1IPMI-CONFIG(8)                  System Commands                 IPMI-CONFIG(8)
2
3
4

NAME

6       ipmi-config - configure IPMI values
7

SYNOPSIS

9       ipmi-config [OPTION...]
10

DESCRIPTION

12       ipmi-config is used to get and set configuration parameters in IPMI. In
13       can be used to configured usernames, passwords, networking information,
14       security,  Serial-over-LAN  (SOL), Platform Event Filtering (PEF), boot
15       devices, power restoration policy, sensor  thresholds,  sensor  events,
16       and  many  more configuration options.  Some configuration is typically
17       required before most IPMI  tools  can  be  used  to  access  a  machine
18       remotely.  By default, ipmi-config, will let you --checkout or --commit
19       only the core IPMI values necessary for IPMI configuration.  For  addi‐
20       tional  advanced  configuration fields related to Chassis configuration
21       (including boot options), Platform Event Filtering (PEF),  or  Sensors,
22       see  the --category option below.  The majority of configuration opera‐
23       tions require  ADMIN  privilege  when  using  ipmi-config  out-of-band.
24       Although  connecting  via  a user with ADMIN privileges is not required
25       for out-of-band use, the vast majority of  configuration  options  will
26       not be retrieved or set.
27
28       Listed  below  are general IPMI options, tool specific options, trouble
29       shooting  information,  workaround  information,  examples,  and  known
30       issues.  For a general introduction to FreeIPMI please see freeipmi(7).
31       See GENERAL USE below for a description on basic use of ipmi-config.
32

GENERAL OPTIONS

34       The following options are general options for configuring IPMI communi‐
35       cation and executing general tool commands.
36
37       -D IPMIDRIVER, --driver-type=IPMIDRIVER
38              Specify  the  driver type to use instead of doing an auto selec‐
39              tion.  The currently available outofband  drivers  are  LAN  and
40              LAN_2_0,  which  perform IPMI 1.5 and IPMI 2.0 respectively. The
41              currently available inband  drivers  are  KCS,  SSIF,  OPENIPMI,
42              SUNBMC, and INTELDCMI.
43
44       --disable-auto-probe
45              Do not probe in-band IPMI devices for default settings.
46
47       --driver-address=DRIVER-ADDRESS
48              Specify  the  in-band  driver  address to be used instead of the
49              probed value. DRIVER-ADDRESS should be prefixed with "0x" for  a
50              hex value and '0' for an octal value.
51
52       --driver-device=DEVICE
53              Specify the in-band driver device path to be used instead of the
54              probed path.
55
56       --register-spacing=REGISTER-SPACING
57              Specify the in-band  driver  register  spacing  instead  of  the
58              probed  value. Argument is in bytes (i.e. 32bit register spacing
59              = 4)
60
61       --target-channel-number=CHANNEL-NUMBER
62              Specify the in-band driver target channel number  to  send  IPMI
63              requests to.
64
65       --target-slave-address=SLAVE-ADDRESS
66              Specify  the  in-band  driver  target  slave number to send IPMI
67              requests to.
68
69       -h      IPMIHOST1,IPMIHOST2,...,      --hostname=IPMIHOST1[:PORT],IPMI‐
70       HOST2[:PORT],...
71              Specify  the  remote host(s) to communicate with. Multiple host‐
72              names may be separated by comma or may be specified in  a  range
73              format;  see  HOSTRANGED  SUPPORT below. An optional port can be
74              specified with each host, which may be useful in port forwarding
75              or  similar situations.  If specifying an IPv6 address and port,
76              use the format [ADDRESS]:PORT.
77
78       -u USERNAME, --username=USERNAME
79              Specify the username to use when authenticating with the  remote
80              host.   If  not  specified,  a null (i.e. anonymous) username is
81              assumed. The user must have atleast ADMIN  privileges  in  order
82              for this tool to operate fully.
83
84       -p PASSWORD, --password=PASSWORD
85              Specify the password to use when authenticationg with the remote
86              host.  If not specified, a null  password  is  assumed.  Maximum
87              password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
88
89       -P, --password-prompt
90              Prompt  for  password  to  avoid  possibility  of  listing it in
91              process lists.
92
93       -k K_G, --k-g=K_G
94              Specify the K_g BMC key to  use  when  authenticating  with  the
95              remote  host  for  IPMI  2.0.  If  not  specified, a null key is
96              assumed. To input the key in hexadecimal form, prefix the string
97              with  '0x'.  E.g.,  the key 'abc' can be entered with the either
98              the string 'abc' or the string '0x616263'
99
100       -K, --k-g-prompt
101              Prompt for k-g to avoid possibility of  listing  it  in  process
102              lists.
103
104       --session-timeout=MILLISECONDS
105              Specify  the  session timeout in milliseconds. Defaults to 20000
106              milliseconds (20 seconds) if not specified.
107
108       --retransmission-timeout=MILLISECONDS
109              Specify  the  packet  retransmission  timeout  in  milliseconds.
110              Defaults  to  1000 milliseconds (1 second) if not specified. The
111              retransmission timeout cannot be larger than the  session  time‐
112              out.
113
114       -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
115              Specify  the  IPMI 1.5 authentication type to use. The currently
116              available authentication types are NONE,  STRAIGHT_PASSWORD_KEY,
117              MD2, and MD5. Defaults to MD5 if not specified.
118
119       -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
120              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
121              identifies a set of authentication, integrity, and confidential‐
122              ity  algorithms to use for IPMI 2.0 communication. The authenti‐
123              cation algorithm identifies the algorithm  to  use  for  session
124              setup,  the  integrity algorithm identifies the algorithm to use
125              for session packet signatures, and the confidentiality algorithm
126              identifies the algorithm to use for payload encryption. Defaults
127              to cipher suite ID 3 if  not  specified.  The  following  cipher
128              suite ids are currently supported:
129
130              0 - Authentication Algorithm = None; Integrity Algorithm = None;
131              Confidentiality Algorithm = None
132
133              1 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
134              None; Confidentiality Algorithm = None
135
136              2  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
137              HMAC-SHA1-96; Confidentiality Algorithm = None
138
139              3 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
140              HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
141
142              6  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
143              None; Confidentiality Algorithm = None
144
145              7 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
146              HMAC-MD5-128; Confidentiality Algorithm = None
147
148              8  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
149              HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
150
151              11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm  =
152              MD5-128; Confidentiality Algorithm = None
153
154              12  - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
155              MD5-128; Confidentiality Algorithm = AES-CBC-128
156
157              15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
158              = None; Confidentiality Algorithm = None
159
160              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
161              = HMAC_SHA256_128; Confidentiality Algorithm = None
162
163              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
164              = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
165
166       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
167              Specify  the privilege level to be used. The currently available
168              privilege levels are USER,  OPERATOR,  and  ADMIN.  Defaults  to
169              ADMIN if not specified.
170
171       --config-file=FILE
172              Specify an alternate configuration file.
173
174       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
175              Specify  workarounds to vendor compliance issues. Multiple work‐
176              arounds can be specified separated by commas. A special  command
177              line flag of "none", will indicate no workarounds (may be useful
178              for overriding configured defaults). See WORKAROUNDS below for a
179              list of available workarounds.
180
181       --debug
182              Turn on debugging.
183
184       -?, --help
185              Output a help list and exit.
186
187       --usage
188              Output a usage message and exit.
189
190       -V, --version
191              Output the program version and exit.
192

