panicsel-developers Mailing List for Panicsel IPMI project
Brought to you by:
arcress
Menu
▾
▴
panicsel-developers — for Panic Handler Enhancements developers
You can subscribe to this list here.
| 2002 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
(9) |
Nov
(6) |
Dec
(6) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2003 |
Jan
(3) |
Feb
(5) |
Mar
(12) |
Apr
(4) |
May
|
Jun
(4) |
Jul
(1) |
Aug
|
Sep
(7) |
Oct
(3) |
Nov
|
Dec
(1) |
| 2004 |
Jan
(1) |
Feb
(1) |
Mar
|
Apr
(3) |
May
|
Jun
(7) |
Jul
(9) |
Aug
(3) |
Sep
|
Oct
|
Nov
|
Dec
|
| 2005 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
|
Nov
|
Dec
|
|
From: Cress, A. R <and...@in...> - 2005-09-28 16:01:05
|
Santosh, =20 Please note that the panicsel project has been renamed to 'ipmiutil' as the web site says. Both projects are under the BSD license. All new development is occuring under the 'ipmiutil' name. =20 =20 So, at http://ipmiutil.sourceforge.net you can see that the COPYING file contains the BSD license text. This allows re-use of the source code in either open-source projects or in proprietary commercial projects. Care has been taken to avoid use of any Intel information that is not available in published documents (IPMI specification, Product TPS, etc.). =20 =20 Andy ________________________________ From: pan...@li... [mailto:pan...@li...] On Behalf Of Santosh Akhilesh Sent: Monday, September 26, 2005 2:00 AM To: pan...@li... Subject: [Panicsel-developers] FW: Hi Dear Webmaster =20 I am new to CGL community and evaluating the CGL OSS for the commercial usage. I wanted to know whether any patent claims on any of the technologies the panicsel is using and its licensing terms.=20 Can you kindly provide me this information? =20 Regards, Santosh Akhilesh =20 |
|
From: Santosh A. <san...@hu...> - 2005-09-26 05:58:46
|
Dear Webmaster I am new to CGL community and evaluating the CGL OSS for the commercial usage. I wanted to know whether any patent claims on any of the technologies the panicsel is using and its licensing terms. Can you kindly provide me this information? Regards, Santosh Akhilesh |
|
From: Cress, A. R <and...@in...> - 2004-08-17 23:18:00
|
A new panicsel 1.4.8 has been released, and the ipmiutil project is now
up and running, with ipmiutil-1.4.8.
Th ipmiutil project is an evolution from the panicsel IPMI project. It
contains various IPMI Management Utilities, and is more appropriately
named, since the kernel portion of the former panicsel project has been
separated out and merged with the OpenIPMI driver.
The ipmiutil and panicsel projects currently both have the same source
included, version 1.4.8. Future versions and changes will occur only to
the ipmiutil project, while the panicsel project will point to ipmiutil.
I will migrate users from the panicsel-developers mailing list to the
ipmiutil-developers mailing list, unless you let me know otherwise.
Andy Cress
Changes included in panicsel-1.4.8/ipmiutil-1.4.8:
07/23/04 ARcress ver 1.4.7
pefconfig v1.29 use lan_ch variable to set Alert Policy Table,
which fixes a problem for TIGPT1U platforms.
bmclanpet.mib new MIB file added for PET
bmclanaol.mib renamed from bmclan.mib for alert-on-LAN
08/05/04 ARcress ver 1.4.8
panicsel.spec redirect stderr to $tmpsel from pefconfig
command.
For SuSE, symlink snmpd.conf to common location.
Also added icmd & icmd.8 to rpm.
hwreset v1.9 implement special OS shutdown method for
Langleys,
make sure to show error if ccode !=3D 0
icmd v1.2 fix for mv driver type in ipmicmd.c (thanks Kevin
Gao)
doc/icmd.8 new man page added
doc/UserGuide added icmd description
added Use Cases for sensor thresholds and for
pefconfig with gpg decryption of password.
