1ipmiseld(8)                        ipmiseld                        ipmiseld(8)
2
3
4

NAME

6       ipmiseld - IPMI SEL logging daemon
7

SYNOPSIS

9       ipmiseld [OPTION...]
10

DESCRIPTION

12       The ipmiseld daemon polls the system event log (SEL) of specified hosts
13       and stores the logs into the local syslog. By default, the  daemon  can
14       also  make  best  efforts  to  manage the remote SEL's buffer to ensure
15       events are never lost. Recent logging data will be cached  to  disk  to
16       ensure that SEL events are not missed in the event the client or server
17       is rebooted.
18
19       Many of the options for this daemon are very similar to the ipmi-sel(8)
20       tool.  It  can be configured to log the local host, a remote host, or a
21       range of hosts to the local syslog. It can be configured via  the  com‐
22       mand     line     arguments     listed     below     or     via     the
23       /etc/freeipmi//ipmiseld.conf configuration file.
24
25       Listed below are general IPMI options, tool specific  options,  trouble
26       shooting  information,  workaround  information,  examples,  and  known
27       issues. For a general introduction to FreeIPMI please see freeipmi(7).
28

GENERAL OPTIONS

30       The following options are general options for configuring IPMI communi‐
31       cation and executing general tool commands.
32
33       -D IPMIDRIVER, --driver-type=IPMIDRIVER
34              Specify  the  driver type to use instead of doing an auto selec‐
35              tion.  The currently available outofband  drivers  are  LAN  and
36              LAN_2_0,  which  perform IPMI 1.5 and IPMI 2.0 respectively. The
37              currently available inband  drivers  are  KCS,  SSIF,  OPENIPMI,
38              SUNBMC, and INTELDCMI.
39
40       --disable-auto-probe
41              Do not probe in-band IPMI devices for default settings.
42
43       --driver-address=DRIVER-ADDRESS
44              Specify  the  in-band  driver  address to be used instead of the
45              probed value. DRIVER-ADDRESS should be prefixed with "0x" for  a
46              hex value and '0' for an octal value.
47
48       --driver-device=DEVICE
49              Specify the in-band driver device path to be used instead of the
50              probed path.
51
52       --register-spacing=REGISTER-SPACING
53              Specify the in-band  driver  register  spacing  instead  of  the
54              probed  value. Argument is in bytes (i.e. 32bit register spacing
55              = 4)
56
57       --target-channel-number=CHANNEL-NUMBER
58              Specify the in-band driver target channel number  to  send  IPMI
59              requests to.
60
61       --target-slave-address=SLAVE-ADDRESS
62              Specify  the  in-band  driver  target  slave number to send IPMI
63              requests to.
64
65       -h      IPMIHOST1,IPMIHOST2,...,      --hostname=IPMIHOST1[:PORT],IPMI‐
66       HOST2[:PORT],...
67              Specify  the  remote host(s) to communicate with. Multiple host‐
68              names may be separated by comma or may be specified in  a  range
69              format;  see  HOSTRANGED  SUPPORT below. An optional port can be
70              specified with each host, which may be useful in port forwarding
71              or  similar situations.  If specifying an IPv6 address and port,
72              use the format [ADDRESS]:PORT.
73
74       -u USERNAME, --username=USERNAME
75              Specify the username to use when authenticating with the  remote
76              host.   If  not  specified,  a null (i.e. anonymous) username is
77              assumed. The user must have atleast USER privileges in order for
78              this tool to operate fully.
79
80       -p PASSWORD, --password=PASSWORD
81              Specify the password to use when authenticationg with the remote
82              host.  If not specified, a null  password  is  assumed.  Maximum
83              password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
84
85       -P, --password-prompt
86              Prompt  for  password  to  avoid  possibility  of  listing it in
87              process lists.
88
89       -k K_G, --k-g=K_G
90              Specify the K_g BMC key to  use  when  authenticating  with  the
91              remote  host  for  IPMI  2.0.  If  not  specified, a null key is
92              assumed. To input the key in hexadecimal form, prefix the string
93              with  '0x'.  E.g.,  the key 'abc' can be entered with the either
94              the string 'abc' or the string '0x616263'
95
96       -K, --k-g-prompt
97              Prompt for k-g to avoid possibility of  listing  it  in  process
98              lists.
99
100       --session-timeout=MILLISECONDS
101              Specify  the  session timeout in milliseconds. Defaults to 20000
102              milliseconds (20 seconds) if not specified.
103
104       --retransmission-timeout=MILLISECONDS
105              Specify  the  packet  retransmission  timeout  in  milliseconds.
106              Defaults  to  1000 milliseconds (1 second) if not specified. The
107              retransmission timeout cannot be larger than the  session  time‐
108              out.
109
110       -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
111              Specify  the  IPMI 1.5 authentication type to use. The currently
112              available authentication types are NONE,  STRAIGHT_PASSWORD_KEY,
113              MD2, and MD5. Defaults to MD5 if not specified.
114
115       -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
116              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
117              identifies a set of authentication, integrity, and confidential‐
118              ity  algorithms to use for IPMI 2.0 communication. The authenti‐
119              cation algorithm identifies the algorithm  to  use  for  session
120              setup,  the  integrity algorithm identifies the algorithm to use
121              for session packet signatures, and the confidentiality algorithm
122              identifies the algorithm to use for payload encryption. Defaults
123              to cipher suite ID 3 if  not  specified.  The  following  cipher
124              suite ids are currently supported:
125
126              0 - Authentication Algorithm = None; Integrity Algorithm = None;
127              Confidentiality Algorithm = None
128
129              1 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
130              None; Confidentiality Algorithm = None
131
132              2  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
133              HMAC-SHA1-96; Confidentiality Algorithm = None
134
135              3 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
136              HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
137
138              6  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
139              None; Confidentiality Algorithm = None
140
141              7 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
142              HMAC-MD5-128; Confidentiality Algorithm = None
143
144              8  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
145              HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
146
147              11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm  =
148              MD5-128; Confidentiality Algorithm = None
149
150              12  - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
151              MD5-128; Confidentiality Algorithm = AES-CBC-128
152
153              15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
154              = None; Confidentiality Algorithm = None
155
156              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
157              = HMAC_SHA256_128; Confidentiality Algorithm = None
158
159              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
160              = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
161
162       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
163              Specify  the privilege level to be used. The currently available
164              privilege levels are USER,  OPERATOR,  and  ADMIN.  Defaults  to
165              OPERATOR if not specified.
166
167       --config-file=FILE
168              Specify an alternate configuration file.
169
170       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
171              Specify  workarounds to vendor compliance issues. Multiple work‐
172              arounds can be specified separated by commas. A special  command
173              line flag of "none", will indicate no workarounds (may be useful
174              for overriding configured defaults). See WORKAROUNDS below for a
175              list of available workarounds.
176
177       --debug
178              Turn on debugging.
179
180       -?, --help
181              Output a help list and exit.
182
183       --usage
184              Output a usage message and exit.
185
186       -V, --version
187              Output the program version and exit.
188

