1ipmiseld(8)                        ipmiseld                        ipmiseld(8)
2
3
4

NAME

6       ipmiseld - IPMI SEL logging daemon
7

SYNOPSIS

9       ipmiseld [OPTION...]
10

DESCRIPTION

12       The ipmiseld daemon polls the system event log (SEL) of specified hosts
13       and stores the logs into the local syslog. By default, the  daemon  can
14       also  make  best  efforts  to  manage the remote SEL's buffer to ensure
15       events are never lost. Recent logging data will be cached  to  disk  to
16       ensure that SEL events are not missed in the event the client or server
17       is rebooted.
18
19       Many of the options for this daemon are very similar to the ipmi-sel(8)
20       tool.  It  can be configured to log the local host, a remote host, or a
21       range of hosts to the local syslog. It can be configured via  the  com‐
22       mand   line  arguments  listed  below  or  via  the  /etc/freeipmi//ip‐
23       miseld.conf configuration file.
24
25       Listed below are general IPMI options, tool specific  options,  trouble
26       shooting  information,  workaround information, examples, and known is‐
27       sues. For a general introduction to FreeIPMI please see freeipmi(7).
28

GENERAL OPTIONS

30       The following options are general options for configuring IPMI communi‐
31       cation and executing general tool commands.
32
33       -D IPMIDRIVER, --driver-type=IPMIDRIVER
34              Specify  the  driver type to use instead of doing an auto selec‐
35              tion.  The currently available outofband  drivers  are  LAN  and
36              LAN_2_0,  which  perform IPMI 1.5 and IPMI 2.0 respectively. The
37              currently available inband  drivers  are  KCS,  SSIF,  OPENIPMI,
38              SUNBMC, and INTELDCMI.
39
40       --disable-auto-probe
41              Do not probe in-band IPMI devices for default settings.
42
43       --driver-address=DRIVER-ADDRESS
44              Specify  the  in-band  driver  address to be used instead of the
45              probed value. DRIVER-ADDRESS should be prefixed with "0x" for  a
46              hex value and '0' for an octal value.
47
48       --driver-device=DEVICE
49              Specify the in-band driver device path to be used instead of the
50              probed path.
51
52       --register-spacing=REGISTER-SPACING
53              Specify the in-band  driver  register  spacing  instead  of  the
54              probed  value. Argument is in bytes (i.e. 32bit register spacing
55              = 4)
56
57       --target-channel-number=CHANNEL-NUMBER
58              Specify the in-band driver target channel number  to  send  IPMI
59              requests to.
60
61       --target-slave-address=SLAVE-ADDRESS
62              Specify  the in-band driver target slave number to send IPMI re‐
63              quests to.
64
65       -h      IPMIHOST1,IPMIHOST2,...,      --hostname=IPMIHOST1[:PORT],IPMI‐
66       HOST2[:PORT],...
67              Specify  the  remote host(s) to communicate with. Multiple host‐
68              names may be separated by comma or may be specified in  a  range
69              format;  see  HOSTRANGED  SUPPORT below. An optional port can be
70              specified with each host, which may be useful in port forwarding
71              or  similar situations.  If specifying an IPv6 address and port,
72              use the format [ADDRESS]:PORT.
73
74       -u USERNAME, --username=USERNAME
75              Specify the username to use when authenticating with the  remote
76              host.  If not specified, a null (i.e. anonymous) username is as‐
77              sumed. The user must have atleast USER privileges in  order  for
78              this tool to operate fully.
79
80       -p PASSWORD, --password=PASSWORD
81              Specify the password to use when authenticationg with the remote
82              host.  If not specified, a null  password  is  assumed.  Maximum
83              password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
84
85       -P, --password-prompt
86              Prompt  for  password  to  avoid  possibility  of  listing it in
87              process lists.
88
89       -k K_G, --k-g=K_G
90              Specify the K_g BMC key to use when authenticating with the  re‐
91              mote host for IPMI 2.0. If not specified, a null key is assumed.
92              To input the key in hexadecimal form,  prefix  the  string  with
93              '0x'.  E.g.,  the  key  'abc' can be entered with the either the
94              string 'abc' or the string '0x616263'
95
96       -K, --k-g-prompt
97              Prompt for k-g to avoid possibility of  listing  it  in  process
98              lists.
99
100       --session-timeout=MILLISECONDS
101              Specify  the  session timeout in milliseconds. Defaults to 20000
102              milliseconds (20 seconds) if not specified.
103
104       --retransmission-timeout=MILLISECONDS
105              Specify the packet retransmission timeout in  milliseconds.  De‐
106              faults to 1000 milliseconds (1 second) if not specified. The re‐
107              transmission timeout cannot be larger than the session timeout.
108
109       -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
110              Specify the IPMI 1.5 authentication type to use.  The  currently
111              available  authentication types are NONE, STRAIGHT_PASSWORD_KEY,
112              MD2, and MD5. Defaults to MD5 if not specified.
113
114       -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
115              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
116              identifies a set of authentication, integrity, and confidential‐
117              ity algorithms to use for IPMI 2.0 communication. The  authenti‐
118              cation  algorithm  identifies  the  algorithm to use for session
119              setup, the integrity algorithm identifies the algorithm  to  use
120              for session packet signatures, and the confidentiality algorithm
121              identifies the algorithm to use for payload encryption. Defaults
122              to  cipher  suite  ID  3  if not specified. The following cipher
123              suite ids are currently supported:
124
125              0 - Authentication Algorithm = None; Integrity Algorithm = None;
126              Confidentiality Algorithm = None
127
128              1  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
129              None; Confidentiality Algorithm = None
130
131              2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
132              HMAC-SHA1-96; Confidentiality Algorithm = None
133
134              3  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
135              HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
136
137              6 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
138              None; Confidentiality Algorithm = None
139
140              7  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
141              HMAC-MD5-128; Confidentiality Algorithm = None
142
143              8 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
144              HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
145
146              11  - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
147              MD5-128; Confidentiality Algorithm = None
148
149              12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm  =
150              MD5-128; Confidentiality Algorithm = AES-CBC-128
151
152              15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
153              = None; Confidentiality Algorithm = None
154
155              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
156              = HMAC_SHA256_128; Confidentiality Algorithm = None
157
158              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
159              = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
160
161       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
162              Specify the privilege level to be used. The currently  available
163              privilege  levels are USER, OPERATOR, and ADMIN. Defaults to OP‐
164              ERATOR if not specified.
165
166       --config-file=FILE
167              Specify an alternate configuration file.
168
169       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
170              Specify workarounds to vendor compliance issues. Multiple  work‐
171              arounds  can be specified separated by commas. A special command
172              line flag of "none", will indicate no workarounds (may be useful
173              for overriding configured defaults). See WORKAROUNDS below for a
174              list of available workarounds.
175
176       --debug
177              Turn on debugging.
178
179       -?, --help
180              Output a help list and exit.
181
182       --usage
183              Output a usage message and exit.
184
185       -V, --version
186              Output the program version and exit.
187

