1ipmipower(8)                    System Commands                   ipmipower(8)
2
3
4

NAME

6       ipmipower - IPMI power control utility
7

SYNOPSIS

9       ipmipower [OPTION...]
10

DESCRIPTION

12       Ipmipower  allows  users  to remotely power on, off, cycle, hard reset,
13       get a power status query, perform a pulse diagnostic interrupt, or ini‐
14       tiate a soft-shutdown of the OS via ACPI through the IPMI over LAN pro‐
15       tocol.
16
17       When a power command (--on, --off, --cycle, --reset,  --stat,  --pulse,
18       or  --soft) is specified on the command line, Ipmipower will attempt to
19       run the power command on all hostnames listed on the command line  then
20       exit.
21
22       If  no power commands are specified on the command line, ipmipower will
23       run in interactive mode. Interactive mode gives the user a command line
24       interface to enter various commands. Details of the interactive command
25       line interface can be found below under INTERACTIVE COMMANDS.
26
27       Listed below are general IPMI options, tool specific  options,  trouble
28       shooting  information,  workaround  information,  examples,  and  known
29       issues. For a general introduction to FreeIPMI please see freeipmi(7).
30

GENERAL OPTIONS

32       The following options are general options for configuring IPMI communi‐
33       cation and executing general tool commands.
34
35       -D IPMIDRIVER, --driver-type=IPMIDRIVER
36              Specify  the  driver type to use instead of doing an auto selec‐
37              tion.  The currently available outofband  drivers  are  LAN  and
38              LAN_2_0, which perform IPMI 1.5 and IPMI 2.0 respectively.
39
40       -h      IPMIHOST1,IPMIHOST2,...,      --hostname=IPMIHOST1[:PORT],IPMI‐
41       HOST2[:PORT],...
42              Specify the remote host(s) to communicate with.  Multiple  host‐
43              names  may  be separated by comma or may be specified in a range
44              format; see HOSTRANGED SUPPORT below. An optional  port  can  be
45              specified with each host, which may be useful in port forwarding
46              or similar situations.  If specifying an IPv6 address and  port,
47              use the format [ADDRESS]:PORT.
48
49       -u USERNAME, --username=USERNAME
50              Specify  the username to use when authenticating with the remote
51              host.  If not specified, a null  (i.e.  anonymous)  username  is
52              assumed.  The  user must have atleast OPERATOR privileges to run
53              the --on, --off, --reset, --cycle, --pulse, or --soft power con‐
54              trol  commands.  The  user  must have atleast USER privileges to
55              determine the power status of the machine through --stat.
56
57       -p PASSWORD, --password=PASSWORD
58              Specify the password to use when authenticationg with the remote
59              host.   If  not  specified,  a null password is assumed. Maximum
60              password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
61
62       -P, --password-prompt
63              Prompt for password  to  avoid  possibility  of  listing  it  in
64              process lists.
65
66       -k K_G, --k-g=K_G
67              Specify  the  K_g  BMC  key  to use when authenticating with the
68              remote host for IPMI 2.0.  If  not  specified,  a  null  key  is
69              assumed. To input the key in hexadecimal form, prefix the string
70              with '0x'. E.g., the key 'abc' can be entered  with  the  either
71              the string 'abc' or the string '0x616263'
72
73       -K, --k-g-prompt
74              Prompt  for  k-g  to  avoid possibility of listing it in process
75              lists.
76
77       --session-timeout=MILLISECONDS
78              Specify the session timeout in milliseconds. Defaults  to  20000
79              milliseconds (20 seconds) if not specified.
80
81       --retransmission-timeout=MILLISECONDS
82              Specify  the  packet  retransmission  timeout  in  milliseconds.
83              Defaults to 400 milliseconds (0.4 seconds) if not specified.
84
85       -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
86              Specify the IPMI 1.5 authentication type to use.  The  currently
87              available  authentication types are NONE, STRAIGHT_PASSWORD_KEY,
88              MD2, and MD5. Defaults to MD5 if not specified.
89
90       -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
91              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
92              identifies a set of authentication, integrity, and confidential‐
93              ity algorithms to use for IPMI 2.0 communication. The  authenti‐
94              cation  algorithm  identifies  the  algorithm to use for session
95              setup, the integrity algorithm identifies the algorithm  to  use
96              for session packet signatures, and the confidentiality algorithm
97              identifies the algorithm to use for payload encryption. Defaults
98              to  cipher  suite  ID  3  if not specified. The following cipher
99              suite ids are currently supported:
100
101              0 - Authentication Algorithm = None; Integrity Algorithm = None;
102              Confidentiality Algorithm = None
103
104              1  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
105              None; Confidentiality Algorithm = None
106
107              2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
108              HMAC-SHA1-96; Confidentiality Algorithm = None
109
110              3  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
111              HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
112
113              6 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
114              None; Confidentiality Algorithm = None
115
116              7  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
117              HMAC-MD5-128; Confidentiality Algorithm = None
118
119              8 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
120              HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
121
122              11  - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
123              MD5-128; Confidentiality Algorithm = None
124
125              12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm  =
126              MD5-128; Confidentiality Algorithm = AES-CBC-128
127
128              15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
129              = None; Confidentiality Algorithm = None
130
131              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
132              = HMAC_SHA256_128; Confidentiality Algorithm = None
133
134              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
135              = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
136
137       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
138              Specify the privilege level to be used. The currently  available
139              privilege  levels  are  USER,  OPERATOR,  and ADMIN. Defaults to
140              OPERATOR if not specified.
141
142       --config-file=FILE
143              Specify an alternate configuration file.
144
145       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
146              Specify workarounds to vendor compliance issues. Multiple  work‐
147              arounds  can be specified separated by commas. A special command
148              line flag of "none", will indicate no workarounds (may be useful
149              for overriding configured defaults). See WORKAROUNDS below for a
150              list of available workarounds.
151
152       --debug
153              Turn on debugging.
154
155       -?, --help
156              Output a help list and exit.
157
158       --usage
159              Output a usage message and exit.
160
161       -V, --version
162              Output the program version and exit.
163

