NAME
ipmi-config - IPMI configuration file details
DESCRIPTION
Before many IPMI tools can be used over a network, a machine's Baseboard
Management Controller (BMC) must be configured. The configuration can be quite
daunting for those who do not know much about IPMI. This manpage hopes to
provide enough information on BMC configuration so that you can configure the
BMC for your system. When appropriate, typical BMC configurations will be
suggested.
The following is an example configuration file partially generated by running
the
--checkout option with the
ipmi-config(8) command. This
configuration comes from the
core category of configuration values (the
default). This example configuration should be sufficient for most users after
the appropriate local IP and MAC addresses are input. Following this example,
separate sections of this manpage will discuss the different sections of the
configuration file in more detail with explanations of how the BMC can be
configured for different environments.
Note that many options may or may not be available on your particular machine.
For example, Serial-Over-LAN (SOL) is available only on IPMI 2.0 machines.
Therefore, if you are looking to configure an IPMI 1.5 machine, many of the
SOL or IPMI 2.0 related options will be unavailable to you. The number of
configurable users may also vary for your particular machine.
The below configuration file and most of this manpage assume the user is
interested in configuring a BMC for use with IPMI over LAN. Various
configuration options from
ipmi-config(8) have been left out or skipped
because they are considered unnecessary. Future versions of this manpage will
try to include more information.
Section User1
## Give username
## Username NULL
## Give password or leave it blank to clear password
Password mypassword
## Possible values: Yes/No or blank to not set
Enable_User Yes
## Possible values: Yes/No
Lan_Enable_Ipmi_Msgs Yes
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
Lan_Privilege_Limit Administrator
## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
## Lan_Session_Limit
## Possible values: Yes/No
SOL_Payload_Access Yes
EndSection
Section User2
## Give username
Username user2
## Give password or leave it blank to clear password
Password userpass
## Possible values: Yes/No or blank to not set
Enable_User No
## Possible values: Yes/No
Lan_Enable_Ipmi_Msgs No
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
Lan_Privilege_Limit No_Access
## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
## Lan_Session_Limit
## Possible values: Yes/No
SOL_Payload_Access No
EndSection
Section Lan_Channel
## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
Volatile_Access_Mode Always_Available
## Possible values: Yes/No
Volatile_Enable_User_Level_Auth Yes
## Possible values: Yes/No
Volatile_Enable_Per_Message_Auth Yes
## Possible values: Yes/No
Volatile_Enable_Pef_Alerting No
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
Volatile_Channel_Privilege_Limit Administrator
## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
Non_Volatile_Access_Mode Always_Available
## Possible values: Yes/No
Non_Volatile_Enable_User_Level_Auth Yes
## Possible values: Yes/No
Non_Volatile_Enable_Per_Message_Auth Yes
## Possible values: Yes/No
Non_Volatile_Enable_Pef_Alerting No
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
Non_Volatile_Channel_Privilege_Limit Administrator
EndSection
Section Lan_Conf
## Possible values: Unspecified/Static/Use_DHCP/Use_BIOS/Use_Others
Ip_Address_Source Static
## Give valid IP Address
Ip_Address 192.168.1.100
## Give valid MAC Address
Mac_Address 00:0E:0E:FF:AA:12
## Give valid Subnet mask
Subnet_Mask 255.255.255.0
## Give valid IP Address
Default_Gateway_Ip_Address 192.168.1.1
## Give valid MAC Address
Default_Gateway_Mac_Address 00:0E:0E:FF:AA:18
## Give valid IP Address
Backup_Gateway_Ip_Address 192.168.1.2
## Give valid MAC Address
Backup_Gateway_Mac_Address 00:0E:0E:FF:AA:15
EndSection
Section Lan_Conf_Auth
## Possible values: Yes/No
Callback_Enable_Auth_Type_None No
## Possible values: Yes/No
Callback_Enable_Auth_Type_Md2 No
## Possible values: Yes/No
Callback_Enable_Auth_Type_Md5 No
## Possible values: Yes/No
Callback_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
Callback_Enable_Auth_Type_Oem_Proprietary No
## Possible values: Yes/No
User_Enable_Auth_Type_None No
## Possible values: Yes/No
User_Enable_Auth_Type_Md2 Yes
## Possible values: Yes/No
User_Enable_Auth_Type_Md5 Yes
## Possible values: Yes/No
User_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
User_Enable_Auth_Type_Oem_Proprietary No
## Possible values: Yes/No
Operator_Enable_Auth_Type_None No
## Possible values: Yes/No
Operator_Enable_Auth_Type_Md2 Yes
## Possible values: Yes/No
Operator_Enable_Auth_Type_Md5 Yes
## Possible values: Yes/No
Operator_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
Operator_Enable_Auth_Type_Oem_Proprietary No
## Possible values: Yes/No
Admin_Enable_Auth_Type_None No
## Possible values: Yes/No
Admin_Enable_Auth_Type_Md2 Yes
## Possible values: Yes/No
Admin_Enable_Auth_Type_Md5 Yes
## Possible values: Yes/No
Admin_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
Admin_Enable_Auth_Type_Oem_Proprietary No
## Possible values: Yes/No
Oem_Enable_Auth_Type_None No
## Possible values: Yes/No
Oem_Enable_Auth_Type_Md2 No
## Possible values: Yes/No
Oem_Enable_Auth_Type_Md5 No
## Possible values: Yes/No
Oem_Enable_Auth_Type_Straight_Password No
## Possible values: Yes/No
Oem_Enable_Auth_Type_Oem_Proprietary No
EndSection
Section Lan_Conf_Security_Keys
## Give string or blank to clear. Max 20 chars
K_G
EndSection
Section Lan_Conf_Misc
## Possible values: Yes/No
Enable_Gratuitous_Arps Yes
## Possible values: Yes/No
Enable_Arp_Response No
## Give valid number. Intervals are 500 ms.
Gratuitous_Arp_Interval 4
EndSection
Section Rmcpplus_Conf_Privilege
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_0 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_1 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_2 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_3 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_4 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_5 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_6 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_7 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_8 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_9 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_10 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_11 Unused
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_12 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_13 Administrator
## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
Maximum_Privilege_Cipher_Suite_Id_14 Administrator
EndSection
Section SOL_Conf
## Possible values: Yes/No
Enable_SOL Yes
## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
SOL_Privilege_Level Administrator
## Possible values: Yes/No
Force_SOL_Payload_Authentication Yes
## Possible values: Yes/No
Force_SOL_Payload_Encryption Yes
## Give a valid integer. Each unit is 5ms
Character_Accumulate_Interval 50
## Give a valid number
Character_Send_Threshold 100
## Give a valid integer
SOL_Retry_Count 5
## Give a valid integer. Interval unit is 10ms
SOL_Retry_Interval 50
## Possible values: Serial/9600/19200/38400/57600/115200
Non_Volatile_Bit_Rate 115200
## Possible values: Serial/9600/19200/38400/57600/115200
Volatile_Bit_Rate 115200
EndSection
Section User1, User2, ...
The
User sections of the BMC configuration file are for username
configuration for IPMI over LAN communication. The number of users available
to be configured on your system will vary by manufacturer. With the exception
of the Username for User1, all sections are identical.
The username(s) you wish to configure the BMC with are defined with
Username. The first username under Section User1 is typically the NULL
username and cannot be modified. The password for the username can be
specified with
Password. It can be left empty to define a NULL
password. Each user you wish to enable must be enabled through the
Enable_User configuration option. It is recommended that all usernames
have non-NULL passwords or be disabled for security reasons.
Lan_Enable_Ipmi_Msgs is used to enable or disable IPMI over LAN access
for the user. This should be set to "Yes" to allow IPMI over LAN
tools to work.
Lan_Privilege_Limit specifies the maximum privilege level the user
is allowed. Different IPMI commands have different privilege restrictions. For
example, determining the power status of a machine only requires the
"User" privilege level. However, power cycling requires the
"Operator" privilege. Typically, you will want to assign at least one
user a privilege limit of "Administrator" so that all system
functions are available to at least one user via IPMI over LAN. Every other
user should be given the lowest privilege limit that covers what it actually
needs to do.
Lan_Session_Limit specifies the number of simultaneous IPMI sessions
allowed for the user. Most users will wish to set this to "0" to
allow unlimited simultaneous IPMI sessions. This field is considered optional
by IPMI standards, and may result in errors when attempting to configure it to
a non-zero value. If errors do occur, setting the value back to 0 should
resolve the problem.
SOL_Payload_Access specifies if a particular user is allowed to connect
with Serial-Over-LAN (SOL). This should be set to "Yes" to allow
this username to use SOL.
The example configuration above disables "User2" but enables the
default "NULL" (i.e. anonymous) user. Many IPMI tools (both
open-source and vendor) do not allow the user to input a username and assume
the NULL username by default. If the tools you are interested in using allow
usernames to be input, then it is recommended that one of the non-NULL
usernames be enabled and the NULL username disabled for security reasons. It
is recommended that you disable the NULL username in section User1, so that
users are required to specify a username for IPMI over LAN communication. Note
that in the example the NULL user is enabled with a
Lan_Privilege_Limit of "Administrator", so anyone who knows its
password has full control of the BMC without supplying a username at all.
Some motherboards may require a
Username to be configured prior to other
fields being read/written. If this is the case, those fields will be set to
<username-not-set-yet>.
Section Lan_Channel
The Lan_Channel section configures a variety of IPMI over LAN configuration
parameters. Both
Volatile and
Non_Volatile configurations can be
set.
Volatile configurations are written to the BMC's active settings and
take effect immediately, but are lost at the next reset.
Non_Volatile
configurations are stored persistently and only take effect after the next
system reset. Generally, both
the
Volatile and
Non_Volatile should be configured identically; otherwise the settings in
force will silently change at the next reset.
The
Access_Mode parameter configures the availability of IPMI over LAN on
the system. Typically this should be set to "Always_Available" to
enable IPMI over LAN.
The
Privilege_Limit sets the maximum privilege any user of the system can
have when performing IPMI over LAN. This should be set to the maximum
privilege level configured to a username. Typically, this should be set to
"Administrator".
Typically
User_Level_Auth and
Per_Message_Auth should be set to
"Yes" for additional security. Disabling
User_Level_Auth
allows "User" privileged IPMI commands to be executed without
authentication. Disabling
Per_Message_Auth means that only the session activation is authenticated;
the individual IPMI messages sent afterwards in that session carry no
authentication code and are accepted on the basis of the session ID alone.
Section Lan_Conf
Those familiar with setting up networks should find most of the fields in this
section self explanatory. The example BMC configuration above illustrates the
setup of a static IP address. The field
Ip_Address_Source is configured
with "Static". The IP address, subnet mask, and gateway IP addresses
of the machine are respectively configured with the
Ip_Address,
Subnet_Mask,
Default_Gateway_Ip_Address, and
Backup_Gateway_Ip_Address fields. The respective MAC addresses for the
IP addresses are configured under
Mac_Address,
Default_Gateway_Mac_Address, and
Backup_Gateway_Mac_Address.
It is not required to set up the BMC
Ip_Address to be the same
address used by your operating system for that network interface.
However, if you choose to use a different address, an alternate ARP
configuration may need to be set up.
To instead set up your BMC network information via DHCP, the field
Ip_Address_Source should be configured with "Use_DHCP".
It is recommended that static IP addresses be configured for address resolution
reasons. See
Lan_Conf_Misc below for a more detailed explanation. Whichever
addressing you choose, the BMC address should sit on a management network that
is not reachable from general-purpose hosts.
Section Lan_Conf_Auth
This section determines what types of password authentication mechanisms are
allowed for users at different privilege levels under the IPMI 1.5 protocol.
The currently supported authentication methods for IPMI 1.5 are
None
(no username/password required),
Straight_Password (passwords are sent
in the clear),
MD2 (passwords are MD2 hashed), and
MD5
(passwords are MD5 hashed). Different usernames at different privilege levels
may be allowed to authenticate differently through this configuration. For
example, a username with "User" privileges may be allowed to
authenticate with a straight password, but a username with
"Administrator" privileges may only be allowed to authenticate with
MD5.
The above example configuration supports
MD2 and
MD5
authentication for all users at the "User", "Operator",
and "Administrator" privilege levels. All authentication mechanisms
have been disabled for the "Callback" privilege level.
Generally speaking, you do not want to allow any user to authenticate with
None or
Straight_Password for security reasons.
MD2 and
MD5 are not encryption or signature algorithms; they are hash functions that
IPMI 1.5 uses to compute an authentication code over the password, session ID,
message contents and sequence number, so the password itself never crosses the
wire. The IPMI message contents are still sent in the clear, and both digests
are weak by current standards; the IPMI 2.0 cipher suites (see
Rmcpplus_Conf_Privilege below) should be preferred where the BMC supports
them. If you have chosen to support the NULL username (enabled User1) and
NULL passwords (NULL password for User1), you will have to enable the
None authentication fields above to allow users to connect via
None.
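The following Python is an added example, not FreeIPMI's code, showing what "MD5 hashed" means for IPMI 1.5: the password is never transmitted, but it keys a digest over the whole message, and the message itself goes on the wire unchanged. The request bytes, session ID, sequence number and password are constructed for illustration (the password is the User1 value from the example configuration above); the AuthCode layout follows the IPMI v1.5 specification.

```python
import hashlib
import hmac
import struct


def ipmi_checksum(data: bytes) -> int:
    """IPMI two's-complement checksum: covered bytes plus checksum sum to 0 mod 256."""
    return (-sum(data)) & 0xFF


def build_ipmi_request(netfn: int, cmd: int, data: bytes = b"", rq_seq: int = 1) -> bytes:
    """Body of an IPMI-over-LAN request: rsAddr, netFn/rsLUN, cksum1,
    rqAddr, rqSeq/rqLUN, cmd, data, cksum2. 0x20 is the BMC slave address,
    0x81 the remote console software ID."""
    head = bytes([0x20, (netfn << 2) & 0xFF])
    tail = bytes([0x81, (rq_seq << 2) & 0xFF, cmd]) + data
    return head + bytes([ipmi_checksum(head)]) + tail + bytes([ipmi_checksum(tail)])


def pad_password(password: bytes) -> bytes:
    """IPMI 1.5 keys are a fixed 16-byte field; shorter passwords are zero-padded,
    so trailing NUL bytes in a password are indistinguishable from none."""
    if len(password) > 16:
        raise ValueError("IPMI 1.5 passwords are at most 16 bytes")
    return password.ljust(16, b"\x00")


def md5_authcode(password: bytes, session_id: int, session_seq: int, msg_data: bytes) -> bytes:
    """AuthCode for Authentication Type MD5 (IPMI v1.5 spec, section 22.17.1):
    MD5(password || session_id || msg_data || session_seq || password).
    session_id and session_seq are the 4-byte little-endian session header fields.
    msg_data is hashed but transmitted unchanged: nothing here encrypts it."""
    key = pad_password(password)
    h = hashlib.md5()
    h.update(key)
    h.update(struct.pack("<I", session_id))
    h.update(msg_data)
    h.update(struct.pack("<I", session_seq))
    h.update(key)
    return h.digest()


def authcode_valid(password: bytes, session_id: int, session_seq: int,
                   msg_data: bytes, authcode: bytes) -> bool:
    """What the receiving side does: recompute and compare in constant time."""
    expected = md5_authcode(password, session_id, session_seq, msg_data)
    return hmac.compare_digest(expected, authcode)


# Constructed sample: a Get Chassis Status request (NetFn Chassis = 0x00, cmd 0x01)
# inside a session with an arbitrary session ID and sequence number.
GET_CHASSIS_STATUS = build_ipmi_request(netfn=0x00, cmd=0x01)
SESSION_ID, SESSION_SEQ = 0x1A2B3C4D, 7
PASSWORD = b"mypassword"   # User1 password from the example configuration

if __name__ == "__main__":
    code = md5_authcode(PASSWORD, SESSION_ID, SESSION_SEQ, GET_CHASSIS_STATUS)
    print("message on the wire :", GET_CHASSIS_STATUS.hex())   # readable by any capture
    print("MD5 AuthCode        :", code.hex())
    print("right password ok   :", authcode_valid(PASSWORD, SESSION_ID, SESSION_SEQ, GET_CHASSIS_STATUS, code))
    print("wrong password ok   :", authcode_valid(b"guess", SESSION_ID, SESSION_SEQ, GET_CHASSIS_STATUS, code))
```

Because the only secret in the digest is the 16-byte password, the AuthCode binds a message to the session but hides nothing; that is why the text above prefers the IPMI 2.0 cipher suites, which add keyed integrity and payload encryption.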
Section Lan_Conf_Security_Keys
This section supports configuration of the IPMI 2.0 (including Serial-over-LAN)
K_g key. If your machine does not support IPMI 2.0, this field will not be
configurable.
The key is used for two-key authentication in IPMI 2.0: when K_g is set, a
client must know both the user password and K_g to establish a session, because
K_g is mixed into the session key derivation. In most tools, when
doing IPMI 2.0, the K_g can be optionally specified. It is not required for
IPMI 2.0 operation. Since a single K_g is shared by every user of the BMC, it
supplements, rather than replaces, per-user passwords.
In the above example, we have elected to leave this field blank so the K_g key
is not used.
Section Lan_Conf_Misc
This section lists miscellaneous IPMI over LAN configuration options. These are
optional IPMI configuration options that are not implemented on all BMCs.
Normally, a client cannot resolve the ethernet MAC address without the remote
operating system running. However, IPMI over LAN would not work when a machine
is powered off or if the IP address used by the operating system for that
network interface differs from the BMC IP Address. One way to work around this
is through gratuitous ARPs. Gratuitous ARPs are ARP packets generated by the
BMC and sent out to advertise the BMC's IP and MAC address. Other machines on
the network can store this information in their local ARP cache for later
IP/hostname resolution. This would allow IPMI over LAN to work when the remote
machine is powered off. The
Enable_Gratuitous_Arps option allows you to
enable or disable this feature. The
Gratuitous_Arp_Interval option
allows you to configure the frequency at which gratuitous ARPs are sent onto
the network.
Instead of gratuitous ARPs some BMCs are able to respond to ARP requests, even
when powered off. If offered, this feature can be enabled through the
Enable_Arp_Response option.
Generally speaking, turning on gratuitous ARPs is acceptable. However, it will
increase traffic on your network. If you are using IPMI on a large cluster,
the gratuitous ARPs may easily flood your network. They should be tuned to
occur less frequently or disabled. If disabled, the remote machine's MAC
address should be permanently stored in the local ARP cache through
arp(8).
See
bmc-watchdog(8) for a method which allows gratuitous ARPs to be
disabled when the operating system is running, but enabled when the system is
down.
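As an added example, not part of FreeIPMI or of this manpage's original text, the following Python builds the kind of gratuitous ARP frame a BMC emits when Enable_Gratuitous_Arps is Yes, recognises such announcements in captured Ethernet frames (useful for spotting BMCs advertising themselves on a network where they should not be), and estimates the traffic a cluster of BMCs generates at a given Gratuitous_Arp_Interval. The BMC MAC and IP are taken from the example configuration above; the frames are constructed, not captured.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def build_arp(sender_mac: str, sender_ip: str, target_ip: str, oper: int = ARP_REQUEST,
              target_mac: bytes = ZERO_MAC, dst_mac: bytes = BROADCAST) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (42 bytes)."""
    eth = struct.pack("!6s6sH", dst_mac, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ip_bytes(sender_ip), target_mac, ip_bytes(target_ip))
    return eth + arp


def build_gratuitous_arp(mac: str, ip: str, oper: int = ARP_REPLY) -> bytes:
    """The announcement a BMC sends: sender and target IP are both its own address,
    broadcast to the segment. RFC 5227 calls the request form an ARP Announcement;
    the target MAC is zero for a request and broadcast for a reply."""
    tha = ZERO_MAC if oper == ARP_REQUEST else BROADCAST
    return build_arp(mac, ip, ip, oper, target_mac=tha)


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def is_gratuitous(arp) -> bool:
    """A request or reply whose sender and target IP match is an announcement, not a lookup."""
    return arp is not None and arp["oper"] in (ARP_REQUEST, ARP_REPLY) and arp["spa"] == arp["tpa"]


def bmc_announcements(frames, bmc_macs):
    """(mac, ip) pairs for gratuitous ARPs sent by known BMC MACs (e.g. Lan_Conf Mac_Address)."""
    known = {m.lower() for m in bmc_macs}
    found = []
    for frame in frames:
        arp = parse_arp(frame)
        if is_gratuitous(arp) and arp["sha"] in known:
            found.append((arp["sha"], arp["spa"]))
    return found


def gratuitous_arp_rate(bmc_count: int, interval_units: int) -> float:
    """Packets per second on the segment; Gratuitous_Arp_Interval is in 500 ms units."""
    if interval_units <= 0:
        raise ValueError("Gratuitous_Arp_Interval must be positive")
    return bmc_count / (interval_units * 0.5)


if __name__ == "__main__":
    # Constructed frames: one announcement from the example BMC, one ordinary who-has lookup.
    frames = [build_gratuitous_arp("00:0E:0E:FF:AA:12", "192.168.1.100"),
              build_arp("00:0E:0E:FF:AA:12", "192.168.1.100", "192.168.1.1")]
    print("BMC announcements:", bmc_announcements(frames, ["00:0E:0E:FF:AA:12"]))
    print("1000 BMCs at interval 4 ->", gratuitous_arp_rate(1000, 4), "ARPs/s")
```

Feeding parse_arp real frames from a capture file only needs the 42-byte Ethernet/ARP payload of each packet; the classification itself does not depend on the capture tool.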
Section Rmcpplus_Conf_Privilege
This section supports configuration of the IPMI 2.0 (including Serial-over-LAN)
cipher suite IDs. If your machine does not support IPMI 2.0, the fields will
not be configurable.
Each cipher suite ID describes a combination of an authentication algorithm,
integrity algorithm, and confidentiality (encryption) algorithm for IPMI 2.0.
The authentication algorithm is used for user authentication with the BMC
during session setup. The integrity algorithm is used to generate a keyed
authentication code on each IPMI packet so that tampering can be detected. The
confidentiality algorithm is used for encrypting the packet payload. The
configuration in this section sets, for each cipher suite ID, the maximum
privilege level a username can authenticate with, or marks the suite
"Unused" to disable it.
The following table shows the cipher suite ID to algorithms mapping:

ID  Authentication  Integrity      Confidentiality
 0  None            None           None
 1  HMAC-SHA1       None           None
 2  HMAC-SHA1       HMAC-SHA1-96   None
 3  HMAC-SHA1       HMAC-SHA1-96   AES-CBC-128
 4  HMAC-SHA1       HMAC-SHA1-96   xRC4-128
 5  HMAC-SHA1       HMAC-SHA1-96   xRC4-40
 6  HMAC-MD5        None           None
 7  HMAC-MD5        HMAC-MD5-128   None
 8  HMAC-MD5        HMAC-MD5-128   AES-CBC-128
 9  HMAC-MD5        HMAC-MD5-128   xRC4-128
10  HMAC-MD5        HMAC-MD5-128   xRC4-40
11  HMAC-MD5        MD5-128        None
12  HMAC-MD5        MD5-128        AES-CBC-128
13  HMAC-MD5        MD5-128        xRC4-128
14  HMAC-MD5        MD5-128        xRC4-40
Generally speaking, HMAC-SHA1 based algorithms are stronger than HMAC-MD5, which
are better than MD5-128 algorithms. AES-CBC-128 confidentiality algorithms are
stronger than xRC4-128 algorithms, which are better than xRC4-40 algorithms.
Cipher suite ID 3 is therefore typically considered the most secure of those
listed. Some users may wish to set cipher suite ID 3 to a privilege level and
disable all remaining cipher suite IDs. Cipher suite ID 0 provides no
authentication, integrity or confidentiality at all and should be left
"Unused" on any BMC reachable over the network.
The above example configuration has decided to allow any user with
"Administrator" privileges to use any cipher suite
which provides an authentication, integrity, and confidentiality algorithm.
Typically, the maximum privilege level configured to a username should be set
for at least one cipher suite ID. Typically, this is the
"Administrator" privilege.
A number of cipher suite IDs are optionally implemented, so the cipher
suite IDs available on your system may vary.
Section SOL_Conf
This section is for setting up Serial-Over-LAN (SOL) and will only be available
for configuration on machines that support it. SOL can be enabled with the
Enable_SOL field. The minimum privilege level required for connecting
with SOL is specified by
SOL_Privilege_Level. This should be set to the
maximum privilege level configured to a username that has SOL enabled.
Typically, this is the "Administrator" privilege. Authentication and
encryption of the SOL payload can be forced or not using the fields
Force_SOL_Payload_Authentication and
Force_SOL_Payload_Encryption respectively. It is recommended that these
be set on; otherwise console traffic, including anything typed at a login
prompt, may cross the network unauthenticated or in the clear. Forced
authentication and/or encryption support depends on
the cipher suite IDs supported.
The
Character_Accumulate_Interval,
Character_Send_Threshold,
SOL_Retry_Count and
SOL_Retry_Interval options are used to set
SOL character output speeds.
Character_Accumulate_Interval determines
how often serial data should be regularly sent and
Character_Send_Threshold indicates the character count that, if passed,
will force serial data to be sent.
SOL_Retry_Count indicates how many
times packets must be retransmitted if acknowledgements are not received.
SOL_Retry_Interval indicates the timeout interval. Generally, the
manufacturer recommended numbers will be sufficient. However, you may wish to
experiment with these values for faster SOL throughput.
The
Non_Volatile_Bit_Rate and
Volatile_Bit_Rate determine the
baudrate the BMC should use. This should match the baudrate set in the BIOS
and operating system, such as
agetty(8). Generally speaking, both the
Volatile and
Non_Volatile options should be set identically.
In addition to enabling SOL in this section, individual users must also be
capable of connecting with SOL. See the section
Section User1, User2,
... above for details.
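The following Python is an added example, not FreeIPMI's code, that ties the recommendations of the User, Lan_Channel, Lan_Conf_Auth, Rmcpplus_Conf_Privilege and SOL_Conf sections together: it parses the Section/EndSection format that ipmi-config --checkout writes and reports the settings this manpage advises against. The SAMPLE text is constructed for the example (it deliberately contains several weak settings) and is not a real checkout; the severities are the example's own labels, not anything FreeIPMI emits.

```python
import re

# Constructed sample (not a real checkout): deliberately includes several weak settings.
SAMPLE = """\
Section User1
## Username NULL
Password mypassword
Enable_User Yes
Lan_Enable_Ipmi_Msgs Yes
Lan_Privilege_Limit Administrator
EndSection
Section User2
Username user2
Password
Enable_User No
EndSection
Section Lan_Channel
Volatile_Enable_User_Level_Auth Yes
Volatile_Enable_Per_Message_Auth No
EndSection
Section Lan_Conf_Auth
User_Enable_Auth_Type_None No
User_Enable_Auth_Type_Straight_Password Yes
Admin_Enable_Auth_Type_Md5 Yes
EndSection
Section Lan_Conf_Security_Keys
K_G
EndSection
Section Rmcpplus_Conf_Privilege
Maximum_Privilege_Cipher_Suite_Id_0 Administrator
Maximum_Privilege_Cipher_Suite_Id_1 Unused
Maximum_Privilege_Cipher_Suite_Id_3 Administrator
EndSection
Section SOL_Conf
Enable_SOL Yes
Force_SOL_Payload_Authentication Yes
Force_SOL_Payload_Encryption No
EndSection
"""


def parse_config(text):
    """Parse the Section/EndSection format into {section: {key: value}}.
    Lines starting with '#' are comments; a key with no value (a blank K_G) is ''."""
    sections, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "Section" and len(parts) == 2:
            current = sections.setdefault(parts[1], {})
        elif parts[0] == "EndSection":
            current = None
        elif current is not None:
            current[parts[0]] = parts[1] if len(parts) == 2 else ""
    return sections


# From the cipher suite table above: suites with no confidentiality algorithm, and the xRC4 ones.
NO_CONFIDENTIALITY = {0, 1, 2, 6, 7, 11}
XRC4 = {4, 5, 9, 10, 13, 14}


def audit(sections):
    """Return (severity, section, message) findings for settings this manpage warns against."""
    findings = []
    for name, kv in sections.items():
        if name.startswith("User"):
            enabled = kv.get("Enable_User") == "Yes"
            null_user = name == "User1" and "Username" not in kv   # User1 is the NULL username
            if enabled and null_user and kv.get("Lan_Enable_Ipmi_Msgs") == "Yes":
                findings.append(("HIGH", name, "NULL (anonymous) user enabled for LAN with limit "
                                 + kv.get("Lan_Privilege_Limit", "?")))
            if enabled and kv.get("Password") == "":       # explicitly blank = NULL password
                findings.append(("HIGH", name, "enabled user has a NULL password"))
        elif name == "Lan_Channel":
            for key, val in kv.items():
                if val == "No" and key.endswith(("_Enable_User_Level_Auth", "_Enable_Per_Message_Auth")):
                    findings.append(("MEDIUM", name, key + " is No"))
        elif name == "Lan_Conf_Auth":
            for key, val in kv.items():
                if val == "Yes" and key.endswith(("_None", "_Straight_Password")):
                    findings.append(("HIGH", name, key + " permits unauthenticated or cleartext-password logins"))
        elif name == "Rmcpplus_Conf_Privilege":
            for key, val in kv.items():
                m = re.fullmatch(r"Maximum_Privilege_Cipher_Suite_Id_(\d+)", key)
                if not m or val == "Unused":
                    continue
                sid = int(m.group(1))
                if sid == 0:
                    findings.append(("HIGH", name, "cipher suite 0 (no authentication, integrity or confidentiality) enabled"))
                elif sid in NO_CONFIDENTIALITY:
                    findings.append(("MEDIUM", name, f"cipher suite {sid} sends IPMI payloads unencrypted"))
                elif sid in XRC4:
                    findings.append(("LOW", name, f"cipher suite {sid} uses xRC4 rather than AES-CBC-128"))
        elif name == "SOL_Conf" and kv.get("Enable_SOL") == "Yes":
            for key in ("Force_SOL_Payload_Authentication", "Force_SOL_Payload_Encryption"):
                if kv.get(key) != "Yes":
                    findings.append(("MEDIUM", name, key + " is not Yes"))
    return findings


if __name__ == "__main__":
    for severity, section, message in audit(parse_config(SAMPLE)):
        print(f"{severity:6} {section:25} {message}")
```

Run against a file produced by ipmi-config --checkout, the same parse_config/audit pair gives a quick pre-commit review of a BMC's LAN exposure; the checks only look at keys that appear in the file, so a section the BMC does not support simply produces no findings.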
REPORTING BUGS
Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
SEE ALSO
freeipmi(7),
bmc-watchdog(8),
ipmi-config(8),
agetty(8)
http://www.gnu.org/software/freeipmi/