IPMISELD OPTIONS

190       The following options are specific to ipmiseld.
191
192       -v     Log  verbose information. This option will log additional infor‐
193              mation.  Most notably it will output  additional  hex  codes  to
194              given  information  on ambiguous SEL entries or SEL records. For
195              example, it will output Generator ID hex codes for sensors with‐
196              out  names.  Additional  non-critical  SEL errors or issues will
197              also be logged. Somewhat common  errors,  such  as  timeouts  or
198              invalid hostnames, will output with increased verbosity.
199
200       -t SENSOR-TYPE-LIST, --sensor-types=SENSOR-TYPE-LIST
201              Specify  sensor types of SEL events to log. By default, all sen‐
202              sor types are logged. A special command line type of "all", will
203              indicate all types should be shown (may be useful for overriding
204              configured defaults). Multiple types can be separated by  commas
205              or  spaces.   Users  may  specify  sensor  types  by string (see
206              --list-sensor-types in ipmi-sel(8)) or  by  number  (decimal  or
207              hex).
208
209       -T SENSOR-TYPE-LIST, --exclude-sensor-types=SENSOR-TYPE-LIST
210              Specify  sensor  types  of SEL events to not log. By default, no
211              sensor types are  filtered.  A  special  command  line  type  of
212              "none", will indicate no types should be excluded (may be useful
213              for overriding configured defaults). Multiple types can be sepa‐
214              rated  by  commas  or  spaces. Users may specify sensor types by
215              string (see --list-sensor-types in  ipmi-sel(8))  or  by  number
216              (decimal or hex).
217
218       --system-event-only
219              Log only system event records (i.e. don't log OEM records).
220
221       --oem-event-only
222              Log  only  OEM  event  records  (i.e.  don't  log  system  event
223              records).
224
225       --event-state-config-file=FILE
226              Specify an alternate event state configuration file.
227
228       --interpret-oem-data
229              Attempt to interpret OEM data, such as event data, sensor  read‐
230              ings,  or  general  extra info, etc. If an OEM interpretation is
231              not available, the default output will be generated. Correctness
232              of  OEM  interpretations  cannot  be guaranteed due to potential
233              changes OEM vendors may make in products, firmware, etc. See OEM
234              INTERPRETATION  below for confirmed supported motherboard inter‐
235              pretations.
236
237       --entity-sensor-names
238              Output sensor names prefixed with their entity id  and  instance
239              number  when  appropriate. This may be necessary on some mother‐
240              boards to help identify what sensors are referencing. For  exam‐
241              ple,  a  motherboard may have multiple sensors named 'TEMP'. The
242              entity id and instance number  may  help  clarify  which  sensor
243              refers to "Processor 1" vs. "Processor 2".
244
245       --non-abbreviated-units
246              Output  non-abbreviated  units (e.g. 'Amps' instead of 'A'). May
247              aid  in  disambiguation  of  units  (e.g.  'C'  for  Celsius  or
248              Coulombs).
249
250       --event-state-filter=FILTERSTRING
251              Specify event states to be filtered out and not logged. Possible
252              inputs are NOMINAL, WARNING, CRITICAL, and NA.  Multiple  states
253              can  be  listed  separted  by  comma. The special case string of
254              "none" will indicate no event states should be excluded (may  be
255              useful for overriding configured defaults).
256
257       --warning-threshold=PERCENTINT
258              Specify SEL fullness warning threshold as an integer percentage.
259              When the SEL is past this percentage full,  a  warning  will  be
260              output  indicating that SEL is nearly full. Specify 0 to disable
261              warning logs. Defaults to 80.
262
263       --clear-threshold=PERCENTINT
264              Specify SEL fullness clear threshold as an  integer  percentage.
265              When the SEL is past this percentage full, ipmiseld will attempt
266              to clear the SEL. Specify 0 to disable clearing. When the SEL is
