1ipmiseld(8) ipmiseld ipmiseld(8)
2
3
4
6 ipmiseld - IPMI SEL logging daemon
7
9 ipmiseld [OPTION...]
10
12 The ipmiseld daemon polls the system event log (SEL) of specified hosts
13 and stores the logs into the local syslog. By default, the daemon can
14 also make best efforts to manage the remote SEL's buffer to ensure
15 events are never lost. Recent logging data will be cached to disk to
16 ensure that SEL events are not missed in the event the client or server
17 is rebooted.
18
19 Many of the options for this daemon are very similar to the ipmi-sel(8)
20 tool. It can be configured to log the local host, a remote host, or a
21 range of hosts to the local syslog. It can be configured via the com‐
22 mand line arguments listed below or via the
23 /etc/freeipmi//ipmiseld.conf configuration file.
24
25 Listed below are general IPMI options, tool specific options, trouble
26 shooting information, workaround information, examples, and known
27 issues. For a general introduction to FreeIPMI please see freeipmi(7).
28
30 The following options are general options for configuring IPMI communi‐
31 cation and executing general tool commands.
32
33 -D IPMIDRIVER, --driver-type=IPMIDRIVER
34 Specify the driver type to use instead of doing an auto selec‐
35 tion. The currently available outofband drivers are LAN and
36 LAN_2_0, which perform IPMI 1.5 and IPMI 2.0 respectively. The
37 currently available inband drivers are KCS, SSIF, OPENIPMI,
38 SUNBMC, and INTELDCMI.
39
40 --disable-auto-probe
41 Do not probe in-band IPMI devices for default settings.
42
43 --driver-address=DRIVER-ADDRESS
44 Specify the in-band driver address to be used instead of the
45 probed value. DRIVER-ADDRESS should be prefixed with "0x" for a
46 hex value and '0' for an octal value.
47
48 --driver-device=DEVICE
49 Specify the in-band driver device path to be used instead of the
50 probed path.
51
52 --register-spacing=REGISTER-SPACING
53 Specify the in-band driver register spacing instead of the
54 probed value. Argument is in bytes (i.e. 32bit register spacing
55 = 4)
56
57 --target-channel-number=CHANNEL-NUMBER
58 Specify the in-band driver target channel number to send IPMI
59 requests to.
60
61 --target-slave-address=SLAVE-ADDRESS
62 Specify the in-band driver target slave number to send IPMI
63 requests to.
64
65 -h IPMIHOST1,IPMIHOST2,..., --hostname=IPMIHOST1[:PORT],IPMI‐
66 HOST2[:PORT],...
67 Specify the remote host(s) to communicate with. Multiple host‐
68 names may be separated by comma or may be specified in a range
69 format; see HOSTRANGED SUPPORT below. An optional port can be
70 specified with each host, which may be useful in port forwarding
71 or similar situations.
72
73 -u USERNAME, --username=USERNAME
74 Specify the username to use when authenticating with the remote
75 host. If not specified, a null (i.e. anonymous) username is
76 assumed. The user must have atleast USER privileges in order for
77 this tool to operate fully.
78
79 -p PASSWORD, --password=PASSWORD
80 Specify the password to use when authenticationg with the remote
81 host. If not specified, a null password is assumed. Maximum
82 password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
83
84 -P, --password-prompt
85 Prompt for password to avoid possibility of listing it in
86 process lists.
87
88 -k K_G, --k-g=K_G
89 Specify the K_g BMC key to use when authenticating with the
90 remote host for IPMI 2.0. If not specified, a null key is
91 assumed. To input the key in hexadecimal form, prefix the string
92 with '0x'. E.g., the key 'abc' can be entered with the either
93 the string 'abc' or the string '0x616263'
94
95 -K, --k-g-prompt
96 Prompt for k-g to avoid possibility of listing it in process
97 lists.
98
99 --session-timeout=MILLISECONDS
100 Specify the session timeout in milliseconds. Defaults to 20000
101 milliseconds (20 seconds) if not specified.
