diff --git a/docker/bifrost/bifrost-base/Dockerfile.j2 b/docker/bifrost/bifrost-base/Dockerfile.j2
index 5aac6ef717..8106652c36 100644
--- a/docker/bifrost/bifrost-base/Dockerfile.j2
+++ b/docker/bifrost/bifrost-base/Dockerfile.j2
@@ -7,18 +7,34 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
 {% import "macros.j2" as macros with context %}
 
+{% set venv_path='/var/lib/kolla/venv' %}
+
 {{ macros.configure_user(name='bifrost') }}
 
 {# NOTE(mgoddard): EPEL required for nginx #}
 {{ macros.enable_extra_repos(['epel']) }}
 
 {% set bifrost_base_packages = [
-    'cpio',
+    'cpio'
 ] %}
 
+{% if base_package_type == 'rpm' %}
+    {% set bifrost_base_packages = bifrost_base_packages + [
+        'python3.12',
+        'python3.12-devel'
+    ] %}
+{% endif %}
+
 {{ macros.install_packages(bifrost_base_packages | customizable("packages")) }}
 
-ENV VENV /var/lib/kolla/venv
+{# Ensure we use Python 3.12 on RPM-based systems #}
+{% if base_package_type == 'rpm' %}
+RUN cd /usr/bin && \
+    rm -f python3 && \
+    ln -s python3.12 python3
+{% endif %}
+
+ENV VENV {{ venv_path }}
 
 {% set bifrost_base_pip_packages = [
     '/bifrost'
@@ -26,7 +42,16 @@ ENV VENV /var/lib/kolla/venv
 
 ADD bifrost-base-archive /bifrost-base-source
 COPY build_arg.yml /tmp/build_arg.yml
+
+RUN mkdir -p /requirements \
+    && curl -o /requirements/upper-constraints.txt ${UPPER_CONSTRAINTS_FILE:-https://releases.openstack.org/constraints/upper/{{ openstack_release }}} \
+    && python3 -m venv --system-site-packages {{ venv_path }} \
+    && KOLLA_DISTRO_PYTHON_VERSION=$(/usr/bin/python3 -c "import sys; print('{}.{}'.format(sys.version_info.major, sys.version_info.minor))") \
+    && cd {{ venv_path }}/lib \
+    && ln -s python${KOLLA_DISTRO_PYTHON_VERSION} {{ venv_path }}/lib/python3
+
 RUN ln -s bifrost-base-source/* bifrost \
+    && {{ macros.install_pip(['pip', 'wheel', 'setuptools']) }} \
     && {{ macros.install_pip(bifrost_base_pip_packages | customizable("pip_packages")) }}
 
