This allows the FS to just live, uncompressed, in cache.
This is generally a bad idea, however:
- In a hypothetically super-tuned diskless image, the lack of double-cache can offset the lack of compression
- The image will have supreme read performance
- It will have the most deterministic memory behavior
By default, the squashfs file was being cached as well as the contents after extraction.
This is superfluous pressure on the cache of the OS.
However, it does help keep the image afloat through 'confignet', so
leave it on until onboot completes, then reclaim cache and disable further caching.
Modern SNMP devices may require AES.
Unfortunately, older ones may refuse AES.
For compatibility, continue to default to DES, but
allow AES to be indicated in attributes.
We use cryptography verification, but it's relatively new.
For compatibility, we fall back to fingerprint only.
This is pretty bad when inflicted on
unsuspecting users on autosign,
so skip autosign if cert validation
would break.
Rather than treat both as the same, since untethered has everything up front anyway, go ahead and extract the filesystem.
This makes the mount look more straightforward and makes it so deletion of files from
the image also frees ram.
For one, apply more rules from CA/B forum. This includes including KU and EKU extensions, marking basicConstraints critical, and
randomized serial numbers.
Also make the backdate and end date configurable, to allow
for the BMC certs to have a more palatable validity interval.
Begin expanding certutil to sign other certificates from external CSRs more easily.
Have certutil make the CA constraint critical.
Have the fingerprint based validator have a mechanism to check for properly signed certificate in lieu of exact match,
and update the stored fingerprint
on match.
Provide a means to request a custom subject when evaluating a
target.
Change redfish plugin to set that subject in the verifier.
The changes for getinstalldisk assumed functionality
in ESXi9. Target older
functional level for our purposes.
Also expand the fallback to cover cases where the disk interrogation fails.
Surprisingly frequently, the firmware stacks split right after the \x1b byte in
sending data down. Defer a dangling partial sequence until more data
comes in that should make it complete.
In the interest of interfering with terminal behavior as little as possible,
only apply the forced intensity if the background and foreground color are
identical and would make it otherwise literally impossible to read
when working as designed.
Terminals seem to expect 'bold or intensity' to imply intense color.
There are certain terminals that steadfastly refuse to do bold and intense. So implement the logic on behalf of
the remote terminal.
Commonly, UEFI setup menus request bold white text on white background. This fixes such menus to be readable by explicitly requesting intense white foreground rather than normal background. For example, the kitty terminal has no 'intense on bold feature.
For nodemedia, nodelicense, and nodefirmware, support
for expressions in filenames was
fouled when pass by
filehandle was added.
Restore this by adding all the files matching an expression.