102
103 --retransmission-timeout=MILLISECONDS
104 Specify the packet retransmission timeout in milliseconds.
105 Defaults to 1000 milliseconds (1 second) if not specified. The
106 retransmission timeout cannot be larger than the session time‐
107 out.
108
109 -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
110 Specify the IPMI 1.5 authentication type to use. The currently
111 available authentication types are NONE, STRAIGHT_PASSWORD_KEY,
112 MD2, and MD5. Defaults to MD5 if not specified.
113
114 -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
115 Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
116 identifies a set of authentication, integrity, and confidential‐
117 ity algorithms to use for IPMI 2.0 communication. The authenti‐
118 cation algorithm identifies the algorithm to use for session
119 setup, the integrity algorithm identifies the algorithm to use
120 for session packet signatures, and the confidentiality algorithm
121 identifies the algorithm to use for payload encryption. Defaults
122 to cipher suite ID 3 if not specified. The following cipher
123 suite ids are currently supported:
124
125 0 - Authentication Algorithm = None; Integrity Algorithm = None;
126 Confidentiality Algorithm = None
127
128 1 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
129 None; Confidentiality Algorithm = None
130
131 2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
132 HMAC-SHA1-96; Confidentiality Algorithm = None
133
134 3 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
135 HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
136
137 6 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
138 None; Confidentiality Algorithm = None
139
140 7 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
141 HMAC-MD5-128; Confidentiality Algorithm = None
142
143 8 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
144 HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
145
146 11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
147 MD5-128; Confidentiality Algorithm = None
148
149 12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
150 MD5-128; Confidentiality Algorithm = AES-CBC-128
151
152 15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
153 = None; Confidentiality Algorithm = None
154
155 16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
156 = HMAC_SHA256_128; Confidentiality Algorithm = None
157
158 17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
159 = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
160
161 -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
162 Specify the privilege level to be used. The currently available
163 privilege levels are USER, OPERATOR, and ADMIN. Defaults to
164 OPERATOR if not specified.
165
166 --config-file=FILE
167 Specify an alternate configuration file.
168
169 -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
170 Specify workarounds to vendor compliance issues. Multiple work‐
171 arounds can be specified separated by commas. A special command
172 line flag of "none", will indicate no workarounds (may be useful
173 for overriding configured defaults). See WORKAROUNDS below for a
174 list of available workarounds.
175
176 --debug
177 Turn on debugging.
178
179 -?, --help
180 Output a help list and exit.
181
182 --usage
183 Output a usage message and exit.
184
185 -V, --version
186 Output the program version and exit.
187
189 The following options are specific to Ipmiseld.
190
191 -v Log verbose information. This option will log additional infor‐
192 mation. Most notably it will output additional hex codes to
193 given information on ambiguous SEL entries or SEL records. For
194 example, it will output Generator ID hex codes for sensors with‐
195 out names. Additional non-critical SEL errors or issues will
196 also be logged. Somewhat common errors, such as timeouts or
197 invalid hostnames, will output with increased verbosity.
198
199 -t SENSOR-TYPE-LIST, --sensor-types=SENSOR-TYPE-LIST
200 Specify sensor types of SEL events to log. By default, all sen‐
201 sor types are logged. A special command line type of "all", will
202 indicate all types should be shown (may be useful for overriding
203 configured defaults). Multiple types can be separated by commas
204 or spaces. Users may specify sensor types by string (see
205 --list-sensor-types in ipmi-sel(8)) or by number (decimal or
206 hex).
207
208 -T SENSOR-TYPE-LIST, --exclude-sensor-types=SENSOR-TYPE-LIST
209 Specify sensor types of SEL events to not log. By default, no
210 sensor types are filtered. A special command line type of
211 "none", will indicate no types should be excluded (may be useful
212 for overriding configured defaults). Multiple types can be sepa‐
213 rated by commas or spaces. Users may specify sensor types by
214 string (see --list-sensor-types in ipmi-sel(8)) or by number
215 (decimal or hex).
