MAAS

MAAS should not require an IPMI Administrator user to commission/deploy a node

Bug #1889788 reported by Victor Tapia
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
Fix Released
High
Lee Trager
MAAS 2.9.0b1
2.7
Fix Released
High
Lee Trager
MAAS 2.7.3rc1
2.8
Fix Released
High
Lee Trager
MAAS 2.8.2rc1

Bug Description

According to the spec[1], for IPMI users is enough to have the Operator privilege level to handle the power and device boot order of a node. Downgrading the privilege level of the maas IPMI user from Administrator to Operator in an HP iLO4 makes the power on process, for both commissioning and deploying, fail in MAAS with the following error:

/usr/sbin/ipmi-config: privilege level cannot be obtained for this user

This issue appears because ipmi-chassis-config tries to run with an Administrator privilege level by default. Adding the '-l OPERATOR' parameter to the command line seems to fix this issue.

Also, the privilege level (Lan_Privilege_Limit) for the maas IPMI user is set to Administrator when it's created/updated. Is there a reason for that? For iLO4, setting the privilege level to Operator and the ipmi-chassis-config parameter makes the deployment work fine with the limited privilege level.

[1] https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ipmi-second-gen-interface-spec-v2-rev1-1.pdf

Tags: sts seg

Related branches

~ltrager/maas:lp1889788_2.7
MAAS Lander: Approve
Lee Trager (community): Approve
Diff: 132 lines (+27/-7)
6 files modified
src/provisioningserver/drivers/power/ipmi.py (+10/-2)
src/provisioningserver/drivers/power/moonshot.py (+3/-1)
src/provisioningserver/drivers/power/seamicro.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_ipmi.py (+5/-1)
src/provisioningserver/drivers/power/tests/test_moonshot.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_seamicro.py (+3/-1)
~ltrager/maas:lp1889788_2.8
MAAS Lander: Approve
Lee Trager (community): Approve
Diff: 132 lines (+27/-7)
6 files modified
src/provisioningserver/drivers/power/ipmi.py (+10/-2)
src/provisioningserver/drivers/power/moonshot.py (+3/-1)
src/provisioningserver/drivers/power/seamicro.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_ipmi.py (+5/-1)
src/provisioningserver/drivers/power/tests/test_moonshot.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_seamicro.py (+3/-1)
~ltrager/maas:lp1889788_2.8
Superseded for merging into maas:master
Lee Trager (community): Approve
MAAS Lander: Pending (unittests) requested
~ltrager/maas:lp1889788
MAAS Lander: Approve
Adam Collard (community): Approve
Diff: 132 lines (+27/-7)
6 files modified
src/provisioningserver/drivers/power/ipmi.py (+10/-2)
src/provisioningserver/drivers/power/moonshot.py (+3/-1)
src/provisioningserver/drivers/power/seamicro.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_ipmi.py (+5/-1)
src/provisioningserver/drivers/power/tests/test_moonshot.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_seamicro.py (+3/-1)
Lee Trager (ltrager)
Changed in maas:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Lee Trager (ltrager)
Revision history for this message
Lee Trager (ltrager) wrote :

The ipmipower command uses OPERATOR by default while both ipmi-chassis-config and ipmitool use ADMIN by default. I've updated MAAS to always interact with IPMI BMC's using the OPERATOR level. For basic IPMI machines MAAS only uses the ipmipower command so most users won't be effected by this change. This does change the privilege level for both HP Moonshot/iLo and Seamicro users. We don't have either chassis in our CI so I can't test if this change works or breaks anything. Please test the attached branch and let me know if it solves this bug.

I'm not sure of the exact reason the MAAS IPMI user is created as admin. The code was written before I joined and there aren't comments explaining why. I will say from personal experience I've found it useful in debugging issues both in the MAAS CI and in the field. I can use the MAAS created IPMI user to access the console over IPMI and log into the BMC's web console to change BIOS settings.

I think we should discuss changing the privilege level separately.

Dominique Poulain (dominique-poulain)
tags: added: sts
MAAS Lander (maas-lander)
Changed in maas:
milestone: none → next
status: In Progress → Fix Committed
Revision history for this message
Lee Trager (ltrager) wrote :

I've backported this to 2.7 and 2.8. Please let me know if 2.4(bionic-updates) or 2.3(xenial-updates) need this as well.

Adam Collard (adam-collard)
Changed in maas:
milestone: next → 2.9.0b1
Revision history for this message
Victor Tapia (vtapia) wrote :

Thanks for the patch Lee, and sorry for the late reply. I tried to find moonshot and seamicro machines without success, but according to the moonshot documentation[1], both booting and setting the boot device should be achievable by operator users (haven't found anything about seamicro, but the company/brand died in 2015). I confirmed that 2.7 and 2.8 work fine with HP iLOs from different generations.

I'll open a different bug to discuss the creation of the maas user as an operator instead of an admin. Regarding backports, 2.4 and 2.3 are not needed unless the privilege level on user creation is changed for those releases.

[1]
https://techlibrary.hpe.com/docs/enterprise/servers/moonshot/webhelp/content/s_Set_node_boot_201303060333.html
https://techlibrary.hpe.com/docs/enterprise/servers/moonshot/webhelp/content/s_Set_node_power_201303060339.html

Lee Trager (ltrager)
Changed in maas:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.