IPMISELD OPTIONS

189       The following options are specific to ipmiseld.
190
191       -v     Log verbose information. This option will log additional  infor‐
192              mation.   Most  notably  it  will output additional hex codes to
193              given information on ambiguous SEL entries or SEL  records.  For
194              example, it will output Generator ID hex codes for sensors with‐
195              out names. Additional non-critical SEL  errors  or  issues  will
196              also  be logged. Somewhat common errors, such as timeouts or in‐
197              valid hostnames, will output with increased verbosity.
198
199       -t SENSOR-TYPE-LIST, --sensor-types=SENSOR-TYPE-LIST
200              Specify sensor types of SEL events to log. By default, all  sen‐
201              sor types are logged. A special command line type of "all", will
202              indicate all types should be shown (may be useful for overriding
203              configured  defaults). Multiple types can be separated by commas
204              or spaces.  Users  may  specify  sensor  types  by  string  (see
205              --list-sensor-types  in  ipmi-sel(8))  or  by number (decimal or
206              hex).
207
208       -T SENSOR-TYPE-LIST, --exclude-sensor-types=SENSOR-TYPE-LIST
209              Specify sensor types of SEL events to not log.  By  default,  no
210              sensor  types  are  filtered.  A  special  command  line type of
211              "none", will indicate no types should be excluded (may be useful
212              for overriding configured defaults). Multiple types can be sepa‐
213              rated by commas or spaces. Users may  specify  sensor  types  by
214              string  (see  --list-sensor-types  in  ipmi-sel(8)) or by number
215              (decimal or hex).
216
217       --system-event-only
218              Log only system event records (i.e. don't log OEM records).
219
220       --oem-event-only
221              Log  only  OEM  event  records  (i.e.  don't  log  system  event
222              records).
223
224       --event-state-config-file=FILE
225              Specify an alternate event state configuration file.
226
227       --interpret-oem-data
228              Attempt  to interpret OEM data, such as event data, sensor read‐
229              ings, or general extra info, etc. If an  OEM  interpretation  is
230              not available, the default output will be generated. Correctness
231              of OEM interpretations cannot be  guaranteed  due  to  potential
232              changes OEM vendors may make in products, firmware, etc. See OEM
233              INTERPRETATION below for confirmed supported motherboard  inter‐
234              pretations.
235
236       --entity-sensor-names
237              Output  sensor  names prefixed with their entity id and instance
238              number when appropriate. This may be necessary on  some  mother‐
239              boards  to help identify what sensors are referencing. For exam‐
240              ple, a motherboard may have multiple sensors named  'TEMP'.  The
241              entity  id  and  instance  number  may help clarify which sensor
242              refers to "Processor 1" vs. "Processor 2".
243
244       --non-abbreviated-units
245              Output non-abbreviated units (e.g. 'Amps' instead of  'A').  May
246              aid  in  disambiguation  of  units  (e.g.  'C'  for  Celsius  or
247              Coulombs).
248
249       --event-state-filter=FILTERSTRING
250              Specify event states to be filtered out and not logged. Possible
251              inputs  are  NOMINAL, WARNING, CRITICAL, and NA. Multiple states
252              can be listed separated by comma. The  special  case  string  of
253              "none"  will indicate no event states should be excluded (may be
254              useful for overriding configured defaults).
255
256       --warning-threshold=PERCENTINT
257              Specify SEL fullness warning threshold as an integer percentage.
258              When  the  SEL  is  past this percentage full, a warning will be
259              output indicating that SEL is nearly full. Specify 0 to  disable
260              warning logs. Defaults to 80.
261
262       --clear-threshold=PERCENTINT
263              Specify  SEL  fullness clear threshold as an integer percentage.
264              When the SEL is past this percentage full, ipmiseld will attempt
265              to clear the SEL. Specify 0 to disable clearing. When the SEL is
