mirror of https://github.com/xcat2/xcat-core.git synced 2025-05-29 09:13:08 +00:00

Merge pull request #6713 from gurevichmark/bmcdiscover_pw_change

Add option to bmcdiscover command to change default BMC password
besawn 2020-06-02 08:28:23 -04:00 committed by GitHub
commit 5bb801d97d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 77 additions and 24 deletions


@ -23,7 +23,7 @@ SYNOPSIS
\ **bmcdiscover**\ [\ **-v | -**\ **-version**\ ]
\ **bmcdiscover**\ \ **-**\ **-range**\ \ *ip_ranges*\ [\ **-**\ **-sn**\ \ *SN_nodename*\ ] [\ **-s**\ \ *scan_method*\ ] [\ **-u**\ \ *bmc_user*\ ] [\ **-p**\ \ *bmc_passwd*\ ] [\ **-z**\ ] [\ **-w**\ ]
\ **bmcdiscover**\ \ **-**\ **-range**\ \ *ip_ranges*\ [\ **-**\ **-sn**\ \ *SN_nodename*\ ] [\ **-s**\ \ *scan_method*\ ] [\ **-u**\ \ *bmc_user*\ ] [\ **-p**\ \ *bmc_passwd*\ ] [\ **-n**\ \ *new_bmc_passwd*\ ] [\ **-z**\ ] [\ **-w**\ ]
***********
@ -37,7 +37,7 @@ The command uses \ **nmap**\ to scan active nodes over a specified IP range. T
\ **Note:**\ The scan method currently supported is \ **nmap**\ .
\ **Note:**\ Starting on January 1, 2020, some newly shipped systems will require the default BMC password to be changed before they can be managed by xCAT. \ **bmcdiscover**\ will not be able to discover such systems. Run \ */opt/xcat/share/xcat/scripts/BMC_change_password.sh*\ script to change the default password for BMCs in specified range, then rerun \ **bmcdiscover**\ with \ **-p "new bmc password"**\ flag to discover systems with the changed password.
\ **Note:**\ Starting on January 1, 2020, some newly shipped systems will require the default BMC password to be changed before they can be managed by xCAT. Use \ **bmcdiscover**\ with \ **-n**\ option to specify new BMC password.
*******
@ -88,6 +88,12 @@ OPTIONS
\ **-n|-**\ **-newbmcpw**\
New BMC user password.
\ **-h|-**\ **-help**\
Display usage message
@ -165,6 +171,14 @@ Output is similar to:
bmcdiscover -s nmap --range "10.4.22-23.100-254" -w -z
5. Discover the BMC with the specified IP address, change its default BMC password and display in xCAT stanza format:
.. code-block:: perl
bmcdiscover --range "10.4.22-23.100" -u root -p 0penBmc -n 0penBmc123 -z
********
SEE ALSO


@ -8,7 +8,7 @@ B<bmcdiscover> [B<-?>|B<-h>|B<--help>]
B<bmcdiscover> [B<-v>|B<--version>]
B<bmcdiscover> B<--range> I<ip_ranges> [B<--sn> I<SN_nodename>] [B<-s> I<scan_method>] [B<-u> I<bmc_user>] [B<-p> I<bmc_passwd>] [B<-z>] [B<-w>]
B<bmcdiscover> B<--range> I<ip_ranges> [B<--sn> I<SN_nodename>] [B<-s> I<scan_method>] [B<-u> I<bmc_user>] [B<-p> I<bmc_passwd>] [B<-n> I<new_bmc_passwd>] [B<-z>] [B<-w>]
=head1 DESCRIPTION
@ -20,7 +20,7 @@ The command uses B<nmap> to scan active nodes over a specified IP range. The IP
B<Note:> The scan method currently supported is B<nmap>.
B<Note:> Starting on January 1, 2020, some newly shipped systems will require the default BMC password to be changed before they can be managed by xCAT. B<bmcdiscover> will not be able to discover such systems. Run I</opt/xcat/share/xcat/scripts/BMC_change_password.sh> script to change the default password for BMCs in specified range, then rerun B<bmcdiscover> with B<-p "new bmc password"> flag to discover systems with the changed password.
B<Note:> Starting on January 1, 2020, some newly shipped systems will require the default BMC password to be changed before they can be managed by xCAT. Use B<bmcdiscover> with B<-n> option to specify new BMC password.
=head1 OPTIONS
@ -54,6 +54,10 @@ BMC user name.
BMC user password.
=item B<-n|--newbmcpw>
New BMC user password.
=item B<-h|--help>
Display usage message
@ -102,6 +106,10 @@ Output is similar to:
bmcdiscover -s nmap --range "10.4.22-23.100-254" -w -z
5. Discover the BMC with the specified IP address, change its default BMC password and display in xCAT stanza format:
bmcdiscover --range "10.4.22-23.100" -u root -p 0penBmc -n 0penBmc123 -z
=head1 SEE ALSO
L<lsslp(1)|lsslp.1>


@ -49,14 +49,14 @@ my $bmc_pass;
my $openbmc_user;
my $openbmc_pass;
my $done_num = 0;
$::P9_WITHERSPOON_MFG_ID = "42817";
$::P9_WITHERSPOON_PRODUCT_ID = "16975";
$::P9_MIHAWK_MFG_ID = "42817";
$::P9_MIHAWK_PRODUCT_ID = "1";
$::P9_AC922_MFG_ID = "42817"; #Witherspoon
$::P9_AC922_PRODUCT_ID = "16975";
$::P9_IC922_MFG_ID = "42817"; #Mihawk
$::P9_IC922_PRODUCT_ID = "1";
$::CHANGE_PW_REQUIRED="The password provided for this account must be changed before access is granted";
$::NO_SESSION="Unable to establish IPMI v2 / RMCP";
$::CHANGE_PW_INSTRUCTIONS_1="Run script '/opt/xcat/share/xcat/scripts/BMC_change_password.sh' to change default password";
$::CHANGE_PW_INSTRUCTIONS_2="Rerun 'bmcdiscover' command with '-p new_bmc_password' flag";
$::CHANGE_PW_INSTRUCTIONS_1="Rerun 'bmcdiscover' command with '-p default_bmc_password -n new_bmc_password' flag";
$::PW_PAM_VALIDATION="password value failed PAM validation checks";
$::NO_MFG_OR_PRODUCT_ID="Zeros returned for Manufacturer id and Product id";
%::VPDHASH = ();
my %node_in_list = ();
@ -203,7 +203,7 @@ sub bmcdiscovery_usage {
push @{ $rsp->{data} }, "Usage:";
push @{ $rsp->{data} }, "\tbmcdiscover [-?|-h|--help]";
push @{ $rsp->{data} }, "\tbmcdiscover [-v|--version]";
push @{ $rsp->{data} }, "\tbmcdiscover --range ip_range <ip_range> [--sn <SN_nodename>] [-s <scan_method>] [-u <bmc_user>] [-p <bmc_passwd>] [-z] [-w]\n";
push @{ $rsp->{data} }, "\tbmcdiscover --range ip_range <ip_range> [--sn <SN_nodename>] [-s <scan_method>] [-u <bmc_user>] [-p <bmc_passwd>] [-n <new_bmc_passwd>] [-z] [-w]\n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
return 0;
@ -248,6 +248,7 @@ sub bmcdiscovery_processargs {
'check' => \$::opt_C,
'bmcuser|u=s' => \$::opt_U,
'bmcpasswd|p=s' => \$::opt_P,
'newbmcpw|n=s' => \$::opt_N,
'ipsource' => \$::opt_S,
'version|v' => \$::opt_v,
't' => \$::opt_T,
@ -749,6 +750,7 @@ sub scan_process {
# Set child process default, if not the function runcmd may return error
$SIG{CHLD} = 'DEFAULT';
TRY_TO_DISCOVER:
my $bmcusername;
my $bmcpassword;
$bmcusername = "-U $bmc_user" if ($bmc_user);
@ -767,8 +769,8 @@ sub scan_process {
}
if ($mc_info =~ /Manufacturer ID\s*:\s*(\d+)\s*Manufacturer Name.+\s*Product ID\s*:\s*(\d+)/) {
xCAT::MsgUtils->trace(0, "D", "$log_label Found ${$live_ip}[$i] Manufacturer ID: $1 Product ID: $2");
if (($1 eq $::P9_WITHERSPOON_MFG_ID and $2 eq $::P9_WITHERSPOON_PRODUCT_ID) or
($1 eq $::P9_MIHAWK_MFG_ID and $2 eq $::P9_MIHAWK_PRODUCT_ID)) {
if (($1 eq $::P9_AC922_MFG_ID and $2 eq $::P9_AC922_PRODUCT_ID) or
($1 eq $::P9_IC922_MFG_ID and $2 eq $::P9_IC922_PRODUCT_ID)) {
bmcdiscovery_openbmc(${$live_ip}[$i], $opz, $opw, $request_command,$parent_fd,$2);
$is_openbmc = 1;
$is_ipmi = 0;
@ -781,8 +783,8 @@ sub scan_process {
}
else {
# System replied to mc info but not with either
# $::P9_WITHERSPOON_MFG_ID and $::P9_WITHERSPOON_PRODUCT_ID, or
# $::P9_MIHAWK_MFG_ID and $::P9_MIHAWK_PRODUCT_ID,
# $::P9_AC922_MFG_ID and $::P9_AC922_PRODUCT_ID, or
# $::P9_IC922_MFG_ID and $::P9_IC922_PRODUCT_ID,
# assume IPMI
$is_openbmc = 0;
$is_ipmi = 1;
@ -804,10 +806,32 @@ sub scan_process {
my $redfish_session_cmd = "curl -sD - --data '{\"UserName\":\"$openbmc_user\",\"Password\":\"$openbmc_pass\"}' -k -X POST https://${$live_ip}[$i]/redfish/v1/SessionService/Sessions";
my $redfish_session_info = xCAT::Utils->runcmd($redfish_session_cmd, -1);
if ($redfish_session_info =~ /$::CHANGE_PW_REQUIRED/) {
# RedFish session replied that password change is needed. Print instructions and exit
# RedFish session replied that password change is needed.
xCAT::MsgUtils->message("I", { data => ["${$live_ip}[$i]: $::CHANGE_PW_REQUIRED"] }, $::CALLBACK);
xCAT::MsgUtils->message("I", { data => ["$::CHANGE_PW_INSTRUCTIONS_1"] }, $::CALLBACK);
xCAT::MsgUtils->message("I", { data => ["$::CHANGE_PW_INSTRUCTIONS_2"] }, $::CALLBACK);
if ($::opt_N) {
# New password was passed in, use it to change the default (AC922 or IC922)
my $password_change_cmd = "curl -s -u $openbmc_user:$openbmc_pass --data '{\"Password\":\"$::opt_N\"}' -k -X PATCH https://${$live_ip}[$i]/redfish/v1/AccountService/Accounts/$openbmc_user";
my $password_changed = xCAT::Utils->runcmd($password_change_cmd, -1);
if (! $password_changed) {
# No output from change password command, assume success
xCAT::MsgUtils->message("I", { data => ["${$live_ip}[$i]: Password changed."] }, $::CALLBACK);
$openbmc_pass = $::opt_N; # Set new password
$bmc_pass = $::opt_N; # Set new password
goto TRY_TO_DISCOVER; # Attempt discover with changed password
}
elsif ($password_changed =~ /$::PW_PAM_VALIDATION/) {
# Output from change password command indicates pw validation error
xCAT::MsgUtils->message("I", { data => ["Can not change password - $::PW_PAM_VALIDATION"] }, $::CALLBACK);
}
else {
# Some unexpected output changing the password - report error and show output
xCAT::MsgUtils->message("I", { data => ["Unable to change password - $password_changed"] }, $::CALLBACK);
}
}
else {
# New password was not passed in, print instruction message and exit
xCAT::MsgUtils->message("I", { data => ["$::CHANGE_PW_INSTRUCTIONS_1"] }, $::CALLBACK);
}
}
}
}
@ -1357,7 +1381,11 @@ sub bmcdiscovery_openbmc{
$node_data .= ",$serial";
if ($::opt_P) {
if ($::opt_U) {
$node_data .= ",$::opt_U,$::opt_P";
if ($::opt_N) {
$node_data .= ",$::opt_U,$::opt_N"; # Display the new changed password
} else {
$node_data .= ",$::opt_U,$::opt_P";
}
} else {
$node_data .= ",,$::opt_P";
}
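Review bot: In the scan_process hunk that adds `$password_change_cmd`, `$::opt_N` is interpolated directly into a command string, so a password containing `'` ends the shell quoting and one containing `"` or `\` corrupts the JSON body; the `-u $openbmc_user:$openbmc_pass` argument is not quoted at all. Assuming `xCAT::Utils->runcmd` hands the string to a shell, the value should be escaped for both JSON and the shell before the command is built, or the body should be passed to curl on stdin (`--data @-`) if runcmd allows it, which would also keep the new password out of the process list. The `goto TRY_TO_DISCOVER` retry has no attempt limit, so a BMC that returns empty output for the PATCH but still answers with `$::CHANGE_PW_REQUIRED` would presumably loop; a one-shot flag declared above the label and checked before the PATCH would bound it. The body of scan_process extends outside the visible hunks, so an existing guard may not be shown here.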

View File

@ -22,6 +22,9 @@ if [ $# -le 3 ]; then
Change the default root or ADMIN password of the BMC to the one
specified by '-n' flag. Use the same password when discovering new
BMCs, by passing it with '[-p|--bmcpasswd]' option to 'bmcdiscover' command.
Note: Starting with xCAT 2.16, the changing of default BMC passwords
can also be done with '-n' option for 'bmcdiscover' command.
"
echo "Usage:"
echo " $0 -r <ip_ranges> -n <new BMC Password> "
@ -63,8 +66,8 @@ UNAUTHORIZED="Unauthorized"
for name in `cat /tmp/$$.ip.list`
do
## Look for Witherspoon first
SYSTEM_TYPE="Witherspoon"
## Look for OpenBMC (Witherspoon or Mihawk) first
SYSTEM_TYPE="OpenBMC"
PasswordChangeNeeded=`curl -sD - --data '{"UserName":"'"$WITHERSPOON_DEFAULT_USER"'","Password":"'"$WITHERSPOON_DEFAULT_PW"'"}' -k -X POST https://$name/redfish/v1/SessionService/Sessions`
if [[ "$PasswordChangeNeeded" =~ "$CHANGE_PW_REQUIRED" ]]; then
@ -74,7 +77,7 @@ do
echo "$name: Can not change password for $SYSTEM_TYPE system - $PW_PAM_VALIDATION"
elif [[ -z "$PasswordChanged" ]]; then
# If no output, password change was successful
echo "$name: Password for $SYSTEM_TYPE system changed. It might take up to 5 minutes for the BMC to update."
echo "$name: Password for $SYSTEM_TYPE system changed."
else
# Some unexpected output changing the password - report error and show output
echo "$name: Unable to change password for $SYSTEM_TYPE system - $PasswordChanged"
@ -83,8 +86,8 @@ do
continue
fi
## Look for Boston next
SYSTEM_TYPE="Boston"
## Look for IPMI managed (Boston) next
SYSTEM_TYPE="IPMI"
PasswordChangeNeeded=`curl -sD - --data '{"UserName":"'"$BOSTON_DEFAULT_USER"'","Password":"'"$BOSTON_DEFAULT_PW"'"}' -k -X POST https://$name/redfish/v1/SessionService/Sessions`
if [[ "$PasswordChangeNeeded" =~ "$CHANGE_PW_REQUIRED" ]]; then
echo "$name: Password change needed for $SYSTEM_TYPE system"