IPMIPOWER OPTIONS

165       The following options are specific to ipmipower.
166
167       -n, --on
168              Power on the target hosts.
169
170       -f, --off
171              Power off the target hosts.
172
173       -c, --cycle
174              Power cycle the target hosts.
175
176       -r, --reset
177              Reset the target hosts.
178
179       -s, --stat
180              Get power status of the target hosts.
181
182       --pulse
183              Send power diagnostic interrupt to target hosts.
184
185       --soft Initiate a soft-shutdown of the OS via ACPI.
186
187       --on-if-off
188              The IPMI specification does not require the power cycle or  hard
189              reset  commands  to  turn on a machine that is currently powered
190              off. This option will force ipmipower to issue a power  on  com‐
191              mand  instead  of  a  power  cycle  or hard reset command if the
192              remote machine's power is currently off.
193
194       --wait-until-on
195              The IPMI specification allows power on commands to return  prior
196              to  the  power  on actually taking place. This option will force
197              ipmipower to regularly query the  remote  BMC  and  return  only
198              after the machine has powered on.
199
200       --wait-until-off
201              The IPMI specification allows power off commands to return prior
202              the power off actually taking  place.  This  option  will  force
203              ipmipower  to  regularly  query  the  remote BMC and return only
204              after the machine has powered off.
205
206       --oem-power-type=OEM-POWER-TYPE
207              This option informs ipmipower to initiate power  control  opera‐
208              tions via an IPMI OEM specific power control extension. The cur‐
209              rently available POWERTYPEs are NONE and C410X. Please  see  OEM
210              POWER EXTENSIONS below for additional information.
211