267              full, it will be the responsibility of the user to clear the SEL
268              manually if clearing is disabled. Defaults to 0. If specified to
269              a  non-zero value, be careful that the clearing of the SEL could
270              affect other applications that monitor the SEL, such as monitor‐
271              ing applications that use ipmi-sel(8) or libipmimonitoring(3).
272
273       --system-event-format=FORMATSTRING
274              Specify  the format of the log output when a SEL system event is
275              encountered. Defaults to "SEL System Event: %d, %t, %s, %I,  %E"
276              if  logging  locally, "SEL System Event(%h): %d, %t, %s, %I, %E"
277              if logging outofband or with  hostranges.  See  SEL  LOG  FORMAT
278              STRING below for formatting details.
279
280       --oem-timestamped-event-format=FORMATSTRING
281              Specify  the format of the log output when a SEL OEM timestamped
282              event is encountered. Defaults to "SEL OEM Event:  %d,  %t,  %I,
283              %o"  if  logging locally, "SEL OEM Event(%h): %d, %t, %I, %o" if
284              logging outofband or with hostranges.. See SEL LOG FORMAT STRING
285              below for formatting details.
286
287       --oem-non-timestamped-event-format=FORMATSTRING
288              Specify  the  format of the log output when a SEL OEM non-times‐
289              tamped event is encountered. Defaults to "SEL OEM Event: %I, %o"
290              if  logging locally, "SEL OEM Event(%h): %I, %o" if logging out‐
291              ofband or with hostranges.. See SEL LOG FORMAT STRING below  for
292              formatting details.
293
294       --poll-interval=SECONDS
295              Specify  the  poll  interval  to  check  the SEL for new events.
296              Defaults to 300 seconds (i.e. 5 minutes).
297
298       --log-facility=STRING
299              Specify the log facility to use. Defaults to  LOG_DAEMON.  Legal
300              inputs   are   LOG_DAEMON,   LOG_USER,  LOG_LOCAL0,  LOG_LOCAL1,
301              LOG_LOCAL2,  LOG_LOCAL3,  LOG_LOCAL4,  LOG_LOCAL5,   LOG_LOCAL6,
302              LOG_LOCAL7.
303
304       --log-priority=STRING
305              Specify  the  log  priority  to  use. Defaults to LOG_ERR. Legal
306              inputs are LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING,
307              LOG_NOTICE, LOG_INFO, LOG_DEBUG.
308
309       --cache-directory=DIRECTORY
310              Specify  an  alternate  cache directory location for ipmiseld to
311              use. The cache directory will be used to cache a wide variety of
312              data, including the SDR and recent logging information to ensure
313              log entries are not missed on reboots and other system failures.
314
315       --ignore-sdr
316              Ignore SDR related processing. May lead to  incomplete  or  less
317              useful information being output, however it will allow function‐
318              ality for systems without SDRs or when the correct SDR cannot be
319              loaded.
320
321       --re-download-sdr
322              Re-download the SDR on start even if it is not out of date. This
323              may help work around systems that do not properly timestamp  SDR
324              modification times.
325
326       --clear-sel
327              On  startup,  clear  any  SEL being monitored. May be useful the
328              first time running ipmiseld to avoid  warning  messages  or  SEL
329              clears until a long time in the future.
330
331       --threadpool-count=NUM
332              Specify  the  number  of  threads for parallel SEL polling. This
333              option is very similar to the --fanout option in ipmi-sel(8) but
334              the  threads  are created only once on initialization for faster
335              processing. Defaults to 8, however  the  threadpool  count  will
336              always  be  decreased  if  the number of nodes specified is less
337              than the number of threads.
338
339       --test-run
340              Do not daemonize, output the current SEL of configured hosts  as
341              a  test  of current settings and configuration. SEL entries will
342              be output to stdout instead of syslog.
343
344       --foreground
345              Run daemon in the foreground. SEL entries will be output to std‐
346              out instead of syslog.
347

