1ipmiseld(8)                        ipmiseld                        ipmiseld(8)
2
3
4

NAME

6       ipmiseld - IPMI SEL logging daemon
7

SYNOPSIS

9       ipmiseld [OPTION...]
10

DESCRIPTION

12       The ipmiseld daemon polls the system event log (SEL) of specified hosts
13       and stores the logs into the local syslog. By default, the  daemon  can
14       also  make  best  efforts  to  manage the remote SEL's buffer to ensure
15       events are never lost. Recent logging data will be cached  to  disk  to
16       ensure that SEL events are not missed in the event the client or server
17       is rebooted.
18
19       Many of the options for this daemon are very similar to the ipmi-sel(8)
20       tool.  It  can be configured to log the local host, a remote host, or a
21       range of hosts to the local syslog. It can be configured via  the  com‐
22       mand     line     arguments     listed     below     or     via     the
23       /etc/freeipmi//ipmiseld.conf configuration file.
24
25       Listed below are general IPMI options, tool specific  options,  trouble
26       shooting  information,  workaround  information,  examples,  and  known
27       issues. For a general introduction to FreeIPMI please see freeipmi(7).
28

GENERAL OPTIONS

30       The following options are general options for configuring IPMI communi‐
31       cation and executing general tool commands.
32
33       -D IPMIDRIVER, --driver-type=IPMIDRIVER
34              Specify  the  driver type to use instead of doing an auto selec‐
35              tion.  The currently available outofband  drivers  are  LAN  and
36              LAN_2_0,  which  perform IPMI 1.5 and IPMI 2.0 respectively. The
37              currently available inband  drivers  are  KCS,  SSIF,  OPENIPMI,
38              SUNBMC, and INTELDCMI.
39
40       --disable-auto-probe
41              Do not probe in-band IPMI devices for default settings.
42
43       --driver-address=DRIVER-ADDRESS
44              Specify  the  in-band  driver  address to be used instead of the
45              probed value. DRIVER-ADDRESS should be prefixed with "0x" for  a
46              hex value and '0' for an octal value.
47
48       --driver-device=DEVICE
49              Specify the in-band driver device path to be used instead of the
50              probed path.
51
52       --register-spacing=REGISTER-SPACING
53              Specify the in-band  driver  register  spacing  instead  of  the
54              probed  value. Argument is in bytes (i.e. 32bit register spacing
55              = 4)
56
57       --target-channel-number=CHANNEL-NUMBER
58              Specify the in-band driver target channel number  to  send  IPMI
59              requests to.
60
61       --target-slave-address=SLAVE-ADDRESS
62              Specify  the  in-band  driver  target  slave number to send IPMI
63              requests to.
64
65       -h      IPMIHOST1,IPMIHOST2,...,      --hostname=IPMIHOST1[:PORT],IPMI‐
66       HOST2[:PORT],...
67              Specify  the  remote host(s) to communicate with. Multiple host‐
68              names may be separated by comma or may be specified in  a  range
69              format;  see  HOSTRANGED  SUPPORT below. An optional port can be
70              specified with each host, which may be useful in port forwarding
71              or similar situations.
72
73       -u USERNAME, --username=USERNAME
74              Specify  the username to use when authenticating with the remote
75              host.  If not specified, a null  (i.e.  anonymous)  username  is
76              assumed. The user must have atleast USER privileges in order for
77              this tool to operate fully.
78
79       -p PASSWORD, --password=PASSWORD
80              Specify the password to use when authenticationg with the remote
81              host.   If  not  specified,  a null password is assumed. Maximum
82              password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
83
84       -P, --password-prompt
85              Prompt for password  to  avoid  possibility  of  listing  it  in
86              process lists.
87
88       -k K_G, --k-g=K_G
89              Specify  the  K_g  BMC  key  to use when authenticating with the
90              remote host for IPMI 2.0.  If  not  specified,  a  null  key  is
91              assumed. To input the key in hexadecimal form, prefix the string
92              with '0x'. E.g., the key 'abc' can be entered  with  the  either
93              the string 'abc' or the string '0x616263'
94
95       -K, --k-g-prompt
96              Prompt  for  k-g  to  avoid possibility of listing it in process
97              lists.
98
99       --session-timeout=MILLISECONDS
100              Specify the session timeout in milliseconds. Defaults  to  20000
101              milliseconds (20 seconds) if not specified.
102
103       --retransmission-timeout=MILLISECONDS
104              Specify  the  packet  retransmission  timeout  in  milliseconds.
105              Defaults to 1000 milliseconds (1 second) if not  specified.  The
106              retransmission  timeout  cannot be larger than the session time‐
107              out.
108
109       -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
110              Specify the IPMI 1.5 authentication type to use.  The  currently
111              available  authentication types are NONE, STRAIGHT_PASSWORD_KEY,
112              MD2, and MD5. Defaults to MD5 if not specified.
113
114       -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
115              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
116              identifies a set of authentication, integrity, and confidential‐
117              ity algorithms to use for IPMI 2.0 communication. The  authenti‐
118              cation  algorithm  identifies  the  algorithm to use for session
119              setup, the integrity algorithm identifies the algorithm  to  use
120              for session packet signatures, and the confidentiality algorithm
121              identifies the algorithm to use for payload encryption. Defaults
122              to  cipher  suite  ID  3  if not specified. The following cipher
123              suite ids are currently supported:
124
125              0 - Authentication Algorithm = None; Integrity Algorithm = None;
126              Confidentiality Algorithm = None
127
128              1  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
129              None; Confidentiality Algorithm = None
130
131              2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
132              HMAC-SHA1-96; Confidentiality Algorithm = None
133
134              3  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
135              HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
136
137              6 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
138              None; Confidentiality Algorithm = None
139
140              7  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
141              HMAC-MD5-128; Confidentiality Algorithm = None
142
143              8 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
144              HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
145
146              11  - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
147              MD5-128; Confidentiality Algorithm = None
148
149              12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm  =
150              MD5-128; Confidentiality Algorithm = AES-CBC-128
151
152              15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
153              = None; Confidentiality Algorithm = None
154
155              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
156              = HMAC_SHA256_128; Confidentiality Algorithm = None
157
158              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
159              = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
160
161       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
162              Specify the privilege level to be used. The currently  available
163              privilege  levels  are  USER,  OPERATOR,  and ADMIN. Defaults to
164              OPERATOR if not specified.
165
166       --config-file=FILE
167              Specify an alternate configuration file.
168
169       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
170              Specify workarounds to vendor compliance issues. Multiple  work‐
171              arounds  can be specified separated by commas. A special command
172              line flag of "none", will indicate no workarounds (may be useful
173              for overriding configured defaults). See WORKAROUNDS below for a
174              list of available workarounds.
175
176       --debug
177              Turn on debugging.
178
179       -?, --help
180              Output a help list and exit.
181
182       --usage
183              Output a usage message and exit.
184
185       -V, --version
186              Output the program version and exit.
187

