MAAS should not require an IPMI Administrator user to commission/deploy a node
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
MAAS | Fix Released | High | Lee Trager | |
2.7 | Fix Released | High | Lee Trager | |
2.8 | Fix Released | High | Lee Trager | |
Bug Description
According to the spec[1], it is enough for IPMI users to have the Operator privilege level to handle the power and device boot order of a node. Downgrading the privilege level of the maas IPMI user from Administrator to Operator in an HP iLO4 makes the power-on process, for both commissioning and deploying, fail in MAAS with the following error:
/usr/sbin/
This issue appears because ipmi-chassis-config tries to run with an Administrator privilege level by default. Adding the '-l OPERATOR' parameter to the command line seems to fix this issue.
Also, the privilege level (Lan_Privilege_
Related branches
- MAAS Lander: Approve
- Lee Trager (community): Approve
- Diff: 132 lines (+27/-7), 6 files modified
src/provisioningserver/drivers/power/ipmi.py (+10/-2)
src/provisioningserver/drivers/power/moonshot.py (+3/-1)
src/provisioningserver/drivers/power/seamicro.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_ipmi.py (+5/-1)
src/provisioningserver/drivers/power/tests/test_moonshot.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_seamicro.py (+3/-1)
- Lee Trager (community): Approve
- MAAS Lander: Pending (unittests) requested
- MAAS Lander: Approve
- Adam Collard (community): Approve
- Diff: 132 lines (+27/-7), 6 files modified
src/provisioningserver/drivers/power/ipmi.py (+10/-2)
src/provisioningserver/drivers/power/moonshot.py (+3/-1)
src/provisioningserver/drivers/power/seamicro.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_ipmi.py (+5/-1)
src/provisioningserver/drivers/power/tests/test_moonshot.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_seamicro.py (+3/-1)
Changed in maas:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Lee Trager (ltrager)
tags: added: sts
Changed in maas:
milestone: none → next
status: In Progress → Fix Committed
Changed in maas:
milestone: next → 2.9.0b1
Changed in maas:
status: Fix Committed → Fix Released
The ipmipower command uses OPERATOR by default, while both ipmi-chassis-config and ipmitool use ADMIN by default. I've updated MAAS to always interact with IPMI BMCs using the OPERATOR level. For basic IPMI machines MAAS only uses the ipmipower command, so most users won't be affected by this change. This does change the privilege level for both HP Moonshot/iLO and Seamicro users. We don't have either chassis in our CI, so I can't test if this change works or breaks anything. Please test the attached branch and let me know if it solves this bug.
I'm not sure of the exact reason the MAAS IPMI user is created as admin. The code was written before I joined and there aren't comments explaining why. I will say from personal experience I've found it useful in debugging issues both in the MAAS CI and in the field. I can use the MAAS created IPMI user to access the console over IPMI and log into the BMC's web console to change BIOS settings.
I think we should discuss changing the privilege level separately.
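An added example, not part of the bug report or the MAAS code base: a small audit over recorded command lines that flags IPMI tool invocations whose session privilege level ends up above OPERATOR, using the per-tool defaults described in the comment above. The ipmitool `-L` flag and the function names are not from this page, and the sample command lines are constructed.

```python
import shlex

# Default session privilege per tool, as stated in the comment above.
DEFAULTS = {"ipmipower": "OPERATOR", "ipmi-chassis-config": "ADMIN", "ipmitool": "ADMIN"}
# FreeIPMI tools take -l/--privilege-level; ipmitool takes -L.
SHORT_FLAG = {"ipmipower": "-l", "ipmi-chassis-config": "-l", "ipmitool": "-L"}
RANK = {"CALLBACK": 0, "USER": 1, "OPERATOR": 2, "ADMIN": 3, "ADMINISTRATOR": 3}

# Constructed sample command lines (documentation addresses, no secrets).
SAMPLE = [
    "ipmi-chassis-config -h 192.0.2.10 -u maas --checkout",
    "ipmi-chassis-config -h 192.0.2.10 -u maas -l OPERATOR --checkout",
    "/usr/sbin/ipmipower -h 192.0.2.10 -u maas --stat",
    "ipmitool -I lanplus -H 192.0.2.11 -U maas chassis power status",
    "ipmitool -I lanplus -H 192.0.2.11 -U maas -L OPERATOR chassis power status",
    "ipmipower -h 192.0.2.10 -u maas --privilege-level=ADMIN --stat",
]


def session_level(command_line):
    """Return (tool, level) for an IPMI command line, or None for other commands."""
    argv = shlex.split(command_line)
    tool = argv[0].rsplit("/", 1)[-1] if argv else ""
    if tool not in DEFAULTS:
        return None
    # Start from the tool's default; an explicit flag overrides it.
    level, short = DEFAULTS[tool], SHORT_FLAG[tool]
    for i, arg in enumerate(argv):
        if arg == short or (arg == "--privilege-level" and tool != "ipmitool"):
            if i + 1 < len(argv):
                level = argv[i + 1]
        elif arg.startswith("--privilege-level=") and tool != "ipmitool":
            level = arg.split("=", 1)[1]
    return tool, level.upper()


def over_privileged(command_lines, ceiling="OPERATOR"):
    """Return (tool, level, line) for sessions above the ceiling; unknown levels fail closed."""
    findings = []
    for line in command_lines:
        parsed = session_level(line)
        if parsed and RANK.get(parsed[1], 99) > RANK[ceiling]:
            findings.append((parsed[0], parsed[1], line))
    return findings


if __name__ == "__main__":
    for tool, level, line in over_privileged(SAMPLE):
        print(f"{tool}: session level {level}: {line}")
```

Invocations that omit the flag are the ones that fail once the BMC account is downgraded to Operator, so the same list doubles as a pre-change checklist.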