doc/Makefile copy icmd.8 for make install
util/ipmimv.c handle alternate device filenames for some 2.6
kernels
showsel v1.24 add more decoding for Power events
---
Moving further versions to http://ipmiutil.sf.net
|
|
From: Cress, A. R <and...@in...> - 2004-08-09 15:21:07
|
Neil, Well, the utility should report this as an error, rather than ok. The status was ok, but the completion code =3D 0xcc indicates that the firmware said that the data field was invalid (the 0x05 byte, pertaining to the -o option). =20 In the IPMI spec in Table 22-4, the 0x05 value for chassis control says that this is a soft-shutdown via ACPI, and that it is optional. The Langley platform firmware doesn't implement this option. The way that ISM does an OS shutdown on this platform, is to do=20 "init 0" and set up a watchdog event for the IPMI reset with a=20 timeout that allows enough time for the shutdown to complete (about 50 sec). I guess I could've implemented that in hwreset, but I had thought that this=20 method would be more IPMI-generic. =20 Hmmm. The best thing would be to use the IPMI DeviceID to determine which method to use. Since we know that several platforms don't=20 implement this reset option intrinsically, we could detect the platform=20 type for those and use the other method. I'll put in that code. Andy -----Original Message----- From: pan...@li... [mailto:pan...@li...] On Behalf Of nei...@no... Sent: Monday, August 09, 2004 9:50 AM To: pan...@li... Subject: [Panicsel-developers] hwreset -o option Hi, When I try to use hwreset with the -o option on a langley server it reports that the IPMI reset succeeded ok but in fact no reset occurs. I'm unclear whether the "Invalid data field" in=20 the verbose output indicates a malformed ipmi request or a problem with the imb ipmi driver. Thanks, Neil root@xxx:/util/panicsel# ./hwreset -o hwreset ver 1.8 hwreset: powering down ... hwreset: IPMI_Reset ok root@icgsprobe:/util/panicsel# root@xxx:/util/panicsel# ./hwreset -ox hwreset ver 1.8 hwreset: powering down ... Driver type 1, rc =3D 0 ipmi_cmd_ia: request (len=3D13): 08 20 00 00 00 9c fc ff bf 06 00 00 00 req.data=3D0xbffffc9c, dlen=3D6: 05 80 00 48 00 00 ipmi_cmd_ia: sendImbRequest status=3D0, ccode=3D0 ipmi_cmd_ia: response (len=3D0): ipmi_cmd_ia: request (len=3D13): 02 20 00 00 00 9c fc ff bf 01 00 00 00 req.data=3D0xbffffc9c, dlen=3D1: 05 ipmi_cmd_ia: sendImbRequest status=3D0, ccode=3Dcc ipmi_cmd_ia: response (len=3D0): ccode cc: Invalid data field in request Cmd 2 code cc, resp[0] =3D 0, resp[1] =3D 0 hwreset: IPMI_Reset ok ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Panicsel-developers mailing list Pan...@li... https://lists.sourceforge.net/lists/listinfo/panicsel-developers |
|
From: <nei...@no...> - 2004-08-09 13:50:18
|
Hi, When I try to use hwreset with the -o option on a langley server it reports that the IPMI reset succeeded ok but in fact no reset occurs. I'm unclear whether the "Invalid data field" in=20 the verbose output indicates a malformed ipmi request or a problem with the imb ipmi driver. Thanks, Neil root@xxx:/util/panicsel# ./hwreset -o hwreset ver 1.8 hwreset: powering down ... hwreset: IPMI_Reset ok root@icgsprobe:/util/panicsel# root@xxx:/util/panicsel# ./hwreset -ox hwreset ver 1.8 hwreset: powering down ... Driver type 1, rc =3D 0 ipmi_cmd_ia: request (len=3D13): 08 20 00 00 00 9c fc ff bf 06 00 00 00 req.data=3D0xbffffc9c, dlen=3D6: 05 80 00 48 00 00 ipmi_cmd_ia: sendImbRequest status=3D0, ccode=3D0 ipmi_cmd_ia: response (len=3D0): ipmi_cmd_ia: request (len=3D13): 02 20 00 00 00 9c fc ff bf 01 00 00 00 req.data=3D0xbffffc9c, dlen=3D1: 05 ipmi_cmd_ia: sendImbRequest status=3D0, ccode=3Dcc ipmi_cmd_ia: response (len=3D0): ccode cc: Invalid data field in request Cmd 2 code cc, resp[0] =3D 0, resp[1] =3D 0 hwreset: IPMI_Reset ok |
|
From: Cress, A. R <and...@in...> - 2004-07-29 13:00:38
|
Oops, I didn't read your message carefully. I was replying to it as if you were asking about IA64. =20 I haven't yet tried the panicsel utilities on x86_64, but I don't expect any problems since they run fine on ia64. The IPMI KCS port is 0x8a2 only for IA64, so that also shouldn't be an issue. I'll be getting a platform to test x86_64 next month. =20 Andy -----Original Message----- From: Cress, Andrew R=20 Sent: Thursday, July 29, 2004 8:25 AM To: 'Walters, Brian D'; pan...@li... Subject: RE: [Panicsel-developers] panicsel for the x86_64 platform =09 =09 Brian, =20 The panicsel utilities do run on x86_64 platforms, such as Tiger 2, Tiger 4, etc. It does require a recompile of the utilities. =20 The main thing is that the IPMI KCS driver (whether OpenIPMI or Intel IMB, or other) needs to be loaded with the KCS port =3D 0x8a2 instead of the default 0xca2. =20 =20 I've tried it myself on Itanium-2 systems, as have several customers. If you have any specific issues, let me know. =20 Andy -----Original Message----- From: pan...@li... [mailto:pan...@li...] On Behalf Of Walters, Brian D Sent: Wednesday, July 28, 2004 8:07 PM To: pan...@li... Subject: [Panicsel-developers] panicsel for the x86_64 platform =09 =09 Hi, =20 Does anyone know if there is any work in progress on the x86_64 platform? =20 Thanks, -Brian Walters =20 |
|
From: Cress, A. R <and...@in...> - 2004-07-29 12:25:06
|