IPMIPOWER ADVANCED NETWORK OPTIONS

213       The  following  options  are  used to change the networking behavior of
214       ipmipower.
215
216       --retransmission-wait-timeout=MILLISECONDS
217              Specify the retransmission wait timeout length in  milliseconds.
218              The retransmission wait timeout is similar to the retransmission
219              timeout above, but is used  specifically  for  power  completion
220              verification   with  the  --wait-until-on  and  --wait-until-off
221              options.  Defaults to 500 milliseconds (0.5 seconds).
222
223       --retransmission-backoff-count=COUNT
224              Specify the retransmission backoff  count  for  retransmissions.
225              After  ever  COUNT  retransmissions,  the retransmission timeout
226              length will be increased by another factor. Defaults to 8.
227
228       --ping-interval=MILLISECONDS
229              Specify the ping interval length in milliseconds.  When  running
230              in  interactive  mode, RMCP (Remote Management Control Protocol)
231              discovery messages will be sent to all configured  remote  hosts
232              every  MILLISECONDS to confirm their support of IPMI. Power com‐
233              mands cannot be sent to a host until it is  discovered  (or  re-
234              discovered if previously lost). Defaults to 5000 milliseconds (5
235              seconds). Ping discovery messages can  be  disabled  by  setting
236              this  valu  to 0. RMCP ping discovery messages are automatically
237              disabled in non-interactive mode.
238
239       --ping-timeout=MILLISECONDS
240              Specify the ping timeout length in milliseconds. When running in
241              interactive mode, RMCP (Remote Management Control Protocol) mes‐
242              sages discovery will be sent to all configured remote  hosts  to
243              confirm  their  support  of  IPMI.  A  remote host is considered
244              undiscovered if the host does not respond in MILLISECONDS  time.
245              Defaults  to  30000  milliseconds (30 seconds). The ping timeout
246              cannot be larger than the ping interval.
247
248       --ping-packet-count=COUNT
249              Specify the ping packet count size.  Defaults  to  10.  See  the
250              --ping-percent-fR  option  below  for  more  information on this
251              option.
252
253       --ping-percent=PERCENT
254              Specify the ping percent value. Defaults to 50.  Since  IPMI  is
255              based  on  UDP,  it  is  difficult  for ipmipower to distinguish
256              between a missing machine and a bad (or heavily loaded)  network
257              connection  in  interactive  mode.  when  running in interactive
258              mode. For example, suppose a link consistently drops 80% of  the
259              packets to a particular machine. The power control operation may
260              have difficulty completing, although a recent pong response from
261              RMCP  makes  ipmipower believe the machine is up and functioning
262              properly.  The ping packet count and percent options are used to
263              alleviate  this problem.  Ipmipower will monitor RMCP ping pack‐
264              ets in packet count chunks. If  ipmipower  does  not  receive  a
265              response   to  greater  than  ping  percent  of  those  packets,
266              ipmipower will assume the link to this node is bad and will  not
267              send  power control operations to that node until the connection
268              is determined to be reliable. This heuristic can be disabled  by
269              setting  either the ping packet count or ping percent to 0. This
270              feature is not used if ping interval is set to 0.
271
272       --ping-consec-count=COUNT
273              Specify the ping consecutive count. This  is  another  heuristic
274              used  to  determine  if  a node should be considered discovered,
275              undiscovered, or with a bad connection. If  a  valid  RMCP  pong
276              response  was  received  for the last COUNT ping packets, a node
277              will be considered discovered, regardless  of  other  heuristics
278              listed  above.  Defaults to 5. This heuristic can be disabled by
279              setting this value to 0. This feature is not used if other  ping
280              features described above are disabled.
281

HOSTRANGED OPTIONS

283       The following options manipulate hostranged output. See HOSTRANGED SUP‐
284       PORT below for additional information on hostranges.
285
286       -B, --buffer-output
287              Buffer hostranged output. For each node, buffer standard  output
288              until the node has completed its IPMI operation. When specifying
289              this option, data may appear to output slower to the user  since
290              the  the entire IPMI operation must complete before any data can
291              be output.  See HOSTRANGED SUPPORT below for additional informa‐
292              tion.
293
294       -C, --consolidate-output
295              Consolidate hostranged output. The complete standard output from
296              every node specified will be consolidated  so  that  nodes  with
297              identical  output are not output twice. A header will list those
298              nodes with the consolidated output. When this option  is  speci‐
299              fied,  no  output  can  be seen until the IPMI operations to all
300              nodes has completed. If the  user  breaks  out  of  the  program
301              early,  all  currently  consolidated  output will be dumped. See
302              HOSTRANGED SUPPORT below for additional information.
303
304       -F NUM, --fanout=NUM
305              Specify multiple host fanout. Indicates the  maximum  number  of
306              power control operations that can be executed in parallel.
307
308       -E, --eliminate
309              Eliminate  hosts  determined  as undetected by ipmidetect.  This
310              attempts to remove the common issue of hostranged execution tim‐
311              ing  out  due  to  several nodes being removed from service in a
312              large cluster. The ipmidetectd daemon must  be  running  on  the
313              node executing the command.
314
315       --always-prefix
316              Always prefix output, even if only one host is specified or com‐
317              municating in-band. This option is primarily useful for  script‐
318              ing  purposes.  Option  will be ignored if specified with the -C
319              option.
320