IPMI-CONFIG OPTIONS

194       The  following options are used to read, write, and find differences in
195       configuration values.
196
197       -g CATEGORY, --category=CATEGORY
198              Specify the category or categories of configuration data to con‐
199              figure.   Currently  available  choices: core, chassis, sensors,
200              pef, dcmi. Multiple categories can be separated by comma.   core
201              includes  all  major IPMI configuration necessary to get IPMI to
202              function on a system, such as  configuration  for  users,  pass‐
203              words,  authentication,  networking,  and serial-over-lan (SOL).
204              chassis includes all chassis  relevant  configuration  including
205              boot  options,  front  panel  buttons,  and power behavior. dcmi
206              includes specialized functions provided by the Data Center  Man‐
207              agement Interface (DCMI). Defaults to core if not specified.
208
209       -o, --checkout
210              Fetch configuration information.
211
212       -c, --commit
213              Update  configuration  information  from  a  config  file or key
214              pairs.
215
216       -d, --diff
217              Show differences between stored information and a config file or
218              key pairs.
219
220       -n FILENAME, --filename=FILENAME
221              Specify  a  config  file  for checkout/commit/diff. If specified
222              with  checkout,  cannot  use  with  multiple   hosts   or   with
223              --always-prefix.
224
225       -e "KEY=VALUE", --key-pair="KEY=VALUE"
226              Specify KEY=VALUE pairs for checkout/commit/diff. Specify KEY by
227              SectionName:FieldName. This option can be used  multiple  times.
228              On  commit,  any KEY=VALUE pairs will overwrite any pairs speci‐
229              fied in a file with --filename.
230
231       -S SECTION, --section=SECTION
232              Specify a SECTION for checkout. This option can be used multiple
233              times.  The  SECTION you are specifying must be within the cate‐
234              gory or categories specified with --category.
235
236       -L, --listsections
237              List available sections for checkout with respect to  the  cate‐
238              gory  or  categories under --category. Some sections in the list
239              may not be checked out by default and may require  verbosity  to
240              be increased.
241
242       -v, --verbose
243              Output  verbose  information.  When  used with --checkout, addi‐
244              tional uncommon sections and/or fields will  be  shown.  In  the
245              core  category,  this includes checking out Serial Configuration
246              parameters, Vlan parameters, IPv4 Header parameters, RMCP  port,
247              and  sections for each channel on a system, if multiple channels
248              exist. In the pef category, this includes checkout out  sections
249              for each channel on a system, if multiple channels exist.
250
251       -vv    Output  very  verbose  information.  Output  additional detailed
252              information about what fields can and cannot be checked out, and
253              sometimes the reason why. Sometimes output fields that are iden‐
254              tified as unsupported on the motherboard.
255
256       --lan-channel-number=NUMBER
257              Use an specific channel number for LAN  configuration.  Particu‐
258              larly useful if motherboard contains multiple LAN channels and a
259              user wishes to use a specific one.
260
261       --serial-channel-number=NUMBER
262              Use an specific channel number for serial configuration. Partic‐
263              ularly  useful  if motherboard contains multiple serial channels
264              and a user wishes to use a specific one.
265
266       --sol-channel-number=NUMBER
267              Use an specific channel number for SOL  configuration.  Particu‐
268              larly useful if motherboard contains multiple SOL channels and a
269              user wishes to use a specific one.
270