IPMISELD OPTIONS

189       The following options are specific to Ipmiseld.
190
191       -v     Log verbose information. This option will log additional  infor‐
192              mation.   Most  notably  it  will output additional hex codes to
193              given information on ambiguous SEL entries or SEL  records.  For
194              example, it will output Generator ID hex codes for sensors with‐
195              out names. Additional non-critical SEL  errors  or  issues  will
196              also  be  logged.  Somewhat  common  errors, such as timeouts or
197              invalid hostnames, will output with increased verbosity.
198
199       -t SENSOR-TYPE-LIST, --sensor-types=SENSOR-TYPE-LIST
200              Specify sensor types of SEL events to log. By default, all  sen‐
201              sor types are logged. A special command line type of "all", will
202              indicate all types should be shown (may be useful for overriding
203              configured  defaults). Multiple types can be separated by commas
204              or spaces.  Users  may  specify  sensor  types  by  string  (see
205              --list-sensor-types  in  ipmi-sel(8))  or  by number (decimal or
206              hex).
207
208       -T SENSOR-TYPE-LIST, --exclude-sensor-types=SENSOR-TYPE-LIST
209              Specify sensor types of SEL events to not log.  By  default,  no
210              sensor  types  are  filtered.  A  special  command  line type of
211              "none", will indicate no types should be excluded (may be useful
212              for overriding configured defaults). Multiple types can be sepa‐
213              rated by commas or spaces. Users may  specify  sensor  types  by
214              string  (see  --list-sensor-types  in  ipmi-sel(8)) or by number
215              (decimal or hex).
216
217       --system-event-only
218              Log only system event records (i.e. don't log OEM records).
219
220       --oem-event-only
221              Log  only  OEM  event  records  (i.e.  don't  log  system  event
222              records).
223
224       --event-state-config-file=FILE
225              Specify an alternate event state configuration file.
226
227       --interpret-oem-data
228              Attempt  to interpret OEM data, such as event data, sensor read‐
229              ings, or general extra info, etc. If an  OEM  interpretation  is
230              not available, the default output will be generated. Correctness
231              of OEM interpretations cannot be  guaranteed  due  to  potential
232              changes OEM vendors may make in products, firmware, etc. See OEM
233              INTERPRETATION below for confirmed supported motherboard  inter‐
234              pretations.
235
236       --entity-sensor-names
237              Output  sensor  names prefixed with their entity id and instance
238              number when appropriate. This may be necessary on  some  mother‐
239              boards  to help identify what sensors are referencing. For exam‐
240              ple, a motherboard may have multiple sensors named  'TEMP'.  The
241              entity  id  and  instance  number  may help clarify which sensor
242              refers to "Processor 1" vs. "Processor 2".
243
244       --non-abbreviated-units
245              Output non-abbreviated units (e.g. 'Amps' instead of  'A').  May
246              aid  in  disambiguation  of  units  (e.g.  'C'  for  Celsius  or
247              Coulombs).
248
249       --event-state-filter=FILTERSTRING
250              Specify event states to be filtered out and not logged. Possible
251              inputs  are  NOMINAL, WARNING, CRITICAL, and NA. Multiple states
252              can be listed separted by comma.  The  special  case  string  of
253              "none"  will indicate no event states should be excluded (may be
254              useful for overriding configured defaults).
255
256       --warning-threshold=PERCENTINT
257              Specify SEL fullness warning threshold as an integer percentage.
258              When  the  SEL  is  past this percentage full, a warning will be
259              output indicating that SEL is nearly full. Specify 0 to  disable
260              warning logs. Defaults to 80.
261
262       --clear-threshold=PERCENTINT
263              Specify  SEL  fullness clear threshold as an integer percentage.
264              When the SEL is past this percentage full, ipmiseld will attempt
265              to clear the SEL. Specify 0 to disable clearing. When the SEL is