SEL LOG FORMAT STRING

349       The  output  format  of  log  messages  can  be adjusted via the --sys‐
350       tem-event-format, --oem-timestamped-event-format  and  --oem-non-times‐
351       tamped-event-format  options.  Options  such  as  --interpret-oem-data,
352       --entity-sensor-names, and --non-abbreviated-units can  further  adjust
353       the  output  format. The following conversion directives will allow the
354       user to output specifics of each SEL event that occurs.
355
356       For System, OEM timestamped, and OEM non-timestamped events
357
358       %h - target host, useful if logging from multiple hosts
359
360       %i - record ID in decimal
361
362       %I - event state interpretation (NOMINAL, WARNING, or CRITICAL)
363
364       For System and OEM timestamped events
365
366       %t - time in format H:M:S using 24 hour clock
367
368       %d - date in format D-M-YEAR
369
370       For System events
371
372       %T - sensor type
373
374       %s - sensor name
375
376       %e - event data 1 string
377
378       %f - event data 2 string [2]
379
380       %h - event data 3 string
381
382       %c - combined event data 2 and event data 3 string
383
384       %p - event data 2 previous state string
385
386       %S - event data 2 severity string
387
388       %E - combined event data 1, 2, and 3 string
389
390       %k - event direction
391
392       For OEM timestamped events
393
394       %m - manufacturer id
395
396       For OEM timestamped and OEM non-timestamped events
397
398       %o - oem data in hex
399
400       %O - OEM supplied string describing the event (depends on manufacturer)
401

HOSTRANGED SUPPORT

403       Multiple hosts can be input either as an explicit comma separated lists
404       of  hosts  or  a  range of hostnames in the general form: prefix[n-m,l-
405       k,...], where n < m and l < k, etc. The later form should not  be  con‐
406       fused  with  regular expression character classes (also denoted by []).
407       For example, foo[19] does not represent foo1 or foo9, but rather repre‐
408       sents a degenerate range: foo19.
409
410       This  range  syntax  is  meant only as a convenience on clusters with a
411       prefixNN naming convention and specification of ranges  should  not  be
412       considered  necessary -- the list foo1,foo9 could be specified as such,
413       or by the range foo[1,9].
414
415       Some examples of range usage follow:
416           foo[01-05] instead of foo01,foo02,foo03,foo04,foo05
417           foo[7,9-10] instead of foo7,foo9,foo10
418           foo[0-3] instead of foo0,foo1,foo2,foo3
419
420       As a reminder to the reader, some shells will interpret brackets ([ and
421       ])  for  pattern matching. Depending on your shell, it may be necessary
422       to enclose ranged lists within quotes.
423
424       In-band IPMI Communication will be used when the  host  "localhost"  is
425       specified.  This  allows  the  user  to add the localhost into the hos‐
426       tranged output.
427

