Speaking of this phenomenon, in pyghmi I was working with the idea of
assigning a rough value for the various discrete sensors.
My effort is in the 'discrete_type_offsets' structure in:
https://github.com/stackforge/pyghmi/blob/master/pyghmi/ipmi/private/constants.py
It may be imperfect, so loo
ssh in and run ps axf|grep agetty. I wager you see two agettys running on
ttyS0.
I'll go further and speculate you were unaware of /etc/init/serial.conf in
RHEL6 and both your ttyS0.conf and that serial.conf together are causing
your woes. serial.conf starts on serial-console-available (based o
B Johnson/Raleigh/IBM@IBMUS
Cc: "ipmitool-devel@lists.sourceforge.net"
Date: 05/13/2014 10:36 AM
Subject:Re: [Ipmitool-devel] unauthenticated Get Channel Cipher Suites
command & possible bug…?
On May 13, 2014, at 7:09 AM, Jarrod B Johnson wr
Well, you mispasted the last valid record, but your explanation suggests
you originally parsed it correctly (c00c024381). The trailing zeroes are in
bad form and if not for the clear statement that there can only be one auth
algorithm it could be understood why ipmitool might get confused and be
he
me.
From: Hank Bruning
To: Jarrod B Johnson/Raleigh/IBM@IBMUS
Cc: Ross Amans ,
"ipmitool-devel@lists.sourceforge.net"
Date: 04/17/2014 05:11 PM
Subject:Re: [Ipmitool-devel] ipmitool sol vt100 support
It is much more complex than Jarrod says.
ipmitool isn't a terminal at all. The vt100 facet of it is whatever
terminal ipmitool is executed in (e.g. ipmitool inside gnome terminal,
xterm, konsole, whatever has no issues with function keys and other VT100
behaviors). If ipmitool does not work under your terminal type, it would
be the ter
Well, I will say that at least in one place, ipmitool assumes that the
system is little-endian. When it goes to print GUID the GUID will come
out looking different whether the host is little or big endian. Of course
strictly speaking the IPMI format for DUID is not honored by anyone, but
the de
Last I looked, it did not. xCAT does support IPMI over IPv6. Of course,
the lan configuration parameters don't have any standard way to describe
IPv6 configuration, but once network configured in other ways, xCAT will do
IPMI to systems that support it (e.g. IBM's IMM)
From: Zdenek Styblik
htened privilege, but perhaps a way to remove
all access to a BMC which is less bad.
From: dan farmer
To: Jarrod B Johnson/Raleigh/IBM@IBMUS
Cc: "ipmitool-devel@lists.sourceforge.net"
Date: 02/19/2013 10:57 AM
Subject:Re: [Ipmitool-devel] ipmi configurat
, but I'll
take any opportunity to rehash that point.
From: dan farmer
To: Jarrod B Johnson/Raleigh/IBM@IBMUS
Cc: "ipmitool-devel@lists.sourceforge.net"
Date: 02/19/2013 10:57 AM
Subject:Re: [Ipmitool-devel] ipmi configuration security best practic
Seems mostly sensible.
-Gratuitous arp: agreed, but some BMC implementations cannot manage to get
ARP requests to the BMCs. I presume this is why such a request is in the
spec at all. I'd avoid such implementations like the plague for reasons
beyond security though, just be aware that if an im
FYI, in my experience, if you have to retry RAKP packets, many BMCs will
not produce sane behavior. E.g. if I send RAKP2, BMC receives and sends me
RAKP3 but network drops RAKP3, many BMCs will never ever accept a
retransmit of RAKP2. I've found that if you are in the RAKP stage, any
missed mess
Are we talking mass collection of ipmi data with respect to type of IPMI
data, number of IPMI elements aggregated into one thing, or data as it
changes over time? For example, the hardware management piece of xCAT does
many-server ipmi data gathering in one swoop, but generally feeds into
somethin
Another question is scaling, i.e. how many systems you intend to
interrogate concurrently, as well as what language you wrote your code in.
xCAT's IPMI stack would require that you use perl, but it can run an IPMI
request against arbitrarily many systems with a single process with a
single filehan
depends on the server vendor
From: Jeremy Li
To: ipmitool-devel@lists.sourceforge.net
Date: 03/04/2011 10:58 AM
Subject:[Ipmitool-devel] How to monitor energy consumption with
ipmitool?
