stackhpc · priteau · Dec 1, 2025 · Nov 14, 2025 · Nov 17, 2025 · Nov 17, 2025
@@ -119,22 +119,24 @@ inspector_rule_ipmi_credentials:
   description: "Set IPMI driver_info if no credentials"
   conditions:
     - args:
-        value: "{node.driver_info.ipmi_username}"
-        regex: '\\{node\\.driver_info\\.ipmi_username\\}'
+        # If value matches itself as a regex, this is becaused interpolation
+        # failed which means the ipmi_username key was not set.
+        value: "{node.driver_info[ipmi_username]}"
+        regex: "{node\\.driver_info\\[ipmi_username\\]}"
       op: "matches"
     - args:
-        value: "{node.driver_info.ipmi_password}"
-        regex: '\\{node\\.driver_info\\.ipmi_password\\}'
+        value: "{node.driver_info[ipmi_password]}"
+        regex: "{node\\.driver_info\\[ipmi_password\\]}"
       op: "matches"
   sensitive: "true"
   actions:
     - op: "set-attribute"
       args:
-        path: "driver_info/ipmi_username"
+        path: "/driver_info/ipmi_username"
         value: "{{ inspector_rule_var_ipmi_username }}"
     - op: "set-attribute"
       args:
-        path: "driver_info/ipmi_password"
+        path: "/driver_info/ipmi_password"
         value: "{{ inspector_rule_var_ipmi_password }}"
 
 # Deployment kernel referenced by inspector rule.
@@ -145,13 +147,13 @@ inspector_rule_deploy_kernel:
   description: "Set deploy kernel"
   conditions:
     - args:
-        value: "{node.driver_info.deploy_kernel}"
-        regex: '\\{node\\.driver_info\\.deploy_kernel\\}'
+        value: "{node.driver_info[deploy_kernel]}"
+        regex: "{node\\.driver_info\\[deploy_kernel\\]}"
       op: "matches"
   actions:
     - op: "set-attribute"
       args:
-        path: "driver_info/deploy_kernel"
+        path: "/driver_info/deploy_kernel"
         value: "{{ inspector_rule_var_deploy_kernel }}"
 
 # Deployment ramdisk referenced by inspector rule.
@@ -162,13 +164,13 @@ inspector_rule_deploy_ramdisk:
   description: "Set deploy ramdisk"
   conditions:
     - args:
-        value: "{node.driver_info.deploy_ramdisk}"
-        regex: '\\{node\\.driver_info\\.deploy_ramdisk\\}'
+        value: "{node.driver_info[deploy_ramdisk]}"
+        regex: "{node\\.driver_info\\[deploy_ramdisk\\]}"
       op: "matches"
   actions:
     - op: "set-attribute"
       args:
-        path: "driver_info/deploy_ramdisk"
+        path: "/driver_info/deploy_ramdisk"
         value: "{{ inspector_rule_var_deploy_ramdisk }}"
 
 # Ironic inspector rule to set serial root device hint.
@@ -177,27 +179,29 @@ inspector_rule_root_hint_serial:
   conditions:
     - args:
         value: "{node.properties[root_device]}"
-        regex: "\\{node\\.properties\\[root_device\\]\\}"
+        regex: "{node\\.properties\\[root_device\\]}"
       op: "matches"
+    - args:
+        value: "{plugin_data[root_disk][serial]}"
+      op: "!is-empty"
   actions:
     - op: "set-attribute"
       args:
-        path: "properties/root_device/name"
-        value: "{plugin_data[root_disk][by_path]}"
-
+        path: "/properties/root_device/serial"
+        value: "{plugin_data[root_disk][serial]}"
 
 # Ironic inspector rule to set the interface on which the node PXE booted.
 inspector_rule_set_pxe_interface_mac:
   description: "Set node PXE interface MAC address"
   conditions:
     - args:
         value: "{plugin_data[boot_interface]}"
-        regex: "'\\{plugin_data\\[boot_interface\\]\\}'"
+        regex: "{plugin_data\\[boot_interface\\]}"
       op: "!matches"
   actions:
     - op: "set-attribute"
       args:
-        path: "extra/pxe_interface_mac"
+        path: "/extra/pxe_interface_mac"
         value: "{plugin_data[boot_interface]}"
 