Brian, =20 The panicsel utilities do run on x86_64 platforms, such as Tiger 2, Tiger 4, etc. It does require a recompile of the utilities. =20 The main thing is that the IPMI KCS driver (whether OpenIPMI or Intel IMB, or other) needs to be loaded with the KCS port =3D 0x8a2 instead of the default 0xca2. =20 =20 I've tried it myself on Itanium-2 systems, as have several customers. If you have any specific issues, let me know. =20 Andy -----Original Message----- From: pan...@li... [mailto:pan...@li...] On Behalf Of Walters, Brian D Sent: Wednesday, July 28, 2004 8:07 PM To: pan...@li... Subject: [Panicsel-developers] panicsel for the x86_64 platform =09 =09 Hi, =20 Does anyone know if there is any work in progress on the x86_64 platform? =20 Thanks, -Brian Walters =20 |
|
From: Walters, B. D <bw1...@nc...> - 2004-07-29 00:07:14
|
Hi, Does anyone know if there is any work in progress on the x86_64 platform? Thanks, -Brian Walters |
|
From: Cress, A. R <and...@in...> - 2004-07-16 14:20:39
|
=20 A new version 1.4.6 of the panicsel IPMI utilities has been released. See http://panicsel.sf.net for CVS, rpm, or tar files. Here are the changes in this release: 07/14/04 ARCress ver 1.4.6 pefconfig.8 added more explanation with alert dest ip parameter. pefconfig v1.28 added parsing for community on trapsink line, show error message if GetDeviceID fails for WIN32. tmconfig v1.15 allow -p for user 1 if no username specified (fSetPsw), show error message if GetDeviceID fails for WIN32. sensor v1.19 added -a to reArm sensor UserGuide fix description of checksel Andy |
|
From: Cress, A. R <and...@in...> - 2004-07-15 13:10:35
|
Hugo, Yes, checksel is added to /etc/cron.daily by the panicsel rpm installation. I had gotten a number of requests to have a way to monitor the SEL to keep it from getting full. This is the best of several solutions, in that it saves the SEL records to the OS log regularly, so that clearing the log when it gets nearly full won't lose the history. If you do not want this, then deleting /etc/cron.daily/checksel is easy to do. Or, you could rebuild the rpm yourself, deleting that line from the spec file. It isn't straightforward to pass specific options like this from the rpm command line. =20 I noticed that the UserGuide describes this incorrectly. I'll fix that for the next version. Andy -----Original Message----- From: pan...@li... [mailto:pan...@li...] On Behalf Of Hugo CACOTE Sent: Thursday, July 15, 2004 6:02 AM To: pan...@li... Subject: [Panicsel-developers] /usr/share/panicsel/checksel Dear All, I would like to know if /usr/share/panicsel/checksel script is added to the crontab automatically at the time of the panicsel RPM installation ? If yes is there any not to automatically add this script to the crontab?? Thanks =20 Hugo Cacote ------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=3D4721&alloc_id=3D10040&op=3Dclick _______________________________________________ Panicsel-developers mailing list Pan...@li... https://lists.sourceforge.net/lists/listinfo/panicsel-developers |
|
From: Hugo C. <hc...@ma...> - 2004-07-15 10:02:27
|
Dear All, I would like to know if /usr/share/panicsel/checksel script is added to the crontab automatically at the time of the panicsel RPM installation ? If yes is there any not to automatically add this script to the crontab?? Thanks Hugo Cacote |
|
From: Cress, A. R <and...@in...> - 2004-07-06 14:39:32
|
Vlado, That looks fine. In fact, since gnupg is already set up as standalone = utilities, it would be easy to script with the current version of = pefconfig as well. Andy -----Original Message----- From: Vlado Bahyl [mailto:Vla...@ce...]=20 Sent: Monday, July 05, 2004 3:49 AM To: Cress, Andrew R Cc: pan...@li... Subject: Re: [Panicsel-developers] IPMI password Dear Andy, thank you very much for considering our problem. What I in fact had in my mind was more software from = http://www.gnupg.org/ but as I am not really IPMI expert, I leave it to you to find out how to solve the problems described in my earlier e-mail. Cheers, Vlado -- _|________________________________________________________ | | | Vlado | Vla...@ce... | Bahyl | CERN-IT/FIO, CH-1211 Geneva 23, Switzerland | | (+41) 22 767 1884 According to Cress, Andrew R: > Vlado, >=20 > OK, so it sounds like OpenSSL.org's library would be a good choice, = with RSA or DSA. That could be integrated into pefconfig and tmconfig, = with some work. >=20 > I'll put this on the TODO list and schedule some time to implement it. = In the meantime, if you have/see any other utilities that do = encrypt/decrypt that you think would be good usage models, let me know. >=20 > Andy >=20 > -----Original Message----- > From: Vlado Bahyl [mailto:Vla...@ce...]=20 > Sent: Wednesday, June 30, 2004 7:25 AM > To: Cress, Andrew R > Cc: pan...@li...; Hugo Monteiro Cacote; = Tim Smith > Subject: Re: [Panicsel-developers] IPMI password >=20 >=20 > Dear Andy, >=20 > thank you very much for your reply and interest in this problem. >=20 > Hugo forwarded me the message, so please let me explain in more > details what we mean. >=20 > We have > 1000 nodes where we would like to enable IPMI. The exact > number of nodes in production fluctuates a lot as nodes have to be > repaired/reinstalled/replaced. > Because of that we use pull scenario, where each node fetches = configuration > it needs from a central place. >=20 > My idea with IPMI would be: >=20 > - 1 configuration server (=3D central place) would generate a key = pair > (=3D public and private key) > - this server would publish the public key to all client > - this server would also encrypt the IPMI password with the private = key >=20 > - many clients (where we want to have IPMI enabled) would then fetch > the public key > - all these clients would then use this public key to decrypt the = IPMI > password