OK, egg on face -- 
I had neglected to copy the tyan line in tabedit ipmi (same as all the other 
lines for gb and supermicro)

So, rpower now works fine, but rcons still has issues.  The man page for 
ipmitool says -C 3 is default, but
I suspect the code was changed and they forgot to update the man page.

> On Jan 9, 2024, at 6:16 PM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
> 
> Interesting, wonder what the handshake on those would look like...
> 
> The xCAT IPMI.pm tries to open the session with C17, and then when the answer 
> should come back with an error code, then it falls back to equivalent to C3. 
>  Might be interested in a pcap of the attempt to see what is up.  It 
> shouldn't possibly reply '0' if it thinks it's all good, but maybe it fails 
> to reply at all, which might trigger a timeout during that phase instead of a 
> fallback...
> 
> I took a glance at ipmitool source and verified that redhat back to 8.x 
> either includes a new enough version or backports the 'auto-detect c17'.
> 
> You could hard set things back to 3 across the board, however some newer 
> firmware will refuse to work with 3 (because any use of SHA-1 is hunted down, 
> regardless of whether the weakness actually applies, which in IPMI land the 
> SHA-1 weakness doesn't matter since it's in an HMAC).
> 
> You could make an 'ipmic3' console backend and possibly make an 'ipmic3' 
> plugin that is a fork of c3 only for old systems that predate cipher suite 17 
> support.  I would like to see and try out auto-degrade on older systems, but 
> I may not be able to cover it.
> 
> From: David Johnson <david_john...@brown.edu>
> Sent: Tuesday, January 9, 2024 5:41 PM
> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
> Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 
> 3
>  
> We encountered the problem with rpower and gocons when we migrated our 
> cluster this morning from rhel7.9 to rhel9.2.  Most nodes had no issue when I 
> moved the consoles from the old front end to the new one but one batch of 
> tyan gpu nodes timed out on rpower, and couldn’t make a connection with sol.  
> Googling revealed that some BMC firmware would reply that they offer suite 
> 17, but in fact they did not implement it.   Have not looked for updated 
> firmware yet for these ten nodes, looking for an easier fix if possible.  
>   -- ddj
> Dave Johnson
> 
>> On Jan 9, 2024, at 5:31 PM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>> 
>> 
>> In what context do you find use of  ipmitool with '-C'?  I was checking the 
>> ipmi console backend and it doesn't seem to have that.
>> 
>> rpower and such should try SHA256, fallback to SHA1 (equivalent to -C 3)
>> 
>> The ipmi backend for conserver, if used, doesn't currently attempt a -C 17 
>> that I see.  Newer ipmitool should try 17 and fallback to 3, if that's the 
>> issue.
>> 
>> From: David Johnson <david_john...@brown.edu>
>> Sent: Tuesday, January 9, 2024 11:53 AM
>> To: xcat-user@lists.sourceforge.net <xcat-user@lists.sourceforge.net>
>> Subject: [External] [xcat-user] Ipmitool support for old BMC cipher suite 3
>>  
>> I’d like to know if there is an option somewhere in xcat to choose -C 3 for 
>> either selected elderly nodes that don’t support suite 17, or use -C 3 by 
>> default for the whole cluster? Thanks!
>>   -- ddj
>> Dave Johnson
>> 

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
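
The question running through this thread (does a given BMC actually complete a session with cipher suite 17, or only with 3?) as an added example; it is not part of the thread and is not xCAT or ipmitool code. It assumes IPMI_USER and IPMI_PASSWORD are set for the BMCs being checked, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: find the strongest cipher suite each BMC really completes a
# lanplus session with, treating "no reply" the same as "rejected".
# Assumptions: IPMI_USER and IPMI_PASSWORD are set; 17 is tried before 3.

CIPHER_CANDIDATES="${CIPHER_CANDIDATES:-17 3}"

# try_cipher BMC SUITE: exit 0 only if a session opens with the requested SUITE.
try_cipher() {
    # -C requests one specific suite for this attempt.
    # -N 2 -R 1 keep retransmissions short, so a BMC that advertises a suite
    # but never answers fails the attempt instead of stalling the whole run.
    # -E takes the password from IPMI_PASSWORD rather than the command line.
    ipmitool -I lanplus -H "$1" -U "$IPMI_USER" -E -C "$2" -N 2 -R 1 \
        chassis power status >/dev/null 2>&1
}

# probe_cipher BMC: print the first suite that works; exit 1 if none does.
probe_cipher() {
    for candidate in $CIPHER_CANDIDATES; do
        if try_cipher "$1" "$candidate"; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# report BMC...: one line per BMC, "<bmc> <suite>" or "<bmc> none".
# BMCs reported with 3 are the ones that only work over the SHA-1 suite.
report() {
    for bmc in "$@"; do
        if found=$(probe_cipher "$bmc"); then
            echo "$bmc $found"
        else
            echo "$bmc none"
        fi
    done
}

# Usage (hypothetical BMC names): report node01-bmc node02-bmc
```

A BMC reported as "none" failed both suites, which can also mean wrong credentials or no network path, so check those before blaming the cipher negotiation.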
