Jarrod,

Would/could goconserver from Confluent be brought into xCAT relatively easily?

----
Don Avart
CTO
RedLine Performance Solutions, LLC
(703) 634-5686
dav...@redlineperf.com

> On Jan 10, 2024, at 11:09 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>
> gocons is 'goconserver'. confluent has a baked in console handler for ipmi
> that is written in python.
>
> One could imagine a modification to the ipmitool invocation to try default
> and add -C 3 if it fails (exits within a second or so)
>
> From: David Johnson <david_john...@brown.edu>
> Sent: Wednesday, January 10, 2024 11:02 AM
> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
> Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 3
>
> For console I’m still broken with both goconserver and ipmitool (w/o
> -C 3). I thought gocons came from confluent — is there a better way to do
> console now from confluent?
> -- ddj
> Dave Johnson
>
>> On Jan 10, 2024, at 10:44 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>>
>> Well, I suspect it works when the amended result was posted that the xCAT
>> fallback did function fine.
>>
>> So it's a matter of ipmitool's fallback being perhaps too picky or is
>> outright broken.
>>
>> In xCAT/confluent we try 17 and if failed, just start over at 3.
>>
>> ipmitool tries to more carefully decide what its initial attempt will be
>> based on advertised support (I think from a cursory glance). So I could
>> imagine how a strange response to supported ciphers could steer ipmitool
>> wrong when xcat/confluent can fare better.
>>
>> Unfortunately on our side we deprecated use of ipmitool for console, so I'm
>> a bit rusty in evaluation.
>>
>> From: Ryan Novosielski <novos...@rutgers.edu>
>> Sent: Tuesday, January 9, 2024 10:23 PM
>> To: Jarrod Johnson <jjohns...@lenovo.com>
>> Cc: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
>> Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 3
>>
>> That’s a good question! We don’t currently have a Confluent system running
>> anything newer than RHEL7 managing anything other than DSS-G equipment, but
>> we’re planning to upgrade our management system to RHEL9 soon, or
>> alternatively could add an additional machine to one of the DSS-G clusters
>> to see.
>>
>> --
>> #BlackLivesMatter
>>  ____
>> || \\UTGERS,     |---------------------------*O*---------------------------
>> ||_// the State  | Ryan Novosielski - novos...@rutgers.edu
>> || \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
>> ||  \\    of NJ  | Office of Advanced Research Computing - MSB A555B, Newark
>>      `'
>>
>>> On Jan 9, 2024, at 18:16, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>>>
>>> Curious, how does confluent ipmi interaction work against those systems?
>>> does it manage to successfully downgrade transparently?
>>>
>>> From: Ryan Novosielski via xCAT-user <xcat-user@lists.sourceforge.net>
>>> Sent: Tuesday, January 9, 2024 5:37 PM
>>> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
>>> Cc: Ryan Novosielski <novos...@rutgers.edu>
>>> Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 3
>>>
>>> I can confirm that that last part is not true:
>>>
>>> root@fw01-hpc-hill:/home/novosirj 11:11 PM# ipmitool -U USERID -I lanplus -H master-imm chassis status
>>> Password:
>>> Error in open session response message : no matching cipher suite
>>>
>>> Error: Unable to establish IPMI v2 / RMCP+ session
>>>
>>> …and suspected as much since I had to learn anything about the cipher
>>> suites and -C. :-D
>>>
>>> Maybe the version provided by RHEL derivatives has defaults or something?
>>> We’re on RHEL8/9 where we’re seeing it.
>>>
>>> —
>>> #BlackLivesMatter
>>>  ____
>>> || \\UTGERS,     |---------------------------*O*---------------------------
>>> ||_// the State  | Ryan Novosielski - novos...@rutgers.edu
>>> || \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
>>> ||  \\    of NJ  | Office of Advanced Research Computing - MSB A555B, Newark
>>>      `'
>>>
>>>> On Jan 9, 2024, at 16:24, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>>>>
>>>> In what context do you find use of ipmitool with '-C'? I was checking
>>>> the ipmi console backend and it doesn't seem to have that.
>>>>
>>>> rpower and such should try SHA256, fallback to SHA1 (equivalent to -C 3)
>>>>
>>>> The ipmi backend for conserver, if used, doesn't currently attempt a -C 17
>>>> that I see. Newer ipmitool should try 17 and fallback to 3, if that's the
>>>> issue.
>>>>
>>>> From: David Johnson <david_john...@brown.edu>
>>>> Sent: Tuesday, January 9, 2024 11:53 AM
>>>> To: xcat-user@lists.sourceforge.net
>>>> Subject: [External] [xcat-user] Ipmitool support for old BMC cipher suite 3
>>>>
>>>> I’d like to know if there is an option somewhere in xcat to choose -C 3
>>>> for either selected elderly nodes that don’t support suite 17, or use -C 3
>>>> by default for the whole cluster? Thanks!
>>>> -- ddj
>>>> Dave Johnson
>>>>
>>>> _______________________________________________
>>>> xCAT-user mailing list
>>>> xCAT-user@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/xcat-user

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
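
The fallback suggested in the thread ("try default and add -C 3 if it fails (exits within a second or so)"), written out as a shell wrapper. This is an added example, not code from xCAT, confluent or anyone in the thread; the function and variable names, the 2-second threshold and taking the password from `IPMI_PASSWORD` through ipmitool's `-E` option are assumptions.

```shell
#!/bin/sh
# Added example, not xCAT/confluent code. Retry ipmitool with -C 3 only when
# the first attempt fails quickly, which is how a cipher-suite mismatch shows up.
# Assumptions: the password comes from $IPMI_PASSWORD (ipmitool -E); variable
# names and the 2-second threshold are illustrative.

IPMITOOL="${IPMITOOL:-ipmitool}"
IPMI_FAST_FAIL_SECS="${IPMI_FAST_FAIL_SECS:-2}"
IPMI_LAST_SUITE="none"   # "default", "3" or "none" after each call

ipmi_with_fallback() {
    _ipmi_host="$1"; _ipmi_user="$2"
    shift 2
    IPMI_LAST_SUITE="none"

    # First attempt: let ipmitool negotiate the cipher suite itself.
    _ipmi_start=$(date +%s)
    _ipmi_rc=0
    "$IPMITOOL" -I lanplus -H "$_ipmi_host" -U "$_ipmi_user" -E "$@" || _ipmi_rc=$?
    if [ "$_ipmi_rc" -eq 0 ]; then
        IPMI_LAST_SUITE="default"
        return 0
    fi

    # A session that ran for a while and then ended (for example a console
    # that was closed) is not a negotiation failure, so do not downgrade.
    _ipmi_elapsed=$(( $(date +%s) - _ipmi_start ))
    if [ "$_ipmi_elapsed" -gt "$IPMI_FAST_FAIL_SECS" ]; then
        return "$_ipmi_rc"
    fi

    # Fast failure: retry once with cipher suite 3 and log the downgrade so
    # the BMCs that still need it can be tracked.
    echo "ipmi: $_ipmi_host: default negotiation failed, retrying with -C 3" >&2
    _ipmi_rc=0
    "$IPMITOOL" -I lanplus -C 3 -H "$_ipmi_host" -U "$_ipmi_user" -E "$@" || _ipmi_rc=$?
    [ "$_ipmi_rc" -eq 0 ] && IPMI_LAST_SUITE="3"
    return "$_ipmi_rc"
}
```

After sourcing the file, `ipmi_with_fallback master-imm USERID chassis status` runs the command from the thread; `IPMI_LAST_SUITE` then records whether the BMC needed the downgrade.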