and use it locally >=20 > The reason for this machinery is that: > - IPMI password can not be typed on such a big number of nodes > - IPMI password must not be sniffed on the network (otherwise = intruder > could get full control of all nodes) > - IPMI password should not be stored on the node as they occasionally > get hacked >=20 > Now - I do not know much about IPMI (Hugo is our local expert), but = would > the above scenario be feasible ? >=20 > Obviously, we can build all this ourselves, but it would be nice if = IPMI > tools would allow some options to specify: > - where the encrypted password is > - where the decryption (public) key is >=20 > Last, but not least: > - option where every machine would have a unique password is not = possible > because of the number of nodes and arguments above > - in addition I think it would be a nightmare to manage it >=20 > What do you think ? >=20 > Best regards, >=20 > Vlado >=20 > -- >=20 > _|________________________________________________________ > | | > | Vlado | Vla...@ce... > | Bahyl | CERN-IT/FIO, CH-1211 Geneva 23, Switzerland > | | (+41) 22 767 1884 >=20 >=20 > > -----Original Message----- > > From: Cress, Andrew R [mailto:and...@in...]=20 > > Sent: Tuesday, June 29, 2004 5:47 PM > > To: Hugo Monteiro Cacote; pan...@li... > > Subject: RE: [Panicsel-developers] IPMI password > >=20 > >=20 > > Hugo, > >=20 > > Hmmm. I really hadn't thought that this would be needed. > >=20 > > What I had thought would be enough to conceal the passwords and = centrally administer the passwords would be to use ssh keys for root = access, then run pefconfig -P $psw on each system via ssh. In order to = set the IPMI password via pefconfig, root access is required. The = passwords could be encrypted on the central system, and protected there, = so that they wouldn't be stored in a visible form, and would only be = visible from the ssh command line in progress.=20 > >=20 > > Are you worried about visibility over the LAN, or from a shell = command history, is that the issue? I guess that an option could be = added to pefconfig to pass an encrypted password, but how do you propose = that the key be passed in? > >=20 > > Andy > >=20 > > -----Original Message----- > > From: pan...@li... = [mailto:pan...@li...] On Behalf Of = Hugo CACOTE > > Sent: Tuesday, June 29, 2004 2:43 AM > > To: pan...@li... > > Subject: [Panicsel-developers] IPMI password > >=20 > >=20 > >=20 > > Dear all, > >=20 > > Is there any way to configure a BMC's IPMI password without using = the=20 > > plain text password? > >=20 > > I would like to distribute the passwords the IPMI on all the = machines (du=20 > > e to the number of machines going to each machine and configure this = > > information doesn't seems feasible) from a central point. Is there = any kind=20 > > of private key mechanism in the current version of panicsel = (pefconfig) or=20 > > in the next versions?? > >=20 > >=20 > > Thank you, > > Hugo Ca=E7ote=20 > >=20 > >=20 > > ------------------------------------------------------- > > This SF.Net email sponsored by Black Hat Briefings & Training. = Attend Black Hat Briefings & Training, Las Vegas July 24-29 -=20 > > digital self defense, top technical experts, no vendor pitches,=20 > > unmatched networking opportunities. Visit www.blackhat.com = _______________________________________________ > > Panicsel-developers mailing list = Pan...@li... > > https://lists.sourceforge.net/lists/listinfo/panicsel-developers |
|
From: Vlado B. <Vla...@ce...> - 2004-07-05 07:49:28
|
Dear Andy, thank you very much for considering our problem. What I in fact had in my mind was more software from http://www.gnupg.org/ but as I am not really IPMI expert, I leave it to you to find out how to solve the problems described in my earlier e-mail. Cheers, Vlado -- _|________________________________________________________ | | | Vlado | Vla...@ce... | Bahyl | CERN-IT/FIO, CH-1211 Geneva 23, Switzerland | | (+41) 22 767 1884 According to Cress, Andrew R: > Vlado, > > OK, so it sounds like OpenSSL.org's library would be a good choice, with RSA or DSA. That could be integrated into pefconfig and tmconfig, with some work. > > I'll put this on the TODO list and schedule some time to implement it. In the meantime, if you have/see any other utilities that do encrypt/decrypt that you think would be good usage models, let me know. > > Andy > > -----Original Message----- > From: Vlado Bahyl [mailto:Vla...@ce...] > Sent: Wednesday, June 30, 2004 7:25 AM > To: Cress, Andrew R > Cc: pan...@li...; Hugo Monteiro Cacote; Tim Smith > Subject: Re: [Panicsel-developers] IPMI password > > > Dear Andy, > > thank you very much for your reply and interest in this problem. > > Hugo forwarded me the message, so please let me explain in more > details what we mean. > > We have > 1000 nodes where we would like to enable IPMI. The exact > number of nodes in production fluctuates a lot as nodes have to be > repaired/reinstalled/replaced. > Because of that we use pull scenario, where each node fetches configuration > it needs from a central place. > > My idea with IPMI would be: > > - 1 configuration server (= central place) would generate a key pair > (= public and private key) > - this server would publish the public key to all client > - this server would also encrypt the IPMI password with the private key > > - many clients (where we want to have IPMI enabled) would then fetch > the public key > - all these clients would then use this public key to decrypt the IPMI > password and use it locally > > The reason for this machinery is that: > - IPMI password can not be typed on such a big number of nodes > - IPMI password must not be sniffed on the network (otherwise intruder > could get full control of all nodes) > - IPMI password should not be stored on the node as they occasionally > get hacked > > Now - I do not know much about IPMI (Hugo is our local expert), but would > the above scenario be feasible ? > > Obviously, we can build all this ourselves, but it would be nice if IPMI > tools would allow some options to specify: > - where the encrypted password is > - where the decryption (public) key is > > Last, but not least: > - option where every machine would have a unique password is not possible > because of the number of nodes and arguments above > - in addition I think it would be a nightmare to manage it > > What do you think ? > > Best regards, > > Vlado > > -- > > _|________________________________________________________ > | | > | Vlado | Vla...@ce... > | Bahyl | CERN-IT/FIO, CH-1211 Geneva 23, Switzerland > | | (+41) 22 767 1884 > > > > -----Original Message----- > > From: Cress, Andrew R [mailto:and...@in...] > > Sent: Tuesday, June 29, 2004 5:47 PM > > To: Hugo Monteiro Cacote; pan...@li... > > Subject: RE: [Panicsel-developers] IPMI password > > > > > > Hugo, > > > > Hmmm. I really hadn't thought that this would be needed. > > > > What I had thought would be enough to conceal the passwords and centrally administer the passwords would be to use ssh keys for root access, then run pefconfig -P $psw on each system via ssh. In order to set the IPMI password via pefconfig, root access is required. The passwords could be encrypted on the central system, and protected there, so that they wouldn't be stored in a visible form, and would only be visible from the ssh command line in progress. > > > > Are you worried about visibility over the LAN, or from a shell command history, is that the issue? I guess that an option could be added to pefconfig to pass an encrypted password, but how do you propose that the key be passed in? > > > > Andy > > > > -----Original Message----- > > From: pan...@li... [mailto:pan...@li...] On Behalf Of Hugo CACOTE > > Sent: Tuesday, June 29, 2004 2:43 AM > > To: pan...@li... > > Subject: [Panicsel-developers] IPMI password > > > > > > > > Dear all, > > > > Is there any way to configure a BMC's IPMI password without using the > > plain text password? > > > > I would like to distribute the passwords the IPMI on all the machines (du > > e to the number of machines going to each machine and configure this > > information doesn't seems feasible) from a central point. Is there any kind > > of private key mechanism in the current version of panicsel (pefconfig) or > > in the next versions?? > > > > > > Thank you, > > Hugo Caçote > > > > > > ------------------------------------------------------- > > This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - > > digital self defense, top technical experts, no vendor pitches, > > unmatched networking opportunities. Visit www.blackhat.com _______________________________________________ > > Panicsel-developers mailing list Pan...@li... > > https://lists.sourceforge.net/lists/listinfo/panicsel-developers |
|
From: Cress, A. R <and...@in...> - 2004-07-02 14:32:38
|
Vlado, OK, so it sounds like OpenSSL.org's library would be a good choice, with = RSA or DSA. That could be integrated into pefconfig and tmconfig, with = some work. I'll put this on the TODO list and schedule some time to implement it. = In the meantime, if you have/see any other utilities that do = encrypt/decrypt that you think would be good usage models, let me know. Andy -----Original Message----- From: Vlado Bahyl [mailto:Vla...@ce...]=20 Sent: Wednesday, June 30, 2004 7:25 AM To: Cress, Andrew R Cc: pan...@li...; Hugo Monteiro Cacote; Tim = Smith Subject: Re: [Panicsel-developers] IPMI password Dear Andy, thank you very much for your reply and interest in this problem. Hugo forwarded me the message, so please let me explain in more details what we mean. We have > 1000 nodes where we would like to enable IPMI. The exact number of nodes in production fluctuates a lot as nodes have to be repaired/reinstalled/replaced. Because of that we use pull scenario, where each node fetches = configuration it needs from a central place. My idea with IPMI would be: - 1 configuration server (=3D central place) would generate a key pair (=3D public and private key) - this server would publish the public key to all client - this server would also encrypt the IPMI password with the private key - many clients (where we want to have IPMI enabled) would then fetch the public key - all these clients would then use this public key to decrypt the IPMI password and use it locally The reason for this machinery is that: - IPMI password can not be typed on such a big number of nodes - IPMI password must not be sniffed on the network (otherwise intruder could get full control of all nodes) - IPMI password should not be stored on the node as they occasionally get hacked Now - I do not know much about IPMI (Hugo is our local expert), but = would the above scenario be feasible ? Obviously, we can build all this ourselves, but it would be nice if IPMI tools would allow some options to specify: - where the encrypted password is - where the decryption (public) key is Last, but not least: - option where every machine would have a unique password is not = possible because of the number of nodes and arguments above - in addition I think it would be a nightmare to manage it What do you think ? Best regards, Vlado -- _|________________________________________________________ | | | Vlado | Vla...