266              full, it will be the responsibility of the user to clear the SEL
267              manually if clearing is disabled. Defaults to 0. If specified to
268              a non-zero value, be careful that the clearing of the SEL  could
269              affect other applications that monitor the SEL, such as monitor‐
270              ing applications that use ipmi-sel(8) or libipmimonitoring(3).
271
272       --system-event-format=FORMATSTRING
273              Specify the format of the log output when a SEL system event  is
274              encountered.  Defaults to "SEL System Event: %d, %t, %s, %I, %E"
275              if logging locally, "SEL System Event(%h): %d, %t, %s,  %I,  %E"
276              if  logging  outofband  or  with  hostranges. See SEL LOG FORMAT
277              STRING below for formatting details.
278
279       --oem-timestamped-event-format=FORMATSTRING
280              Specify the format of the log output when a SEL OEM  timestamped
281              event  is  encountered.  Defaults to "SEL OEM Event: %d, %t, %I,
282              %o" if logging locally, "SEL OEM Event(%h): %d, %t, %I,  %o"  if
283              logging outofband or with hostranges.. See SEL LOG FORMAT STRING
284              below for formatting details.
285
286       --oem-non-timestamped-event-format=FORMATSTRING
287              Specify the format of the log output when a SEL  OEM  non-times‐
288              tamped event is encountered. Defaults to "SEL OEM Event: %I, %o"
289              if logging locally, "SEL OEM Event(%h): %I, %o" if logging  out‐
290              ofband  or with hostranges.. See SEL LOG FORMAT STRING below for
291              formatting details.
292
293       --poll-interval=SECONDS
294              Specify the poll interval to  check  the  SEL  for  new  events.
295              Defaults to 300 seconds (i.e. 5 minutes).
296
297       --log-facility=STRING
298              Specify  the  log facility to use. Defaults to LOG_DAEMON. Legal
299              inputs  are  LOG_DAEMON,   LOG_USER,   LOG_LOCAL0,   LOG_LOCAL1,
300              LOG_LOCAL2,   LOG_LOCAL3,  LOG_LOCAL4,  LOG_LOCAL5,  LOG_LOCAL6,
301              LOG_LOCAL7.
302
303       --log-priority=STRING
304              Specify the log priority to  use.  Defaults  to  LOG_ERR.  Legal
305              inputs are LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING,
306              LOG_NOTICE, LOG_INFO, LOG_DEBUG.
307
308       --cache-directory=DIRECTORY
309              Specify an alternate cache directory location  for  ipmiseld  to
310              use. The cache directory will be used to cache a wide variety of
311              data, including the SDR and recent logging information to ensure
312              log entries are not missed on reboots and other system failures.
313
314       --ignore-sdr
315              Ignore  SDR  related  processing. May lead to incomplete or less
316              useful information being output, however it will allow function‐
317              ality for systems without SDRs or when the correct SDR cannot be
318              loaded.
319
320       --re-download-sdr
321              Re-download the SDR on start even if it is not out of date. This
322              may  help work around systems that do not properly timestamp SDR
323              modification times.
324
325       --clear-sel
326              On startup, clear any SEL being monitored.  May  be  useful  the
327              first  time  running  ipmiseld  to avoid warning messages or SEL
328              clears until a long time in the future.
329
330       --threadpool-count=NUM
331              Specify the number of threads for  parallel  SEL  polling.  This
332              option is very similar to the --fanout option in ipmi-sel(8) but
333              the threads are created only once on initialization  for  faster
334              processing.  Defaults  to  8,  however the threadpool count will
335              always be decreased if the number of  nodes  specified  is  less
336              than the number of threads.
337
338       --test-run
339              Do  not daemonize, output the current SEL of configured hosts as
340              a test of current settings and configuration. SEL  entries  will
341              be output to stdout instead of syslog.
342
343       --foreground
344              Run daemon in the foreground. SEL entries will be output to std‐
345              out instead of syslog.
346