266              full, it will be the responsibility of the user to clear the SEL
267              manually if clearing is disabled. Defaults to 0. If specified to
268              a non-zero value, be careful that the clearing of the SEL  could
269              affect other applications that monitor the SEL, such as monitor‐
270              ing applications that use ipmi-sel(8) or libipmimonitoring(3).
271
272       --system-event-format=FORMATSTRING
273              Specify the format of the log output when a SEL system event  is
274              encountered.  Defaults to "SEL System Event: %d, %t, %s, %I, %E"
275              if logging locally, "SEL System Event(%h): %d, %t, %s,  %I,  %E"
276              if  logging  outofband  or  with  hostranges. See SEL LOG FORMAT
277              STRING below for formatting details.
278
279       --oem-timestamped-event-format=FORMATSTRING
280              Specify the format of the log output when a SEL OEM  timestamped
281              event  is  encountered.  Defaults to "SEL OEM Event: %d, %t, %I,
282              %o" if logging locally, "SEL OEM Event(%h): %d, %t, %I,  %o"  if
283              logging outofband or with hostranges.. See SEL LOG FORMAT STRING
284              below for formatting details.
285
286       --oem-non-timestamped-event-format=FORMATSTRING
287              Specify the format of the log output when a SEL  OEM  non-times‐
288              tamped event is encountered. Defaults to "SEL OEM Event: %I, %o"
289              if logging locally, "SEL OEM Event(%h): %I, %o" if logging  out‐
290              ofband  or with hostranges.. See SEL LOG FORMAT STRING below for
291              formatting details.
292
293       --poll-interval=SECONDS
294              Specify the poll interval to check the SEL for new  events.  De‐
295              faults to 300 seconds (i.e. 5 minutes).
296
297       --log-facility=STRING
298              Specify  the  log facility to use. Defaults to LOG_DAEMON. Legal
299              inputs are LOG_DAEMON, LOG_USER, LOG_LOCAL0, LOG_LOCAL1, LOG_LO‐
300              CAL2,  LOG_LOCAL3,  LOG_LOCAL4,  LOG_LOCAL5, LOG_LOCAL6, LOG_LO‐
301              CAL7.
302
303       --log-priority=STRING
304              Specify the log priority to use. Defaults to LOG_ERR. Legal  in‐
305              puts  are  LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING,
306              LOG_NOTICE, LOG_INFO, LOG_DEBUG.
307
308       --cache-directory=DIRECTORY
309              Specify an alternate cache directory location  for  ipmiseld  to
310              use. The cache directory will be used to cache a wide variety of
311              data, including the SDR and recent logging information to ensure
312              log entries are not missed on reboots and other system failures.
313
314       --ignore-sdr
315              Ignore  SDR  related  processing. May lead to incomplete or less
316              useful information being output, however it will allow function‐
317              ality for systems without SDRs or when the correct SDR cannot be
318              loaded.
319
320       --re-download-sdr
321              Re-download the SDR on start even if it is not out of date. This
322              may  help work around systems that do not properly timestamp SDR
323              modification times.
324
325       --clear-sel
326              On startup, clear any SEL being monitored.  May  be  useful  the
327              first  time  running  ipmiseld  to avoid warning messages or SEL
328              clears until a long time in the future.
329
330       --threadpool-count=NUM
331              Specify the number of threads for parallel SEL polling. This op‐
332              tion  is  very similar to the --fanout option in ipmi-sel(8) but
333              the threads are created only once on initialization  for  faster
334              processing. Defaults to 8, however the threadpool count will al‐
335              ways be decreased if the number of nodes specified is less  than
336              the number of threads.
337
338       --test-run
339              Do  not daemonize, output the current SEL of configured hosts as
340              a test of current settings and configuration. SEL  entries  will
341              be output to stdout instead of syslog.
342
343       --foreground
344              Run daemon in the foreground. SEL entries will be output to std‐
345              out instead of syslog.
346

