302 works for iPXE, but not for more limited UEFI
http client.
If we are dealing with UefiHttpBoot, check for a header
from nginx config and use X-Accel-Redirect to induce proxy side
redirect transparent to client.
Otherwise, give an error indicating the issue with the profile
name length and incompatibility with Apache capabilities.
When trying to set a node or group attribute, evaluate
length of any potential formatting specification to keep it under
8 characters.
This should prevent even temporary expansion over 10MB for an attribute
on the way to setting it.
Some profiles may want to have a fixed boot image,
and site specific content limited to the identity payload, or at
least the TLS so it could fetch the rest over https.
If an expression causes an inordinate amount of memory to be
used, then block it from continuing.
For now, we consider that an expression that expands beyond 16k. I
am unable to conceive of a use case where someone would want to
use an expression to derive more than 16k as it stands, as we don't
carry any particularly large opaque payloads right now.
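
An added example (not confluent's own code) of the two guards described above, the format specification length check and the 16k expansion cap, assuming Python str.format-style templates. The names check_format_specs, expand and ExpressionTooLarge, and the reading of 16k as 16384 characters, are assumptions.

```python
import string

MAX_SPEC_LEN = 8        # from the page: keep a format specification under 8 characters
MAX_EXPANSION = 16384   # from the page: "16k"; the exact figure is an assumption


class ExpressionTooLarge(ValueError):
    """Hypothetical error type for an expression that is refused."""


def check_format_specs(template):
    """Refuse oversized format specs before anything is formatted.

    A spec of at most 7 characters can carry at most a 7-digit width, so a
    single field can never pad out to 10 MB, even temporarily.
    """
    for _literal, field, spec, _conv in string.Formatter().parse(template):
        if field is None:
            continue
        if "{" in spec:
            # A nested field makes the width data-dependent; refuse it here.
            raise ExpressionTooLarge("nested format specification")
        if len(spec) >= MAX_SPEC_LEN:
            raise ExpressionTooLarge("format specification too long: %r" % spec)


def expand(template, values):
    """Expand template piece by piece, stopping once output passes the cap."""
    check_format_specs(template)
    fmt = string.Formatter()
    out, size = [], 0
    for literal, field, spec, conv in fmt.parse(template):
        pieces = [literal]
        if field is not None:
            obj, _ = fmt.get_field(field, (), values)
            pieces.append(fmt.format_field(fmt.convert_field(obj, conv), spec))
        for piece in pieces:
            size += len(piece)
            if size > MAX_EXPANSION:
                raise ExpressionTooLarge("expansion exceeds %d" % MAX_EXPANSION)
            out.append(piece)
    return "".join(out)
```
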
The r8169 enjoys some popularity.
Also, we'd like to be able to try out diskless/cloning with
VMs, so vmxnet3 and virtio_net are handy to round that out.
For both proxmox and vmware, properly model the 'oldstate' feature.
For proxmox, further:
- Wait for power change to actually take effect
- Change reset to a cycle, to help nodesetboot actually work correctly.
This allows users to opt into disabling setting further profile changes.
Nodes may be 'unlocked' (normal), 'autolock' (will lock on next
completion), or 'locked' (unable to change the pending OS profile).
If a nic were aliased *and* the node had attributes
for ipv6 but used host resolution for ipv4 identity,
it was possible for PXE to pick the wrong way
to respond.
Instruct netutil to specifically consider only the matching family
for the PXE/HTTP boot context.
If a confluent collective member is stopped, then the
HTTPS check passes. If we end up with a 503 indicating
the other end has a missing confluent, fall back to the loop
to check for other living collective members.
This provides nodeinventory (mac and -s most interestingly),
nodepower, nodesetboot (and by extension, nodedeploy -n),
and nodeconsole (console.method=vcenter).
localhost was added to ssh principals, but should not be used
as a candidate in syncfiles.
The syncfileclient should already be filtering this possibility,
but best to filter it everywhere that makes sense.
A node with private, unroutable addresses relative to
the deployment server may cause the deployment server
to select an unroutable address.
Address this with two strategies.
First, if any of the addresses appear local to the deployment server
networks, prefer those and filter out unroutable.
Secondly, if a node is purely remote, and thus all addresses routable,
then make all the addresses a candidate. However, since the
client can't possibly be using fe80::, we can replace the principal list
with just the clientip, provided it appears in the principal list.
If a node has not been asked to open any locally managed
video consoles before it was asked to open a peer managed console,
it would fail to start the needed vinz service.
Work around this by detecting that scenario and giving
the vinz subsystem a chance to fix itself.
Node attribute ntp.servers in nodeattrib can now be used in stateless images
modified: confluent_osdeploy/el7-diskless/profiles/default/scripts/onboot.sh
modified: confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh
modified: confluent_osdeploy/el9-diskless/profiles/default/scripts/onboot.sh