SDR CACHE OPTIONS

272       This tool requires access to the sensor data repository (SDR) cache for
273       general  operation.  By default, SDR data will be downloaded and cached
274       on the local machine. The following options apply to the SDR cache.
275
276       --flush-cache
277              Flush a cached version  of  the  sensor  data  repository  (SDR)
278              cache. The SDR is typically cached for faster subsequent access.
279              However, it may need to be flushed and re-generated if  the  SDR
280              has been updated on a system.
281
282       --quiet-cache
283              Do  not output information about cache creation/deletion. May be
284              useful in scripting.
285
286       --sdr-cache-recreate
287              If the SDR cache is out of date or invalid, automatically recre‐
288              ate  the  sensor data repository (SDR) cache. This option may be
289              useful for scripting purposes.
290
291       --sdr-cache-file=FILE
292              Specify a specific sensor data repository (SDR) cache file to be
293              stored  or read from. If this option is used when multiple hosts
294              are specified, the same SDR cache file  will  be  used  for  all
295              hosts.
296
297       --sdr-cache-directory=DIRECTORY
298              Specify  an alternate directory for sensor data repository (SDR)
299              caches to be stored or read from. Defaults to the home directory
300              if not specified.
301

HOSTRANGED OPTIONS

303       The following options manipulate hostranged output. See HOSTRANGED SUP‐
304       PORT below for additional information on hostranges.
305
306       -B, --buffer-output
307              Buffer hostranged output. For each node, buffer standard  output
308              until the node has completed its IPMI operation. When specifying
309              this option, data may appear to output slower to the user  since
310              the  the entire IPMI operation must complete before any data can
311              be output.  See HOSTRANGED SUPPORT below for additional informa‐
312              tion.
313
314       -C, --consolidate-output
315              Consolidate hostranged output. The complete standard output from
316              every node specified will be consolidated  so  that  nodes  with
317              identical  output are not output twice. A header will list those
318              nodes with the consolidated output. When this option  is  speci‐
319              fied,  no  output  can  be seen until the IPMI operations to all
320              nodes has completed. If the  user  breaks  out  of  the  program
321              early,  all  currently  consolidated  output will be dumped. See
322              HOSTRANGED SUPPORT below for additional information.
323
324       -F NUM, --fanout=NUM
325              Specify multiple host fanout. A  "sliding  window"  (or  fanout)
326              algorithm is used for parallel IPMI communication so that slower
327              nodes or timed out nodes will not impede parallel communication.
328              The maximum number of threads available at the same time is lim‐
329              ited by the fanout. The default is 64.
330
331       -E, --eliminate
332              Eliminate hosts determined as undetected  by  ipmidetect.   This
333              attempts to remove the common issue of hostranged execution tim‐
334              ing out due to several nodes being removed  from  service  in  a
335              large  cluster.  The  ipmidetectd  daemon must be running on the
336              node executing the command.
337
338       --always-prefix
339              Always prefix output, even if only one host is specified or com‐
340              municating  in-band. This option is primarily useful for script‐
341              ing purposes. Option will be ignored if specified  with  the  -C
342              option.
343

GENERAL USE

345       Most users of will want to:
346
347       A)  Run  with --checkout to get a copy of the current configuration and
348       store it in a file. The standard output can be redirected to a file  or
349       a file can be specified with the --filename option.
350
351       B) Edit the configuration file with an editor.
352
353       C) Commit the configuration back using the --commit option and specify‐
354       ing the configuration file with the --filename option.  The  configura‐
355       tion  can  be committed to multiple hosts in parallel via the hostrange
356       support.
357
358       Although not typically necessarily, some motherboards do not store con‐
359       figuration  values  in  non-volatile  memory.  Therefore,  after system
360       reboots, some configuration values may have changed. The user may  wish
361       to  run configuration tools on each boot to ensure configuration values
362       remain.
363
364       Comments will be listed on occassion in checked out files with informa‐
365       tion  on how to configure fields.  The ipmi-config.conf(5) manpage also
366       provides additional information on the meaning of different fields.
367
368       For users with large clusters or sets of nodes, you may wish to use the
369       same  configuration  file  for  all nodes. The one problem with this is
370       that the IP address and MAC address will be different on each  node  in
371       your cluster and thus can't be configured through the same config file.
372       The IP address and MAC address in your config file may  be  overwritten
373       on  the  command  line  using  --key-pair option. The following example
374       could be used in a script to configure each node in a cluster with  the
375       same BMC config file. The script only needs to determine the correct IP
376       address and MAC address to use.
377
378       #    ipmi-config    --commit    -k    Lan_Conf:Ip_Address=$MY_IP     -k
379       Lan_Conf:Mac_Address=$MY_MAC --filename=my_bmc.conf
380