216
217 --system-event-only
218 Log only system event records (i.e. don't log OEM records).
219
220 --oem-event-only
221 Log only OEM event records (i.e. don't log system event
222 records).
223
224 --event-state-config-file=FILE
225 Specify an alternate event state configuration file.
226
227 --interpret-oem-data
228 Attempt to interpret OEM data, such as event data, sensor read‐
229 ings, or general extra info, etc. If an OEM interpretation is
230 not available, the default output will be generated. Correctness
231 of OEM interpretations cannot be guaranteed due to potential
232 changes OEM vendors may make in products, firmware, etc. See OEM
233 INTERPRETATION below for confirmed supported motherboard inter‐
234 pretations.
235
236 --entity-sensor-names
237 Output sensor names prefixed with their entity id and instance
238 number when appropriate. This may be necessary on some mother‐
239 boards to help identify what sensors are referencing. For exam‐
240 ple, a motherboard may have multiple sensors named 'TEMP'. The
241 entity id and instance number may help clarify which sensor
242 refers to "Processor 1" vs. "Processor 2".
243
244 --non-abbreviated-units
245 Output non-abbreviated units (e.g. 'Amps' instead of 'A'). May
246 aid in disambiguation of units (e.g. 'C' for Celsius or
247 Coulombs).
248
249 --event-state-filter=FILTERSTRING
250 Specify event states to be filtered out and not logged. Possible
251 inputs are NOMINAL, WARNING, CRITICAL, and NA. Multiple states
252 can be listed separted by comma. The special case string of
253 "none" will indicate no event states should be excluded (may be
254 useful for overriding configured defaults).
255
256 --warning-threshold=PERCENTINT
257 Specify SEL fullness warning threshold as an integer percentage.
258 When the SEL is past this percentage full, a warning will be
259 output indicating that SEL is nearly full. Specify 0 to disable
260 warning logs. Defaults to 80.
261
262 --clear-threshold=PERCENTINT
263 Specify SEL fullness clear threshold as an integer percentage.
264 When the SEL is past this percentage full, ipmiseld will attempt
265 to clear the SEL. Specify 0 to disable clearing. When the SEL is
266 full, it will be the responsibility of the user to clear the SEL
267 manually if clearing is disabled. Defaults to 0. If specified to
268 a non-zero value, be careful that the clearing of the SEL could
269 affect other applications that monitor the SEL, such as monitor‐
270 ing applications that use ipmi-sel(8) or libipmimonitoring(3).
271
272 --system-event-format=FORMATSTRING
273 Specify the format of the log output when a SEL system event is
274 encountered. Defaults to "SEL System Event: %d, %t, %s, %I, %E"
275 if logging locally, "SEL System Event(%h): %d, %t, %s, %I, %E"
276 if logging outofband or with hostranges. See SEL LOG FORMAT
277 STRING below for formatting details.
278
279 --oem-timestamped-event-format=FORMATSTRING
280 Specify the format of the log output when a SEL OEM timestamped
281 event is encountered. Defaults to "SEL OEM Event: %d, %t, %I,
282 %o" if logging locally, "SEL OEM Event(%h): %d, %t, %I, %o" if
283 logging outofband or with hostranges.. See SEL LOG FORMAT STRING
284 below for formatting details.
285
286 --oem-non-timestamped-event-format=FORMATSTRING
287 Specify the format of the log output when a SEL OEM non-times‐
288 tamped event is encountered. Defaults to "SEL OEM Event: %I, %o"
289 if logging locally, "SEL OEM Event(%h): %I, %o" if logging out‐
290 ofband or with hostranges.. See SEL LOG FORMAT STRING below for
291 formatting details.
292
293 --poll-interval=SECONDS
294 Specify the poll interval to check the SEL for new events.
295 Defaults to 300 seconds (i.e. 5 minutes).
296
297 --log-facility=STRING
298 Specify the log facility to use. Defaults to LOG_DAEMON. Legal
299 inputs are LOG_DAEMON, LOG_USER, LOG_LOCAL0, LOG_LOCAL1,
300 LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6,
301 LOG_LOCAL7.
302
303 --log-priority=STRING
304 Specify the log priority to use. Defaults to LOG_ERR. Legal
305 inputs are LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING,
306 LOG_NOTICE, LOG_INFO, LOG_DEBUG.
307
308 --cache-directory=DIRECTORY
309 Specify an alternate cache directory location for ipmiseld to
310 use. The cache directory will be used to cache a wide variety of
311 data, including the SDR and recent logging information to ensure
312 log entries are not missed on reboots and other system failures.
