MAAS should not require an IPMI Administrator user to commission/deploy a node
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
MAAS | | High | Lee Trager | |
2.7 | | High | Lee Trager | |
2.8 | | High | Lee Trager | |
Bug Description
According to the spec[1], it is enough for IPMI users to have the Operator privilege level to handle the power and device boot order of a node. Downgrading the privilege level of the maas IPMI user from Administrator to Operator in an HP iLO4 makes the power-on process, for both commissioning and deploying, fail in MAAS with the following error:
/usr/sbin/
This issue appears because ipmi-chassis-config tries to run with an Administrator privilege level by default. Adding the '-l OPERATOR' parameter to the command line seems to fix this issue.
Also, the privilege level (Lan_Privilege_
Related branches
- MAAS Lander: Approve on 2020-08-05
- Lee Trager: Approve on 2020-08-04
- Diff: 132 lines (+27/-7), 6 files modified:
src/provisioningserver/drivers/power/ipmi.py (+10/-2)
src/provisioningserver/drivers/power/moonshot.py (+3/-1)
src/provisioningserver/drivers/power/seamicro.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_ipmi.py (+5/-1)
src/provisioningserver/drivers/power/tests/test_moonshot.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_seamicro.py (+3/-1)
- Lee Trager: Approve on 2020-08-04
- MAAS Lander: Pending (unittests) requested 2020-08-04
- MAAS Lander: Approve on 2020-07-31
- Adam Collard: Approve on 2020-07-31
- Diff: 132 lines (+27/-7), 6 files modified:
src/provisioningserver/drivers/power/ipmi.py (+10/-2)
src/provisioningserver/drivers/power/moonshot.py (+3/-1)
src/provisioningserver/drivers/power/seamicro.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_ipmi.py (+5/-1)
src/provisioningserver/drivers/power/tests/test_moonshot.py (+3/-1)
src/provisioningserver/drivers/power/tests/test_seamicro.py (+3/-1)
Changed in maas: | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Lee Trager (ltrager) |
Lee Trager (ltrager) wrote : | #1 |
tags: | added: sts |
Changed in maas: | |
milestone: | none → next |
status: | In Progress → Fix Committed |
Lee Trager (ltrager) wrote : | #2 |
I've backported this to 2.7 and 2.8. Please let me know if 2.4(bionic-updates) or 2.3(xenial-updates) need this as well.
Changed in maas: | |
milestone: | next → 2.9.0b1 |
Victor Tapia (vtapia) wrote : | #3 |
Thanks for the patch Lee, and sorry for the late reply. I tried to find moonshot and seamicro machines without success, but according to the moonshot documentation[1], both booting and setting the boot device should be achievable by operator users (haven't found anything about seamicro, but the company/brand died in 2015). I confirmed that 2.7 and 2.8 work fine with HP iLOs from different generations.
I'll open a different bug to discuss the creation of the maas user as an operator instead of an admin. Regarding backports, 2.4 and 2.3 are not needed unless the privilege level on user creation is changed for those releases.
[1]
https:/
https:/
Changed in maas: | |
status: | Fix Committed → Fix Released |
The ipmipower command uses OPERATOR by default while both ipmi-chassis-config and ipmitool use ADMIN by default. I've updated MAAS to always interact with IPMI BMCs using the OPERATOR level. For basic IPMI machines MAAS only uses the ipmipower command so most users won't be affected by this change. This does change the privilege level for both HP Moonshot/iLO and Seamicro users. We don't have either chassis in our CI so I can't test if this change works or breaks anything. Please test the attached branch and let me know if it solves this bug.
I'm not sure of the exact reason the MAAS IPMI user is created as admin. The code was written before I joined and there aren't comments explaining why. I will say from personal experience I've found it useful in debugging issues both in the MAAS CI and in the field. I can use the MAAS created IPMI user to access the console over IPMI and log into the BMC's web console to change BIOS settings.
I think we should discuss changing the privilege level separately.
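The following is an added example, not MAAS code and not part of the thread: a check that reports which privilege level an IPMI command line will request, using the per-tool defaults stated above and the `-l`/`--privilege-level` (FreeIPMI) and `-L` (ipmitool) options. The sample command lines, host name and file name are constructed placeholders.

```python
import os

# Default session privilege level per tool when no flag is given, as stated
# in the thread above: ipmipower uses OPERATOR, the other two use ADMIN.
TOOL_DEFAULTS = {
    "ipmipower": "OPERATOR",
    "ipmi-chassis-config": "ADMIN",
    "ipmitool": "ADMIN",
}
# FreeIPMI tools take -l/--privilege-level; ipmitool takes -L.
LEVEL_FLAGS = {
    "ipmipower": ("-l", "--privilege-level"),
    "ipmi-chassis-config": ("-l", "--privilege-level"),
    "ipmitool": ("-L",),
}
RANK = {"CALLBACK": 0, "USER": 1, "OPERATOR": 2, "ADMIN": 3, "ADMINISTRATOR": 3}


def effective_level(argv):
    """Return the privilege level an IPMI command line will request."""
    tool = os.path.basename(argv[0])
    level = TOOL_DEFAULTS[tool]
    flags = LEVEL_FLAGS[tool]
    for i, arg in enumerate(argv[1:], start=1):
        if arg in flags and i + 1 < len(argv):
            level = argv[i + 1]              # form: -l OPERATOR
        elif "=" in arg and arg.split("=", 1)[0] in flags:
            level = arg.split("=", 1)[1]     # form: --privilege-level=OPERATOR
    return level.upper()


def needs_admin(argv):
    """True when the command requests more than OPERATOR from the BMC."""
    return RANK[effective_level(argv)] > RANK["OPERATOR"]


# Constructed sample command lines (host and file names are placeholders).
SAMPLES = [
    ["/usr/sbin/ipmi-chassis-config", "-h", "bmc.example", "--commit", "--filename", "boot.conf"],
    ["/usr/sbin/ipmi-chassis-config", "-h", "bmc.example", "-l", "OPERATOR", "--commit", "--filename", "boot.conf"],
    ["ipmipower", "-h", "bmc.example", "--on"],
    ["ipmitool", "-I", "lanplus", "-H", "bmc.example", "-L", "OPERATOR", "power", "status"],
]

if __name__ == "__main__":
    for argv in SAMPLES:
        print(effective_level(argv), needs_admin(argv), " ".join(argv))
```

Only the first sample is flagged: it relies on the ADMIN default of ipmi-chassis-config, which is the case the bug description reports failing for an Operator-level user.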