SEL LOG FORMAT STRING

348       The output format of log  messages  can  be  adjusted  via  the  --sys‐
349       tem-event-format,  --oem-timestamped-event-format  and --oem-non-times‐
350       tamped-event-format  options.  Options  such  as  --interpret-oem-data,
351       --entity-sensor-names,  and  --non-abbreviated-units can further adjust
352       the output format. The following conversion directives will  allow  the
353       user to output specifics of each SEL event that occurs.
354
355       For System, OEM timestamped, and OEM non-timestamped events
356
357       %h - target host, useful if logging from multiple hosts
358
359       %i - record ID in decimal
360
361       %I - event state interpretation (NOMINAL, WARNING, or CRITICAL)
362
363       For System and OEM timestamped events
364
365       %t - time in format H:M:S using 24 hour clock
366
367       %d - date in format D-M-YEAR
368
369       For System events
370
371       %T - sensor type
372
373       %s - sensor name
374
375       %e - event data 1 string
376
377       %f - event data 2 string [2]
378
379       %h - event data 3 string
380
381       %c - combined event data 2 and event data 3 string
382
383       %p - event data 2 previous state string
384
385       %S - event data 2 severity string
386
387       %E - combined event data 1, 2, and 3 string
388
389       %k - event direction
390
391       For OEM timestamped events
392
393       %m - manufacturer id
394
395       For OEM timestamped and OEM non-timestamped events
396
397       %o - oem data in hex
398
399       %O - OEM supplied string describing the event (depends on manufacturer)
400

HOSTRANGED SUPPORT

402       Multiple hosts can be input either as an explicit comma separated lists
403       of hosts or a range of hostnames in  the  general  form:  prefix[n-m,l-
404       k,...],  where  n < m and l < k, etc. The later form should not be con‐
405       fused with regular expression character classes (also denoted  by  []).
406       For example, foo[19] does not represent foo1 or foo9, but rather repre‐
407       sents a degenerate range: foo19.
408
409       This range syntax is meant only as a convenience  on  clusters  with  a
410       prefixNN  naming  convention  and specification of ranges should not be
411       considered necessary -- the list foo1,foo9 could be specified as  such,
412       or by the range foo[1,9].
413
414       Some examples of range usage follow:
415           foo[01-05] instead of foo01,foo02,foo03,foo04,foo05
416           foo[7,9-10] instead of foo7,foo9,foo10
417           foo[0-3] instead of foo0,foo1,foo2,foo3
418
419       As a reminder to the reader, some shells will interpret brackets ([ and
420       ]) for pattern matching. Depending on your shell, it may  be  necessary
421       to enclose ranged lists within quotes.
422
423       In-band  IPMI  Communication  will be used when the host "localhost" is
424       specified. This allows the user to add  the  localhost  into  the  hos‐
425       tranged output.
426

