From 4f198c32cb7e23b07bb1d722383d81b8ffaf4241 Mon Sep 17 00:00:00 2001
From: Emilien Macchi <emilien@redhat.com>
Date: Wed, 3 Jun 2020 16:12:52 -0400
Subject: [PATCH] Remove some deprecated services

- Docker isn't supported anymore.
- Clients are now installed by Ansible, not Puppet
- Neutron SRIOV host isn't supported and operators should deploy with
  sriov_pf network object in nic configs.
- firewall is now managed by Ansible, not Puppet

Change-Id: I2b6068a719563a53bc255dcce72a92465e7df468
---
 ci/environments/scenario000-standalone.yaml   |   1 -
 .../openstack-clients-baremetal-puppet.yaml   |  55 ----
 .../docker/docker-baremetal-ansible.yaml      | 267 ------------------
 .../docker-registry-baremetal-ansible.yaml    |  74 -----
 .../neutron/neutron-sriov-host-config.yaml    |  92 ------
 .../tripleo-firewall-baremetal-puppet.yaml    | 179 ------------
 environments/docker-uc-light.yaml             |  32 ---
 environments/docker.yaml                      |   9 -
 .../services-baremetal/neutron-sriov.yaml     |   1 -
 environments/services/neutron-ovn-sriov.yaml  |   1 -
 environments/services/neutron-sriov.yaml      |   1 -
 .../undercloud/undercloud-minion.yaml         |   1 -
 overcloud-resource-registry-puppet.j2.yaml    |   1 -
 roles/ComputeHCISriov.yaml                    |   1 -
 roles/ComputeOvsDpdkSriov.yaml                |   1 -
 roles/ComputeOvsDpdkSriovRT.yaml              |   1 -
 roles/ComputeSriov.yaml                       |   1 -
 roles/ComputeSriovIB.yaml                     |   1 -
 roles/ComputeSriovRT.yaml                     |   1 -
 sample-env-generator/undercloud-minion.yaml   |   1 -
 20 files changed, 721 deletions(-)
 delete mode 100644 deployment/deprecated/clients/openstack-clients-baremetal-puppet.yaml
 delete mode 100644 deployment/deprecated/docker/docker-baremetal-ansible.yaml
 delete mode 100644 deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml
 delete mode 100644 deployment/deprecated/neutron/neutron-sriov-host-config.yaml
 delete mode 100644 deployment/deprecated/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
 delete mode 100644 environments/docker-uc-light.yaml
 delete mode 100644 environments/docker.yaml

diff --git a/ci/environments/scenario000-standalone.yaml b/ci/environments/scenario000-standalone.yaml
index 3fd1295eae..1e95d4f8a7 100644
--- a/ci/environments/scenario000-standalone.yaml
+++ b/ci/environments/scenario000-standalone.yaml
@@ -131,7 +131,6 @@ resource_registry:
   OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
   OS::TripleO::Services::NeutronSfcApi: OS::Heat::None
   OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
-  OS::TripleO::Services::NeutronSriovHostConfig: OS::Heat::None
   OS::TripleO::Services::NeutronVppAgent: OS::Heat::None
   OS::TripleO::Services::NovaAZConfig: OS::Heat::None
   OS::TripleO::Services::NovaApi: OS::Heat::None
diff --git a/deployment/deprecated/clients/openstack-clients-baremetal-puppet.yaml b/deployment/deprecated/clients/openstack-clients-baremetal-puppet.yaml
deleted file mode 100644
index fada9aa42f..0000000000
--- a/deployment/deprecated/clients/openstack-clients-baremetal-puppet.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-heat_template_version: rocky
-description: >
-  Install the OpenStack clients with puppet
-
-parameters:
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-
-outputs:
-  role_data:
-    description: Role data for the OpenStack clients
-    value:
-      service_name: openstack_clients
-      step_config: |
-          include ::aodh::client
-          include ::barbican::client
-          include ::cinder::client
-          include ::designate::client
-          include ::glance::client
-          include ::gnocchi::client
-          include ::heat::client
-          include ::ironic::client
-          include ::keystone::client
-          include ::manila::client
-          include ::mistral::client
-          include ::neutron::client
-          include ::nova::client
-          include ::openstacklib::openstackclient
-          include ::sahara::client
-          include ::swift::client
-          include ::zaqar::client
diff --git a/deployment/deprecated/docker/docker-baremetal-ansible.yaml b/deployment/deprecated/docker/docker-baremetal-ansible.yaml
deleted file mode 100644
index 5f3e82d026..0000000000
--- a/deployment/deprecated/docker/docker-baremetal-ansible.yaml
+++ /dev/null
@@ -1,267 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  Configures docker on the host
-
-parameters:
-  DockerInsecureRegistryAddress:
-    description: Optional. The IP Address and Port of an insecure docker
-                 namespace that will be configured in /etc/sysconfig/docker.
