From c2c29970ff975839aa247cbdae4dc82f9be8b8b8 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 13 Jan 2014 10:50:00 -0500
Subject: [PATCH 1/4] Make IPMI 2.0 crypto dependencies mandatory Faced with an increasing population of IPMI 2 only devices, make the AES/CBC requirements mandatory as it is a common source of systems failing to work now.
---
 xCAT-server/lib/perl/xCAT/IPMI.pm | 28 ++++++++--------------------
 1 file changed, 8 insertions(+), 20 deletions(-)
diff --git a/xCAT-server/lib/perl/xCAT/IPMI.pm b/xCAT-server/lib/perl/xCAT/IPMI.pm
index 9252005ca..05577424b 100644
--- a/xCAT-server/lib/perl/xCAT/IPMI.pm
+++ b/xCAT-server/lib/perl/xCAT/IPMI.pm
@@ -66,14 +66,9 @@ else {
 1;
 };
 }
-my $aessupport;
-if ($ipmi2support) {
- $aessupport = eval {
- require Crypt::Rijndael;
- require Crypt::CBC;
- 1;
- };
-}
+use Crypt::Rijndael;
+use Crypt::CBC;
+
 sub hexdump {
 foreach (@_) {
 printf "%02X ",$_;
@@ -383,10 +378,7 @@ sub open_rmcpplus_request {
 @sidbytes,
 0,0,0,8,1,0,0,0, #table 13-17, request sha
 1,0,0,8,1,0,0,0); #sha integrity
- if ($aessupport) {
- push @payload,(2,0,0,8,1,0,0,0);
- } else {
- push @payload,(2,0,0,8,0,0,0,0);
+ push @payload,(2,0,0,8,1,0,0,0); # aes
 }
 $self->{sessionestablishmentcontext} = STATE_OPENSESSION;
 $self->sendpayload(payload=>\@payload,type=>$payload_types{'rmcpplusopenreq'});
@@ -803,9 +795,7 @@ sub got_rakp4 {
 }
 $self->{sessionid} = $self->{pendingsessionid};
 $self->{integrityalgo}='sha1';
- if ($aessupport) {
- $self->{confalgo} = 'aes';
- }
+ $self->{confalgo} = 'aes';
 $self->{sequencenumber}=1;
 $self->{sequencenumberbytes}=[1,0,0,0];
 $self->{sessionestablishmentcontext} = STATE_ESTABLISHED; #will move on to relying upon session sequence number
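Review bot: The new unconditional `use Crypt::Rijndael; use Crypt::CBC;` in the first hunk turns a missing module into a compile-time failure of all of IPMI.pm, yet the diffstat shows no packaging change to go with it. If the package metadata does not already list both modules as hard requirements, an upgraded install would lose IPMI support entirely rather than degrade, so that requirement should land with this commit. The probe that sets `$ipmi2support` just above (only its tail is visible as context) appears to stay optional, which leaves the two crypto checks inconsistent. A why-comment above the two lines would help: `# AES-CBC-128 confidentiality is always requested for RMCP+ sessions, so these are hard requirements`.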
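Review bot: In the open_rmcpplus_request hunk the closing `}` of the removed `if`/`else` survives as a context line, so the file has an unbalanced brace at this commit; patch 2/4 on this page deletes it. Squashing 2/4 into this commit would keep every revision loadable when bisecting. The `# aes` comment could also record the behavioural change, for example `# confidentiality: AES-CBC-128 only; algorithm 0 (none) is no longer offered`. The sub's body starts above the hunk.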
@@ -863,11 +853,9 @@ sub got_rakp2 {
 }
 $self->{sik} = hmac_sha1(pack("C*",@{$self->{randomnumber}},@{$self->{remoterandomnumber}},4,$ulength,@user),$self->{password});
 $self->{k1} = hmac_sha1(pack("C*",1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1),$self->{sik});
- if ($aessupport) {
- $self->{k2} = hmac_sha1(pack("C*",2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2),$self->{sik});
- my @aeskey = unpack("C*",$self->{k2});
- $self->{aeskey} = pack("C*",(splice @aeskey,0,16));
- }
+ $self->{k2} = hmac_sha1(pack("C*",2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2),$self->{sik});
+ my @aeskey = unpack("C*",$self->{k2});
+ $self->{aeskey} = pack("C*",(splice @aeskey,0,16));
 $self->{sessionestablishmentcontext} = STATE_EXPECTINGRAKP4;
 $self->send_rakp3();
 return 0;
From d25680575d502eaa4cfa3f687a76ea46fe2c3692 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 4 Feb 2014 10:26:57 -0500
Subject: [PATCH 2/4] Correct } mistake in previous commit to IPMI.pm
---
 xCAT-server/lib/perl/xCAT/IPMI.pm | 1 -
 1 file changed, 1 deletion(-)
diff --git a/xCAT-server/lib/perl/xCAT/IPMI.pm b/xCAT-server/lib/perl/xCAT/IPMI.pm
index 05577424b..fe2b1114a 100644
--- a/xCAT-server/lib/perl/xCAT/IPMI.pm
+++ b/xCAT-server/lib/perl/xCAT/IPMI.pm
@@ -379,7 +379,6 @@ sub open_rmcpplus_request {
 0,0,0,8,1,0,0,0, #table 13-17, request sha
 1,0,0,8,1,0,0,0); #sha integrity
 push @payload,(2,0,0,8,1,0,0,0); # aes
- }
 $self->{sessionestablishmentcontext} = STATE_OPENSESSION;
 $self->sendpayload(payload=>\@payload,type=>$payload_types{'rmcpplusopenreq'});
 }
From 7f39eb7fe4d3ed257c967d97a8db7baacce29607 Mon Sep 17 00:00:00 2001
From: lissav
Date: Wed, 5 Feb 2014 08:39:46 -0500
Subject: [PATCH 3/4] new zone table and zonename attribute
---
 perl-xCAT/xCAT/Schema.pm | 43 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 41 insertions(+), 2 deletions(-)
diff --git a/perl-xCAT/xCAT/Schema.pm b/perl-xCAT/xCAT/Schema.pm
index ae79728ec..235a60ee4 100755
--- a/perl-xCAT/xCAT/Schema.pm
+++ b/perl-xCAT/xCAT/Schema.pm
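Review bot: The AES key derivation in the got_rakp2 hunk round-trips K2 through a byte array only to keep its first 16 bytes; `$self->{aeskey} = substr($self->{k2}, 0, 16);` yields the same bytes from the string hmac_sha1 returns and drops the `@aeskey` temporary. The twenty-element constant could likewise be written `"\x02" x 20` (and `"\x01" x 20` for K1 in the context line above) so the length is visible at a glance. A short comment such as `# AES-128 key is the first 16 bytes of K2` would document why 16 appears here. The body of got_rakp2 begins outside the hunk.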
@@ -558,7 +558,7 @@ nodehm => {
 },
 },
 nodelist => {
- cols => [qw(node groups status statustime appstatus appstatustime primarysn hidden updatestatus updatestatustime comments disable)],
+ cols => [qw(node groups status statustime appstatus appstatustime primarysn hidden updatestatus updatestatustime zonename comments disable)],
 keys => [qw(node)],
 tablespace =>'XCATTBS32K',
 table_desc => "The list of all the nodes in the cluster, including each node's current status and what groups it is in.",
@@ -573,6 +573,7 @@ nodelist => {
 hidden => "Used to hide fsp and bpa definitions, 1 means not show them when running lsdef and nodels",
 updatestatus => "The current node update status. Valid states are synced, out-of-sync,syncing,failed.",
 updatestatustime => "The date and time when the updatestatus was updated.",
+ zonename => "The name of the zone to which the node is currently assigned. If undefined, then it is not assigned to any zone. ",
 comments => 'Any user-written notes.',
 disable => "Set to 'yes' or '1' to comment out this row.",
 },
@@ -1193,6 +1194,18 @@ performance => {
 disable => "Set to 'yes' or '1' to comment out this row.",
 },
 },
+zone => {
+ cols => [qw(zonename sshkeydir defaultzone comments disable)],
+ keys => [qw(zonename)],
+ table_desc => 'Defines a cluster zone for nodes that share root ssh key access to each other.',
+ descriptions => {
+ zonename => 'The name of the zone.',
+ sshkeydir => 'Directory containing the shared root ssh RSA keys.',
+ defaultzone => 'If nodes are not assigned to any other zone, they will default to this zone. If value is set to yes or 1.',
+ comments => 'Any user-provided notes.',
+ disable => "Set to 'yes' or '1' to comment out this row.",
+ },
+ },
 eventlog => {
 cols => [qw(recid eventtime eventtype monitor monnode node application component id severity message rawdata comments disable)],
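Review bot: The new `zone` table's `sshkeydir` column names a directory holding shared root SSH keys, but nothing in this patch states what ownership and permissions that directory must have, or whether the stored path is validated before use. Every node in a zone trusts those keys, so the description should spell out the expectation, for example `sshkeydir => 'Directory containing the shared root ssh RSA keys. Must be owned by root and not readable by other users.'`. The `defaultzone` description also ends in a sentence fragment; `'Set to yes or 1 to make this the zone used for nodes that are not assigned to any other zone.'` reads more clearly.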
@@ -1630,6 +1643,7 @@ foreach my $tabname (keys(%xCAT::ExtTab::ext_tabspec)) {
 rack => { attrs => [], attrhash => {}, objkey => 'rackname' },
 osdistro=> { attrs => [], attrhash => {}, objkey => 'osdistroname' },
 osdistroupdate=> { attrs => [], attrhash => {}, objkey => 'osupdatename' },
+ zone=> { attrs => [], attrhash => {}, objkey => 'zonename' },
 );
@@ -2612,7 +2626,11 @@ my @nodeattrs = (
 {attr_name => 'updatestatustime',
 tabentry => 'nodelist.updatestatustime',
 access_tabentry => 'nodelist.node=attr:node',
- },
+ },
+ {attr_name => 'zonename',
+ tabentry => 'nodelist.zonename',
+ access_tabentry => 'nodelist.node=attr:node',
+ },
 {attr_name => 'usercomment',
 tabentry => 'nodelist.comments',
 access_tabentry => 'nodelist.node=attr:node',
@@ -3066,6 +3084,27 @@ push(@{$defspec{node}->{'attrs'}}, @nodeattrs);
 access_tabentry => 'rack.rackname=attr:rackname',
 },
 );
+####################
+# zone table #
+####################
+@{$defspec{zone}->{'attrs'}} = (
+ {attr_name => 'zonename',
+ tabentry => 'zone.zonename',
+ access_tabentry => 'zone.zonename=attr:zonename',
+ },
+ {attr_name => 'sshkeydir',
+ tabentry => 'zone.sshkeydir',
+ access_tabentry => 'zone.zonename=attr:zonename',
+ },
+ {attr_name => 'defaultzone',
+ tabentry => 'zone.defaultzone',
+ access_tabentry => 'zone.zonename=attr:zonename',
+ },
+ {attr_name => 'usercomment',
+ tabentry => 'zone.comments',
+ access_tabentry => 'zone.zonename=attr:zonename',
+ },
+ );
 #########################
 # route data object #
 #########################
From 56556bdeec338013578324f4735423c133affa05 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 7 Feb 2014 17:37:56 -0500
Subject: [PATCH 4/4] Fix xCAT init script status reporting xCAT in some cases was reporting improper status for certain scenarios. Risk being inaccure if no pid file exists so that it is accurate when it does exist.
---
 xCAT-server/etc/init.d/xcatd | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/xCAT-server/etc/init.d/xcatd b/xCAT-server/etc/init.d/xcatd
index 282f360a5..493582c2c 100755
--- a/xCAT-server/etc/init.d/xcatd
+++ b/xCAT-server/etc/init.d/xcatd
@@ -37,7 +37,12 @@ RHFailure()
 }
 MStatus()
 {
- ps ax|grep -v grep|grep xcatd: > /dev/null 2>&1
+ PID=`cat /var/run/xcatd.pid`
+ if [ -z "$PID" ]; then
+ echo "xCAT service is not running"
+ return 3
+ fi
+ ps $PID|grep xcatd: > /dev/null 2>&1
 if [ "$?" = "0" ]; then
 RVAL=0
 echo "xCAT service is running"
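Review bot: The added `cat /var/run/xcatd.pid` in MStatus prints a cat error to the console whenever the pid file is missing, and the unquoted `ps $PID` hands whatever the file contains to ps as separate arguments. Reading with `PID=$(cat /var/run/xcatd.pid 2>/dev/null)` and checking with `ps -p "$PID" -o args= | grep -q xcatd:` keeps the status output clean and treats the file content as a single PID. As the commit message acknowledges, a daemon running without a pid file is now reported as stopped; a comment in the function saying so would spare the next reader a surprise. MStatus continues past the end of the hunk.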