 # Name of network interface to use for LLDP referenced by switch port
@@ -255,7 +259,7 @@ inspector_rule_lldp_switch_port_desc_to_name:
   actions:
     - op: "set-attribute"
       args:
-        path: "name"
+        path: "/name"
         value: "{{ _inspector_rule_switch_port_description_path }}"
 
 # Ironic inspector rule to save system vendor manufacturer data in the node's
@@ -264,17 +268,17 @@ inspector_rule_save_system_vendor_manufacturer:
   description: "Save system vendor manufacturer data in Ironic node metadata"
   conditions:
     - args:
-        value: "{inventory.system_vendor}"
-        regex: "\\{inventory\\.system_vendor\\}"
+        value: "{inventory[system_vendor]}"
+        regex: "{inventory\\[system_vendor\\]}"
       op: "!matches"
     - args:
-        value: "{inventory.system_vendor.manufacturer}"
-        regex: "\\{inventory\\.system_vendor\\.manufacturer\\}"
+        value: "{inventory[system_vendor][manufacturer]}"
+        regex: "{inventory\\[system_vendor\\]\\[manufacturer\\]}"
       op: "!matches"
   actions:
     - op: "set-attribute"
       args:
-        path: "extra/system_vendor/manufacturer"
+        path: "/extra/system_vendor/manufacturer"
         value: "{inventory[system_vendor][manufacturer]}"
 
 # Ironic inspector rule to save system vendor serial number in the node's
@@ -283,17 +287,17 @@ inspector_rule_save_system_vendor_serial_number:
   description: "Save system vendor serial number in Ironic node metadata"
   conditions:
     - args:
-        value: "{inventory.system_vendor}"
-        regex: "\\{inventory\\.system_vendor\\}"
+        value: "{inventory[system_vendor]}"
+        regex: "{inventory\\[system_vendor\\]}"
       op: "!matches"
     - args:
-        value: "{inventory.system_vendor.serial_number}"
-        regex: "\\{inventory\\.system_vendor\\.serial_number\\}"
+        value: "{inventory[system_vendor][serial_number]}"
+        regex: "{inventory\\[system_vendor\\]\\[serial_number\\]}"
       op: "!matches"
   actions:
     - op: "set-attribute"
       args:
-        path: "extra/system_vendor/serial_number"
+        path: "/extra/system_vendor/serial_number"
         value: "{inventory[system_vendor][serial_number]}"
 
 # Ironic inspector rule to save system vendor product name in the node's
@@ -302,17 +306,17 @@ inspector_rule_save_system_vendor_product_name:
   description: "Save system vendor product name in Ironic node metadata"
   conditions:
     - args:
-        value: "{inventory.system_vendor}"
-        regex: "\\{inventory\\.system_vendor\\}"
+        value: "{inventory[system_vendor]}"
+        regex: "{inventory\\[system_vendor\\]}"
       op: "!matches"
     - args:
-       value: "{inventory.system_vendor.product_name}"
-       regex: "\\{inventory\\.system_vendor\\.product_name\\}"
+       value: "{inventory[system_vendor][product_name]}"
+       regex: "{inventory\\[system_vendor\\]\\[product_name\\]}"
       op: "!matches"
   actions:
     - op: "set-attribute"
       args:
-        path: "extra/system_vendor/product_name"
+        path: "/extra/system_vendor/product_name"
         value: "{inventory[system_vendor][product_name]}"
 
 # Ironic inspector rule to save introspection data to the node.
@@ -322,11 +326,11 @@ inspector_rule_save_data:
   actions:
     - op: "set-attribute"
       args:
-        path: "extra/introspection_data/inventory"
+        path: "/extra/introspection_data/inventory"
         value: "{inventory}"
     - op: "set-attribute"
       args:
-        path: "extra/introspection_data/plugin_data"
+        path: "/extra/introspection_data/plugin_data"
         value: "{plugin_data}"
 