-                 The value can be multiple addresses separated by commas.
-    type: comma_delimited_list
-    default: []
-  DockerRegistryMirror:
-    description: Optional. Mirror to use for registry docker.io
-    default: ''
-    type: string
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  Debug:
-    type: boolean
-    default: false
-    description: Set to True to enable debugging on all services.
-  DockerDebug:
-    default: ''
-    description: Set to True to enable debugging Docker services.
-    type: string
-    constraints:
-      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
-  DockerOptions:
-    default: '--log-driver=journald --signature-verification=false --iptables=false --live-restore'
-    description: Options that are used to startup the docker service.
-    type: string
-  DockerAdditionalSockets:
-    default: ['/var/lib/openstack/docker.sock']
-    description: Additional domain sockets for the docker daemon to bind to (useful for mounting
-                 into containers that launch other containers)
-    type: comma_delimited_list
-  DockerNetworkOptions:
-    default: '--bip=172.31.0.1/24'
-    description: More startup options, like CIDR for the default docker0 bridge (useful for the
-                 network configuration conflicts resolution)
-    type: string
-  DeploymentUser:
-    default: ''
-    description: User added to the docker group in order to use container commands.
-    type: string
-  DockerSkipUpdateReconfiguration:
-    default: false
-    type: boolean
-    description: Flag to disable docker reconfiguration during stack update.
-    tags:
-      - role_specific
-  ContainerImageRegistryLogin:
-    type: boolean
-    default: false
-    description: Flag to enable container registry login actions during the deployment.
-                 Setting this to true will cause login calls to be performed during the
-                 deployment.
-  ContainerImageRegistryCredentials:
-    type: json
-    hidden: true
-    default: {}
-    description: |
-      Mapping of image registry hosts to login credentials. Must be in the following example format
-
-        docker.io:
-          username: pa55word
-        '192.0.2.1:8787':
-          registry_username: password
-  SELinuxMode:
-    default: 'enforcing'
-    description: Configures SELinux mode
-    type: string
-    constraints:
-      - allowed_values: [ 'enforcing', 'permissive', 'disabled' ]
-parameter_groups:
-- label: deprecated
-  description: |
-   The following parameters are deprecated and will be removed. They should not
-   be relied on for new deployments. If you have concerns regarding deprecated
-   parameters, please contact the TripleO development team on IRC or the
-   OpenStack mailing list.
-  parameters:
-  - DockerAdditionalSockets
-
-resources:
-  # Merging role-specific parameters (RoleParameters) with the default parameters.
-  # RoleParameters will have the precedence over the default parameters.