CORE SPECIAL CASE CONFIGURATION INFORMATION

382       The  UserN:Password  fields (where N is a number) cannot be checked out
383       on some systems, therefore the checked out value will always be blank.
384
385       The UserN:Enable_User field (where N is a number) cannot be checked out
386       on older IPMI systems, therefore the checked out value will sometime be
387       blank.
388
389       The  UserN:Lan_Session_Limit  and   UserN:Serial_Session_Limit   fields
390       (where  N is a number) cannot be checked out on some systems, therefore
391       the checked out value will always be blank. If not specified  in  later
392       commits  of  configurations,  the  field  may  be  reset  to 0 due to a
393       requirement that other fields (configured along with the session limit)
394       will  require  an input value for the session limit.  Under most condi‐
395       tions, it is not necessary to set this field and most users may  choose
396       to  ignore it. This field is considered optional by IPMI standards, and
397       may result in errors when attempting to  configure  it  to  a  non-zero
398       value.  If  errors to occur, setting the value back to 0 should resolve
399       problems.
400
401       The fields Lan_Conf:IP_Address and Lan_Conf:MAC_Address cannot be  com‐
402       mitted  in parallel via hostrange support. Each machine must be config‐
403       ured with a unique IP Address and MAC Address tuple, therefore we  dis‐
404       allow this configuration in ipmi-config.
405
406       On some motherboards, Lan_Conf:MAC_Address may be read only and the MAC
407       address is automatically configured.
408
409       On some motherboards, Lan_Conf:MAC_Address may be read only and the MAC
410       address is configured via an OEM command. See ipmi-oem(8) to see if OEM
411       configuration for your motherboard is supported.
412
413       On some motherboards, a number of user configuration fields  cannot  be
414       read or configured until after a non-null username or non-null password
415       is configured. In some of these cases, an  appropriate  output  in  the
416       config  file will indicate this situation. However, not all motherboard
417       corner cases may be detected. Users may wish to play  around  with  the
418       ordering of fields to work around these problems.
419
420       On  some  motherboards,  OEM  Authentication in Lan_Conf_Auth cannot be
421       enabled. However, the default motherboard settings  have  these  fields
422       enabled.  Users  are  advised to disable all OEM Authentication in this
423       section.
424
425       On some motherboards, multiple channels may exist  for  either  LAN  or
426       Serial IPMI communication. If multiple channels exist, configuration of
427       both channels can  be  viewed  and  ultimately  configured  by  running
428       --checkout  under  verbose  mode. Each section or key name will be suf‐
429       fixed appropriately with the word Channel and the channel  number.  For
430       example,  you  might  see  a Lan_Conf_Channel_1 and Lan_Conf_Channel_3,
431       where you can configure LAN configuration on Channels 1 and  3  respec‐
432       tively.
433
434       On  some  motherboards, configuration changes will not be "absorbed" by
435       the system until the motherboard is  hard-reset.  This  can  be  accom‐
436       plished  by  physically  powering  off  and  on the system (e.g. button
437       push), or it can be accomplished through a cold-reset. A cold-reset can
438       be executed via bmc-device.
439

CHASSIS SPECIAL CASE CONFIGURATION INFORMATION

441       The        Chassis_Front_Panel_Buttons:Enable_Standby_Button_For_Enter‐
442       ing_Standy,        Chassis_Front_Panel_Buttons:Enable_Diagnostic_Inter‐
443       rupt_Button  Chassis_Front_Panel_Buttons:Enable_Reset_Button, and Chas‐
444       sis_Front_Panel_Buttons:Enable_Power_Off_Button_For_Power_Off_Only
445       fields  may  not be able to be checked out on some IPMI systems, there‐
446       fore the checked out value may be blank. Some of these  fields  may  be
447       disableable,  while  some  are  not.  The Chassis_Power_Conf:Power_Con‐
448       trol_Interval field cannot be checked out. Therefore  the  checked  out
449       value will always be blank.
450

