Hello,

Taking advantage of this thread to try and understand the current status and future plans, because new HW often requires (at least by default) the newer security protocols.

1. Regarding IPMI.pm – Any reason the patch below was not merged? Can you consider merging it now to allow support?
2. Ipmitool-xcat – We are using the latest package - ipmitool-xcat-1.8.18-4.x86_64 – but it still does not have Cipher Suite 17, although ipmitool-1.8.18 should have it (*). Any reason it is not in the xcat version? It seems that there are patches which add it (+the best-cipher, which is great). Am I missing something? Is there a way to take 1.8.19 and use it to build ipmitool-xcat? With the different patches and changes, I am sure I will miss something.

    RMCP+ Cipher Suites : 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
    Cipher Suite Priv Max : XXaXXXXXXXXXXXX

(*) I might be wrong, I am not 100% sure when it was introduced.

THX in advance!

Gilad Berman
HPC Architect, Lenovo EMEA
gber...@lenovo.com
+972-522554262

From: Jarrod Johnson <jjohns...@lenovo.com>
Sent: Thursday, 23 February 2023 20:44
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] Re: ipmitool -I open vs lanplus vs lan

Note that the ipmitool equivalent should be at least lanplus nowadays. Biggest risk I could see is that some firmware nowadays requires at least cipher suite 17, if ipmi is enabled at all.

https://github.com/xcat2/xcat-core/commit/8d5df5d6cae07219e10d1a00538cafdb8e3bbf13

Implement HMAC-SHA256 in xCAT IPMI · xcat2/xcat-core@8d5df5d
This will be compatible with some current implementations that do not have SHA-1. HMAC-SHA1 may be still secure, but SHA1 in any context *looks* bad even if it isn't.

That change to IPMI.pm might alleviate.

Double check if ipmitool with -C 17 will work, and if that will work, you may need IPMI.pm to change to support SHA256 in the hmac.

________________________________
From: Mark Gurevich via xCAT-user <xcat-user@lists.sourceforge.net>
Sent: Thursday, February 23, 2023 1:35 PM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Cc: Mark Gurevich <gurev...@us.ibm.com>
Subject: [External] Re: [xcat-user] ipmitool -I open vs lanplus vs lan

xCAT uses raw ipmi commands to do ipmi communication. You can turn xCAT debug on with "chdef -t site clustersite xcatdebugmode=1" and then issue a command, like "rpower <node> stat" to see all the raw ipmi commands xCAT is sending. Use "chdef -t site clustersite xcatdebugmode=0" to turn debug off.

-----Original Message-----
From: Michael Green <mishagr...@gmail.com>
Sent: Thursday, February 23, 2023 1:08 PM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: [EXTERNAL] [xcat-user] ipmitool -I open vs lanplus vs lan

Hello collective wisdom,

What IPMI interface does xcat use? Is it lan or lanplus or open? (As in ipmitool -I ) Is it configurable?

I have a bunch of new Dell servers in the lab that don't seem to communicate over lan or lanplus interface, only open and I have trouble provisioning them through xcat. I suspect it's because of lanplus not supported/missing from these servers.

--
Regards,
Michael
_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
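
Added example, not part of the thread and not xCAT or ipmitool code: it reads the "RMCP+ Cipher Suites" line in the form quoted in Gilad Berman's message and classifies each ID by the algorithms the IPMI 2.0 specification assigns to cipher suites 0-17, showing that the quoted listing lacks suite 17 and which offered suites carry no encryption. The names SUITES, THREAD_LISTING, parse_offered and audit are hypothetical, and the "Cipher Suite Priv Max" line is not interpreted.

```python
import re

# IPMI 2.0 cipher suite IDs: ID -> (authentication, integrity, confidentiality)
SUITES = {
    0: ("RAKP-none", "none", "none"),
    1: ("RAKP-HMAC-SHA1", "none", "none"),
    2: ("RAKP-HMAC-SHA1", "HMAC-SHA1-96", "none"),
    3: ("RAKP-HMAC-SHA1", "HMAC-SHA1-96", "AES-CBC-128"),
    4: ("RAKP-HMAC-SHA1", "HMAC-SHA1-96", "xRC4-128"),
    5: ("RAKP-HMAC-SHA1", "HMAC-SHA1-96", "xRC4-40"),
    6: ("RAKP-HMAC-MD5", "none", "none"),
    7: ("RAKP-HMAC-MD5", "HMAC-MD5-128", "none"),
    8: ("RAKP-HMAC-MD5", "HMAC-MD5-128", "AES-CBC-128"),
    9: ("RAKP-HMAC-MD5", "HMAC-MD5-128", "xRC4-128"),
    10: ("RAKP-HMAC-MD5", "HMAC-MD5-128", "xRC4-40"),
    11: ("RAKP-HMAC-MD5", "MD5-128", "none"),
    12: ("RAKP-HMAC-MD5", "MD5-128", "AES-CBC-128"),
    13: ("RAKP-HMAC-MD5", "MD5-128", "xRC4-128"),
    14: ("RAKP-HMAC-MD5", "MD5-128", "xRC4-40"),
    15: ("RAKP-HMAC-SHA256", "none", "none"),
    16: ("RAKP-HMAC-SHA256", "HMAC-SHA256-128", "none"),
    17: ("RAKP-HMAC-SHA256", "HMAC-SHA256-128", "AES-CBC-128"),
}

# The two listing lines quoted in the thread (variable name is hypothetical).
THREAD_LISTING = """\
RMCP+ Cipher Suites : 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
Cipher Suite Priv Max : XXaXXXXXXXXXXXX
"""

def parse_offered(listing):
    """Return the suite IDs on the 'RMCP+ Cipher Suites' line."""
    m = re.search(r"^\s*RMCP\+ Cipher Suites\s*:\s*([0-9][0-9, ]*)", listing, re.M)
    if not m:
        raise ValueError("no 'RMCP+ Cipher Suites' line found")
    return [int(x) for x in m.group(1).split(",") if x.strip()]

def audit(listing):
    """Classify offered suites; IDs outside the table (OEM) are not classified."""
    offered = parse_offered(listing)
    known = [i for i in offered if i in SUITES]
    return {
        "has_17": 17 in offered,
        "sha256_integrity": [i for i in known if SUITES[i][1] == "HMAC-SHA256-128"],
        "no_encryption": [i for i in known if SUITES[i][2] == "none"],
        "md5_or_rc4": [i for i in known if "MD5" in SUITES[i][0] or "RC4" in SUITES[i][2]],
    }

if __name__ == "__main__":
    print(audit(THREAD_LISTING))
```

For the listing quoted in the thread, the only offered suite with HMAC-SHA256 integrity is 16, which has no confidentiality algorithm; suite 17 is the one that adds AES-CBC-128 on top of it.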