bmc-config (5) - Linux Manuals
NAME
bmc-config - BMC configuration file format and details
DESCRIPTION
Before many IPMI tools can be used over a network, a machine's Baseboard Management Controller (BMC) must be configured. The configuration of a BMC can be quite daunting for those who do not know much about IPMI. This manpage hopes to provide enough information on BMC configuration so that you can configure the BMC for your system. When appropriate, typical BMC configurations will be suggested.
The following is an example BMC configuration file partially generated from the bmc-config(1) command. This example configuration should be sufficient for most users after the appropriate local IP and MAC addresses are input. Following this example, separate sections of this manpage will discuss the different sections of the BMC configuration file in more detail, with explanations of how the BMC can be configured for different environments.
Note that many options may or may not be available on your particular machine. For example, Serial-Over-Lan (SOL) is available only on IPMI 2.0 machines. Therefore, if you are looking to configure an IPMI 1.5 machine, many of the SOL or IPMI 2.0 related options will be unavailable to you. The number of configurable users may also vary for your particular machine.
The below configuration file and most of this manpage assume the user is interested in configuring a BMC for use with IPMI over LAN. Various configuration options from bmc-config(1) have been left out or skipped because they are considered unnecessary for that purpose. Future versions of this manpage will try to include more information.
The username(s) you wish to configure the BMC with are defined with
Username. The first username under Section User1 is typically
the NULL username and cannot be modified. The password for the
username can be specified with Password. It can be left empty
to define a NULL password. Each user you wish to enable must be
enabled through the Enable_User configuration option. It is
recommended that all usernames have non-NULL passwords or be disabled
for security reasons.
Under IPMI 2.0 (including Serial-over-LAN), support for longer, 20 byte
passwords was added. Password20 can be used to set these longer
passwords. Under most circumstances, though, it isn't
necessary. In the above configuration, we have chosen not to set
Password20 by leaving it commented out. If your machine does
not support IPMI 2.0, this field will not be configurable.
Lan_Enable_Ipmi_Msgs is used to enable or disable IPMI over LAN
access for the user. This should be set to "Yes" to allow
IPMI over LAN tools to work.
Lan_Privilege_Limit specifies the maximum privilege level limit
the user is allowed. Different IPMI commands have different privilege
restrictions. For example, determining the power status of a machine
only requires the "User" privilege level. However, power cycling
requires the "Operator" privilege. Typically, you will want to assign
at least one user a privilege limit of "Administrator" so that all
system functions are available to at least one user via IPMI over LAN.
Lan_Session_Limit specifies the number of simultaneous IPMI
sessions allowed for the user. Most users will wish to set this to
"0" to allow unlimited simultaneous IPMI sessions. This field is
considered optional by IPMI standards, and may result in errors when
attempting to configure it to a non-zero value. If errors do occur,
setting the value back to 0 should resolve the problem.
SOL_Payload_Access specifies if a particular user is allowed to
connect with Serial-Over-LAN (SOL). This should be set to "Yes"
to allow this username to use SOL.
The example configuration above disables "User2" but enables the
default "NULL" (i.e. anonymous) user. Many IPMI tools (both
open-source and vendor) do not allow the user to input a username and
assume the NULL username by default. If the tools you are interested
in using allow usernames to be input, then it is recommended that one
of the non-NULL usernames be enabled and the NULL username disabled
for security reasons. It is recommended that you disable the NULL
username in section User1, so that users are required to specify a
username for IPMI over LAN communication.
Some motherboards may require a Username to be configured prior
to other fields being read/written. If this is the case, those fields
will be set to <username-not-set-yet>.
The Access_Mode parameter configures the availability of IPMI
over LAN on the system. Typically this should be set to
"Always_Available" to enable IPMI over LAN.
The Privilege_Limit sets the maximum privilege any user of the
system can have when performing IPMI over LAN. This should be set to
the maximum privilege level configured to a username. Typically, this
should be set to "Administrator".
Typically User_Level_Auth and Per_Message_Auth should be
set to "Yes" for additional security. Disabling User_Level_Auth
allows "User" privileged IPMI commands to be executed without
authentication. Disabling Per_Message_Auth allows fewer
individual IPMI messages to require authentication.
It is not required to set up the BMC IP_Address to be the same
IP_Address used by your operating system for that network
interface. However, if you choose to use a different address, an
alternate ARP configuration may need to be set up.
To instead set up your BMC network information via DHCP, the field
IP_Address_Source should be configured with "Use_DHCP".
It is recommended that static IP addresses be configured for address
resolution reasons. See
Lan_Conf_Misc
below for a more detailed explanation.
The above example configuration supports MD2 and MD5
authentication for all users at the "User", "Operator", and
"Administrator" privilege levels. All authentication mechanisms have
been disabled for the "Callback" privilege level.
Generally speaking, you do not want to allow any user to authenticate
with None or Straight_Password for security reasons.
MD2 and MD5 are message-digest (hash) algorithms that offer only
minimal protection for passwords. If you have chosen to support the NULL
username (enabled User1) and NULL passwords (NULL password for User1),
you will have to enable the None authentication fields above to
allow users to connect via None.
The K_g key is used for two-key authentication in IPMI 2.0. In most
tools, when doing IPMI 2.0, the K_g can be optionally specified. It
is not required for IPMI 2.0 operation.
In the above example, we have elected to leave this field blank so the
K_g key is not used.
Normally, a client cannot resolve the ethernet MAC address without the
remote operating system running. However, IPMI over LAN would not
work when a machine is powered off or if the IP address used by the
operating system for that network interface differs from the BMC IP
Address. One way to work around this is through gratuitous ARPs.
Gratuitous ARPs are ARP packets generated by the BMC and sent out to
advertise the BMC's IP and MAC address. Other machines on the network
can store this information in their local ARP cache for later
IP/hostname resolution. This would allow IPMI over LAN to work when
the remote machine is powered off. The Enable_Gratuitous_Arps
option allows you to enable or disable this feature. The
Gratuitous_Arp_Interval option allows you to configure the
frequency at which gratuitous ARPs are sent onto the network.
Instead of gratuitous ARPs, some BMCs are able to respond to ARP
requests even when powered off. If offered, this feature can be
enabled through the Enable_Arp_Response option.
Generally speaking, turning on gratuitous ARPs is acceptable.
However, it will increase traffic on your network.
If you are using IPMI on a large cluster, the gratuitous ARPs
may easily flood your network. They should be tuned to occur less
frequently or disabled. If disabled, the remote machine's MAC address
should be permanently stored in the local ARP cache through
arp(8).
See
bmc-watchdog(8)
for a method which allows gratuitous ARPs to be disabled when the
operating system is running, but enabled when the system is down.
Each cipher suite ID describes a combination of an authentication
algorithm, integrity algorithm, and encryption algorithm for IPMI 2.0.
The authentication algorithm is used for user authentication with the
BMC. The integrity algorithm is used for generating signatures on
IPMI packets. The confidentiality algorithm is used for encrypting
data. The configuration in this section enables certain cipher suite
IDs to be enabled or disabled, and the maximum privilege level a
username can authenticate with.
The following table shows the cipher suite ID to algorithms mapping:
0 - Authentication Algorithm = None; Integrity Algorithm = None; Confidentiality Algorithm = None
1 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm = None; Confidentiality Algorithm = None
2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm = HMAC-SHA1-96; Confidentiality Algorithm = None
3 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm = HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
4 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm = HMAC-SHA1-96; Confidentiality Algorithm = xRC4-128
5 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm = HMAC-SHA1-96; Confidentiality Algorithm = xRC4-40
6 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm = None; Confidentiality Algorithm = None
7 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm = HMAC-MD5-128; Confidentiality Algorithm = None
8 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm = HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
9 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm = HMAC-MD5-128; Confidentiality Algorithm = xRC4-128
10 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm = HMAC-MD5-128; Confidentiality Algorithm = xRC4-40
11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm = MD5-128; Confidentiality Algorithm = None
12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm = MD5-128; Confidentiality Algorithm = AES-CBC-128
13 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm = MD5-128; Confidentiality Algorithm = xRC4-128
14 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm = MD5-128; Confidentiality Algorithm = xRC4-40
Generally speaking, HMAC-SHA1 based algorithms are stronger than
HMAC-MD5, which are better than MD5-128 algorithms. AES-CBC-128
confidentiality algorithms are stronger than xRC4-128 algorithms,
which are better than xRC4-40 algorithms. Cipher suite ID 3 is
therefore typically considered the most secure. Some users may wish
to set cipher suite ID 3 to a privilege level and disable all
remaining cipher suite IDs.
The above example configuration allows any user with
"Administrator" privileges to use any cipher suite that includes
an authentication, integrity, and confidentiality algorithm.
Typically, the maximum privilege level configured to a username should
be set for at least one cipher suite ID. Typically, this is the
"Administrator" privilege.
A number of cipher suite IDs are optionally implemented, so the
cipher suite IDs available on your system may vary.
This section is for setting up Serial-Over-Lan (SOL) and will only be
available for configuration on those machines. SOL can be enabled
with the Enable_SOL field. The minimum privilege level required
for connecting with SOL is specified by SOL_Privilege_Level.
This should be set to the maximum privilege level configured to a
username that has SOL enabled. Typically, this is the "Administrator"
privilege. Authentication and Encryption can be forced or not using
the fields Force_SOL_Payload_Authentication and
Force_SOL_Payload_Encryption respectively. It is recommended
that these be set on. However, forced authentication and/or
encryption support depend on the cipher suite IDs supported.
The Character_Accumulate_Interval, Character_Send_Threshold,
SOL_Retry_Count, and SOL_Retry_Interval options are used to set
SOL character output
speeds. Character_Accumulate_Interval determines how often
serial data should be regularly sent and
Character_Send_Threshold indicates the character count that if
passed, will force serial data to be sent. SOL_Retry_Count
indicates how many times packets must be retransmitted if
acknowledgements are not received. SOL_Retry_Interval indicates
the timeout interval. Generally, the manufacturer recommended numbers
will be sufficient. However, you may wish to experiment with these
values for faster SOL throughput.
The Non_Volatile_Bit_Rate and Volatile_Bit_Rate determine
the baudrate the BMC should use. This should match the baudrate set
in the BIOS and operating system, such as
agetty(8).
Generally speaking, both the Volatile and Non_Volatile
options should be set identically.
In addition to enabling SOL in this section, individual users must
also be capable of connecting with SOL. See
Section User1, User2, ...
above for details.
http://www.gnu.org/software/freeipmi/
Section User1
    Password                                 mypassword
    Enable_User                              Yes
    Lan_Enable_Ipmi_Msgs                     Yes
    Lan_Privilege_Limit                      Administrator
    SOL_Payload_Access                       Yes
EndSection
Section User2
    Username                                 user2
    Password                                 userpass
    Enable_User                              No
    Lan_Enable_Ipmi_Msgs                     No
    Lan_Privilege_Limit                      No_Access
EndSection
Section Lan_Channel
    Volatile_Access_Mode                     Always_Available
    Volatile_Enable_User_Level_Auth          Yes
    Volatile_Enable_Per_Message_Auth         Yes
    Volatile_Enable_Pef_Alerting             No
    Volatile_Channel_Privilege_Limit         Administrator
    Non_Volatile_Access_Mode                 Always_Available
    Non_Volatile_Enable_User_Level_Auth      Yes
    Non_Volatile_Enable_Per_Message_Auth     Yes
    Non_Volatile_Enable_Pef_Alerting         No
    Non_Volatile_Channel_Privilege_Limit     Administrator
EndSection
Section Lan_Conf
    Ip_Address_Source                        Static
    Ip_Address                               192.168.1.100
    Mac_Address                              00:0E:0E:FF:AA:12
    Subnet_Mask                              255.255.255.0
    Default_Gateway_Ip_Address               192.168.1.1
    Default_Gateway_Mac_Address              00:0E:0E:FF:AA:18
    Backup_Gateway_Ip_Address                192.168.1.2
    Backup_Gateway_Mac_Address               00:0E:0E:FF:AA:15
EndSection
Section Lan_Conf_Auth
    Callback_Enable_Auth_Type_None           No
    Callback_Enable_Auth_Type_Md2            No
    Callback_Enable_Auth_Type_Md5            No
    Callback_Enable_Auth_Type_Straight_Password No
    Callback_Enable_Auth_Type_Oem_Proprietary No
    User_Enable_Auth_Type_None               No
    User_Enable_Auth_Type_Md2                Yes
    User_Enable_Auth_Type_Md5                Yes
    User_Enable_Auth_Type_Straight_Password  No
    User_Enable_Auth_Type_Oem_Proprietary    No
    Operator_Enable_Auth_Type_None           No
    Operator_Enable_Auth_Type_Md2            Yes
    Operator_Enable_Auth_Type_Md5            Yes
    Operator_Enable_Auth_Type_Straight_Password No
    Operator_Enable_Auth_Type_Oem_Proprietary No
    Admin_Enable_Auth_Type_None              No
    Admin_Enable_Auth_Type_Md2               Yes
    Admin_Enable_Auth_Type_Md5               Yes
    Admin_Enable_Auth_Type_Straight_Password No
    Admin_Enable_Auth_Type_Oem_Proprietary   No
    Oem_Enable_Auth_Type_None                No
    Oem_Enable_Auth_Type_Md2                 No
    Oem_Enable_Auth_Type_Md5                 No
    Oem_Enable_Auth_Type_Straight_Password   No
    Oem_Enable_Auth_Type_Oem_Proprietary     No
EndSection
Section Lan_Conf_Misc
    Enable_Gratuitous_Arps                   Yes
    Enable_Arp_Response                      No
    Gratuitous_Arp_Interval                  4
EndSection
Section Rmcpplus_Conf_Privilege
    Maximum_Privilege_Cipher_Suite_Id_0      Unused
    Maximum_Privilege_Cipher_Suite_Id_1      Unused
    Maximum_Privilege_Cipher_Suite_Id_2      Unused
    Maximum_Privilege_Cipher_Suite_Id_3      Administrator
    Maximum_Privilege_Cipher_Suite_Id_4      Administrator
    Maximum_Privilege_Cipher_Suite_Id_5      Administrator
    Maximum_Privilege_Cipher_Suite_Id_6      Unused
    Maximum_Privilege_Cipher_Suite_Id_7      Unused
    Maximum_Privilege_Cipher_Suite_Id_8      Administrator
    Maximum_Privilege_Cipher_Suite_Id_9      Administrator
    Maximum_Privilege_Cipher_Suite_Id_10     Administrator
    Maximum_Privilege_Cipher_Suite_Id_11     Unused
    Maximum_Privilege_Cipher_Suite_Id_12     Administrator
    Maximum_Privilege_Cipher_Suite_Id_13     Administrator
    Maximum_Privilege_Cipher_Suite_Id_14     Administrator
EndSection
Section SOL_Conf
    Enable_SOL                               Yes
    SOL_Privilege_Level                      Administrator
    Force_SOL_Payload_Authentication         Yes
    Force_SOL_Payload_Encryption             Yes
    Character_Accumulate_Interval            50
    Character_Send_Threshold                 100
    SOL_Retry_Count                          5
    SOL_Retry_Interval                       50
    Non_Volatile_Bit_Rate                    115200
    Volatile_Bit_Rate                        115200
EndSection
Section Misc
    Power_Restore_Policy                     Restore_State_Ac_Apply
EndSection
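As an added example (not FreeIPMI code), a small Python audit that parses a file in this format and flags the settings this manpage advises against: an enabled NULL username or NULL password, None or Straight_Password authentication, enabled cipher suites without a confidentiality algorithm or using xRC4, and SOL without forced authentication and encryption. It assumes the Section/EndSection framing of bmc-config files (EndSection itself is not shown on this page) and uses a constructed sample derived from the example above.

```python
import re

# From the cipher suite table above: IDs with no confidentiality algorithm, and
# IDs using the weaker xRC4 algorithms; suite 3 (AES-CBC-128) is the usual choice.
WEAK_SUITES = {**dict.fromkeys((0, 1, 2, 6, 7, 11), "no confidentiality algorithm"),
               **dict.fromkeys((4, 5, 9, 10, 13, 14), "xRC4 confidentiality")}

SAMPLE = """# constructed sample: a trimmed variant of the example configuration above
Section User1
    Password mypassword
    Enable_User Yes
EndSection
Section Lan_Conf_Auth
    User_Enable_Auth_Type_Straight_Password Yes
EndSection
Section Rmcpplus_Conf_Privilege
    Maximum_Privilege_Cipher_Suite_Id_4 Administrator
EndSection
Section SOL_Conf
    Enable_SOL Yes
    Force_SOL_Payload_Encryption No
EndSection
"""

def parse_bmc_config(text):
    """Return {section: {key: value}}; '#' comments and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1) + ["", ""]
        key, value = fields[0], fields[1].strip()
        if key == "Section":
            current = sections.setdefault(value, {})
        elif key == "EndSection":
            current = None
        elif key and current is not None:
            current[key] = value
    return sections

def audit(cfg):
    """Return the settings this manpage advises against, as readable findings."""
    out = []
    for name, sec in cfg.items():
        if name.startswith("User") and sec.get("Enable_User") == "Yes":
            if not sec.get("Username"):  # no Username line: the NULL (anonymous) user
                out.append(f"{name}: NULL username enabled")
            if not sec.get("Password"):
                out.append(f"{name}: NULL password on an enabled user")
    for key, val in cfg.get("Lan_Conf_Auth", {}).items():
        m = re.fullmatch(r"(\w+?)_Enable_Auth_Type_(None|Straight_Password)", key)
        if m and val == "Yes":
            out.append(f"Lan_Conf_Auth: {m[2]} allowed at {m[1]} level")
    for key, val in cfg.get("Rmcpplus_Conf_Privilege", {}).items():
        m = re.fullmatch(r"Maximum_Privilege_Cipher_Suite_Id_(\d+)", key)
        if m and val != "Unused" and int(m[1]) in WEAK_SUITES:
            out.append(f"Rmcpplus_Conf_Privilege: cipher suite {m[1]} enabled ({WEAK_SUITES[int(m[1])]})")
    sol = cfg.get("SOL_Conf", {})
    for key in ("Force_SOL_Payload_Authentication", "Force_SOL_Payload_Encryption"):
        if sol.get("Enable_SOL") == "Yes" and sol.get(key) != "Yes":
            out.append(f"SOL_Conf: {key} is not Yes")
    return out
```

Feed it the text of a bmc-config checkout (audit(parse_bmc_config(open(path).read()))) to review a real BMC; an empty list means none of the conditions above were found.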
Section User1, User2, ...
The User sections of the BMC configuration file are for username
configuration for IPMI over LAN communication. The number of users
available to be configured on your system will vary by manufacturer.
With the exception of the Username for User1, all sections are
identical.
Section Lan_Channel
The Lan_Channel section configures a variety of IPMI over LAN
configuration parameters. Both Volatile and Non_Volatile
configurations can be set. Volatile configurations are
immediately configured onto the BMC and will have immediate effect on
the system. Non_Volatile configurations are only available
after the next system reset. Generally, both the Volatile and
Non_Volatile should be configured identically.
Section Lan_Conf
Those familiar with setting up networks should find most of the fields
in this section self explanatory. The example BMC configuration above
illustrates the setup of a static IP address. The field
IP_Address_Source is configured with "Static". The IP address,
subnet mask, and gateway IP addresses of the machine are respectively
configured with the IP_Address, Subnet_Mask,
Default_Gateway_Ip_Address, and Backup_Gateway_Ip_Address
fields. The respective MAC addresses for the IP addresses are
configured under Mac_Address, Default_Gateway_Mac_Address,
and Backup_Gateway_Mac_Address.
Section Lan_Conf_Auth
This section determines what types of password authentication
mechanisms are allowed for users at different privilege levels under
the IPMI 1.5 protocol. The currently supported authentication methods
for IPMI 1.5 are None (no username/password required),
Straight_Password (passwords are sent in the clear), MD2
(passwords are MD2 hashed), and MD5 (passwords are MD5 hashed).
Different usernames at different privilege levels may be allowed to
authenticate differently through this configuration. For example, a
username with "User" privileges may be allowed to authenticate with a
straight password, but a username with "Administrator" privileges may
be allowed to authenticate only with MD5.
Section Lan_Conf_Security_Keys
This section supports configuration of the IPMI 2.0 (including
Serial-over-LAN) K_g key. If your machine does not support IPMI 2.0,
this field will not be configurable.
Section Lan_Conf_Misc
This section lists miscellaneous IPMI over LAN configuration options.
These are optional IPMI configuration options that are not
implemented on all BMCs.
Section Rmcpplus_Conf_Privilege
This section supports configuration of the IPMI 2.0 (including
Serial-over-LAN) cipher suite IDs. If your machine does not support
IPMI 2.0, the fields will not be configurable.
Section SOL_Conf
Section Misc
The Power_Restore_Policy determines the behavior of the machine
when AC power returns after a power loss. The behavior can be set to
always power on the machine ("On_State_AC_Apply"), power off the
machine ("Off_State_AC_Apply"), or return the power to the state that
existed before the power loss ("Restore_State_AC_Apply").
REPORTING BUGS
Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
SEE ALSO
freeipmi(7), bmc-config(8), bmc-watchdog(8), agetty(8)