PEF SPECIAL CASE CONFIGURATION INFORMATION

452       On some motherboards, multiple channels may exist for LAN IPMI communi‐
453       cation. If multiple channels exist, configuration of both channels  can
454       be viewed and ultimately configured by running --checkout under verbose
455       mode. Each section name will be suffixed appropriately  with  the  word
456       Channel  and  the  channel  number. For example, you might see a Commu‐
457       nity_String_Channel_1 and  Community_String_Channel_3,  where  you  can
458       configure  the  Community String on Channels 1 and 3 respectively.  The
459       following are the options suitable for input  for  Sensor_Type  in  PEF
460       configuration.
461
462       Sensor_Type Options
463              Reserved, Temperature, Voltage, Current, Fan, Physical_Security,
464              Platform_Security_Violation_Attempt,  Processor,   Power_Supply,
465              Power_Unit,  Cooling_Device,  Other_Units_Based_Sensor,  Memory,
466              Drive_Slot,    Post_Memory_Resize,     System_Firmware_Progress,
467              Event_Logging_Disabled, Watchdog1, System_Event, Critical_Inter‐
468              rupt, Button_Switch, Module_Board,  Microcontroller_Coprocessor,
469              Add_In_Card,  Chassis,  Chip_Set, Other_FRU, Cable_Interconnect,
470              Terminator, System_Boot_Initiated, Boot_Error, OS_Boot, OS_Crit‐
471              ical_Stop,  Slot_Connector,  System_ACPI_Power_State, Watchdog2,
472              Platform_Alert, Entity_Presence, Monitor_Asic_IC,  Lan,  Manage‐
473              ment_Subsystem_Health,  Battery,  Session_Audit, Version_Change,
474              FRU_State, and Any
475

SENSORS SPECIAL CASE CONFIGURATION INFORMATION

477       Since  many  configurable  fields  involve  decimal   numbers,   preci‐
478       sion/floating point inaccuracies may occur when configuring new thresh‐
479       olds. The inaccuracies may not be apparent immediately. It is recommend
480       users verify their changes after configuring new thresholds.
481

HOSTRANGED SUPPORT

483       Multiple hosts can be input either as an explicit comma separated lists
484       of hosts or a range of hostnames in  the  general  form:  prefix[n-m,l-
485       k,...],  where  n < m and l < k, etc. The later form should not be con‐
486       fused with regular expression character classes (also denoted  by  []).
487       For example, foo[19] does not represent foo1 or foo9, but rather repre‐
488       sents a degenerate range: foo19.
489
490       This range syntax is meant only as a convenience  on  clusters  with  a
491       prefixNN  naming  convention  and specification of ranges should not be
492       considered necessary -- the list foo1,foo9 could be specified as  such,
493       or by the range foo[1,9].
494
495       Some examples of range usage follow:
496           foo[01-05] instead of foo01,foo02,foo03,foo04,foo05
497           foo[7,9-10] instead of foo7,foo9,foo10
498           foo[0-3] instead of foo0,foo1,foo2,foo3
499
500       As a reminder to the reader, some shells will interpret brackets ([ and
501       ]) for pattern matching. Depending on your shell, it may  be  necessary
502       to enclose ranged lists within quotes.
503
504       When  multiple  hosts  are specified by the user, a thread will be exe‐
505       cuted for each host in parallel up to the configured fanout (which  can
506       be  adjusted via the -F option). This will allow communication to large
507       numbers of nodes far more quickly than if done in serial.
508
509       By default, standard output from each node  specified  will  be  output
510       with the hostname prepended to each line. Although this output is read‐
511       able in many situations, it may be difficult to read  in  other  situa‐
512       tions.  For  example, output from multiple nodes may be mixed together.
513       The -B and -C options can be used to change this default.
514
515       In-band IPMI Communication will be used when the  host  "localhost"  is
516       specified.  This  allows  the  user  to add the localhost into the hos‐
517       tranged output.
518

