diff --git a/Dockerfile b/Dockerfile index 8b7c4edd6..a250f6d2d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,16 +1,32 @@ +## Build iPXE w/ IPv6 Support +## Note: we are pinning to a specific commit for reproducible builds. +## Updated as needed. +FROM docker.io/centos:centos7 AS builder +RUN yum install -y gcc git make genisoimage xz-devel +WORKDIR /tmp +COPY . . +RUN git clone http://git.ipxe.org/ipxe.git && \ + cd ipxe && \ + git checkout 3fe683ebab29afacf224e6b0921f6329bebcdca7 && \ + cd src && \ + sed -i -e "s/#undef.*NET_PROTO_IPV6/#define NET_PROTO_IPV6/g" config/general.h && \ + make bin/undionly.kpxe bin-x86_64-efi/ipxe.efi bin-x86_64-efi/snponly.efi + FROM docker.io/centos:centos7 RUN yum install -y python-requests && \ curl https://raw.githubusercontent.com/openstack/tripleo-repos/master/tripleo_repos/main.py | python - -b stein current-tripleo && \ yum update -y && \ - yum install -y openstack-ironic-api openstack-ironic-conductor crudini \ - iproute iptables dnsmasq httpd qemu-img-ev iscsi-initiator-utils parted gdisk ipxe-bootimgs psmisc sysvinit-tools \ - mariadb-server python2-chardet genisoimage && \ + yum install -y python-gunicorn openstack-ironic-api openstack-ironic-conductor crudini \ + iproute dnsmasq httpd qemu-img-ev iscsi-initiator-utils parted gdisk psmisc \ + sysvinit-tools mariadb-server genisoimage python-ironic-prometheus-exporter && \ yum clean all && \ rm -rf /var/cache/{yum,dnf}/* -RUN mkdir /tftpboot && \ - cp /usr/share/ipxe/undionly.kpxe /usr/share/ipxe/ipxe.efi /tftpboot/ +RUN mkdir -p /tftpboot +COPY --from=builder /tmp/ipxe/src/bin/undionly.kpxe /tftpboot +COPY --from=builder /tmp/ipxe/src/bin-x86_64-efi/snponly.efi /tftpboot +COPY --from=builder /tmp/ipxe/src/bin-x86_64-efi/ipxe.efi /tftpboot COPY ./ironic.conf /tmp/ironic.conf RUN crudini --merge /etc/ironic/ironic.conf < /tmp/ironic.conf && \ 
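Review bot: The builder stage fetches the iPXE source with `git clone http://git.ipxe.org/ipxe.git`, so the code that becomes the network boot binaries in /tftpboot travels over an unauthenticated transport. The `git checkout` of a full commit id limits what a tampered clone can deliver, but the fetch should still use TLS, for example `git clone https://github.com/ipxe/ipxe.git && \` if the GitHub mirror is acceptable to the project. `COPY . .` in the same stage copies the whole build context into /tmp although nothing visible in this stage reads it; dropping it keeps local files out of the builder layer and avoids needless cache invalidation. The unchanged `curl … | python -` line in the final stage still runs a script from the `master` branch as root, which works against the reproducibility the new comment aims for.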
@@ -22,13 +38,15 @@ COPY ./rundnsmasq.sh /bin/rundnsmasq COPY ./runhttpd.sh /bin/runhttpd COPY ./runmariadb.sh /bin/runmariadb COPY ./configure-ironic.sh /bin/configure-ironic.sh +COPY ./ironic-common.sh /bin/ironic-common.sh # TODO(dtantsur): remove these 2 scripts if we decide to # stop supporting running all 2 processes via one entry point. COPY ./runhealthcheck.sh /bin/runhealthcheck COPY ./runironic.sh /bin/runironic -COPY ./dnsmasq.conf /etc/dnsmasq.conf +COPY ./dnsmasq.conf.ipv4 /etc/dnsmasq.conf.ipv4 +COPY ./dnsmasq.conf.ipv6 /etc/dnsmasq.conf.ipv6 COPY ./inspector.ipxe /tmp/inspector.ipxe COPY ./dualboot.ipxe /tmp/dualboot.ipxe diff --git a/Dockerfile.ocp b/Dockerfile.ocp index bbe79b28c..3ea58032b 100644 --- a/Dockerfile.ocp +++ b/Dockerfile.ocp @@ -2,7 +2,7 @@ FROM ubi8 RUN yum update -y && \ yum install -y python3-gunicorn openstack-ironic-api openstack-ironic-conductor crudini \ - iproute iptables dnsmasq httpd qemu-img parted gdisk ipxe-bootimgs psmisc procps-ng \ + iproute dnsmasq httpd qemu-img parted gdisk ipxe-bootimgs psmisc procps-ng \ mariadb-server ipxe-roms-qemu genisoimage python3-ironic-prometheus-exporter && \ yum clean all && \ rm -rf /var/cache/{yum,dnf}/* diff --git a/configure-ironic.sh b/configure-ironic.sh index 7b5bed76d..ad5d7c1eb 100755 --- a/configure-ironic.sh +++ b/configure-ironic.sh 
@@ -1,13 +1,7 @@ #!/usr/bin/bash -# Get environment settings and update ironic.conf -PROVISIONING_INTERFACE=${PROVISIONING_INTERFACE:-"provisioning"} -IRONIC_IP=$(ip -4 address show dev "$PROVISIONING_INTERFACE" | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -n 1) -until [ ! -z "${IRONIC_IP}" ]; do - echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured" - sleep 1 - IRONIC_IP=$(ip -4 address show dev "$PROVISIONING_INTERFACE" | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -n 1) -done +. /bin/ironic-common.sh + HTTP_PORT=${HTTP_PORT:-"80"} MARIADB_PASSWORD=${MARIADB_PASSWORD:-"change_me"} NUMPROC=$(cat /proc/cpuinfo | grep "^processor" | wc -l) @@ -16,6 +10,8 @@ NUMWORKERS=$(( NUMPROC < 12 ? NUMPROC : 12 )) # Whether to enable fast_track provisioning or not IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true} +wait_for_interface_or_ip + cp /etc/ironic/ironic.conf /etc/ironic/ironic.conf_orig crudini --merge /etc/ironic/ironic.conf </dev/null ; then - iptables -I INPUT -i "$PROVISIONING_INTERFACE" -p udp --dport "$port" -j ACCEPT - fi -done - -/usr/sbin/dnsmasq -d -q -C /etc/dnsmasq.conf 2>&1 | tee /shared/log/dnsmasq/dnsmasq.log & /bin/runhealthcheck "dnsmasq" &>/dev/null & -sleep infinity - +exec /usr/sbin/dnsmasq -d -q -C /etc/dnsmasq.conf diff --git a/runhealthcheck.sh b/runhealthcheck.sh index 38d2d5a18..735400f10 100755 --- a/runhealthcheck.sh +++ b/runhealthcheck.sh @@ -15,7 +15,7 @@ while true ; do elif [ $1 = "dnsmasq" ] ; then DNSMASQPID=$(pidof dnsmasq) - fuser 67/udp |& grep -w "$DNSMASQPID" + fuser 67/udp 547/udp |& grep -w "$DNSMASQPID" elif [ $1 = "ironic" ] ; then curl -s http://localhost:6385 > /dev/null || ( echo "Can't contact ironic-api" && exit 1 ) diff --git a/runhttpd.sh b/runhttpd.sh index 98fc32492..aa226c59b 100755 --- a/runhttpd.sh +++ b/runhttpd.sh 
@@ -1,13 +1,10 @@ #!/usr/bin/bash -PROVISIONING_INTERFACE=${PROVISIONING_INTERFACE:-"provisioning"} +. /bin/ironic-common.sh + HTTP_PORT=${HTTP_PORT:-"80"} -HTTP_IP=$(ip -4 address show dev "$PROVISIONING_INTERFACE" | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -n 1) -until [ ! -z "${HTTP_IP}" ]; do - echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured" - sleep 1 - HTTP_IP=$(ip -4 address show dev "$PROVISIONING_INTERFACE" | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -n 1) -done + +wait_for_interface_or_ip mkdir -p /shared/html chmod 0777 /shared/html 
@@ -17,31 +14,16 @@ cp /tmp/inspector.ipxe /shared/html/inspector.ipxe cp /tmp/dualboot.ipxe /shared/html/dualboot.ipxe # Use configured values -sed -i -e s/IRONIC_IP/${HTTP_IP}/g -e s/HTTP_PORT/${HTTP_PORT}/g /shared/html/inspector.ipxe +sed -i -e s/IRONIC_IP/${IRONIC_URL_HOST}/g -e s/HTTP_PORT/${HTTP_PORT}/g /shared/html/inspector.ipxe -sed -i 's/^Listen .*$/Listen '"$HTTP_PORT"'/' /etc/httpd/conf/httpd.conf +sed -i 's/^Listen .*$/Listen [::]:'"$HTTP_PORT"'/' /etc/httpd/conf/httpd.conf sed -i -e 's|\(^[[:space:]]*\)\(DocumentRoot\)\(.*\)|\1\2 "/shared/html"|' \ -e 's|||' \ -e 's|||' /etc/httpd/conf/httpd.conf -# Remove log files from last deployment -rm -rf /shared/log/httpd - -mkdir -p /shared/log/httpd - -# Make logs available in shared mount -touch /shared/log/httpd/access_log -ln -s /shared/log/httpd/access_log /var/log/httpd/access_log -touch /shared/log/httpd/error_log -ln -s /shared/log/httpd/error_log /var/log/httpd/error_log - -# Allow external access -if ! iptables -C INPUT -i "$PROVISIONING_INTERFACE" -p tcp --dport "$HTTP_PORT" -j ACCEPT 2>/dev/null ; then - iptables -I INPUT -i "$PROVISIONING_INTERFACE" -p tcp --dport "$HTTP_PORT" -j ACCEPT -fi - -/usr/sbin/httpd & +# Log to std out/err +sed -i -e 's%^ \+CustomLog.*% CustomLog /dev/stderr combined%g' /etc/httpd/conf/httpd.conf +sed -i -e 's%^ErrorLog.*%ErrorLog /dev/stderr%g' /etc/httpd/conf/httpd.conf /bin/runhealthcheck "httpd" "$HTTP_PORT" &>/dev/null & -sleep infinity - +exec /usr/sbin/httpd -DFOREGROUND diff --git a/runironic-api.sh b/runironic-api.sh index 790a4298e..c181a1c6b 100755 --- a/runironic-api.sh +++ b/runironic-api.sh 
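Review bot: With `Listen [::]:$HTTP_PORT` httpd accepts connections on every address, and this hunk also removes the iptables rule that admitted traffic only on `$PROVISIONING_INTERFACE` (the ironic scripts further down drop their rules too). Nothing in the script now ties the image server to the provisioning network. If the container uses host networking (not visible here), either add a comment that the firewall policy must be supplied outside the container, or bind the listener to the provisioning address, e.g. `Listen ${IRONIC_URL_HOST}:${HTTP_PORT}`, assuming `IRONIC_URL_HOST` from ironic-common.sh is already bracketed for IPv6. The substitution `sed -i -e s/IRONIC_IP/${IRONIC_URL_HOST}/g` is unquoted; writing it as `-e "s/IRONIC_IP/${IRONIC_URL_HOST}/g"` avoids word splitting and globbing on the bracketed value.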
@@ -2,10 +2,4 @@ . /bin/configure-ironic.sh -# Allow access to Ironic -if ! iptables -C INPUT -i "$PROVISIONING_INTERFACE" -p tcp -m tcp --dport 6385 -j ACCEPT > /dev/null 2>&1; then - iptables -I INPUT -i "$PROVISIONING_INTERFACE" -p tcp -m tcp --dport 6385 -j ACCEPT -fi - -exec /usr/bin/ironic-api --config-file /etc/ironic/ironic.conf \ - --log-file /shared/log/ironic/ironic-api.log +exec /usr/bin/ironic-api --config-file /etc/ironic/ironic.conf diff --git a/runironic-conductor.sh b/runironic-conductor.sh index 5401b927f..413caac46 100755 --- a/runironic-conductor.sh +++ b/runironic-conductor.sh @@ -2,14 +2,6 @@ . /bin/configure-ironic.sh -# Allow access to mDNS -if ! iptables -C INPUT -i $PROVISIONING_INTERFACE -p udp --dport 5353 -j ACCEPT > /dev/null 2>&1; then - iptables -I INPUT -i $PROVISIONING_INTERFACE -p udp --dport 5353 -j ACCEPT -fi -if ! iptables -C OUTPUT -p udp --dport 5353 -j ACCEPT > /dev/null 2>&1; then - iptables -I OUTPUT -p udp --dport 5353 -j ACCEPT -fi - # Ramdisk logs mkdir -p /shared/log/ironic/deploy @@ -20,5 +12,4 @@ until ironic-dbsync --config-file /etc/ironic/ironic.conf upgrade; do sleep 1 done -exec /usr/bin/ironic-conductor --config-file /etc/ironic/ironic.conf \ - --log-file /shared/log/ironic/ironic-conductor.log +exec /usr/bin/ironic-conductor --config-file /etc/ironic/ironic.conf diff --git a/runironic.sh b/runironic.sh index 3a05226ef..2be9ec556 100755 --- a/runironic.sh +++ b/runironic.sh 
@@ -2,19 +2,6 @@ . /bin/configure-ironic.sh -# Allow access to Ironic -if ! iptables -C INPUT -i "$PROVISIONING_INTERFACE" -p tcp -m tcp --dport 6385 -j ACCEPT > /dev/null 2>&1; then - iptables -I INPUT -i "$PROVISIONING_INTERFACE" -p tcp -m tcp --dport 6385 -j ACCEPT -fi - -# Allow access to mDNS -if ! iptables -C INPUT -i $PROVISIONING_INTERFACE -p udp --dport 5353 -j ACCEPT > /dev/null 2>&1; then - iptables -I INPUT -i $PROVISIONING_INTERFACE -p udp --dport 5353 -j ACCEPT -fi -if ! iptables -C OUTPUT -p udp --dport 5353 -j ACCEPT > /dev/null 2>&1; then - iptables -I OUTPUT -p udp --dport 5353 -j ACCEPT -fi - ironic-dbsync --config-file /etc/ironic/ironic.conf upgrade # Remove log files from last deployment @@ -22,8 +9,8 @@ rm -rf /shared/log/ironic mkdir -p /shared/log/ironic -/usr/bin/ironic-conductor --log-file /shared/log/ironic/ironic-conductor.log & -/usr/bin/ironic-api --log-file /shared/log/ironic/ironic-api.log & +/usr/bin/ironic-conductor & +/usr/bin/ironic-api & /bin/runhealthcheck "ironic" &>/dev/null & diff --git a/runmariadb.sh b/runmariadb.sh index 07a96b010..5bf22556f 100755 --- a/runmariadb.sh +++ b/runmariadb.sh 
@@ -4,23 +4,16 @@ DATADIR="/var/lib/mysql" MARIADB_PASSWORD=${MARIADB_PASSWORD:-"change_me"} MARIADB_CONF_FILE="/etc/my.cnf.d/mariadb-server.cnf" +ln -sf /proc/self/fd/1 /var/log/mariadb/mariadb.log + if [ ! -d "${DATADIR}/mysql" ]; then crudini --set "$MARIADB_CONF_FILE" mysqld max_connections 64 crudini --set "$MARIADB_CONF_FILE" mysqld max_heap_table_size 1M crudini --set "$MARIADB_CONF_FILE" mysqld innodb_buffer_pool_size 5M crudini --set "$MARIADB_CONF_FILE" mysqld innodb_log_buffer_size 512K - crudini --set "$MARIADB_CONF_FILE" mysqld general_log_file /shared/log/mariadb/mariadb.log mysql_install_db --datadir="$DATADIR" - mkdir -p /shared/log/mariadb - touch /shared/log/mariadb/mariadb.log - chmod 664 /shared/log/mariadb/mariadb.log - chown -R mysql /shared/log/mariadb - - sed -i 's/var\/log\/mariadb\/mariadb\.log/shared\/log\/mariadb\/mariadb\.log/g' \ - /etc/my.cnf.d/mariadb-server.cnf - chown -R mysql "$DATADIR" cat > /tmp/configure-mysql.sql <<-EOSQL @@ -32,8 +25,9 @@ CREATE DATABASE IF NOT EXISTS ironic ; FLUSH PRIVILEGES ; EOSQL - exec mysqld_safe --init-file /tmp/configure-mysql.sql + # mysqld_safe closes stdout/stderr if no bash options are set ($- == '') + # turn on tracing to prevent this + exec bash -x /usr/bin/mysqld_safe --init-file /tmp/configure-mysql.sql else - exec mysqld_safe + exec bash -x /usr/bin/mysqld_safe fi -
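Review bot: `exec bash -x /usr/bin/mysqld_safe` turns on xtrace for the whole wrapper, so every command mysqld_safe runs is written with its expanded arguments to the container log for the life of the service. The new comment explains why stdout stays open but not this side effect; I would extend it with `# NOTE: -x also traces mysqld_safe into the container log; never pass credentials on its command line`. The init file `/tmp/configure-mysql.sql` is written with the default umask and nothing removes it before the `exec`. It presumably carries the `MARIADB_PASSWORD` grant (the heredoc body is outside the hunk), so a `umask 077` before the `cat` would be worth adding. The `if` block is only partly inside the visible hunks.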