Lopsa Feb 2016
Chris Layton
R&D Linux System
Engineering @ ORNL
laytoncc@ORNL.gov
linux@misterx.org
http(s)://misterx.org/LOPSA_Feb_2016.pdf
Terminology
OOB/LOM
IPMI
${WHAT_VENDORS_CALL_THEIR_STUFF}
What is it!
- Sometimes called lights out management (LOM), Out of Band management is a way to access a system independent of the main hardware's operating system.
- Usually a device running Linux serving some sort of remote access based around the IPMI standard.
IPMI
(Definition from Wikipedia)
HP iLO
Dell - iDRAC
Supermicro SIM
https://fsf.org/blogs/community/active-management-technology
AD auth/Two Factor
MORE
Tools
Tool (very) Short List
ipmitool (open - has hooks to add features on Dells via delloem flag)
Keep in mind a tool can only do so much. To get more functionality, learn and use RAW commands!
racadm (Dell)
hponcfg (HP)
ribcl (HP)
Ipmicfg (Supermicro)
Alerting / Monitoring
And more.
Remote access
Virtual Console/Serial
Web Interface
VNC
Power Management
Virtual Media
And more...
The ones I listed just scratch the surface of what you can do!
MORE
Start Time
Finish Time
Reading
: 352.0 kWh
Statistic
Start Time
Peak Time
: on
: UNIMPLEMENTED
: UNIMPLEMENTED
Dell 6220
Power is
: on
: 123 Watts
: ---
: 381 Watts
:0
: no
: limit power via hardware
Excellent Question :
My answer :
In many, but not all instances, I find that the more it deviates from the IPMI standard (aka extra vendor special sauce) the greater the need is to use vendor tools.
ComponentType = BIOS
ElementName = BIOS
FQDD = BIOS.Setup.1-1
InstallationDate = 2015-09-16T20:49:43Z
Current Version = 1.0.3
------------------------------------------------------------------​
ComponentType = FIRMWARE
ElementName = SAS2008 FW v0.94
FQDD = RAID.Mezzanine.1A-1
InstallationDate = 2015-09-16T20:02:51Z
Current Version = 00.00.00.00
------------------------------------------------------------------​
ComponentType = APPLICATION
ElementName = Lifecycle Controller
FQDD = USC.Embedded.1:LC.Embedded.1
InstallationDate = 2015-09-16T19:59:49Z
Current Version = 2.14.14.12
------------------------------------------------------------------​
ComponentType = APPLICATION
ElementName = Dell 32 Bit uEFI Diagnostics, version 4239, 4239A22, 4239.30
FQDD = Diagnostics.Embedded.1:LC.Embedded.1
InstallationDate = 2015-09-16T23:16:52Z
Current Version = 4239A22
------------------------------------------------------------------​
ComponentType = APPLICATION
ElementName = Dell OS Driver Pack, 15.05.10, A00
FQDD = DriverPack.Embedded.1:LC.Embedded.1
InstallationDate = 2015-09-16T23:16:52Z
Current Version = 15.05.10
------------------------------------------------------------------​
ComponentType = APPLICATION
ElementName = OS COLLECTOR 1.1, OSC_1.1, A00
FQDD = OSCollector.Embedded.1
InstallationDate = 2015-09-16T23:16:52Z
Current Version = OSC_1.1
------------------------------------------------------------------​
ComponentType = FIRMWARE
ElementName = System CPLD
FQDD = CPLD.Embedded.1
InstallationDate = 2015-09-16T19:59:49Z
Current Version = 1.0.0
Physical Connections
Also via
SoL
SSH
Raid Controller
BIOS
Many others...
Record relevant status and settings in CMDB
If anything fails stop and notify admin via LCD flash or similar
(racadm)
676 root 0 SW< [cryptodev_queue]
689 root 3828 S /bin/sh
721 root 0 SW [kjournald]
722 root 0 SW [kjournald]
723 root 0 SW [kjournald]
726 root 0 SW [kjournald]
740 root 0 SW [kkcs]
783 root 0 SWN [jffs2_gcd_mtd7]
843 root 0 SW [dell_fpdrv thre]
848 root 0 SW< [bond0]
905 root 1776 S /sbin/watchdog
934 messageb 2840 S /usr/bin/dbus-daemon --system --address=systemd: --n
1000 root 0 SW< [loop7]
1004 root 0 SW< [kdmflush]
1005 root 0 SW< [kcryptd_io]
1006 root 0 SW< [kcryptd]
1012 root 0 SW [kjournald]
1031 root 0 SW [kjournald]
1099 root 11488 S /sbin/aim
1102 root 14492 S /usr/sbin/dsm_sa_datamgrd
1103 root 12408 S /avct/sbin/os
1104 root 6096 S /usr/bin/syscallagent
1108 root 14364 S /usr/sbin/dsm_sa_popproc lclpop
1109 root 52760 S {SoftTimer} /bin/fullfw
1142 root 14188 S /usr/sbin/dsm_sa_popproc lmpop
1285 root 12020 S /avct/sbin/pm
1288 root 14212 S /usr/sbin/dsm_sa_snmpd
1289 root 0 SW [MSD-0]
1338 root 13840 S /usr/sbin/dsm_sa_eventmgrd
1351 root 2232 S /sbin/syslogd -m 0
1354 root 12112 S /usr/bin/fmgr
1426 root 11636 S /usr/bin/tm
1766 root 0 SW [MSD1-0]
1818 root 0 SW< [sh_pbi_wq]
1822 root 0 SW [UsbEventMonitor]
1823 root 0 SW [PchDeviceRemova]
1957 root 34420 S {START} /avct/sbin/osinet
1961 root 6204 S /sbin/vfk
1967 root 3824 S {dhclient_daemon} /bin/sh /sbin/dhclient_daemon
1968 root 1888 S /usr/sbin/ifplugd -i bond0 -afqIn -u0 -d0 -miff
1974 root 8148 S /bin/ipmi_gateway
1986 root 6792 S /bin/fb_vnc_server
1990 root 9396 S /bin/fb_source
1996 root 8072 S /usr/sbin/raclogd
2020 root 9324 S /bin/jdaemon
2066 root 20276 S /sbin/avct_server
2070 root 7516 S /sbin/vkvm_pm
2163 root 6612 S /sbin/sshd -g 60
2214 root 16356 S /bin/maserserver
2215 root 3752 S {cfgbkup.sh} /bin/sh /etc/sysapps_script/cfgscripts/
2220 root 4820 S /usr/sbin/mrcached
2249 root 3752 S /sbin/crond -b
2291 root 26604 S /usr/local/bin/appweb --config /var/run/appweb.conf
2398 root 9288 S /bin/mctpd
2411 root 30996 S /usr/sbin/ipmiextd
2422 root 24072 S /usr/sbin/dsm_sa_popproc iracpop
Genmask Flags MSS Window irtt Iface
0.0.0.0 UG 0 0 0 bond0
255.255.255.0 U 0 0 0 bond0
OOM situations (see code at end for example memory check for Dells)
Local OS tools locking up that interact with the OOB/LoM device
Security
If you have port 49152 on your network and you have SM systems, you could be compromised!
From a Competitor
From a Hacker
Uses power cycle and SoL to reboot machine into single user mode (you password grub right?!)
Just scratching the surface of the nasty things an OOB hack can do to your system!
Securing OOB
Easy
Use lanplus (AKA IPMI v2.. it's been around since 2004ish) for connections
Check OOB firmware with the same frequency as hardware, and always for major exploits!
Moderate
If no proxy is present and the network is not confirmed secure, consider locking down with the IPMI firewall if all devices support it
Ensure you are using a strong cipher in the client and lock weak ones out at the OOB device (bmcconfig)
Log and audit traffic leaving your management network. Very few reasons it should!
Include OOB devices in security audits/reports (NMAP NSE is a good tool to help with this!)
Complicated
Get OOB configuration under configuration management and enforce changes there.
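A defender-side check for the cipher item above, as an added example (not from the talk or the author's scripts): it reads `ipmitool lan print` text and flags cipher suite 0, the suites that carry no encryption (1, 2, 6, 7, 11 in the IPMI 2.0 table) and auth type NONE, then prints a tightened string for `ipmitool lan set <channel> cipher_privs`. The sample output and the 192.0.2.50 address are constructed, and reading each position of `Cipher Suite Priv Max` as that suite number follows the ipmitool man page.

```shell
#!/bin/sh
# Added example: audit `ipmitool lan print` text for weak RMCP+ settings.

# Constructed sample of `ipmitool -I lanplus ... lan print` output.
sample_lan_print() {
cat <<'EOF'
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address              : 192.0.2.50
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
EOF
}

# Reads lan print text on stdin, prints one finding per line.
audit_lan_print() {
  awk -F' *: *' '
    # Suites 1,2,6,7,11 authenticate but do not encrypt the session.
    BEGIN { split("1 2 6 7 11", w, " "); for (k in w) noenc[w[k]] = 1 }
    $1 != "" { section = $1 }   # continuation lines have an empty label
    section == "Auth Type Enable" && $3 ~ /(^| )NONE( |$)/ {
      print "WARN auth type NONE enabled for " $2
    }
    $1 == "Cipher Suite Priv Max" {
      sub(/[ \t\r]+$/, "", $2)  # drop trailing whitespace before comparing
      fixed = ""
      for (i = 1; i <= length($2); i++) {
        c = substr($2, i, 1); id = i - 1   # position i is suite i-1
        if (c != "X" && id == 0) {
          print "CRITICAL cipher suite 0 (no authentication) max priv " c
          c = "X"
        } else if (c != "X" && (id in noenc)) {
          print "WARN cipher suite " id " (no encryption) max priv " c
          c = "X"
        }
        fixed = fixed c
      }
      if (fixed != $2) print "SUGGEST cipher_privs " fixed
    }
  '
}

sample_lan_print | audit_lan_print
```

Suites 8 and 12 stay enabled in the suggested string because they encrypt, although they rely on HMAC-MD5; restrict them by hand if every client can use suite 3.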
Hardware Determination
Sensors
Power Control
Speaking of Standardization..
Configuration Management
Snmp
Traps
RCA
Hardware failures
Temp spikes
Active Users
Network Utilization
BTU
System Watts
System Power is ON
Hardware Vendor via OUIDB (detecting all vendors is a work in progress)
SoL is responding
If vendor default logins are in use
Can run one report or all via flags
===============================================
= IPMI REPORT FOR IP 192.168.1.50 POWER:On =
= Script Version : 0.8 =
= Report System Date :01/24/2016 02:32:56 =
= IPMITOOL VERSION: 1.8.11 =
= IPMI Date : 01/24/2016 15:57:46 =
= MAC System Vendor (VIA OUIDB) : SuperMicro =
!!Login Defaults Present : Supermicro!!
===============================================
= FRU Output =
===============================================
FRU Device Description : Builtin FRU Device (ID 0)
Board Mfg Date : Sun Dec 31 19:00:00 1995
Board Mfg : Supermicro
Board Serial :
Product Serial :
===============================================
=
System Power : on
Power Overload : false
Power Interlock : inactive
: false
:
: inactive
: false
Cooling/Fan Fault : false
===============================================
=
===============================================
= Lan Print Output =
==============================================
===============================================
= OPTIONS : always-on,previous,always-off
===============================================
Supported chassis power policy: always-off
===============================================
= MC Info Output
===============================================
---- Management Controller Info---
Device ID : 32
Device Revision : 1
Firmware Revision : 3.16
IPMI Version : 2.0
Manufacturer ID : 47488
Manufacturer Name : Unknown (0xB980)
Product ID : 2566 (0x0a06)
Product Name : Unknown (0xA06)
Device Available : yes
: no
: enabled
: disabled
: disabled
: enabled
OEM 0 : disabled
OEM 1 : disabled
OEM 2 : disabled
BIOS/POST (0x02)
Stopped
6553 sec
6553 sec
In Closing
https://www.mankier.com/1/ipmi_sim
https://gist.github.com/bot11/a34ff0008cae75bd662d
Questions, Statements, Comments?
http://gitlab.misterx.org/snippets/3
# A quick hack for me to clean up (a lot) later and integrate into DRAC monitoring perhaps...
# Yeah.. that regex foo is weak... but it works for now.. it's on the long list of things to improve here.
# This gets VSZ from the process list running on the iDRAC.
# Requires racadm from Dell, grep, awk, DRAC on remote system.
# Set vars
TOTAL=0
HOST=
USER=
PASSWORD=
# Note: -p puts the password on the command line, where the local process list can show it.
# Walk the process list on the DRAC device and sum the VSZ column (KB).
# The pattern keeps "PID user VSZ state command" rows; field 3 is VSZ.
for b in $(/opt/dell/srvadmin/bin/racadm5 -r "${HOST}" -u "${USER}" -p "${PASSWORD}" racdump | grep -E '[0-9]+ [a-z].*[0-9].*[a-z]' | awk '{print $3}'); do
  # POSIX arithmetic, so the script also runs under plain sh
  TOTAL=$((TOTAL + b))
done
# Print out totals
echo "${TOTAL} KB"
echo "$(awk "BEGIN { printf ${TOTAL}/1024 }") MB"
# example output
# >sh /bin/drac_memory.sh
# 769132 KB
# 751.105 MB
Useful Links
My Reporting Script :
http://gitlab.misterx.org/MisterX/OOB_Tools/blob/master/ipmi_print.sh
Example Reports from My Script :
http://gitlab.misterx.org/MisterX/OOB_Tools/tree/master/Report_Examples
Slides : http(s)://misterx.org/LOPSA_Feb_2016.pdf
HP Redfish API
http://www8.hp.com/us/en/products/servers/proliant/restful-interface-tool.html
IPMI Security : https://github.com/zenfish/ipmi
Dell Out-Of-Band Enhancements (G13 systems)
http://en.community.dell.com/techcenter/extras/m/white_papers/20440944/download
IPMI Interface Spec (great for hacking together RAW commands)
http://www.intel.com/content/www/us/en/servers/ipmi/ipmi-second-gen-interface-specv2-rev1-1.html