MAAS

[2.2] MAAS IPMI autodiscover should enable IPMI-over-LAN if disabled

Bug #1664822 reported by Andres Rodriguez on 2017-02-15

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	MAAS	Fix Released	Wishlist	Andres Rodriguez	MAAS 2.3.0alpha1
	2.2	Won't Fix	High	Andres Rodriguez

Bug Description

So during enlistment:

* we detect the IPMI details and enable network access if necessary
* we test that we can reach the BMC from a rack controller
* we add the secure MAAS credentials for the BMC
* we verify that we can test power
* then we consider the enlistment a success and record the machine
(otherwise, we note the failure and give reasons / pointers in the
GUI and log)

Related branches

~andreserl/maas:lp1664822_2

Merged into maas:master

Mike Pontillo (community): Approve on 2017-07-13

~andreserl/maas:lp1664822

Merged into maas:master

Mike Pontillo (community): Approve on 2017-07-12

Blake Rouse (community): Needs Information on 2017-07-12

Revision history for this message

Andres Rodriguez (andreserl) wrote on 2017-02-15:

To do this we need to compare the output of:

sudo bmc-config --checkout

In two situations:

1. When IPMI-over-LAN is enabled
2. When IPMI-over-LAN is disabled.

Andres Rodriguez (andreserl) on 2017-02-15

Changed in maas:
milestone:	none → 2.2.0
importance:	Undecided → Wishlist
status:	New → Triaged

Andres Rodriguez (andreserl) on 2017-02-16

Changed in maas:
milestone:	2.2.0 → next

Revision history for this message

Jim Tilander (p-jim-8) wrote on 2017-02-17:

Is the output of bmc-config supposed to be run on the actual machine being enlisted, and NOT the rack controller right?

Revision history for this message

Jim Tilander (p-jim-8) wrote on 2017-02-17:

Here is the diff from a Dell R630 machine:

# diff -C 10 with_lan_ipmi_enabled with_lan_ipmi_disabled

*** with_lan_ipmi_enabled 2017-02-17 17:01:39.523540446 +0000
--- with_lan_ipmi_disabled 2017-02-17 17:02:47.667937953 +0000
***************
*** 361,391 ****
  # To enable IPMI over LAN, typically "Access_Mode" should be set to
  # "Always_Available". "Channel_Privilege_Limit" should be set to the highest
  # privilege level any username was configured with. Typically, this is set to
  # "Administrator".
  #
  # "User_Level_Auth" and "Per_Message_Auth" are typically set to "Yes" for
  # additional security.
  #
  Section Lan_Channel
   ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
! Volatile_Access_Mode Always_Available
   ## Possible values: Yes/No
   Volatile_Enable_User_Level_Auth No
   ## Possible values: Yes/No
   Volatile_Enable_Per_Message_Auth No
   ## Possible values: Yes/No
   Volatile_Enable_Pef_Alerting No
   ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
   Volatile_Channel_Privilege_Limit Administrator
   ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
! Non_Volatile_Access_Mode Always_Available
   ## Possible values: Yes/No
   Non_Volatile_Enable_User_Level_Auth No
   ## Possible values: Yes/No
   Non_Volatile_Enable_Per_Message_Auth No
   ## Possible values: Yes/No
   Non_Volatile_Enable_Pef_Alerting No
   ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
   Non_Volatile_Channel_Privilege_Limit Administrator
  EndSection
  #
--- 361,391 ----
  # To enable IPMI over LAN, typically "Access_Mode" should be set to
  # "Always_Available". "Channel_Privilege_Limit" should be set to the highest
  # privilege level any username was configured with. Typically, this is set to
  # "Administrator".
  #
  # "User_Level_Auth" and "Per_Message_Auth" are typically set to "Yes" for
  # additional security.
  #
  Section Lan_Channel
   ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
! Volatile_Access_Mode Disabled
   ## Possible values: Yes/No
   Volatile_Enable_User_Level_Auth No
   ## Possible values: Yes/No
   Volatile_Enable_Per_Message_Auth No
   ## Possible values: Yes/No
   Volatile_Enable_Pef_Alerting No
   ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
   Volatile_Channel_Privilege_Limit Administrator
   ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
! Non_Volatile_Access_Mode Disabled
   ## Possible values: Yes/No
   Non_Volatile_Enable_User_Level_Auth No
   ## Possible values: Yes/No
   Non_Volatile_Enable_Per_Message_Auth No
   ## Possible values: Yes/No
   Non_Volatile_Enable_Pef_Alerting No
   ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
   Non_Volatile_Channel_Privilege_Limit Administrator
  EndSection
  #

Here is the diff from a Dell R630 machine:

# diff -C 10  with_lan_ipmi_enabled with_lan_ipmi_disabled

*** with_lan_ipmi_enabled	2017-02-17 17:01:39.523540446 +0000
--- with_lan_ipmi_disabled	2017-02-17 17:02:47.667937953 +0000
***************
*** 361,391 ****
  # To enable IPMI over LAN, typically "Access_Mode" should be set to
  # "Always_Available". "Channel_Privilege_Limit" should be set to the highest
  # privilege level any username was configured with. Typically, this is set to
  # "Administrator".
  #
  # "User_Level_Auth" and "Per_Message_Auth" are typically set to "Yes" for
  # additional security.
  #
  Section Lan_Channel
  	## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
! 	Volatile_Access_Mode                          Always_Available
  	## Possible values: Yes/No
  	Volatile_Enable_User_Level_Auth               No
  	## Possible values: Yes/No
  	Volatile_Enable_Per_Message_Auth              No
  	## Possible values: Yes/No
  	Volatile_Enable_Pef_Alerting                  No
  	## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
  	Volatile_Channel_Privilege_Limit              Administrator
  	## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
! 	Non_Volatile_Access_Mode                      Always_Available
  	## Possible values: Yes/No
  	Non_Volatile_Enable_User_Level_Auth           No
  	## Possible values: Yes/No
  	Non_Volatile_Enable_Per_Message_Auth          No
  	## Possible values: Yes/No
  	Non_Volatile_Enable_Pef_Alerting              No
  	## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
  	Non_Volatile_Channel_Privilege_Limit          Administrator
  EndSection
  #
--- 361,391 ----
  # To enable IPMI over LAN, typically "Access_Mode" should be set to
  # "Always_Available". "Channel_Privilege_Limit" should be set to the highest
  # privilege level any username was configured with. Typically, this is set to
  # "Administrator".
  #
  # "User_Level_Auth" and "Per_Message_Auth" are typically set to "Yes" for
  # additional security.
  #
  Section Lan_Channel
  	## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
! 	Volatile_Access_Mode                          Disabled
  	## Possible values: Yes/No
  	Volatile_Enable_User_Level_Auth               No
  	## Possible values: Yes/No
  	Volatile_Enable_Per_Message_Auth              No
  	## Possible values: Yes/No
  	Volatile_Enable_Pef_Alerting                  No
  	## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
  	Volatile_Channel_Privilege_Limit              Administrator
  	## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
! 	Non_Volatile_Access_Mode                      Disabled
  	## Possible values: Yes/No
  	Non_Volatile_Enable_User_Level_Auth           No
  	## Possible values: Yes/No
  	Non_Volatile_Enable_Per_Message_Auth          No
  	## Possible values: Yes/No
  	Non_Volatile_Enable_Pef_Alerting              No
  	## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
  	Non_Volatile_Channel_Privilege_Limit          Administrator
  EndSection
  #

Revision history for this message

Andres Rodriguez (andreserl) wrote on 2017-03-28:

Hi Jim,

Thanks for the diff. I'm gonna try to figure out how much configuration would actually be needed to enable IPMI-over-LAN. Once I have the correct config, it should be straightforward to get it done automatically on enlistment/commissioning.

Andres Rodriguez (andreserl) on 2017-05-22

Changed in maas:
milestone:	next → 2.2.1

Andres Rodriguez (andreserl) on 2017-06-20

Changed in maas:
milestone:	2.2.1 → 2.2.x

Andres Rodriguez (andreserl) on 2017-07-08

Changed in maas:
milestone:	2.2.x → 2.3.0
assignee:	nobody → Andres Rodriguez (andreserl)

Revision history for this message

Andres Rodriguez (andreserl) wrote on 2017-07-11:

A proposed solution is available in: https://bugs.launchpad.net/maas/+bug/1703535

Changed in maas:
status:	Triaged → In Progress

Revision history for this message

Marcus Wellnitz (mwellnitz) wrote on 2017-07-11:

Is it possible to backport it to the Ubuntu LTS (16.04) repository?

MAAS Lander (maas-lander) on 2017-07-12

Changed in maas:
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-07-13:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in maas (Ubuntu):
status:	New → Confirmed

Revision history for this message

Andres Rodriguez (andreserl) wrote on 2017-07-13:

This fix will be made available in 2.2.2 which will be backported to Xenial!

no longer affects:

maas (Ubuntu)

Andres Rodriguez (andreserl) on 2017-07-28

Changed in maas:
milestone:	2.3.0 → 2.3.0alpha1

Andres Rodriguez (andreserl) on 2017-08-02

Changed in maas:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1703535

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.