313
314 --ignore-sdr
315 Ignore SDR related processing. May lead to incomplete or less
316 useful information being output, however it will allow function‐
317 ality for systems without SDRs or when the correct SDR cannot be
318 loaded.
319
320 --re-download-sdr
321 Re-download the SDR on start even if it is not out of date. This
322 may help work around systems that do not properly timestamp SDR
323 modification times.
324
325 --clear-sel
326 On startup, clear any SEL being monitored. May be useful the
327 first time running ipmiseld to avoid warning messages or SEL
328 clears until a long time in the future.
329
330 --threadpool-count=NUM
331 Specify the number of threads for parallel SEL polling. This
332 option is very similar to the --fanout option in ipmi-sel(8) but
333 the threads are created only once on initialization for faster
334 processing. Defaults to 8, however the threadpool count will
335 always be decreased if the number of nodes specified is less
336 than the number of threads.
337
338 --test-run
339 Do not daemonize, output the current SEL of configured hosts as
340 a test of current settings and configuration. SEL entries will
341 be output to stdout instead of syslog.
342
343 --foreground
344 Run daemon in the foreground. SEL entries will be output to std‐
345 out instead of syslog.
346
348 The output format of log messages can be adjusted via the --sys‐
349 tem-event-format, --oem-timestamped-event-format and --oem-non-times‐
350 tamped-event-format options. Options such as --interpret-oem-data,
351 --entity-sensor-names, and --non-abbreviated-units can further adjust
352 the output format. The following conversion directives will allow the
353 user to output specifics of each SEL event that occurs.
354
355 For System, OEM timestamped, and OEM non-timestamped events
356
357 %h - target host, useful if logging from multiple hosts
358
359 %i - record ID in decimal
360
361 %I - event state interpretation (NOMINAL, WARNING, or CRITICAL)
362
363 For System and OEM timestamped events
364
365 %t - time in format H:M:S using 24 hour clock
366
367 %d - date in format D-M-YEAR
368
369 For System events
370
371 %T - sensor type
372
373 %s - sensor name
374
375 %e - event data 1 string
376
377 %f - event data 2 string [2]
378
379 %h - event data 3 string
380
381 %c - combined event data 2 and event data 3 string
382
383 %p - event data 2 previous state string
384
385 %S - event data 2 severity string
386
387 %E - combined event data 1, 2, and 3 string
388
389 %k - event direction
390
391 For OEM timestamped events
392
393 %m - manufacturer id
394
395 For OEM timestamped and OEM non-timestamped events
396
397 %o - oem data in hex
398
399 %O - OEM supplied string describing the event (depends on manufacturer)
400
402 Multiple hosts can be input either as an explicit comma separated lists
403 of hosts or a range of hostnames in the general form: prefix[n-m,l-
404 k,...], where n < m and l < k, etc. The later form should not be con‐
405 fused with regular expression character classes (also denoted by []).
406 For example, foo[19] does not represent foo1 or foo9, but rather repre‐
407 sents a degenerate range: foo19.
408
409 This range syntax is meant only as a convenience on clusters with a
410 prefixNN naming convention and specification of ranges should not be
411 considered necessary -- the list foo1,foo9 could be specified as such,
412 or by the range foo[1,9].
413
414 Some examples of range usage follow:
415 foo[01-05] instead of foo01,foo02,foo03,foo04,foo05
416 foo[7,9-10] instead of foo7,foo9,foo10
417 foo[0-3] instead of foo0,foo1,foo2,foo3
418
419 As a reminder to the reader, some shells will interpret brackets ([ and
420 ]) for pattern matching. Depending on your shell, it may be necessary
421 to enclose ranged lists within quotes.