-  RoleParametersValue:
-    type: OS::Heat::Value
-    properties:
-      type: json
-      value:
-        map_replace:
-          - map_replace:
-            - DockerSkipUpdateReconfiguration: DockerSkipUpdateReconfiguration
-            - values: {get_param: [RoleParameters]}
-          - values:
-              DockerSkipUpdateReconfiguration: {get_param: DockerSkipUpdateReconfiguration}
-
-conditions:
-  insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
-  service_debug_unset: {equals : [{get_param: DockerDebug}, '']}
-  selinux_enforcing: {equals : [{get_param: SELinuxMode}, 'enforcing']}
-
-outputs:
-  role_data:
-    description: Role data for the docker service
-    value:
-      service_name: docker
-      config_settings: {}
-      step_config: ''
-      host_prep_tasks:
-        - name: Install, Configure and Run Docker
-          block:
-          # NOTE(bogdando): w/a https://github.com/ansible/ansible/issues/42621
-          - set_fact: &docker_vars
-              container_registry_debug:
-                if:
-                  - service_debug_unset
-                  - {get_param: Debug }
-                  - {get_param: DockerDebug}
-              container_registry_deployment_user: {get_param: DeploymentUser}
-              container_registry_docker_options: {get_param: DockerOptions}
-              container_registry_additional_sockets: {get_param: DockerAdditionalSockets}
-              container_registry_insecure_registries:
-                if:
-                  - insecure_registry_is_empty
-                  - []
-                  - {get_param: DockerInsecureRegistryAddress}
-              container_registry_mirror: {get_param: DockerRegistryMirror}
-              container_registry_network_options: {get_param: DockerNetworkOptions}
-              container_registry_skip_reconfiguration: {get_attr: [RoleParametersValue, value, DockerSkipUpdateReconfiguration]}
-              container_registry_selinux:
-                if:
-                  - selinux_enforcing
-                  - true
-                  - false
-              container_registry_login: {get_param: ContainerImageRegistryLogin}
-              # default that is overwritten by the heat -> dict conversion
-              container_registry_logins: {}
-              container_registry_logins_json: {get_param: ContainerImageRegistryCredentials}
-          - name: Convert logins json to dict
-            set_fact:
-              container_registry_logins: "{{ container_registry_logins_json | from_json }}"
-            when:
-              - container_registry_logins_json is string
-              - container_registry_login | bool
-              - (container_registry_logins_json | length) > 0
-          - name: Set registry logins
-            set_fact:
-              container_registry_logins: "{{ container_registry_logins_json }}"
-            when:
-              - container_registry_logins_json is mapping
-              - container_registry_login | bool
-              - (container_registry_logins_json | length) > 0
-          - include_role:
-              name: container-registry
-              tasks_from: docker
-          - include_role:
-              name: container-registry
-              tasks_from: docker-login
-            when: container_registry_login|bool
-      deploy_steps_tasks:
-        - when:
-            - (step|int) == 1
-          block:
-            - name: Pre-fetch all the containers
-              become: true
-              shell: "docker pull {{ prefetch_image }}"
-              retries: 5
-              delay: 5
-              loop_control:
-                loop_var: prefetch_image
-              loop: "{{ lookup('file', tripleo_role_name + '/docker_config.yaml', errors='ignore') | default('{}', True) | from_yaml | recursive_get_key_from_dict(key='image') | unique }}"
-      service_config_settings:
-        neutron_l3:
-          docker_additional_sockets: {get_param: DockerAdditionalSockets}
-        neutron_dhcp:
-          docker_additional_sockets: {get_param: DockerAdditionalSockets}
-        ovn_metadata:
-          docker_additional_sockets: {get_param: DockerAdditionalSockets}
-      upgrade_tasks:
-        - block:
-            - name: Install docker packages on upgrade if missing
-              package: name=docker state=latest
-            - set_fact: *docker_vars
-            - name: Reconfigure Docker if needed
-              include_role:
-                name: container-registry
-                tasks_from: docker
-          when: step|int == 3
-      post_upgrade_tasks:
-        - name: Clean docker
-          when:
-            - step|int == 3
-            - container_cli == 'docker'
-          block:
-            - name: Check if docker has some data
-              stat:
-                path: /var/lib/docker
-              register: docker_path_stat
-            - name: Purge Docker
-              when: docker_path_stat.stat.exists
-              block:
-                - name: Ensure docker service is running
-                  systemd:
-                    name: docker
-                  register: docker_service_state
-                - name: Run docker system prune
-                  shell: docker system prune -a -f
-                  when: docker_service_state.status['SubState'] == 'running'
-      update_tasks:
-        - name: Restart Docker when needed
-          when: step|int == 2
-          block:
-          - set_fact: *docker_vars
-          - include_role:
-              name: container-registry
-              tasks_from: docker-update
-      post_update_tasks:
-        - name: Clean docker
-          when:
-            - step|int == 3
-            - container_cli == 'docker'
-          block:
-            - name: Check if docker has some data
-              stat:
-                path: /var/lib/docker
-              register: docker_path_stat
-            - name: Purge Docker
-              when: docker_path_stat.stat.exists
-              block:
-                - name: Ensure docker service is running
-                  systemd:
-                    name: docker
-                  register: docker_service_state
-                - name: Run docker image prune
-                  shell: docker image prune -f
-                  when: docker_service_state.status['SubState'] == 'running'
-                - name: Run docker volume prune
-                  shell: docker volume prune -f
-                  when: docker_service_state.status['SubState'] == 'running'
diff --git a/deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml b/deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml
deleted file mode 100644
index 2f98ad7f55..0000000000
--- a/deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  Configures docker-registry on a host.