GENERAL TROUBLESHOOTING

520       Most often, IPMI problems are due to configuration problems.
521
522       IPMI over  LAN  problems  involve  a  misconfiguration  of  the  remote
523       machine's  BMC.  Double check to make sure the following are configured
524       properly in the remote machine's BMC: IP address, MAC  address,  subnet
525       mask,  username,  user enablement, user privilege, password, LAN privi‐
526       lege, LAN enablement, and allowed authentication type(s). For IPMI  2.0
527       connections,  double  check  to make sure the cipher suite privilege(s)
528       and K_g key are configured properly. The  ipmi-config(8)  tool  can  be
529       used to check and/or change these configuration settings.
530
531       Inband  IPMI  problems  are  typically  caused by improperly configured
532       drivers or non-standard BMCs.
533
534       In addition to the troubleshooting tips below, please  see  WORKAROUNDS
535       below to also if there are any vendor specific bugs that have been dis‐
536       covered and worked around.
537
538       Listed below are many of the common issues  for  error  messages.   For
539       additional  support, please e-mail the <freeipmi-users@gnu.org> mailing
540       list.
541
542       "username invalid" - The username entered (or a NULL username  if  none
543       was  entered)  is  not  available on the remote machine. It may also be
544       possible the remote BMC's username configuration is incorrect.
545
546       "password invalid" - The password entered (or a NULL password  if  none
547       was  entered)  is not correct. It may also be possible the password for
548       the user is not correctly configured on the remote BMC.
549
550       "password verification timeout" - Password verification has timed  out.
551       A  "password  invalid"  error  (described  above) or a generic "session
552       timeout" (described below) occurred.  During this point in the protocol
553       it cannot be differentiated which occurred.
554
555       "k_g  invalid"  -  The  K_g  key entered (or a NULL K_g key if none was
556       entered) is not correct. It may also be possible the  K_g  key  is  not
557       correctly configured on the remote BMC.
558
559       "privilege level insufficient" - An IPMI command requires a higher user
560       privilege than the one authenticated with. Please try  to  authenticate
561       with a higher privilege. This may require authenticating to a different
562       user which has a higher maximum privilege.
563
564       "privilege level cannot be obtained for  this  user"  -  The  privilege
565       level  you are attempting to authenticate with is higher than the maxi‐
566       mum allowed for this user. Please try again with a lower privilege.  It
567       may  also be possible the maximum privilege level allowed for a user is
568       not configured properly on the remote BMC.
569
570       "authentication type unavailable for attempted privilege level"  -  The
571       authentication  type you wish to authenticate with is not available for
572       this privilege level. Please try again with an alternate authentication
573       type  or  alternate privilege level. It may also be possible the avail‐
574       able authentication types you can authenticate with are  not  correctly
575       configured on the remote BMC.
576
577       "cipher suite id unavailable" - The cipher suite id you wish to authen‐
578       ticate with is not available on the remote BMC. Please try  again  with
579       an  alternate  cipher  suite  id. It may also be possible the available
580       cipher suite ids are not correctly configured on the remote BMC.
581
582       "ipmi 2.0 unavailable" - IPMI 2.0 was  not  discovered  on  the  remote
583       machine. Please try to use IPMI 1.5 instead.
584
585       "connection  timeout"  - Initial IPMI communication failed. A number of
586       potential errors are possible, including an invalid hostname specified,
587       an  IPMI  IP  address  cannot  be  resolved, IPMI is not enabled on the
588       remote server, the network connection is bad, etc. Please  verify  con‐
589       figuration and connectivity.
590
591       "session  timeout"  - The IPMI session has timed out. Please reconnect.
592       If this error occurs often, you may wish to increase the retransmission
593       timeout. Some remote BMCs are considerably slower than others.
594
595       "device  not  found"  - The specified device could not be found. Please
596       check configuration or inputs and try again.
597
598       "driver timeout" - Communication with the driver or  device  has  timed
599       out. Please try again.
600
601       "message  timeout"  - Communication with the driver or device has timed
602       out. Please try again.
603
604       "BMC busy" - The BMC is currently busy. It may be  processing  informa‐
605       tion  or have too many simultaneous sessions to manage. Please wait and
606       try again.
607
608       "could not find inband device" - An inband device could not  be  found.
609       Please  check configuration or specify specific device or driver on the
610       command line.
611
612       "driver timeout" - The inband driver has timed out communicating to the
613       local  BMC  or  service  processor. The BMC or service processor may be
614       busy or (worst case) possibly non-functioning.
615

