Have equiv optionally be restricted to a subset of nodes
so that node to node ssh may be enabled within subsets
without enabling across the board.
This is akin to 'zones' in xCAT, albeit a bit more flexible
and covering both users and administrative access.
If an OS queries for confluent, but will not have a viable address,
avoid replying to let more usable network paths prevail.
For example, one OS was coming up with 169.254 with no dhcp server,
and being told it could do well to talk to 172.29, which obviously
would not work.
Default username/password is no longer a
viable long term credential for XCC, have user
clearly be told to change and that they
shouldn't have to worry about the default
user and password.
If console.logging is not desired, but reconstituting the screen is,
provide 'memory' as a method to do that.
On slow disks this can significantly improve performance.
IPMI actions can be a bit sensitive. Introduce some serialization
for improved robustness in lieu of better parallelism.
The ideal would be to have 128 per core/process in the end, but for now,
a pool for 128 concurrent operations in flight at a time.
Badly behaving 'desc.tmpl' servers exist in the world,
do not get tripped up or slowed down too much by
having aggressive timeout and making it parallel.
Most of the codebase presumes lower case uuid, but
the uuid mapping was preserving whatever case the
attribute was in, making it case sensitive.
In the normal discovery process, this was filled in
as lower case. However if id.uuid is filled in manually
with uppercase, this broke the node lookup by uuid.
On a mostly stable system, update_neigh will
continue to drive a significant portion of
background activity. Mitigate to only call if
circumstances suggest a need, or once every
30 seconds.
This is an optional capability that image payloads may use
to use the TPM2 to protect an apikey as an alternative to
arming a weak authentication invocation.
One is to provide clear feedback when a nodename is requested
that was not previously defined, to make it more clear that
it is a requirement and/or guard against going too far while
the config function will be missing data it needs to complete
onboarding.
Another is to break if the request is trying to assign a node
to a different definition when it already exists under a different
name.
Trying to do so while guarding against errors and sanitizing input was more code and slower
than targeting the one possible cookie we might care about.
So the code is simpler and
the performance is better, and the effect of stray cookies is mitigated.
If an invalid cookie from another site breaks the cookie jar,
then sanitize it.
https://bugs.python.org/issue31456
Performance enhancement through setting a header in javascript in
lieu of cookie parsing seems a wise move for the future.
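
The approach the cookie notes above describe, reading only the one cookie of interest instead of parsing and sanitizing the whole jar, shown as an added example (not confluent's own code). The cookie name `examplesessionid`, the accepted value alphabet and the handling of duplicates are assumptions made for illustration.

```python
import re

# Hypothetical cookie name; the notes above do not name the cookie.
SESSION_COOKIE = "examplesessionid"

# Assumed token alphabet. A value outside it is treated as absent,
# not repaired.
_VALUE_RE = re.compile(r"[A-Za-z0-9_\-]{1,128}")


def get_session_cookie(header, name=SESSION_COOKIE):
    """Return the value of the single cookie we care about, or None.

    The header is split on ';' and every pair whose name is not `name`
    is skipped without being interpreted, so a malformed cookie set by
    another site cannot break or influence the lookup.
    """
    if not header:
        return None
    found = None
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if not sep or key != name:
            continue  # stray or malformed entries are never parsed
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # tolerate a quoted value
        if not _VALUE_RE.fullmatch(value):
            return None
        if found is not None and found != value:
            return None  # conflicting duplicates: refuse to choose
        found = value
    return found


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        "bad name=1; other=[x,y]; examplesessionid=abc123",
        "examplesessionid=abc; examplesessionid=def",
        "examplesessionid=a b",
    ]
    for header in samples:
        print(repr(header), "->", get_session_cookie(header))
```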
While our security guidelines preclude allowing host to know the password,
it is considered acceptable to do the out-of-band authentication configuration.
Have configbmc request a unicast remote configuration. This should handle authentication
as well as ensuring ongoing consistency between out of band and in-band configuration
methods.
Upon connection loss, even though confluent internally
decides it is done with it, it fails to close the session.
Catch a number of these scenarios and ensure the connection closes.