GENERAL TROUBLESHOOTING

428       Most often, IPMI problems are due to configuration problems.
429
430       IPMI  over  LAN  problems  involve a misconfiguration of the remote ma‐
431       chine's BMC.  Double check to make sure the  following  are  configured
432       properly  in  the remote machine's BMC: IP address, MAC address, subnet
433       mask, username, user enablement, user privilege, password,  LAN  privi‐
434       lege,  LAN enablement, and allowed authentication type(s). For IPMI 2.0
435       connections, double check to make sure the  cipher  suite  privilege(s)
436       and  K_g  key  are  configured properly. The ipmi-config(8) tool can be
437       used to check and/or change these configuration settings.
438
439       Inband IPMI problems are  typically  caused  by  improperly  configured
440       drivers or non-standard BMCs.
441
442       In  addition  to the troubleshooting tips below, please see WORKAROUNDS
443       below to also if there are any vendor specific bugs that have been dis‐
444       covered and worked around.
445
446       Listed below are many of the common issues for error messages.  For ad‐
447       ditional support, please e-mail  the  <freeipmi-users@gnu.org>  mailing
448       list.
449
450       "username  invalid"  - The username entered (or a NULL username if none
451       was entered) is not available on the remote machine.  It  may  also  be
452       possible the remote BMC's username configuration is incorrect.
453
454       "password  invalid"  - The password entered (or a NULL password if none
455       was entered) is not correct. It may also be possible the  password  for
456       the user is not correctly configured on the remote BMC.
457
458       "password  verification timeout" - Password verification has timed out.
459       A "password invalid" error (described  above)  or  a  generic  "session
460       timeout" (described below) occurred.  During this point in the protocol
461       it cannot be differentiated which occurred.
462
463       "k_g invalid" - The K_g key entered (or a NULL K_g key if none was  en‐
464       tered)  is not correct. It may also be possible the K_g key is not cor‐
465       rectly configured on the remote BMC.
466
467       "privilege level insufficient" - An IPMI command requires a higher user
468       privilege  than  the one authenticated with. Please try to authenticate
469       with a higher privilege. This may require authenticating to a different
470       user which has a higher maximum privilege.
471
472       "privilege  level  cannot  be  obtained  for this user" - The privilege
473       level you are attempting to authenticate with is higher than the  maxi‐
474       mum  allowed for this user. Please try again with a lower privilege. It
475       may also be possible the maximum privilege level allowed for a user  is
476       not configured properly on the remote BMC.
477
478       "authentication  type  unavailable for attempted privilege level" - The
479       authentication type you wish to authenticate with is not available  for
480       this privilege level. Please try again with an alternate authentication
481       type or alternate privilege level. It may also be possible  the  avail‐
482       able  authentication  types you can authenticate with are not correctly
483       configured on the remote BMC.
484
485       "cipher suite id unavailable" - The cipher suite id you wish to authen‐
486       ticate  with  is not available on the remote BMC. Please try again with
487       an alternate cipher suite id. It may also be possible the available ci‐
488       pher suite ids are not correctly configured on the remote BMC.
489
490       "ipmi  2.0 unavailable" - IPMI 2.0 was not discovered on the remote ma‐
491       chine. Please try to use IPMI 1.5 instead.
492
493       "connection timeout" - Initial IPMI communication failed. A  number  of
494       potential errors are possible, including an invalid hostname specified,
495       an IPMI IP address cannot be resolved, IPMI is not enabled on  the  re‐
496       mote server, the network connection is bad, etc. Please verify configu‐
497       ration and connectivity.
498
499       "session timeout" - The IPMI session has timed out.  Please  reconnect.
500       If this error occurs often, you may wish to increase the retransmission
501       timeout. Some remote BMCs are considerably slower than others.
502
503       "device not found" - The specified device could not  be  found.  Please
504       check configuration or inputs and try again.
505
506       "driver  timeout"  -  Communication with the driver or device has timed
507       out. Please try again.
508
509       "message timeout" - Communication with the driver or device  has  timed
510       out. Please try again.
511
512       "BMC  busy"  - The BMC is currently busy. It may be processing informa‐
513       tion or have too many simultaneous sessions to manage. Please wait  and
514       try again.
515
516       "could  not  find inband device" - An inband device could not be found.
517       Please check configuration or specify specific device or driver on  the
518       command line.
519
520       "driver timeout" - The inband driver has timed out communicating to the
521       local BMC or service processor. The BMC or  service  processor  may  be
522       busy or (worst case) possibly non-functioning.
523
524       "internal  IPMI  error" - An IPMI error has occurred that FreeIPMI does
525       not know how to handle. Please e-mail <freeipmi-users@gnu.org>  to  re‐
526       port the issue.
527

