The Open Compute Project

ipmitool 1.8.12 needs -C3 to work with lanplus

Bug #1176202 reported by Jason Sievert
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ipmitool
Unknown
Unknown
The Open Compute Project
Confirmed
Undecided
Unassigned
ipmitool (Debian)
Fix Released
Unknown
ipmitool (Fedora)
Fix Released
High
ipmitool (Ubuntu)
Fix Released
Medium
Robie Basak

Bug Description

With the new version of ipmitool, 1.8.12, you need to include a default option of -C3 for lanplus to work with OCP. Without -C3 ipmitool comes back with invalid role. Using -vvvvvvv to debug there is a difference in the open session request.

Without -C3

IPMI Request Match found
removed list entry seq=0x00 cmd=0x38
>> SENDING AN OPEN SESSION REQUEST

>> sending packet (48 bytes)
 06 00 ff 07 06 10 00 00 00 00 00 00 00 00 20 00
 00 00 00 00 a4 a3 a2 a0 00 00 00 08 01 00 00 00
 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00

With -C3

IPMI Request Match found
removed list entry seq=0x00 cmd=0x38
>> SENDING AN OPEN SESSION REQUEST

>> sending packet (48 bytes)
 06 00 ff 07 06 10 00 00 00 00 00 00 00 00 20 00
 00 00 00 00 a4 a3 a2 a0 00 00 00 08 01 00 00 00
 01 00 00 08 01 00 00 00 02 00 00 08 01 00 00 00

Revision history for this message
In , Roland (roland-redhat-bugs) wrote :

Description of problem:
"ipmitool sol activate" can not open session. Tried with Intel S1200BT & S3420GP & S5520HC MoBos. It was work in 17 and works again if I downgrade to ipmitool-1.8.11-11.fc17.x86_64 on f18.

Version-Release number of selected component (if applicable):
ipmitool-1.8.12-5.fc18.x86_64

How reproducible:
100%

Steps to Reproduce:
1. IPMI_PASSWORD=*** ipmitool -I lanplus -U <username> -E -H <ipmi_lan_addr> sol activate

Actual results:
"Info: cannot activate SOL payload with encryption"

Additional info:
I compiled upstream (unpatched) packages from Sourceforge with my f18 and I found the problem is at upstream: ipmitool-1.8.12 fails, 1.8.11 works - same configure options and exactly same environment. I have not found a working setup or any workaround with 1.8.12.

Revision history for this message
In , Ales (ales-redhat-bugs) wrote :

Hello,

Could you please retry the ipmitool-1.8.12-5.fc18.x86_64 adding the option "-c 3" against the same hardware?

Thank you.

Revision history for this message
In , Ales (ales-redhat-bugs) wrote :

-C 3 (not -c 3) sorry for the confusion

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

ipmitool-1.8.12-6.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ipmitool-1.8.12-6.fc18

Revision history for this message
In , Roland (roland-redhat-bugs) wrote :

Option "-C 3" works! Thanks!

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

ipmitool-1.8.12-6.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
Jason Sievert (jsievert) wrote :

Debug output with -C3

summary: - ipmitool 1.8.12 needs -C3 to work with labplus
+ ipmitool 1.8.12 needs -C3 to work with lanplus
Revision history for this message
Jason Sievert (jsievert) wrote :

Debug output without -C3 option

Samantha Jian-Pielak (samantha-jian)
Changed in opencompute:
status: New → Confirmed
Revision history for this message
Samantha Jian-Pielak (samantha-jian) wrote :

ipmitool 1.8.11-5ubuntu1 works with lanplus interface without specifying -C3.

Revision history for this message
Samantha Jian-Pielak (samantha-jian) wrote :

listed cipher suites supported on the remote BMC

channel getciphers ipmi 0x1
ID IANA Auth Alg Integrity Alg Confidentiality Alg
3 N/A hmac_sha1 hmac_sha1_96 aes_cbc_128
8 N/A hmac_md5 hmac_md5_128 aes_cbc_128
17 N/A Unknown (0x03) Unknown (0x03) aes_cbc_128

current configuration on this channel
lan print
Set in Progress : Set Complete
Auth Type Support : MD5
Auth Type Enable : Callback :
                        : User : MD5
                        : Operator : MD5
                        : Admin : MD5
                        : OEM :
IP Address Source : DHCP Address
IP Address : 192.168.145.223
Subnet Mask : 255.255.255.0
MAC Address : 08:9e:01:62:af:cf
BMC ARP Control : ARP Responses Enabled, Gratuitous ARP Disabled
802.1q VLAN ID : Disabled
802.1q VLAN Priority : 0
RMCP+ Cipher Suites : 3,8,17
Cipher Suite Priv Max : aaaXXXXXXXXXXXX
                        : X=Cipher Suite Unused
                        : c=CALLBACK
                        : u=USER
                        : o=OPERATOR
                        : a=ADMIN
                        : O=OEM

Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

This sounds like a regression between 1.8.11-5ubuntu1 and 1.8.12 (please could you clarify the exact package version with the problem?). It seems likely to me that this has been carried through from an upstream regression. Or perhaps we've accidentally dropped a patch.

Please could you test the upstream version compiled from source, and file a bug upstream if appropriate? It would be better not to introduce a delta against upstream for this, so if this issues applies upstream and they can fix the issue, then that would be the best way to resolve this problem.

Marking Importance: Medium as a workaround is available.

tags: added: needs-upstream-report
Changed in ipmitool (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Samantha Jian-Pielak (samantha-jian) wrote :

It's been reported upstream:
Default lanplus ciphersuite is now 0 instead of 3 - ID: 3571371
http://sourceforge.net/tracker/index.php?func=detail&aid=3571371&group_id=95200&atid=610550

The resolution is to revert the change.
http://ipmitool.cvs.sourceforge.net/viewvc/ipmitool/ipmitool/lib/ipmi_main.c?r1=1.38&r2=1.39

Robie Basak (racb)
Changed in ipmitool (Ubuntu):
status: New → In Progress
assignee: nobody → Robie Basak (racb)
tags: removed: needs-upstream-report
Revision history for this message
Robie Basak (racb) wrote :

Thanks for tracking this down, Samantha.

I hadn't realised that we'd already synced with Debian in Saucy after they picked up our changes. I've filed a bug in Debian for a cherry-pick of this fix. We'll auto-sync as soon as Debian fixes the bug - that way we can stay synced.

If Debian haven't addressed the bug nearer Saucy release time, we can introduce an Ubuntu delta to fix this in time for release - please poke me if so and I'll get it done.

Changed in ipmitool (Ubuntu):
status: In Progress → Triaged
Revision history for this message
Robie Basak (racb) wrote :

I'm hesitant to suggest an SRU for this, since a fix would necessarily break users on Raring depending on -C0 as the default. Opinions welcome.

Bug Watch Updater (bug-watch-updater)
Changed in ipmitool (Debian):
status: Unknown → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ipmitool - 1.8.12-1ubuntu1

---------------
ipmitool (1.8.12-1ubuntu1) saucy; urgency=low

  * d/p/revert_default_cipher_suite_id: cherry-pick upstream reversion of
    regressed default protocol selection (LP: #1176202).
 -- Robie Basak <email address hidden> Thu, 01 Aug 2013 15:44:03 +0000

Changed in ipmitool (Ubuntu):
status: Triaged → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in ipmitool (Debian):
status: New → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in ipmitool (Fedora):
importance: Unknown → High
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.