IPMI101

From CSCWiki
Revision as of 05:03, 3 January 2016 by Jxpryde (talk | contribs)

Guide to IPMI (IPMI 101)

IPMI is a necessary evil. Let’s learn to make the best of it.

Setting up IPMI

  1. Install ipmitool
# apt-get install ipmitool
  2. Load the IPMI modules (they are included in most upstream kernels)

You may also need a kernel module specific to your motherboard's manufacturer, as some BMCs/LOMs do not conform to the IPMI spec and need a translation layer.

// modprobe does not expand globs, so name the modules: ipmi_si is the KCS/SMIC/BT
// system interface, ipmi_devintf provides /dev/ipmi0 (use ipmi_ssif instead of
// ipmi_si for a BMC reached over SMBus)
# modprobe ipmi_msghandler ipmi_devintf ipmi_si
  3. Connect locally through the /dev/ipmi0 interface
# ipmitool shell
> help
> mc info

Securing IPMI

Note that root on the host is root on the BMC (the in-band /dev/ipmi0 interface needs no credentials) and vice versa (the BMC can power-cycle the host and drive its console over Serial over LAN).

  1. User administration

(Re)set the password, rename the admin account to root and delete any extra users, as they can have surprising privilege. You may have to use the BMC's web interface to delete accounts. Pick a long random password: an IPMI 2.0 client that knows a valid username is handed a keyed hash of that user's password during RAKP session setup, before it has authenticated itself, so the password has to survive offline guessing. ipmitool stores passwords of up to 16 characters by default (20 with the IPMI 2.0 length option to user set password).

# ipmitool shell
> user list 1
ID Name ...
2  ADMIN ...
> user set password 2
User id 2: *******
User id 2: *******
> user set username 2 root
// one id at a time, for every id other than 2 that user list shows
> user disable $other_user_id
  2. Disable the NULL password and cipher suite 0

Note that the LAN channel is usually 1 (what ipmitool uses when the channel argument is omitted), but it can sit anywhere in 1-13; channel 0 is normally the IPMB, not a NIC. A BMC with several NICs has one LAN channel per NIC and every one of them needs fixing; channel info $channel reports a channel's medium type. The auth lines remove NONE from the IPMI 1.5 auth types at every privilege level; MD5 there still means an unencrypted session, so use -I lanplus clients. The cipher_privs string is 15 characters, one per cipher suite ID 0-14: X disables the suite and c, u, o or a caps it at callback, user, operator or admin. The string below leaves only suite 3 (RAKP-HMAC-SHA1 authentication, HMAC-SHA1-96 integrity, AES-CBC-128 confidentiality) enabled; suite 0 is unauthenticated and suites 1 and 2 have no encryption.

# ipmitool shell
> lan print $channel
> lan set $channel auth ADMIN MD5
> lan set $channel auth CALLBACK MD5
> lan set $channel auth USER MD5
> lan set $channel auth OPERATOR MD5
> lan set $channel cipher_privs XXXaXXXXXXXXXXX
> lan print $channel

Check from another host that a cipher suite 0 session is now refused while suite 3 still works (-E reads the password from the IPMI_PASSWORD environment variable, keeping it out of ps):

$ ipmitool -I lanplus -C 0 -H $bmc_ip -U root -E mc info
$ ipmitool -I lanplus -C 3 -H $bmc_ip -U root -E mc info

None of this replaces putting the BMC on an isolated management network that only admin hosts can reach.
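As an added example that is not part of the original page (and not CSC tooling), the following shell script audits a BMC's LAN channels for the two things the steps above remove, an auth level that still accepts NONE and a cipher suite 0 that is not disabled, and prints the fixing commands for any channel that fails. It assumes the lan print output layout of ipmitool 1.8 (the "Auth Type Enable" and "Cipher Suite Priv Max" lines); the sample output embedded in it is constructed rather than captured from hardware, and the IPMITOOL variable is the script's own convention for pointing at a stub during dry runs.

```shell
#!/bin/sh
# Added example, not from the CSCWiki page: audit BMC LAN channels for NONE auth
# and cipher suite 0, and print the ipmitool commands that fix a failing channel.
# Assumes the "lan print" layout of ipmitool 1.8. SAMPLE_LAN_PRINT is constructed.
# IPMITOOL may point at a stub for dry runs (script convention, not an ipmitool one).
IPMITOOL="${IPMITOOL:-ipmitool}"

# Build the 15-character cipher_privs string: one slot per cipher suite ID 0..14,
# 'X' (disabled) except the suites listed in $1, which get privilege $2
# (c=callback u=user o=operator a=admin). Suite 0 is never enabled.
cipher_privs() {
    allowed="$1"; priv="$2"; out=""; i=0
    while [ "$i" -le 14 ]; do
        slot=X
        for s in $allowed; do
            if [ "$s" -eq "$i" ] && [ "$i" -ne 0 ]; then slot="$priv"; fi
        done
        out="$out$slot"; i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Read "lan print" output on stdin; print one finding per line, nothing if clean.
lan_audit() {
    awk -F':' '
        /^Auth Type Enable/ { in_auth = 1 }
        !/^Auth Type Enable/ && !/^[ \t]+:/ { in_auth = 0 }
        in_auth {
            # "Auth Type Enable : Callback : NONE MD5 PASSWORD": level in $2, types in $3
            level = $2; sub(/^[ \t]+/, "", level); sub(/[ \t]+$/, "", level)
            if (index(" " $3 " ", " NONE ") > 0) print "auth " level " NONE"
        }
        /^Cipher Suite Priv Max/ {
            # the first character is the maximum privilege granted to cipher suite 0
            privs = $2; sub(/^[ \t]+/, "", privs)
            if (substr(privs, 1, 1) != "X") print "cipher0 " substr(privs, 1, 1)
        }'
}

# Print the commands from the steps above for one channel: MD5 only at every
# privilege level, and cipher suite 3 only, capped at admin.
lan_fix_commands() {
    chan="$1"
    for level in ADMIN CALLBACK USER OPERATOR; do
        printf '%s lan set %s auth %s MD5\n' "$IPMITOOL" "$chan" "$level"
    done
    printf '%s lan set %s cipher_privs %s\n' "$IPMITOOL" "$chan" "$(cipher_privs 3 a)"
}

# Live use: audit each channel given as an argument, e.g. "sh ipmi-audit.sh 1 8".
audit_channels() {
    for chan in "$@"; do
        findings=$("$IPMITOOL" lan print "$chan" 2>/dev/null | lan_audit)
        if [ -n "$findings" ]; then
            printf '# channel %s needs fixing:\n%s\n' "$chan" "$findings"
            lan_fix_commands "$chan"
        fi
    done
}

# Constructed sample of a factory-default channel: NONE enabled for Callback and
# Admin, cipher suite 0 allowed at admin.
SAMPLE_LAN_PRINT='Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
                        : OEM      :
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM'

if [ "$#" -gt 0 ]; then
    audit_channels "$@"
else
    # no channels given: show what the audit reports for the constructed sample
    printf '%s\n' "$SAMPLE_LAN_PRINT" | lan_audit
fi
```

Run it with the channel numbers you found (sh ipmi-audit.sh 1 8) and paste the printed lan set commands into ipmitool shell after reading them; it deliberately does not apply the fix itself, since a wrong channel or a typo here can lock you out of the BMC until you are back at the console.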

Configuring networking

Note once again that there can be several channels. To find the right one, run channel info $channel and lan print $channel on each candidate and confirm with an ARP scanner that the MAC address lan print reports is the one answering on the wire. The LAN channel is usually 1, but I have seen 1, 8 and 17, especially when there are multiple NICs (a dedicated BMC port plus a port shared with the host).

# ipmitool shell
> lan print $channel
> lan set $channel ipsrc static
> lan set $channel ipaddr 10.15.134.?
> lan set $channel defgw ipaddr 10.15.134.1
> lan set $channel netmask 255.255.255.0
// if you have vlan tagging enabled on the switch port, useful for a shared NIC
> lan set $channel vlan id 520

Configuring Serial over LAN

To enable Serial over LAN, make sure it is enabled in your BIOS or EFI setup utility and note which COM port and baud rate it uses; 115200 on the second port (ttyS1 to the kernel, unit 1 to GRUB) is used as an example below, and the BIOS, GRUB and kernel settings all have to match or you get a blank console. In my experience GRUB is the only boot loader that takes input over serial properly; Syslinux failed horribly on corn-syrup.

In /etc/default/grub include:

GRUB_CMDLINE_LINUX="console=tty1 console=ttyS1,115200n8"

GRUB_TERMINAL_INPUT="console serial"
GRUB_TERMINAL_OUTPUT="console serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8 --parity=no --stop=1"

and then run:

// on Debian-based distros
// Yay, Debian magic :\
# update-grub
// on upstream packages (Arch, Fedora, etc.)
# grub-mkconfig -o /boot/grub/grub.cfg

# reboot

Then attach to the console from a remote host (sol info shows the BMC's SOL settings, and ~. ends the session):

$ ipmitool -I lanplus -H $bmc_ip -U root -E sol info
$ ipmitool -I lanplus -H $bmc_ip -U root -E sol activate
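As an added example that is not part of the original page, the following script checks an /etc/default/grub before the reboot: that the ttyS unit and speed on the kernel command line agree with --unit and --speed in GRUB_SERIAL_COMMAND, that the speed agrees with the baud rate set for SOL in the BIOS (passed in by hand, since the script cannot read the BIOS), and that GRUB_TERMINAL_INPUT includes serial so the menu accepts input over SOL. The sample file it writes is constructed from the fragment above; the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the CSCWiki page: sanity-check the serial console settings
# in /etc/default/grub against each other and against the BIOS SOL baud rate before
# rebooting into a console you may not be able to see. Sample file is constructed.

# Print "unit speed" from console=ttyS<unit>,<speed>... in GRUB_CMDLINE_LINUX.
grub_kernel_serial() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*console=ttyS\([0-9][0-9]*\),\([0-9][0-9]*\).*/\1 \2/p' "$1"
}

# Print "unit speed" from --unit= and --speed= in GRUB_SERIAL_COMMAND.
grub_serial_command() {
    line=$(grep '^GRUB_SERIAL_COMMAND=' "$1" || true)
    unit=$(printf '%s\n' "$line" | sed -n 's/.*--unit=\([0-9][0-9]*\).*/\1/p')
    speed=$(printf '%s\n' "$line" | sed -n 's/.*--speed=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$unit" ] && [ -n "$speed" ]; then printf '%s %s\n' "$unit" "$speed"; fi
}

# sol_check <grub-default-file> <bios-sol-baud>: print OK or the first problem found.
# GRUB's --unit=N is the same port the kernel calls ttySN, so both pairs must match.
sol_check() {
    file="$1"; bios_speed="$2"
    kernel=$(grub_kernel_serial "$file")
    serial=$(grub_serial_command "$file")
    if [ -z "$kernel" ]; then
        echo "no console=ttyS<N>,<speed> in GRUB_CMDLINE_LINUX"
    elif [ -z "$serial" ]; then
        echo "no --unit/--speed in GRUB_SERIAL_COMMAND"
    elif [ "$kernel" != "$serial" ]; then
        echo "kernel uses ttyS${kernel%% *} at ${kernel##* }, grub uses unit ${serial%% *} at ${serial##* }"
    elif [ "${kernel##* }" != "$bios_speed" ]; then
        echo "grub/kernel at ${kernel##* } but BIOS SOL at $bios_speed"
    elif ! grep -q '^GRUB_TERMINAL_INPUT=.*serial' "$file"; then
        echo "GRUB_TERMINAL_INPUT lacks serial: the menu will not take input over SOL"
    else
        echo OK
    fi
}

# Write a constructed /etc/default/grub fragment to a temp file and print its path.
sample_grub_default() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
GRUB_CMDLINE_LINUX="console=tty1 console=ttyS1,115200n8"
GRUB_TERMINAL_INPUT="console serial"
GRUB_TERMINAL_OUTPUT="console serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8 --parity=no --stop=1"
EOF
    printf '%s\n' "$f"
}

# Usage: sh sol-check.sh /etc/default/grub 115200
if [ "$#" -eq 2 ]; then
    sol_check "$1" "$2"
fi
```

The unit mismatch is the case worth testing for: a kernel line on ttyS1 with GRUB on --unit=0 gives you a GRUB menu over SOL and then silence once the kernel starts, which looks exactly like a hung boot.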