I want to add some additional information regarding ipmitool and xCAT.

ipmitool

From the latest ipmitool man page:

       -C <ciphersuite>
              The remote server authentication, integrity, and encryption algorithms to use for IPMIv2.0 lanplus connections. See table 22-20 in the IPMI v2.0 specification. The default is 17 which specifies RAKP-HMAC-SHA256 authentication, HMAC-SHA256-128 integrity, and AES-CBC-128 encryption algorithms.

              NOTE: In ipmitool 1.8.18 and earlier the default was 3, which was insecure and was not supported by some more recent BMC implementations.

EL8/9 distros are still using ipmitool 1.8.18.
Despite the man page saying cipher 3 is default in ipmitool 1.8.18, ipmitool 
will always try to use the best cipher suite available as Jarrod mentioned. You 
can check this with verbosity: -v
ipmitool shows something like: "Using best available cipher suite 17"

xCAT

Current xCAT IPMI cmds (rpower/rvitals/rinv/rsetboot etc.) do not try cipher 
suite 17. Right now, cipher suite 3 is hardcoded.
For xCAT to default to cipher suite 17 and fallback to cipher suite 3 you need 
to merge this PR: https://github.com/xcat2/xcat-core/pull/6391

Note: Lenovo's xCAT version is different. It has been using cipher suite 17 by 
default for quite some time.

You can easily check if your xCAT version supports cipher suite 17 with:
# C17 supported, with fallback to C3
[root@xcat ~]# grep sha256 /opt/xcat/lib/perl/xCAT/IPMI.pm
        Digest::SHA->import(qw/sha1 hmac_sha256/);
        Digest::SHA->import(qw/sha1 hmac_sha256/);
      $self->{hshfn} = \&hmac_sha256;
        0, 0, 0, 8, 3, 0, 0, 0,     #table 13-17, request sha256
        1, 0, 0, 8, 4, 0, 0, 0);    #sha256 integrity

# C17 unsupported, using C3
[root@xcat ~]# grep sha256 /opt/xcat/lib/perl/xCAT/IPMI.pm
[root@xcat ~]#

The next xCAT release will most likely come with cipher suite 17 support.

Kind regards

Markus Hilger
HPC Engineer

MEGWARE Computer Vertrieb und Service GmbH
Tel: +49 3722 528-47
Nordstraße 19
markus.hil...@megware.com
09247 Chemnitz-Röhrsdorf, Germany
www.megware.com

Managing directors: André Singer, Axel Auweter
District court: Chemnitz HRB 584
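As an added example (not code from this thread, from xCAT or from ipmitool), the following POSIX shell wrapper does for a plain ipmitool invocation what Markus describes xCAT doing and what Jarrod suggests further down: use the tool's default cipher-suite negotiation first and retry with -C 3 only when the BMC answers with the "no matching cipher suite" error shown in Ryan's output. The function names, the IPMITOOL variable and the LAST_SUITE marker are assumptions of this example; -I lanplus, -H, -U, -E (password from the IPMI_PASSWORD environment variable) and -C are real ipmitool options.

```shell
#!/bin/sh
# Added example, not from the thread, xCAT or ipmitool: run an ipmitool lanplus
# command with the tool's default cipher-suite negotiation and fall back to the
# legacy cipher suite 3 only when the BMC rejects the negotiated suite.
# The command name comes from $IPMITOOL so a fake can be substituted for testing.
IPMITOOL="${IPMITOOL:-ipmitool}"

# Recognise the specific negotiation failure quoted in the thread so that other
# failures (bad credentials, unreachable BMC) are NOT retried with a weaker suite.
is_cipher_mismatch() {
    # $1 = captured output of the failed attempt
    case "$1" in
        *"no matching cipher suite"*) return 0 ;;
        *) return 1 ;;
    esac
}

# ipmi_run HOST USER CMD...  runs: ipmitool -I lanplus -H HOST -U USER -E CMD...
# The password is read by ipmitool from IPMI_PASSWORD (-E), never from argv.
# Exit status is ipmitool's; LAST_SUITE records which attempt succeeded
# ("default" or "3") so callers can inventory BMCs still needing the old suite.
ipmi_run() {
    host="$1"; user="$2"; shift 2
    LAST_SUITE=""
    rc=0
    out=$("$IPMITOOL" -I lanplus -H "$host" -U "$user" -E "$@" 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
        LAST_SUITE="default"
        printf '%s\n' "$out"
        return 0
    fi
    if is_cipher_mismatch "$out"; then
        echo "ipmi_run: $host rejected the default cipher suite, retrying with -C 3" >&2
        rc=0
        out=$("$IPMITOOL" -I lanplus -H "$host" -U "$user" -E -C 3 "$@" 2>&1) || rc=$?
        if [ "$rc" -eq 0 ]; then
            LAST_SUITE="3"
        fi
    fi
    printf '%s\n' "$out"
    return "$rc"
}

# Example invocation (assumes IPMI_PASSWORD is exported):
#   ipmi_run bmc-node01 USERID chassis status
```

Logging every call that ends with LAST_SUITE=3 gives an inventory of the BMCs that still depend on the SHA1-based suite, which is what you need in order to retire the fallback once those nodes are gone.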

________________________________
From: Don Avart <dav...@redlineperf.com>
Sent: Wednesday, 10 January 2024 17:24
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 3

Jarrod,
Would/could goconserver from Confluent be brought into xCAT relatively easily?
----
Don Avart
CTO
RedLine Performance Solutions, LLC
(703) 634-5686
dav...@redlineperf.com

On Jan 10, 2024, at 11:09 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:

gocons is 'goconserver'.  confluent has a baked in console handler for ipmi 
that is written in python.

One could imagine a modification to the ipmitool invocation to try default and 
add -C 3 if it fails (exits within a second or so)
________________________________
From: David Johnson <david_john...@brown.edu>
Sent: Wednesday, January 10, 2024 11:02 AM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 3

For console I’m still broken with both goconserver and ipmitool (w/o
-C 3). I thought gocons came from confluent — is there a better way to do 
console now from confluent?
  -- ddj
Dave Johnson

On Jan 10, 2024, at 10:44 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:


Well, I suspect it works when the amended result was posted that the xCAT 
fallback did function fine.

So it's a matter of ipmitool's fallback being perhaps too picky or is outright 
broken.

In xCAT/confluent we try 17 and if failed, just start over at 3.

ipmitool tries to more carefully decide what its initial attempt will be based 
on advertised support (I think from a cursory glance).  So I could imagine how 
a strange response to supported ciphers could steer ipmitool wrong when 
xcat/confluent can fare better.

Unfortunately on our side we deprecated use of ipmitool for console, so I'm a 
bit rusty in evaluation.
________________________________
From: Ryan Novosielski <novos...@rutgers.edu>
Sent: Tuesday, January 9, 2024 10:23 PM
To: Jarrod Johnson <jjohns...@lenovo.com>
Cc: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 3

That’s a good question! We don’t currently have a Confluent system running 
anything newer than RHEL7 managing anything other than DSS-G equipment, but 
we’re planning to upgrade our management system to RHEL9 soon, or alternatively 
could add an additional machine to one of the DSS-G clusters to see.

--
#BlackLivesMatter
____
|| \\UTGERS,     |---------------------------*O*---------------------------
||_// the State  |         Ryan Novosielski - novos...@rutgers.edu
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
||  \\    of NJ  | Office of Advanced Research Computing - MSB A555B, Newark
     `'

On Jan 9, 2024, at 18:16, Jarrod Johnson <jjohns...@lenovo.com> wrote:

Curious, how does confluent ipmi interaction work against those systems?  Does 
it manage to successfully downgrade transparently?
________________________________
From: Ryan Novosielski via xCAT-user <xcat-user@lists.sourceforge.net>
Sent: Tuesday, January 9, 2024 5:37 PM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Cc: Ryan Novosielski <novos...@rutgers.edu>
Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 3

I can confirm that that last part is not true:

root@fw01-hpc-hill:/home/novosirj 11:11 PM# ipmitool -U USERID -I lanplus -H 
master-imm chassis status
Password:
Error in open session response message : no matching cipher suite

Error: Unable to establish IPMI v2 / RMCP+ session

…and suspected as much since I had to learn anything about the cipher suites 
and -C. :-D

Maybe the version provided by RHEL derivatives has defaults or something? We’re 
on RHEL8/9 where we’re seeing it.

—
#BlackLivesMatter
____
|| \\UTGERS,     |---------------------------*O*---------------------------
||_// the State  |         Ryan Novosielski - novos...@rutgers.edu
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
||  \\    of NJ  | Office of Advanced Research Computing - MSB A555B, Newark
     `'

On Jan 9, 2024, at 16:24, Jarrod Johnson <jjohns...@lenovo.com> wrote:

In what context do you find use of ipmitool with '-C'?  I was checking the 
ipmi console backend and it doesn't seem to have that.

rpower and such should try SHA256, fallback to SHA1 (equivalent to -C 3)

The ipmi backend for conserver, if used, doesn't currently attempt a -C 17 that 
I see.  Newer ipmitool should try 17 and fallback to 3, if that's the issue.
________________________________

From: David Johnson <david_john...@brown.edu>
Sent: Tuesday, January 9, 2024 11:53 AM
To: xcat-user@lists.sourceforge.net
Subject: [External] [xcat-user] Ipmitool support for old BMC cipher suite 3

I’d like to know if there is an option somewhere in xcat to choose -C 3 for 
either selected elderly nodes that don’t support suite 17, or use -C 3 by 
default for the whole cluster? Thanks!
  -- ddj
Dave Johnson

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net<mailto:xCAT-user@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/xcat-user