INTERACTIVE COMMANDS

322       Ipmipower provides the following interactive commands at the ipmipower>
323       prompt.  Before any power commands (on, off, cycle, reset, stat, pulse,
324       or soft) can be used, hostnames  must  be  configured  into  ipmipower,
325       either  through  the  command prompt or the hostname command below. The
326       parameters and options to the commands below mirror  their  appropriate
327       command line options.
328
329       hostname [IPMIHOST(s)]
330              Specify a new set of hosts. No input to unconfigure all hosts.
331
332       username [USERNAME]
333              Specify a new username. No input for null username.
334
335       password [PASSWORD]
336              Specify a new password. No input for null password.
337
338       k_g [K_G]
339              Specify  a  new  K_g BMC Key. No input for null key. Prefix with
340              '0x' to enter a key in hexadecimal
341
342       ipmi-version IPMIVERSION
343              Specify the ipmi version to use.
344
345       session-timeout MILLISECONDS
346              Specify a new session timeout length.
347
348       retransmission-timeout MILLISECONDS
349              Specify a new retransmiision timeout length.
350
351       authentication-type AUTHENTICATION-TYPE
352              Specify the authentication type to use.
353
354       cipher-suite-id CIPHER-SUITE-ID
355              Specify the cipher suite id to use.
356
357       privilege-level PRIVILEGE-LEVEL
358              Specify the privilege level to use.
359
360       workaround-flags WORKAROUNDS
361              Specify workaround flags.
362
363       debug [on|off]
364              Toggle debug output.
365
366       on [IPMIHOST(s)]
367              Turn on all configured hosts or specified hosts.
368
369       off [IPMIHOST(s)]
370              Turn off all configured hosts or specified hosts.
371
372       cycle [IPMIHOST(s)]
373              Power cycle all configured hosts or specified hosts.
374
375       reset [IPMIHOST(s)]
376              Reset all configured hosts or specified hosts.
377
378       stat [IPMIHOST(s)]
379              Query power status for all configured hosts or specified hosts.
380
381       pulse [IPMIHOST(s)]
382              Pulse diagnostic interrupt all  configured  hosts  or  specified
383              hosts.
384
385       soft [IPMIHOST(s)]
386              Initiate  a  soft-shutdown for all configured hosts or specified
387              hosts.
388
389       identify-on [IPMIHOST(s)]
390              Turn on physical system identification.
391
392       identify-off [IPMIHOST(s)]
393              Turn off physical system identification.
394
395       identify-status [IPMIHOST(s)]
396              Query physical system identification status.
397
398       on-if-off [on|off]
399              Toggle on-if-off functionality.
400
401       wait-until-on [on|off]
402              Toggle wait-until-on functionality.
403
404       wait-until-off [on|off]
405              Toggle wait-until-off functionality.
406
407       retransmission-wait-timeout MILLISECONDS
408              Specify a new retransmission wait timeout length.
409
410       retransmission-backoff-count COUNT
411              Specify a new retransmission backoff count.
412
413       ping-interval MILLISECONDS
414              Specify a new ping interval length.
415
416       ping-timeout MILLISECONDS
417              Specify a new ping timeout length.
418
419       ping-packet-count COUNT
420              Specify a new ping packet count.
421
422       ping-percent PERCENT
423              Specify a new ping percent.
424
425       ping-consec-count COUNT
426              Specify a new ping consec count.
427
428       buffer-output [on|off]
429              Toggle buffer-output functionality.
430
431       consolidate-output [on|off]
432              Toggle consolidate-output functionality.
433
434       fanout COUNT
435              Specify a fanout.
436
437       always-prefix [on|off]
438              Toggle always-prefix functionality.
439
440       help   Output help menu.
441
442       version
443              Output version.
444
445       config Output the current configuration.
446
447       quit   Quit program.
448