-
-parameters:
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  LocalContainerRegistry:
-    default: ''
-    description: The IP address used to bind the local container registry
-    type: string
-
-conditions:
-  local_container_registry_is_empty: {equals : [{get_param: LocalContainerRegistry}, '']}
-
-outputs:
-  role_data:
-    description: Role data for the docker registry service
-    value:
-      service_name: docker_registry
-      firewall_rules:
-        '155 docker-registry':
-          dport:
-            - 8787
-            - 13787
-      host_prep_tasks:
-        - name: Install, Configure and Run Docker Distribution
-          block:
-          # NOTE(bogdando): w/a https://github.com/ansible/ansible/issues/42621
-          - set_fact: &docker_vars
-              container_registry_host:
-                if:
-                - local_container_registry_is_empty
-                - {get_param: [EndpointMap, DockerRegistryInternal, host]}
-                - {get_param: LocalContainerRegistry}
-              container_registry_port: {get_param: [EndpointMap, DockerRegistryInternal, port]}
-          - include_role:
-              name: container-registry
-              tasks_from: docker-distribution
-      upgrade_tasks:
-        - block:
-            - name: Install docker packages on upgrade if missing
-              package: name=docker-distribution state=latest
-            - set_fact: *docker_vars
-            - name: Reconfigure Docker if needed
-              include_role:
-                name: container-registry
-                tasks_from: docker
-          when: step|int == 3
diff --git a/deployment/deprecated/neutron/neutron-sriov-host-config.yaml b/deployment/deprecated/neutron/neutron-sriov-host-config.yaml
deleted file mode 100644
index 9a50529207..0000000000
--- a/deployment/deprecated/neutron/neutron-sriov-host-config.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  OpenStack Neutron SR-IOV host configuration
-
-parameters:
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: >
-      Mapping of service_name -> network name. Typically set via
-      parameter_defaults in the resource registry. This mapping overrides those
-      in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  NeutronSriovNumVFs:
-    description: |
-      Provide the list of VFs to be reserved for each SR-IOV interface.
-      Format ["<interface_name1>:<numvfs1>:<mode>","<interface_name2>:<numvfs2>"]
-      Example ["eth1:4096:switchdev","eth2:128:legacy","eth3:30"]
-    type: comma_delimited_list
-    default: ""
-    tags:
-      - role_specific
-
-parameter_groups:
-- label: deprecated
-  description: |
-   The following parameters are deprecated and will be removed. They should not
-   be relied on for new deployments. If you have concerns regarding deprecated
-   parameters, please contact the TripleO development team on IRC or the
-   OpenStack mailing list.
-  parameters:
-  - NeutronSriovNumVFs
-
-resources:
-
-  NeutronBase:
-    type: ../../neutron/neutron-base.yaml
-    properties:
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
-  # Merging role-specific parameters (RoleParameters) with the default parameters.
-  # RoleParameters will have the precedence over the default parameters.
-  RoleParametersValue:
-    type: OS::Heat::Value
-    properties:
-      type: json
-      value:
-        map_replace:
-          - map_replace:
-            - tripleo::host::sriov::number_of_vfs: NeutronSriovNumVFs
-            - values: {get_param: [RoleParameters]}
-          - values:
-              NeutronSriovNumVFs: {get_param: NeutronSriovNumVFs}
-
-outputs:
-  role_data:
-    description: Role data for the Neutron SR-IOV nic agent service.