Hi, everyone
I am a new user to ipmitool, how should i do if i want to kn
Speaking of SEL time, ipmitool may want to consider an approach like I implemented in xCAT. Frequently BMC time is wrong (either not set at all due to negligence or synced on POST to system hardware clock which might ambiguously be UTC or localtime depending on OS and config). Therefore, when I go
Well I would do that in-band. Like on OS running on the managed system so
you can get the info via KCS without lan or lanplus.
From: "Szabo, Steve G"
To: Jarrod B Johnson/Raleigh/IBM@IBMUS
Cc: "ipmitool-devel@lists.sourceforge.net"
Date: 01/21/2
As an FYI, if ipmitool lan print shows priv max as 'a', 'o', or 'O' be
aware a malicious user can go in and turn off your system and all that
without your password.
Are you talking about a way once authenticated to get the info or when
trying to establish a session? Since you can display the inf
ipmitool lan print 1
?
or whatever the channel number is for their lan
Cipher Suite Priv Max : uXX
Is mine.
This means:
0 is only allowed user
and 1,2,3,4 allowed admin
key appears lower in output.
From: "Szabo, Steve G"
To: "ipmitool-devel@lists.sourceforge.net"
Unfortunately, the IBM Bladecenter does not expose IPMI over LAN. This
comes from effort to maintain backwards compatibility with the days before
IPMI existed and trying to make the POWER and x86 systems all act the same
when in a chassis. Implementing remote management for CLI/scripting use
can
Also no idea about that system, but you may want to try 'ipmitool fru'. I
know at least our current systems will make the effort to make the DIMM SPD
info queryable via FRU.
From: Albert Chu
To: Asif Iqbal
Cc: "Ipmitool-devel@lists.sourceforge.net"
Date: 01/14/2011 12
As an aside, anyone know if anyone in IPMI spec land is going to define
those lan parameters as a standard?
If not already in flight, I might start a patch to at least change UDP to
UDP6 as possible for now.
From: "Schafer, Randy A"
To: "Ipmitool-devel@lists.sourceforge.net"
So two things:
-For any IPMI device that implements IPMI 2.0:
ipmitool lan print
Look for:
Cipher Suite Priv Max : XXX
If the first character is not X, then anyone can get in without having
accurate auth data. If IPMITOOL is somehow finagling it to be cipher suite
zero when passe
It depends on the source. Ultimately, your system vendor should be able to
make the recommendation. If you accept the driver with your distribution
and firmware straight from the nic vendor, that could be (and in practice
has been) problematic. If you acquire it from your vendor's support site,
From: Rahul Nabar
To: Jarrod B Johnson/Raleigh/i...@ibmus
Cc: ipmitool-devel@lists.sourceforge.net,
Your BMC simply isn't responding to any traffic. BMCs are supposed to be
completely resilient to OS failures when done properly (not much apart from
things like power failures in non-redundant systems should be capable of
knocking out a quality IPMI implementation) . You need to look to your
sys
Looks like the BMC was misconfigured (incidentally, which IBM model is in
play here?)
If you can run ipmitool on the system you are trying to manage:
# modprobe ipmi_si;modprobe ipmi_devintf;ipmitool lan print 1
Set in Progress : Set Complete
Auth Type Support : NONE MD2 MD5 PASSWORD
I sent an email about this a long time ago, but it looks like it was never
handled, so I decided to just send the patch I've been using.
(See attached file: ipmitool-solretryfix.patch)
I only tested this with getdeviceid timeout.
The current problem is explained at
http://www.mail-archive.com/ip
There is also perl code to do automated fru area 0 rewrite (i.e. to pull in
asset tag) from xCAT tables (essentially allowing a mass merge of CSV data
for arbitrarily many systems in one shot (including serial, model, and
asset tag data) to IPMI FRU area). It isn't well advertised as it won't
wor
ipmitool has a bug in that it attempts to inject an event that isn't quite
IPMI compliant (easy to overlook).