OEM POWER EXTENSIONS

450       Some motherboards include IPMI OEM extensions for alternate power  con‐
451       trol  mechanisms. For example, these power control mechanisms may allow
452       you to power control a sub-device within the  system  rather  than  the
453       entire system itself.
454
455       By  specifying  an  OEM  power type via --oem-power-type on the command
456       line or freeipmi.conf(5), you can instruct ipmipower to execute  alter‐
457       nate power control implementations over the standard ones. Depending on
458       the OEM extension, some power control commands may no longer be  avail‐
459       able.  For  example,  an OEM extension may allow on but not cycle. Spe‐
460       cific ipmipower options may not longer function either.
461
462       Some OEM extensions may require additional arguments  for  their  power
463       control  action,  such as a sub-device identifier. Additional arguments
464       can be provided by appending a plus sign ('+') and the  extra  informa‐
465       tion  to  the end of the hostname. This can be done on the command line
466       or in interactive mode. For example, the hostname mynode+18 would indi‐
467       cate the power control operation should be sent to the host mynode, and
468       18 is the identifier of a possible sub-device to be  power  controlled.
469       The  --consolidate-output option is commonly disabled when using an OEM
470       power control that requires extra arguments.
471
472       Because OEM power control may involve subtypes, it is possible  a  user
473       may  wish  to  power control multiple sub-devices on the same host. For
474       example, you might specify the hosts mynode+1,mynode+2,  indicating  to
475       power  control  subdevice  1 and 2 on mynode.  Because many BMCs cannot
476       handle multiple IPMI sessions, power control  operations  to  the  same
477       host will be serialized internally by ipmipower.
478
479       The  following  are  the  current OEM power types available, along with
480       information on the systems they work with and the power control  opera‐
481       tions available.
482
483       C410X  This  OEM power type supports the power control of PCIe slots on
484              Dell Poweredge C410x systems. It supports on, off, and stat. The
485              PCIe  slot  number ranges from 1-16 and must always be specified
486              when attempting to power control with this extension. For  exam‐
487              ple,  the hostname mynode+2 would inform ipmipower to operate on
488              slot number 2 on mynode.  The C410x appears to  have  difficulty
489              handling  new  slot power control requests until prior ones have
490              completed.  Users  may  wish  to  strongly  consider  using  the
491              --wait-until-on  and  --wait-until-off options if multiple slots
492              will be power controlled in short succession.
493
494       NONE   This informs ipmipower that no OEM power type extension is to be
495              used  and  standard  IPMI  power  control  is  used. This is the
496              default.
497

HOSTRANGED SUPPORT

499       Multiple hosts can be input either as an explicit comma separated lists
500       of  hosts  or  a  range of hostnames in the general form: prefix[n-m,l-
501       k,...], where n < m and l < k, etc. The later form should not  be  con‐
502       fused  with  regular expression character classes (also denoted by []).
503       For example, foo[19] does not represent foo1 or foo9, but rather repre‐
504       sents a degenerate range: foo19.
505
506       This  range  syntax  is  meant only as a convenience on clusters with a
507       prefixNN naming convention and specification of ranges  should  not  be
508       considered  necessary -- the list foo1,foo9 could be specified as such,
509       or by the range foo[1,9].
510
511       Some examples of range usage follow:
512           foo[01-05] instead of foo01,foo02,foo03,foo04,foo05
513           foo[7,9-10] instead of foo7,foo9,foo10
514           foo[0-3] instead of foo0,foo1,foo2,foo3
515
516       As a reminder to the reader, some shells will interpret brackets ([ and
517       ])  for  pattern matching. Depending on your shell, it may be necessary
518       to enclose ranged lists within quotes.
519
520       When multiple hosts are specified by the user, a socket will be created
521       for  each host and polled on, effectively allowing communication to all
522       hosts in parallel. This will allow communication to  large  numbers  of
523       nodes  far more quickly than if done in serial.  The -F option can con‐
524       figure the number of nodes that can be communicated with in parallel at
525       the same time.
526
527       By  default,  standard  output  from each node specified will be output
528       with the hostname prepended to each line. Although this output is read‐
529       able  in  many  situations, it may be difficult to read in other situa‐
530       tions. For example, output from multiple nodes may be  mixed  together.
531       The -B and -C options can be used to change this default.
532

EXAMPLES

534       Determine the power status of foo[0-2] with null username and password
535               ipmipower -h foo[0-2] --stat
536
537       Determine the power status of foo[0-2] with non-null username and pass‐
538       word
539               ipmipower -h foo[0-2] -u foo -p bar --stat
540
541       Hard reset nodes foo[0-2] with non-null username and password
542               ipmipower -h foo[0-2] -u foo -p bar --reset
543