IPMISELD TROUBLESHOOTING

529       Some  timestamps  in the SEL may report a date of 1-Jan-1970, the epoch
530       for SEL timestamps. This timestamp is  not  necessarily  incorrect.  It
531       usually  indicates a hardware event that occurred before a timestamp in
532       firmware has been initialized. For example, certain hardware components
533       will have their internal clocks reset during a power cycle.
534
535       However,  if  the internal clock of the SEL appears to be regularly in‐
536       correct, you may need to set the SEL time. This can be done using  bmc-
537       device(8).
538
539       The following are common SEL related messages.
540
541       "sel  config  file  parse  error"  - A parse error was found in the sel
542       event interpretation configuration  file.  Please  see  freeipmi_inter‐
543       pret_sel.conf(5).
544

WORKAROUNDS

546       With  so  many different vendors implementing their own IPMI solutions,
547       different vendors may implement their IPMI protocols  incorrectly.  The
548       following describes a number of workarounds currently available to han‐
549       dle discovered compliance issues. When possible, workarounds have  been
550       implemented so they will be transparent to the user. However, some will
551       require the user to specify a workaround be used via the -W option.
552
553       The hardware listed below may only indicate the hardware that a problem
554       was  discovered on. Newer versions of hardware may fix the problems in‐
555       dicated below. Similar machines from vendors may or may not exhibit the
556       same  problems.  Different  vendors may license their firmware from the
557       same IPMI firmware developer, so it may  be  worthwhile  to  try  work‐
558       arounds listed below even if your motherboard is not listed.
559
560       If  you  believe  your hardware has an additional compliance issue that
561       needs a workaround to be implemented, please contact the FreeIPMI main‐
562       tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
563
564       assumeio  - This workaround flag will assume inband interfaces communi‐
565       cate with system I/O rather than being memory-mapped.  This  will  work
566       around  systems  that report invalid base addresses. Those hitting this
567       issue may see "device not supported" or "could not find inband  device"
568       errors.  Issue observed on HP ProLiant DL145 G1.
569
570       spinpoll  -  This workaround flag will inform some inband drivers (most
571       notably the KCS driver) to spin while polling rather than  putting  the
572       process to sleep. This may significantly improve the wall clock running
573       time of tools because an operating system scheduler's  granularity  may
574       be  much larger than the time it takes to perform a single IPMI message
575       transaction. However, by spinning, your system may be  performing  less
576       useful work by not contexting out the tool for a more useful task.
577
578       authcap  - This workaround flag will skip early checks for username ca‐
579       pabilities, authentication capabilities, and K_g support and allow IPMI
580       authentication to succeed. It works around multiple issues in which the
581       remote system does not properly report username capabilities, authenti‐
582       cation  capabilities,  or  K_g status. Those hitting this issue may see
583       "username invalid",  "authentication  type  unavailable  for  attempted
584       privilege  level",  or  "k_g  invalid"  errors.  Issue observed on Asus
585       P5M2/P5MT-R/RS162-E4/RX4,   Intel   SR1520ML/X38ML,   and   Sun    Fire
586       2200/4150/4450 with ELOM.
587
588       nochecksumcheck  - This workaround flag will tell FreeIPMI to not check
589       the checksums returned from IPMI command  responses.  It  works  around
590       systems that return invalid checksums due to implementation errors, but
591       the packet is otherwise valid. Users are cautioned on the use  of  this
592       option,  as  it  removes  validation of packet integrity in a number of
593       circumstances. However, it is unlikely to be an issue  in  most  situa‐
594       tions.  Those hitting this issue may see "connection timeout", "session
595       timeout", or "password verification timeout" errors. On IPMI  1.5  con‐
596       nections,  the  "noauthcodecheck" workaround may also needed too. Issue
597       observed on Supermicro X9SCM-iiF, Supermicro  X9DRi-F,  and  Supermicro
598       X9DRFR.
599
600       idzero  -  This  workaround flag will allow empty session IDs to be ac‐
601       cepted by the client. It works around IPMI sessions that  report  empty
602       session  IDs  to  the client. Those hitting this issue may see "session
603       timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
604
605       unexpectedauth - This workaround flag will  allow  unexpected  non-null
606       authcodes  to  be checked as though they were expected. It works around
607       an issue when packets contain non-null authentication  data  when  they
608       should  be  null due to disabled per-message authentication. Those hit‐
609       ting this issue may see "session timeout"  errors.  Issue  observed  on
610       Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