-    value:
-      service_name: neutron_sriov_host_config
-      config_settings:
-        map_merge:
-          - get_attr: [NeutronBase, role_data, config_settings]
-          - get_attr: [RoleParametersValue, value]
-      step_config: |
-        include tripleo::host::sriov
-      metadata_settings:
-        get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/deployment/deprecated/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml b/deployment/deprecated/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
deleted file mode 100644
index 00c7af9941..0000000000
--- a/deployment/deprecated/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ /dev/null
@@ -1,179 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  TripleO Firewall settings
-
-parameters:
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  ManageFirewall:
-    default: true
-    description: Whether to manage IPtables rules.
-    type: boolean
-  PurgeFirewallRules:
-    default: false
-    description: Whether IPtables rules should be purged before setting up the new ones.
-    type: boolean
-
-conditions:
-  no_ctlplane:
-    equals:
-      - get_params: [ServiceData, net_cidr_map, ctlplane]
-      - Null
-
-outputs:
-  role_data:
-    description: Role data for the TripleO firewall settings
-    value:
-      service_name: tripleo_firewall
-      firewall_rules:
-        map_merge:
-          repeat:
-            for_each:
-              <%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
-            template:
-              '003 accept ssh from ctlplane subnet <%net_cidr%>':
-                source: <%net_cidr%>
-                proto: 'tcp'
-                dport: 22
-      config_settings:
-        tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
-        tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
-      step_config: |
-        include tripleo::firewall
-
-      host_prep_tasks:
-        if:
-        - no_ctlplane
-        -
-          name: Ensure ctlplane subnet is set
-          fail:
-            msg: |
-              No CIDRs found in the ctlplane network tags.
-              Please refer to the documentation in order to
-              set the correct network tags in DeployedServerPortMap.
-        - null
-
-      deploy_steps_tasks:
-        - when: step|int == 0
-          block:
-            - name: create iptables service
-              copy:
-                dest: /etc/systemd/system/tripleo-iptables.service
-                content: |
-                  [Unit]
-                  Description=Initialize iptables
-                  Before=iptables.service
-                  AssertPathExists=/etc/sysconfig/iptables
-
-                  [Service]
-                  Type=oneshot
-                  ExecStart=/usr/sbin/iptables -t raw -nL
-                  Environment=BOOTUP=serial
-                  Environment=CONSOLETYPE=serial
-                  StandardOutput=syslog
-                  StandardError=syslog
-                  [Install]
-                  WantedBy=basic.target
-            - name: create ip6tables service
-              copy:
-                dest: /etc/systemd/system/tripleo-ip6tables.service
-                content: |
-                  [Unit]
-                  Description=Initialize ip6tables
-                  Before=ip6tables.service
-                  AssertPathExists=/etc/sysconfig/ip6tables
-
-                  [Service]
-                  Type=oneshot
-                  ExecStart=/usr/sbin/ip6tables -t raw -nL
-                  Environment=BOOTUP=serial
-                  Environment=CONSOLETYPE=serial
-                  StandardOutput=syslog
-                  StandardError=syslog
-                  [Install]
-                  WantedBy=basic.target
-            - name: enable tripleo-iptables service (and do a daemon-reload systemd)
-              systemd:
-                daemon_reload: yes
-                enabled: yes
-                name: tripleo-iptables.service
-            - name: enable tripleo-ip6tables service
-              systemd:
-                enabled: yes
-                name: tripleo-ip6tables.service
-      upgrade_tasks:
-        - when: step|int == 3
-          block:
-            - name: blank ipv6 rule before activating ipv6 firewall.
