diff --git a/xCAT-genesis-scripts/bin/bmcsetup b/xCAT-genesis-scripts/bin/bmcsetup
index 7ef181c4e..c1651f364 100755
--- a/xCAT-genesis-scripts/bin/bmcsetup
+++ b/xCAT-genesis-scripts/bin/bmcsetup
@@ -300,222 +300,241 @@ done let idev=NUMBMCS-1 for bmcu in $BMCUS; do - if [ "$bmcu" = "" ]; then continue; fi -DISABLEUSERS="1 2 3 4" -if [ ! -z "$LOCKEDUSERS" ]; then - # Get the User Slots - USERSLOT=`ipmitool -d $idev user list $LANCHAN |grep -v ^ID|awk '{print $1 " " $2}'|grep -w "$BMCUS"|awk '{print $1}'` - if [ -z "$USERSLOT" ]; then - USERSLOT=4 + if [ "$bmcu" = "" ]; then + continue + fi + DISABLEUSERS="1 2 3 4" + if [ ! -z "$LOCKEDUSERS" ]; then + # Get the User Slots + USERSLOT=`ipmitool -d $idev user list $LANCHAN |grep -v ^ID|awk '{print $1 " " $2}'|grep -w "$BMCUS"|awk '{print $1}'` + if [ -z "$USERSLOT" ]; then + USERSLOT=4 + fi + else + USERSLOT=2 + fi + if [ "$ISITE" = 1 ]; then + allowcred.awk & + CREDPID=$! + while ! remoteimmsetup + do + logger -s -t $log_label -p local4.info "Waiting for xCAT remote configuration of service processor via CMM.." + done + kill $CREDPID fi -else - USERSLOT=2 -fi -if [ "$ISITE" = 1 ]; then - allowcred.awk & - CREDPID=$! - while ! remoteimmsetup - do - logger -s -t $log_label -p local4.info "Waiting for xCAT remote configuration of service processor via CMM.." - done - kill $CREDPID -fi -# Get the specified user -CURRENTUSER=`ipmitool -d $idev user list $LANCHAN|grep ^$USERSLOT|awk '{print $2}'` -DISABLEUSERS=`echo 1 2 3 4|sed -e s/$USERSLOT//` -logger -t $log_label -p local4.info "CURRENTUSER is $CURRENTUSER, DISABLEUSERS is $DISABLEUSERS" -for user in $DISABLEUSERS; do - # Disable the non-specified user - while ! ipmitool -d $idev user disable $user; do + # Get the specified user + CURRENTUSER=`ipmitool -d $idev user list $LANCHAN|grep ^$USERSLOT|awk '{print $2}'` + DISABLEUSERS=`echo 1 2 3 4|sed -e s/$USERSLOT//` + logger -t $log_label -p local4.info "CURRENTUSER=$CURRENTUSER, DISABLEUSERS=$DISABLEUSERS" + for user in $DISABLEUSERS; do + # Disable the non-specified user + while ! 
ipmitool -d $idev user disable $user; do + sleep 1 + let TRIES=TRIES+1 + if [ $TRIES -gt $TIMEOUT ]; then break; fi + done + TRIES=0 + done + TRIES=0 + # Enable the specified user + while ! ipmitool -d $idev user enable $USERSLOT; do sleep 1 let TRIES=TRIES+1 if [ $TRIES -gt $TIMEOUT ]; then break; fi done TRIES=0 -done -TRIES=0 -# Enable the specified user -while ! ipmitool -d $idev user enable $USERSLOT; do - sleep 1 - let TRIES=TRIES+1 - if [ $TRIES -gt $TIMEOUT ]; then break; fi -done -TRIES=0 -# Last param in ipmitool user priv is the channel to set it on. -# Penguin boxes are all channel 2 -# -# Get privilege for the specified user -# -CURRPRIV=`ipmitool -d $idev user list $LANCHAN|grep ^$USERSLOT|awk '{print $6}'` -logger -t $log_label -p local4.info "CURRPRIV is $CURRPRIV" -if [ "$CURRPRIV" != "ADMINISTRATOR" ]; then - # Set the ADMIN privilege for the specified user - while ! ipmitool -d $idev user priv $USERSLOT 4 $LANCHAN; do - sleep 1 - let TRIES=TRIES+1 - if [ $TRIES -gt $TIMEOUT ]; then break; fi - done + # Last param in ipmitool user priv is the channel to set it on. + # Penguin boxes are all channel 2 + # + # Get privilege for the specified user + # + CURRPRIV=`ipmitool -d $idev user list $LANCHAN|grep ^$USERSLOT|awk '{print $6}'` + logger -t $log_label -p local4.info "CURRPRIV=$CURRPRIV" + if [ "$CURRPRIV" != "ADMINISTRATOR" ]; then + # Set the ADMIN privilege for the specified user + while ! ipmitool -d $idev user priv $USERSLOT 4 $LANCHAN; do + sleep 1 + let TRIES=TRIES+1 + if [ $TRIES -gt $TIMEOUT ]; then break; fi + done + fi TRIES=0 -fi -TRIES=0 -# Enable the channel link for the specified user -while ! ipmitool -d $idev channel setaccess $LANCHAN $USERSLOT link=on; do - sleep 1 - let TRIES=TRIES+1 - if [ $TRIES -gt $TIMEOUT ]; then break; fi -done -TRIES=0 -if [ "$CURRENTUSER" != "$bmcu" ]; then - # Change the user name, if necessary - while ! 
ipmitool -d $idev user set name $USERSLOT $bmcu; do + # Enable the channel link for the specified user + while ! ipmitool -d $idev channel setaccess $LANCHAN $USERSLOT link=on; do sleep 1 let TRIES=TRIES+1 if [ $TRIES -gt $TIMEOUT ]; then break; fi done -fi -let idev=idev-1 + TRIES=0 + if [ "$CURRENTUSER" != "$bmcu" ]; then + # Change the user name, if necessary + while ! ipmitool -d $idev user set name $USERSLOT $bmcu; do + sleep 1 + let TRIES=TRIES+1 + if [ $TRIES -gt $TIMEOUT ]; then break; fi + done + fi + let idev=idev-1 done + let idev=NUMBMCS-1 for bmcp in $BMCPW; do if [ "$bmcp" = "" ]; then continue; fi -TRIES=0 -# Set the password for the specified user -while ! ipmitool -d $idev user set password $USERSLOT $bmcp; do - sleep 1 - let TRIES=TRIES+1 - if [ $TRIES -gt $TIMEOUT ]; then break; fi -done -TRIES=0 -logger -s -t $log_label -p local4.info "Set up following user table: " -# Display the user list -ipmitool -d $idev user list $LANCHAN -let idev=idev-1 + TRIES=0 + # Set the password for the specified user + while ! ipmitool -d $idev user set password $USERSLOT $bmcp; do + sleep 1 + let TRIES=TRIES+1 + if [ $TRIES -gt $TIMEOUT ]; then break; fi + done + TRIES=0 + logger -s -t $log_label -p local4.info "Set up following user table: " + # Display the user list + ipmitool -d $idev user list $LANCHAN + let idev=idev-1 done let idev=NUMBMCS while [ $idev -gt 0 ]; do -let idev=idev-1 - -logger -s -t $log_label -p local4.info "Enabling Channel $LANCHAN: " -# Set the non-volatile channel access: enable and privilege -while ! ipmitool -d $idev raw 0x6 0x40 $LANCHAN 0x42 0x44 > /dev/null; do - sleep 1 - let TRIES=TRIES+1 - if [ $TRIES -gt $TIMEOUT ]; then break; fi -done -TRIES=0 -# Set the volatile channel access: enable and privilege -while ! 
ipmitool -d $idev raw 0x6 0x40 $LANCHAN 0x82 0x84 > /dev/null; do - sleep 1 - let TRIES=TRIES+1 - if [ $TRIES -gt $TIMEOUT ]; then break; fi -done -if [ $TRIES -gt $TIMEOUT ]; then logger -s -t $log_label -p local4.err "ERROR"; else logger -s -t $log_label -p local4.info "OK"; fi -TRIES=0 - -logger -s -t $log_label -p local4.info "Enabling ARP responses: " -# enable the ARP response on the channel -while ! ipmitool -d $idev lan set $LANCHAN arp respond on > /dev/null; do - sleep 1 - let TRIES=TRIES+1 - echo -n "." - if [ $TRIES -gt $TIMEOUT ]; then break; fi -done -if [ $TRIES -gt $TIMEOUT ]; then logger -s -t $log_label -p local4.err "ERROR"; else logger -s -t $log_label -p local4.info "OK"; fi -TRIES=0 - -logger -s -t $log_label -p local4.info "Enabling IPMI v 1.5 MD5 LAN access:" -# Set the auth level to md5 for the channel -while ! ipmitool -d $idev lan set $LANCHAN auth admin md5 > /dev/null; do - sleep 1 - let TRIES=TRIES+1 - if [ $TRIES -gt $TIMEOUT ]; then break; fi -done -if [ $TRIES -gt $TIMEOUT ]; then logger -s -t $log_label -p local4.err "ERROR"; else logger -s -t $log_label -p local4.info "OK"; fi -TRIES=0 -if [ ! 
"$IPMIVER" == "1.5" ]; then - logger -s -t $log_label -p local4.info "Enabling IPMI v 2.0 LAN access: " - #the following goals: - #disable cipher suite 0 (if present, avoid password bypass) - #disable cipher suite 1 (if present, to avoid weaking Kg if used) - #enable cipher suite 2 (scenarios without perl Rijndael) - #enable cipher suite 3 - #ignore the rest - # - # Read the LAN info - # - ZEROIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '%0$'|sed -e 's/:.*//') - ONEIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '^1$'|sed -e 's/:.*//') - TWOIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '^2$'|sed -e 's/:.*//') - THREEIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '^3$'|sed -e 's/:.*//') - ACCESS=$(ipmitool lan print $LANCHAN|grep 'Cipher Suite Priv Max'|cut -d: -f 2|sed -e 's/ //g' -e 's/\(.\)/\1\n/g'|grep -v '^$') - NEWACCESS="" - logger -t $log_label -p local4.info "ZEROIDX is $ZEROIDX, ONEIDX is $ONEIDX, TWOIDX is $TWOIDX, THREEIDX is $THREEIDX, ACCESS is $ACCESS" - i=1 - for elem in $ACCESS; do - if [ $i = "$ZEROIDX" -o $i = "$ONEIDX" ]; then - NEWACCESS="$NEWACCESS"X - elif [ $i = "$TWOIDX" -o $i = "$THREEIDX" ]; then - #do not *downgrade* from OEM priv - if [ "$elem" != "O" ]; then NEWACCESS="$NEWACCESS"a; else NEWACCESS="$NEWACCESS"$elem; fi - else - NEWACCESS="$NEWACCESS"$elem - fi - i=$((i+1)) - done - # Set the cipher_privileges for the channel - if ipmitool lan set $LANCHAN cipher_privs $NEWACCESS > /dev/null; then - logger -s -t $log_label -p local4.info "OK" - else - logger -s -t $log_label -p local4.err "ERROR" - fi + let idev=idev-1 + logger -s -t $log_label -p local4.info "Enabling Channel $LANCHAN: " TRIES=0 - logger -s -t $log_label -p local4.info "Enabling SOL for channel $LANCHAN:" - # Enable the SOL for the channel - while ! 
ipmitool -d $idev raw 0xc 0x21 $LANCHAN 0x1 0x1 > /dev/null; do - sleep 1 - let TRIES=TRIES+1 - if [ $TRIES -gt $TIMEOUT ]; then break; fi - done - if [ $TRIES -gt $TIMEOUT ]; then logger -s -t $log_label -p local4.err "ERROR"; else logger -s -t $log_label -p local4.info "OK"; fi - TRIES=0 - - logger -s -t $log_label -p local4.info "Enabling SOL for $BMCUS:" - # Enable the SOL for the USER and set the payload 1 - while ! ipmitool -d $idev raw 6 0x4c $LANCHAN $USERSLOT 2 0 0 0 > /dev/null; do + # Set the non-volatile channel access: enable and privilege + while ! ipmitool -d $idev raw 0x6 0x40 $LANCHAN 0x42 0x44 > /dev/null; do sleep 1 let TRIES=TRIES+1 if [ $TRIES -gt $TIMEOUT ]; then break; fi done + TRIES=0 + # Set the volatile channel access: enable and privilege + while ! ipmitool -d $idev raw 0x6 0x40 $LANCHAN 0x82 0x84 > /dev/null; do + sleep 1 + let TRIES=TRIES+1 + if [ $TRIES -gt $TIMEOUT ]; then break; fi + done if [ $TRIES -gt $TIMEOUT ]; then - logger -s -t $log_label -p local4.err "ERROR Tried $TIMEOUT times, could not enable SOL for $BMCUS" + logger -s -t $log_label -p local4.err "ERROR - Setting the volatile channel access." + else + logger -s -t $log_label -p local4.info "OK" + fi + + logger -s -t $log_label -p local4.info "Enabling ARP responses: " + TRIES=0 + # enable the ARP response on the channel + while ! ipmitool -d $idev lan set $LANCHAN arp respond on > /dev/null; do + sleep 1 + let TRIES=TRIES+1 + echo -n . + if [ $TRIES -gt $TIMEOUT ]; then break; fi + done + if [ $TRIES -gt $TIMEOUT ]; then + logger -s -t $log_label -p local4.err "ERROR - Enabling ARP Responses." + else + logger -s -t $log_label -p local4.info "OK" + fi + + logger -s -t $log_label -p local4.info "Enabling IPMI v 1.5 MD5 LAN access:" + TRIES=0 + # Set the auth level to md5 for the channel + while ! 
ipmitool -d $idev lan set $LANCHAN auth admin md5 > /dev/null; do + sleep 1 + let TRIES=TRIES+1 + if [ $TRIES -gt $TIMEOUT ]; then break; fi + done + if [ $TRIES -gt $TIMEOUT ]; then + logger -s -t $log_label -p local4.err "ERROR - Enabling MD5 for the channel." else - logger -s -t $log_label -p local4.info "Enabling SOL for $BMCUS: OK" + logger -s -t $log_label -p local4.info "OK" fi -fi -# Cold reset the BMC -cold_reset_bmc ${XPROD} + if [ ! "$IPMIVER" == "1.5" ]; then + logger -s -t $log_label -p local4.info "Enabling IPMI v 2.0 LAN access: " + # the following goals: + # - disable cipher suite 0 (if present, avoid password bypass) + # - disable cipher suite 1 (if present, to avoid weaking Kg if used) + # - enable cipher suite 2 (scenarios without perl Rijndael) + # - enable cipher suite 3 + # - ignore the rest + # + # Read the LAN info + # + ZEROIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '%0$'|sed -e 's/:.*//') + ONEIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '^1$'|sed -e 's/:.*//') + TWOIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '^2$'|sed -e 's/:.*//') + THREEIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '^3$'|sed -e 's/:.*//') + ACCESS=$(ipmitool lan print $LANCHAN|grep 'Cipher Suite Priv Max'|cut -d: -f 2|sed -e 's/ //g' -e 's/\(.\)/\1\n/g'|grep -v '^$') + logger -t $log_label -p local4.info "ZEROIDX is $ZEROIDX, ONEIDX is $ONEIDX, TWOIDX is $TWOIDX, THREEIDX is $THREEIDX, ACCESS is $ACCESS" + NEWACCESS="" + i=1 + for elem in $ACCESS; do + if [ $i = "$ZEROIDX" -o $i = "$ONEIDX" ]; then + NEWACCESS="$NEWACCESS"X + elif [ $i = "$TWOIDX" -o $i = "$THREEIDX" ]; then + #do not *downgrade* from OEM priv + if [ "$elem" != "O" ]; then NEWACCESS="$NEWACCESS"a; else NEWACCESS="$NEWACCESS"$elem; fi + else + NEWACCESS="$NEWACCESS"$elem + fi + i=$((i+1)) + done + # 
Set the cipher_privileges for the channel + if ipmitool lan set $LANCHAN cipher_privs $NEWACCESS > /dev/null; then + logger -s -t $log_label -p local4.info "OK" + else + logger -s -t $log_label -p local4.info "ERROR - Setting cipher privileges for the channel." + fi -# update the node status to 'bmcready' -for parm in `cat /proc/cmdline`; do - key=`echo $parm|awk -F= '{print $1}'` - if [ "$key" = "xcatd" ]; then - XCATMASTER=`echo $parm|awk -F= '{print $2}'|awk -F: '{print $1}'` + logger -s -t $log_label -p local4.info "Enabling SOL for channel $LANCHAN:" + TRIES=0 + # Enable the SOL for the channel + while ! ipmitool -d $idev raw 0xc 0x21 $LANCHAN 0x1 0x1 > /dev/null; do + sleep 1 + let TRIES=TRIES+1 + if [ $TRIES -gt $TIMEOUT ]; then break; fi + done + if [ $TRIES -gt $TIMEOUT ]; then + logger -s -t $log_label -p local4.info "ERROR - Enabling SOL for the channel: $LANCHAN" + else + logger -s -t $log_label -p local4.info "OK" + fi + + TRIES=0 + logger -s -t $log_label -p local4.info "Enabling SOL for $BMCUS:" + # Enable the SOL for the USER and set the payload 1 + while ! ipmitool -d $idev raw 6 0x4c $LANCHAN $USERSLOT 2 0 0 0 > /dev/null; do + sleep 1 + let TRIES=TRIES+1 + if [ $TRIES -gt $TIMEOUT ]; then break; fi + done + if [ $TRIES -gt $TIMEOUT ]; then + logger -s -t $log_label -p local4.info "ERROR - Enabling SOL for BMC User: $BMCUS" + else + echo "OK" + fi fi -done -if [ ! -z "$XCATMASTER" ]; then - updateflag.awk $XCATMASTER 3002 "installstatus bmcready" -fi -logger -s -t $log_label -p local4.info "Lighting Identify Light" -while : - # Identify the server by turning on the LED light - do ipmitool -d $idev raw 0 4 10 > /dev/null - sleep 7 -done & + # Cold reset the BMC + cold_reset_bmc ${XPROD} + + # update the node status to 'bmcready' + for parm in `cat /proc/cmdline`; do + key=`echo $parm|awk -F= '{print $1}'` + if [ "$key" = "xcatd" ]; then + XCATMASTER=`echo $parm|awk -F= '{print $2}'|awk -F: '{print $1}'` + fi + done + if [ ! 
-z "$XCATMASTER" ]; then + updateflag.awk $XCATMASTER 3002 "installstatus bmcready" + fi + + logger -s -t $log_label -p local4.info "Lighting Identify Light" + while : + # Identify the server by turning on the LED light + do ipmitool -d $idev raw 0 4 10 > /dev/null + sleep 7 + done & done
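Review bot: In the IPMI v2.0 block, `ZEROIDX` is computed with `grep -n '%0$'` while the sibling lookups use `'^1$'`, `'^2$'` and `'^3$'`, so as shown it cannot match a bare `0` entry and cipher suite 0 is never marked `X`, contrary to the stated goal of disabling it; the pattern should be `grep -n '^0$'`. The failure branches for `cipher_privs` and both SOL steps are also lowered from `-p local4.err` to `-p local4.info` (and the final success branch becomes a bare `echo "OK"`), which hides a failed hardening step from anything that filters syslog on severity; keep `-p local4.err` on the ERROR lines and use `logger` for the last OK. The `ipmitool lan print` and `ipmitool lan set $LANCHAN cipher_privs` calls in the same block omit `-d $idev`, unlike the other calls in this loop, so on a node with several BMCs they presumably act on the default device only.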