WORKAROUNDS

617       With so many different vendors implementing their own  IPMI  solutions,
618       different  vendors  may implement their IPMI protocols incorrectly. The
619       following describes a number of workarounds currently available to han‐
620       dle  discovered compliance issues. When possible, workarounds have been
621       implemented so they will be transparent to the user. However, some will
622       require the user to specify a workaround be used via the -W option.
623
624       The hardware listed below may only indicate the hardware that a problem
625       was discovered on. Newer versions of  hardware  may  fix  the  problems
626       indicated  below.  Similar machines from vendors may or may not exhibit
627       the same problems. Different vendors may license  their  firmware  from
628       the  same IPMI firmware developer, so it may be worthwhile to try work‐
629       arounds listed below even if your motherboard is not listed.
630
631       If you believe your hardware has an additional  compliance  issue  that
632       needs a workaround to be implemented, please contact the FreeIPMI main‐
633       tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
634
635       assumeio - This workaround flag will assume inband interfaces  communi‐
636       cate  with  system  I/O rather than being memory-mapped. This will work
637       around systems that report invalid base addresses. Those  hitting  this
638       issue  may see "device not supported" or "could not find inband device"
639       errors.  Issue observed on HP ProLiant DL145 G1.
640
641       spinpoll - This workaround flag will inform some inband  drivers  (most
642       notably  the  KCS driver) to spin while polling rather than putting the
643       process to sleep. This may significantly improve the wall clock running
644       time  of  tools because an operating system scheduler's granularity may
645       be much larger than the time it takes to perform a single IPMI  message
646       transaction.  However,  by spinning, your system may be performing less
647       useful work by not contexting out the tool for a more useful task.
648
649       authcap - This workaround flag will  skip  early  checks  for  username
650       capabilities,  authentication  capabilities,  and K_g support and allow
651       IPMI authentication to succeed. It  works  around  multiple  issues  in
652       which the remote system does not properly report username capabilities,
653       authentication capabilities, or K_g status. Those  hitting  this  issue
654       may  see  "username  invalid",  "authentication  type  unavailable  for
655       attempted privilege level", or "k_g invalid" errors.  Issue observed on
656       Asus  P5M2/P5MT-R/RS162-E4/RX4,  Intel  SR1520ML/X38ML,  and  Sun  Fire
657       2200/4150/4450 with ELOM.
658
659       nochecksumcheck - This workaround flag will tell FreeIPMI to not  check
660       the  checksums  returned  from  IPMI command responses. It works around
661       systems that return invalid checksums due to implementation errors, but
662       the  packet  is otherwise valid. Users are cautioned on the use of this
663       option, as it removes validation of packet integrity  in  a  number  of
664       circumstances.  However,  it  is unlikely to be an issue in most situa‐
665       tions. Those hitting this issue may see "connection timeout",  "session
666       timeout",  or  "password verification timeout" errors. On IPMI 1.5 con‐
667       nections, the "noauthcodecheck" workaround may also needed  too.  Issue
668       observed  on  Supermicro  X9SCM-iiF, Supermicro X9DRi-F, and Supermicro
669       X9DRFR.
670
671       idzero - This workaround flag  will  allow  empty  session  IDs  to  be
672       accepted by the client. It works around IPMI sessions that report empty
673       session IDs to the client. Those hitting this issue  may  see  "session
674       timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
675
676       unexpectedauth  -  This  workaround flag will allow unexpected non-null
677       authcodes to be checked as though they were expected. It  works  around
678       an  issue  when  packets contain non-null authentication data when they
679       should be null due to disabled per-message authentication.  Those  hit‐
680       ting  this  issue  may  see "session timeout" errors. Issue observed on
681       Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
682
683       forcepermsg - This workaround flag will force  per-message  authentica‐
684       tion  to  be used no matter what is advertised by the remote system. It
685       works around an issue when per-message authentication is advertised  as
686       disabled on the remote system, but it is actually required for the pro‐
687       tocol. Those hitting this  issue  may  see  "session  timeout"  errors.
688       Issue observed on IBM eServer 325.
689
690       endianseq  -  This  workaround flag will flip the endian of the session
691       sequence numbers to allow the session to continue  properly.  It  works
692       around  IPMI  1.5  session  sequence numbers that are the wrong endian.
693       Those hitting this  issue  may  see  "session  timeout"  errors.  Issue
694       observed  on  some  Sun  ILOM  1.0/2.0  (depends  on  service processor
695       endian).
696
697       noauthcodecheck - This workaround flag will tell FreeIPMI to not  check
698       the  authentication  codes returned from IPMI 1.5 command responses. It
699       works around systems that return invalid authentication  codes  due  to
700       hashing  or  implementation  errors.  Users are cautioned on the use of
701       this option, as it removes an authentication check verifying the valid‐
702       ity of a packet. However, in most organizations, this is unlikely to be
703       a security issue. Those hitting this issue may  see  "connection  time‐
704       out",  "session  timeout",  or  "password verification timeout" errors.
705       Issue observed on Xyratex FB-H8-SRAY, Intel  Windmill,  Quanta  Winter‐
706       fell, and Wiwynn Windmill.
707
708       intel20  - This workaround flag will work around several Intel IPMI 2.0
709       authentication issues. The issues covered include padding of usernames,
710       and  password  truncation  if  the  authentication  algorithm  is HMAC-
711       MD5-128. Those hitting this issue may see "username invalid", "password
712       invalid",  or  "k_g  invalid" errors. Issue observed on Intel SE7520AF2
713       with Intel Server Management Module (Professional Edition).
714
715       supermicro20 - This workaround flag will work around several Supermicro
716       IPMI  2.0  authentication  issues  on  motherboards  w/  Peppercon IPMI
717       firmware. The issues covered include handling invalid length  authenti‐
718       cation  codes.  Those  hitting  this  issue  may see "password invalid"
719       errors.  Issue observed on Supermicro H8QME with SIMSO  daughter  card.
720       Confirmed fixed on newerver firmware.
721
722       sun20 - This workaround flag will work work around several Sun IPMI 2.0
723       authentication issues. The issues covered include invalid lengthed hash
724       keys,  improperly  hashed keys, and invalid cipher suite records. Those
725       hitting this issue may see "password invalid" or  "bmc  error"  errors.
726       Issue  observed  on Sun Fire 4100/4200/4500 with ILOM.  This workaround
727       automatically includes the "opensesspriv" workaround.
728
729       opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
730       2.0 connection protocol to workaround an invalid hashing algorithm used
731       by the remote system. The privilege level sent during the Open  Session
732       stage of an IPMI 2.0 connection is used for hashing keys instead of the
733       privilege level sent during the RAKP1 connection stage.  Those  hitting
734       this  issue may see "password invalid", "k_g invalid", or "bad rmcpplus
735       status code" errors.  Issue observed on Sun  Fire  4100/4200/4500  with
736       ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
737       Intel S5500WBV/Penguin Relion 700,  Intel  S2600JF/Appro  512X,  Quanta
738       QSSC-S4R/Appro  GB812X-CN, and Dell C5220. This workaround is automati‐
739       cally triggered with the "sun20" workaround.
740
741       integritycheckvalue - This workaround flag will work around an  invalid
742       integrity  check  value  during  an IPMI 2.0 session establishment when
743       using Cipher Suite ID 0. The integrity check value should be 0  length,
744       however  the  remote motherboard responds with a non-empty field. Those
745       hitting this issue may see "k_g  invalid"  errors.  Issue  observed  on
746       Supermicro  X8DTG,  Supermicro X8DTU, and Intel S5500WBV/Penguin Relion
747       700, and Intel S2600JF/Appro 512X.
748
749       No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
750       found  to  not support IPMI 1.5. Those hitting this issue may see "ipmi
751       2.0 unavailable" or "connection timeout"  errors.  This  issue  can  be
752       worked  around  by  using  IPMI  2.0  instead of IPMI 1.5 by specifying
753       --driver-type=LAN_2_0. Issue observed on a number of HP and  Supermicro
754       motherboards.
755
756       slowcommit  -  This  workaround  will  slow  down commits to the BMC by
757       sleeping one second between the commit of  sections.  It  works  around
758       motherboards  that have BMCs that can be overwhelmed by commits.  Those
759       hitting this issue may see commit errors or commits not  being  written
760       to the BMC. Issue observed on Supermicro H8QME.
761
762       veryslowcommit  -  This workaround will slow down commits to the BMC by
763       sleeping one second between the commit of every key.  It  works  around
764       motherboards  that have BMCs that can be overwhelmed by commits.  Those
765       hitting this issue may see commit errors or commits not  being  written
766       to the BMC. Issue observed on Quanta S99Q/Dell FS12-TY.
767
768       solchannelassumelanchannel  - This workaround will force ipmi-config to
769       assume that the channel used SOL is identical to the channel  used  for
770       LAN.  On  some  motherboards,  the SOL channel is reported incorrectly,
771       leading to incorrect configuration. Most notably, this problem has come
772       up  when  attempting to configure multiple channels.  Issue observed on
773       Intel S5500WBV/Penguin Relion 700.
774