SEL LOG FORMAT STRING

348       The output format of log  messages  can  be  adjusted  via  the  --sys‐
349       tem-event-format,  --oem-timestamped-event-format  and --oem-non-times‐
350       tamped-event-format  options.  Options  such  as  --interpret-oem-data,
351       --entity-sensor-names,  and  --non-abbreviated-units can further adjust
352       the output format. The following conversion directives will  allow  the
353       user to output specifics of each SEL event that occurs.
354
355       For System, OEM timestamped, and OEM non-timestamped events
356
357       %h - target host, useful if logging from multiple hosts
358
359       %i - record ID in decimal
360
361       %I - event state interpretation (NOMINAL, WARNING, or CRITICAL)
362
363       For System and OEM timestamped events
364
365       %t - time in format H:M:S using 24 hour clock
366
367       %d - date in format D-M-YEAR
368
369       For System events
370
371       %T - sensor type
372
373       %s - sensor name
374
375       %e - event data 1 string
376
377       %f - event data 2 string [2]
378
379       %h - event data 3 string
380
381       %c - combined event data 2 and event data 3 string
382
383       %p - event data 2 previous state string
384
385       %S - event data 2 severity string
386
387       %E - combined event data 1, 2, and 3 string
388
389       %k - event direction
390
391       For OEM timestamped events
392
393       %m - manufacturer id
394
395       For OEM timestamped and OEM non-timestamped events
396
397       %o - oem data in hex
398
399       %O - OEM supplied string describing the event (depends on manufacturer)
400

HOSTRANGED SUPPORT

402       Multiple hosts can be input either as an explicit comma separated lists
403       of hosts or a range of hostnames in  the  general  form:  prefix[n-m,l-
404       k,...],  where  n < m and l < k, etc. The later form should not be con‐
405       fused with regular expression character classes (also denoted  by  []).
406       For example, foo[19] does not represent foo1 or foo9, but rather repre‐
407       sents a degenerate range: foo19.
408
409       This range syntax is meant only as a convenience  on  clusters  with  a
410       prefixNN  naming  convention  and specification of ranges should not be
411       considered necessary -- the list foo1,foo9 could be specified as  such,
412       or by the range foo[1,9].
413
414       Some examples of range usage follow:
415           foo[01-05] instead of foo01,foo02,foo03,foo04,foo05
416           foo[7,9-10] instead of foo7,foo9,foo10
417           foo[0-3] instead of foo0,foo1,foo2,foo3
418
419       As a reminder to the reader, some shells will interpret brackets ([ and
420       ]) for pattern matching. Depending on your shell, it may  be  necessary
421       to enclose ranged lists within quotes.
422
423       In-band  IPMI  Communication  will be used when the host "localhost" is
424       specified. This allows the user to add  the  localhost  into  the  hos‐
425       tranged output.
426

