Comment 27 for bug 1916860

Lee Trager (ltrager) wrote :

I took another look at this on the machine in question and did some more testing. I do now agree with Dan that ciphers are configured linearly. I have an updated branch[1] which now only configures with ipmitool linearly. What is confusing is that some BMC firmware reports supported ciphers out of order.

I don't see how MAAS can work around this firmware bug. MAAS can't always test BMC firmware settings, as ciphers aren't used with ipmitool locally and many environments don't allow a machine to access the BMC network. Even when the machine does have network access to the BMC network, iterating through ciphers can cause the BMC to lock the maas account due to rate limiting. I actually triggered that while testing on some machines that aren't affected by this bug. Even if MAAS works around that, a vendor could release a firmware update which fixes the bug and breaks MAAS's access.

The workaround is very easy. All you need to do is upload a custom commissioning script, which runs after 30-maas-01-bmc-config, that enables the right cipher. In this case that would be:

ipmitool lan set channel 1 cipher_suite_privs XXaXXXXXXXXXXXXX