EXAMPLES

776       # ipmi-config --checkout
777
778       Output all core configuration information to the console.  #  ipmi-con‐
779       fig --checkout --category=pef
780
781       Output all pef configuration information to the console.  # ipmi-config
782       --checkout --category=pef,chassis
783
784       Output all pef and chassis configuration information to the console.
785
786       # ipmi-config --checkout --filename=bmc-data1.conf
787
788       Store all core configuration information in bmc-data1.conf.
789
790       # ipmi-config --diff --filename=bmc-data2.conf
791
792       Show all difference between the  current  configuration  and  the  bmc-
793       data2.conf file.
794
795       #  ipmi-config  --diff  --key-pair="lan_conf_misc:gratuitous_arp_inter‐
796       val=8"
797
798       Show   difference   with   the   current    configuration    and    the
799       'lan_conf_misc:gratuitous_arp_interval' of value '8'.
800
801       # ipmi-config --commit --filename=bmc-data1.conf
802
803       Commit all configuration values from the bmc-data1.conf file.
804
805       #  ipmi-config --commit --key-pair="lan_conf_misc:gratuitous_arp_inter‐
806       val=4"
807
808       Commit key 'lan_conf_misc:gratuitous_arp_interval' of value '4'.
809
810       #    ipmi-config    --commit    --filename=bmc-data-updt.conf    --key-
811       pair="lan_conf_misc:gratuitous_arp_interval=4"
812
813       Commit   all  configuration  values  from  bmc-data-updt.conf  and  key
814       'lan_conf_misc:gratuitous_arp_interval' of value '4'.
815

DIAGNOSTICS

817       Upon successful execution, exit status is 0. On non-fatal  error,  exit
818       status is 1. On fatal error, exit status is 2.
819
820       If multiple hosts are specified for communication, the exit status is 0
821       if and only if all targets successfully execute. If any non-fatal error
822       occurs, exit status is 1. If any fatal error occurs, exit status is 2.
823

KNOWN ISSUES

825       On  older  operating systems, if you input your username, password, and
826       other potentially security relevant information on  the  command  line,
827       this information may be discovered by other users when using tools like
828       the ps(1) command or looking in the /proc file system. It is  generally
829       more  secure  to input password information with options like the -P or
830       -K options. Configuring security relevant information in  the  FreeIPMI
831       configuration file would also be an appropriate way to hide this infor‐
832       mation.
833
834       In order to prevent brute force attacks,  some  BMCs  will  temporarily
835       "lock  up" after a number of remote authentication errors. You may need
836       to wait awhile in order to this temporary "lock up" to pass before  you
837       may authenticate again.
838

REPORTING BUGS

840       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
841
843       Copyright © 2003-2015 FreeIPMI Core Team.
844
845       This program is free software; you can redistribute it and/or modify it
846       under the terms of the GNU General Public License as published  by  the
847       Free  Software Foundation; either version 3 of the License, or (at your
848       option) any later version.
849

SEE ALSO

851       ipmi-config.conf(5), freeipmi(7), bmc-device(8)
852
853       http://www.gnu.org/software/freeipmi/
854
855
856
857ipmi-config 1.6.7                 2021-02-12                    IPMI-CONFIG(8)
Impressum