@ce... | Bahyl | CERN-IT/FIO, CH-1211 Geneva 23, Switzerland | | (+41) 22 767 1884 > -----Original Message----- > From: Cress, Andrew R [mailto:and...@in...]=20 > Sent: Tuesday, June 29, 2004 5:47 PM > To: Hugo Monteiro Cacote; pan...@li... > Subject: RE: [Panicsel-developers] IPMI password >=20 >=20 > Hugo, >=20 > Hmmm. I really hadn't thought that this would be needed. >=20 > What I had thought would be enough to conceal the passwords and = centrally administer the passwords would be to use ssh keys for root = access, then run pefconfig -P $psw on each system via ssh. In order to = set the IPMI password via pefconfig, root access is required. The = passwords could be encrypted on the central system, and protected there, = so that they wouldn't be stored in a visible form, and would only be = visible from the ssh command line in progress.=20 >=20 > Are you worried about visibility over the LAN, or from a shell command = history, is that the issue? I guess that an option could be added to = pefconfig to pass an encrypted password, but how do you propose that the = key be passed in? >=20 > Andy >=20 > -----Original Message----- > From: pan...@li... = [mailto:pan...@li...] On Behalf Of = Hugo CACOTE > Sent: Tuesday, June 29, 2004 2:43 AM > To: pan...@li... > Subject: [Panicsel-developers] IPMI password >=20 >=20 >=20 > Dear all, >=20 > Is there any way to configure a BMC's IPMI password without using the=20 > plain text password? >=20 > I would like to distribute the passwords the IPMI on all the machines = (du=20 > e to the number of machines going to each machine and configure this=20 > information doesn't seems feasible) from a central point. Is there any = kind=20 > of private key mechanism in the current version of panicsel = (pefconfig) or=20 > in the next versions?? >=20 >=20 > Thank you, > Hugo Ca=E7ote=20 >=20 >=20 > ------------------------------------------------------- > This SF.Net email sponsored by Black Hat Briefings & Training. Attend = Black Hat Briefings & Training, Las Vegas July 24-29 -=20 > digital self defense, top technical experts, no vendor pitches,=20 > unmatched networking opportunities. Visit www.blackhat.com = _______________________________________________ > Panicsel-developers mailing list = Pan...@li... > https://lists.sourceforge.net/lists/listinfo/panicsel-developers |
|
From: Vlado B. <Vla...@ce...> - 2004-06-30 11:25:06
|
Dear Andy,
thank you very much for your reply and interest in this problem.
Hugo forwarded me the message, so please let me explain in more
details what we mean.
We have > 1000 nodes where we would like to enable IPMI. The exact
number of nodes in production fluctuates a lot as nodes have to be
repaired/reinstalled/replaced.
Because of that we use pull scenario, where each node fetches configuration
it needs from a central place.
My idea with IPMI would be:
- 1 configuration server (= central place) would generate a key pair
(= public and private key)
- this server would publish the public key to all client
- this server would also encrypt the IPMI password with the private key
- many clients (where we want to have IPMI enabled) would then fetch
the public key
- all these clients would then use this public key to decrypt the IPMI
password and use it locally
The reason for this machinery is that:
- IPMI password can not be typed on such a big number of nodes
- IPMI password must not be sniffed on the network (otherwise intruder
could get full control of all nodes)
- IPMI password should not be stored on the node as they occasionally
get hacked
Now - I do not know much about IPMI (Hugo is our local expert), but would
the above scenario be feasible ?
Obviously, we can build all this ourselves, but it would be nice if IPMI
tools would allow some options to specify:
- where the encrypted password is
- where the decryption (public) key is
Last, but not least:
- option where every machine would have a unique password is not possible
because of the number of nodes and arguments above
- in addition I think it would be a nightmare to manage it
What do you think ?
Best regards,
Vlado
--
_|________________________________________________________
| |
| Vlado | Vla...@ce...
| Bahyl | CERN-IT/FIO, CH-1211 Geneva 23, Switzerland
| | (+41) 22 767 1884
> -----Original Message-----
> From: Cress, Andrew R [mailto:and...@in...]
> Sent: Tuesday, June 29, 2004 5:47 PM
> To: Hugo Monteiro Cacote; pan...@li...
> Subject: RE: [Panicsel-developers] IPMI password
>
>
> Hugo,
>
> Hmmm. I really hadn't thought that this would be needed.
>
> What I had thought would be enough to conceal the passwords and centrally administer the passwords would be to use ssh keys for root access, then run pefconfig -P $psw on each system via ssh. In order to set the IPMI password via pefconfig, root access is required. The passwords could be encrypted on the central system, and protected there, so that they wouldn't be stored in a visible form, and would only be visible from the ssh command line in progress.
>
> Are you worried about visibility over the LAN, or from a shell command history, is that the issue? I guess that an option could be added to pefconfig to pass an encrypted password, but how do you propose that the key be passed in?
>
> Andy
>
> -----Original Message-----
> From: pan...@li... [mailto:pan...@li...] On Behalf Of Hugo CACOTE
> Sent: Tuesday, June 29, 2004 2:43 AM
> To: pan...@li...
