $protocol }}://{{ $ironicCacheHost }}/images
DEPLOY_KERNEL_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.kernel
DEPLOY_RAMDISK_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.initramfs
DEPLOY_ARCHITECTURE: {{ $deployArch }} DEPLOY_ARCHITECTURE: {{ $deployArch }}
IRONIC_BOOT_BASE_URL: {{ $protocol }}://{{ $ironicBootHost }}
IRONIC_VMEDIA_HTTPD_SERVER_NAME: {{ $ironicBootHost }}
ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}" ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}"
{{- if .Values.global.provisioningInterface }} {{- if .Values.global.provisioningInterface }}
PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }} PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }}
{{- end }} {{- end }}
{{- if .Values.global.provisioningIP }} {{- if .Values.global.provisioningIP }}
PROVISIONING_IP: {{ include "metal3.hostIP" . }} PROVISIONING_IP: {{ .Values.global.provisioningIP }}
{{- else if .Values.global.ironicIP }}
IRONIC_IP: {{ include "metal3.hostIP" . }}
{{- else if .Values.global.provisioningHostname }}
IRONIC_URL_HOSTNAME: {{ .Values.global.provisioningHostname }}
{{- end }} {{- end }}
IRONIC_ILO_USE_SWIFT: "false"
IRONIC_ILO_USE_WEB_SERVER_FOR_IMAGES: "true"
IRONIC_FAST_TRACK: "true" IRONIC_FAST_TRACK: "true"
LISTEN_ALL_INTERFACES: "{{ .Values.listenOnAll }}" LISTEN_ALL_INTERFACES: "true"
{{- if .Values.global.ironicIP }}
IRONIC_IP: {{ .Values.global.ironicIP }}
{{- end }}
{{- if ( .Values.global.enable_tls ) }} {{- if ( .Values.global.enable_tls ) }}
RESTART_CONTAINER_CERTIFICATE_UPDATED: "true" RESTART_CONTAINER_CERTIFICATE_UPDATED: "true"
IRONIC_KERNEL_PARAMS: {{ .Values.global.ironicKernelParams }} tls.enabled=true IRONIC_KERNEL_PARAMS: {{ .Values.global.ironicKernelParams }} tls.enabled=true
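Review bot: `LISTEN_ALL_INTERFACES` is hardcoded to `"true"` in the second hunk, so the chart no longer offers a way to bind Ironic only to the provisioning address. With `HTTP_PORT` 6180 and the API on 6385, both listen on every interface of the pod's network namespace; whether that is the host's namespace is not visible here. I would keep the setting value-driven (`LISTEN_ALL_INTERFACES: "{{ .Values.listenOnAll }}"` with a documented default) so deployments with a separate management network can restrict exposure. The block under `# Switch VMedia to HTTP if enable_vmedia_tls is false` also downgrades `CACHEURL` and the deploy kernel/ramdisk URLs to plain HTTP even when `enable_tls` is true; a one-line comment saying that these boot artifacts then travel without transport integrity would help operators choose.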


@@ -39,10 +39,10 @@ spec:
- /bin/runhttpd - /bin/runhttpd
envFrom: envFrom:
- configMapRef: - configMapRef:
name: ironic name: ironic-bmo
livenessProbe: livenessProbe:
exec: exec:
command: ["sh", "-c", "{{ include "ironic.probeCommand" . }}"] command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"]
failureThreshold: 10 failureThreshold: 10
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 30 periodSeconds: 30
@@ -60,7 +60,7 @@ spec:
{{- end }} {{- end }}
readinessProbe: readinessProbe:
exec: exec:
command: ["sh", "-c", "{{ include "ironic.probeCommand" . }}"] command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"]
failureThreshold: 10 failureThreshold: 10
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 30 periodSeconds: 30
@@ -97,7 +97,7 @@ spec:
- /bin/runironic - /bin/runironic
envFrom: envFrom:
- configMapRef: - configMapRef:
name: ironic name: ironic-bmo
env: env:
{{- if .Values.global.enable_basicAuth }} {{- if .Values.global.enable_basicAuth }}
- name: IRONIC_HTPASSWD - name: IRONIC_HTPASSWD
@@ -170,7 +170,7 @@ spec:
- /bin/rundnsmasq - /bin/rundnsmasq
envFrom: envFrom:
- configMapRef: - configMapRef:
name: ironic name: ironic-bmo
livenessProbe: livenessProbe:
exec: exec:
command: command:
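Review bot: Both probes in the first two hunks now run a fixed `curl -sSfk https://127.0.0.1:6385`: the scheme no longer follows `global.enable_tls`, and `-k` disables certificate verification without saying why. Skipping verification on loopback is defensible, since the certificates in this chart are issued for `global.ironicIP` rather than 127.0.0.1, but that reasoning should be written next to the probe, for example `# -k: loopback health check only; the serving cert has no SAN for 127.0.0.1`. The conditionals around the probes lie outside the hunks, so I can't tell whether the probes are rendered when TLS is off; if they are, they fail and the container is restarted.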


@@ -10,7 +10,6 @@ metadata:
{{- end }} {{- end }}
spec: spec:
type: {{ .Values.service.type }} type: {{ .Values.service.type }}
ipFamilyPolicy: PreferDualStack
ports: ports:
{{- $enableTLS := .Values.global.enable_tls }} {{- $enableTLS := .Values.global.enable_tls }}
{{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }} {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}


@@ -32,12 +32,6 @@ global:
# IP Address assigned to network interface on provisioning network # IP Address assigned to network interface on provisioning network
provisioningIP: "" provisioningIP: ""
# Fully Qualified Domain Name used by Ironic for both binding (to the
# associated IPv4 and/or IPv6 addresses) and exposing the API, dnsmask and
# media, also used by BMO. Note, this is the only way to enable a fully
# working dual-stack configuration.
provisioningHostname: ""
# Whether the NIC names should be predictable or not # Whether the NIC names should be predictable or not
predictableNicNames: "true" predictableNicNames: "true"
@@ -58,17 +52,15 @@ global:
replicaCount: 1 replicaCount: 1
listenOnAll: true
images: images:
ironic: ironic:
repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: 29.0.4.1 tag: 26.1.2.4
ironicIPADownloader: ironicIPADownloader:
repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: 3.0.8 tag: 3.0.7
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""


@@ -3,4 +3,4 @@ appVersion: "10.11"
description: A Helm chart for MariaDB, used by Metal3 description: A Helm chart for MariaDB, used by Metal3
name: mariadb name: mariadb
type: application type: application
version: 0.6.1 version: 0.6.0


@@ -5,11 +5,10 @@ metadata:
labels: labels:
{{- include "mariadb.labels" . | nindent 4 }} {{- include "mariadb.labels" . | nindent 4 }}
spec: spec:
ipFamilyPolicy: PreferDualStack
type: {{ .Values.service.type }} type: {{ .Values.service.type }}
selector: selector:
{{- include "mariadb.selectorLabels" . | nindent 4 }} {{- include "mariadb.selectorLabels" . | nindent 4 }}
ports: ports:
{{- with .Values.service.ports }} {{- with .Values.service.ports }}
{{- toYaml . | nindent 2 }} {{- toYaml . | nindent 2 }}
{{- end }} {{- end }}


@@ -3,4 +3,4 @@ appVersion: 1.16.0
description: A Helm chart for Media, used by Metal3 description: A Helm chart for Media, used by Metal3
name: media name: media
type: application type: application
version: 0.6.5 version: 0.6.2


@@ -5,7 +5,6 @@ metadata:
labels: labels:
{{- include "media.labels" . | nindent 4 }} {{- include "media.labels" . | nindent 4 }}
spec: spec:
ipFamilyPolicy: PreferDualStack
type: {{ .Values.service.type }} type: {{ .Values.service.type }}
ports: ports:
- port: {{ .Values.service.port }} - port: {{ .Values.service.port }}


@@ -24,7 +24,7 @@ replicaCount: 1
image: image:
repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: 29.0.4.1 tag: 26.1.2.4
imagePullSecrets: [] imagePullSecrets: []
nameOverride: "" nameOverride: ""


@@ -60,18 +60,3 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }} {{- default "default" .Values.serviceAccount.name }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{/*
Produce the correct IP or hostname for Ironic provisioning
*/}}
{{- define "metal3.hostIP" -}}
{{- with .Values.global }}
{{- if and .provisioningHostname (or .provisioningIP .ironicIP) }}
{{ fail "Please provide either provisioningHostname or provisioningIP or ironicIP" }}
{{- end }}
{{- if and .provisioningIP .ironicIP }}
{{ fail "Please provide either ironicIP or provisioningIP" }}
{{- end }}
{{- coalesce .provisioningIP .ironicIP }}
{{- end }}
{{- end }}


@@ -60,15 +60,6 @@ global:
# IP Address assigned to network interface on provisioning network # IP Address assigned to network interface on provisioning network
provisioningIP: "" provisioningIP: ""
# Fully Qualified Domain Name used by Ironic for both binding (to the
# associated IPv4 and/or IPv6 addresses) and exposing the API, dnsmask and
# media, also used by BMO. Note, this is the only way to enable a fully
# working dual-stack configuration.
provisioningHostname: ""
# Hostname or IP for accessing the Ironic API server from a non-provisioning network
externalHttpHost: ""
# Name for the MariaDB service # Name for the MariaDB service
databaseServiceName: metal3-mariadb databaseServiceName: metal3-mariadb


@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%% #!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%
#!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE% #!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro


@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%% #!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%
#!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE% #!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro


@@ -1,31 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%nessie:%%nessie_version%%
#!BuildTag: %%IMG_PREFIX%%nessie:%%nessie_version%%-%RELEASE%
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-base:$SLE_VERSION
# labelprefix=com.suse.application.nessie
LABEL org.opencontainers.image.title="nessie"
LABEL org.opencontainers.image.description="Nessie diagnostic tool for SUSE Kubernetes environments"
LABEL org.opencontainers.image.version="%%nessie_version%%"
LABEL org.opencontainers.image.authors="George Agriogiannis <george.agriogiannis2@suse.com>"
LABEL org.opencontainers.image.url="https://github.com/suse-edge/support-tools/tree/main/nessie"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%nessie:%%nessie_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
RUN zypper --non-interactive refresh && \
zypper --non-interactive install --no-recommends nessie && \
zypper clean
WORKDIR /tmp
ENTRYPOINT ["/usr/bin/nessie"]


@@ -1,19 +0,0 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%nessie_version%%</param>
<param name="package">nessie</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
<param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
<param name="var">SUPPORT_LEVEL</param>
</service>
</services>


@@ -1,26 +0,0 @@
<services>
<service name="obs_scm">
<param name="url">https://github.com/suse-edge/support-tools</param>
<param name="scm">git</param>
<param name="revision">nessie-v1.0.0</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">george.agriogiannis2@suse.com</param>
<param name="match-tag">nessie-v*</param>
<param name="versionrewrite-pattern">nessie-v(\d+\.\d+\.\d+)</param>
<param name="versionrewrite-replacement">\1</param>
<param name="subdir">nessie</param>
<param name="exclude">.git</param>
<param name="without-version">yes</param>
<param name="filename">nessie</param>
</service>
<service mode="buildtime" name="tar">
<param name="obsinfo">nessie.obsinfo</param>
</service>
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service mode="buildtime" name="set_version" />
</services>


@@ -1,80 +0,0 @@
#
# spec file for package nessie
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: nessie
# Version will be set automatically by factory's set_version service
Version: 1.0.0
Release: 0
Summary: Node Environment Support Script for Inspection and Export
License: Apache-2.0
Group: System/Management
URL: https://github.com/suse-edge/support-tools/tree/main/nessie
Source0: %{name}-%{version}.tar.gz
BuildArch: noarch
# Build dependencies
BuildRequires: python3-devel
# Runtime dependencies
Requires: python3
Requires: python3-kubernetes
Requires: python3-PyYAML
Requires: helm
Requires: systemd
# Optional dependencies for enhanced functionality
Recommends: util-linux
%description
Nessie (Node Environment Support Script for Inspection and Export) is a
comprehensive diagnostic tool for SUSE Kubernetes environments. It collects
logs, configurations, and system information from Kubernetes clusters for
troubleshooting and support purposes.
Key features:
- Collects system service logs and Kubernetes pod logs
- Gathers cluster configurations and Helm releases
- Retrieves node metrics and component versions
- Supports RKE2 and K3s environments
- Fault-tolerant with configurable options
- Can be run directly or as a container
The tool is designed specifically for SUSE Edge environments and integrates
well with SUSE Linux Micro, RKE2, and K3s distributions.
%prep
%autosetup
%build
# Validate Python syntax
python3 -m py_compile nessie.py
%install
# Install the main script
install -D -m 0755 nessie.py %{buildroot}%{_bindir}/nessie
# Install documentation files
install -D -m 0644 README.md %{buildroot}%{_docdir}/%{name}/README.md
install -D -m 0644 LICENSE %{buildroot}%{_docdir}/%{name}/LICENSE
%files
%{_bindir}/nessie
%dir %{_docdir}/%{name}
%doc %{_docdir}/%{name}/README.md
%license %{_docdir}/%{name}/LICENSE
%changelog

Submodule python-executing deleted from ac466db0b5

Submodule python-flit-core deleted from 4362b05ea3