-              shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
-              args:
-                creates: /etc/sysconfig/ip6tables.n-o-upgrade
-            - name: cleanup unmanaged rules pushed by iptables-services
-              shell: |
-                iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
-                  iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-                iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
-                  iptables -D INPUT -p icmp -j ACCEPT
-                iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
-                  iptables -D INPUT -i lo -j ACCEPT
-                iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
-                  iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-                iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
-                  iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
-                iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
-                  iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
-
-                sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
-                sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
-                sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
-                sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
-                sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
-                sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
-
-                ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-                ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
-                ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -i lo -j ACCEPT
-                ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-                ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-                ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
-                  ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
-                ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
-                  ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
-
-                sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
diff --git a/environments/docker-uc-light.yaml b/environments/docker-uc-light.yaml
deleted file mode 100644
index 52efd80879..0000000000
--- a/environments/docker-uc-light.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# A lightweight UC for pre-provisioned deployed servers
-resource_registry:
-  OS::TripleO::Services::Docker: ../deployment/deprecated/docker/docker-baremetal-ansible.yaml
-  # Default Neutron ML2 puppet plugin to use when NeutronCorePlugin is set to ML2
-  # FIXME(bogdando): can not be switched yet due to puppet-base issues
-  # see https://review.opendev.org/#/c/563443
-  OS::TripleO::Docker::NeutronMl2PluginBase: ../deployment/neutron/neutron-plugin-ml2.yaml
-
-  OS::TripleO::Services::ContainersLogrotateCrond: ../deployment/logrotate/logrotate-crond-container-puppet.yaml
-  OS::TripleO::Services::HeatApi: ../deployment/heat/heat-api-container-puppet.yaml
-  OS::TripleO::Services::HeatApiCfn: ../deployment/heat/heat-api-cfn-container-puppet.yaml
-  OS::TripleO::Services::HeatEngine: ../deployment/heat/heat-engine-container-puppet.yaml
-  OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container.yaml
-  OS::TripleO::Services::Memcached: ../deployment/memcached/memcached-container-puppet.yaml
-  OS::TripleO::Services::MistralApi: ../deployment/mistral/mistral-api-container-puppet.yaml
-  OS::TripleO::Services::MistralEngine: ../deployment/mistral/mistral-engine-container-puppet.yaml
-  OS::TripleO::Services::MistralExecutor: ../deployment/mistral/mistral-executor-container-puppet.yaml
-  OS::TripleO::Services::MySQL: ../deployment/database/mysql-container-puppet.yaml
-  OS::TripleO::Services::NeutronApi: ../deployment/neutron/neutron-api-container-puppet.yaml
-  OS::TripleO::Services::NeutronCorePlugin: ../deployment/neutron/neutron-plugin-ml2-container-puppet.yaml
-  OS::TripleO::Services::NeutronDhcpAgent: ../deployment/neutron/neutron-dhcp-container-puppet.yaml
-  OS::TripleO::Services::OsloMessagingRpc: ../deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
-  OS::TripleO::Services::OsloMessagingNotify: ../deployment/rabbitmq/rabbitmq-messaging-notify-shared-puppet.yaml
-  OS::TripleO::Services::SwiftProxy: ../deployment/swift/swift-proxy-container-puppet.yaml
-  OS::TripleO::Services::SwiftRingBuilder: ../deployment/swift/swift-ringbuilder-container-puppet.yaml
-  OS::TripleO::Services::SwiftStorage: ../deployment/swift/swift-storage-container-puppet.yaml
-  OS::TripleO::Services::Zaqar: ../deployment/zaqar/zaqar-container-puppet.yaml
-
-parameter_defaults:
-  ZaqarMessageStore: 'swift'
-  ZaqarManagementStore: 'sqlalchemy'
-  MistralDockerGroup: true
diff --git a/environments/docker.yaml b/environments/docker.yaml
deleted file mode 100644
index 39f46982bf..0000000000
--- a/environments/docker.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# DEPRECATED: Containerized deployments with Docker are deprecated. This file
-# will be removed in Train release.
-
-# Environment that enables Docker.
-resource_registry:
-  OS::TripleO::Services::Docker: ../deployment/deprecated/docker/docker-baremetal-ansible.yaml
-
-parameter_defaults:
-  ContainerCli: docker
\ No newline at end of file
diff --git a/environments/services-baremetal/neutron-sriov.yaml b/environments/services-baremetal/neutron-sriov.yaml