> Subject: [Panicsel-developers] IPMI password
>
>
>
> Dear all,
>
> Is there any way to configure a BMC's IPMI password without using the
> plain text password?
>
> I would like to distribute the passwords the IPMI on all the machines (du
> e to the number of machines going to each machine and configure this
> information doesn't seems feasible) from a central point. Is there any kind
> of private key mechanism in the current version of panicsel (pefconfig) or
> in the next versions??
>
>
> Thank you,
> Hugo Caçote
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit www.blackhat.com _______________________________________________
> Panicsel-developers mailing list Pan...@li...
> https://lists.sourceforge.net/lists/listinfo/panicsel-developers
|
|
From: Cress, A. R <and...@in...> - 2004-06-29 15:47:07
|
Hugo, Hmmm. I really hadn't thought that this would be needed. What I had thought would be enough to conceal the passwords and = centrally administer the passwords would be to use ssh keys for root = access, then run pefconfig -P $psw on each system via ssh. In order to = set the IPMI password via pefconfig, root access is required. The = passwords could be encrypted on the central system, and protected there, = so that they wouldn't be stored in a visible form, and would only be = visible from the ssh command line in progress.=20 Are you worried about visibility over the LAN, or from a shell command = history, is that the issue? I guess that an option could be added to pefconfig to pass an encrypted = password, but how do you propose that the key be passed in? Andy -----Original Message----- From: pan...@li... = [mailto:pan...@li...] On Behalf Of = Hugo CACOTE Sent: Tuesday, June 29, 2004 2:43 AM To: pan...@li... Subject: [Panicsel-developers] IPMI password Dear all, Is there any way to configure a BMC's IPMI password without using the=20 plain text password? I would like to distribute the passwords the IPMI on all the machines = (du=20 e to the number of machines going to each machine and configure this=20 information doesn't seems feasible) from a central point. Is there any = kind=20 of private key mechanism in the current version of panicsel (pefconfig) = or=20 in the next versions?? Thank you, Hugo Ca=E7ote=20 ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 -=20 digital self defense, top technical experts, no vendor pitches,=20 unmatched networking opportunities. Visit www.blackhat.com _______________________________________________ Panicsel-developers mailing list Pan...@li... https://lists.sourceforge.net/lists/listinfo/panicsel-developers |
|
From: Hugo C. <hc...@ma...> - 2004-06-29 07:58:04
|
Dear all, Is there any way to configure a BMC's IPMI password without using the plain text password? I would like to distribute the passwords the IPMI on all the machines (du e to the number of machines going to each machine and configure this information doesn't seems feasible) from a central point. Is there any kind of private key mechanism in the current version of panicsel (pefconfig) or in the next versions?? Thank you, Hugo Caçote |
|
From: Cress, A. R <and...@in...> - 2004-06-10 15:55:43
|
Panicsel 1.4.5 is now released. It includes more efficient use of the
/dev/ipmi0 device, and several changes for WIN32 platforms.
Specifically:
06/10/04 ARCress ver 1.4.5
ipmimv.c only open/close device once per application for
mv/openipmi driver, rely on each app calling ipmi_close.
*.c changes for ipmi_close, changes for WIN32
doc/mk.bat added, sample build script for WIN32
sensor v1.18 fixed sresp in GetSDR for WIN32
showsel v1.22 added ReportEvent for -w option with WIN32
v1.23 use gmtime instead of localtime for WIN32
pefconfig v1.27 added channel access params for ia64, added WIN32
|
|
From: Cress, A. R <and...@in...> - 2004-06-03 14:48:59
|
Hugo, Yes, pefconfig is intended to configure the BMC LAN traps via SNMP. It = will automatically look in your /etc/snmp/snmpd.conf file for an alert = destination. If there isn't one there, you would need to specify it via = the -A command line option. Also, tmconfig is used to set up the serial port parameters.=20 =20 To set up Serial Over LAN on a TIGPR2U platform, for instance: 1) Make sure BIOS Console Redirection is enabled. 2) Run tmconfig to set basic serial parameters. 3) Run pefconfig to enable the LAN linkage. pefconfig will report a = message like "SeupSerialOverLan: ret =3D 0" if this feature was set up = successfully. Andy -----Original Message----- From: pan...@li... = [mailto:pan...@li...] On Behalf Of = Hugo Monteiro Cacote Sent: Tuesday, June 01, 2004 5:04 AM To: pan...@li... Subject: [Panicsel-developers] PEF setting Dear All, Can I use the panic_sel utilities in particular pefconfig to configure = the=20 BMC PEF in order to send alert to the LAN (SNMP traps). I'm I also able = to=20 configure Serial over LAN using the tmconfig utility ?? Thank you, Hugo Ca=E7ote =20 ------------------------------------------------------- This SF.Net email is sponsored by: Oracle 10g Get certified on the hottest thing ever to hit the market... Oracle 10g. = Take an Oracle 10g class now, and we'll give you the exam FREE. http://ads.osdn.com/?ad_id=3D3149&alloc_id=3D8166&op=3Dclick _______________________________________________ Panicsel-developers mailing list Pan...@li... https://lists.sourceforge.net/lists/listinfo/panicsel-developers |
|
From: Cress, A. R <and...@in...> - 2004-06-03 14:39:51
|
Adam,
This isn't a command-line parameter, but you would make the change in
the util/pefconfig.c file for the pefconfig utility.
