Andrew Latham

Note to self, a full post on IPMITool would be good.

When on-boarding new hardware always configure the IPMI devices properly. You can use tools to interface with the IPMI devices and configure defaults that will add local administrator accounts. Tools like IPMITools have options to download existing settings or upload/set new settings. Tools like OpenStack [2] Ironic and various other stacks are enabling this in fantastic ways. Don't limit access to systems management devices with fear, enable access so that team members can get useful information quickly. An example of why you want to share access would be:

ipmitool -I lan -U lathama -f ipmifile -H 192.168.15.206 sensor
CPU Core1 Temp   | 76.000     | degrees C  | ok    | 0.000     | 0.000     | 0.000     | 95.000    | 98.000    | 100.000                                                                                                              
CPU Core2 Temp   | 76.000     | degrees C  | ok    | 0.000     | 0.000     | 0.000     | 95.000    | 98.000    | 100.000                                                                                                              
CPU SoC Temp     | 75.000     | degrees C  | ok    | 0.000     | 0.000     | 0.000     | 95.000    | 98.000    | 100.000                                                                                                              
System Temp      | 23.000     | degrees C  | ok    | -9.000    | -7.000    | -5.000    | 80.000    | 85.000    | 90.000                                                                                                               
Peripheral Temp  | 24.000     | degrees C  | ok    | -9.000    | -7.000    | -5.000    | 80.000    | 85.000    | 90.000                                                                                                               
FAN 1            | 1600.000   | RPM        | ok    | 400.000   | 576.000   | 784.000   | 33856.000 | 34225.000 | 34596.000                                                                                                            
FAN 2            | na         |            | na    | na        | na        | na        | na        | na        | na                                                                                                                   
FAN 3            | na         |            | na    | na        | na        | na        | na        | na        | na                                                                                                                   
Vcore            | 0.992      | Volts      | ok    | 0.776     | 0.800     | 0.824     | 1.352     | 1.376     | 1.400                                                                                                                
VDIMM            | 1.568      | Volts      | ok    | 1.288     | 1.312     | 1.336     | 1.656     | 1.680     | 1.704                                                                                                                
+5 V             | 5.024      | Volts      | ok    | 4.416     | 4.448     | 4.480     | 5.536     | 5.568     | 5.600                                                                                                                
+5VSB            | 4.992      | Volts      | ok    | 4.416     | 4.448     | 4.480     | 5.536     | 5.568     | 5.600     
+12 V            | 12.296     | Volts      | ok    | 10.600    | 10.653    | 10.706    | 13.250    | 13.303    | 13.356    
+3.3 V           | 3.288      | Volts      | ok    | 2.880     | 2.904     | 2.928     | 3.648     | 3.672     | 3.696     
+3.3VSB          | 3.264      | Volts      | ok    | 2.880     | 2.904     | 2.928     | 3.648     | 3.672     | 3.696     
VBAT             | 0.624      | Volts      | nr    | 2.880     | 2.904     | 2.928     | 3.648     | 3.672     | 3.696     
+1.05 V          | 1.072      | Volts      | ok    | 0.808     | 0.816     | 0.824     | 1.264     | 1.288     | 1.312     
Chassis Intru    | 0x0        | discrete   | 0x0000| na        | na        | na        | na        | na        | na        
PS Status        | 0x1        | discrete   | 0x0100| na        | na        | na        | na        | na        | na   

or

# ipmitool -I lan -U lathama -f ipmifile -H 192.168.15.206 sdr
CPU Core1 Temp   | 76 degrees C      | ok
CPU Core2 Temp   | 76 degrees C      | ok
CPU SoC Temp     | 74 degrees C      | ok
System Temp      | 22 degrees C      | ok
Peripheral Temp  | 24 degrees C      | ok
FAN 1            | 1600 RPM          | ok
FAN 2            | no reading        | ns
FAN 3            | no reading        | ns
Vcore            | 0.99 Volts        | ok
VDIMM            | 1.57 Volts        | ok
+5 V             | 5.02 Volts        | ok
+5VSB            | 4.99 Volts        | ok
+12 V            | 12.30 Volts       | ok
+3.3 V           | 3.29 Volts        | ok
+3.3VSB          | 3.26 Volts        | ok
VBAT             | 0.62 Volts        | nr
+1.05 V          | 1.07 Volts        | ok
Chassis Intru    | 0x00              | ok
PS Status        | 0x01              | ok

In this case I have a Supermicro system where I have an account configured for my normal username and I have rights to administer the device. After the users are added then the default username can have the password changed to a more secure default or removed. On-boarding is an ordered process and software is here to help us do these ordered processes over and over again.

If you are interested in the details you can read the specs on new IPMI devices at Intel [3] for example. Section 22.30 will show you how the system deals with passwords for example.

ipmitool -I lan -U ADMIN -H host-ipmi.domain.net user set name 3 operations
ipmitool -I lan -U ADMIN -H host-ipmi.domain.net channel setaccess 1 3 link=on ipmi=on privilege=4

Older IPMI only handle 16 char passwords

ipmitool -I lan -U ADMIN -H host-ipmi.domain.net user set password 3 16 abcdefghijklmnop

New 2.0 IPMI handles 20 char passwords

ipmitool -I lan -U ADMIN -H host-ipmi.domain.net user set password 3 20 abcdefghijklmnopqrst

Lastly Enable

ipmitool -I lan -U ADMIN -H host-ipmi.domain.net user enable 3

Complete example with output

# ipmitool -I lan -U lathama -f ipmifile -H 192.168.15.206 user set name 5 operations
# ipmitool -I lan -U lathama -f ipmifile -H 192.168.15.206 user set password 5 HardPassword
Set User Password command successful (user 5)
# ipmitool -I lan -U lathama -f ipmifile -H 192.168.15.206 channel setaccess 1 5 privilege=4 link=on ipmi=on
Set User Access (channel 1 id 5) successful.
# ipmitool -I lan -U lathama -f ipmifile -H 192.168.15.206 user test 5 16 HardPassword
Success
# ipmitool -I lan -U lathama -f ipmifile -H 192.168.15.206 user enable 5
#

Keep in mind there is a huge amount of options an all are very important. It is worth while to review the information in detail.

  1. https://sourceforge.net/projects/ipmitool/
  2. https://wiki.openstack.org/wiki/Ironic
  3. https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/ipmi-intelligent-platform-mgt-interface-spec-2nd-gen-v2-0-spec-update.pdf