422
423 In-band IPMI Communication will be used when the host "localhost" is
424 specified. This allows the user to add the localhost into the hos‐
425 tranged output.
426
428 Most often, IPMI problems are due to configuration problems.
429
430 IPMI over LAN problems involve a misconfiguration of the remote
431 machine's BMC. Double check to make sure the following are configured
432 properly in the remote machine's BMC: IP address, MAC address, subnet
433 mask, username, user enablement, user privilege, password, LAN privi‐
434 lege, LAN enablement, and allowed authentication type(s). For IPMI 2.0
435 connections, double check to make sure the cipher suite privilege(s)
436 and K_g key are configured properly. The ipmi-config(8) tool can be
437 used to check and/or change these configuration settings.
438
439 Inband IPMI problems are typically caused by improperly configured
440 drivers or non-standard BMCs.
441
442 In addition to the troubleshooting tips below, please see WORKAROUNDS
443 below to also if there are any vendor specific bugs that have been dis‐
444 covered and worked around.
445
446 Listed below are many of the common issues for error messages. For
447 additional support, please e-mail the <freeipmi-users@gnu.org> mailing
448 list.
449
450 "username invalid" - The username entered (or a NULL username if none
451 was entered) is not available on the remote machine. It may also be
452 possible the remote BMC's username configuration is incorrect.
453
454 "password invalid" - The password entered (or a NULL password if none
455 was entered) is not correct. It may also be possible the password for
456 the user is not correctly configured on the remote BMC.
457
458 "password verification timeout" - Password verification has timed out.
459 A "password invalid" error (described above) or a generic "session
460 timeout" (described below) occurred. During this point in the protocol
461 it cannot be differentiated which occurred.
462
463 "k_g invalid" - The K_g key entered (or a NULL K_g key if none was
464 entered) is not correct. It may also be possible the K_g key is not
465 correctly configured on the remote BMC.
466
467 "privilege level insufficient" - An IPMI command requires a higher user
468 privilege than the one authenticated with. Please try to authenticate
469 with a higher privilege. This may require authenticating to a different
470 user which has a higher maximum privilege.
471
472 "privilege level cannot be obtained for this user" - The privilege
473 level you are attempting to authenticate with is higher than the maxi‐
474 mum allowed for this user. Please try again with a lower privilege. It
475 may also be possible the maximum privilege level allowed for a user is
476 not configured properly on the remote BMC.
477
478 "authentication type unavailable for attempted privilege level" - The
479 authentication type you wish to authenticate with is not available for
480 this privilege level. Please try again with an alternate authentication
481 type or alternate privilege level. It may also be possible the avail‐
482 able authentication types you can authenticate with are not correctly
483 configured on the remote BMC.
484
485 "cipher suite id unavailable" - The cipher suite id you wish to authen‐
486 ticate with is not available on the remote BMC. Please try again with
487 an alternate cipher suite id. It may also be possible the available
488 cipher suite ids are not correctly configured on the remote BMC.
489
490 "ipmi 2.0 unavailable" - IPMI 2.0 was not discovered on the remote
491 machine. Please try to use IPMI 1.5 instead.
492
493 "connection timeout" - Initial IPMI communication failed. A number of
494 potential errors are possible, including an invalid hostname specified,
495 an IPMI IP address cannot be resolved, IPMI is not enabled on the
496 remote server, the network connection is bad, etc. Please verify con‐
497 figuration and connectivity.
498
499 "session timeout" - The IPMI session has timed out. Please reconnect.
500 If this error occurs often, you may wish to increase the retransmission
501 timeout. Some remote BMCs are considerably slower than others.
502
503 "device not found" - The specified device could not be found. Please
504 check configuration or inputs and try again.
505
506 "driver timeout" - Communication with the driver or device has timed
507 out. Please try again.
508
509 "message timeout" - Communication with the driver or device has timed
510 out. Please try again.