GENERAL TROUBLESHOOTING

545       Most often, IPMI problems are due to configuration problems.
546
547       IPMI over  LAN  problems  involve  a  misconfiguration  of  the  remote
548       machine's  BMC.  Double check to make sure the following are configured
549       properly in the remote machine's BMC: IP address, MAC  address,  subnet
550       mask,  username,  user enablement, user privilege, password, LAN privi‐
551       lege, LAN enablement, and allowed authentication type(s). For IPMI  2.0
552       connections,  double  check  to make sure the cipher suite privilege(s)
553       and K_g key are configured properly. The  ipmi-config(8)  tool  can  be
554       used to check and/or change these configuration settings.
555
556       In  addition  to the troubleshooting tips below, please see WORKAROUNDS
557       below to also if there are any vendor specific bugs that have been dis‐
558       covered and worked around.
559
560       Listed  below  are  many  of the common issues for error messages.  For
561       additional support, please e-mail the <freeipmi-users@gnu.org>  mailing
562       list.
563
564       "username  invalid"  - The username entered (or a NULL username if none
565       was entered) is not available on the remote machine.  It  may  also  be
566       possible the remote BMC's username configuration is incorrect.
567
568       "password  invalid"  - The password entered (or a NULL password if none
569       was entered) is not correct. It may also be possible the  password  for
570       the user is not correctly configured on the remote BMC.
571
572       "password  verification timeout" - Password verification has timed out.
573       A "password invalid" error (described  above)  or  a  generic  "session
574       timeout" (described below) occurred.  During this point in the protocol
575       it cannot be differentiated which occurred.
576
577       "k_g invalid" - The K_g key entered (or a NULL  K_g  key  if  none  was
578       entered)  is  not  correct.  It may also be possible the K_g key is not
579       correctly configured on the remote BMC.
580
581       "privilege level insufficient" - An IPMI command requires a higher user
582       privilege  than  the one authenticated with. Please try to authenticate
583       with a higher privilege. This may require authenticating to a different
584       user which has a higher maximum privilege.
585
586       "privilege  level  cannot  be  obtained  for this user" - The privilege
587       level you are attempting to authenticate with is higher than the  maxi‐
588       mum  allowed for this user. Please try again with a lower privilege. It
589       may also be possible the maximum privilege level allowed for a user  is
590       not configured properly on the remote BMC.
591
592       "authentication  type  unavailable for attempted privilege level" - The
593       authentication type you wish to authenticate with is not available  for
594       this privilege level. Please try again with an alternate authentication
595       type or alternate privilege level. It may also be possible  the  avail‐
596       able  authentication  types you can authenticate with are not correctly
597       configured on the remote BMC.
598
599       "cipher suite id unavailable" - The cipher suite id you wish to authen‐
600       ticate  with  is not available on the remote BMC. Please try again with
601       an alternate cipher suite id. It may also  be  possible  the  available
602       cipher suite ids are not correctly configured on the remote BMC.
603
604       "ipmi  2.0  unavailable"  -  IPMI  2.0 was not discovered on the remote
605       machine. Please try to use IPMI 1.5 instead.
606
607       "connection timeout" - Initial IPMI communication failed. A  number  of
608       potential errors are possible, including an invalid hostname specified,
609       an IPMI IP address cannot be resolved,  IPMI  is  not  enabled  on  the
610       remote  server,  the network connection is bad, etc. Please verify con‐
611       figuration and connectivity.
612
613       "session timeout" - The IPMI session has timed out.  Please  reconnect.
614       If this error occurs often, you may wish to increase the retransmission
615       timeout. Some remote BMCs are considerably slower than others.
616
617       "internal IPMI error" - An IPMI error has occurred that  FreeIPMI  does
618       not  know  how  to  handle.  Please  e-mail <freeipmi-users@gnu.org> to
619       report the issue.
620

IPMIPOWER TROUBLESHOOTING

622       When powering on a powered off machine, the client must have a means by
623       which to resolve the MAC address of the remote machine's ethernet card.
624       While most modern IPMI solutions support the ability to ARP and resolve
625       addresses  when the machine is powered off, some older machines do not.
626       This is typically solved in one of two ways:
627
628       1) Enable gratuitous ARPs on the remote  machine.  The  remote  machine
629       will  send  out  a gratuitous ARP, which advertises the ethernet IP and
630       MAC address so that other machines  on  the  network  this  information
631       their  local  ARP  cache. For large clusters, this method is not recom‐
632       mended since gratuitous ARPs can flood  the  network  with  unnecessary
633       traffic.
634
635       2)  Permanently store the remote machine's MAC address in the local ARP
636       cache. This is the more common approach on large clusters.
637
638       Other methods are listed in the IPMI specification.
639

