From 1bfc949466d9fc556c236b06988dbb9aadb8faaa Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 12 Mar 2020 17:42:56 -0400
Subject: [PATCH] Add message when insecure is needed Practically speaking, this will be only choice for most people, but we must make sure that the user acknowledges the risk.
---
 confluent_server/confluent/discovery/protocols/pxe.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/confluent_server/confluent/discovery/protocols/pxe.py b/confluent_server/confluent/discovery/protocols/pxe.py
index ad752a81..6a3d4d2c 100644
--- a/confluent_server/confluent/discovery/protocols/pxe.py
+++ b/confluent_server/confluent/discovery/protocols/pxe.py
@@ -23,6 +23,7 @@
 # option 97 = UUID (wireformat)

 import confluent.config.configmanager as cfm
+import confluent.log as log
 import ctypes
 import ctypes.util
 import eventlet.green.socket as socket
@@ -302,9 +303,17 @@ def remap_nodes(nodeattribs, configmanager):

 def check_reply(node, info, packet, sock, cfg):
 cfd = cfg.get_node_attributes(node, ('deployment.*'))
+ profile = cfd.get(node, {}).get('deployment.pendingprofile', {}).get('value', None)
+ if not profile:
+ return
 insecuremode = cfd.get(node, {}).get('deployment.useinsecureprotocols', 'never')
 if insecuremode == 'never' and info['architecture'] != 'uefi-httpboot':
- print('Ignoring request')
+ log.log(
+ {'info': 'Boot attempt by {0} detected in insecure mode, but '
+ 'insecure mode is disabled. Set the attribute '
+ '`deployment.useinsecureprotocols` to `firmware` or '
+ '`always` to enable support, or use UEFI HTTP boot '
+ 'with HTTPS.'.format(node)})
 return
 print('Thinking about reply to {0}'.format(node))
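Review bot: In `check_reply`, the unchanged `insecuremode` lookup reads `deployment.useinsecureprotocols` with a plain string default and compares the result directly to `'never'`, while the added `profile` line unwraps the same kind of attribute through `.get('value', None)`. If attributes come back as `{'value': ...}` dicts, as the new line assumes, a node explicitly set to `never` yields a dict, the comparison is false, and the insecure-protocol gate fails open for requests that are not `uefi-httpboot`. Unwrapping it the same way keeps the gate closed: `insecuremode = cfd.get(node, {}).get('deployment.useinsecureprotocols', {}).get('value', 'never')`. The new `log.log` call also appears to run once per rejected boot packet, so a short comment saying so (or de-duplicating per node) would help keep the log readable when a node boot-loops. The rest of `check_reply` lies outside the hunk.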