I just realized I forgot to submit this patch ever sorry
diff -urN ipmitool-1.8.11/lib/ipmi_event.c
ipmitool-1.8.11-eventfix/lib/ipmi_event.c
--- ipmitool-1.8.11/lib/ipmi_event.c
The IBM Bladecenter AMM does not support IPMI out-of-band at the moment.
Most modern x86 blades contained therein support in-band IPMI. Not all the
blades (notably the PPC blades) support IPMI. For out-of-band usage, the
protocols supported include the web interface, the CLI via either SMASH or
I have observed many BMCs that fail to implement that feature correctly.
However, in theory, it works. It works on all of the BMCs I test, but I
have seen some other vendor BMCs that do not work.
If console= line matches and /proc/sys/kernel/sysrq is 1, then ~B should
work to send a break and
One key distinction about cipher suite 0 is that you don't have to get the
password right for it to allow you to operate. Cipher suite 0 has no
authentication whatsoever.
You may want to double check that the password is configured correctly,
since getting it wrong won't impact suite 0.
se are some ideas to play with, but that
second BMC may have some fundamentally grave security issues.
From: Fred Tyler
In IPMI 2, that is not true. Cipher suite 0 has no password hash or
plaintext.
Cipher suite 0, per spec, allows access to anyone who knows your usernames.
I can't imagine the point of it, but that's what it is.
From:
You have to change your BMCs to reject cipher suite 0. FYI, IBM servers
ship with it disabled for this very reason.
ipmitool lan set 1 cipher_privs XaaaXXX
should do it.
From: Fred Tyler
I have attached a patch that corrects the generator id used when a command
like 'ipmitool event 3' is issued in-band. Ipmitool tries to use 0x20
software id as the byte value, but per the IPMI table 5-4, 0x20 would have
to be bit shifted and have 1 added to be correct in this context.
(See atta
At IBM, the out-of-the-box output of ipmitool sol info 1 generally
indicates what speed of SOL we tested and feel comfortable with for a given
system. I don't know what other vendor's policies are. 19200 is the most
common setting among our currently shipping product. But even then,
ubiquitous
AFAIK, each ipmitool instance can only do one session. In terms of how
many ipmitool instances can communicate to a given BMC, that is entirely up
to the BMC, but a user session limit setting is generally available for the
BMC that some set to a default value that you can query.
So it seems that a number of different patches to solve the same problem
got accepted in aggregate and together created the opposite problem ;)
Before 1.8.9, SOL sessions dropped readily due to a misdirected keepalive
packet.
Now, an SOL session will never figure out it got dropped.
lanplus.c:
On the IBM Blade platform, you will probably never see out of band
access via IPMI to the BMCs. The BMCs for most operations communicate
via the Bladecenter internal RS485 bus to the Management Module. All
external access is arbitrated by that.
The BMCs do talk via LAN, however their authenticat
In this case, it may be his only way in, if the v20z is the same Newisys
box I worked with a while back (I think it is), his assessment that the
Service processor is not accessible in-band may be accurate. Their IPMI
support wasn't that great either at the time, but you could ssh into it
and do th
The only thing I see in relatively recent past is a one line change you
submitted four days ago... We are still using the Get Device ID for
keepalive, since it is a strategy that works on more BMCs, but it should
have been cleaned up, done a wireshark/ethereal capture with -C 0 to see
what's up?
The spec file doesn't seem to work right, rpmbuild -tb on it after
changing to a tar.gz fails with:
+ /usr/lib/rpm/brp-symlink
Processing files: ipmitool-1.8.8.90-1
error: File not found by
glob: /var/tmp/ipmitool-root/usr/share/ipmitool/*
RPM build errors:
File not found by glob: /var/tmp/ip
And finally, the ChangeLog in general probably should note some of the
differences. All I'm intimately aware of is the stuff I explicitly
tested (major SOL fixes).
On Wed, 2007-01-24 at 22:17 -0500, Jarrod B Johnson wrote:
> The spec file doesn't seem to work right, rpmbuild -t
ide
from likely minor spec file tweaks, it seems technically very solid.
