Part of #4109 (Phase 1b). Owners: golang-engineer + staff-engineer. Depends on Phase 1 (Deployer iface) and the Phase 0 tokenized-serve design.
Wire the new Deployer into the rest of AuroraBoot and build the secure ISO-serve.
Scope
Tokenized single-file ISO-serve helper (Phase 0 spec): 256-bit crypto/rand token = one deployment = one file; served via http.ServeContent (Range-capable) with no http.Dir/path-join; TTL = deploy budget + margin; revoke on terminal state/eject; its own http.Server (never DefaultServeMux; do not reuse pkg/ops/network.go ServeArtifacts). New --redfish-serve-url / --redfish-serve-addr (default derived from AuroraBootURL, override allowed; never silently bind 0.0.0.0). Opt-in --redfish-serve-tls.
Rewire both call sites to the new Deployer: internal/cmd/redfish.go (CLI) and pkg/handlers/deploy.go runRedfishDeploy (server), plus pkg/hardware/inspector.go.
Encrypt BMCTarget.Password at rest — AES-256-GCM with a local DEK at data/secrets/bmc-key (0600); encrypt/decrypt in the store adapter. (Folds in the wider-review plaintext-password finding.)
Real cancellable deploy context + a run registry for cancellation; startup reconciler that marks orphaned Active deployments terminal after a restart.
store.Deployment progress/step events (InsertMedia → SetBoot → Reset → Task %), replacing the fabricated status.
--password-file/--password-stdin/env; document the --password flag as insecure.
Security acceptance criteria (from Phase 0)
../ traversal cannot escape the single bound file; token revoked after terminal state.
--image-url/endpoint pointing at loopback/link-local/metadata (127.0.0.1, 169.254.169.254, ::1, fe80::/10) is rejected; configured serve host allowed; resolve-and-pin IP (anti-rebind).
BMCTarget.Password round-trips as ciphertext (DB column never holds plaintext).
Active rows.