GENERAL TROUBLESHOOTING

428       Most often, IPMI problems are due to configuration problems.
429
430       IPMI  over  LAN  problems  involve  a  misconfiguration  of  the remote
431       machine's BMC.  Double check to make sure the following are  configured
432       properly  in  the remote machine's BMC: IP address, MAC address, subnet
433       mask, username, user enablement, user privilege, password,  LAN  privi‐
434       lege,  LAN enablement, and allowed authentication type(s). For IPMI 2.0
435       connections, double check to make sure the  cipher  suite  privilege(s)
436       and  K_g  key  are  configured properly. The ipmi-config(8) tool can be
437       used to check and/or change these configuration settings.
438
439       Inband IPMI problems are  typically  caused  by  improperly  configured
440       drivers or non-standard BMCs.
441
442       In  addition  to the troubleshooting tips below, please see WORKAROUNDS
443       below to also if there are any vendor specific bugs that have been dis‐
444       covered and worked around.
445
446       Listed  below  are  many  of the common issues for error messages.  For
447       additional support, please e-mail the <freeipmi-users@gnu.org>  mailing
448       list.
449
450       "username  invalid"  - The username entered (or a NULL username if none
451       was entered) is not available on the remote machine.  It  may  also  be
452       possible the remote BMC's username configuration is incorrect.
453
454       "password  invalid"  - The password entered (or a NULL password if none
455       was entered) is not correct. It may also be possible the  password  for
456       the user is not correctly configured on the remote BMC.
457
458       "password  verification timeout" - Password verification has timed out.
459       A "password invalid" error (described  above)  or  a  generic  "session
460       timeout" (described below) occurred.  During this point in the protocol
461       it cannot be differentiated which occurred.
462
463       "k_g invalid" - The K_g key entered (or a NULL  K_g  key  if  none  was
464       entered)  is  not  correct.  It may also be possible the K_g key is not
465       correctly configured on the remote BMC.
466
467       "privilege level insufficient" - An IPMI command requires a higher user
468       privilege  than  the one authenticated with. Please try to authenticate
469       with a higher privilege. This may require authenticating to a different
470       user which has a higher maximum privilege.
471
472       "privilege  level  cannot  be  obtained  for this user" - The privilege
473       level you are attempting to authenticate with is higher than the  maxi‐
474       mum  allowed for this user. Please try again with a lower privilege. It
475       may also be possible the maximum privilege level allowed for a user  is
476       not configured properly on the remote BMC.
477
478       "authentication  type  unavailable for attempted privilege level" - The
479       authentication type you wish to authenticate with is not available  for
480       this privilege level. Please try again with an alternate authentication
481       type or alternate privilege level. It may also be possible  the  avail‐
482       able  authentication  types you can authenticate with are not correctly
483       configured on the remote BMC.
484
485       "cipher suite id unavailable" - The cipher suite id you wish to authen‐
486       ticate  with  is not available on the remote BMC. Please try again with
487       an alternate cipher suite id. It may also  be  possible  the  available
488       cipher suite ids are not correctly configured on the remote BMC.
489
490       "ipmi  2.0  unavailable"  -  IPMI  2.0 was not discovered on the remote
491       machine. Please try to use IPMI 1.5 instead.
492
493       "connection timeout" - Initial IPMI communication failed. A  number  of
494       potential errors are possible, including an invalid hostname specified,
495       an IPMI IP address cannot be resolved,  IPMI  is  not  enabled  on  the
496       remote  server,  the network connection is bad, etc. Please verify con‐
497       figuration and connectivity.
498
499       "session timeout" - The IPMI session has timed out.  Please  reconnect.
500       If this error occurs often, you may wish to increase the retransmission
501       timeout. Some remote BMCs are considerably slower than others.
502
503       "device not found" - The specified device could not  be  found.  Please
504       check configuration or inputs and try again.
505
506       "driver  timeout"  -  Communication with the driver or device has timed
507       out. Please try again.
508
509       "message timeout" - Communication with the driver or device  has  timed
510       out. Please try again.
511
512       "BMC  busy"  - The BMC is currently busy. It may be processing informa‐
513       tion or have too many simultaneous sessions to manage. Please wait  and
514       try again.
515
516       "could  not  find inband device" - An inband device could not be found.
517       Please check configuration or specify specific device or driver on  the
518       command line.
519
520       "driver timeout" - The inband driver has timed out communicating to the
521       local BMC or service processor. The BMC or  service  processor  may  be
522       busy or (worst case) possibly non-functioning.
523
524       "internal  IPMI  error" - An IPMI error has occurred that FreeIPMI does
525       not know how  to  handle.  Please  e-mail  <freeipmi-users@gnu.org>  to
526       report the issue.
527