On Wed, 2007-01-24 at 22:17 -0500, Jarrod B Johnson wrote:
> The spec file doesn't seem to work right, rpmbuild -tb on it after
> changing to a tar.gz fails with:
> + /usr/lib/rpm/brp-symlink
> Processing fi
AIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Jarrod B
> Johnson
> Sent: Friday, January 12, 2007 9:53 AM
> To: Arkadiusz Miskiewicz
> Cc: ipmitool-devel@lists.sourceforge.net
> Subject: Re: [Ipmitool-devel] new release?
>
> The one bug I know about is the one I'
The one bug I know about is the one I've submitted a patch for a couple
of times that backs off an earlier change that broke things for at least
IBM BMCs (and by spec), but implemented a fix for their targeted bug
that plays nice with the IPMI spec without ambiguity. (the earlier
change worked for s
I see no recent CVS activity. Anyone kicking out there? Does someone
who can grant write access want to give it to me?
Also, anyone volunteered to be maintainer long enough to at least get
1.8.9 released and make sure no one gets broke by it?
On Wed, 2006-12-20 at 18:27 -0500, Jarrod B Johnson
Here is the full patch that includes my previous patch and reverts
ipmi_sol.c to 1.46 to work in the more well-tested (and working with IBM
BMCs) way, but not screw up when SOL data comes during get device id
keepalive. I decided to package it all up and send it since ipmitool
cvs hasn't appeared
Fair warning, ipmitool cvs still has not reverted the November 14th
change that breaks, notably, SOL with IBM BMCs, probably among others.
So unfortunately, simply releasing the current CVS tree will have one
with a problem where ipmitool exhausts retries every 30 seconds and
stalls the sol connec
On Fri, 2006-12-01 at 18:06 -0500, Miguel wrote:
> I am an ipmitool newbie.
>
> My questions must be FAQs, but I was unable to locate the answers.
>
> Dell PowerEdge 850 running BMC version 1.52 ... the latest firmware.
>
> playing around with basic 'power chassis' commands (status, on, off, sof
>
> Yes, I submitted a patch a while back to the list, but it was missing a
> couple of steps to make it complete. I'll put together a single
> complete patch against lanplus.c and send it in a few after I do basic
> testing on it, so I'd wait for that, but the answer i
ined to the lanplus keepalive function.
> Thanks!
> Jean-Michel Audet
On Wed, 2006-11-22 at 10:51 -0500, Jarrod B Johnson wrote:
> On Mon, 2006-11-13 at 13:55 -0800, Al Chu wrote:
> > Hi Jean,
> >
> > > Here is what I propose. Instead of using a getDeviceId for the
>
On Mon, 2006-11-13 at 13:55 -0800, Al Chu wrote:
> Hi Jean,
>
> > Here is what I propose. Instead of using a getDeviceId for the
> > keepalive mechanism, we could use a simple empty SOL transmit. (Valid
> > sequence number, no acknowledge, length of 0). This will trig no work
> > on the BMC si
I figured out what would be a problem with my patch. Since in this
case, ipmi_lanplus_recv_sol is not called, the keepalive call to input
handler is not preceded by a call to ack_sol_packet and
check_sol_packet_for_new_data. I haven't yet, but adding those two
calls I think would be safe for the
On Mon, 2006-11-13 at 13:55 -0800, Al Chu wrote:
> Hi Jean,
>
> > Here is what I propose. Instead of using a getDeviceId for the
> > keepalive mechanism, we could use a simple empty SOL transmit. (Valid
> > sequence number, no acknowledge, length of 0). This will trig no work
> > on the BMC si
True, you see a problem (btw, running CVS you should have seen less of
one, and another note I'm sending will have a patch), but your BMC seems
to have a bug as well. I followed through the incorrect flow in the CVS
tree and the only bad thing that should've happened now could possibly
be ipmitool
Try CVS, known segfault crashes in 1.8.8, and generally bad sol
behavior.
On Fri, 2006-11-03 at 13:01 -0800, David A. Ranch wrote:
> Hello Everyone,
>
> I'm using a natively compiled ipmitool 1.8.8 on multiple Linux OSes and
> When using Serial over LAN (sol), I've found that if I type very
> q