611
612       forcepermsg  -  This workaround flag will force per-message authentica‐
613       tion to be used no matter what is advertised by the remote  system.  It
614       works  around an issue when per-message authentication is advertised as
615       disabled on the remote system, but it is actually required for the pro‐
616       tocol.  Those hitting this issue may see "session timeout" errors.  Is‐
617       sue observed on IBM eServer 325.
618
619       endianseq - This workaround flag will flip the endian  of  the  session
620       sequence  numbers  to  allow the session to continue properly. It works
621       around IPMI 1.5 session sequence numbers that  are  the  wrong  endian.
622       Those  hitting  this  issue may see "session timeout" errors. Issue ob‐
623       served on some Sun ILOM 1.0/2.0 (depends on service processor endian).
624
625       noauthcodecheck - This workaround flag will tell FreeIPMI to not  check
626       the  authentication  codes returned from IPMI 1.5 command responses. It
627       works around systems that return invalid authentication  codes  due  to
628       hashing  or  implementation  errors.  Users are cautioned on the use of
629       this option, as it removes an authentication check verifying the valid‐
630       ity of a packet. However, in most organizations, this is unlikely to be
631       a security issue. Those hitting this issue may  see  "connection  time‐
632       out",  "session  timeout",  or  "password verification timeout" errors.
633       Issue observed on Xyratex FB-H8-SRAY, Intel  Windmill,  Quanta  Winter‐
634       fell, and Wiwynn Windmill.
635
636       intel20  - This workaround flag will work around several Intel IPMI 2.0
637       authentication issues. The issues covered include padding of usernames,
638       and  password  truncation  if  the  authentication  algorithm  is HMAC-
639       MD5-128. Those hitting this issue may see "username invalid", "password
640       invalid",  or  "k_g  invalid" errors. Issue observed on Intel SE7520AF2
641       with Intel Server Management Module (Professional Edition).
642
643       supermicro20 - This workaround flag will work around several Supermicro
644       IPMI  2.0  authentication  issues  on  motherboards  w/  Peppercon IPMI
645       firmware. The issues covered include handling invalid length  authenti‐
646       cation  codes.  Those hitting this issue may see "password invalid" er‐
647       rors.  Issue observed on Supermicro H8QME  with  SIMSO  daughter  card.
648       Confirmed fixed on newerver firmware.
649
650       sun20 - This workaround flag will work work around several Sun IPMI 2.0
651       authentication issues. The issues covered include invalid lengthed hash
652       keys,  improperly  hashed keys, and invalid cipher suite records. Those
653       hitting this issue may see "password invalid" or  "bmc  error"  errors.
654       Issue  observed  on Sun Fire 4100/4200/4500 with ILOM.  This workaround
655       automatically includes the "opensesspriv" workaround.
656
657       opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
658       2.0 connection protocol to workaround an invalid hashing algorithm used
659       by the remote system. The privilege level sent during the Open  Session
660       stage of an IPMI 2.0 connection is used for hashing keys instead of the
661       privilege level sent during the RAKP1 connection stage.  Those  hitting
662       this  issue may see "password invalid", "k_g invalid", or "bad rmcpplus
663       status code" errors.  Issue observed on Sun  Fire  4100/4200/4500  with
664       ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
665       Intel S5500WBV/Penguin Relion 700,  Intel  S2600JF/Appro  512X,  Quanta
666       QSSC-S4R/Appro  GB812X-CN, and Dell C5220. This workaround is automati‐
667       cally triggered with the "sun20" workaround.
668
669       integritycheckvalue - This workaround flag will work around an  invalid
670       integrity check value during an IPMI 2.0 session establishment when us‐
671       ing Cipher Suite ID 0. The integrity check value should  be  0  length,
672       however  the  remote motherboard responds with a non-empty field. Those
673       hitting this issue may see "k_g invalid" errors. Issue observed on  Su‐
674       permicro  X8DTG,  Supermicro  X8DTU,  and Intel S5500WBV/Penguin Relion
675       700, and Intel S2600JF/Appro 512X.
676
677       assumesystemevent - This workaround  option  will  assume  invalid  SEL
678       record  types  are  system event records. Records may be formatted cor‐
679       rectly but report invalid record types. Those hitting  this  issue  may
680       see  "Unknown  SEL Record Type" errors. Output may be unknown, pray for
681       the best. This option is confirmed to work around compliances issues on
682       HP DL 380 G5 motherboards.
683
684       No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
685       found to not support IPMI 1.5. Those hitting this issue may  see  "ipmi
686       2.0  unavailable"  or  "connection  timeout"  errors. This issue can be
687       worked around by using IPMI 2.0  instead  of  IPMI  1.5  by  specifying
688       --driver-type=LAN_2_0.  Issue observed on a number of HP and Supermicro
689       motherboards.
690