IPMISELD TROUBLESHOOTING

529       Some  timestamps  in the SEL may report a date of 1-Jan-1970, the epoch
530       for SEL timestamps. This timestamp is  not  necessarily  incorrect.  It
531       usually  indicates a hardware event that occurred before a timestamp in
532       firmware has been initialized. For example, certain hardware components
533       will have their internal clocks reset during a power cycle.
534
535       However,  if  the  internal  clock  of  the SEL appears to be regularly
536       incorrect, you may need to set the SEL time. This  can  be  done  using
537       bmc-device(8).
538
539       The following are common SEL related messages.
540
541       "sel  config  file  parse  error"  - A parse error was found in the sel
542       event interpretation configuration  file.  Please  see  freeipmi_inter‐
543       pret_sel.conf(5).
544

WORKAROUNDS

546       With  so  many different vendors implementing their own IPMI solutions,
547       different vendors may implement their IPMI protocols  incorrectly.  The
548       following describes a number of workarounds currently available to han‐
549       dle discovered compliance issues. When possible, workarounds have  been
550       implemented so they will be transparent to the user. However, some will
551       require the user to specify a workaround be used via the -W option.
552
553       The hardware listed below may only indicate the hardware that a problem
554       was  discovered  on.  Newer  versions  of hardware may fix the problems
555       indicated below. Similar machines from vendors may or may  not  exhibit
556       the  same  problems.  Different vendors may license their firmware from
557       the same IPMI firmware developer, so it may be worthwhile to try  work‐
558       arounds listed below even if your motherboard is not listed.
559
560       If  you  believe  your hardware has an additional compliance issue that
561       needs a workaround to be implemented, please contact the FreeIPMI main‐
562       tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
563
564       assumeio  - This workaround flag will assume inband interfaces communi‐
565       cate with system I/O rather than being memory-mapped.  This  will  work
566       around  systems  that report invalid base addresses. Those hitting this
567       issue may see "device not supported" or "could not find inband  device"
568       errors.  Issue observed on HP ProLiant DL145 G1.
569
570       spinpoll  -  This workaround flag will inform some inband drivers (most
571       notably the KCS driver) to spin while polling rather than  putting  the
572       process to sleep. This may significantly improve the wall clock running
573       time of tools because an operating system scheduler's  granularity  may
574       be  much larger than the time it takes to perform a single IPMI message
575       transaction. However, by spinning, your system may be  performing  less
576       useful work by not contexting out the tool for a more useful task.
577
578       authcap  -  This  workaround  flag  will skip early checks for username
579       capabilities, authentication capabilities, and K_g  support  and  allow
580       IPMI  authentication  to  succeed.  It  works around multiple issues in
581       which the remote system does not properly report username capabilities,
582       authentication  capabilities,  or  K_g status. Those hitting this issue
583       may  see  "username  invalid",  "authentication  type  unavailable  for
584       attempted privilege level", or "k_g invalid" errors.  Issue observed on
585       Asus  P5M2/P5MT-R/RS162-E4/RX4,  Intel  SR1520ML/X38ML,  and  Sun  Fire
586       2200/4150/4450 with ELOM.
587
588       nochecksumcheck  - This workaround flag will tell FreeIPMI to not check
589       the checksums returned from IPMI command  responses.  It  works  around
590       systems that return invalid checksums due to implementation errors, but
591       the packet is otherwise valid. Users are cautioned on the use  of  this
592       option,  as  it  removes  validation of packet integrity in a number of
593       circumstances. However, it is unlikely to be an issue  in  most  situa‐
594       tions.  Those hitting this issue may see "connection timeout", "session
595       timeout", or "password verification timeout" errors. On IPMI  1.5  con‐
596       nections,  the  "noauthcodecheck" workaround may also needed too. Issue
597       observed on Supermicro X9SCM-iiF, Supermicro  X9DRi-F,  and  Supermicro
598       X9DRFR.
599
600       idzero  -  This  workaround  flag  will  allow  empty session IDs to be
601       accepted by the client. It works around IPMI sessions that report empty
602       session  IDs  to  the client. Those hitting this issue may see "session
603       timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
604
605       unexpectedauth - This workaround flag will  allow  unexpected  non-null
606       authcodes  to  be checked as though they were expected. It works around
607       an issue when packets contain non-null authentication  data  when  they
608       should  be  null due to disabled per-message authentication. Those hit‐
609       ting this issue may see "session timeout"  errors.  Issue  observed  on