GENERAL TROUBLESHOOTING

429       Most often, IPMI problems are due to configuration problems.
430
431       IPMI over  LAN  problems  involve  a  misconfiguration  of  the  remote
432       machine's  BMC.  Double check to make sure the following are configured
433       properly in the remote machine's BMC: IP address, MAC  address,  subnet
434       mask,  username,  user enablement, user privilege, password, LAN privi‐
435       lege, LAN enablement, and allowed authentication type(s). For IPMI  2.0
436       connections,  double  check  to make sure the cipher suite privilege(s)
437       and K_g key are configured properly. The  ipmi-config(8)  tool  can  be
438       used to check and/or change these configuration settings.
439
440       Inband  IPMI  problems  are  typically  caused by improperly configured
441       drivers or non-standard BMCs.
442
443       In addition to the troubleshooting tips below, please  see  WORKAROUNDS
444       below to also if there are any vendor specific bugs that have been dis‐
445       covered and worked around.
446
447       Listed below are many of the common issues  for  error  messages.   For
448       additional  support, please e-mail the <freeipmi-users@gnu.org> mailing
449       list.
450
451       "username invalid" - The username entered (or a NULL username  if  none
452       was  entered)  is  not  available on the remote machine. It may also be
453       possible the remote BMC's username configuration is incorrect.
454
455       "password invalid" - The password entered (or a NULL password  if  none
456       was  entered)  is not correct. It may also be possible the password for
457       the user is not correctly configured on the remote BMC.
458
459       "password verification timeout" - Password verification has timed  out.
460       A  "password  invalid"  error  (described  above) or a generic "session
461       timeout" (described below) occurred.  During this point in the protocol
462       it cannot be differentiated which occurred.
463
464       "k_g  invalid"  -  The  K_g  key entered (or a NULL K_g key if none was
465       entered) is not correct. It may also be possible the  K_g  key  is  not
466       correctly configured on the remote BMC.
467
468       "privilege level insufficient" - An IPMI command requires a higher user
469       privilege than the one authenticated with. Please try  to  authenticate
470       with a higher privilege. This may require authenticating to a different
471       user which has a higher maximum privilege.
472
473       "privilege level cannot be obtained for  this  user"  -  The  privilege
474       level  you are attempting to authenticate with is higher than the maxi‐
475       mum allowed for this user. Please try again with a lower privilege.  It
476       may  also be possible the maximum privilege level allowed for a user is
477       not configured properly on the remote BMC.
478
479       "authentication type unavailable for attempted privilege level"  -  The
480       authentication  type you wish to authenticate with is not available for
481       this privilege level. Please try again with an alternate authentication
482       type  or  alternate privilege level. It may also be possible the avail‐
483       able authentication types you can authenticate with are  not  correctly
484       configured on the remote BMC.
485
486       "cipher suite id unavailable" - The cipher suite id you wish to authen‐
487       ticate with is not available on the remote BMC. Please try  again  with
488       an  alternate  cipher  suite  id. It may also be possible the available
489       cipher suite ids are not correctly configured on the remote BMC.
490
491       "ipmi 2.0 unavailable" - IPMI 2.0 was  not  discovered  on  the  remote
492       machine. Please try to use IPMI 1.5 instead.
493
494       "connection  timeout"  - Initial IPMI communication failed. A number of
495       potential errors are possible, including an invalid hostname specified,
496       an  IPMI  IP  address  cannot  be  resolved, IPMI is not enabled on the
497       remote server, the network connection is bad, etc. Please  verify  con‐
498       figuration and connectivity.
499
500       "session  timeout"  - The IPMI session has timed out. Please reconnect.
501       If this error occurs often, you may wish to increase the retransmission
502       timeout. Some remote BMCs are considerably slower than others.
503
504       "device  not  found"  - The specified device could not be found. Please
505       check configuration or inputs and try again.
506
507       "driver timeout" - Communication with the driver or  device  has  timed
508       out. Please try again.
509
510       "message  timeout"  - Communication with the driver or device has timed
511       out. Please try again.
512
513       "BMC busy" - The BMC is currently busy. It may be  processing  informa‐
514       tion  or have too many simultaneous sessions to manage. Please wait and
515       try again.
516
517       "could not find inband device" - An inband device could not  be  found.
518       Please  check configuration or specify specific device or driver on the
519       command line.
520
521       "driver timeout" - The inband driver has timed out communicating to the
522       local  BMC  or  service  processor. The BMC or service processor may be
523       busy or (worst case) possibly non-functioning.
524
525       "internal IPMI error" - An IPMI error has occurred that  FreeIPMI  does
526       not  know  how  to  handle.  Please  e-mail <freeipmi-users@gnu.org> to
527       report the issue.
528