OEM INTERPRETATION

692       The following motherboards are confirmed to have atleast  some  support
693       by  the --interpret-oem-data option. While highly probable the OEM data
694       interpretations would work across other motherboards by the same  manu‐
695       facturer,  there  are no guarantees. Some of the motherboards below may
696       be rebranded by vendors/distributors.
697
698       Dell Poweredge 2900, Dell Poweredge 2950,  Dell  Poweredge  R610,  Dell
699       Poweredge R710, Fujitsu iRMC S1 and iRMC S2 systems, Intel S5500WB/Pen‐
700       guin Computing Relion 700, Intel S2600JF/Appro  512X,  Intel  S5000PAL,
701       Inventec  5441/Dell  Xanadu  II,  Inventec 5442/Dell Xanadu III, Quanta
702       S99Q/Dell FS12-TY, Quanta QSSC-S4R/Appro GB812X-CN, Sun X4140  Supermi‐
703       cro  X7DBR-3, Supermicro X7DB8, Supermicro X8DTN, Supermicro X7SBI-LN4,
704       Supermicro  X8DTH,  Supermicro  X8DTG,  Supermicro  X8DTU,   Supermicro
705       X8DT3-LN4F, Supermicro X8DTU-6+, Supermicro X8DTL, Supermicro X8DTL-3F,
706       Supermicro X8SIL-F,  Supermicro  X9SCL,  Supermicro  X9SCM,  Supermicro
707       X8DTN+-F,  Supermicro  X8SIE, Supermicro X9SCA-F-O, Supermicro H8DGU-F,
708       Supermicro X9DRi-F, Supermicro X9DRI-LN4F+, Supermicro  X9SPU-F-O,  Su‐
709       permicro X9SCM-iiF, Wistron/Dell Poweredge C6220.
710

KNOWN ISSUES

712       On  older  operating systems, if you input your username, password, and
713       other potentially security relevant information on  the  command  line,
714       this information may be discovered by other users when using tools like
715       the ps(1) command or looking in the /proc file system. It is  generally
716       more  secure  to input password information with options like the -P or
717       -K options. Configuring security relevant information in  the  FreeIPMI
718       configuration file would also be an appropriate way to hide this infor‐
719       mation.
720
721       In order to prevent brute force attacks,  some  BMCs  will  temporarily
722       "lock  up" after a number of remote authentication errors. You may need
723       to wait awhile in order to this temporary "lock up" to pass before  you
724       may authenticate again.
725

FILES

727       /etc/freeipmi//ipmiseld.conf /var/cache/ipmiseld/
728

REPORTING BUGS

730       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
731
733       Copyright (C) 2012-2015 Lawrence Livermore National Security, LLC.
734
735       This program is free software; you can redistribute it and/or modify it
736       under the terms of the GNU General Public License as published  by  the
737       Free  Software Foundation; either version 3 of the License, or (at your
738       option) any later version.
739

SEE ALSO

741       freeipmi(7), ipmi-sel(8),  ipmiseld.conf(5),  bmc-device(8),  ipmi-con‐
742       fig(8), freeipmi_interpret_sel.conf(5)
743
744       http://www.gnu.org/software/freeipmi/
745
746
747
748ipmiseld 1.6.10                   2022-08-31                       ipmiseld(8)
Impressum