WORKAROUNDS

641       With so many different vendors implementing their own  IPMI  solutions,
642       different  vendors  may implement their IPMI protocols incorrectly. The
643       following describes a number of workarounds currently available to han‐
644       dle  discovered compliance issues. When possible, workarounds have been
645       implemented so they will be transparent to the user. However, some will
646       require the user to specify a workaround be used via the -W option.
647
648       The hardware listed below may only indicate the hardware that a problem
649       was discovered on. Newer versions of  hardware  may  fix  the  problems
650       indicated  below.  Similar machines from vendors may or may not exhibit
651       the same problems. Different vendors may license  their  firmware  from
652       the  same IPMI firmware developer, so it may be worthwhile to try work‐
653       arounds listed below even if your motherboard is not listed.
654
655       If you believe your hardware has an additional  compliance  issue  that
656       needs a workaround to be implemented, please contact the FreeIPMI main‐
657       tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
658
659       authcap - This workaround flag will  skip  early  checks  for  username
660       capabilities,  authentication  capabilities,  and K_g support and allow
661       IPMI authentication to succeed. It  works  around  multiple  issues  in
662       which the remote system does not properly report username capabilities,
663       authentication capabilities, or K_g status. Those  hitting  this  issue
664       may  see  "username  invalid",  "authentication  type  unavailable  for
665       attempted privilege level", or "k_g invalid" errors.  Issue observed on
666       Asus  P5M2/P5MT-R/RS162-E4/RX4,  Intel  SR1520ML/X38ML,  and  Sun  Fire
667       2200/4150/4450 with ELOM.
668
669       nochecksumcheck - This workaround flag will tell FreeIPMI to not  check
670       the  checksums  returned  from  IPMI command responses. It works around
671       systems that return invalid checksums due to implementation errors, but
672       the  packet  is otherwise valid. Users are cautioned on the use of this
673       option, as it removes validation of packet integrity  in  a  number  of
674       circumstances.  However,  it  is unlikely to be an issue in most situa‐
675       tions. Those hitting this issue may see "connection timeout",  "session
676       timeout",  or  "password verification timeout" errors. On IPMI 1.5 con‐
677       nections, the "noauthcodecheck" workaround may also needed  too.  Issue
678       observed  on  Supermicro  X9SCM-iiF, Supermicro X9DRi-F, and Supermicro
679       X9DRFR.
680
681       idzero - This workaround flag  will  allow  empty  session  IDs  to  be
682       accepted by the client. It works around IPMI sessions that report empty
683       session IDs to the client. Those hitting this issue  may  see  "session
684       timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
685
686       unexpectedauth  -  This  workaround flag will allow unexpected non-null
687       authcodes to be checked as though they were expected. It  works  around
688       an  issue  when  packets contain non-null authentication data when they
689       should be null due to disabled per-message authentication.  Those  hit‐
690       ting  this  issue  may  see "session timeout" errors. Issue observed on
691       Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
692
693       forcepermsg - This workaround flag will force  per-message  authentica‐
694       tion  to  be used no matter what is advertised by the remote system. It
695       works around an issue when per-message authentication is advertised  as
696       disabled on the remote system, but it is actually required for the pro‐
697       tocol. Those hitting this  issue  may  see  "session  timeout"  errors.
698       Issue observed on IBM eServer 325.
699
700       endianseq  -  This  workaround flag will flip the endian of the session
701       sequence numbers to allow the session to continue  properly.  It  works
702       around  IPMI  1.5  session  sequence numbers that are the wrong endian.
703       Those hitting this  issue  may  see  "session  timeout"  errors.  Issue
704       observed  on  some  Sun  ILOM  1.0/2.0  (depends  on  service processor
705       endian).
706
707       noauthcodecheck - This workaround flag will tell FreeIPMI to not  check
708       the  authentication  codes returned from IPMI 1.5 command responses. It
709       works around systems that return invalid authentication  codes  due  to
710       hashing  or  implementation  errors.  Users are cautioned on the use of
711       this option, as it removes an authentication check verifying the valid‐
712       ity of a packet. However, in most organizations, this is unlikely to be
713       a security issue. Those hitting this issue may  see  "connection  time‐
714       out",  "session  timeout",  or  "password verification timeout" errors.
715       Issue observed on Xyratex FB-H8-SRAY, Intel  Windmill,  Quanta  Winter‐
716       fell, and Wiwynn Windmill.
717
718       intel20  - This workaround flag will work around several Intel IPMI 2.0
719       authentication issues. The issues covered include padding of usernames,
720       and  password  truncation  if  the  authentication  algorithm  is HMAC-
721       MD5-128. Those hitting this issue may see "username invalid", "password
722       invalid",  or  "k_g  invalid" errors. Issue observed on Intel SE7520AF2
723       with Intel Server Management Module (Professional Edition).
724
725       supermicro20 - This workaround flag will work around several Supermicro
726       IPMI  2.0  authentication  issues  on  motherboards  w/  Peppercon IPMI
727       firmware. The issues covered include handling invalid length  authenti‐
728       cation  codes.  Those  hitting  this  issue  may see "password invalid"
729       errors.  Issue observed on Supermicro H8QME with SIMSO  daughter  card.
730       Confirmed fixed on newerver firmware.
731
732       sun20 - This workaround flag will work work around several Sun IPMI 2.0
733       authentication issues. The issues covered include invalid lengthed hash
734       keys,  improperly  hashed keys, and invalid cipher suite records. Those
735       hitting this issue may see "password invalid" or  "bmc  error"  errors.
736       Issue  observed  on Sun Fire 4100/4200/4500 with ILOM.  This workaround
737       automatically includes the "opensesspriv" workaround.
738
739       opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
740       2.0 connection protocol to workaround an invalid hashing algorithm used
741       by the remote system. The privilege level sent during the Open  Session
742       stage of an IPMI 2.0 connection is used for hashing keys instead of the
743       privilege level sent during the RAKP1 connection stage.  Those  hitting
744       this  issue may see "password invalid", "k_g invalid", or "bad rmcpplus
745       status code" errors.  Issue observed on Sun  Fire  4100/4200/4500  with
746       ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
747       Intel S5500WBV/Penguin Relion 700,  Intel  S2600JF/Appro  512X,  Quanta
748       QSSC-S4R/Appro  GB812X-CN, and Dell C5220. This workaround is automati‐
749       cally triggered with the "sun20" workaround.
750
751       integritycheckvalue - This workaround flag will work around an  invalid
752       integrity  check  value  during  an IPMI 2.0 session establishment when
753       using Cipher Suite ID 0. The integrity check value should be 0  length,
754       however  the  remote motherboard responds with a non-empty field. Those
755       hitting this issue may see "k_g  invalid"  errors.  Issue  observed  on
756       Supermicro  X8DTG,  Supermicro X8DTU, and Intel S5500WBV/Penguin Relion
757       700, and Intel S2600JF/Appro 512X.
758
759       ipmiping - This workaround option will inform  ipmipower  to  use  IPMI
760       based ping packets instead of RMCP ping packets. Some motherboards have
761       been observed to not implement RMCP  ping/pong  support  despite  being
762       required  by  the IPMI specification. Issue observed on Intel Windmill,
763       Quanta Winterfell, and Wiwynn Windmill.
764
765       No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
766       found  to  not support IPMI 1.5. Those hitting this issue may see "ipmi
767       2.0 unavailable" or "connection timeout"  errors.  This  issue  can  be
768       worked  around  by  using  IPMI  2.0  instead of IPMI 1.5 by specifying
769       --driver-type=LAN_2_0. Issue observed on a number of HP and  Supermicro
770       motherboards.
771

