It may be interesting to review a libpcap capture at the time of the
attempt.  I can probably more specifically ascertain the issue.

I'll make a few speculative guesses as to what could theoretically be the
problem.
-BMC is demanding IPMI 2, but xCAT's ipmi2support is failing.  Try: perl -e
'use Digest::SHA1; use Digest::HMAC_SHA1;'.  If that works, then xCAT
should be doing IPMI 2 by default if the BMC advertises it.  I might should
make those hard rpm dependencies, since they are in-distro for almost
everyone.

-xCAT is doing IPMI2 and BMC requires IPMI2, but it more specifically is
requiring cipher suite 3 and xCAT's prereqs for that are missing.  To test
this, try 'ipmitool -I lanplus -C 2 <etc...>' and test for xCAT Cipher suite
3 by doing: perl -e 'use Crypt::Rijndael; use Crypt::CBC;'

-Service processor can do IPMI 2, but does not support mutual
authentication (protection against impersonating a BMC).  ipmitool works
because it doesn't bother to authenticate the BMC at all (which actually
means rcons is hijackable so long as we use ipmitool).  The most secure
workaround to try in such a case is to search for 'ipmi2support'
in /opt/xcat/lib/perl/xCAT/IPMI.pm.  After 'Digest::HMAC_SHA1->import()'
there is a '1;'.  Change that to '0;' to force IPMI 1.5 operation.  *If*
they don't support IPMI 2 mutual authentication, then 1.5 would be more
secure.  Note that doesn't mean that any functionality is lost; we still
issue IPMI 2 version commands when support is detected even if we use IPMI
1.5 protocol to convey them.

If you were interested in explicitly testing that last case, you'd have to
disable the check for matching authtype; the return statement commented as
'not thinking about packets that do not match our preferred auth type'
would be that.

I probably should add a site entry to disable IPMI 2 support.  I could also
more specifically relax the mutual authentication check, but I'd much
rather the relatively few manufacturers that can't pass that fix their
firmware since it's a much better security picture.




From:   Sten Wolf <[email protected]>
To:     [email protected],
Date:   01/27/2013 08:07 PM
Subject:        [xcat-user] ipmi commands not working if used as "rXXX"
            commands, but work as ipmitool-xcat commands



Hi,
I'm encountering a strange issue with some SuperMicro machines, using xcat
2.7.6. All nodes are centos 6.3 (both MN and compute nodes).

After configuring nodehm, ipmi tables, the rpower/rinv/rinstall/rvitals
commands do not work. They simply time out.
Using the same credentials with ipmitool-xcat returns correct results.

# ipmitool-xcat -I lanplus -H ipmi05 -U ADMIN -P ADMIN power status
Chassis Power is on

while
# rpower n05 status
n05: Error: timeout

Firewall and selinux both disabled.
lsdef n05 confirms its bmc is ipmi05.
Using xcatdebug -f enable -d enable also confirms the command is trying to
connect to the ipmi address, with the correct username and password, but
getting no reply.
The only possible issue I could see is
'ipmiversion' => '1.5',

I haven't tried ipmitool -I lan yet, but I wonder if this setting is user
configurable in xcat?

BTW - nodeset works correctly, if I power cycle the nodes manually, or with
ipmitool, they install without further issues.
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
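
The kind of BMC authentication the reply above refers to, as an added example that is not part of the original thread and is not xCAT's IPMI.pm code: in IPMI 2.0 RAKP with HMAC-SHA1, the console recomputes the key exchange authentication code carried in RAKP message 2 and rejects a responder whose value does not match. The function names are hypothetical, and the session IDs, role byte, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct


def rakp2_auth_code(key, sid_console, sid_bmc, rand_console, rand_bmc,
                    guid, role, user):
    """HMAC-SHA1 keyed with the user password over the RAKP message 2 inputs:
    SIDm, SIDc, Rm, Rc, GUIDc, RoleM, ULengthM, UNameM (session IDs LSB first)."""
    data = (struct.pack("<II", sid_console, sid_bmc) + rand_console + rand_bmc
            + guid + bytes([role, len(user)]) + user)
    return hmac.new(key, data, hashlib.sha1).digest()


def bmc_reply(key, sid_console, rand_console, role, user):
    """Constructed responder: builds RAKP message 2 with whatever key it holds."""
    sid_bmc, rand_bmc, guid = 0x02000000, os.urandom(16), os.urandom(16)
    code = rakp2_auth_code(key, sid_console, sid_bmc, rand_console,
                           rand_bmc, guid, role, user)
    return {"sid_bmc": sid_bmc, "rand_bmc": rand_bmc, "guid": guid,
            "auth_code": code}


def console_accepts(key, sid_console, rand_console, role, user, reply):
    """Console-side check: only a responder that knows the password passes."""
    expected = rakp2_auth_code(key, sid_console, reply["sid_bmc"],
                               rand_console, reply["rand_bmc"],
                               reply["guid"], role, user)
    return hmac.compare_digest(expected, reply["auth_code"])


def demo():
    user, key = b"operator", b"constructed-secret"    # constructed credentials
    sid, rand_console, role = 0xA0A1A2A3, os.urandom(16), 0x14
    genuine = bmc_reply(key, sid, rand_console, role, user)
    impostor = bmc_reply(b"wrong-guess", sid, rand_console, role, user)
    return (console_accepts(key, sid, rand_console, role, user, genuine),
            console_accepts(key, sid, rand_console, role, user, impostor))


if __name__ == "__main__":
    print(demo())
```

A client that never calls the equivalent of console_accepts() proceeds with either responder, which is why skipping the check leaves the session open to BMC impersonation.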