IPMISELD TROUBLESHOOTING

530       Some timestamps in the SEL may report a date of 1-Jan-1970,  the  epoch
531       for  SEL  timestamps.  This  timestamp is not necessarily incorrect. It
532       usually indicates a hardware event that occurred before a timestamp  in
533       firmware has been initialized. For example, certain hardware components
534       will have their internal clocks reset during a power cycle.
535
536       However, if the internal clock of  the  SEL  appears  to  be  regularly
537       incorrect,  you  may  need  to set the SEL time. This can be done using
538       bmc-device(8).
539
540       The following are common SEL related messages.
541
542       "sel config file parse error" - A parse error  was  found  in  the  sel
543       event  interpretation  configuration  file.  Please see freeipmi_inter‐
544       pret_sel.conf(5).
545

WORKAROUNDS

547       With so many different vendors implementing their own  IPMI  solutions,
548       different  vendors  may implement their IPMI protocols incorrectly. The
549       following describes a number of workarounds currently available to han‐
550       dle  discovered compliance issues. When possible, workarounds have been
551       implemented so they will be transparent to the user. However, some will
552       require the user to specify a workaround be used via the -W option.
553
554       The hardware listed below may only indicate the hardware that a problem
555       was discovered on. Newer versions of  hardware  may  fix  the  problems
556       indicated  below.  Similar machines from vendors may or may not exhibit
557       the same problems. Different vendors may license  their  firmware  from
558       the  same IPMI firmware developer, so it may be worthwhile to try work‐
559       arounds listed below even if your motherboard is not listed.
560
561       If you believe your hardware has an additional  compliance  issue  that
562       needs a workaround to be implemented, please contact the FreeIPMI main‐
563       tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
564
565       assumeio - This workaround flag will assume inband interfaces  communi‐
566       cate  with  system  I/O rather than being memory-mapped. This will work
567       around systems that report invalid base addresses. Those  hitting  this
568       issue  may see "device not supported" or "could not find inband device"
569       errors.  Issue observed on HP ProLiant DL145 G1.
570
571       spinpoll - This workaround flag will inform some inband  drivers  (most
572       notably  the  KCS driver) to spin while polling rather than putting the
573       process to sleep. This may significantly improve the wall clock running
574       time  of  tools because an operating system scheduler's granularity may
575       be much larger than the time it takes to perform a single IPMI  message
576       transaction.  However,  by spinning, your system may be performing less
577       useful work by not contexting out the tool for a more useful task.
578
579       authcap - This workaround flag will  skip  early  checks  for  username
580       capabilities,  authentication  capabilities,  and K_g support and allow
581       IPMI authentication to succeed. It  works  around  multiple  issues  in
582       which the remote system does not properly report username capabilities,
583       authentication capabilities, or K_g status. Those  hitting  this  issue
584       may  see  "username  invalid",  "authentication  type  unavailable  for
585       attempted privilege level", or "k_g invalid" errors.  Issue observed on
586       Asus  P5M2/P5MT-R/RS162-E4/RX4,  Intel  SR1520ML/X38ML,  and  Sun  Fire
587       2200/4150/4450 with ELOM.
588
589       nochecksumcheck - This workaround flag will tell FreeIPMI to not  check
590       the  checksums  returned  from  IPMI command responses. It works around
591       systems that return invalid checksums due to implementation errors, but
592       the  packet  is otherwise valid. Users are cautioned on the use of this
593       option, as it removes validation of packet integrity  in  a  number  of
594       circumstances.  However,  it  is unlikely to be an issue in most situa‐
595       tions. Those hitting this issue may see "connection timeout",  "session
596       timeout",  or  "password verification timeout" errors. On IPMI 1.5 con‐
597       nections, the "noauthcodecheck" workaround may also needed  too.  Issue
598       observed  on  Supermicro  X9SCM-iiF, Supermicro X9DRi-F, and Supermicro
599       X9DRFR.
600
601       idzero - This workaround flag  will  allow  empty  session  IDs  to  be
602       accepted by the client. It works around IPMI sessions that report empty
603       session IDs to the client. Those hitting this issue  may  see  "session
604       timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
605
606       unexpectedauth  -  This  workaround flag will allow unexpected non-null
607       authcodes to be checked as though they were expected. It  works  around
608       an  issue  when  packets contain non-null authentication data when they
609       should be null due to disabled per-message authentication.  Those  hit‐
610       ting  this  issue  may  see "session timeout" errors. Issue observed on
