Thursday, May 10, 2012

Enable IPMI Over LAN from the OS using FreeIPMI

Maybe you just heard about how wonderful it is to control your hardware remotely.  Maybe you forgot to configure IPMI Over LAN on a production system's BMC and you don't want to reboot.  Fear not!  Enabling IPMI Over LAN can (usually) be done from the OS using freeipmi.

If you aren't familiar with how to use freeipmi's bmc-config, please check out my post entitled freeipmi *-config tools primer.

Network Configuration

You will need to either set up DHCP or a static address.  This can be done in the Lan_Conf section of bmc-config.

# bmc-config -o -S Lan_Conf -f lan.bmc
# cat lan.bmc
Section Lan_Conf
    ## Possible values: Unspecified/Static/Use_DHCP/Use_BIOS/Use_Others
    IP_Address_Source                             Static
    ## Give valid IP address
    IP_Address                            192.168.123.45
    ## Give valid MAC address
    MAC_Address                        DE:AD:BE:EE:F0:00
    ## Give valid Subnet Mask
    Subnet_Mask                            255.255.255.0
    ## Give valid IP address
    Default_Gateway_IP_Address             192.168.123.1
    ## Give valid MAC address
    Default_Gateway_MAC_Address        00:00:00:00:00:00
    ## Give valid IP address
    Backup_Gateway_IP_Address                    0.0.0.0
    ## Give valid MAC address
    Backup_Gateway_MAC_Address         00:00:00:00:00:00
    ## Give valid unsigned number
    Vlan_id                                       1
    ## Possible values: Yes/No
    Vlan_Id_Enable                                No
    ## Give valid unsigned number
    Vlan_Priority                                 0
EndSection

This section should be mostly self-explanatory.  To switch to DHCP, change IP_Address_Source to "Use_DHCP".

You can update these values one at a time, such as:
# bmc-config -c -e Lan_Conf:IP_Address_Source=Use_DHCP

Or you can edit the file (lan.bmc in the example above) and commit the entire updated file:
# bmc-config -c -f lan.bmc

(In case you missed the note above and are confused about bmc-config syntax, check out my primer on using bmc-config.)

Lan_Channel

In order to actually enable IPMI over LAN, you need to make a few changes to the Lan_Channel section in bmc-config.

# bmc-config -o -S Lan_Channel -f lan_channel.bmc 
# cat lan_channel.bmc
Section Lan_Channel
    ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
    Volatile_Access_Mode                         Always_Available
    ## Possible values: Yes/No
    Volatile_Enable_User_Level_Auth              Yes
    ## Possible values: Yes/No
    Volatile_Enable_Per_Message_Auth             Yes
    ## Possible values: Yes/No
    Volatile_Enable_Pef_Alerting                 Yes
    ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
    Volatile_Channel_Privilege_Limit             Administrator
    ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
    Non_Volatile_Access_Mode                     Always_Available
    ## Possible values: Yes/No
    Non_Volatile_Enable_User_Level_Auth          Yes
    ## Possible values: Yes/No
    Non_Volatile_Enable_Per_Message_Auth         Yes
    ## Possible values: Yes/No
    Non_Volatile_Enable_Pef_Alerting             Yes
    ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
    Non_Volatile_Channel_Privilege_Limit         Administrator
EndSection


Long story short, your config should look something like that.  There are "Volatile" and "Non_Volatile" settings that mean what they sound like.  Set both to be the same.

Be sure to set Access_Mode to "Always_Available"; this is the setting that actually enables IPMI over LAN.  I haven't tested it myself, but you may need to set it to "Shared" if the BMC shares a NIC with the OS.  You almost certainly want to enable both sets of *_Auth settings.  Channel_Privilege_Limit should be set to the highest privilege level used, typically "Administrator".

Enable_Pef_Alerting isn't strictly required to be enabled.  It allows you to send SNMP traps and possibly other alerts when there is a hardware problem.

You probably just need to change these two settings, though there could be others:
# bmc-config -c -e \
Lan_Channel:Volatile_Access_Mode=Always_Available
# bmc-config -c -e \
Lan_Channel:Non_Volatile_Access_Mode=Always_Available

Configuring User/Password

Setting up a new user may not be necessary, but setting a password surely is.  It may currently be set to your vendor's default password.

For user configuration, we will look at the UserN sections of bmc-config.  Let's list all the relevant sections:

# bmc-config -L | grep User
User1
User2
...
User16
Lan_Conf_User_Security

Which user to use depends on your vendor.  For Dells, you use User2.  For the one type of HP system I tried, it is User9.

This will probably find the right user for you:
# for sec in `bmc-config -L |grep User`; do bmc-config -o -S $sec |grep Username | grep -qi 'root\|admin' && echo $sec; done

We'll assume that the user is User2.
# bmc-config -o -S User2
Section User2
    ## Give Username
    Username                                      root
    ## Give password or blank to clear. MAX 16 chars (20 chars if IPMI 2.0 supported).
    ## Password                                  
    ## Possible values: Yes/No or blank to not set
    Enable_User                                   Yes
    ## Possible values: Yes/No
    Lan_Enable_IPMI_Msgs                          Yes
    ## Possible values: Yes/No
    Lan_Enable_Link_Auth                          No
    ## Possible values: Yes/No
    Lan_Enable_Restricted_to_Callback             Yes
    ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
    Lan_Privilege_Limit                           Administrator
    ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
    ## Lan_Session_Limit                         
    ## Possible values: Yes/No
    SOL_Payload_Access                            Yes
EndSection

That's the config for our Dells.  On our HP systems, it is this:
# bmc-config -o -S User9
Section User9
    ## Give Username
    Username                                      root
    ## Give password or blank to clear. MAX 16 chars (20 chars if IPMI 2.0 supported).
    ## Password                                  
    ## Possible values: Yes/No or blank to not set
    Enable_User                                   Yes
    ## Possible values: Yes/No
    Lan_Enable_IPMI_Msgs                          No
    ## Possible values: Yes/No
    Lan_Enable_Link_Auth                          No
    ## Possible values: Yes/No
    Lan_Enable_Restricted_to_Callback             No
    ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
    Lan_Privilege_Limit                           Administrator
    ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
    ## Lan_Session_Limit                         
EndSection


To be completely honest, I'm unsure of the meaning of a few fields.  However, the really important ones are: Username, Password, Enable_User, and Lan_Privilege_Limit.

Username is the username.  Password is the password.  You may notice that the password field is commented out as a security feature.  If you are editing and committing this section as a file, be sure to uncomment the password line and add your password on the end.  Lan_Privilege_Limit should almost certainly be set to Administrator.

Change the password for User2, replacing the example value with your own password:
# bmc-config -c -e "User2:Password=calvin"

Most vendors should also let you set other users, though you typically shouldn't change User1, the anonymous user.

Testing

Try something remote like:
# ipmi-sel -h $bmchostname_or_ip -u root -p "$psw"
# ipmi-sel -h $bmchostname_or_ip -u root -p "$psw" -D LAN_2_0

One of those two should work and return the system event log.  The 2.0 driver is necessary on some BMC versions since some no longer support the default 1.5 protocol.

Troubleshooting

This was only really tested on Dell systems and on one model of HP system.  If you encounter problems, play around with it for a while.  If you used vendor-specific tools to configure a server and it worked, try running diff on the output of "bmc-config -o" from the working server and a non-configured server.  That may point you in the right direction.
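
A raw diff of two checkouts is noisy because of the ## comment lines and the per-host addresses. The script below is an added example, not part of the original post; its function names, file names and sample checkouts are constructed for illustration. It flattens each checkout into the Section:Key=Value form used with "bmc-config -c -e", lists the settings the working server has that the other lacks, and flags Lan_Channel settings whose Volatile and Non_Volatile values differ (the Lan_Channel section above says to keep them the same):

```sh
# Flatten a checkout file into Section:Key=Value lines (the form used with
# `bmc-config -c -e`), dropping ## comments and blank lines.
flatten() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         $1 == "Section"    { sec = $2; next }
         $1 == "EndSection" { sec = ""; next }
         sec != ""          { print sec ":" $1 "=" $2 }' "$1"
}

# Settings present in the working checkout ($1) but absent or different in the
# other ($2). IP_Address and MAC_Address differ per host, so they are skipped.
missing_settings() {
    { flatten "$2" | sed 's/^/B /'; flatten "$1" | sed 's/^/G /'; } |
    awk '$1 == "B" { have[$2] = 1; next }
         !($2 in have) && $2 !~ /:(IP|MAC)_Address=/ { print $2 }'
}

# Lan_Channel keys whose Volatile_ and Non_Volatile_ values disagree.
volatile_mismatches() {
    flatten "$1" | awk -F'[:=]' '$1 == "Lan_Channel" {
             if ($2 ~ /^Volatile_/)     v[substr($2, 10)]  = $3
             if ($2 ~ /^Non_Volatile_/) nv[substr($2, 14)] = $3 }
         END { for (k in v) if (v[k] != nv[k]) print k ": " v[k] " vs " nv[k] }' | sort
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed sample checkouts (not from real hardware).
cat > "$tmp/working.bmc" <<'EOF'
Section Lan_Conf
    IP_Address                     192.168.123.45
EndSection
Section Lan_Channel
    ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
    Volatile_Access_Mode           Always_Available
    Non_Volatile_Access_Mode       Always_Available
EndSection
EOF
# Constructed: only the Non_Volatile setting was committed on this host.
cat > "$tmp/other.bmc" <<'EOF'
Section Lan_Conf
    IP_Address                     192.168.123.46
EndSection
Section Lan_Channel
    Volatile_Access_Mode           Disabled
    Non_Volatile_Access_Mode       Always_Available
EndSection
EOF
missing_settings "$tmp/working.bmc" "$tmp/other.bmc"
volatile_mismatches "$tmp/other.bmc"
```

On real systems, feed it files written with "bmc-config -o -f" on each server.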

Feel free to leave a comment here if you're having trouble.  I'll try to respond quickly.  Also hit up the freeipmi-users mailing list.

Conclusion

Have fun.  Go break stuff.

2 comments:

  1. If I understand correctly, in order to "Enable IPMI Over LAN from the OS using FreeIPMI" you must first have an IP address, correct?

    The BMC must be manually configured to use a static, manually assigned IP address; or a DHCP server is required on the network to provide an IP address.

    I just want to make sure that bmc-config doesn't have a magic layer-2 capability to configure the BMC before an IP address is assigned.

    1. This guide was written under the assumption that the operating system is already installed on the server.

      "I just want to make sure that bmc-config doesn't have a magic layer-2 capability to configure the BMC before an IP address is assigned."
      I assume you're referring to a "magic" configuration option like some unconfigured hardware has where it listens for a special ping packet or something similar. Set some options with the ping command and the hardware configures itself with a new IP when it sees it.

      I haven't seen that option before on a BMC. I suppose a vendor could implement it but I haven't heard of it outside of PDUs or other embedded hardware.