610       Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
611
612       forcepermsg  -  This workaround flag will force per-message authentica‐
613       tion to be used no matter what is advertised by the remote  system.  It
614       works  around an issue when per-message authentication is advertised as
615       disabled on the remote system, but it is actually required for the pro‐
616       tocol.  Those  hitting  this  issue  may  see "session timeout" errors.
617       Issue observed on IBM eServer 325.
618
619       endianseq - This workaround flag will flip the endian  of  the  session
620       sequence  numbers  to  allow the session to continue properly. It works
621       around IPMI 1.5 session sequence numbers that  are  the  wrong  endian.
622       Those  hitting  this  issue  may  see  "session  timeout" errors. Issue
623       observed on  some  Sun  ILOM  1.0/2.0  (depends  on  service  processor
624       endian).
625
626       noauthcodecheck  - This workaround flag will tell FreeIPMI to not check
627       the authentication codes returned from IPMI 1.5 command  responses.  It
628       works  around  systems  that return invalid authentication codes due to
629       hashing or implementation errors. Users are cautioned  on  the  use  of
630       this option, as it removes an authentication check verifying the valid‐
631       ity of a packet. However, in most organizations, this is unlikely to be
632       a  security  issue.  Those hitting this issue may see "connection time‐
633       out", "session timeout", or  "password  verification  timeout"  errors.
634       Issue  observed  on  Xyratex FB-H8-SRAY, Intel Windmill, Quanta Winter‐
635       fell, and Wiwynn Windmill.
636
637       intel20 - This workaround flag will work around several Intel IPMI  2.0
638       authentication issues. The issues covered include padding of usernames,
639       and password  truncation  if  the  authentication  algorithm  is  HMAC-
640       MD5-128. Those hitting this issue may see "username invalid", "password
641       invalid", or "k_g invalid" errors. Issue observed  on  Intel  SE7520AF2
642       with Intel Server Management Module (Professional Edition).
643
644       supermicro20 - This workaround flag will work around several Supermicro
645       IPMI 2.0  authentication  issues  on  motherboards  w/  Peppercon  IPMI
646       firmware.  The issues covered include handling invalid length authenti‐
647       cation codes. Those hitting  this  issue  may  see  "password  invalid"
648       errors.   Issue  observed on Supermicro H8QME with SIMSO daughter card.
649       Confirmed fixed on newerver firmware.
650
651       sun20 - This workaround flag will work work around several Sun IPMI 2.0
652       authentication issues. The issues covered include invalid lengthed hash
653       keys, improperly hashed keys, and invalid cipher suite  records.  Those
654       hitting  this  issue  may see "password invalid" or "bmc error" errors.
655       Issue observed on Sun Fire 4100/4200/4500 with ILOM.   This  workaround
656       automatically includes the "opensesspriv" workaround.
657
658       opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
659       2.0 connection protocol to workaround an invalid hashing algorithm used
660       by  the remote system. The privilege level sent during the Open Session
661       stage of an IPMI 2.0 connection is used for hashing keys instead of the
662       privilege  level  sent during the RAKP1 connection stage. Those hitting
663       this issue may see "password invalid", "k_g invalid", or "bad  rmcpplus
664       status  code"  errors.   Issue observed on Sun Fire 4100/4200/4500 with
665       ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
666       Intel S5500WBV/Penguin Relion 700, Intel S2600JF/Appro 512X, and Quanta
667       QSSC-S4R/Appro GB812X-CN. This workaround  is  automatically  triggered
668       with the "sun20" workaround.
669
670       integritycheckvalue  - This workaround flag will work around an invalid
671       integrity check value during an IPMI  2.0  session  establishment  when
672       using  Cipher Suite ID 0. The integrity check value should be 0 length,
673       however the remote motherboard responds with a non-empty  field.  Those
674       hitting  this  issue  may  see  "k_g invalid" errors. Issue observed on
675       Supermicro X8DTG, Supermicro X8DTU, and Intel  S5500WBV/Penguin  Relion
676       700, and Intel S2600JF/Appro 512X.
677
678       assumesystemevent  -  This  workaround  option  will assume invalid SEL
679       record types are system event records. Records may  be  formatted  cor‐
680       rectly  but  report  invalid record types. Those hitting this issue may
681       see "Unknown SEL Record Type" errors. Output may be unknown,  pray  for
682       the best. This option is confirmed to work around compliances issues on
683       HP DL 380 G5 motherboards.
684
685       No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
686       found  to  not support IPMI 1.5. Those hitting this issue may see "ipmi
687       2.0 unavailable" or "connection timeout"  errors.  This  issue  can  be
688       worked  around  by  using  IPMI  2.0  instead of IPMI 1.5 by specifying
689       --driver-type=LAN_2_0. Issue observed on HP Proliant DL 145.
690

