Re: [xcat-user] 2.16.5 and rcons

[David Johnson]

I think I heard that the problem BMCs claim to support cipher suite 17 but actually don’t.    -- ddj Dave Johnson On May 18, 2024, at 7:47 AM, Markus Hilger <markus.hil...@megware.com> wrote:  Hi David, unfortunately, you can't. For rpower/rvitals/rinv/nodeset etc. xCAT uses its own IPMI implementation in Perl. Previously this was using -C 3 ciphers. The current upstream code will try -C 17 ciphers and fallback to -C 3. Check this: https://github.com/xcat2/xcat-core/pull/6391 ​Mit freundlichen Grüßen / Kind regards Markus Hilger   HPC Engineer   MEGWARE Computer Vertrieb und Service GmbH Tel:          +49 3722 528-47   Nordstraße 19 markus.hil...@megware.com   09247 Chemnitz-Röhrsdorf, Germany www.megware.com   Geschäftsführer: André Singer, Dr. Axel Auweter       Amtsgericht: Chemnitz HRB 584 Von: David Johnson <david_john...@brown.edu> Gesendet: Freitag, 17. Mai 2024 19:31 An: xCAT Users Mailing list <xcat-user@lists.sourceforge.net> Betreff: Re: [xcat-user] 2.16.5 and rcons   Ok, but how can one configure xcat to use some particular set of options for one set of nodes? We can get gocons to work almost everywhere, except one batch of tyan boxes from 2019.    -- ddj Dave Johnson On May 17, 2024, at 12:42 PM, Markus Hilger <markus.hil...@megware.com> wrote:  With the following command you can enable (a) / disable (X) certain ciphers: ipmitool -I lanplus -U XXX -P XXX -H <node>  lan set <channel> cipher_privs aaaaaaaaaaaaaaa This might be useful for some of you. ​Mit freundlichen Grüßen / Kind regards Markus Hilger   HPC Engineer   MEGWARE Computer Vertrieb und Service GmbH Tel:          +49 3722 528-47   Nordstraße 19 markus.hil...@megware.com   09247 Chemnitz-Röhrsdorf, Germany www.megware.com   Geschäftsführer: André Singer, Dr. Axel Auweter       Amtsgericht: Chemnitz HRB 584 Von: Ryan Novosielski via xCAT-user <xcat-user@lists.sourceforge.net> Gesendet: Dienstag, 14. Mai 2024 17:06 An: xCAT Users Mailing list <xcat-user@lists.sourceforge.net> Cc: Ryan Novosielski <novos...@rutgers.edu> Betreff: Re: [xcat-user] 2.16.5 and rcons   What has changed in later releases for RHEL-based OS is the behavior of ipmitool. I don’t know enough about the origins of the ipmitool that xCAT uses or how much it relies on the OS, but we have many systems that require -C 3 in order to connect on I believe both RHEL8 and RHEL9. -- #BlackLivesMatter ____ || \\UTGERS,     |---------------------------*O*--------------------------- ||_// the State  |         Ryan Novosielski - novos...@rutgers.edu || \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus ||  \\    of NJ  | Office of Advanced Research Computing - MSB A555B, Newark      `' On May 14, 2024, at 07:51, Markus Hilger <markus.hil...@megware.com> wrote: Hi, this is really strange because the goconserver should be the very same for quite some time. goconserver-0.3.3-snap202011021058.x86_64.rpm With site.consoleondemand set to yes  the following happens: goconserver reads /var/lib/goconserver/nodes.json and spawns the following command: /opt/xcat/share/xcat/cons/ipmi <node> This will spawn: /opt/xcat/bin/ipmitool-xcat -I lanplus -U XXXXXX -P XXXXXX -H <node>.ipmi sol activate Can you please try to use the sol activate command manually and compare ipmitool-xcat vs. ipmitool? We might want to use ipmitool directly instead of ipmitool-xcat in /opt/xcat/share/xcat/cons/ipmi. Please also try with explicit cipher settings -C 3 -C 17 etc. ​Mit freundlichen Grüßen / Kind regards Markus Hilger   HPC Engineer   MEGWARE Computer Vertrieb und Service GmbH Tel:          +49 3722 528-47   Nordstraße 19 markus.hil...@megware.com   09247 Chemnitz-Röhrsdorf, Germany www.megware.com   Geschäftsführer: André Singer, Dr. Axel Auweter       Amtsgericht: Chemnitz HRB 584 Von: Calvin Sawyer <c.saw...@qmul.ac.uk> Gesendet: Montag, 13. Mai 2024 10:01 An: xcat-user@lists.sourceforge.net <xcat-user@lists.sourceforge.net> Betreff: [xcat-user] 2.16.5 and rcons   Hi We've just migrated to a fresh 2.16.5 in a Rocky9.3 VM using imports from the previous 2.16.3, which has been mostly successful. We can rinstall and perform most r-commands Our test cluster which this xcat manages is comprised of older hardware and is meant to serve as a dress rehearsal for upgrading similarly in our production cluster with newer-gen hardware For the most part, 2.16.5 has been working fine with the notable exception of rcons. Both system types in the test cluster work fine with rcons under 2.16.3 user CentOS7, but under 2.16.5: Flex System x240 and NeXtScale nx360 M5 respond on C3 only, C17 is inoperative (and verified using ipmitool) with error: Error: Unable to establish IPMI v2 / RMCP+ session Error in open session response message : no matching cipher suite Testing on other hardware is complicated by many accepting both C3 and C17 (dell iDrac is one). More contemporary IMM2 allows both cipher suites as well This leads me to think that rcons is still somewhere hardwired to C3.  We downloaded and patched IPMI.pm with the one from https://github.com/xcat2/xcat-core but the issue persists. However, I also don't understand exactly which system or xcat-specific components are involved in operation of goconserver or establishing an rcons connection to track down where the cipher suite is set Cal Sawyer ITS Research Platforms Manager Queen Mary University of London _______________________________________________ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user _______________________________________________ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user _______________________________________________ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user