511
512 "BMC busy" - The BMC is currently busy. It may be processing informa‐
513 tion or have too many simultaneous sessions to manage. Please wait and
514 try again.
515
516 "could not find inband device" - An inband device could not be found.
517 Please check configuration or specify specific device or driver on the
518 command line.
519
520 "driver timeout" - The inband driver has timed out communicating to the
521 local BMC or service processor. The BMC or service processor may be
522 busy or (worst case) possibly non-functioning.
523
524 "internal IPMI error" - An IPMI error has occurred that FreeIPMI does
525 not know how to handle. Please e-mail <freeipmi-users@gnu.org> to
526 report the issue.
527
529 Some timestamps in the SEL may report a date of 1-Jan-1970, the epoch
530 for SEL timestamps. This timestamp is not necessarily incorrect. It
531 usually indicates a hardware event that occurred before a timestamp in
532 firmware has been initialized. For example, certain hardware components
533 will have their internal clocks reset during a power cycle.
534
535 However, if the internal clock of the SEL appears to be regularly
536 incorrect, you may need to set the SEL time. This can be done using
537 bmc-device(8).
538
539 The following are common SEL related messages.
540
541 "sel config file parse error" - A parse error was found in the sel
542 event interpretation configuration file. Please see freeipmi_inter‐
543 pret_sel.conf(5).
544
546 With so many different vendors implementing their own IPMI solutions,
547 different vendors may implement their IPMI protocols incorrectly. The
548 following describes a number of workarounds currently available to han‐
549 dle discovered compliance issues. When possible, workarounds have been
550 implemented so they will be transparent to the user. However, some will
551 require the user to specify a workaround be used via the -W option.
552
553 The hardware listed below may only indicate the hardware that a problem
554 was discovered on. Newer versions of hardware may fix the problems
555 indicated below. Similar machines from vendors may or may not exhibit
556 the same problems. Different vendors may license their firmware from
557 the same IPMI firmware developer, so it may be worthwhile to try work‐
558 arounds listed below even if your motherboard is not listed.
559
560 If you believe your hardware has an additional compliance issue that
561 needs a workaround to be implemented, please contact the FreeIPMI main‐
562 tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
563
564 assumeio - This workaround flag will assume inband interfaces communi‐
565 cate with system I/O rather than being memory-mapped. This will work
566 around systems that report invalid base addresses. Those hitting this
567 issue may see "device not supported" or "could not find inband device"
568 errors. Issue observed on HP ProLiant DL145 G1.
569
570 spinpoll - This workaround flag will inform some inband drivers (most
571 notably the KCS driver) to spin while polling rather than putting the
572 process to sleep. This may significantly improve the wall clock running
573 time of tools because an operating system scheduler's granularity may
574 be much larger than the time it takes to perform a single IPMI message
575 transaction. However, by spinning, your system may be performing less
576 useful work by not contexting out the tool for a more useful task.
577
578 authcap - This workaround flag will skip early checks for username
579 capabilities, authentication capabilities, and K_g support and allow
580 IPMI authentication to succeed. It works around multiple issues in
581 which the remote system does not properly report username capabilities,
582 authentication capabilities, or K_g status. Those hitting this issue
583 may see "username invalid", "authentication type unavailable for
584 attempted privilege level", or "k_g invalid" errors. Issue observed on
585 Asus P5M2/P5MT-R/RS162-E4/RX4, Intel SR1520ML/X38ML, and Sun Fire
586 2200/4150/4450 with ELOM.