OEM INTERPRETATION

692       The following motherboards are confirmed to have atleast  some  support
693       by  the --interpret-oem-data option. While highly probable the OEM data
694       interpretations would work across other motherboards by the same  manu‐
695       facturer,  there  are no guarantees. Some of the motherboards below may
696       be rebranded by vendors/distributors.
697
698       Dell Poweredge 2900, Dell Poweredge 2950,  Dell  Poweredge  R610,  Dell
699       Poweredge R710, Fujitsu iRMC S1 and iRMC S2 systems, Intel S5500WB/Pen‐
700       guin Computing Relion 700, Intel S2600JF/Appro  512X,  Intel  S5000PAL,
701       Inventec  5441/Dell  Xanadu  II,  Inventec 5442/Dell Xanadu III, Quanta
702       S99Q/Dell FS12-TY, Quanta QSSC-S4R/Appro GB812X-CN, Sun X4140  Supermi‐
703       cro  X7DBR-3, Supermicro X7DB8, Supermicro X8DTN, Supermicro X7SBI-LN4,
704       Supermicro  X8DTH,  Supermicro  X8DTG,  Supermicro  X8DTU,   Supermicro
705       X8DT3-LN4F, Supermicro X8DTU-6+, Supermicro X8DTL, Supermicro X8DTL-3F,
706       Supermicro X8SIL-F,  Supermicro  X9SCL,  Supermicro  X9SCM,  Supermicro
707       X8DTN+-F,  Supermicro  X8SIE, Supermicro X9SCA-F-O, Supermicro H8DGU-F,
708       Supermicro  X9DRi-F,  Supermicro  X9DRI-LN4F+,  Supermicro   X9SPU-F-O,
709       Supermicro X9SCM-iiF, Wistron/Dell Poweredge C6220.
710

KNOWN ISSUES

712       On  older  operating systems, if you input your username, password, and
713       other potentially security relevant information on  the  command  line,
714       this information may be discovered by other users when using tools like
715       the ps(1) command or looking in the /proc file system. It is  generally
716       more  secure  to input password information with options like the -P or
717       -K options. Configuring security relevant information in  the  FreeIPMI
718       configuration file would also be an appropriate way to hide this infor‐
719       mation.
720
721       In order to prevent brute force attacks,  some  BMCs  will  temporarily
722       "lock  up" after a number of remote authentication errors. You may need
723       to wait awhile in order to this temporary "lock up" to pass before  you
724       may authenticate again.
725

FILES

727       /etc/freeipmi//ipmiseld.conf /var/cache/ipmiseld/
728

REPORTING BUGS

730       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
731
733       Copyright (C) 2012-2015 Lawrence Livermore National Security, LLC.
734
735       This program is free software; you can redistribute it and/or modify it
736       under the terms of the GNU General Public License as published  by  the
737       Free  Software Foundation; either version 3 of the License, or (at your
738       option) any later version.
739

SEE ALSO

741       freeipmi(7), ipmi-sel(8),  ipmiseld.conf(5),  bmc-device(8),  ipmi-con‐
742       fig(8), freeipmi_interpret_sel.conf(5)
743
744       http://www.gnu.org/software/freeipmi/
745
746
747
748ipmiseld 1.5.7                    2018-04-11                       ipmiseld(8)
Impressum