GitLab

This enhances the power_ipmi module in three ways:

* Will now check for auth creds in the outets_remoteauth table.
  - Previously the module had credentials hard-wired.
  - Key role in table should be "ipmi-passwd".

* Makes it run in parallel for the set of outlets provided
  - via emutil::ParRun().

* HP Moonshot chassis iLO support.
  - Device (node) type == "ipmi-ms".
  - Outlet to ipmi address resolution.
  - Additional required ipmitool parameters ("lanplus" protocol).

* Supports KGKEY for session encryption.
  - KGKEYs can be placed in the DB ("ipmi-kgkey" role, key encoded in hex).

Note that the "status" command doesn't really work presently, but that's
OK since it wasn't ever hooked in.

Apparently at some point in the past, wire info for new nodes moved into
its own table rather than using the switch_* fields of new_interfaces.
For Geniracks or if a certain feature is set, then this new style is used.

However, newscript unconditionally assumed the new format and generated
incomplete entries for non-Geniracks. Newscript now makes the same checks
as newnode.

Move the taint clearing action so that it happens as the node exits
the "reloading" experiment (vs. when it goes into reloading).

Also add utility function to allow the node to get the exact details of
the image it is running ('imageinfo').

Some of the taint checks are rather heavy-handed presently.  Pretty much
any vector that could be used by the user to do something as root has
been severed right at the top of the relevant tmcd calls.

Calls affected:

manifest ('blackbox' and 'useronly' taintstates)
rpms ('blackbox' and 'useronly' taintstates)
tarballs ('blackbox' and 'useronly' taintstates)
blobs ('blackbox' and 'useronly' taintstates)
startupcmd ('blackbox' taintstate)
mounts ('blackbox' taintstate)
programs ('blackbox' taintstate)

Taint handling for the 'accounts' call was dealt with in a prior commit.

Also fix incorrect check for a dictionary entry that doesn't exist.

Conflicts:
	clientside/os/imagezip/ffs/disklabel.h
	config.h.in
	configure
	configure.ac

Just in case the default route is via a VLAN device.

value beyond reasonable size.

Update some comments and rename GetAllowedLeases to AllowedLeases.

Minor consistency updates.

Two types of global permissions are supported:

* Anonymous read-only (to support users without local accounts).
* Read-only for users with local accounts.

Global permissions are added to leases by way of entries of type "global"
in the lease_permissions table.  The lease mod tool still needs to be
updated to make use of the updated library support here.

The new GetAllowedLeases() method in Lease.pm was reworked - it became
clear that this was needed as I did the global RO permissions stuff.

Also adjust some of the existing lease enumeration functions to take
a lease type selector argument.  Here is the comment above the
new GetAllowedLeases() method:

 Return a list of leases for which a user OR entire project has access.

 Permissions are determined as follows:
 * The owner of a lease always has full (RW) access
 * Users in a project with group_root or above trust always have full (RW)
   access to leases associated with that project.
 * Explicitly granted per-user and per-project permissions are extracted
   from the lease_permissions tables.

 Arguments:
 * upid - User OR Project object to lookup lease access for.
 * type - Optional lease type selector.  Restrict results to this type
          of lease.

 Returns: Array of lease objects the given principal (user or project) has
          access to.  To each of these lease objects, an "allow_modify"
          boolean is set, accessible via $leaseobj->allow_modify().

Project leases are now per-group, so we build a sub authority certificate
for a remote dataset so that on the remote side, it is created inside the
group named by the project on the local side.

Many bug fixes.

to.