index 3f7e36be7a..43f2e4361e 100644
--- a/environments/services-baremetal/neutron-sriov.yaml
+++ b/environments/services-baremetal/neutron-sriov.yaml
@@ -1,7 +1,6 @@
 # A Heat environment that can be used to enable SR-IOV support in neutron.
 resource_registry:
   OS::TripleO::Services::NeutronSriovAgent: ../../deployment/neutron/neutron-sriov-agent-container-puppet.yaml
-  OS::TripleO::Services::NeutronSriovHostConfig: ../../deployment/deprecated/neutron/neutron-sriov-host-config.yaml
 
 parameter_defaults:
   NeutronMechanismDrivers: ['sriovnicswitch','openvswitch']
diff --git a/environments/services/neutron-ovn-sriov.yaml b/environments/services/neutron-ovn-sriov.yaml
index 98222b668d..9b6b3e5b74 100644
--- a/environments/services/neutron-ovn-sriov.yaml
+++ b/environments/services/neutron-ovn-sriov.yaml
@@ -8,7 +8,6 @@
 
 resource_registry:
   OS::TripleO::Services::NeutronSriovAgent: ../../deployment/neutron/neutron-sriov-agent-container-puppet.yaml
-  OS::TripleO::Services::NeutronSriovHostConfig: ../../deployment/deprecated/neutron/neutron-sriov-host-config.yaml
 
 parameter_defaults:
   NeutronMechanismDrivers: ['sriovnicswitch','ovn']
diff --git a/environments/services/neutron-sriov.yaml b/environments/services/neutron-sriov.yaml
index 3f7e36be7a..43f2e4361e 100644
--- a/environments/services/neutron-sriov.yaml
+++ b/environments/services/neutron-sriov.yaml
@@ -1,7 +1,6 @@
 # A Heat environment that can be used to enable SR-IOV support in neutron.
 resource_registry:
   OS::TripleO::Services::NeutronSriovAgent: ../../deployment/neutron/neutron-sriov-agent-container-puppet.yaml
-  OS::TripleO::Services::NeutronSriovHostConfig: ../../deployment/deprecated/neutron/neutron-sriov-host-config.yaml
 
 parameter_defaults:
   NeutronMechanismDrivers: ['sriovnicswitch','openvswitch']
diff --git a/environments/undercloud/undercloud-minion.yaml b/environments/undercloud/undercloud-minion.yaml
index fa56e34814..165aef7fc7 100644
--- a/environments/undercloud/undercloud-minion.yaml
+++ b/environments/undercloud/undercloud-minion.yaml
@@ -160,7 +160,6 @@ resource_registry:
   OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
   OS::TripleO::Services::NeutronSfcApi: OS::Heat::None
   OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
-  OS::TripleO::Services::NeutronSriovHostConfig: OS::Heat::None
   OS::TripleO::Services::NeutronVppAgent: OS::Heat::None
   OS::TripleO::Services::NovaAZConfig: OS::Heat::None
   OS::TripleO::Services::NovaApi: OS::Heat::None
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index c41ebc48f6..a43e506b84 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -165,7 +165,6 @@ resource_registry:
   OS::TripleO::Services::Pacemaker: deployment/pacemaker/pacemaker-baremetal-puppet.yaml
   OS::TripleO::Services::PacemakerRemote: deployment/pacemaker/pacemaker-remote-baremetal-puppet.yaml
   OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
-  OS::TripleO::Services::NeutronSriovHostConfig: OS::Heat::None
   OS::TripleO::Services::NeutronMlnxAgent: OS::Heat::None
   OS::TripleO::Services::NeutronAgentsIBConfig: OS::Heat::None
   OS::TripleO::Services::OsloMessagingRpc: deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
diff --git a/roles/ComputeHCISriov.yaml b/roles/ComputeHCISriov.yaml
index a256911adf..164ed69658 100644
--- a/roles/ComputeHCISriov.yaml
+++ b/roles/ComputeHCISriov.yaml
@@ -41,7 +41,6 @@
     - OS::TripleO::Services::MySQLClient
     - OS::TripleO::Services::NeutronBgpVpnBagpipe