 # Redfish rules
@@ -335,50 +339,50 @@ inspector_rule_redfish_credentials:
   description: "Set Redfish driver_info if no credentials"
   conditions:
     - args:
-        value: "{node.driver_info.redfish_username}"
-        regex: "\\{node\\.driver_info\\.redfish_username\\}"
+        value: "{node.driver_info[redfish_username]}"
+        regex: "{node\\.driver_info\\[redfish_username\\]}"
       op: "matches"
     - args:
-        value: "{node.driver_info.redfish_password}"
-        regex: "\\{node\\.driver_info\\.redfish_password\\}"
+        value: "{node.driver_info[redfish_password]}"
+        regex: "{node\\.driver_info\\[redfish_password\\]}"
       op: "matches"
   sensitive: true
   actions:
     - op: "set-attribute"
       args:
-        path: "driver_info/redfish_username"
+        path: "/driver_info/redfish_username"
         value: "{{ inspector_rule_var_redfish_username }}"
     - op: "set-attribute"
       args:
-        path: "driver_info/redfish_password"
+        path: "/driver_info/redfish_password"
         value: "{{ inspector_rule_var_redfish_password }}"
 
 # Ironic inspector rule to set Redfish address.
 inspector_rule_redfish_address:
   description: "Set Redfish address"
   conditions:
     - args:
-        value: "{node.driver_info.redfish_address}"
-        regex: "\\{node\\.driver_info\\.redfish_address\\}"
+        value: "{node.driver_info[redfish_address]}"
+        regex: "{node\\.driver_info\\[redfish_address\\]}"
       op: "matches"
   actions:
     - op: "set-attribute"
       args:
-        path: "driver_info/redfish_address"
+        path: "/driver_info/redfish_address"
         value: "{inventory[bmc_address]}"
 
 # Ironic inspector rule to set Redfish certificate authority.
 inspector_rule_redfish_verify_ca:
   description: "Set Redfish Verify CA"
   conditions:
     - args:
-        value: "{node.driver_info.redfish_verify_ca}"
-        regex: "\\{node\\.driver_info\\.redfish_verify_ca\\}"
+        value: "{node.driver_info[redfish_verify_ca]}"
+        regex: "{node\\.driver_info\\[redfish_verify_ca\\]}"
       op: "matches"
   actions:
     - op: "set-attribute"
       args:
-        path: "driver_info/redfish_verify_ca"
+        path: "/driver_info/redfish_verify_ca"
         value: "{{ inspector_rule_var_redfish_verify_ca }}"
 
 # List of default ironic inspector rules.
@@ -421,4 +425,3 @@ inspector_rules: "{{ inspector_rules_default + inspector_rules_extra + (inspecto
 # Ansible group containing switch hosts to which the workaround should be
 # applied.
 inspector_dell_switch_lldp_workaround_group:
-
@@ -119,7 +119,7 @@
           become: True
       when: kayobe_virtualenv is not defined
 
-    - name: Ensure kolla-ansible virtualenv has docker SDK for python installed
+    - name: Ensure kayobe virtualenv has docker SDK for python installed
       pip:
         name: docker
         state: latest

@@ -69,7 +69,7 @@
         ping {{ remote_ip }} -c1 -M do {% if mtu %} -s {{ mtu | int - icmp_overhead_bytes }}{% endif %}
       with_items: "{{ network_interfaces }}"
       loop_control:
-        label: "{{ remote_host }} on {{ item }}"
+        label: "{{ remote_host | default('none', true) }} on {{ item }}"
       when:
         - remote_hosts | length > 0
         - remote_ip | length > 0
@@ -90,6 +90,6 @@
         # when check: remote_ip | length > 0, would pass, but remote_ip was ''
         # in the command.  Assumption was that this was being evaluated once
         # for the when clause and then again for the command. Bug?
-        remote_host: "{{ remote_hosts | random(seed=ansible_facts.date_time.iso8601) }}"
+        remote_host: "{{ remote_hosts | random(seed=ansible_facts.date_time.iso8601) if remote_hosts | length > 0 else '' }}"
         remote_ip: "{{ lookup('cached', 'vars', item ~ '_ips', default={})[remote_host] | default('', true) }}"
         mtu: "{{ item | net_mtu }}"
@@ -618,6 +618,47 @@ function overcloud_test_bounce_interface {
     run_kayobe overcloud host configure -t network
 }
 