587
588 nochecksumcheck - This workaround flag will tell FreeIPMI to not check
589 the checksums returned from IPMI command responses. It works around
590 systems that return invalid checksums due to implementation errors, but
591 the packet is otherwise valid. Users are cautioned on the use of this
592 option, as it removes validation of packet integrity in a number of
593 circumstances. However, it is unlikely to be an issue in most situa‐
594 tions. Those hitting this issue may see "connection timeout", "session
595 timeout", or "password verification timeout" errors. On IPMI 1.5 con‐
596 nections, the "noauthcodecheck" workaround may also needed too. Issue
597 observed on Supermicro X9SCM-iiF, Supermicro X9DRi-F, and Supermicro
598 X9DRFR.
599
600 idzero - This workaround flag will allow empty session IDs to be
601 accepted by the client. It works around IPMI sessions that report empty
602 session IDs to the client. Those hitting this issue may see "session
603 timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
604
605 unexpectedauth - This workaround flag will allow unexpected non-null
606 authcodes to be checked as though they were expected. It works around
607 an issue when packets contain non-null authentication data when they
608 should be null due to disabled per-message authentication. Those hit‐
609 ting this issue may see "session timeout" errors. Issue observed on
610 Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
611
612 forcepermsg - This workaround flag will force per-message authentica‐
613 tion to be used no matter what is advertised by the remote system. It
614 works around an issue when per-message authentication is advertised as
615 disabled on the remote system, but it is actually required for the pro‐
616 tocol. Those hitting this issue may see "session timeout" errors.
617 Issue observed on IBM eServer 325.
618
619 endianseq - This workaround flag will flip the endian of the session
620 sequence numbers to allow the session to continue properly. It works
621 around IPMI 1.5 session sequence numbers that are the wrong endian.
622 Those hitting this issue may see "session timeout" errors. Issue
623 observed on some Sun ILOM 1.0/2.0 (depends on service processor
624 endian).
625
626 noauthcodecheck - This workaround flag will tell FreeIPMI to not check
627 the authentication codes returned from IPMI 1.5 command responses. It
628 works around systems that return invalid authentication codes due to
629 hashing or implementation errors. Users are cautioned on the use of
630 this option, as it removes an authentication check verifying the valid‐
631 ity of a packet. However, in most organizations, this is unlikely to be
632 a security issue. Those hitting this issue may see "connection time‐
633 out", "session timeout", or "password verification timeout" errors.
634 Issue observed on Xyratex FB-H8-SRAY, Intel Windmill, Quanta Winter‐
635 fell, and Wiwynn Windmill.
636
637 intel20 - This workaround flag will work around several Intel IPMI 2.0
638 authentication issues. The issues covered include padding of usernames,
639 and password truncation if the authentication algorithm is HMAC-
640 MD5-128. Those hitting this issue may see "username invalid", "password
641 invalid", or "k_g invalid" errors. Issue observed on Intel SE7520AF2
642 with Intel Server Management Module (Professional Edition).
643
644 supermicro20 - This workaround flag will work around several Supermicro
645 IPMI 2.0 authentication issues on motherboards w/ Peppercon IPMI
646 firmware. The issues covered include handling invalid length authenti‐
647 cation codes. Those hitting this issue may see "password invalid"
648 errors. Issue observed on Supermicro H8QME with SIMSO daughter card.
649 Confirmed fixed on newerver firmware.
650
651 sun20 - This workaround flag will work work around several Sun IPMI 2.0
652 authentication issues. The issues covered include invalid lengthed hash
653 keys, improperly hashed keys, and invalid cipher suite records. Those
654 hitting this issue may see "password invalid" or "bmc error" errors.
655 Issue observed on Sun Fire 4100/4200/4500 with ILOM. This workaround
656 automatically includes the "opensesspriv" workaround.
657
658 opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
659 2.0 connection protocol to workaround an invalid hashing algorithm used
660 by the remote system. The privilege level sent during the Open Session
661 stage of an IPMI 2.0 connection is used for hashing keys instead of the
662 privilege level sent during the RAKP1 connection stage. Those hitting
663 this issue may see "password invalid", "k_g invalid", or "bad rmcpplus
664 status code" errors. Issue observed on Sun Fire 4100/4200/4500 with
665 ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
666 Intel S5500WBV/Penguin Relion 700, Intel S2600JF/Appro 512X, and Quanta
667 QSSC-S4R/Appro GB812X-CN. This workaround is automatically triggered
668 with the "sun20" workaround.