     - OS::TripleO::Services::NeutronSriovAgent
-    - OS::TripleO::Services::NeutronSriovHostConfig
     - OS::TripleO::Services::NeutronVppAgent
     - OS::TripleO::Services::NovaCompute
     - OS::TripleO::Services::NovaLibvirt
diff --git a/roles/ComputeOvsDpdkSriov.yaml b/roles/ComputeOvsDpdkSriov.yaml
index d15cdccd95..3bb9477882 100644
--- a/roles/ComputeOvsDpdkSriov.yaml
+++ b/roles/ComputeOvsDpdkSriov.yaml
@@ -39,7 +39,6 @@
     - OS::TripleO::Services::MySQLClient
     - OS::TripleO::Services::NeutronBgpVpnBagpipe
     - OS::TripleO::Services::NeutronSriovAgent
-    - OS::TripleO::Services::NeutronSriovHostConfig
     - OS::TripleO::Services::NovaAZConfig
     - OS::TripleO::Services::NovaCompute
     - OS::TripleO::Services::NovaLibvirt
diff --git a/roles/ComputeOvsDpdkSriovRT.yaml b/roles/ComputeOvsDpdkSriovRT.yaml
index 435f060689..83daf01392 100644
--- a/roles/ComputeOvsDpdkSriovRT.yaml
+++ b/roles/ComputeOvsDpdkSriovRT.yaml
@@ -41,7 +41,6 @@
     - OS::TripleO::Services::MySQLClient
     - OS::TripleO::Services::NeutronBgpVpnBagpipe
     - OS::TripleO::Services::NeutronSriovAgent
-    - OS::TripleO::Services::NeutronSriovHostConfig
     - OS::TripleO::Services::NovaAZConfig
     - OS::TripleO::Services::NovaCompute
     - OS::TripleO::Services::NovaLibvirt
diff --git a/roles/ComputeSriov.yaml b/roles/ComputeSriov.yaml
index 96ee949cd4..af2b86f317 100644
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@@ -39,7 +39,6 @@
     - OS::TripleO::Services::MySQLClient
     - OS::TripleO::Services::NeutronBgpVpnBagpipe
     - OS::TripleO::Services::NeutronSriovAgent
-    - OS::TripleO::Services::NeutronSriovHostConfig
     - OS::TripleO::Services::NeutronVppAgent
     - OS::TripleO::Services::NovaAZConfig
     - OS::TripleO::Services::NovaCompute
diff --git a/roles/ComputeSriovIB.yaml b/roles/ComputeSriovIB.yaml
index 3b6630d737..fcb9414464 100644
--- a/roles/ComputeSriovIB.yaml
+++ b/roles/ComputeSriovIB.yaml
@@ -39,7 +39,6 @@
     - OS::TripleO::Services::MySQLClient
     - OS::TripleO::Services::NeutronBgpVpnBagpipe
     - OS::TripleO::Services::NeutronSriovAgent
-    - OS::TripleO::Services::NeutronSriovHostConfig
     - OS::TripleO::Services::NeutronMlnxAgent
     - OS::TripleO::Services::NeutronVppAgent
     - OS::TripleO::Services::NovaCompute
diff --git a/roles/ComputeSriovRT.yaml b/roles/ComputeSriovRT.yaml
index 42d9d216ab..75bbf64eac 100644
--- a/roles/ComputeSriovRT.yaml
+++ b/roles/ComputeSriovRT.yaml
@@ -41,7 +41,6 @@
     - OS::TripleO::Services::MySQLClient
     - OS::TripleO::Services::NeutronBgpVpnBagpipe
     - OS::TripleO::Services::NeutronSriovAgent
-    - OS::TripleO::Services::NeutronSriovHostConfig
     - OS::TripleO::Services::NeutronVppAgent
     - OS::TripleO::Services::NovaAZConfig
     - OS::TripleO::Services::NovaCompute
diff --git a/sample-env-generator/undercloud-minion.yaml b/sample-env-generator/undercloud-minion.yaml
index beaed65dce..fee336d45f 100644
--- a/sample-env-generator/undercloud-minion.yaml
+++ b/sample-env-generator/undercloud-minion.yaml
@@ -180,7 +180,6 @@ environments:
       OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
       OS::TripleO::Services::NeutronSfcApi: OS::Heat::None
       OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
-      OS::TripleO::Services::NeutronSriovHostConfig: OS::Heat::None
       OS::TripleO::Services::NeutronVppAgent: OS::Heat::None
       OS::TripleO::Services::NovaApi: OS::Heat::None
       OS::TripleO::Services::NovaAZConfig: OS::Heat::None