In util/pefconfig.c, around line 1899, you see:
LanRecord.data[0] =3D 0x04; /* grat arp interval*/
ret =3D SetLanEntry(11, &LanRecord, 1);
From the IPMI 1.5 spec, Table 19-4, page 232, we can interpret LAN
Parameter 11 as
the Gratuitous ARP Interval in 500 millisecond increments, 0-based.
So, the default setting above of 4, yields a 2 second ARP interval. You
can change it as you like.
Andy
-----Original Message-----
From: Adam Hock [mailto:ah...@at...]=20
Sent: Tuesday, June 01, 2004 2:56 PM
To: Cress, Andrew R
Subject: pancsel question
Andrew,
How do I change the rate at which the BMC arp's using the pancsel=20
software suite ?
Thanks
Adam
|
|
From: Hugo M. C. <hc...@ma...> - 2004-06-01 09:04:23
|
Dear All, Can I use the panic_sel utilities in particular pefconfig to configure the BMC PEF in order to send alert to the LAN (SNMP traps). I'm I also able to configure Serial over LAN using the tmconfig utility ?? Thank you, Hugo Caçote |
|
From: Cress, A. R <and...@in...> - 2004-04-30 19:58:49
|
A new version of the panicsel package (1.4.4) has been released.=20
Below are the changes from the previous version:
showsel v1.21 added threshold OK descriptions,
change header (time is local, not GMT)
sensor v1.17 added -r option for raw SDR output
ipmimv.c increased timeout from 5 sec to 10 sec
pefconfig v1.25 fixed lan_ch detection for some /dev/ipmi0 cases
Andy
|
|
From: Cress, A. R <and...@in...> - 2004-04-23 15:30:54
|
Marco,
I haven't tested the panicsel IPMI utilities on those architectures,
because I don't have hardware for them, but it should work, if the
platforms support IPMI. =20
There isn't any kernel dependency, other than having an IPMI driver, and
kernel 2.6.4 has the OpenIPMI driver included, so that should work fine.
I have tested it on earlier versions of 2.5 and 2.6 and it worked ok.
The /dev/ipmi0 device node will have to be created though, after the
modules are loaded, like this:
maj=3D`cat /proc/devices |awk '/ipmidev/{print $1}'`
/bin/mknod /dev/ipmi0 $maj 0 =20
Andy
-----Original Message-----
From: Marco Caverzaghi [mailto:Mar...@it...]=20
Sent: Friday, April 23, 2004 10:58 AM
To: ar...@us...
Cc: Mar...@it...
Subject: Two questions about Panicsel-IPMI portability
Dear Mr. Andy Cress,
I'm interested in Panicsel-IPMI Open Source Project.
I've a question about the architecture portability of Panicsel-IPMI
1.4.3: does it run on the PowerPc architecture, Motorola PQII-MPC8280
processor ?
And another question about the Linux kernel portability of Panicsel-IPMI
1.4.3: does it run on Vanilla 2.6.4 kernel ?
Thanks in advance,
Best Regards,
Marco Caverzaghi
System Engineer
Italtel SPA
|
|
From: Cress, A. R <and...@in...> - 2004-04-08 20:13:15
|
Folks,
A new version of the panicsel package (1.4.3) has been released. Below
are the changes for 1.4.2 and 1.4.3. More descriptions in showsel, and
some changes for mini-BMC as well. =20
The panicsel-1.4.3 rpm now installs the 'checksel' script into
/etc/cron.daily so that
the new firmware SEL records get copied to the Linux syslog each day,
and
then if the SEL is full, it is cleared. This brings together 'showsel
-w'=20
and 'showsel -c' functions. The old SEL records are preserved in=20
the syslog, so this is ok, and enterprise admins should be looking to
one
common syslog location anyway. =20
Andy
03/23/04 ARCress ver 1.4.2
showsel v1.19 ClockSync description changed
wdt v1.4 fixed cc=3D0xcc if pretimeout not zero.
pefconfig v1.24 changed default pefnum for mBMC to 10
sensor v1.16 Added SDR type 3 parsing for mBMC,
Added check for superuser, more mBMC logic
04/08/04 ARCress ver 1.4.3
checksel New script using showsel to write to syslog and clear
if low
showsel v1.20 change pattern matching for thresholds,
added sens_desc for ID Button
added sens_desc for HSC, System Events, Power,
Inter.
|
|
From: Cress, A. R <and...@in...> - 2004-02-24 20:55:22
|
A new version of the panicsel package (1.4.1) has been released. Below
are the changes. Some of the utilities have been successfully ported to
Windows now.
Support for mBMC platforms has also been added.
Andy
02/20/04 ARCress ver 1.4.1
imbapi.c added WIN32 flags
imb_api.h added WIN32 flags
ipmicmd.c added WIN32 flags
alarms v1.2 added mBMC code, Chesnee disk LEDs, & WIN32
showsel v1.18 added WIN32 flags, added header display
sensor v1.13 changed field order, added header display
* check for sdr sz below min, added WIN32.
|