669
670 integritycheckvalue - This workaround flag will work around an invalid
671 integrity check value during an IPMI 2.0 session establishment when
672 using Cipher Suite ID 0. The integrity check value should be 0 length,
673 however the remote motherboard responds with a non-empty field. Those
674 hitting this issue may see "k_g invalid" errors. Issue observed on
675 Supermicro X8DTG, Supermicro X8DTU, and Intel S5500WBV/Penguin Relion
676 700, and Intel S2600JF/Appro 512X.
677
678 assumesystemevent - This workaround option will assume invalid SEL
679 record types are system event records. Records may be formatted cor‐
680 rectly but report invalid record types. Those hitting this issue may
681 see "Unknown SEL Record Type" errors. Output may be unknown, pray for
682 the best. This option is confirmed to work around compliances issues on
683 HP DL 380 G5 motherboards.
684
685 No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
686 found to not support IPMI 1.5. Those hitting this issue may see "ipmi
687 2.0 unavailable" or "connection timeout" errors. This issue can be
688 worked around by using IPMI 2.0 instead of IPMI 1.5 by specifying
689 --driver-type=LAN_2_0. Issue observed on HP Proliant DL 145.
690
692 The following motherboards are confirmed to have atleast some support
693 by the --interpret-oem-data option. While highly probable the OEM data
694 interpretations would work across other motherboards by the same manu‐
695 facturer, there are no guarantees. Some of the motherboards below may
696 be rebranded by vendors/distributors.
697
698 Dell Poweredge 2900, Dell Poweredge 2950, Dell Poweredge R610, Dell
699 Poweredge R710, Fujitsu iRMC S1 and iRMC S2 systems, Intel S5500WB/Pen‐
700 guin Computing Relion 700, Intel S2600JF/Appro 512X, Intel S5000PAL,
701 Inventec 5441/Dell Xanadu II, Inventec 5442/Dell Xanadu III, Quanta
702 S99Q/Dell FS12-TY, Quanta QSSC-S4R/Appro GB812X-CN, Sun X4140 Supermi‐
703 cro X7DBR-3, Supermicro X7DB8, Supermicro X8DTN, Supermicro X7SBI-LN4,
704 Supermicro X8DTH, Supermicro X8DTG, Supermicro X8DTU, Supermicro
705 X8DT3-LN4F, Supermicro X8DTU-6+, Supermicro X8DTL, Supermicro X8DTL-3F,
706 Supermicro X8SIL-F, Supermicro X9SCL, Supermicro X9SCM, Supermicro
707 X8DTN+-F, Supermicro X8SIE, Supermicro X9SCA-F-O, Supermicro H8DGU-F,
708 Supermicro X9DRi-F, Supermicro X9DRI-LN4F+, Supermicro X9SPU-F-O,
709 Supermicro X9SCM-iiF, Wistron/Dell Poweredge C6220.
710
712 On older operating systems, if you input your username, password, and
713 other potentially security relevant information on the command line,
714 this information may be discovered by other users when using tools like
715 the ps(1) command or looking in the /proc file system. It is generally
716 more secure to input password information with options like the -P or
717 -K options. Configuring security relevant information in the FreeIPMI
718 configuration file would also be an appropriate way to hide this infor‐
719 mation.
720
721 In order to prevent brute force attacks, some BMCs will temporarily
722 "lock up" after a number of remote authentication errors. You may need
723 to wait awhile in order to this temporary "lock up" to pass before you
724 may authenticate again.
725
727 /etc/freeipmi//ipmiseld.conf /var/cache/ipmiseld/
728
730 Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
731
733 Copyright (C) 2012-2015 Lawrence Livermore National Security, LLC.
734
735 This program is free software; you can redistribute it and/or modify it
736 under the terms of the GNU General Public License as published by the
737 Free Software Foundation; either version 3 of the License, or (at your
738 option) any later version.
739
741 freeipmi(7), ipmi-sel(8), ipmiseld.conf(5), bmc-device(8), ipmi-con‐
742 fig(8), freeipmi_interpret_sel.conf(5)
743
744 http://www.gnu.org/software/freeipmi/
745
746
747
748ipmiseld 1.5.7 2018-04-11 ipmiseld(8)