DIAGNOSTICS

773       Upon  successful  execution, exit status is 0. On error, exit status is
774       1.
775
776       If multiple hosts are specified for communication, the exit status is 0
777       if  and  only  if  all targets successfully execute. Otherwise the exit
778       status is 1.
779
780       When operating in interactive mode, the exit value will be based on the
781       last power operation executed.
782

KNOWN ISSUES

784       On  older  operating systems, if you input your username, password, and
785       other potentially security relevant information on  the  command  line,
786       this information may be discovered by other users when using tools like
787       the ps(1) command or looking in the /proc file system. It is  generally
788       more  secure  to input password information with options like the -P or
789       -K options. Configuring security relevant information in  the  FreeIPMI
790       configuration file would also be an appropriate way to hide this infor‐
791       mation.
792
793       In order to prevent brute force attacks,  some  BMCs  will  temporarily
794       "lock  up" after a number of remote authentication errors. You may need
795       to wait awhile in order to this temporary "lock up" to pass before  you
796       may authenticate again.
797
798       IPMI  specifications  do  not  require  BMCs to perform a power control
799       operation before returning a completion code to the caller.  Therefore,
800       it is possible for ipmipower to return power status queries opposite of
801       what you are expecting.  For example, if a  "power  off"  operation  is
802       performed,  a  BMC may return a successful completion code to ipmipower
803       before the "power off"  operation  is  actually  performed.  Subsequent
804       power status queries may return "on" for several seconds, until the BMC
805       actually performs the "power off" operation.
806

REPORTING BUGS

808       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
809
811       Copyright (C) 2007-2015 Lawrence Livermore National Security, LLC.
812       Copyright (C) 2003-2007 The Regents of the University of California.
813
814       This program is free software; you can redistribute it and/or modify it
815       under  the  terms of the GNU General Public License as published by the
816       Free Software Foundation; either version 3 of the License, or (at  your
817       option) any later version.
818

SEE ALSO

820       freeipmi.conf(5), freeipmi(7), ipmi-config(8), ipmi-oem(8)
821
822       http://www.gnu.org/software/freeipmi/
823
824
825
826ipmipower 1.6.7                   2021-02-12                      ipmipower(8)
Impressum