611       Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
612
613       forcepermsg - This workaround flag will force  per-message  authentica‐
614       tion  to  be used no matter what is advertised by the remote system. It
615       works around an issue when per-message authentication is advertised  as
616       disabled on the remote system, but it is actually required for the pro‐
617       tocol. Those hitting this  issue  may  see  "session  timeout"  errors.
618       Issue observed on IBM eServer 325.
619
620       endianseq  -  This  workaround flag will flip the endian of the session
621       sequence numbers to allow the session to continue  properly.  It  works
622       around  IPMI  1.5  session  sequence numbers that are the wrong endian.
623       Those hitting this  issue  may  see  "session  timeout"  errors.  Issue
624       observed  on  some  Sun  ILOM  1.0/2.0  (depends  on  service processor
625       endian).
626
627       noauthcodecheck - This workaround flag will tell FreeIPMI to not  check
628       the  authentication  codes returned from IPMI 1.5 command responses. It
629       works around systems that return invalid authentication  codes  due  to
630       hashing  or  implementation  errors.  Users are cautioned on the use of
631       this option, as it removes an authentication check verifying the valid‐
632       ity of a packet. However, in most organizations, this is unlikely to be
633       a security issue. Those hitting this issue may  see  "connection  time‐
634       out",  "session  timeout",  or  "password verification timeout" errors.
635       Issue observed on Xyratex FB-H8-SRAY, Intel  Windmill,  Quanta  Winter‐
636       fell, and Wiwynn Windmill.
637
638       intel20  - This workaround flag will work around several Intel IPMI 2.0
639       authentication issues. The issues covered include padding of usernames,
640       and  password  truncation  if  the  authentication  algorithm  is HMAC-
641       MD5-128. Those hitting this issue may see "username invalid", "password
642       invalid",  or  "k_g  invalid" errors. Issue observed on Intel SE7520AF2
643       with Intel Server Management Module (Professional Edition).
644
645       supermicro20 - This workaround flag will work around several Supermicro
646       IPMI  2.0  authentication  issues  on  motherboards  w/  Peppercon IPMI
647       firmware. The issues covered include handling invalid length  authenti‐
648       cation  codes.  Those  hitting  this  issue  may see "password invalid"
649       errors.  Issue observed on Supermicro H8QME with SIMSO  daughter  card.
650       Confirmed fixed on newerver firmware.
651
652       sun20 - This workaround flag will work work around several Sun IPMI 2.0
653       authentication issues. The issues covered include invalid lengthed hash
654       keys,  improperly  hashed keys, and invalid cipher suite records. Those
655       hitting this issue may see "password invalid" or  "bmc  error"  errors.
656       Issue  observed  on Sun Fire 4100/4200/4500 with ILOM.  This workaround
657       automatically includes the "opensesspriv" workaround.
658
659       opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
660       2.0 connection protocol to workaround an invalid hashing algorithm used
661       by the remote system. The privilege level sent during the Open  Session
662       stage of an IPMI 2.0 connection is used for hashing keys instead of the
663       privilege level sent during the RAKP1 connection stage.  Those  hitting
664       this  issue may see "password invalid", "k_g invalid", or "bad rmcpplus
665       status code" errors.  Issue observed on Sun  Fire  4100/4200/4500  with
666       ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
667       Intel S5500WBV/Penguin Relion 700,  Intel  S2600JF/Appro  512X,  Quanta
668       QSSC-S4R/Appro  GB812X-CN, and Dell C5220. This workaround is automati‐
669       cally triggered with the "sun20" workaround.
670
671       integritycheckvalue - This workaround flag will work around an  invalid
672       integrity  check  value  during  an IPMI 2.0 session establishment when
673       using Cipher Suite ID 0. The integrity check value should be 0  length,
674       however  the  remote motherboard responds with a non-empty field. Those
675       hitting this issue may see "k_g  invalid"  errors.  Issue  observed  on
676       Supermicro  X8DTG,  Supermicro X8DTU, and Intel S5500WBV/Penguin Relion
677       700, and Intel S2600JF/Appro 512X.
678
679       assumesystemevent - This workaround  option  will  assume  invalid  SEL
680       record  types  are  system event records. Records may be formatted cor‐
681       rectly but report invalid record types. Those hitting  this  issue  may
682       see  "Unknown  SEL Record Type" errors. Output may be unknown, pray for
683       the best. This option is confirmed to work around compliances issues on
684       HP DL 380 G5 motherboards.
685
686       No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
687       found to not support IPMI 1.5. Those hitting this issue may  see  "ipmi
688       2.0  unavailable"  or  "connection  timeout"  errors. This issue can be
689       worked around by using IPMI 2.0  instead  of  IPMI  1.5  by  specifying
690       --driver-type=LAN_2_0. Issue observed on HP Proliant DL 145.
691

