Baseboard Management Controller (BMC) access

Access to management interfaces

For working on the BMCs, access to the management interfaces (e.g. IPMI) is required. Such access is restricted to a set of trusted devices. See also OTG0157291 and OTG0157614 for further information.

Getting access to the BMC

For accessing the BMC of a device one has three options:

Access through aiadm.cern.ch

Administrators may use aiadm machines as a trusted proxy. To give your browser access you may:

  1. Set up a SOCKS proxy using an ssh client:
    ssh -D 8090 <username>@aiadm.cern.ch
    
  2. Configure your web browser to use it by specifying 127.0.0.1 as the SOCKS host and 8090 as the port in its network connection settings.

Access through cerntshomeless

Follow the steps at KB0006557 to set up terminal server access, but specify cernts-homeless instead of cernts. Note that, in the future, you may instead use the cerntsmgmt cluster. Then access the BMC interfaces through this cluster as usual.

Have your device added to the set of trusted endpoints

  1. Open a SNOW ticket with the 3rd line Network Service to obtain a fixed IP (Wi-Fi, wired, or both). For Wi-Fi, indicate the "CERN" or "CERN-Campus" SSID. If the latter, note that you will need to ask for a change again later.

  2. Add that device to the corresponding LANDB set (e.g. IT FA MGMT ACCESS, IT DB MANAGEMENT) or contact Stefan to have it added to the IT CC MGMT BYPASS LIST.

Working with the BMC

With OpenStack Ironic, the access model to the underlying hardware changes from the way it works currently when managing physical machines. With Ironic, Foreman is not aware of BMC credentials of the machine as Foreman itself does not distinguish if the node created with ai-bs is a physical or a virtual one.

In most cases when you have a proper image prepared and uploaded, you shouldn't need to access the BMC console as it is up to the Bare Metal Service to perform the whole installation process.

Nonetheless, if you still need to access the BMC console of a Physical Instance provisioned with OpenStack, you can get the BMC credentials via the OpenStack API, with the following command:

$ openstack console url show $YOUR_INSTANCE_NAME -f json

This will show you the URL that will allow you to access the remote console, as well as the BMC credentials for the console login. It also outputs pre-formatted commands as shown below for convenience:

{
  "url": {
    "url": "https://cd6428773-490-1-ipmi.cern.ch",
    "username": "uuuuu",
    "password": "ppppp",
    "ipmitool_chassis_power_status": "ipmitool -I lanplus -U uuuuu -P ppppp -H cd6428773-490-1-ipmi.cern.ch chassis power status",
    "ipmitool_mc_reset_cold": "ipmitool -I lanplus -U uuuuu -P ppppp -H cd6428773-490-1-ipmi.cern.ch mc reset cold"
  },
  "type": "novnc"
}

This could be simplified to:

$ openstack console url show $YOUR_INSTANCE_NAME -f json | jq .url.ipmitool_mc_reset_cold | tr -d '"'
ipmitool -I lanplus -U uuuuu -P ppppp -H cd6428773-490-1-ipmi.cern.ch mc reset cold

More recent nodes do not rely on IPMI as the protocol to communicate with the BMCs anymore, but have moved to its designated successor called Redfish. The output of the above command changes for these nodes:

{
  "url": {
    "url": "https://dl7872442-253825-3-ipmi.cern.ch",
    "username": "uuuuu",
    "password": "ppppp",
    "system_id": "/redfish/v1/Systems/253825-3",
    "power_status": "rf_power_reset.py --user uuuuu --password ppppp --rhost https://dl7872442-253825-3-ipmi.cern.ch --info",
    "get_sel": "rf_logs.py --details --user uuuuu --password ppppp --rhost https://dl7872442-253825-3-ipmi.cern.ch",
    "power_reset": "rf_power_reset.py --user uuuuu --password ppppp --rhost https://dl7872442-253825-3-ipmi.cern.ch --type"
  },
  "type": "novnc"
}

The URL, username and password still allow you to access the console of the node, just as before. The commands to interact with a Redfish endpoint, however, change and require the installation of the Redfish Tacklebox:

$ pip3 install redfish_utilities

Please refrain from executing IPMI power operations (power on, off, etc.) that bypass OpenStack. OpenStack nova will try to enforce the power state it has in its database, sometimes resulting in unexpected behaviour (e.g. if a node is powered off and it gets powered on via IPMI or by physically pressing the button, OpenStack nova will force the node back down).

In case you need to power on/off the physical node, just use the openstack server start and openstack server stop commands.
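
The pre-formatted commands above carry the BMC password in the `-P` argument, where it ends up in shell history and the process list. The following added example (not part of the original documentation) parses both console record shapes shown above, builds an ipmitool call that uses ipmitool's `-E` option to read the password from the `IPMI_PASSWORD` environment variable, and refuses power-changing subcommands in line with the note above. The function names `parse_console`, `ipmitool_call` and `redacted` are hypothetical, and the sample records are constructed from the placeholder values on this page.

```python
import json
import os
from urllib.parse import urlparse

# Constructed samples in the two shapes shown above (placeholder credentials).
IPMI_SAMPLE = """{"url": {"url": "https://cd6428773-490-1-ipmi.cern.ch",
  "username": "uuuuu", "password": "ppppp"}, "type": "novnc"}"""
REDFISH_SAMPLE = """{"url": {"url": "https://dl7872442-253825-3-ipmi.cern.ch",
  "username": "uuuuu", "password": "ppppp",
  "system_id": "/redfish/v1/Systems/253825-3"}, "type": "novnc"}"""


def parse_console(raw):
    """Extract BMC host, credentials and protocol from the console JSON."""
    info = json.loads(raw)["url"]
    host = urlparse(info.get("url", "")).hostname
    if not (host and info.get("username") and info.get("password")):
        raise ValueError("console record lacks BMC host or credentials")
    # Redfish-managed nodes carry a system_id; IPMI-managed ones do not.
    protocol = "redfish" if "system_id" in info else "ipmi"
    return {"protocol": protocol, "host": host, "username": info["username"],
            "password": info["password"], "system_id": info.get("system_id")}


def ipmitool_call(bmc, *subcommand):
    """Return (argv, env) for ipmitool with the password kept out of argv."""
    if bmc["protocol"] != "ipmi":
        raise ValueError("node is managed through Redfish, not IPMI")
    # Power changes must go through `openstack server start/stop`.
    if "power" in subcommand and subcommand[-1] != "status":
        raise ValueError("power operations must go through OpenStack")
    # -E makes ipmitool read the password from IPMI_PASSWORD instead of -P.
    argv = ["ipmitool", "-I", "lanplus", "-U", bmc["username"], "-E",
            "-H", bmc["host"], *subcommand]
    return argv, dict(os.environ, IPMI_PASSWORD=bmc["password"])


def redacted(bmc):
    """Copy of the record that is safe to print or log."""
    return {**bmc, "password": "***"}


if __name__ == "__main__":
    bmc = parse_console(IPMI_SAMPLE)
    argv, env = ipmitool_call(bmc, "chassis", "power", "status")
    print(redacted(bmc))
    print(" ".join(argv))
    # To execute: subprocess.run(argv, env=env, check=True)
```

In practice, feed `parse_console` the output of `openstack console url show $YOUR_INSTANCE_NAME -f json` and pass the returned `argv` and `env` to `subprocess.run`.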