Configuring IPMI under Linux using ipmitool

http://www.thomas-krenn.com/en/wiki/Configuring_IPMI_under_Linux_using_ipmitool

Configuring IPMI under Linux using ipmitool

 

 

Main Page > Network+Accessories > Remote Management > IPMI

Under Linux, the ipmitool command (http://ipmitool.sourceforge.net/) can be used for configuring IPMI for a server.

Contents

[hide] 

• 1 Hardware and Software Requirements
• 2 LAN Configuration
  • 2.1 ipmitool lan print 1
• 3 User Configuration
  • 3.1 Users at the USER Privilege Level

Hardware and Software Requirements

The following example will show how to configure IPMI on a Linux server. The /dev/ipmi0 device file must exist so that configuration can be carried out. If it does not exist, you can create it as follows:

• under SuSE, Red Hat or CentOS: /etc/init.d/ipmi start (requires the OpenIMPI package. The OpenIPMI-tools package will be required later, as well.)
• under Debian 4: /usr/share/ipmitool/ipmi.init.basic (If the error message, ipmi_kcs_drv not found, appears, you will have to comment the corresponding if-condition out, see also [1].)
• under Debian 5: modprobe ipmi_devintf; modprobe ipmi_si

The approach described below has been tested on an Intel SR2500 under CentOS 4 using ipmitool version 1.8.7. In principle, the configuration should be configured similarly on other systems with IPMI support.

LAN Configuration

The first IPMI LAN channel will now be configured. Thereby, the configured IP address can be accessed at the first LAN port for the server. For the default gateway, both its IP address and MAC address must be configured.

[root@sr2500 ~]# ipmitool lan set 1 ipsrc static
[root@sr2500 ~]# ipmitool lan set 1 ipaddr 192.168.1.211
Setting LAN IP Address to 192.168.1.211
[root@sr2500 ~]# ipmitool lan set 1 netmask 255.255.255.0
Setting LAN Subnet Mask to 255.255.255.0
[root@sr2500 ~]# ipmitool lan set 1 defgw ipaddr 192.168.1.254
Setting LAN Default Gateway IP to 192.168.1.254
[root@sr2500 ~]# ipmitool lan set 1 defgw macaddr 00:0e:0c:aa:8e:13
Setting LAN Default Gateway MAC to 00:0e:0c:aa:8e:13
[root@sr2500 ~]# ipmitool lan set 1 arp respond on
Enabling BMC-generated ARP responses
[root@sr2500 ~]# ipmitool lan set 1 auth ADMIN MD5
[root@sr2500 ~]# ipmitool lan set 1 access on

When configuring LANs, older versions of ipmitool would not automatically reset Set in Progress to Set Complete. This can be done manually using a raw command (regarding this, see http://www.mail-archive.com/ipmitool-devel@lists.sourceforge.net/msg00095.html)

[root@sr2500 ~]# ipmitool lan print 1
Set in Progress         : Set In Progress
[...]
[root@sr2500 ~]# ipmitool raw 0x0c 1 1 0 0

ipmitool lan print 1

You can check the configuration using ipmitool lan print 1.

[root@sr2500 ~]# ipmitool lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD5 PASSWORD
Auth Type Enable        : Callback :
                        : User     :
                        : Operator :
                        : Admin    : MD5
                        : OEM      :
IP Address Source       : Static Address
IP Address              : 192.168.1.211
Subnet Mask             : 255.255.255.0
MAC Address             : 00:0e:0c:ea:92:a2
SNMP Community String   :
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 2.0 seconds
Default Gateway IP      : 192.168.1.254
Default Gateway MAC     : 00:0e:0c:aa:8e:13
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
RMCP+ Cipher Suites     : None
Cipher Suite Priv Max   : XXXXXXXXXXXXXXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
[root@sr2500 ~]#

User Configuration

A user will now be setup with admin rights.

[root@sr2500 ~]# ipmitool user set name 2 admin
[root@sr2500 ~]# ipmitool user set password 2
Password for user 2:
Password for user 2:
[root@sr2500 ~]# ipmitool channel setaccess 1 2 link=on ipmi=on callin=on privilege=4
[root@sr2500 ~]# ipmitool user enable 2
[root@sr2500 ~]#

The server can now be controlled by this user as described in Using ipmitool for Remote Control of Servers.

Users at the USER Privilege Level

If a user should only be used for querying sensor data, a custom privilege level can be setup for that. This user does not then have any rights for activating or deactivating the server, for example. A user named monitor will be created for this in the following example:

[root@sr2500 ~]# ipmitool user set name 3 monitor
[root@sr2500 ~]# ipmitool user set password 3
Password for user 3:
Password for user 3:
[root@sr2500 ~]# ipmitool channel setaccess 1 3 link=on ipmi=on callin=on privilege=2
[root@sr2500 ~]# ipmitool user enable 3
[root@sr2500 ~]# ipmitool channel getaccess 1 3
Maximum User IDs     : 15
Enabled User IDs     : 2

User ID              : 3
User Name            : monitor
Fixed Name           : No
Access Available     : call-in / callback
Link Authentication  : enabled
IPMI Messaging       : enabled
Privilege Level      : USER
[root@sr2500 ~]#

The importance of the various privilege numbers will be displayed when ipmitool channel is called without any additional parameters:

[root@sr2500 ~]# ipmitool channel
Channel Commands: authcap   <channel number> <max privilege>
                  getaccess <channel number> [user id]
                  setaccess <channel number> <user id> [callin=on|off] [ipmi=on|off] [link=on|off] [privilege=level]
                  info      [channel number]
                  getciphers <ipmi | sol> [channel]

Possible privilege levels are:
   1   Callback level
   2   User level
   3   Operator level
   4   Administrator level
   5   OEM Proprietary level
  15   No access
[root@sr2500 ~]#

The user just created (named 'monitor') has been assigned the USER privilege level. So that LAN access is allowed for this user, you must activate MD5 authentication for LAN access for this user group (USER privilege level):

[root@sr2500 ~]# ipmitool lan set 1 auth USER MD5
[root@sr2500 ~]#

MD5 will now also be listed as User Auth Type Enable for LAN Channel 1:

[root@sr2500 ~]# ipmitool lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD5 PASSWORD
Auth Type Enable        : Callback :
                        : User     : MD5
                        : Operator :
                        : Admin    : MD5
                        : OEM      :
IP Address Source       : Static Address
IP Address              : 192.168.1.211
Subnet Mask             : 255.255.255.0
MAC Address             : 00:0e:0c:ea:92:a2
SNMP Community String   :
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 2.0 seconds
Default Gateway IP      : 192.168.1.254
Default Gateway MAC     : 00:0e:0c:aa:8e:13
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : XXXXXXXXXXXXXXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
[root@sr2500 ~]#

Please specify the option "-L USER" for ipmitool when using a user with USER privilege. Otherwise you will get an error message stating:

Activate Session error: Requested privilege level exceeds limit

---

Author: Werner Fischer