For console I’m still broken with both goconserver and ipmitool (w/o-C 3). I thought gocons came from confluent — is there a better way to do console now from confluent?
Well, I suspect it works when the amended result was posted that the xCAT fallback did function fine.
So it's a matter of ipmitool's fallback being perhaps too picky or is outright broken.
In xCAT/confluent we try 17 and if failed, just start over at 3.
ipmitool tries to more carefully decide what it's initial attempt will be based on advertised support (I think from a cursory glance). So I could imagine how a strange response to supported ciphers could steer ipmitool wrong when xcat/confluent can fare better.
Unfortunately on our side we deprecated use of ipmitool for console, so I'm a bit rusty in evaluation.
That’s a good question! We don’t currently have a Confluent system running anything newer than RHEL7 managing anything other than DSS-G equipment, but we’re planning to upgrade our management system to RHEL9 soon, or
alternatively could add an additional machine to one of the DSS-G clusters to see.
--
#BlackLivesMatter
____
|| \\UTGERS, |---------------------------*O*---------------------------
||_// the State | Ryan Novosielski - [email protected]
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
|| \\ of NJ | Office of Advanced Research Computing - MSB A555B, Newark
`'
Curious, how does confluent ipmi interaction work against those systems? does it manage to successfully downgrade transparently?
From: Ryan Novosielski via xCAT-user <[email protected]>
Sent: Tuesday, January 9, 2024 5:37 PM
To: xCAT Users Mailing list <[email protected]>
Cc: Ryan Novosielski <[email protected]>
Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 3
I can confirm that that last part is not true:
root@fw01-hpc-hill:/home/novosirj 11:11 PM# ipmitool -U USERID -I lanplus -H master-imm chassis status
Password:
Error in open session response message : no matching cipher suite
Error: Unable to establish IPMI v2 / RMCP+ session
…and suspected as much since I had to learn anything about the cipher suites and -C. :-D
Maybe the version provided by RHEL derivatives has defaults or something? We’re on RHEL8/9 where we’re seeing it.
—
#BlackLivesMatter
____
|| \\UTGERS, |---------------------------*O*---------------------------
||_// the State | Ryan Novosielski - [email protected]
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
|| \\ of NJ | Office of Advanced Research Computing - MSB A555B, Newark
`'
In what context do you find use of ipmitool with '-C'? I was checking the ipmi console backend and it doesn't seem to have that.
rpower and such should try SHA256, fallback to SHA1 (equivalent to -C 3)
The ipmi backend for conserver, if used, doesn't currently attempt a -C 17 that I see. Newer ipmitool should try 17 and fallback to 3, if that's the issue.
I’d like to know if there is an option somewhere in xcat to choose -C 3 for either selected elderly nodes that don’t support suite 17, or use -C 3 by default for the whole cluster? Thanks!
-- ddj
Dave Johnson
_______________________________________________
xCAT-user mailing list
[email protected]
https://apc01.safelinks.protection.outlook.com/?url="">
_______________________________________________
xCAT-user
mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
|