 WORKDIR /bifrost
@@ -37,11 +62,10 @@ ENV ANSIBLE_GATHER_TIMEOUT=30
 {% block bifrost_ansible_install %}
 {%- if base_package_type == 'deb' %}
 RUN apt-get --error-on=any update && \
-    bash -c '$VENV/bin/pip install "ansible>=9,<10" && \
 {%- else %}
 RUN echo " " && \
-    bash -c '$VENV/bin/pip install "ansible>=8,<9" && \
 {%- endif %}
+    bash -c '$VENV/bin/pip install "ansible>=11,<12" && \
     $VENV/bin/ansible-galaxy collection install -r /bifrost/ansible-collections-requirements.yml && \
     $VENV/bin/ansible-playbook -vvvv -i /bifrost/playbooks/inventory/target \
     /bifrost/playbooks/install.yaml \
diff --git a/docker/ironic/ironic-pxe/Dockerfile.j2 b/docker/ironic/ironic-pxe/Dockerfile.j2
index f4a7734f9f..6a2131de6a 100644
--- a/docker/ironic/ironic-pxe/Dockerfile.j2
+++ b/docker/ironic/ironic-pxe/Dockerfile.j2
@@ -14,6 +14,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
         'grub2-efi-*64',
         'grub2-efi-aa64-modules',
         'ipxe-bootimgs',
+        'ipxe-bootimgs-aarch64',
         'mtools',
         'shim-*64',
         'tftp-server',
diff --git a/docker/ironic/ironic-pxe/extend_start.sh b/docker/ironic/ironic-pxe/extend_start.sh
index 54d6b1b21c..48504c6e62 100644
--- a/docker/ironic/ironic-pxe/extend_start.sh
+++ b/docker/ironic/ironic-pxe/extend_start.sh
@@ -43,7 +43,12 @@ function prepare_ipxe {
     # was ipxe.efi. Ensure that both exist, using symlinks where the files are
     # named differently to allow the original names to be used in ironic.conf.
     if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then
-        cp /usr/lib/ipxe/{undionly.kpxe,ipxe.efi,snponly.efi} ${TFTPBOOT_PATH}/
+        # NOTE(m-anson): ipxe-arm64.efi is not symlinked from /boot to
+        # /usr/lib/ipxe by the Ubuntu ipxe package, so fix that here.
+        if [[ -e /boot/ipxe-arm64.efi ]]; then
+            ln -s /boot/ipxe-arm64.efi /usr/lib/ipxe/
+        fi
+        cp /usr/lib/ipxe/{undionly.kpxe,ipxe*.efi,snponly.efi} ${TFTPBOOT_PATH}/
     elif [[ "${KOLLA_BASE_DISTRO}" =~ centos|rocky ]]; then
         cp /usr/share/ipxe/{undionly.kpxe,ipxe*.efi} ${TFTPBOOT_PATH}/
         if [[ ! -e ${TFTPBOOT_PATH}/ipxe.efi ]]; then
diff --git a/docker/neutron/neutron-l3-agent/Dockerfile.j2 b/docker/neutron/neutron-l3-agent/Dockerfile.j2
index 83a1598737..954057e50c 100644
--- a/docker/neutron/neutron-l3-agent/Dockerfile.j2
+++ b/docker/neutron/neutron-l3-agent/Dockerfile.j2
@@ -11,13 +11,14 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
    {% set neutron_l3_agent_packages = [
       'libreswan',
       'radvd',
-      'dibbler-client'
+      'dibbler-client',
    ] %}
 {% elif base_package_type == 'deb' %}
    {% set neutron_l3_agent_packages = [
       'strongswan',
       'radvd',
-      'dibbler-client'
+      'dibbler-client',
+      'libnetfilter-log1'
    ] %}
 {% endif %}
 
diff --git a/docker/nova/nova-libvirt/Dockerfile.j2 b/docker/nova/nova-libvirt/Dockerfile.j2
index 2cd88f0a79..f738fdc358 100644
--- a/docker/nova/nova-libvirt/Dockerfile.j2
+++ b/docker/nova/nova-libvirt/Dockerfile.j2
@@ -46,6 +46,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
         'libsasl2-modules-gssapi-mit',
         'libvirt-clients',
         'libvirt-daemon-system',
+        'mdevctl',
         'openvswitch-switch',
         'pm-utils',
         'python3-cephfs',
diff --git a/releasenotes/notes/aarch64-ipxe-51888a5972528d77.yaml b/releasenotes/notes/aarch64-ipxe-51888a5972528d77.yaml
new file mode 100644
index 0000000000..eb891b30c3
--- /dev/null
+++ b/releasenotes/notes/aarch64-ipxe-51888a5972528d77.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Adds aarch64 iPXE support to the ironic-pxe image, by adding
+    ``ipxe-bootimgs-aarch64`` RPM package to Rocky Linux ironic-pxe
+    images, and ensuring that an aarch64 iPXE binary is available
+    in Ubuntu ironic-pxe images. No support for aarch64 iPXE in
+    Debian images is included, as the distro packages do not
+    install an aarch64 binary.
diff --git a/releasenotes/notes/bifrost-ansible-11-d14b635f9f766675.yaml b/releasenotes/notes/bifrost-ansible-11-d14b635f9f766675.yaml
new file mode 100644
index 0000000000..c24477881a
--- /dev/null
+++ b/releasenotes/notes/bifrost-ansible-11-d14b635f9f766675.yaml
@@ -0,0 +1,4 @@
+---
+upgrade:
+  - |
+    Bifrost is now using Ansible 11.x.
diff --git a/releasenotes/notes/fix-fwaas-l3-log-aed85e0782dece8d.yaml b/releasenotes/notes/fix-fwaas-l3-log-aed85e0782dece8d.yaml
new file mode 100644
index 0000000000..2558b502f0
--- /dev/null
+++ b/releasenotes/notes/fix-fwaas-l3-log-aed85e0782dece8d.yaml
@@ -0,0 +1,10 @@
+---
+issues:
+  - |
+    libnetfilter_log, which is required in neutron-l3-agent when fwaas_v2_log
+    is enabled, is not available in official rpm repos and enabling this
+    feature on rpm platforms will prevent neutron-l3-agent from running.
+fixes:
+  - |
+    libnnetfilter_log has been added to deb platforms in order to support
+    the fwaas_v2_log feature in neutron l3 agent.