+function overcloud_inspection_rule_dump {
+   echo "Listing inspection rules ..."
+   openstack baremetal inspection rule list
+   echo "Dumping inspection rules ..."
+   openstack baremetal inspection rule list -c UUID -f value | xargs -L 1 openstack baremetal inspection rule show
+}
+
+function overcloud_test_inspect {
+  set -eu
+  node=$1
+
+  environment_setup
+
+  source "${KOLLA_CONFIG_PATH:-/etc/kolla}/admin-openrc-system.sh"
+
+  overcloud_inspection_rule_dump
+
+  echo "Baremetal node: $node before inspection"
+  openstack baremetal node show "$node"
+
+  # NOTE(wszumski): Switch to using kayobe playbooks to manage and inspect
+  # when we switch to node registration
+
+  if [ "$(openstack baremetal node show -c provision_state -f value $node)"  != "manageable" ]; then
+      openstack baremetal node manage "$node" --wait
+  fi
+
+  # Run inspection
+  openstack baremetal node inspect "$node" --wait
+
+  echo "Baremetal node: $node after inspection"
+  openstack baremetal node show $node
+  openstack baremetal node inventory save $node
+
+  # Use Kayobe to save introspection data
+  run_kayobe baremetal compute introspection data save --limit "baremetal-compute,controllers[0]" --output-dir /tmp/baremetal-compute-inspection-data
+
+  # Move back to available
+  openstack baremetal node provide "$node" --wait
+}
+
 function overcloud_test {
     set -eu
 

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -eu
+set -o pipefail
+
+PARENT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "${PARENT}/functions"
+
+
+function main {
+    config_init
+    overcloud_test_inspect tk0
+}
+
+main
@@ -242,3 +242,21 @@ Stable Releases
 
 Stable branch releases should be made periodically for each supported stable
 branch, no less than once every 45 days.
+
+Transitioning to Unmaintained
+=============================
+
+When an OpenStack release transitions to `Unmaintained
+<https://docs.openstack.org/project-team-guide/stable-branches.html#maintenance-phases>`__,
+all references to ``stable/<openstack_release>`` need to be changed to
+``unmaintained/<openstack_release>``. This change needs to be made on the new
+unmaintained branch. For example, see
+https://review.opendev.org/c/openstack/kayobe/+/968298.
+
+Transitioning to End of Life (EOL)
+==================================
+
+When an OpenStack release transitions to `End of Life (EOL)
+<https://docs.openstack.org/project-team-guide/stable-branches.html#maintenance-phases>`__,
+upgrade jobs in later releases need to be removed. For example, see
+https://review.opendev.org/c/openstack/kayobe/+/968296.
@@ -48,6 +48,16 @@ Environment variable: ``ANSIBLE_VAULT_PASSWORD_FILE``
     password from a (plain text) file, with the path to that file being read
     from the environment.
 
+Whilst the kolla passwords file ``kolla/passwords.yml`` should remain encrypted
+at all times it can be useful to view the contents of this file to acquire a
+password for a given service.
+This can be done with ``ansible-vault view`` however if an absolute path is not
+provided it will cause the command to fail.
+Therefore, to make reading the contents of this file easier for administrators
+it is possible to use ``kayobe overcloud passwords view`` which will
+temporarily decrypt and display the contents of ``kolla/passwords.yml`` for the
+active kayobe environment.
+
 Limiting Hosts
 --------------