OEM INTERPRETATION

693       The  following  motherboards are confirmed to have atleast some support
694       by the --interpret-oem-data option. While highly probable the OEM  data
695       interpretations  would work across other motherboards by the same manu‐
696       facturer, there are no guarantees. Some of the motherboards  below  may
697       be rebranded by vendors/distributors.
698
699       Dell  Poweredge  2900,  Dell  Poweredge 2950, Dell Poweredge R610, Dell
700       Poweredge R710, Fujitsu iRMC S1 and iRMC S2 systems, Intel S5500WB/Pen‐
701       guin  Computing  Relion  700, Intel S2600JF/Appro 512X, Intel S5000PAL,
702       Inventec 5441/Dell Xanadu II, Inventec  5442/Dell  Xanadu  III,  Quanta
703       S99Q/Dell  FS12-TY, Quanta QSSC-S4R/Appro GB812X-CN, Sun X4140 Supermi‐
704       cro X7DBR-3, Supermicro X7DB8, Supermicro X8DTN, Supermicro  X7SBI-LN4,
705       Supermicro   X8DTH,  Supermicro  X8DTG,  Supermicro  X8DTU,  Supermicro
706       X8DT3-LN4F, Supermicro X8DTU-6+, Supermicro X8DTL, Supermicro X8DTL-3F,
707       Supermicro  X8SIL-F,  Supermicro  X9SCL,  Supermicro  X9SCM, Supermicro
708       X8DTN+-F, Supermicro X8SIE, Supermicro X9SCA-F-O,  Supermicro  H8DGU-F,
709       Supermicro   X9DRi-F,  Supermicro  X9DRI-LN4F+,  Supermicro  X9SPU-F-O,
710       Supermicro X9SCM-iiF, Wistron/Dell Poweredge C6220.
711

KNOWN ISSUES

713       On older operating systems, if you input your username,  password,  and
714       other  potentially  security  relevant information on the command line,
715       this information may be discovered by other users when using tools like
716       the  ps(1) command or looking in the /proc file system. It is generally
717       more secure to input password information with options like the  -P  or
718       -K  options.  Configuring security relevant information in the FreeIPMI
719       configuration file would also be an appropriate way to hide this infor‐
720       mation.
721
722       In  order  to  prevent  brute force attacks, some BMCs will temporarily
723       "lock up" after a number of remote authentication errors. You may  need
724       to  wait awhile in order to this temporary "lock up" to pass before you
725       may authenticate again.
726

FILES

728       /etc/freeipmi//ipmiseld.conf /var/cache/ipmiseld/
729

REPORTING BUGS

731       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
732
734       Copyright (C) 2012-2015 Lawrence Livermore National Security, LLC.
735
736       This program is free software; you can redistribute it and/or modify it
737       under  the  terms of the GNU General Public License as published by the
738       Free Software Foundation; either version 3 of the License, or (at  your
739       option) any later version.
740

SEE ALSO

742       freeipmi(7),  ipmi-sel(8),  ipmiseld.conf(5),  bmc-device(8), ipmi-con‐
743       fig(8), freeipmi_interpret_sel.conf(5)
744
745       http://www.gnu.org/software/freeipmi/
746
747
748
749ipmiseld 1.6.4                    2019-08-21                       ipmiseld(8)
Impressum